VAULT-43852 Added write-only field and updated related files for keytab and removed unwanted tests

Author: vijayavelsekar

internal/consts/consts.go

@@ -815,6 +815,7 @@ const (
 	FieldBindPassWOVersion          = "bindpass_wo_version"
 	FieldKeytab                     = "keytab"
 	FieldKeytabWO                   = "keytab_wo"
+	FieldKeytabWOVersion            = "keytab_wo_version"
 	FieldClientTLSKeyWO             = "client_tls_key_wo"
 	FieldClientTLSKeyWOVersion      = "client_tls_key_wo_version"
 	FieldClientTLSCertWO            = "client_tls_cert_wo"

internal/vault/auth/kerberos/kerberos_config_resource.go

@@ -51,6 +51,7 @@ type kerberosAuthBackendConfigModel struct {
 	base.BaseModel
 	Mount              types.String `tfsdk:"mount"`
 	KeytabWO           types.String `tfsdk:"keytab_wo"`
+	KeytabWOVersion    types.Int64  `tfsdk:"keytab_wo_version"`
 	ServiceAccount     types.String `tfsdk:"service_account"`
 	RemoveInstanceName types.Bool   `tfsdk:"remove_instance_name"`
 	AddGroupAliases    types.Bool   `tfsdk:"add_group_aliases"`
@@ -89,6 +90,10 @@ func (r *kerberosAuthBackendConfigResource) Schema(_ context.Context, _ resource
 				Sensitive:   true,
 				Description: "Base64-encoded keytab file content (write-only). Must contain an entry matching service_account.",
 			},
+			consts.FieldKeytabWOVersion: schema.Int64Attribute{
+				Required:    true,
+				Description: "Version identifier for keytab updates. Increment this value to trigger a keytab update.",
+			},
 			consts.FieldServiceAccount: schema.StringAttribute{
 				Required:    true,
 				Description: "The Kerberos service account associated with the keytab entry (e.g., 'vault_svc').",
@@ -108,53 +113,57 @@ func (r *kerberosAuthBackendConfigResource) Schema(_ context.Context, _ resource
 }
 
 func (r *kerberosAuthBackendConfigResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan kerberosAuthBackendConfigModel
 	var config kerberosAuthBackendConfigModel
 
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
 	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	resp.Diagnostics.Append(r.writeConfig(ctx, &config)...)
+	resp.Diagnostics.Append(r.writeConfig(ctx, &plan, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	resp.Diagnostics.Append(resp.State.Set(ctx, &config)...)
+	resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)
 }
 
 func (r *kerberosAuthBackendConfigResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var plan kerberosAuthBackendConfigModel
 	var config kerberosAuthBackendConfigModel
 
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
 	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	resp.Diagnostics.Append(r.writeConfig(ctx, &config)...)
+	resp.Diagnostics.Append(r.writeConfig(ctx, &plan, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	resp.Diagnostics.Append(resp.State.Set(ctx, &config)...)
+	resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)
 }
 
 // writeConfig is a reusable helper that writes configuration to Vault and reads it back.
 // Used by both Create and Update operations.
-func (r *kerberosAuthBackendConfigResource) writeConfig(ctx context.Context, config *kerberosAuthBackendConfigModel) diag.Diagnostics {
+func (r *kerberosAuthBackendConfigResource) writeConfig(ctx context.Context, plan *kerberosAuthBackendConfigModel, config *kerberosAuthBackendConfigModel) diag.Diagnostics {
 	var diags diag.Diagnostics
 
-	vaultClient, err := client.GetClient(ctx, r.Meta(), config.Namespace.ValueString())
+	vaultClient, err := client.GetClient(ctx, r.Meta(), plan.Namespace.ValueString())
 	if err != nil {
 		diags.AddError(errutil.ClientConfigureErr(err))
 		return diags
 	}
 
-	mount := strings.Trim(config.Mount.ValueString(), "/")
+	mount := strings.Trim(plan.Mount.ValueString(), "/")
 	configPath := r.configPath(mount)
 
