Update various Authentication Resources for Vault 1.2 #478

lawliet89 · 2019-07-29T09:37:22Z

Vault 1.2 has the change:

auth/token: Token store roles use new, common token fields for the values that overlap with other auth backends. period, explicit_max_ttl, and bound_cidrs will continue to work, with priority being given to the token_ prefixed versions of those parameters. They will also be returned when doing a read on the role if they were used to provide values initially; however, in Vault 1.4 if period or explicit_max_ttl is zero they will no longer be returned. (explicit_max_ttl was already not returned if empty.)

This causes the provider to panic when used with Vault 1.2.

This PR attempts to fix these panics by deprecating some fields and adding new ones.

TODOs:

Update resource_cert_auth_backend_role
Update Documentation
Some more tests

Questions for @tyrannosaurus-becks :

Some resources requires setting all fields or omitted fields get reset to defaults. This makes it hard for the provider to provide backward compatibility because we now have to set all new token_ fields when updating or they get reset. I think this can be done by querying Vault for its version but it adds complexity.
There's quite a bit of complexity for backwards support and it's hard to test. Do you think it's worth doing a major version bump and breaking compatibility?

- Except Importing See hashicorp/vault#7020 Add deprecated tests - Remove behaviour for Pre-Vault 0.10

Fix tests

Update Github resources

Add tests Bump test images back to `latest`

tyrannosaurus-becks

Wow. Thank you, this is very much appreciated and quite excellent. Well done.

tyrannosaurus-becks · 2019-08-02T21:13:45Z

cmd/coverage/main.go

@@ -9,7 +9,7 @@ import (
 	"os"
 	"sort"

-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"


Nice catch! Thank you!

lawliet89 · 2019-08-02T23:21:40Z

I will submit a new pr to update the documentation.

StephenWithPH · 2019-08-09T18:41:07Z

@lawliet89 and @tyrannosaurus-becks and @paddycarver : this is great work; we've been waiting for this.

Purely an FYI: we were waiting on this so much that we enabled GitHub release notifications, but we didn't get a notification for this release. After digging, I learned that:

Without adding a message to the release, it only counts as a "tag" and not as a full release.

I suspect this also explains why the releases page doesn't emphasize release 2.2.0... it thinks this was just a tag.

42wim · 2019-08-16T16:03:02Z

This breaks nomad's vault integration, it still expects Period.

https://github.com/hashicorp/nomad/blob/83a75b310d60b6e9f3c6ca6d43c0a5ee104ef3fd/nomad/vault.go#L902-L904

kalafut · 2019-11-19T16:58:48Z

Note to future readers: This change first appeared in version 2.2.0 of the provider.

Update various Authentication Resources for Vault 1.2

ghost added the size/XXL label Jul 29, 2019

lawliet89 force-pushed the vault-1.2-auth branch from 19765cd to b2605cc Compare July 29, 2019 09:43

lawliet89 added 8 commits July 31, 2019 10:19

Update dependencies

c3daca8

Fix AppRole Auth Role Compatibility issues

497e283

- Except Importing See hashicorp/vault#7020 Add deprecated tests - Remove behaviour for Pre-Vault 0.10

Fix panics in AWS Auth Backend Roles

bb45a4b

Fix tests

Update vault_jwt_auth_backend_role

f5ad93b

Update vault_kubernetes_auth_backend_role

76f23a4

Update vault_gcp_auth_backend_role

7130669

Update Github roles

958733a

Update Github resources

Update Token Auth Backend Role

e8e3bff

Add tests Bump test images back to `latest`

lawliet89 force-pushed the vault-1.2-auth branch from 3fe0de4 to e8e3bff Compare July 31, 2019 02:20

Update cert_auth_backend_role

c754dd1

tyrannosaurus-becks self-assigned this Aug 2, 2019

tyrannosaurus-becks approved these changes Aug 2, 2019

View reviewed changes

tyrannosaurus-becks merged commit 5b6ad5f into hashicorp:master Aug 2, 2019

lawliet89 mentioned this pull request Aug 5, 2019

Update Authentication Role resources documentation with changes for Vault 1.2 #487

Merged

lawliet89 deleted the vault-1.2-auth branch August 5, 2019 04:45

This was referenced Aug 5, 2019

vault_approle_auth_backend_role does not work with vault v1.20 #485

Closed

Panic error for an approle on backend #489

Closed

kalafut mentioned this pull request Oct 2, 2019

Token_type parameter is not supported in vault_jwt_auth_backend or in general any of the auth backend resources #555

Closed

dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021

Merge pull request hashicorp#478 from lawliet89/vault-1.2-auth

a504240

Update various Authentication Resources for Vault 1.2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update various Authentication Resources for Vault 1.2 #478

Update various Authentication Resources for Vault 1.2 #478

lawliet89 commented Jul 29, 2019 •

edited

Loading

tyrannosaurus-becks left a comment

tyrannosaurus-becks Aug 2, 2019

lawliet89 commented Aug 2, 2019

StephenWithPH commented Aug 9, 2019

42wim commented Aug 16, 2019

kalafut commented Nov 19, 2019

Update various Authentication Resources for Vault 1.2 #478

Update various Authentication Resources for Vault 1.2 #478

Conversation

lawliet89 commented Jul 29, 2019 • edited Loading

tyrannosaurus-becks left a comment

Choose a reason for hiding this comment

tyrannosaurus-becks Aug 2, 2019

Choose a reason for hiding this comment

lawliet89 commented Aug 2, 2019

StephenWithPH commented Aug 9, 2019

42wim commented Aug 16, 2019

kalafut commented Nov 19, 2019

lawliet89 commented Jul 29, 2019 •

edited

Loading