GCP auth: support nested backend mount paths (#1050)

* Updated gcp_auth_backend_role to fix the provider issue 880.

* Adding test with nested backend path

* stricter matching for role name

Adjusted role name portion of regex's to match single path component,
and added unit tests for gcpAuthResourceBackendFromPath() and
gcpAuthResourceRoleFromPath().

Co-authored-by: Vikash Sharma <vikash.sharma@ampion.com.au>

vault/resource_gcp_auth_backend_role.go

@@ -3,13 +3,19 @@ package vault
 import (
 	"fmt"
 	"log"
+	"regexp"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 
 	"github.com/hashicorp/vault/api"
 )
 
+var (
+	gcpAuthBackendFromPathRegex  = regexp.MustCompile("^auth/(.+)/role/[^/]+$")
+	gcpAuthRoleNameFromPathRegex = regexp.MustCompile("^auth/.+/role/([^/]+)$")
+)
+
 func gcpAuthBackendRoleResource() *schema.Resource {
 	fields := map[string]*schema.Schema{
 		"role": {
@@ -409,17 +415,23 @@ func gcpAuthResourceExists(d *schema.ResourceData, meta interface{}) (bool, erro
 }
 
 func gcpAuthResourceBackendFromPath(path string) (string, error) {
-	var parts = strings.Split(path, "/")
-	if len(parts) != 4 {
-		return "", fmt.Errorf("Expected 4 parts in path '%s'", path)
+	if !gcpAuthBackendFromPathRegex.MatchString(path) {
+		return "", fmt.Errorf("no backend found")
 	}
-	return parts[1], nil
+	res := gcpAuthBackendFromPathRegex.FindStringSubmatch(path)
+	if len(res) != 2 {
+		return "", fmt.Errorf("unexpected number of matches (%d) for backend", len(res))
+	}
+	return res[1], nil
 }
 
 func gcpAuthResourceRoleFromPath(path string) (string, error) {
-	var parts = strings.Split(path, "/")
-	if len(parts) != 4 {
-		return "", fmt.Errorf("Expected 4 parts in path '%s'", path)
+	if !gcpAuthRoleNameFromPathRegex.MatchString(path) {
+		return "", fmt.Errorf("no role found")
+	}
+	res := gcpAuthRoleNameFromPathRegex.FindStringSubmatch(path)
+	if len(res) != 2 {
+		return "", fmt.Errorf("unexpected number of matches (%d) for role", len(res))
 	}
-	return parts[3], nil
+	return res[1], nil
 }

vault/resource_gcp_auth_backend_role_test.go

@@ -13,8 +13,61 @@ import (
 	"github.com/hashicorp/vault/api"
 )
 
+func TestGCPAuthBackend_pathRegex(t *testing.T) {
+	tests := map[string]struct {
+		path      string
+		wantMount string
+		wantRole  string
+	}{
+		"no nesting": {
+			path:      "auth/gcp/role/carrot",
+			wantMount: "gcp",
+			wantRole:  "carrot",
+		},
+		"nested": {
+			path:      "auth/test/usc1/gpc/role/usc1-test-master",
+			wantMount: "test/usc1/gpc",
+			wantRole:  "usc1-test-master",
+		},
+		"nested with double 'role'": {
+			path:      "auth/gcp/role/role/foo",
+			wantMount: "gcp/role",
+			wantRole:  "foo",
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			mount, err := gcpAuthResourceBackendFromPath(tc.path)
+			if err != nil {
+				t.Fatalf("unexpected error: %s", err)
+			}
+			if mount != tc.wantMount {
+				t.Fatalf("expected mount %q, got %q", tc.wantMount, mount)
+			}
+
+			role, err := gcpAuthResourceRoleFromPath(tc.path)
+			if err != nil {
+				t.Fatalf("unexpected error: %s", err)
+			}
+			if role != tc.wantRole {
+				t.Fatalf("expected role %q, got %q", tc.wantRole, role)
+			}
+		})
+	}
+}
+
 func TestGCPAuthBackendRole_basic(t *testing.T) {
-	backend := acctest.RandomWithPrefix("tf-test-gcp-backend")
+	t.Run("simple backend path", func(t *testing.T) {
+		backend := acctest.RandomWithPrefix("tf-test-gcp-backend")
+		testGCPAuthBackendRole_basic(t, backend)
+	})
+	t.Run("nested backend path", func(t *testing.T) {
+		backend := acctest.RandomWithPrefix("tf-test-gcp-backend") + "/nested"
+		testGCPAuthBackendRole_basic(t, backend)
+	})
+}
+
+func testGCPAuthBackendRole_basic(t *testing.T, backend string) {
 	name := acctest.RandomWithPrefix("tf-test-gcp-role")
 	serviceAccount := acctest.RandomWithPrefix("tf-test-gcp-service-account")
 	projectId := acctest.RandomWithPrefix("tf-test-gcp-project-id")