resource_aws_auth_backend_role_tag.go
package vault
import (
"fmt"
"log"
"strings"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/vault/api"
)
// awsAuthBackendRoleTagResource returns the schema for a Vault AWS auth
// backend role tag. Every input argument is ForceNew, since the resource has
// no update path: changing any of them means asking Vault for a fresh tag.
// tag_key and tag_value are computed from Vault's response at create time.
func awsAuthBackendRoleTagResource() *schema.Resource {
	// Helper for the common "optional, recreate-on-change" input shape.
	optionalInput := func(t schema.ValueType, desc string) *schema.Schema {
		return &schema.Schema{
			Type:        t,
			Optional:    true,
			Description: desc,
			ForceNew:    true,
		}
	}
	// Read-only string attribute populated from the generated tag.
	computedString := func() *schema.Schema {
		return &schema.Schema{
			Type:     schema.TypeString,
			Computed: true,
		}
	}

	fields := map[string]*schema.Schema{
		"backend": {
			Type:        schema.TypeString,
			Optional:    true,
			Default:     "aws",
			Description: "AWS auth backend to read tags from.",
			ForceNew:    true,
		},
		"role": {
			Type:        schema.TypeString,
			Required:    true,
			Description: "Name of the role.",
			ForceNew:    true,
		},
		"policies": {
			Type:        schema.TypeList,
			Optional:    true,
			Description: "Policies to be associated with the tag.",
			Elem: &schema.Schema{
				Type: schema.TypeString,
			},
			ForceNew: true,
		},
		"max_ttl":                   optionalInput(schema.TypeString, "The maximum allowed lifetime of tokens issued using this role."),
		"instance_id":               optionalInput(schema.TypeString, "Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID."),
		"allow_instance_migration":  optionalInput(schema.TypeBool, "Allows migration of the underlying instance where the client resides."),
		"disallow_reauthentication": optionalInput(schema.TypeBool, "Only allow a single token to be granted per instance ID."),
		"tag_value":                 computedString(),
		"tag_key":                   computedString(),
	}

	return &schema.Resource{
		Create: awsAuthBackendRoleTagResourceCreate,
		Read:   awsAuthBackendRoleTagResourceRead,
		Delete: awsAuthBackendRoleTagResourceDelete,
		Schema: fields,
	}
}
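// awsAuthBackendRoleTagResourceCreate asks Vault to generate a role tag for
// the given AWS auth backend role and records the returned tag in state.
//
// The tag is produced by a single write to auth/<backend>/role/<role>/tag.
// Only the optional arguments the user actually set are forwarded, so Vault
// applies its own defaults for the rest. There is no read or delete call for
// a generated tag, so the resource ID is the request ID of that write.
//
// Returns an error if the write fails, if Vault returns no tag data, or if
// the computed attributes cannot be stored in state.
func awsAuthBackendRoleTagResourceCreate(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)

	backend := d.Get("backend").(string)
	role := d.Get("role").(string)
	// Trim surrounding slashes so "aws/" and "/aws" address the same mount.
	path := "auth/" + strings.Trim(backend, "/") + "/role/" + strings.Trim(role, "/") + "/tag"

	data := map[string]interface{}{}
	// GetOk reports false for unset (and zero-value) arguments; those are
	// left out so Vault's defaults apply rather than an explicit zero.
	for _, key := range []string{
		"policies",
		"max_ttl",
		"instance_id",
		"allow_instance_migration",
		"disallow_reauthentication",
	} {
		if v, ok := d.GetOk(key); ok {
			data[key] = v
		}
	}

	log.Printf("[DEBUG] Reading tag data %q from Vault", path)
	secret, err := client.Logical().Write(path, data)
	if err != nil {
		return fmt.Errorf("error reading tag data %q from Vault: %s", path, err)
	}
	// The Vault client can return a nil secret with a nil error (empty
	// response); guard before touching secret.RequestID / secret.Data so an
	// unexpected reply surfaces as an error instead of a nil dereference.
	if secret == nil || secret.Data == nil {
		return fmt.Errorf("no tag data returned from Vault for %q", path)
	}
	log.Printf("[DEBUG] Read tag data %q from Vault", path)

	d.SetId(secret.RequestID)
	// The generated tag is persisted in state via these computed attributes;
	// a Set failure is reported rather than silently dropped.
	if err := d.Set("tag_value", secret.Data["tag_value"]); err != nil {
		return fmt.Errorf("error setting tag_value for %q: %s", path, err)
	}
	if err := d.Set("tag_key", secret.Data["tag_key"]); err != nil {
		return fmt.Errorf("error setting tag_key for %q: %s", path, err)
	}
	return nil
}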
// awsAuthBackendRoleTagResourceRead is deliberately a no-op. No API call is
// made: the resource exists only so that the tag generated at create time
// (and its nonce) is kept in state instead of being regenerated on every
// refresh. State is left exactly as it was.
func awsAuthBackendRoleTagResourceRead(d *schema.ResourceData, meta interface{}) error {
	return nil
}
// awsAuthBackendRoleTagResourceDelete is deliberately a no-op. No API call is
// made and nothing is revoked in Vault; destroying the resource only drops the
// generated tag from state. The resource exists solely to keep the tag and its
// nonce from being regenerated on every refresh.
func awsAuthBackendRoleTagResourceDelete(d *schema.ResourceData, meta interface{}) error {
	return nil
}