Identity improvements

[nazarewk]

This PR implements #320 ideas, except for group membership management.
Fixes #343
Fixes #320

Major change

Adds vault_identity_group_policies resource and vault_identity_group.external_policies attribute.
It solves chicken & egg problem of using vault_identity_group.id inside templated vault_policy.

Bug fixes

1. adds missing error checks in Go d.Set(...)
2. as a result fixes vault_identity_entity.disabled not working at all (used TypeString instead of expected TypeBool)
3. fixes error messages being about AppRole instead of specific Identity* in vault_identity_* resources

Minor changes

1. enables passthrough importers on vault_identity_* resources
2. enables name autogeneration (by default Vault assigns group-<UUID> or entity-<UUID> names) by Required: true -> Optional: true
3. enables renaming vault_identity_entity and vault_identity_group resources (ForceNew: false was enough),

[nazarewk]

I guess the test was a random failure, closing and reopening

[lawliet89]

I would like to see this merged in. Would be useful to manage policies for entities and groups.

If you would like, I could help work on the suggestions next week.

[lawliet89]

This field seems a bit counter-intuitive if you compare it with the google_xxx_iam_* or other similar resources.

May I suggest that:

• if policies is not provided, do a DiffSuppressFunc to suppress a diff on policies
• Likewise, do not set policies while writing the entity.

Then, users can use the new resources you have added to manage policies.

[nazarewk]

I don't think it is possible to tell whether the value was set by user or read from the Vault.

[cvbarros]

@nazarewk since you got this underway, would you mind breaking a few more eggs and addressing the problem described in #343?
Apparently the reserved id field in the resource schema for these resources is causing problems with Terraform 0.12. AFAIK, I've never implmented any resourced that had an id field set in the schema, just always used SetId() to make the attribute available for output.

[nazarewk]

@cvbarros i'm not sure what is the interaction of id attribute, tests are passing after simply removing the field, so i will stick with it.

[cvbarros]

@nazarewk with previous Terraform versions, one could get away of having id attribute in the resource schema with just a warning.

What happens is that it is a common mistake to assume that in order to have a resource's id attribute exported, one would have to add it to the schema. This is not the case, since Terraform exposes it by default. It's safe (and recommended, since TF 0.12 is being more strict) to remove it.

[nazarewk]

Is there some maintainer participating in conversation? It is ready for merging and I would like to proceed.

[cvbarros]

@nazarewk I think repo is undergoing a codefreeze at the moment for #356. It's a pretty big change, and probably all PRs will have to be rebased once that biggie is done.

[tyrannosaurus-becks]

Thanks @cvbarros and @nazarewk ! The fix for #343 would indeed be nice to have but can also be done separately, so I will go ahead and take this one in as-is. Much appreciated!

[AndresPineros]

Hello, I just downloaded Terraform 0.12 (latest release, not beta or rc) and I'm getting this issue:
Error: Failed to instantiate provider "vault" to obtain schema: Incompatible API version with plugin. Plugin version: 4, Client versions: [5]

I don't really know the src of Terraform of the provider, can anyone explain why this happen? Is there a solution?

Thanks 👍