Prevent invalid policy_arns from being created. #1229

Merged
merged 1 commit into from
Nov 22, 2021


benashz

@benashz benashz commented Nov 19, 2021

With the update to TF SDKv2 calling schema.ResourceData.Get() on a
TypeSet now returns nil. The previous code was testing for empty string,
which resulted in the policy_arns being set to [""] in Vault when no
policy_arns were specified in the TF code.

The offending conditional was referencing the vestigial schema key named
policy_arn, which has now been removed.

Additional fixes:

  • remove vestigial schema key policy
  • extend tests to cover reported failure mode
  • enhance other policy_arn tests
  • always validate the JSON policy document to avoid invalid input
  • update util.JsonDiffSuppress to log at the warn level rather than
    error, since the JSON parse errors are treated as non fatal

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #1226 #925

Output from acceptance testing:

$ make dev testacc TESTARGS='-v -test.run TestAccAWSSecretBackendRole'
==> Checking that code complies with gofmt requirements...
go build -o terraform-provider-vault
mv terraform-provider-vault ~/.terraform.d/plugins/
TF_ACC=1 go test $(go list ./...) -v -v -test.run TestAccAWSSecretBackendRole -timeout 20m

[...]

=== RUN   TestAccAWSSecretBackendRole_basic
--- PASS: TestAccAWSSecretBackendRole_basic (4.77s)
=== RUN   TestAccAWSSecretBackendRole_import
--- PASS: TestAccAWSSecretBackendRole_import (3.62s)
=== RUN   TestAccAWSSecretBackendRole_nested
--- PASS: TestAccAWSSecretBackendRole_nested (3.40s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     (cached)
...


@vinay-gopalan vinay-gopalan left a comment


LGTM!

@benashz benashz merged commit 6fe61a1 into main Nov 22, 2021
@benashz benashz deleted the VAULT-4356/fix-invalid-policy-arns branch November 22, 2021 18:59
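
The failure mode from the PR description (an unset policy_arns reaching Vault as [""]) and the "always validate the JSON policy document" item, as an added standalone example that is not the provider's own code. The helper name `roleData`, its signature, the `policy_document` key handling and the sample ARN are assumptions made for illustration; it uses only the Go standard library.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// roleData builds the request body for a role write. Hypothetical helper:
// name, signature and field handling are assumptions for illustration.
// rawARNs stands in for what a config layer returns for an unset or
// populated set: nil, or a slice of values.
func roleData(rawARNs interface{}, policyDocument string) (map[string]interface{}, error) {
	data := map[string]interface{}{}

	// Type-assert instead of comparing against "": a nil interface value is
	// not equal to the empty string, so an `!= ""` guard lets it through.
	if items, ok := rawARNs.([]interface{}); ok {
		arns := make([]string, 0, len(items))
		for _, it := range items {
			s, isString := it.(string)
			if !isString || strings.TrimSpace(s) == "" {
				return nil, errors.New("policy_arns: empty or non-string element")
			}
			arns = append(arns, s)
		}
		if len(arns) > 0 { // omit the key entirely rather than send [] or [""]
			data["policy_arns"] = arns
		}
	}

	if policyDocument != "" {
		if !json.Valid([]byte(policyDocument)) {
			return nil, errors.New("policy_document: not valid JSON")
		}
		data["policy_document"] = policyDocument
	}
	return data, nil
}

func main() {
	// Constructed sample inputs: unset, empty set, the [""] case, one ARN.
	for _, in := range []interface{}{nil, []interface{}{}, []interface{}{""}, []interface{}{"arn:aws:iam::123456789012:policy/example"}} {
		d, err := roleData(in, `{"Version":"2012-10-17","Statement":[]}`)
		fmt.Printf("%v -> %v, err=%v\n", in, d, err)
	}
}
```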
Successfully merging this pull request may close these issues.

policy_arns cannot be null on version 3.0.0