

Add field set_namespace_from_token to Provider configuration (#2070)
vinay-gopalan authored Oct 31, 2023
1 parent f7c9bdf commit d91302f
Showing 6 changed files with 74 additions and 14 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,7 @@ FEATURES:
* Add support for configuring SAML Auth resources ([#2053](https://github.com/hashicorp/terraform-provider-vault/pull/2053))
* Add support for `custom_metadata` on `vault_namespace`: ([#2033](https://github.com/hashicorp/terraform-provider-vault/pull/2033))
* Add support for `OCSP*` role fields for the cert auth resource: ([#2056](https://github.com/hashicorp/terraform-provider-vault/pull/2056))
* Add field `set_namespace_from_token` to Provider configuration ([#2070](https://github.com/hashicorp/terraform-provider-vault/pull/2070))

BUGS:
* Fix panic when reading `client_secret` from a public oidc client ([#2048](https://github.com/hashicorp/terraform-provider-vault/pull/2048))
1 change: 1 addition & 0 deletions internal/consts/consts.go
Expand Up @@ -363,6 +363,7 @@ const (
FieldServiceAccountJWT = "service_account_jwt"
FieldDisableISSValidation = "disable_iss_validation"
FieldPEMKeys = "pem_keys"
FieldSetNamespaceFromToken = "set_namespace_from_token"
/*
common environment variables
*/
6 changes: 4 additions & 2 deletions internal/provider/meta.go
Expand Up @@ -314,8 +314,10 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
namespace = tokenNamespace
// set the namespace on the provider to ensure that all child
// namespace paths are properly honoured.
if err := d.Set(consts.FieldNamespace, namespace); err != nil {
return nil, err
if v, ok := d.Get(consts.FieldSetNamespaceFromToken).(bool); ok && v {
if err := d.Set(consts.FieldNamespace, namespace); err != nil {
return nil, err
}
}
}

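Review bot: The new flag gates only the `d.Set(consts.FieldNamespace, namespace)` call; `namespace = tokenNamespace` on the context line just above stays unconditional, so with `set_namespace_from_token = false` the client still operates in the token's namespace (the new `set-namespace-from-token-false` test asserts exactly that) while the provider-level `namespace` field is left empty. The surviving comment above the block still says the set is done "to ensure that all child namespace paths are properly honoured", which no longer describes the opt-out path; I'd extend it with something like `// Mirroring the token namespace into the provider's namespace field is opt-out via set_namespace_from_token; when disabled the client still uses the token namespace, but resource-level namespace paths are presumably no longer rooted under it.` The `.(bool)` assertion is safe as long as the schema keeps a bool default for the field, but `ok && v` means a future schema change that breaks the assertion would silently disable the mirroring rather than surface an error, so a short comment stating that the schema default guarantees a bool would help. NewProviderMeta begins and ends outside this hunk.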
68 changes: 56 additions & 12 deletions internal/provider/meta_test.go
Expand Up @@ -553,13 +553,15 @@ func TestNewProviderMeta(t *testing.T) {
}

tests := []struct {
name string
d *schema.ResourceData
data map[string]interface{}
wantNamespace string
tokenNamespace string
authLoginNamespace string
wantErr bool
name string
d *schema.ResourceData
data map[string]interface{}
wantNamespace string
tokenNamespace string
authLoginNamespace string
wantErr bool
checkSetSetTokenNamespace bool
wantNamespaceFromToken string
}{
{
name: "invalid-nil-ResourceData",
Expand Down Expand Up @@ -627,22 +629,60 @@ func TestNewProviderMeta(t *testing.T) {
name: "with-provider-ns-and-auth-login-with-ns",
d: pr.TestResourceData(),
data: map[string]interface{}{
consts.FieldNamespace: nsPrefix + "prov-ns-auth-ns",
consts.FieldNamespace: nsPrefix + "prov-ns-prov-ns",
consts.FieldSkipGetVaultVersion: true,
consts.FieldSkipChildToken: true,
consts.FieldAuthLoginUserpass: []map[string]interface{}{
{
consts.FieldNamespace: nsPrefix + "auth-ns-prov-ns",
consts.FieldNamespace: nsPrefix + "auth-ns-auth-ns",
consts.FieldMount: consts.MountTypeUserpass,
consts.FieldUsername: defaultUser,
consts.FieldPassword: defaultPassword,
},
},
},
authLoginNamespace: nsPrefix + "auth-ns-prov-ns",
wantNamespace: nsPrefix + "prov-ns-auth-ns",
authLoginNamespace: nsPrefix + "auth-ns-auth-ns",
wantNamespace: nsPrefix + "prov-ns-prov-ns",
wantErr: false,
},
{
// expect token based namespace to be ignored.
name: "set-namespace-from-token-false",
d: pr.TestResourceData(),
data: map[string]interface{}{
consts.FieldSkipGetVaultVersion: true,
consts.FieldSetNamespaceFromToken: false,
consts.FieldSkipChildToken: true,
},
tokenNamespace: nsPrefix + "set-ns-from-token-auth-false-ignored",
wantNamespace: nsPrefix + "set-ns-from-token-auth-false-ignored",
checkSetSetTokenNamespace: true,
wantNamespaceFromToken: "",
wantErr: false,
},
{
// expect token based namespace to be ignored.
name: "set-namespace-from-token-true",
d: pr.TestResourceData(),
data: map[string]interface{}{
consts.FieldSkipGetVaultVersion: true,
consts.FieldSetNamespaceFromToken: true,
consts.FieldSkipChildToken: true,
consts.FieldAuthLoginUserpass: []map[string]interface{}{
{
consts.FieldNamespace: nsPrefix + "set-ns-from-token-auth-true",
consts.FieldMount: consts.MountTypeUserpass,
consts.FieldUsername: defaultUser,
consts.FieldPassword: defaultPassword,
},
},
},
authLoginNamespace: nsPrefix + "set-ns-from-token-auth-true",
wantNamespace: nsPrefix + "set-ns-from-token-auth-true",
checkSetSetTokenNamespace: true,
wantNamespaceFromToken: nsPrefix + "set-ns-from-token-auth-true",
wantErr: false,
},
}

createNamespace := func(t *testing.T, client *api.Client, ns string) {
Expand Down Expand Up @@ -748,7 +788,11 @@ func TestNewProviderMeta(t *testing.T) {
}

if !reflect.DeepEqual(p.client.Namespace(), tt.wantNamespace) {
t.Errorf("NewProviderMeta() got ns = %v, want ns %v", p.client.Namespace(), tt.wantNamespace)
t.Errorf("NewProviderMeta() got ns = %q, want ns %q", p.client.Namespace(), tt.wantNamespace)
}

if tt.checkSetSetTokenNamespace && tt.wantNamespaceFromToken != tt.d.Get(consts.FieldNamespace).(string) {
t.Errorf("NewProviderMeta() got ns = %q, want ns %q", tt.d.Get(consts.FieldNamespace).(string), tt.wantNamespaceFromToken)
}

if client.Token() == "" {
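Review bot: The comment on the `set-namespace-from-token-true` case (`// expect token based namespace to be ignored.`) contradicts what the case asserts — `wantNamespaceFromToken` is the auth-login namespace, i.e. the token namespace is expected to be written into the provider's `namespace` field; it looks copied from the `false` case and should read `// expect token based namespace to be set as the provider namespace.` The new struct field `checkSetSetTokenNamespace` has a doubled word; `checkSetTokenNamespace` would match the `wantNamespaceFromToken` field it pairs with. The two new cases are also not symmetric — the `false` case relies on a pre-created `tokenNamespace` while the `true` case goes through userpass auth-login — so a `false` case that also uses a namespaced auth-login would more directly demonstrate that the opt-out leaves `d`'s namespace empty even when the login itself is namespaced. TestNewProviderMeta starts and ends outside the visible hunks.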
8 changes: 8 additions & 0 deletions internal/provider/provider.go
Expand Up @@ -175,6 +175,14 @@ func NewProvider(
DefaultFunc: schema.EnvDefaultFunc("VAULT_NAMESPACE", ""),
Description: "The namespace to use. Available only for Vault Enterprise.",
},
consts.FieldSetNamespaceFromToken: {
Type: schema.TypeBool,
Optional: true,
Default: true,
Description: "In the case where the Vault token is for a specific namespace " +
"and the provider namespace is not configured, use the token namespace " +
"as the root namespace for all resources.",
},
"headers": {
Type: schema.TypeList,
Optional: true,
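Review bot: The Description reads as if the flag decides which namespace the client uses, but per meta.go in this commit it only decides whether the token namespace is mirrored into the provider's `namespace` field — the client namespace comes from the token either way (the `set-namespace-from-token-false` test expects `p.client.Namespace()` to equal the token namespace). I'd reword it to something like `"If the Vault token is scoped to a namespace and namespace is not configured, populate the provider namespace from the token so that resource namespace paths are resolved beneath it. Set to false to leave the provider namespace unset."` Unlike `namespace` directly above it (`VAULT_NAMESPACE` via `DefaultFunc`), this field has no environment fallback; if that is deliberate it is fine, otherwise operators who configure the provider purely through the environment cannot opt out. `Default: true` keeps existing configurations on the previous behaviour, which is the right choice for a behaviour-affecting knob.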
4 changes: 4 additions & 0 deletions website/docs/index.html.markdown
Expand Up @@ -214,6 +214,10 @@ variables in order to keep credential information out of the configuration.

* `use_root_namespace` - (Optional) Authenticate to the root Vault namespace. Conflicts with `namespace`.

* `set_namespace_from_token` -(Optional) Defaults to `true`. In the case where the Vault token is
for a specific namespace and the provider namespace is not configured, use the token namespace
as the root namespace for all resources.

* `skip_get_vault_version` - (Optional) Skip the dynamic fetching of the Vault server version.
Set to `true` when the */sys/seal-status* API endpoint is not available. See [vault_version_override](#vault_version_override)
for related info
