Merge branch 'main' into VAULT-21621/add-max-retries-field

hashicorp · Jun 12, 2024 · 9e08ae2 · 9e08ae2
2 parents e9e5a2a + 3fca3dd
commit 9e08ae2
Show file tree

Hide file tree

Showing 34 changed files with 1,521 additions and 353 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+# See GitHub's docs for more information on this file:
+# https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+  # Dependabot only updates hashicorp GHAs, external GHAs are managed by internal tooling (tsccr)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    allow:
+      - dependency-name: "hashicorp/*"
+  # Defines a group by package name, for security updates for golang dependencies
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      golang:
+        applies-to: security-updates
+        patterns:
+          - "golang.org*"
+          - "google.golang.org*"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -66,9 +66,9 @@ jobs:
         - "vault-enterprise:1.11.12-ent"
         - "vault-enterprise:1.12.11-ent"
         - "vault-enterprise:1.13.13-ent"
-        - "vault-enterprise:1.14.11-ent"
-        - "vault-enterprise:1.15.7-ent"
-        - "vault-enterprise:1.16.1-ent"
+        - "vault-enterprise:1.14.12-ent"
+        - "vault-enterprise:1.15.8-ent"
+        - "vault-enterprise:1.16.2-ent"
         - "vault:latest"
     services:
       vault:

diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.21.6
+1.22.3
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,8 +4,11 @@ FEATURES:
 * Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)).
 * Add support for `inheritable` on `vault_quota_rate_limit` and `vault_quota_lease_count`. Requires Vault 1.15+.: ([#2133](https://github.com/hashicorp/terraform-provider-vault/pull/2133)).
 * Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 
-* Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
 * Add support for new WIF fields in `vault_azure_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2250](https://github.com/hashicorp/terraform-provider-vault/pull/2250))
+* Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
+* Add support for new WIF fields in `vault_gcp_auth_backend` ([#2256](https://github.com/hashicorp/terraform-provider-vault/pull/2256))
+* Add support for new WIF fields in `vault_azure_auth_backend_config`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2254](https://github.com/hashicorp/terraform-provider-vault/pull/2254)).
+* Add new data source and resource `vault_pki_secret_backend_config_est`. Requires Vault 1.16+. *Available only for Vault Enterprise* ([#2246](https://github.com/hashicorp/terraform-provider-vault/pull/2246))
 * Add support for `max_retries` in `vault_aws_auth_backend_client`: ([#2270](https://github.com/hashicorp/terraform-provider-vault/pull/2270))
 
 IMPROVEMENTS:

diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -424,6 +424,17 @@ const (
 	FieldDelegatedAuthAccessors        = "delegated_auth_accessors"
 	FieldPluginVersion                 = "plugin_version"
 	FieldUseMSGraphAPI                 = "use_microsoft_graph_api"
+	FieldEnabled                       = "enabled"
+	FieldDefaultMount                  = "default_mount"
+	FieldDefaultPathPolicy             = "default_path_policy"
+	FieldLabelToPathPolicy             = "label_to_path_policy"
+	FieldAuthenticators                = "authenticators"
+	FieldEnableSentinelParsing         = "enable_sentinel_parsing"
+	FieldAuditFields                   = "audit_fields"
+	FieldLastUpdated                   = "last_updated"
+	FieldCustomEndpoint                = "custom_endpoint"
+	FieldPrivateKeyID                  = "private_key_id"
+	FieldTune                          = "tune"
 	FieldMaxRetries                    = "max_retries"
 
 	/*
@@ -494,17 +505,15 @@ const (
 	/*
 		Vault version constants
 	*/
-	VaultVersion190    = "1.9.0"
-	VaultVersion110    = "1.10.0"
-	VaultVersion111    = "1.11.0"
-	VaultVersion112    = "1.12.0"
-	VaultVersion113    = "1.13.0"
-	VaultVersion114    = "1.14.0"
-	VaultVersion115    = "1.15.0"
-	VaultVersion116    = "1.16.0"
-	VaultVersion116Ent = "1.16.0+ent"
-	VaultVersion117    = "1.17.0"
-	VaultVersion117Ent = "1.17.0+ent"
+	VaultVersion190 = "1.9.0"
+	VaultVersion110 = "1.10.0"
+	VaultVersion111 = "1.11.0"
+	VaultVersion112 = "1.12.0"
+	VaultVersion113 = "1.13.0"
+	VaultVersion114 = "1.14.0"
+	VaultVersion115 = "1.15.0"
+	VaultVersion116 = "1.16.0"
+	VaultVersion117 = "1.17.0"
 