 	// Build the API request
-	vaultRequest, apiDiags := r.getApiModel(config)
+	vaultRequest, apiDiags := r.getApiModel(plan, config)
 	diags.Append(apiDiags...)
 	if diags.HasError() {
 		return diags
@@ -173,15 +182,15 @@ func (r *kerberosAuthBackendConfigResource) writeConfig(ctx context.Context, con
 	tflog.Info(ctx, fmt.Sprintf("Kerberos auth backend config successfully written to '%s'", configPath))
 
 	// Read back the configuration
-	found, readDiags := r.read(ctx, config)
+	found, readDiags := r.read(ctx, plan)
 	diags.Append(readDiags...)
 	if diags.HasError() {
 		return diags
 	}
 	if !found {
 		diags.AddError(
 			"Error reading back Kerberos auth backend config after write",
-			fmt.Sprintf("Config at '%s' was not found after successful write", r.configPath(strings.Trim(config.Mount.ValueString(), "/"))),
+			fmt.Sprintf("Config at '%s' was not found after successful write", r.configPath(strings.Trim(plan.Mount.ValueString(), "/"))),
 		)
 		return diags
 	}
@@ -318,14 +327,14 @@ func (r *kerberosAuthBackendConfigResource) mountFromPath(path string) (string,
 }
 
 // getApiModel builds the Vault API request map from the Terraform data model.
-func (r *kerberosAuthBackendConfigResource) getApiModel(config *kerberosAuthBackendConfigModel) (map[string]any, diag.Diagnostics) {
+func (r *kerberosAuthBackendConfigResource) getApiModel(plan *kerberosAuthBackendConfigModel, config *kerberosAuthBackendConfigModel) (map[string]any, diag.Diagnostics) {
 	var diags diag.Diagnostics
 
 	vaultRequest := map[string]any{
 		consts.FieldKeytab:             config.KeytabWO.ValueString(),
-		consts.FieldServiceAccount:     config.ServiceAccount.ValueString(),
-		consts.FieldRemoveInstanceName: config.RemoveInstanceName.ValueBool(),
-		consts.FieldAddGroupAliases:    config.AddGroupAliases.ValueBool(),
+		consts.FieldServiceAccount:     plan.ServiceAccount.ValueString(),
+		consts.FieldRemoveInstanceName: plan.RemoveInstanceName.ValueBool(),
+		consts.FieldAddGroupAliases:    plan.AddGroupAliases.ValueBool(),
 	}
 
 	return vaultRequest, diags

internal/vault/auth/kerberos/kerberos_config_resource_test.go

@@ -46,6 +46,7 @@ func TestAccKerberosAuthBackendConfig_basic(t *testing.T) {
 				ImportStateId:                        fmt.Sprintf("auth/%s/config", path),
 				ImportStateVerify:                    true,
 				ImportStateVerifyIdentifierAttribute: consts.FieldMount,
+				ImportStateVerifyIgnore:              []string{consts.FieldKeytabWOVersion},
 			},
 		},
 	})
@@ -87,6 +88,7 @@ func TestAccKerberosAuthBackendConfig_update(t *testing.T) {
 				ImportStateId:                        fmt.Sprintf("auth/%s/config", path),
 				ImportStateVerify:                    true,
 				ImportStateVerifyIdentifierAttribute: consts.FieldMount,
+				ImportStateVerifyIgnore:              []string{consts.FieldKeytabWOVersion},
 			},
 		},
 	})
@@ -131,28 +133,6 @@ func TestAccKerberosAuthBackendConfig_updateAndReplacement(t *testing.T) {
 	})
 }
 
