Add reuse_wrapping_token functionality.

hashicorp · Sep 3, 2021 · 7718e43 · 7718e43
1 parent 5d8751b
commit 7718e43
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 6 deletions.
diff --git a/vault/resource_approle_auth_backend_role_secret_id.go b/vault/resource_approle_auth_backend_role_secret_id.go
@@ -80,6 +80,13 @@ func approleAuthBackendRoleSecretIDResource() *schema.Resource {
 				},
 			},
 
+			"reuse_wrapping_token": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Reuse the wrapping token if the wrapped secret-id is still valid.",
+				ForceNew:    true,
+			},
+
 			"accessor": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -141,6 +148,8 @@ func approleAuthBackendRoleSecretIDCreate(d *schema.ResourceData, meta interface
 	} else {
 		data["metadata"] = ""
 	}
+	var reuseWrappingToken bool
+	reuseWrappingToken = d.Get("reuse_wrapping_token").(bool)
 
 	wrappingTTL, wrapped := d.GetOk("wrapping_ttl")
 
@@ -167,7 +176,11 @@ func approleAuthBackendRoleSecretIDCreate(d *schema.ResourceData, meta interface
 	var accessor string
 
 	if wrapped {
-		accessor = resp.WrapInfo.Accessor
+		if reuseWrappingToken {
+			accessor = resp.WrapInfo.WrappedAccessor
+		} else {
+			accessor = resp.WrapInfo.Accessor
+		}
 		d.Set("wrapping_token", resp.WrapInfo.Token)
 		d.Set("wrapping_accessor", accessor)
 	} else {
@@ -176,7 +189,7 @@ func approleAuthBackendRoleSecretIDCreate(d *schema.ResourceData, meta interface
 		d.Set("accessor", accessor)
 	}
 
-	d.SetId(approleAuthBackendRoleSecretIDID(backend, role, accessor, wrapped))
+	d.SetId(approleAuthBackendRoleSecretIDID(backend, role, accessor, wrapped, reuseWrappingToken))
 
 	return approleAuthBackendRoleSecretIDRead(d, meta)
 }
@@ -191,8 +204,10 @@ func approleAuthBackendRoleSecretIDRead(d *schema.ResourceData, meta interface{}
 	}
 
 	// If the ID is wrapped, there is no information available other than whether
-	// the wrapping token is still valid.
-	if wrapped {
+	// the wrapping token is still valid, unless we are planning to re-use it.
+	reuseWrappingToken := d.Get("reuse_wrapping_token").(bool)
+
+	if wrapped && !reuseWrappingToken {
 		valid, err := approleAuthBackendRoleSecretIDExists(d, meta)
 		if err != nil {
 			return err
@@ -326,8 +341,8 @@ func approleAuthBackendRoleSecretIDExists(d *schema.ResourceData, meta interface
 	return resp != nil, nil
 }
 
-func approleAuthBackendRoleSecretIDID(backend, role, accessor string, wrapped bool) string {
-	if wrapped {
+func approleAuthBackendRoleSecretIDID(backend, role, accessor string, wrapped bool, reuse_wrapping_token bool) string {
+	if wrapped && !reuse_wrapping_token {
 		accessor = "wrapped-" + accessor
 	}
 	return fmt.Sprintf("backend=%s::role=%s::accessor=%s", strings.Trim(backend, "/"), strings.Trim(role, "/"), accessor)

diff --git a/vault/resource_approle_auth_backend_role_secret_id_test.go b/vault/resource_approle_auth_backend_role_secret_id_test.go
@@ -2,6 +2,7 @@ package vault
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
@@ -57,6 +58,30 @@ func TestAccAppRoleAuthBackendRoleSecretID_wrapped(t *testing.T) {
 	})
 }
 
+func TestAccAppRoleAuthBackendRoleSecretID_wrapped_reuse(t *testing.T) {
+	backend := acctest.RandomWithPrefix("approle")
+	role := acctest.RandomWithPrefix("test-role")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { util.TestAccPreCheck(t) },
+		Providers:    testProviders,
+		CheckDestroy: testAccCheckAppRoleAuthBackendRoleSecretIDDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAppRoleAuthBackendRoleSecretIDConfig_wrapped_reuse(backend, role),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(secretIDResource, "backend", backend),
+					resource.TestCheckResourceAttr(secretIDResource, "role_name", role),
+					resource.TestCheckResourceAttrSet(secretIDResource, "wrapping_accessor"),
+					resource.TestCheckResourceAttrSet(secretIDResource, "wrapping_token"),
+					resource.TestCheckResourceAttrSet(secretIDResource, "accessor"),
+					resource.TestMatchResourceAttr(secretIDResource, "accessor", regexp.MustCompile("^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$")),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAppRoleAuthBackendRoleSecretID_wrapped_namespace(t *testing.T) {
 	backend := acctest.RandomWithPrefix("approle")
 	role := acctest.RandomWithPrefix("test-role")
@@ -199,6 +224,27 @@ resource "vault_approle_auth_backend_role_secret_id" "secret_id" {
 }`, backend, role)
 }
 
+func testAccAppRoleAuthBackendRoleSecretIDConfig_wrapped_reuse(backend, role string) string {
+	return fmt.Sprintf(`
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+  path = "%s"
+}
+
+resource "vault_approle_auth_backend_role" "role" {
+  backend = "${vault_auth_backend.approle.path}"
+  role_name = "%s"
+  token_policies = ["default", "dev", "prod"]
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "secret_id" {
+  role_name = "${vault_approle_auth_backend_role.role.role_name}"
+  backend = "${vault_auth_backend.approle.path}"
+  wrapping_ttl = "60s"
+  reuse_wrapping_token = true
+}`, backend, role)
+}
+
 func testAccAppRoleAuthBackendRoleSecretIDConfig_wrapped_namespace(namespacePath, backend, role string) string {
 	return fmt.Sprintf(`
 provider "vault" {