kubernetes auth role: allow unset audience

hashicorp · Apr 11, 2021 · ec0fe79 · ec0fe79
1 parent 93cac34
commit ec0fe79
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/vault/resource_kubernetes_auth_backend_role.go b/vault/resource_kubernetes_auth_backend_role.go
@@ -159,8 +159,14 @@ func kubernetesAuthBackendRoleUpdateFields(d *schema.ResourceData, data map[stri
 		data["period"] = v.(int)
 	}
 
-	if v, ok := d.GetOk("audience"); ok {
-		data["audience"] = v.(string)
+	if create {
+		if v, ok := d.GetOk("audience"); ok {
+			data["audience"] = v.(string)
+		}
+	} else {
+		if d.HasChange("audience") {
+			data["audience"] = d.Get("audience").(string)
+		}
 	}
 }
 

diff --git a/vault/resource_kubernetes_auth_backend_role_test.go b/vault/resource_kubernetes_auth_backend_role_test.go
@@ -373,6 +373,40 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"audience", newAudience),
 				),
 			},
+			// Unset `audience`
+			{
+				Config: testAccKubernetesAuthBackendRoleConfig_basicWithAudience(backend, role, newTTL, ""),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"backend", backend),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"role_name", role),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_names.64447719", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_names.#", "1"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespaces.64447719", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespaces.#", "1"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_policies.1971754988", "default"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_policies.326271447", "dev"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_policies.232240223", "prod"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_policies.#", "3"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_ttl", strconv.Itoa(newTTL)),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_max_ttl", "0"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"token_period", "0"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"audience", ""),
+				),
+			},
 		},
 	})
 }