hashicorp · jasonodonnell · Dec 14, 2020 · Jul 10, 2020
diff --git a/vault/resource_identity_oidc_role.go b/vault/resource_identity_oidc_role.go
@@ -53,13 +53,15 @@ func identityOidcRole() *schema.Resource {
 				Type:        schema.TypeString,
 				Description: "The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role",
 				Computed:    true,
+				Optional:    true,
 			},
 		},
 	}
 }
 
 func identityOidcRoleUpdateFields(d *schema.ResourceData, data map[string]interface{}) {
 	data["key"] = d.Get("key").(string)
+	data["client_id"] = d.Get("client_id").(string)
 	data["template"] = d.Get("template").(string)
 	data["ttl"] = d.Get("ttl").(int)
 }

diff --git a/vault/resource_identity_oidc_role_test.go b/vault/resource_identity_oidc_role_test.go
@@ -44,35 +44,68 @@ func TestAccIdentityOidcRole(t *testing.T) {
 	})
 }
 
+func TestAccIdentityOidcRoleWithClientId(t *testing.T) {
+	name := acctest.RandomWithPrefix("test-role")
+	clientId := acctest.RandomWithPrefix("test-client-id")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testProviders,
+		CheckDestroy: testAccCheckIdentityOidcRoleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
+				Check: resource.ComposeTestCheckFunc(
+					testAccIdentityOidcRoleCheckAttrs(),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", ""),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", clientId),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "86400"),
+				),
+			},
+			{
+				ResourceName:      "vault_identity_oidc_role.role",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccIdentityOidcRoleUpdate(t *testing.T) {
 	name := acctest.RandomWithPrefix("test-role")
+	clientId := acctest.RandomWithPrefix("test-client-id")
+	updateClientId := acctest.RandomWithPrefix("test-update-client-id")
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckIdentityOidcRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccIdentityOidcRoleConfig(name),
+				Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
 				Check:  testAccIdentityOidcRoleCheckAttrs(),
 			},
 			{
-				Config: testAccIdentityOidcRoleConfigUpdate(name),
+				Config: testAccIdentityOidcRoleConfigUpdate(name, updateClientId),
 				Check: resource.ComposeTestCheckFunc(
 					testAccIdentityOidcRoleCheckAttrs(),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", fmt.Sprintf("%s\n", testAccIdentityOidcRoleTemplate)),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", updateClientId),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "3600"),
 				),
 			},
 			{
-				Config: testAccIdentityOidcRoleConfig(name),
+				Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
 				Check: resource.ComposeTestCheckFunc(
 					testAccIdentityOidcRoleCheckAttrs(),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", ""),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", clientId),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "86400"),
 				),
 			},
@@ -209,7 +242,22 @@ resource "vault_identity_oidc_role" "role" {
 `, entityName, entityName)
 }
 
-func testAccIdentityOidcRoleConfigUpdate(entityName string) string {
+func testAccIdentityOidcRoleWithClientIdConfig(entityName string, clientId string) string {
+	return fmt.Sprintf(`
+resource "vault_identity_oidc_key" "key" {
+  name = "%s"
+  algorithm = "RS256"
+}
+
+resource "vault_identity_oidc_role" "role" {
+	name = "%s"
+	key = vault_identity_oidc_key.key.name
+  client_id = "%s"
+}
+`, entityName, entityName, clientId)
+}
+
+func testAccIdentityOidcRoleConfigUpdate(entityName string, clientId string) string {
 	return fmt.Sprintf(`
 resource "vault_identity_oidc_key" "key" {
   name = "%s"
@@ -219,10 +267,11 @@ resource "vault_identity_oidc_key" "key" {
 resource "vault_identity_oidc_role" "role" {
 	name = "%s"
 	key = vault_identity_oidc_key.key.name
+  client_id = "%s"
 
 	template = <<EOF
 %s
 EOF
 	ttl = 3600
-}`, entityName, entityName, testAccIdentityOidcRoleTemplate)
+}`, entityName, entityName, clientId, testAccIdentityOidcRoleTemplate)
 }
diff --git a/website/docs/r/identity_oidc_role.html.md b/website/docs/r/identity_oidc_role.html.md
@@ -90,15 +90,15 @@ The following arguments are supported:
 
 * `ttl` - (Optional) TTL of the tokens generated against the role in number of seconds.
 
+* `client_id` - (Optional) The value that will be included in the `aud` field of all the OIDC identity
+  tokens issued by this role
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `id` - The name of the created role.
 
-* `client_id` - The value that will be included in the `aud` field of all the OIDC identity
-  tokens issued by this role
-
 ## Import
 
 The key can be imported with the role name, for example: