Add gcp auth role extras

vault/resource_gcp_auth_backend_role.go

@@ -66,6 +66,38 @@ func gcpAuthBackendRoleResource() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"bound_zones": &schema.Schema{
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+				Computed: true,
+			},
+			"bound_regions": &schema.Schema{
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+				Computed: true,
+			},
+			"bound_instance_groups": &schema.Schema{
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+				Computed: true,
+			},
+			"bound_labels": &schema.Schema{
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+				Computed: true,
+			},
 			"backend": &schema.Schema{
 				Type:     schema.TypeString,
 				Optional: true,
@@ -121,6 +153,22 @@ func gcpAuthResourceWrite(d *schema.ResourceData, meta interface{}) error {
 		data["bound_service_accounts"] = v.(*schema.Set).List()
 	}
 
+	if v, ok := d.GetOk("bound_zones"); ok {
+		data["bound_zones"] = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("bound_regions"); ok {
+		data["bound_regions"] = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("bound_instance_groups"); ok {
+		data["bound_instance_groups"] = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("bound_instance_labels"); ok {
+		data["bound_instance_labels"] = v.(*schema.Set).List()
+	}
+
 	log.Printf("[DEBUG] Writing role %q to GCP auth backend", path)
 	d.SetId(path)
 	_, err := client.Logical().Write(path, data)
@@ -159,6 +207,22 @@ func gcpAuthResourceUpdate(d *schema.ResourceData, meta interface{}) error {
 		data["bound_service_accounts"] = v.(*schema.Set).List()
 	}
 
+	if v, ok := d.GetOk("bound_zones"); ok {
+		data["bound_zones"] = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("bound_regions"); ok {
+		data["bound_regions"] = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("bound_instance_groups"); ok {
+		data["bound_instance_groups"] = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("bound_labels"); ok {
+		data["bound_labels"] = v.(*schema.Set).List()
+	}
+
 	log.Printf("[DEBUG] Updating role %q in GCP auth backend", path)
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
@@ -196,9 +260,33 @@ func gcpAuthResourceRead(d *schema.ResourceData, meta interface{}) error {
 		schema.NewSet(
 			schema.HashString, resp.Data["policies"].([]interface{})))
 
-	d.Set("bound_service_accounts",
-		schema.NewSet(
-			schema.HashString, resp.Data["bound_service_accounts"].([]interface{})))
+	if accounts, ok := resp.Data["bound_service_accounts"]; ok {
+		d.Set("bound_service_accounts",
+			schema.NewSet(
+				schema.HashString, accounts.([]interface{})))
+	}
+
+	if zones, ok := resp.Data["bound_zones"]; ok {
+		d.Set("bound_zones", schema.NewSet(schema.HashString, zones.([]interface{})))
+	}
+
+	if regions, ok := resp.Data["bound_regions"]; ok {
+		d.Set("bound_regions",
+			schema.NewSet(
+				schema.HashString, regions.([]interface{})))
+	}
+
+	if groups, ok := resp.Data["bound_instance_groups"]; ok {
+		d.Set("bound_instance_groups",
+			schema.NewSet(
+				schema.HashString, groups.([]interface{})))
+	}
+
+	if labels, ok := resp.Data["bound_labels"]; ok {
+		d.Set("bound_labels",
+			schema.NewSet(
+				schema.HashString, labels.([]interface{})))
+	}
 
 	return nil
 }

vault/resource_gcp_auth_backend_role_test.go

@@ -32,6 +32,24 @@ func TestGCPAuthBackendRole_basic(t *testing.T) {
 	})
 }
 
+func TestGCPAuthBackendRole_gce(t *testing.T) {
+	backend := acctest.RandomWithPrefix("tf-test-gcp-backend")
+	name := acctest.RandomWithPrefix("tf-test-gcp-role")
+	projectId := acctest.RandomWithPrefix("tf-test-gcp-project-id")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testProviders,
+		CheckDestroy: testGCPAuthBackendRoleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testGCPAuthBackendRoleConfig_gce(backend, name, projectId),
+				Check:  testGCPAuthBackendRoleCheck_attrs(backend, name),
+			},
+		},
+	})
+}
+
 func testGCPAuthBackendRoleDestroy(s *terraform.State) error {
 	client := testProvider.Meta().(*api.Client)
 
@@ -95,6 +113,9 @@ func testGCPAuthBackendRoleCheck_attrs(backend, name string) resource.TestCheckF
 			"period":                 "period",
 			"policies":               "policies",
 			"bound_service_accounts": "bound_service_accounts",
+			"bound_regions":          "bound_regions",
+			"bound_zones":            "bound_zones",
+			"bound_labels":           "bound_labels",
 		}
 
 		for stateAttr, apiAttr := range attrs {
@@ -192,3 +213,28 @@ resource "vault_gcp_auth_backend_role" "test" {
 `, backend, name, serviceAccount, projectId)
 
 }
+
+func testGCPAuthBackendRoleConfig_gce(backend, name, projectId string) string {
+
+	return fmt.Sprintf(`
+
+resource "vault_auth_backend" "gcp" {
+    path = "%s"
+    type = "gcp"
+}
+
+resource "vault_gcp_auth_backend_role" "test" {
+    backend                = "${vault_auth_backend.gcp.path}"
+    role                   = "%s"
+    type                   = "gce"
+    project_id             = "%s"
+    ttl                    = 300
+    max_ttl                = 600
+		policies               = ["policy_a", "policy_b"]
+		bound_regions					 = ["eu-west2"]
+		bound_zones  					 = ["europe-west2-c"]
+		bound_labels					 = ["foo"]
+}
+`, backend, name, projectId)
+
+}

website/docs/r/gcp_auth_backend_role.html.md

@@ -33,7 +33,7 @@ The following arguments are supported:
 
 * `role` - (Required) Name of the GCP role
 
-* `type` - (Required) Type of GCP authentication role
+* `type` - (Required) Type of GCP authentication role (either `gce` or `iam`)
 
 * `project_id` - (Required) GCP Project that the role exists within
 
@@ -45,10 +45,22 @@ The following arguments are supported:
 
 * `policies` - (Optional) Policies to grant on the issued token
 
-* `bound_service_accounts` - (Optional) GCP Service Accounts allowed to issue tokens under this role
-
 * `backend` - (Optional) Path to the mounted GCP auth backend
 
+* `bound_service_accounts` - (Optional) GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`We)
+
+### gce-only Parameters
+
+The following parameters are only valid when the role is of type `"gce"`:
+
+* `bound_zones` - (Optional)  The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
+
+* `bound_regions` - (Optional) The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
+
+* `bound_instance_groups` - (Optional) The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
+
+* `bound_labels` - (Optional) A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
+
 For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api/auth/gcp/index.html).
 
 ## Attribute Reference