-// TestAccKerberosAuthBackendConfig_defaultCheck tests to check default values
-func TestAccKerberosAuthBackendConfig_defaultCheck(t *testing.T) {
-	serviceAccount := "vault/localhost@EXAMPLE.COM"
-
-	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { acctestutil.TestAccPreCheck(t) },
-		ProtoV5ProviderFactories: providertest.ProtoV5ProviderFactories,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccKerberosAuthBackendConfigConfig_defaultValues(serviceAccount),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("vault_kerberos_auth_backend_config.config", consts.FieldMount, "kerberos"),
-					resource.TestCheckResourceAttr("vault_kerberos_auth_backend_config.config", consts.FieldServiceAccount, serviceAccount),
-					resource.TestCheckNoResourceAttr("vault_kerberos_auth_backend_config.config", consts.FieldKeytabWO),
-					resource.TestCheckNoResourceAttr("vault_kerberos_auth_backend_config.config", consts.FieldRemoveInstanceName),
-					resource.TestCheckNoResourceAttr("vault_kerberos_auth_backend_config.config", consts.FieldAddGroupAliases),
-				),
-			},
-		},
-	})
-}
-
 // TestAccKerberosAuthBackendConfig_validationErrors tests various validation errors
 func TestAccKerberosAuthBackendConfig_validationErrors(t *testing.T) {
 	path := acctest.RandomWithPrefix("kerberos")
@@ -162,16 +142,6 @@ func TestAccKerberosAuthBackendConfig_validationErrors(t *testing.T) {
 		PreCheck:                 func() { acctestutil.TestAccPreCheck(t) },
 		ProtoV5ProviderFactories: providertest.ProtoV5ProviderFactories,
 		Steps: []resource.TestStep{
-			// Test missing keytab
-			{
-				Config:      testAccKerberosAuthBackendConfigConfig_missingKeytab(path, serviceAccount),
-				ExpectError: regexp.MustCompile(`(attribute|argument) "keytab_wo" is required`),
-			},
-			// Test missing service account
-			{
-				Config:      testAccKerberosAuthBackendConfigConfig_missingServiceAccount(path),
-				ExpectError: regexp.MustCompile(`(attribute|argument) "service_account" is required`),
-			},
 			// Test empty service account - empty string passes Terraform validation but fails at Vault API
 			{
 				Config:      testAccKerberosAuthBackendConfigConfig_emptyServiceAccount(path),
@@ -269,6 +239,7 @@ func TestAccKerberosAuthBackendConfig_namespace(t *testing.T) {
 				ImportStateId:                        fmt.Sprintf("auth/%s/config", path),
 				ImportStateVerify:                    true,
 				ImportStateVerifyIdentifierAttribute: consts.FieldMount,
+				ImportStateVerifyIgnore:              []string{consts.FieldKeytabWOVersion},
 			},
 			{
 				// Cleanup step needed for the import step above
@@ -282,36 +253,6 @@ func TestAccKerberosAuthBackendConfig_namespace(t *testing.T) {
 	})
 }
 
-// Configuration templates for negative tests
-
-func testAccKerberosAuthBackendConfigConfig_missingKeytab(path, serviceAccount string) string {
-	return fmt.Sprintf(`
-resource "vault_auth_backend" "kerberos" {
-  type = "kerberos"
-  path = %q
-}
-
-resource "vault_kerberos_auth_backend_config" "config" {
-  mount           = vault_auth_backend.kerberos.path
-  service_account = %q
-}
-`, path, serviceAccount)
-}
-
-func testAccKerberosAuthBackendConfigConfig_missingServiceAccount(path string) string {
-	return fmt.Sprintf(`
-resource "vault_auth_backend" "kerberos" {
-  type = "kerberos"
-  path = %q
-}
-
-resource "vault_kerberos_auth_backend_config" "config" {
-  mount  = vault_auth_backend.kerberos.path
-  keytab_wo = %q
-}
-`, path, testKeytab)
-}
-
 func testAccKerberosAuthBackendConfigConfig_emptyServiceAccount(path string) string {
 	return fmt.Sprintf(`
 resource "vault_auth_backend" "kerberos" {
@@ -320,9 +261,10 @@ resource "vault_auth_backend" "kerberos" {
 }
 
 resource "vault_kerberos_auth_backend_config" "config" {
-  mount           = vault_auth_backend.kerberos.path
-  keytab_wo       = %q
-  service_account = ""
+  mount             = vault_auth_backend.kerberos.path
+  keytab_wo         = %q
+  keytab_wo_version = 1
+  service_account   = ""
 }
 `, path, testKeytab)
 }
@@ -335,9 +277,10 @@ resource "vault_auth_backend" "kerberos" {
 }
 
 resource "vault_kerberos_auth_backend_config" "config" {
-  mount           = vault_auth_backend.kerberos.path
-  keytab_wo       = ""
-  service_account = %q
+  mount             = vault_auth_backend.kerberos.path
+  keytab_wo         = ""
+  keytab_wo_version = 1
+  service_account   = %q
 }
 `, path, serviceAccount)
 }
@@ -352,9 +295,10 @@ resource "vault_auth_backend" "kerberos" {
 }
 
