terraform-provider-vault
feat: new resource `vault_ldap_group_policy_attachment`
trafficstars
Description
This PR creates a new resource vault_ldap_group_policy_attachment that manages policies outside the LDAP group management (resource vault_ldap_auth_backend_group).
Closes https://github.com/hashicorp/terraform-provider-vault/issues/2460
Checklist
- [X] Added CHANGELOG entry (only for user-facing changes)
- [X] Acceptance tests were run against all supported Vault Versions
Output from acceptance testing:
```shell
TF_ACC=1 go test -v -timeout 30m ./vault -run TestLDAPGroupPolicyAttachment
```
Additional Notes
Before

```hcl
locals {
  # Policies already attached to the group outside Terraform, read back from the
  # Vault API so they survive the next apply of the group resource.
  existing_policies = { "LDAP-GROUP" = try(jsondecode(data.http.ldap_groups.response_body).data.policies, []) }
}

data "http" "ldap_groups" {
  url = "${var.vault_url}/v1/auth/ldap/groups/LDAP-GROUP"
  request_headers = {
    "X-Vault-Token" = local.vault_token
  }
}

resource "vault_policy" "sample" {
  name   = "example"
  policy = <<-EOT
    path "sample-mount/*" {
      capabilities = ["read", "list", "create", "delete", "update"]
    }
  EOT
}

resource "vault_ldap_auth_backend_group" "sample" {
  backend   = local.vault_ldap_auth_backend
  groupname = "LDAP-GROUP"
  # concat() only accepts lists, so index the map by group name rather than
  # passing the whole map.
  policies = toset(concat(
    local.existing_policies["LDAP-GROUP"],
    [vault_policy.sample.name],
  ))

  lifecycle {
    prevent_destroy = true
  }
}
```
After

```hcl
resource "vault_policy" "sample" {
  name   = "example"
  policy = <<-EOT
    path "sample-mount/*" {
      capabilities = ["read", "list", "create", "delete", "update"]
    }
  EOT
}

resource "vault_ldap_auth_backend_group" "sample" {
  backend   = local.vault_ldap_auth_backend
  groupname = "LDAP-GROUP"
}

resource "vault_ldap_group_policy_attachment" "sample" {
  backend   = local.vault_ldap_auth_backend
  groupname = "LDAP-GROUP"
  policies  = [vault_policy.sample.name]
}
```
Community Note
- Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
- Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request
Excellent.