 	/*
 		Vault auth methods

diff --git a/internal/provider/meta.go b/internal/provider/meta.go
@@ -35,16 +35,14 @@ const (
 var (
 	MaxHTTPRetriesCCC int
 
-	VaultVersion110    = version.Must(version.NewSemver(consts.VaultVersion110))
-	VaultVersion111    = version.Must(version.NewSemver(consts.VaultVersion111))
-	VaultVersion112    = version.Must(version.NewSemver(consts.VaultVersion112))
-	VaultVersion113    = version.Must(version.NewSemver(consts.VaultVersion113))
-	VaultVersion114    = version.Must(version.NewSemver(consts.VaultVersion114))
-	VaultVersion115    = version.Must(version.NewSemver(consts.VaultVersion115))
-	VaultVersion116    = version.Must(version.NewSemver(consts.VaultVersion116))
-	VaultVersion116Ent = version.Must(version.NewSemver(consts.VaultVersion116Ent))
-	VaultVersion117    = version.Must(version.NewSemver(consts.VaultVersion117))
-	VaultVersion117Ent = version.Must(version.NewSemver(consts.VaultVersion117Ent))
+	VaultVersion110 = version.Must(version.NewSemver(consts.VaultVersion110))
+	VaultVersion111 = version.Must(version.NewSemver(consts.VaultVersion111))
+	VaultVersion112 = version.Must(version.NewSemver(consts.VaultVersion112))
+	VaultVersion113 = version.Must(version.NewSemver(consts.VaultVersion113))
+	VaultVersion114 = version.Must(version.NewSemver(consts.VaultVersion114))
+	VaultVersion115 = version.Must(version.NewSemver(consts.VaultVersion115))
+	VaultVersion116 = version.Must(version.NewSemver(consts.VaultVersion116))
+	VaultVersion117 = version.Must(version.NewSemver(consts.VaultVersion117))
 
 	TokenTTLMinRecommended = time.Minute * 15
 )

diff --git a/vault/auth_mount.go b/vault/auth_mount.go
@@ -4,14 +4,15 @@
 package vault
 
 import (
-	"fmt"
+	"context"
+
 	"log"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
-	"github.com/hashicorp/vault/api"
-
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/vault/api"
 )
 
 func authMountTuneSchema() *schema.Schema {
@@ -76,22 +77,22 @@ func authMountTuneSchema() *schema.Schema {
 	}
 }
 
-func authMountTune(client *api.Client, path string, configured interface{}) error {
+func authMountTune(ctx context.Context, client *api.Client, path string, configured interface{}) error {
 	input := expandAuthMethodTune(configured.(*schema.Set).List())
 
-	return tuneMount(client, path, input)
+	return tuneMount(ctx, client, path, input)
 }
 
-func tuneMount(client *api.Client, path string, input api.MountConfigInput) error {
-	err := client.Sys().TuneMount(path, input)
+func tuneMount(ctx context.Context, client *api.Client, path string, input api.MountConfigInput) error {
+	err := client.Sys().TuneMountWithContext(ctx, path, input)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 
-func authMountTuneGet(client *api.Client, path string) (map[string]interface{}, error) {
-	tune, err := client.Sys().MountConfig(path)
+func authMountTuneGet(ctx context.Context, client *api.Client, path string) (map[string]interface{}, error) {
+	tune, err := client.Sys().MountConfigWithContext(ctx, path)
 	if err != nil {
 		log.Printf("[ERROR] Error when reading tune config from path %q: %s", path+"/tune", err)
 		return nil, err
@@ -100,11 +101,11 @@ func authMountTuneGet(client *api.Client, path string) (map[string]interface{},
 	return flattenAuthMethodTune(tune), nil
 }
 