 resource "vault_kerberos_auth_backend_config" "config" {
-  mount           = vault_auth_backend.kerberos.path
-  keytab_wo       = %q
-  service_account = %q
+  mount             = vault_auth_backend.kerberos.path
+  keytab_wo         = %q
+  keytab_wo_version = 1
+  service_account   = %q
 }
 `, path, testKeytab, serviceAccount)
 }
@@ -369,6 +313,7 @@ resource "vault_auth_backend" "kerberos" {
 resource "vault_kerberos_auth_backend_config" "config" {
   mount                = vault_auth_backend.kerberos.path
   keytab_wo            = %q
+  keytab_wo_version    = 1
   service_account      = %q
   remove_instance_name = %t
   add_group_aliases    = %t
@@ -384,27 +329,14 @@ resource "vault_auth_backend" "kerberos" {
 }
 
 resource "vault_kerberos_auth_backend_config" "config" {
-  mount           = vault_auth_backend.kerberos.path
-  keytab_wo       = %q
-  service_account = %q
+  mount             = vault_auth_backend.kerberos.path
+  keytab_wo         = %q
+  keytab_wo_version = 2
+  service_account   = %q
 }
 `, path, keytab, serviceAccount)
 }
 
-func testAccKerberosAuthBackendConfigConfig_defaultValues(serviceAccount string) string {
-	return fmt.Sprintf(`
-resource "vault_auth_backend" "kerberos" {
-  type = "kerberos"
-}
-
-resource "vault_kerberos_auth_backend_config" "config" {
-  mount           = vault_auth_backend.kerberos.path
-  keytab_wo       = %q
-  service_account = %q
-}
-`, testKeytab, serviceAccount)
-}
-
 func testAccKerberosAuthBackendConfigConfig_namespace(namespace, path, serviceAccount string) string {
 	return fmt.Sprintf(`
 resource "vault_namespace" "test" {
@@ -418,10 +350,11 @@ resource "vault_auth_backend" "kerberos" {
 }
 
 resource "vault_kerberos_auth_backend_config" "config" {
-  namespace       = vault_namespace.test.path
-  mount           = vault_auth_backend.kerberos.path
-  keytab_wo       = %q
-  service_account = %q
+  namespace         = vault_namespace.test.path
+  mount             = vault_auth_backend.kerberos.path
+  keytab_wo         = %q
+  keytab_wo_version = 1
+  service_account   = %q
 }
 `, namespace, path, testKeytab, serviceAccount)
 }

internal/vault/auth/kerberos/kerberos_login_ephemeral_resource_test.go

@@ -168,6 +168,7 @@ resource "vault_auth_backend" "kerberos" {
 resource "vault_kerberos_auth_backend_config" "config" {
   mount               = vault_auth_backend.kerberos.path
   keytab_wo           = "%s"
+  keytab_wo_version   = 1
   service_account     = "%s"
 }
 
@@ -270,6 +271,7 @@ resource "vault_auth_backend" "kerberos" {
 resource "vault_kerberos_auth_backend_config" "config" {
   mount               = vault_auth_backend.kerberos.path
   keytab_wo           = "%s"
+  keytab_wo_version   = 1
   service_account     = "%s"
 }
 
@@ -402,6 +404,7 @@ resource "vault_kerberos_auth_backend_config" "config" {
   namespace           = vault_namespace.test.path
   mount               = vault_auth_backend.kerberos.path
   keytab_wo           = "%s"
+  keytab_wo_version   = 1
   service_account     = "%s"
 }
 
@@ -486,6 +489,7 @@ resource "vault_auth_backend" "kerberos" {
 resource "vault_kerberos_auth_backend_config" "config" {
   mount               = vault_auth_backend.kerberos.path
   keytab_wo           = "%s"
+  keytab_wo_version   = 1
   service_account     = "%s"
 }
 
@@ -569,6 +573,7 @@ resource "vault_auth_backend" "kerberos" {
 resource "vault_kerberos_auth_backend_config" "config" {
   mount               = vault_auth_backend.kerberos.path
   keytab_wo           = "%s"
+  keytab_wo_version   = 1
   service_account     = "%s"
 }