From b5be85726fa8def6b6197daa91f6abe0ee813056 Mon Sep 17 00:00:00 2001
From: Vinay Gopalan
Date: Tue, 11 Jun 2024 15:58:24 -0700
Subject: [PATCH] fix tests and remove legacy code

---
 internal/consts/consts.go | 1 +
 vault/auth_token.go | 2 +
 vault/resource_okta_auth_backend.go | 30 +-
 .../resource_okta_auth_backend_group_test.go | 14 +-
 vault/resource_okta_auth_backend_test.go | 411 ++++++------------
 vault/resource_okta_auth_backend_user_test.go | 8 +-
 website/docs/r/okta_auth_backend.html.md | 39 ++
 7 files changed, 189 insertions(+), 316 deletions(-)

diff --git a/internal/consts/consts.go b/internal/consts/consts.go
index c65c069007..795ace3705 100644
--- a/internal/consts/consts.go
+++ b/internal/consts/consts.go
@@ -500,6 +500,7 @@ const (
 MountTypeTerraform = "terraform"
 MountTypeNone = "none"
 MountTypeSAML = "saml"
+ MountTypeOkta = "okta"
 /* Vault version constants
diff --git a/vault/auth_token.go b/vault/auth_token.go
index 76989f6ef2..f1b92bbdf6 100644
--- a/vault/auth_token.go
+++ b/vault/auth_token.go
@@ -75,6 +75,7 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf
 Type: schema.TypeInt,
 Description: "The maximum lifetime of the generated token",
 Optional: true,
+ Computed: true,
 ConflictsWith: config.TokenMaxTTLConflict,
 }
@@ -112,6 +113,7 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf
 Type: schema.TypeInt,
 Description: "The initial ttl of the token to generate in seconds",
 Optional: true,
+ Computed: true,
 ConflictsWith: config.TokenTTLConflict,
 }
diff --git a/vault/resource_okta_auth_backend.go b/vault/resource_okta_auth_backend.go
index 4ebd793145..645cb66e92 100644
--- a/vault/resource_okta_auth_backend.go
+++ b/vault/resource_okta_auth_backend.go
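Review bot: Adding `Computed: true` to token_max_ttl and token_ttl changes plan semantics for every auth resource built through addTokenFields, not only the Okta backend: once a user deletes `token_max_ttl` from their configuration, Terraform no longer plans a reset to the default and the previously applied limit silently stays in Vault. That is the usual Optional+Computed trade-off and may well be intended here (presumably so a server-side default does not show as perpetual drift), but neither the commit message nor the hunk records the reason. A why-comment on both fields, e.g. `// Computed: Vault reports a server-side default when unset, so an absent value must not diff`, would spare the next reader the guess, and the change is worth confirming against the other backends' acceptance tests since they share this schema. addTokenFields begins and ends outside both hunks.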
@@ -85,6 +85,7 @@ func oktaAuthBackendResource() *schema.Resource {
 Description: "Duration after which authentication will be expired",
 ValidateFunc: validateOktaTTL,
 StateFunc: normalizeOktaTTL,
+ Deprecated: "Deprecated. Please use `token_ttl` instead.",
 },
 "max_ttl": {
@@ -95,6 +96,7 @@ func oktaAuthBackendResource() *schema.Resource {
 Default: "0",
 ValidateFunc: validateOktaTTL,
 StateFunc: normalizeOktaTTL,
+ Deprecated: "Deprecated. Please use `token_max_ttl` instead.",
 },
 "group": {
@@ -305,7 +307,7 @@ func oktaAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta inter
 path := d.Id()
 log.Printf("[DEBUG] Reading auth %s from Vault", path)
- mount, err := mountutil.GetAuthMount(context.Background(), client, path)
+ mount, err := mountutil.GetAuthMount(ctx, client, path)
 if errors.Is(err, mountutil.ErrMountNotFound) {
 log.Printf("[WARN] Mount %q not found, removing from state.", path)
 d.SetId("")
@@ -363,24 +365,6 @@ func oktaReadAuthConfig(client *api.Client, path string, d *schema.ResourceData)
 return err
 }
- // map schema config TTL strings to okta auth TTL params.
- // the provider input type of string does not match Vault's API of int64
- ttlFieldMap := map[string]string{
- "ttl": "token_ttl",
- "max_ttl": "token_max_ttl",
- }
- for k, v := range ttlFieldMap {
- if v, ok := config.Data[v]; ok {
- s, err := parseutil.ParseString(v)
- if err != nil {
- return err
- }
- if err := d.Set(k, s); err != nil {
- return err
- }
- }
- }
-
 params := []string{
 "base_url",
 "bypass_okta_mfa",
@@ -419,14 +403,6 @@ func oktaAuthBackendUpdate(ctx context.Context, d *schema.ResourceData, meta int
 "token": d.Get("token"),
 }
- if ttl, ok := d.GetOk("ttl"); ok {
- configuration["ttl"] = ttl
- }
-
- if maxTtl, ok := d.GetOk("max_ttl"); ok {
- configuration["max_ttl"] = maxTtl
- }
-
 updateTokenFields(d, configuration, false)
 _, err := client.Logical().Write(oktaConfigEndpoint(path), configuration)
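Review bot: After this hunk and the matching one in oktaAuthBackendUpdate (`@@ -419,14 +403,6 @@`), the deprecated `ttl` and `max_ttl` arguments are still accepted by the schema but are neither written to Vault nor read back, so an existing configuration such as `ttl = "10m"` silently stops shortening token lifetime and tokens fall back to the mount's token_ttl default. Because state keeps the user's configured value and Read no longer overwrites it, no plan diff reveals this; the user only notices when tokens live longer than intended. Either forward the legacy values when the new ones are not set — e.g. in oktaAuthBackendUpdate, `if v, ok := d.GetOk("ttl"); ok { configuration["token_ttl"] = v }` guarded by a check that `token_ttl` is unset (whether updateTokenFields already populates that key is not visible here) — or return a warning diagnostic stating that the field is ignored, and mark `ttl`/`max_ttl` as deprecated in the website doc page as well, which this patch's docs hunk does not do. The body of oktaReadAuthConfig continues outside the hunk.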
diff --git a/vault/resource_okta_auth_backend_group_test.go b/vault/resource_okta_auth_backend_group_test.go
index 93de84742f..e8a62a5e62 100644
--- a/vault/resource_okta_auth_backend_group_test.go
+++ b/vault/resource_okta_auth_backend_group_test.go
@@ -21,6 +21,7 @@ func TestAccOktaAuthBackendGroup_basic(t *testing.T) {
 t.Parallel()
 path := "okta-" + strconv.Itoa(acctest.RandInt())
 organization := "dummy"
+ resourceName := "vault_okta_auth_backend_group.test"
 resource.Test(t, resource.TestCase{
 ProviderFactories: providerFactories,
@@ -31,7 +32,11 @@ func TestAccOktaAuthBackendGroup_basic(t *testing.T) {
 Config: testAccOktaAuthGroupConfig_basic(path, organization),
 Check: resource.ComposeTestCheckFunc(
 testAccOktaAuthBackendGroup_InitialCheck,
- testAccOktaAuthBackend_GroupsCheck(path, "foo", []string{"one", "two", "default"}),
+ resource.TestCheckResourceAttr(resourceName, "group_name", "foo"),
+ resource.TestCheckResourceAttr(resourceName, "policies.#", "3"),
+ resource.TestCheckResourceAttr(resourceName, "policies.0", "default"),
+ resource.TestCheckResourceAttr(resourceName, "policies.1", "one"),
+ resource.TestCheckResourceAttr(resourceName, "policies.2", "two"),
 ),
 },
 {
@@ -48,6 +53,7 @@ func TestAccOktaAuthBackendGroup_specialChar(t *testing.T) {
 t.Parallel()
 path := "okta-" + strconv.Itoa(acctest.RandInt())
 organization := "dummy"
+ resourceName := "vault_okta_auth_backend_group.test"
 resource.Test(t, resource.TestCase{
 ProviderFactories: providerFactories,
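Review bot: The replaced testAccOktaAuthBackend_GroupsCheck listed `/auth/<path>/groups` and failed when more than one group existed; the new TestCheckResourceAttr lines verify the managed group's attributes through the resource's Read but no longer assert that nothing else was created under the mount. The same applies to the `@@ -58,7 +64,11 @@` hunk below and to the equivalent change in resource_okta_auth_backend_user_test.go. The expected `policies.0`/`policies.1`/`policies.2` values are in sorted order rather than the `["one", "two", "default"]` order the config presumably lists, which ties the test to however Read stores the list; a one-line comment above the Check saying so would make that dependency explicit. If the "exactly one group" guard still matters, a small check that lists the groups endpoint and compares the key count can be kept alongside the attribute checks.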
@@ -58,7 +64,11 @@ func TestAccOktaAuthBackendGroup_specialChar(t *testing.T) {
 Config: testAccOktaAuthGroupConfig_specialChar(path, organization),
 Check: resource.ComposeTestCheckFunc(
 testAccOktaAuthBackendGroup_InitialCheck,
- testAccOktaAuthBackend_GroupsCheck(path, "foo/bar", []string{"one", "two", "default"}),
+ resource.TestCheckResourceAttr(resourceName, "group_name", "foo/bar"),
+ resource.TestCheckResourceAttr(resourceName, "policies.#", "3"),
+ resource.TestCheckResourceAttr(resourceName, "policies.0", "default"),
+ resource.TestCheckResourceAttr(resourceName, "policies.1", "one"),
+ resource.TestCheckResourceAttr(resourceName, "policies.2", "two"),
 ),
 },
 {
diff --git a/vault/resource_okta_auth_backend_test.go b/vault/resource_okta_auth_backend_test.go
index a693bf38c9..d75d28340c 100644
--- a/vault/resource_okta_auth_backend_test.go
+++ b/vault/resource_okta_auth_backend_test.go
@@ -4,44 +4,60 @@ package vault import ( - "encoding/json" "fmt" - "regexp" "testing" - "time" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - "github.com/hashicorp/terraform-provider-vault/internal/provider" + "github.com/hashicorp/terraform-provider-vault/internal/consts" "github.com/hashicorp/terraform-provider-vault/testutil" - "github.com/hashicorp/terraform-provider-vault/util" ) func TestAccOktaAuthBackend_basic(t *testing.T) { t.Parallel() organization := "example" path := resource.PrefixedUniqueId("okta-basic-") + resourceType := "vault_okta_auth_backend" + resourceName := resourceType + ".test" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: providerFactories, - CheckDestroy: testAccOktaAuthBackend_Destroyed(path), + CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeOkta, consts.FieldPath), Steps: []resource.TestStep{ { Config: testAccOktaAuthConfig_basic(path, organization), Check: resource.ComposeTestCheckFunc( - testAccOktaAuthBackend_InitialCheck, - testAccOktaAuthBackend_GroupsCheck(path, "dummy", []string{"one", "two", "default"}), - testAccOktaAuthBackend_UsersCheck(path, "foo", []string{"dummy"}, []string{}), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "3600"), + resource.TestCheckResourceAttr(resourceName, "organization", "example"), + resource.TestCheckResourceAttr(resourceName, "description", "Testing the Terraform okta auth backend"), + resource.TestCheckResourceAttrSet(resourceName, "accessor"), + resource.TestCheckResourceAttr(resourceName, "group.#", "1"), + resource.TestCheckResourceAttr(resourceName, "group.0.group_name", "dummy"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.#", "3"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.0", "default"), + 
resource.TestCheckResourceAttr(resourceName, "group.0.policies.1", "one"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.2", "two"), + resource.TestCheckResourceAttr(resourceName, "user.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.username", "foo"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "dummy"), ), }, { Config: testAccOktaAuthConfig_updated(path, organization), Check: resource.ComposeTestCheckFunc( - testAccOktaAuthBackend_GroupsCheck(path, "example", []string{"three", "four", "default"}), - testAccOktaAuthBackend_UsersCheck(path, "bar", []string{"example"}, []string{}), + resource.TestCheckResourceAttr(resourceName, "group.#", "1"), + resource.TestCheckResourceAttr(resourceName, "group.0.group_name", "example"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.#", "3"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.0", "default"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.1", "four"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.2", "three"), + resource.TestCheckResourceAttr(resourceName, "user.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.username", "bar"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "example"), ), }, }, 
@@ -52,110 +68,132 @@ func TestAccOktaAuthBackend_import(t *testing.T) { t.Parallel() organization := "example" path := resource.PrefixedUniqueId("okta-import-") + resourceType := "vault_okta_auth_backend" + resourceName := resourceType + ".test" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: providerFactories, - CheckDestroy: testAccOktaAuthBackend_Destroyed(path), + CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeOkta, consts.FieldPath), Steps: []resource.TestStep{ { Config: testAccOktaAuthConfig_basic(path, organization), Check: resource.ComposeTestCheckFunc( - testAccOktaAuthBackend_InitialCheck, - testAccOktaAuthBackend_GroupsCheck(path, "dummy", []string{"one", "two", "default"}), - testAccOktaAuthBackend_UsersCheck(path, "foo", []string{"dummy"}, []string{}), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "3600"), + resource.TestCheckResourceAttr(resourceName, "organization", "example"), + resource.TestCheckResourceAttr(resourceName, "description", "Testing the Terraform okta auth backend"), + resource.TestCheckResourceAttrSet(resourceName, "accessor"), + resource.TestCheckResourceAttr(resourceName, "group.#", "1"), + resource.TestCheckResourceAttr(resourceName, "group.0.group_name", "dummy"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.#", "3"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.0", "default"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.1", "one"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.2", "two"), + resource.TestCheckResourceAttr(resourceName, "user.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.username", "foo"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "dummy"), ), }, - { - ResourceName: "vault_okta_auth_backend.test", - ImportState: true, - 
ImportStateVerify: true, - ImportStateVerifyIgnore: []string{ - "token", - "disable_remount", - }, - }, + testutil.GetImportTestStep(resourceName, false, nil, + "token", + "disable_remount", + "ttl", + "max_ttl"), { Config: testAccOktaAuthConfig_updated(path, organization), Check: resource.ComposeTestCheckFunc( - testAccOktaAuthBackend_GroupsCheck(path, "example", []string{"three", "four", "default"}), - testAccOktaAuthBackend_UsersCheck(path, "bar", []string{"example"}, []string{}), + resource.TestCheckResourceAttr(resourceName, "group.#", "1"), + resource.TestCheckResourceAttr(resourceName, "group.0.group_name", "example"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.#", "3"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.0", "default"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.1", "four"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.2", "three"), + resource.TestCheckResourceAttr(resourceName, "user.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.username", "bar"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "example"), ), }, - { - ResourceName: "vault_okta_auth_backend.test", - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{ - "token", - "disable_remount", - }, - }, + testutil.GetImportTestStep(resourceName, false, nil, + "token", + "disable_remount", + "ttl", + "max_ttl"), }, }) } -func TestAccOktaAuthBackend_invalid_ttl(t *testing.T) { +func TestAccOktaAuthBackend_groups_optional(t *testing.T) { t.Parallel() organization := "example" - path := resource.PrefixedUniqueId("okta-invalid-ttl-") + path := resource.PrefixedUniqueId("okta-group-optional") + resourceType := "vault_okta_auth_backend" + resourceName := resourceType + ".test" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: 
providerFactories, - CheckDestroy: testAccOktaAuthBackend_Destroyed(path), + CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeOkta, consts.FieldPath), Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_invalid_ttl(path, organization), - ExpectError: regexp.MustCompile(`Error: invalid value for "ttl", could not parse "invalid_ttl"`), + Config: testAccOktaAuthConfig_groups_optional(path, organization), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "user.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.username", "bar"), + resource.TestCheckResourceAttr(resourceName, "user.0.policies.#", "2"), + resource.TestCheckResourceAttr(resourceName, "user.0.policies.0", "default"), + resource.TestCheckResourceAttr(resourceName, "user.0.policies.1", "eng"), + ), }, }, }) } -func TestAccOktaAuthBackend_invalid_max_ttl(t *testing.T) { +func TestAccOktaAuthBackend_remount(t *testing.T) { t.Parallel() + path := acctest.RandomWithPrefix("tf-test-auth-okta") + updatedPath := acctest.RandomWithPrefix("tf-test-auth-okta-updated") + organization := "example" - path := resource.PrefixedUniqueId("okta-invalid_max_ttl-") + resourceName := "vault_okta_auth_backend.test" resource.Test(t, resource.TestCase{ - PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: providerFactories, - CheckDestroy: testAccOktaAuthBackend_Destroyed(path), + PreCheck: func() { testutil.TestAccPreCheck(t) }, Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_invalid_max_ttl(path, organization), - ExpectError: regexp.MustCompile(`Error: invalid value for "max_ttl", could not parse "invalid_max_ttl"`), + Config: testAccOktaAuthConfig_basic(path, organization), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "path", path), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "3600"), + resource.TestCheckResourceAttr(resourceName, "organization", "example"), + 
resource.TestCheckResourceAttr(resourceName, "description", "Testing the Terraform okta auth backend"), + resource.TestCheckResourceAttrSet(resourceName, "accessor"), + ), }, - }, - }) -} - -func TestAccOktaAuthBackend_groups_optional(t *testing.T) { - t.Parallel() - organization := "example" - path := resource.PrefixedUniqueId("okta-group-optional") - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testutil.TestAccPreCheck(t) }, - ProviderFactories: providerFactories, - CheckDestroy: testAccOktaAuthBackend_Destroyed(path), - Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_groups_optional(path, organization), + Config: testAccOktaAuthConfig_basic(updatedPath, organization), Check: resource.ComposeTestCheckFunc( - testAccOktaAuthBackend_UsersCheck(path, "bar", []string{}, []string{"eng", "default"}), + resource.TestCheckResourceAttr(resourceName, "path", updatedPath), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "3600"), + resource.TestCheckResourceAttr(resourceName, "organization", "example"), + resource.TestCheckResourceAttr(resourceName, "description", "Testing the Terraform okta auth backend"), + resource.TestCheckResourceAttrSet(resourceName, "accessor"), ), }, + testutil.GetImportTestStep(resourceName, false, nil, + "token", + "disable_remount", + "ttl", + "max_ttl"), }, }) } -func TestAccOktaAuthBackend_remount(t *testing.T) { +func TestAccOktaAuthBackend_TokenFields(t *testing.T) { t.Parallel() path := acctest.RandomWithPrefix("tf-test-auth-okta") - updatedPath := acctest.RandomWithPrefix("tf-test-auth-okta-updated") - organization := "example" resourceName := "vault_okta_auth_backend.test" 
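Review bot: TestAccOktaAuthBackend_remount's TestCase sets ProviderFactories and PreCheck but no CheckDestroy, whereas the other tests in this hunk now pass `testCheckMountDestroyed(resourceType, consts.MountTypeOkta, consts.FieldPath)`; a remount is exactly where a stale mount left at the old path would otherwise go unnoticed. Add `CheckDestroy: testCheckMountDestroyed("vault_okta_auth_backend", consts.MountTypeOkta, consts.FieldPath),` to that TestCase. The same appears to apply to TestAccOktaAuthBackend_TokenFields, whose TestCase continues in the next hunk with no CheckDestroy visible there either.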
@@ -164,20 +202,21 @@ func TestAccOktaAuthBackend_remount(t *testing.T) { PreCheck: func() { testutil.TestAccPreCheck(t) }, Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_basic(path, organization), + Config: testAccOktaAuthConfig_tokenFields(path, organization), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "path", path), - testAccOktaAuthBackend_InitialCheck, - ), - }, - { - Config: testAccOktaAuthConfig_basic(updatedPath, organization), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(resourceName, "path", updatedPath), - testAccOktaAuthBackend_InitialCheck, + resource.TestCheckResourceAttr(resourceName, "token_policies.#", "2"), + resource.TestCheckResourceAttr(resourceName, "token_policies.0", "policy_a"), + resource.TestCheckResourceAttr(resourceName, "token_policies.1", "policy_b"), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "300"), + resource.TestCheckResourceAttr(resourceName, "token_max_ttl", "600"), ), }, - testutil.GetImportTestStep(resourceName, false, nil, "token", "disable_remount"), + testutil.GetImportTestStep(resourceName, false, nil, + "token", + "disable_remount", + "ttl", + "max_ttl"), }, }) } @@ -189,7 +228,7 @@ resource "vault_okta_auth_backend" "test" { path = "%s" organization = "%s" token = "this must be kept secret" - ttl = "1h" + token_ttl = 3600 group { group_name = "dummy" policies = ["one", "two", "default"] 
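Review bot: With `ttl = "1h"` replaced by `token_ttl = 3600` in testAccOktaAuthConfig_basic (`@@ -189,7 +228,7 @@`) and the invalid-TTL cases deleted in the following hunk, no acceptance configuration exercises the deprecated `ttl`/`max_ttl` arguments any more, even though the schema still registers them with validateOktaTTL and normalizeOktaTTL. Keeping one step that sets `ttl = "1h"` alongside `token_ttl` would show that a pre-existing configuration still plans and applies cleanly after the upgrade and would pin whatever `token_ttl` ends up as in that case. The new TestAccOktaAuthBackend_TokenFields itself looks consistent: `token_max_ttl = 600` is asserted and the `"ttl"`/`"max_ttl"` import ignores match the fields no longer being read back.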
@@ -221,32 +260,6 @@ resource "vault_okta_auth_backend" "test" { `, path, organization) } -func testAccOktaAuthConfig_invalid_ttl(path string, organization string) string { - return fmt.Sprintf(` -resource "vault_okta_auth_backend" "test" { - description = "Testing the Terraform okta auth backend" - path = "%s" - organization = "%s" - token = "this must be kept secret" - ttl = "invalid_ttl" - max_ttl = "1h" -} -`, path, organization) -} - -func testAccOktaAuthConfig_invalid_max_ttl(path string, organization string) string { - return fmt.Sprintf(` -resource "vault_okta_auth_backend" "test" { - description = "Testing the Terraform okta auth backend" - path = "%s" - organization = "%s" - token = "this must be kept secret" - ttl = "1h" - max_ttl = "invalid_max_ttl" -} -`, path, organization) -} - func testAccOktaAuthConfig_groups_optional(path string, organization string) string { return fmt.Sprintf(` resource "vault_okta_auth_backend" "test" { 
@@ -262,188 +275,14 @@ resource "vault_okta_auth_backend" "test" { `, path, organization) } -func testAccOktaAuthBackend_InitialCheck(s *terraform.State) error { - resourceState := s.Modules[0].Resources["vault_okta_auth_backend.test"] - if resourceState == nil { - return fmt.Errorf("resource not found in state") - } - - instanceState := resourceState.Primary - if instanceState == nil { - return fmt.Errorf("resource has no primary instance") - } - - path := instanceState.ID - - if path != instanceState.Attributes["path"] { - return fmt.Errorf("id doesn't match path") - } - - client, e := provider.GetClient(instanceState, testProvider.Meta()) - if e != nil { - return e - } - - authMounts, err := client.Sys().ListAuth() - if err != nil { - return err - } - - authMount := authMounts[path+"/"] - - if authMount == nil { - return fmt.Errorf("auth mount %s not present", path) - } - - if "okta" != authMount.Type { - return fmt.Errorf("incorrect mount type: %s", authMount.Type) - } - - if "Testing the Terraform okta auth backend" != authMount.Description { - return fmt.Errorf("incorrect description: %s", authMount.Description) - } - - config, err := client.Logical().Read(fmt.Sprintf("/auth/%s/config", path)) - if err != nil { - return fmt.Errorf("error reading back configuration: %s", err) - } - - if "example" != config.Data["organization"] { - return fmt.Errorf("incorrect organization: %s", config.Data["organization"]) - } - - ttl, err := config.Data["ttl"].(json.Number).Int64() - if err != nil { - return err - } - - if int64((time.Hour * 1).Seconds()) != ttl { - return fmt.Errorf("incorrect ttl: %s", config.Data["ttl"]) - } - - if instanceState.Attributes["accessor"] != authMount.Accessor { - return fmt.Errorf("incorrect accessor: %s", instanceState.Attributes["accessor"]) - } - - return nil -} - -func testAccOktaAuthBackend_GroupsCheck(path, groupName string, expectedPolicies []string) resource.TestCheckFunc { - return func(s *terraform.State) error { - client := 
testProvider.Meta().(*provider.ProviderMeta).MustGetClient() - - groupList, err := client.Logical().List(fmt.Sprintf("/auth/%s/groups", path)) - if err != nil { - return fmt.Errorf("error reading back group configuration: %s", err) - } - - if len(groupList.Data["keys"].([]interface{})) != 1 { - return fmt.Errorf("unexpected groups present: %v", groupList.Data) - } - - dummyGroup, err := client.Logical().Read(fmt.Sprintf("/auth/%s/groups/%s", path, groupName)) - if err != nil { - return fmt.Errorf("error reading back configuration: %s", err) - } - - var missing []interface{} - - actual := util.ToStringArray(dummyGroup.Data["policies"].([]interface{})) - EXPECTED: - for _, i := range expectedPolicies { - for _, j := range actual { - if i == j { - continue EXPECTED - } - } - - missing = append(missing, i) - } - - if len(missing) != 0 { - return fmt.Errorf("group policies incorrect; expected %[1]v, actual %[2]v (types: %[1]T, %[2]T)", expectedPolicies, actual) - } - - return nil - } -} - -func testAccOktaAuthBackend_UsersCheck(path, userName string, expectedGroups, expectedPolicies []string) resource.TestCheckFunc { - return func(s *terraform.State) error { - client := testProvider.Meta().(*provider.ProviderMeta).MustGetClient() - - userList, err := client.Logical().List(fmt.Sprintf("/auth/%s/users", path)) - if err != nil { - return fmt.Errorf("error reading back configuration: %s", err) - } - - if len(userList.Data["keys"].([]interface{})) != 1 { - return fmt.Errorf("unexpected users present: %v", userList.Data) - } - - user, err := client.Logical().Read(fmt.Sprintf("/auth/%s/users/%s", path, userName)) - if err != nil { - return fmt.Errorf("error reading back configuration: %s", err) - } - - var missing []interface{} - - actual := util.ToStringArray(user.Data["policies"].([]interface{})) - if len(expectedPolicies) != len(actual) { - return fmt.Errorf("expected %d policies, got %d", len(expectedPolicies), len(actual)) - } - EXPECTED_POLICIES: - for _, i := range 
expectedPolicies { - for _, j := range actual { - if i == j { - continue EXPECTED_POLICIES - } - } - - missing = append(missing, i) - } - - if len(missing) != 0 { - return fmt.Errorf("user policies incorrect; expected %[1]v (len: %[3]d), actual %[2]v (len: %[4]d) (types: %[1]T, %[2]T)", expectedPolicies, actual, len(expectedPolicies), len(actual)) - } - - actual = util.ToStringArray(user.Data["groups"].([]interface{})) - - if len(expectedGroups) != len(actual) { - return fmt.Errorf("expected %d groups, got %d", len(expectedGroups), len(actual)) - } - EXPECTED_GROUPS: - for _, i := range expectedGroups { - for _, j := range actual { - if i == j { - continue EXPECTED_GROUPS - } - } - - missing = append(missing, i) - } - - if len(missing) != 0 { - return fmt.Errorf("user groups incorrect; expected %[1]v, actual %[2]v (types: %[1]T, %[2]T)", expectedGroups, actual) - } - - return nil - } +func testAccOktaAuthConfig_tokenFields(path string, organization string) string { + return fmt.Sprintf(` +resource "vault_okta_auth_backend" "test" { + path = "%s" + organization = "%s" + token_ttl = 300 + token_max_ttl = 600 + token_policies = ["policy_a", "policy_b"] } - -func testAccOktaAuthBackend_Destroyed(path string) resource.TestCheckFunc { - return func(s *terraform.State) error { - client := testProvider.Meta().(*provider.ProviderMeta).MustGetClient() - - authMounts, err := client.Sys().ListAuth() - if err != nil { - return err - } - - if _, ok := authMounts[fmt.Sprintf("%s/", path)]; ok { - return fmt.Errorf("auth mount not destroyed") - } - - return nil - } +`, path, organization) } diff --git a/vault/resource_okta_auth_backend_user_test.go b/vault/resource_okta_auth_backend_user_test.go index faebbadc83..6d2e10ec85 100644 --- a/vault/resource_okta_auth_backend_user_test.go +++ b/vault/resource_okta_auth_backend_user_test.go 
@@ -21,6 +21,7 @@ func TestAccOktaAuthBackendUser(t *testing.T) {
 t.Parallel()
 path := "okta-" + strconv.Itoa(acctest.RandInt())
 organization := "dummy"
+ resourceName := "vault_okta_auth_backend_user.test"
 resource.Test(t, resource.TestCase{
 ProviderFactories: providerFactories,
@@ -31,7 +32,12 @@ func TestAccOktaAuthBackendUser(t *testing.T) {
 Config: testAccOktaAuthUserConfig(path, organization),
 Check: resource.ComposeTestCheckFunc(
 testAccOktaAuthBackendUser_InitialCheck,
- testAccOktaAuthBackend_UsersCheck(path, "user_test", []string{"one", "two"}, []string{"three"}),
+ resource.TestCheckResourceAttr(resourceName, "username", "user_test"),
+ resource.TestCheckResourceAttr(resourceName, "groups.#", "2"),
+ resource.TestCheckResourceAttr(resourceName, "groups.0", "one"),
+ resource.TestCheckResourceAttr(resourceName, "groups.1", "two"),
+ resource.TestCheckResourceAttr(resourceName, "policies.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "policies.0", "three"),
 ),
 },
 },
diff --git a/website/docs/r/okta_auth_backend.html.md b/website/docs/r/okta_auth_backend.html.md
index 8f32093da9..fee0805fbb 100644
--- a/website/docs/r/okta_auth_backend.html.md
+++ b/website/docs/r/okta_auth_backend.html.md
@@ -82,6 +82,45 @@ If this is not supplied only locally configured groups will be enabled. * `policies` - (Optional) List of Vault policies to associate with this user +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_period` - (Optional) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses) + of times a generated token may be used (within its lifetime); 0 means unlimited. 
+ +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + ## Attributes Reference In addition to all arguments above, the following attributes are exported: