[Feature Request] Add JWT type to nomad_acl_auth_method #422

Closed
flexwie opened this issue Jan 26, 2024 · 3 comments · Fixed by #448
Comments

flexwie commented Jan 26, 2024

The nomad_acl_auth_method resource currently only has support for OIDC type methods. It would be great if the JWT type were also supported (along with the added parameters in the config block).


lgfa29 commented Jan 29, 2024

Thanks for the suggestion @flexwie!

It does seem like the nomad_acl_auth_method is a little outdated, so it would be really nice to update it.

flexwie commented Jan 30, 2024

I have no experience writing Terraform resources, but I can give this a shot!

lgfa29 commented Feb 7, 2024

That's awesome @flexwie!

Resources in Terraform providers have a very simple CRUD (Create, Retrieve, Update, and Delete) interface. Since a resource already exists, you mostly need to update its configuration and populate the values so they're stored in the Terraform state.

I believe you will need to add the new fields here:

```go
// Schema of the nested `config` block as it stands today: every attribute is
// an OIDC one, and several of them are Required. JWT attributes would be added
// alongside these entries.
func resourceACLAuthMethodConfig() *schema.Resource {
	return &schema.Resource{
		Schema: map[string]*schema.Schema{
			"oidc_discovery_url": {
				Description: "The OIDC Discovery URL, without any .well-known component (base path).",
				Type:        schema.TypeString,
				Required:    true,
			},
			"oidc_client_id": {
				Description: "The OAuth Client ID configured with the OIDC provider.",
				Type:        schema.TypeString,
				Required:    true,
			},
			"oidc_client_secret": {
				Description: "The OAuth Client Secret configured with the OIDC provider.",
				Type:        schema.TypeString,
				Required:    true,
				Sensitive:   true, // redacted in plan output and logs
			},
			"oidc_scopes": {
				Description: "List of OIDC scopes.",
				Type:        schema.TypeList,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Optional:    true,
			},
			"bound_audiences": {
				Description: "List of auth claims that are valid for login.",
				Type:        schema.TypeList,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Optional:    true,
			},
			"allowed_redirect_uris": {
				Description: "A list of allowed values that can be used for the redirect URI.",
				Type:        schema.TypeList,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Required:    true,
			},
			"discovery_ca_pem": {
				Description: "PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.",
				Type:        schema.TypeList,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Optional:    true,
			},
			"signing_algs": {
				Description: "A list of supported signing algorithms.",
				Type:        schema.TypeList,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Optional:    true,
			},
			"claim_mappings": {
				Description: "Mappings of claims (key) that will be copied to a metadata field (value).",
				Type:        schema.TypeMap,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Optional:    true,
			},
			"list_claim_mappings": {
				Description: "Mappings of list claims (key) that will be copied to a metadata field (value).",
				Type:        schema.TypeMap,
				Elem:        &schema.Schema{Type: schema.TypeString},
				Optional:    true,
			},
		},
	}
}
```

And then update these two functions that are used to map values from the internal Terraform representation to the Nomad SDK (and vice-versa):

```go
// generateNomadACLAuthMethodConfig maps the Terraform representation of the
// config block (a map[string]interface{}) onto the Nomad SDK struct. Each new
// attribute needs its own case here.
func generateNomadACLAuthMethodConfig(intf interface{}) (*api.ACLAuthMethodConfig, error) {
	configMap, ok := intf.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("invalid type %T for auth method config, expected map[string]interface{}", intf)
	}
	var authMethodConfig api.ACLAuthMethodConfig
	for k, v := range configMap {
		switch k {
		case "oidc_discovery_url":
			authMethodConfig.OIDCDiscoveryURL = v.(string)
		case "oidc_client_id":
			authMethodConfig.OIDCClientID = v.(string)
		case "oidc_client_secret":
			authMethodConfig.OIDCClientSecret = v.(string)
		case "oidc_scopes":
			unpacked, err := unpackStringArray(v, "oidc_scopes")
			if err != nil {
				return nil, err
			}
			authMethodConfig.OIDCScopes = unpacked
		case "bound_audiences":
			unpacked, err := unpackStringArray(v, "bound_audiences")
			if err != nil {
				return nil, err
			}
			authMethodConfig.BoundAudiences = unpacked
		case "allowed_redirect_uris":
			unpacked, err := unpackStringArray(v, "allowed_redirect_uris")
			if err != nil {
				return nil, err
			}
			authMethodConfig.AllowedRedirectURIs = unpacked
		case "discovery_ca_pem":
			unpacked, err := unpackStringArray(v, "discovery_ca_pem")
			if err != nil {
				return nil, err
			}
			authMethodConfig.DiscoveryCaPem = unpacked
		case "signing_algs":
			unpacked, err := unpackStringArray(v, "signing_algs")
			if err != nil {
				return nil, err
			}
			authMethodConfig.SigningAlgs = unpacked
		case "claim_mappings":
			unpacked, err := unpackStringMap(v, "claim_mappings")
			if err != nil {
				return nil, err
			}
			authMethodConfig.ClaimMappings = unpacked
		case "list_claim_mappings":
			unpacked, err := unpackStringMap(v, "list_claim_mappings")
			if err != nil {
				return nil, err
			}
			authMethodConfig.ListClaimMappings = unpacked
		}
	}
	return &authMethodConfig, nil
}

// flattenACLAuthMethodConfig is the reverse direction: it turns the SDK struct
// back into the single-element list of maps that Terraform stores in state.
// Every attribute added above needs a matching key here.
func flattenACLAuthMethodConfig(cfg *api.ACLAuthMethodConfig) []any {
	if cfg == nil {
		return nil
	}
	result := map[string]interface{}{
		"oidc_discovery_url":    cfg.OIDCDiscoveryURL,
		"oidc_client_id":        cfg.OIDCClientID,
		"oidc_client_secret":    cfg.OIDCClientSecret,
		"oidc_scopes":           packStringArray(cfg.OIDCScopes),
		"bound_audiences":       packStringArray(cfg.BoundAudiences),
		"allowed_redirect_uris": packStringArray(cfg.AllowedRedirectURIs),
		"discovery_ca_pem":      packStringArray(cfg.DiscoveryCaPem),
		"signing_algs":          packStringArray(cfg.SigningAlgs),
		"claim_mappings":        packStringMap(cfg.ClaimMappings),
		"list_claim_mappings":   packStringMap(cfg.ListClaimMappings),
	}
	return []any{result}
}
```

Lastly the new values should be documented in https://github.com/hashicorp/terraform-provider-nomad/blob/main/website/docs/r/acl_auth_method.html.markdown. You can use https://registry.terraform.io/tools/doc-preview to preview changes there.

Let me know if you have any questions!
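As an added example (not code from this issue or from the provider), here is a self-contained Go sketch of what the two mapping functions pointed at above look like once JWT attributes are wired in, together with the unpack helper the snippet calls but does not show. It uses a local struct in place of api.ACLAuthMethodConfig so it compiles without the SDK, leaves out the OIDC attributes to stay short, and takes the attribute names jwt_validation_pub_keys and bound_issuer from Nomad's JWT auth method documentation rather than from this thread; the validateJWTConfig rules are this example's own pre-flight checks, not Nomad's server-side validation.

```go
package main

import (
	"errors"
	"fmt"
)

// authMethodConfig stands in for the Nomad SDK's api.ACLAuthMethodConfig so this example
// compiles without the SDK. bound_audiences and signing_algs are already in the resource;
// jwt_validation_pub_keys and bound_issuer are ASSUMED from Nomad's JWT auth method docs.
type authMethodConfig struct {
	BoundAudiences, SigningAlgs, JWTValidationPubKeys, BoundIssuer []string
}

// unpackStringArray mirrors the helper the snippet calls; the SDK passes lists as []interface{}.
func unpackStringArray(v interface{}, name string) ([]string, error) {
	raw, ok := v.([]interface{})
	if !ok {
		return nil, fmt.Errorf("invalid type %T for %s, expected []interface{}", v, name)
	}
	out := make([]string, 0, len(raw))
	for _, item := range raw {
		s, ok := item.(string)
		if !ok {
			return nil, fmt.Errorf("invalid element %T in %s, expected string", item, name)
		}
		out = append(out, s)
	}
	return out, nil
}

// listAttrs maps each attribute to its field; one table drives both directions, so a new
// JWT field cannot be wired into generate and forgotten in flatten (or the other way round).
func listAttrs(cfg *authMethodConfig) map[string]*[]string {
	return map[string]*[]string{
		"bound_audiences":         &cfg.BoundAudiences,
		"signing_algs":            &cfg.SigningAlgs,
		"jwt_validation_pub_keys": &cfg.JWTValidationPubKeys,
		"bound_issuer":            &cfg.BoundIssuer,
	}
}

// generateConfig is the Terraform -> SDK direction. An unknown key is an error, not silently
// dropped, so a schema/mapping mismatch cannot lose a field on the way to Nomad.
func generateConfig(intf interface{}) (*authMethodConfig, error) {
	configMap, ok := intf.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("invalid type %T for auth method config, expected map[string]interface{}", intf)
	}
	var cfg authMethodConfig
	attrs := listAttrs(&cfg)
	for k, v := range configMap {
		dst, known := attrs[k]
		if !known {
			return nil, fmt.Errorf("unknown auth method config key %q", k)
		}
		vals, err := unpackStringArray(v, k)
		if err != nil {
			return nil, err
		}
		*dst = vals
	}
	return &cfg, nil
}

// flattenConfig is the SDK -> state direction: one map inside a one-element list, which is
// how the SDK stores a nested block. It must invert generateConfig or plans show a diff.
func flattenConfig(cfg *authMethodConfig) []interface{} {
	result := map[string]interface{}{}
	for k, src := range listAttrs(cfg) {
		packed := make([]interface{}, len(*src))
		for i, s := range *src {
			packed[i] = s
		}
		result[k] = packed
	}
	return []interface{}{result}
}

// validateJWTConfig is this example's pre-flight check for a method of type JWT, not Nomad's
// own validation; each rule closes one way for a token the operator did not intend to pass.
func validateJWTConfig(cfg *authMethodConfig) error {
	if len(cfg.JWTValidationPubKeys) == 0 {
		return errors.New("jwt_validation_pub_keys is empty: no signature could be verified")
	}
	if len(cfg.BoundAudiences) == 0 {
		return errors.New("bound_audiences is empty: tokens minted for other services would be accepted")
	}
	if len(cfg.BoundIssuer) == 0 {
		return errors.New("bound_issuer is empty: any issuer holding a trusted key would be accepted")
	}
	return nil
}

func main() {
	block := map[string]interface{}{ // constructed sample block; the key is a placeholder
		"jwt_validation_pub_keys": []interface{}{"PEM-PUBLIC-KEY-PLACEHOLDER"},
		"bound_issuer":            []interface{}{"https://ci.example.internal"},
		"bound_audiences":         []interface{}{"nomad"},
	}
	cfg, err := generateConfig(block)
	fmt.Println("generated:", err == nil, "valid:", err == nil && validateJWTConfig(cfg) == nil)
}
```

Two things worth carrying into the real change: the round-trip property (generating from a flattened config gives back the same config) is what keeps `terraform plan` quiet after `apply`, and the schema above marks oidc_discovery_url, oidc_client_id, oidc_client_secret and allowed_redirect_uris as Required, so a JWT method, which has none of them, also needs those relaxed to Optional with a validation step that checks the right set is present for the chosen type.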
