Add support for missing max_retries param

hashicorp · Jun 12, 2024 · 48453e4 · 48453e4
1 parent 8677f60
commit 48453e4
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 5 deletions.
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -424,6 +424,7 @@ const (
 	FieldDelegatedAuthAccessors        = "delegated_auth_accessors"
 	FieldPluginVersion                 = "plugin_version"
 	FieldUseMSGraphAPI                 = "use_microsoft_graph_api"
+	FieldMaxRetries                    = "max_retries"
 
 	/*
 		common environment variables

diff --git a/vault/resource_aws_auth_backend_client.go b/vault/resource_aws_auth_backend_client.go
@@ -101,6 +101,12 @@ func awsAuthBackendClientResource() *schema.Resource {
 				Computed:    true,
 				Description: "The TTL of generated identity tokens in seconds.",
 			},
+			consts.FieldMaxRetries: {
+				Type:        schema.TypeInt,
+				Default:     -1,
+				Optional:    true,
+				Description: "Number of max retries the client should use for recoverable errors.",
+			},
 		},
 	}
 }
@@ -119,11 +125,10 @@ func awsAuthBackendWrite(ctx context.Context, d *schema.ResourceData, meta inter
 	stsEndpoint := d.Get(consts.FieldSTSEndpoint).(string)
 	stsRegion := d.Get(consts.FieldSTSRegion).(string)
 	stsRegionFromClient := d.Get(useSTSRegionFromClient).(bool)
-
 	identityTokenAud := d.Get(consts.FieldIdentityTokenAudience).(string)
 	roleArn := d.Get(consts.FieldRoleArn).(string)
 	identityTokenTTL := d.Get(consts.FieldIdentityTokenTTL).(int)
-
+	maxRetries := d.Get(consts.FieldMaxRetries).(int)
 	iamServerIDHeaderValue := d.Get(consts.FieldIAMServerIDHeaderValue).(string)
 
 	path := awsAuthBackendClientPath(backend)
@@ -134,6 +139,7 @@ func awsAuthBackendWrite(ctx context.Context, d *schema.ResourceData, meta inter
 		consts.FieldSTSEndpoint:            stsEndpoint,
 		consts.FieldSTSRegion:              stsRegion,
 		consts.FieldIAMServerIDHeaderValue: iamServerIDHeaderValue,
+		consts.FieldMaxRetries:             maxRetries,
 	}
 
 	if d.HasChange(consts.FieldAccessKey) || d.HasChange(consts.FieldSecretKey) {
@@ -204,6 +210,7 @@ func awsAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta interf
 		consts.FieldSTSEndpoint,
 		consts.FieldSTSRegion,
 		consts.FieldIAMServerIDHeaderValue,
+		consts.FieldMaxRetries,
 	}
 	for _, k := range fields {
 		if v, ok := secret.Data[k]; ok {

diff --git a/vault/resource_aws_auth_backend_client_test.go b/vault/resource_aws_auth_backend_client_test.go
@@ -4,8 +4,8 @@
 package vault
 
 import (
+	"encoding/json"
 	"fmt"
-
 	"regexp"
 	"testing"
 
@@ -240,13 +240,20 @@ func testAccAWSAuthBackendClientCheck_attrs(backend string) resource.TestCheckFu
 			consts.FieldSTSEndpoint:            consts.FieldSTSEndpoint,
 			consts.FieldSTSRegion:              consts.FieldSTSRegion,
 			consts.FieldIAMServerIDHeaderValue: consts.FieldIAMServerIDHeaderValue,
+			consts.FieldMaxRetries:             consts.FieldMaxRetries,
 		}
 		for stateAttr, apiAttr := range attrs {
 			if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" {
 				continue
 			}
-			if resp.Data[apiAttr] != instanceState.Attributes[stateAttr] {
-				return fmt.Errorf("expected %s (%s) of %q to be %q, got %q", apiAttr, stateAttr, endpoint, instanceState.Attributes[stateAttr], resp.Data[apiAttr])
+			if apiAttr == consts.FieldMaxRetries {
+				if resp.Data[apiAttr].(json.Number).String() != instanceState.Attributes[stateAttr] {
+					return fmt.Errorf("expected %s (%s) of %q to be %q, got %q", apiAttr, stateAttr, endpoint, instanceState.Attributes[stateAttr], resp.Data[apiAttr].(json.Number).String())
+				}
+			} else {
+				if resp.Data[apiAttr] != instanceState.Attributes[stateAttr] {
+					return fmt.Errorf("expected %s (%s) of %q to be %q, got %q", apiAttr, stateAttr, endpoint, instanceState.Attributes[stateAttr], resp.Data[apiAttr])
+				}
 			}
 		}
 		return nil
@@ -302,6 +309,7 @@ resource "vault_aws_auth_backend_client" "client" {
   sts_endpoint = "http://vault.test/sts"
   sts_region = "vault-test"
   iam_server_id_header_value = "vault.test"
+  max_retries = "-1"
 }
 `, backend)
 }
@@ -323,6 +331,7 @@ resource "vault_aws_auth_backend_client" "client" {
   sts_endpoint = "http://updated.vault.test/sts"
   sts_region = "updated-vault-test"
   iam_server_id_header_value = "updated.vault.test"
+  max_retries = "0"
 }`, backend)
 }
 

diff --git a/website/docs/r/aws_auth_backend_client.html.md b/website/docs/r/aws_auth_backend_client.html.md
@@ -100,6 +100,9 @@ The following arguments are supported:
     `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
     that are used in the IAM auth method.
 
+* `max_retries` - (Optional) Number of max retries the client should use for recoverable errors. 
+    The default `-1` falls back to the AWS SDK's default behavior.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.