add iam_tags to vault_aws_secret_backend_role

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Unreleased
 
+FEATURES:
+* Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)).
+
 ## 4.2.0 (Mar 27, 2024)
 
 FEATURES:

vault/resource_aws_secret_backend_role.go

@@ -76,6 +76,14 @@ func awsSecretBackendRoleResource(name string) *schema.Resource {
 				Optional:    true,
 				Description: "A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.",
 			},
+			"iam_tags": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Description: "A map of strings representing key/value pairs used as tags for any IAM user created by this role.",
+			},
 			"default_sts_ttl": {
 				Type:        schema.TypeInt,
 				Optional:    true,
@@ -123,6 +131,8 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 
 	iamGroups := d.Get("iam_groups").(*schema.Set).List()
 
+	iamTags := d.Get("iam_tags")
+
 	if policyDocument == "" && len(policyARNs) == 0 && len(roleARNs) == 0 && len(iamGroups) == 0 {
 		return fmt.Errorf("at least one of: `policy_document`, `policy_arns`, `role_arns` or `iam_groups` must be set")
 	}
@@ -155,6 +165,9 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 	if d.HasChange("iam_groups") {
 		data["iam_groups"] = iamGroups
 	}
+	if d.HasChange("iam_tags") {
+		data["iam_tags"] = iamTags
+	}
 	if d.HasChange("user_path") {
 		if credentialType == "iam_user" {
 			data["user_path"] = userPath
@@ -239,6 +252,9 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	if v, ok := secret.Data["iam_groups"]; ok {
 		d.Set("iam_groups", v)
 	}
+	if v, ok := secret.Data["iam_tags"]; ok {
+		d.Set("iam_tags", v)
+	}
 	if v, ok := secret.Data["permissions_boundary_arn"]; ok {
 		d.Set("permissions_boundary_arn", v)
 	}

vault/resource_aws_secret_backend_role_test.go

@@ -27,6 +27,10 @@ const (
 	testAccAWSSecretBackendRolePermissionsBoundaryArn_updated = "arn:aws:iam::123456789123:policy/boundary2"
 	testAccAWSSecretBackendRoleIamUserPath_basic              = "/path1/"
 	testAccAWSSecretBackendRoleIamUserPath_updated            = "/path2/"
+	testAccAWSSecretBackendRoleIamTag_key_basic               = "key1"
+	testAccAWSSecretBackendRoleIamTag_value_basic             = "value1"
+	testAccAWSSecretBackendRoleIamTag_key_updated             = "key2"
+	testAccAWSSecretBackendRoleIamTag_value_updated           = "value2"
 )
 
 func TestAccAWSSecretBackendRole_basic(t *testing.T) {
@@ -167,6 +171,8 @@ func testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend string) resou
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "permissions_boundary_arn", testAccAWSSecretBackendRolePermissionsBoundaryArn_basic),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "user_path", testAccAWSSecretBackendRoleIamUserPath_basic),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.%", "1"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", fmt.Sprintf("iam_tags.%s", testAccAWSSecretBackendRoleIamTag_key_basic), testAccAWSSecretBackendRoleIamTag_value_basic),
 	)
 }
 
@@ -205,6 +211,8 @@ func testAccAWSSecretBackendRoleCheckUpdatedAttributes(name, backend string) res
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "permissions_boundary_arn", testAccAWSSecretBackendRolePermissionsBoundaryArn_updated),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "user_path", testAccAWSSecretBackendRoleIamUserPath_updated),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.%", "1"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", fmt.Sprintf("iam_tags.%s", testAccAWSSecretBackendRoleIamTag_key_updated), testAccAWSSecretBackendRoleIamTag_value_updated),
 	)
 }
 
@@ -274,8 +282,17 @@ resource "vault_aws_secret_backend_role" "test_iam_user_type_optional_attributes
   backend = vault_aws_secret_backend.test.path
   permissions_boundary_arn = "%s"
   user_path = "%s"
+  iam_tags = {
+    %s = "%s"
+  }
 }
-`, name, testAccAWSSecretBackendRolePolicyArn_basic, testAccAWSSecretBackendRolePermissionsBoundaryArn_basic, testAccAWSSecretBackendRoleIamUserPath_basic),
+`,
+			name,
+			testAccAWSSecretBackendRolePolicyArn_basic,
+			testAccAWSSecretBackendRolePermissionsBoundaryArn_basic,
+			testAccAWSSecretBackendRoleIamUserPath_basic,
+			testAccAWSSecretBackendRoleIamTag_key_basic,
+			testAccAWSSecretBackendRoleIamTag_value_basic),
 	}
 
 	return strings.Join(resources, "\n")
@@ -360,8 +377,17 @@ resource "vault_aws_secret_backend_role" "test_iam_user_type_optional_attributes
   backend = vault_aws_secret_backend.test.path
   permissions_boundary_arn = "%s"
   user_path = "%s"
+  iam_tags = {
+	%s = "%s"
+  }
 }
-`, name, testAccAWSSecretBackendRolePolicyArn_updated, testAccAWSSecretBackendRolePermissionsBoundaryArn_updated, testAccAWSSecretBackendRoleIamUserPath_updated),
+`,
+			name,
+			testAccAWSSecretBackendRolePolicyArn_updated,
+			testAccAWSSecretBackendRolePermissionsBoundaryArn_updated,
+			testAccAWSSecretBackendRoleIamUserPath_updated,
+			testAccAWSSecretBackendRoleIamTag_key_updated,
+			testAccAWSSecretBackendRoleIamTag_value_updated),
 	}
 	return strings.Join(resources, "\n")
 }

website/docs/r/aws_secret_backend_role.html.md

@@ -90,6 +90,9 @@ The following arguments are supported:
   policies from each group in `iam_groups` combined with the `policy_document`
   and `policy_arns` parameters.
 
+* `iam_tags` (Optional) - A map of strings representing key/value pairs
+  to be used as tags for any IAM user that is created by this role.
+
 * `default_sts_ttl` - (Optional) The default TTL in seconds for STS credentials.
   When a TTL is not specified when STS credentials are requested,
   and a default TTL is specified on the role,