-func authMountDisable(client *api.Client, path string) error {
+func authMountDisable(ctx context.Context, client *api.Client, path string) diag.Diagnostics {
 	log.Printf("[DEBUG] Disabling auth mount config from '%q'", path)
-	err := client.Sys().DisableAuth(path)
+	err := client.Sys().DisableAuthWithContext(ctx, path)
 	if err != nil {
-		return fmt.Errorf("error disabling auth mount from '%q': %s", path, err)
+		return diag.Errorf("error disabling auth mount from '%q': %s", path, err)
 	}
 	log.Printf("[INFO] Disabled auth mount from '%q'", path)
 

diff --git a/vault/data_source_pki_secret_backend_config_est.go b/vault/data_source_pki_secret_backend_config_est.go
@@ -0,0 +1,168 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package vault
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/vault/api"
+)
+
+func pkiSecretBackendConfigEstDataSource() *schema.Resource {
+	return &schema.Resource{
+		Description: "Reads Vault PKI EST configuration",
+		ReadContext: provider.ReadContextWrapper(readPKISecretBackendConfigEst),
+		Schema: map[string]*schema.Schema{
+			consts.FieldBackend: {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Path where PKI engine is mounted",
+			},
+			consts.FieldEnabled: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Specifies whether EST is enabled",
+			},
+			consts.FieldDefaultMount: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If set, this mount is registered as the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster",
+			},
+			consts.FieldDefaultPathPolicy: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>",
+			},
+			consts.FieldLabelToPathPolicy: {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: "A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths",
+			},
+			consts.FieldAuthenticators: {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Lists the mount accessors EST should delegate authentication requests towards",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cert": {
+							Type:        schema.TypeMap,
+							Optional:    true,
+							Description: "The accessor and cert_role properties for cert auth backends",
+						},
+						"userpass": {
+							Type:        schema.TypeMap,
+							Optional:    true,
+							Description: "The accessor property for user pass auth backends",
+						},
+					},
+				},
+			},
+			consts.FieldEnableSentinelParsing: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If set, parse out fields from the provided CSR making them available for Sentinel policies",
+			},
+			consts.FieldAuditFields: {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			consts.FieldLastUpdated: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "A read-only timestamp representing the last time the configuration was updated",
+			},
+		},
+	}
+}
+
+func readPKISecretBackendConfigEst(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if err := verifyPkiEstFeatureSupported(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client, err := provider.GetClient(d, meta)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed getting client: %w", err))
+	}
+
+	backend := d.Get(consts.FieldBackend).(string)
+	path := pkiSecretBackendConfigEstPath(backend)
+
+	if err := readEstConfig(ctx, d, client, path); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func readEstConfig(ctx context.Context, d *schema.ResourceData, client *api.Client, path string) error {
+	resp, err := client.Logical().ReadWithContext(ctx, path)
+	if err != nil {
+		return fmt.Errorf("error reading from Vault: %w", err)
+	}
+	if resp == nil {
+		return fmt.Errorf("got nil response from Vault from path: %q", path)
+	}
+
+	d.SetId(path)
+
+	keyComputedFields := []string{
+		consts.FieldEnabled,
+		consts.FieldDefaultMount,
+		consts.FieldDefaultPathPolicy,
+		consts.FieldLabelToPathPolicy,
+		consts.FieldEnableSentinelParsing,
+		consts.FieldAuditFields,
+		consts.FieldLastUpdated,
+	}
+
+	for _, k := range keyComputedFields {
+		if fieldVal, ok := resp.Data[k]; ok {
+			if err := d.Set(k, fieldVal); err != nil {
+				return fmt.Errorf("failed setting field [%s] with val [%s]: %w", k, fieldVal, err)
+			}
+		}
+	}
+
+	if authenticators, authOk := resp.Data[consts.FieldAuthenticators]; authOk {
+		if err := d.Set(consts.FieldAuthenticators, []interface{}{authenticators}); err != nil {
+			return fmt.Errorf("failed setting field [%s] with val [%s]: %w", consts.FieldAuthenticators, authenticators, err)
+		}
+	}
+
+	return nil
+}
+
+// verifyPkiEstFeatureSupported verifies that we are talking to a Vault enterprise edition
+// and its version 1.16.0 or higher, returns nil if the above is met, otherwise an error
+func verifyPkiEstFeatureSupported(meta interface{}) error {
+	currentVersion := meta.(*provider.ProviderMeta).GetVaultVersion()
+
+	minVersion := provider.VaultVersion116
+	if !provider.IsAPISupported(meta, minVersion) {
+		return fmt.Errorf("feature not enabled on current Vault version. min version required=%s; "+
+			"current vault version=%s", minVersion, currentVersion)
+	}
+
+	if !provider.IsEnterpriseSupported(meta) {
+		return errors.New("feature requires Vault Enterprise")
+	}
+	return nil
+}
+
+func pkiSecretBackendConfigEstPath(backend string) string {
+	return strings.Trim(backend, "/") + "/config/est"
+}