Add support for missing max_retries param in `vault_aws_auth_backen…

…d_client` resource (#2270)

* Add support for missing max_retries param

CHANGELOG.md

@@ -10,6 +10,7 @@ FEATURES:
 * Add support for new WIF fields in `vault_azure_auth_backend_config`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2254](https://github.com/hashicorp/terraform-provider-vault/pull/2254)).
 * Add new data source and resource `vault_pki_secret_backend_config_est`. Requires Vault 1.16+. *Available only for Vault Enterprise* ([#2246](https://github.com/hashicorp/terraform-provider-vault/pull/2246))
 * Support missing token parameters on `vault_okta_auth_backend` resource: ([#2210](https://github.com/hashicorp/terraform-provider-vault/pull/2210))
+* Add support for `max_retries` in `vault_aws_auth_backend_client`: ([#2270](https://github.com/hashicorp/terraform-provider-vault/pull/2270))
 
 IMPROVEMENTS:
 * return a useful error when delete fails for the `vault_jwt_auth_backend_role` resource: ([#2232](https://github.com/hashicorp/terraform-provider-vault/pull/2232))

internal/consts/consts.go

@@ -435,6 +435,7 @@ const (
 	FieldCustomEndpoint                = "custom_endpoint"
 	FieldPrivateKeyID                  = "private_key_id"
 	FieldTune                          = "tune"
+	FieldMaxRetries                    = "max_retries"
 
 	/*
 		common environment variables

vault/resource_aws_auth_backend_client.go

@@ -101,6 +101,12 @@ func awsAuthBackendClientResource() *schema.Resource {
 				Computed:    true,
 				Description: "The TTL of generated identity tokens in seconds.",
 			},
+			consts.FieldMaxRetries: {
+				Type:        schema.TypeInt,
+				Default:     -1,
+				Optional:    true,
+				Description: "Number of max retries the client should use for recoverable errors.",
+			},
 		},
 	}
 }
@@ -119,11 +125,10 @@ func awsAuthBackendWrite(ctx context.Context, d *schema.ResourceData, meta inter
 	stsEndpoint := d.Get(consts.FieldSTSEndpoint).(string)
 	stsRegion := d.Get(consts.FieldSTSRegion).(string)
 	stsRegionFromClient := d.Get(useSTSRegionFromClient).(bool)
-
 	identityTokenAud := d.Get(consts.FieldIdentityTokenAudience).(string)
 	roleArn := d.Get(consts.FieldRoleArn).(string)
 	identityTokenTTL := d.Get(consts.FieldIdentityTokenTTL).(int)
-
+	maxRetries := d.Get(consts.FieldMaxRetries).(int)
 	iamServerIDHeaderValue := d.Get(consts.FieldIAMServerIDHeaderValue).(string)
 
 	path := awsAuthBackendClientPath(backend)
@@ -134,6 +139,7 @@ func awsAuthBackendWrite(ctx context.Context, d *schema.ResourceData, meta inter
 		consts.FieldSTSEndpoint:            stsEndpoint,
 		consts.FieldSTSRegion:              stsRegion,
 		consts.FieldIAMServerIDHeaderValue: iamServerIDHeaderValue,
+		consts.FieldMaxRetries:             maxRetries,
 	}
 
 	if d.HasChange(consts.FieldAccessKey) || d.HasChange(consts.FieldSecretKey) {
@@ -204,6 +210,7 @@ func awsAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta interf
 		consts.FieldSTSEndpoint,
 		consts.FieldSTSRegion,
 		consts.FieldIAMServerIDHeaderValue,
+		consts.FieldMaxRetries,
 	}
 	for _, k := range fields {
 		if v, ok := secret.Data[k]; ok {

vault/resource_aws_auth_backend_client_test.go

@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"encoding/json"
 	"fmt"
 	"regexp"
 	"testing"
@@ -240,13 +241,15 @@ func testAccAWSAuthBackendClientCheck_attrs(backend string) resource.TestCheckFu
 			consts.FieldSTSEndpoint:            consts.FieldSTSEndpoint,
 			consts.FieldSTSRegion:              consts.FieldSTSRegion,
 			consts.FieldIAMServerIDHeaderValue: consts.FieldIAMServerIDHeaderValue,
+			consts.FieldMaxRetries:             consts.FieldMaxRetries,
 		}
 		for stateAttr, apiAttr := range attrs {
-			if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" {
-				continue
+			respApiAttr := resp.Data[apiAttr]
+			if apiAttr == consts.FieldMaxRetries {
+				respApiAttr = resp.Data[apiAttr].(json.Number).String()
 			}
-			if resp.Data[apiAttr] != instanceState.Attributes[stateAttr] {
-				return fmt.Errorf("expected %s (%s) of %q to be %q, got %q", apiAttr, stateAttr, endpoint, instanceState.Attributes[stateAttr], resp.Data[apiAttr])
+			if respApiAttr != instanceState.Attributes[stateAttr] {
+				return fmt.Errorf("expected %s (%s) of %q to be %q, got %q", apiAttr, stateAttr, endpoint, instanceState.Attributes[stateAttr], respApiAttr)
 			}
 		}
 		return nil
@@ -302,6 +305,7 @@ resource "vault_aws_auth_backend_client" "client" {
   sts_endpoint = "http://vault.test/sts"
   sts_region = "vault-test"
   iam_server_id_header_value = "vault.test"
+  max_retries = "-1"
 }
 `, backend)
 }
@@ -323,6 +327,7 @@ resource "vault_aws_auth_backend_client" "client" {
   sts_endpoint = "http://updated.vault.test/sts"
   sts_region = "updated-vault-test"
   iam_server_id_header_value = "updated.vault.test"
+  max_retries = "0"
 }`, backend)
 }
 

website/docs/r/aws_auth_backend_client.html.md

@@ -100,6 +100,9 @@ The following arguments are supported:
     `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
     that are used in the IAM auth method.
 
+* `max_retries` - (Optional) Number of max retries the client should use for recoverable errors. 
+    The default `-1` falls back to the AWS SDK's default behavior.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.