secret/ssh: add support for allow_empty_principals on roles (#2354)

* secret/ssh: add support for allow_empty_principals on roles

* changelog

* ignore import field

* remove comment

CHANGELOG.md

@@ -6,6 +6,7 @@ FEATURES:
 * Update `vault_database_secret_backend_connection` to support skip_verification config for Cassandra ([#2346](https://github.com/hashicorp/terraform-provider-vault/pull/2346))
 * Update `vault_approle_auth_backend_role_secret_id` to support `num_uses` and `ttl` fields ([#2345](https://github.com/hashicorp/terraform-provider-vault/pull/2345))
 * Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2206](https://github.com/hashicorp/terraform-provider-vault/pull/2206))
+* Add support for `allow_empty_principals` field for the `vault_ssh_secret_backend_role` resource ([#2354](https://github.com/hashicorp/terraform-provider-vault/pull/2354))
 
 ## 4.4.0 (Aug 7, 2024)
 

vault/resource_ssh_secret_backend_role.go

@@ -183,6 +183,11 @@ func sshSecretBackendRoleResource() *schema.Resource {
 			Optional:    true,
 			Computed:    true,
 		},
+		"allow_empty_principals": {
+			Type:     schema.TypeBool,
+			Optional: true,
+			Default:  false,
+		},
 	}
 
 	return &schema.Resource{
@@ -261,6 +266,9 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 
 		data["allowed_domains_template"] = d.Get("allowed_domains_template")
 	}
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data["allow_empty_principals"] = d.Get("allow_empty_principals").(bool)
+	}
 
 	if v, ok := d.GetOk("key_id_format"); ok {
 		data["key_id_format"] = v.(string)
@@ -359,9 +367,13 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	if provider.IsAPISupported(meta, provider.VaultVersion112) {
 		fields = append(fields, []string{"default_user_template", "allowed_domains_template"}...)
 	}
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		fields = append(fields, []string{"allow_empty_principals"}...)
+	}
 
-	// cidr_list cannot be read from the API
-	// potential for drift here
+	// cannot be read from the API, potential for drift here:
+	// - cidr_list
+	// - allow_empty_principals
 	for _, k := range fields {
 		if err := d.Set(k, role.Data[k]); err != nil {
 			return err

vault/resource_ssh_secret_backend_role_test.go

@@ -50,6 +50,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 		// 30s is the default value vault uese.
 		// https://developer.hashicorp.com/vault/api-docs/secret/ssh#not_before_duration
 		resource.TestCheckResourceAttr(resourceName, "not_before_duration", "30"),
+		resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "false"),
 	)
 
 	updateCheckFuncs := append(commonCheckFuncs,
@@ -73,6 +74,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "ttl", "43200"),
 		// 50m (3000 seconds)
 		resource.TestCheckResourceAttr(resourceName, "not_before_duration", "3000"),
+		resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "true"),
 	)
 
 	getCheckFuncs := func(isUpdate bool) resource.TestCheckFunc {
@@ -84,19 +86,6 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 				checks = append(checks, initialCheckFuncs...)
 			}
 
-			meta := testProvider.Meta().(*provider.ProviderMeta)
-			isVaultVersion112 := meta.IsAPISupported(provider.VaultVersion112)
-			if isVaultVersion112 {
-				if isUpdate {
-					checks = append(checks,
-						resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "true"),
-					)
-				} else {
-					checks = append(checks,
-						resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "false"),
-					)
-				}
-			}
 			return resource.ComposeAggregateTestCheckFunc(checks...)(state)
 		}
 	}
@@ -129,35 +118,17 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "allowed_user_key_config.1.lengths.0", "256"),
 				),
 			},
-			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
+			testutil.GetImportTestStep(resourceName, false, nil, "allow_empty_principals"),
 		}
 	}
 
-	t.Run("vault-1.11-and-below", func(t *testing.T) {
-		resource.Test(t, resource.TestCase{
-			ProviderFactories: providerFactories,
-			PreCheck: func() {
-				testutil.TestAccPreCheck(t)
-				SkipIfAPIVersionGTE(t, testProvider.Meta(), provider.VaultVersion112)
-			},
-			CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
-			Steps:        getSteps(""),
-		})
-	})
-	t.Run("vault-1.12-and-up", func(t *testing.T) {
-		resource.Test(t, resource.TestCase{
-			ProviderFactories: providerFactories,
-			PreCheck: func() {
-				testutil.TestAccPreCheck(t)
-				SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion112)
-			},
-			CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
-			Steps:        getSteps("allowed_domains_template = true"),
-		})
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+		},
+		CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
+		Steps:        getSteps(""),
 	})
 }
 
@@ -205,7 +176,7 @@ func TestAccSSHSecretBackendRole_template(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "default_user_template", "true"),
 				),
 			},
-			testutil.GetImportTestStep(resourceName, false, nil),
+			testutil.GetImportTestStep(resourceName, false, nil, "allow_empty_principals"),
 		},
 	})
 }
@@ -289,6 +260,7 @@ resource "vault_ssh_secret_backend_role" "test_role" {
   allow_user_key_ids       = true
   allowed_critical_options = "foo,bar"
   allowed_domains          = "example.com,foo.com"
+  allowed_domains_template = true
   allowed_extensions       = "ext1,ext2"
   default_extensions       = { "ext1" = "" }
   default_critical_options = { "opt1" = "" }