Update vault_identity_entity to exclude policies from Vault request i…

…f external_policies = true. (#1950) * Updates vault_identity_entity_policies tests to ensure policies survive entity update. * Exclude policies in req if vault_identity_entity.external_policies = true.
hashicorp · Jul 25, 2023 · 9669daa · 9669daa
1 parent 5195f02
commit 9669daa
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/vault/resource_identity_entity.go b/vault/resource_identity_entity.go
@@ -103,7 +103,7 @@ func identityEntityUpdateFields(d *schema.ResourceData, data map[string]interfac
 			// should be configured on the entity.
 			data["external_policies"] = d.Get("external_policies").(bool)
 			if data["external_policies"].(bool) {
-				data["policies"] = nil
+				delete(data, "policies")
 			}
 		}
 	}

diff --git a/vault/resource_identity_entity_policies_test.go b/vault/resource_identity_entity_policies_test.go
@@ -69,6 +69,16 @@ func TestAccIdentityEntityPoliciesNonExclusive(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_identity_entity_policies.test", "policies.0", "foo"),
 				),
 			},
+			{
+				Config: testAccIdentityEntityPoliciesConfigNonExclusiveUpdateEntity(entity),
+				Check: resource.ComposeTestCheckFunc(
+					testAccIdentityEntityPoliciesCheckLogical("vault_identity_entity.entity", []string{"dev", "foo"}),
+					resource.TestCheckResourceAttr("vault_identity_entity_policies.dev", "policies.#", "1"),
+					resource.TestCheckResourceAttr("vault_identity_entity_policies.dev", "policies.0", "dev"),
+					resource.TestCheckResourceAttr("vault_identity_entity_policies.test", "policies.#", "1"),
+					resource.TestCheckResourceAttr("vault_identity_entity_policies.test", "policies.0", "foo"),
+				),
+			},
 		},
 	})
 }
@@ -266,6 +276,31 @@ resource "vault_identity_entity_policies" "dev" {
 }
 
 
+resource "vault_identity_entity_policies" "test" {
+  entity_id = vault_identity_entity.entity.id
+  exclusive = false
+  policies = ["foo"]
+}
+`, entity)
+}
+
+func testAccIdentityEntityPoliciesConfigNonExclusiveUpdateEntity(entity string) string {
+	return fmt.Sprintf(`
+resource "vault_identity_entity" "entity" {
+  name = "%s"
+  external_policies = true
+  metadata = {
+    version = "1"
+  }
+}
+
+resource "vault_identity_entity_policies" "dev" {
+	entity_id = vault_identity_entity.entity.id
+  exclusive = false
+  policies = ["dev"]
+}
+
+
 resource "vault_identity_entity_policies" "test" {
   entity_id = vault_identity_entity.entity.id
   exclusive = false