Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Add new WIF fields for GCP Auth (Vault Enterprise only) #2256

Merged
merged 7 commits into from
Jun 6, 2024
Merged

Add new WIF fields for GCP Auth (Vault Enterprise only) #2256

merged 7 commits into from
Jun 6, 2024

Conversation

vinay-gopalan
Copy link
Contributor

Description

Adds the following new fields to the GCP Auth Backend resource to enable the WIF workflow:

  • identity_token_audience
  • identity_token_ttl
  • identity_token_key
  • service_account_email

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestGCPAuthBackend_WIF'
=== RUN   TestGCPAuthBackend_WIF
--- PASS: TestGCPAuthBackend_WIF (1.96s)
PASS

fairclothjm
fairclothjm reviewed Jun 5, 2024
View reviewed changes
vault/resource_gcp_auth_backend.go Show resolved Hide resolved
vault/resource_gcp_secret_backend.go
@@ -131,7 +131,7 @@ func gcpSecretBackendCreate(ctx context.Context, d *schema.ResourceData, meta in

d.Partial(true)
log.Printf("[DEBUG] Mounting GCP backend at %q", path)
useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117Ent)
useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117) && provider.IsEnterpriseSupported(meta)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was the previous check not sufficient to check for ent support?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fairclothjm upon testing with different versions I realized that since IsAPISupported only checks if a semantic version is greater than the other, the previous check was passing for non-enterprise versions since v1.17.0 > v1.16.3+ent. It looks like the safest bet is to check the enterprise metadata separately from the version comparison

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks that makes sense. After this PR lands are we planning to update the other WIF TFVP resources to make the same check?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, looks like you may have covered those in this PR already with recent commits.

@vinay-gopalan vinay-gopalan requested review from a team and Zlaticanin June 5, 2024 22:50
@vinay-gopalan vinay-gopalan added this to the 4.3.0 milestone Jun 5, 2024
@Zlaticanin
Copy link
Contributor

Should be add another usage example here for WIF? Similar how we've done for others

@vinay-gopalan
Copy link
Contributor Author

Should be add another usage example here for WIF? Similar how we've done for others

Ah thanks for the reminder! Added examples for both Auth and Secrets

Zlaticanin
Zlaticanin approved these changes Jun 6, 2024
View reviewed changes
Copy link
Contributor

@Zlaticanin Zlaticanin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🥳

@vinay-gopalan vinay-gopalan merged commit 877124b into main Jun 6, 2024
1 check passed
@vinay-gopalan vinay-gopalan deleted the VAULT-25137/gcp-auth-wif branch June 6, 2024 17:59
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@fairclothjm fairclothjm fairclothjm approved these changes

@Zlaticanin Zlaticanin Zlaticanin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.3.0
Development

Successfully merging this pull request may close these issues.
3 participants
@vinay-gopalan @Zlaticanin @fairclothjm