vault_ssh_secret_backend_role: Support default_users_template and templated default_user

[laugmanuel]

Starting with the upcoming Vault 1.12.0, the default_user will be templatable. The Terraform provider should support this quickly, as it removes the burden from the user to supply the default_user on each SSH client auth request.

Terraform Version

Affected Resource(s)

• vault_ssh_secret_backend_role

Terraform Configuration Files

resource "vault_ssh_secret_backend_role" "client" {
  name                    = "client"
  backend                 = vault_mount.ssh-client.path
  key_type                = "ca"
 
  allowed_users_template  = true
  allowed_users           = "{{ identity.entity.aliases.${vault_jwt_auth_backend.oidc.accessor}.name }}"

  # This should be implemented; this will be available from Vault 1.12.0 onwards
  default_users_template   = true
  default_user              = "{{ identity.entity.aliases.${vault_jwt_auth_backend.oidc.accessor}.name }}"
}

Debug Output

Panic Output

Expected Behavior

Terraform Vault provider supports default_users_template
Documentation is changed

Actual Behavior

currently not supported

Steps to Reproduce

Important Factoids

References

• Allow identity templates in ssh backend default_user field vault#16351
• https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#unreleased