Kerberos auth method initial implementation of resources and ephemeral resources #2819
vijayavelsekar wants to merge 41 commits into main from
Conversation
harshit-nema
left a comment
Review comments for config_resource.
harshit-nema
left a comment
Sharing few review comments for kerberos_ldap_config_resource.
Pull request overview
Adds initial Terraform Plugin Framework support for Vault’s Kerberos auth method, including 3 new managed resources (backend config, LDAP config, group mappings) and 1 new ephemeral resource for Kerberos login/token issuance, plus accompanying docs and acceptance tests.
Changes:
- Introduce Kerberos auth resources: vault_kerberos_auth_backend_config, vault_kerberos_auth_backend_ldap_config, vault_kerberos_auth_backend_group.
- Add Kerberos login ephemeral resource: vault_kerberos_auth_backend_login (revokes token on close).
- Add new docs + acceptance tests, and adjust the vault_auth_backends data source test to avoid concurrent backend conflicts.
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| website/docs/r/kerberos_auth_backend_ldap_config.html.md | New resource docs for Kerberos LDAP configuration, including token fields and import instructions. |
| website/docs/r/kerberos_auth_backend_group.html.md | New resource docs for mapping LDAP groups to Vault policies under Kerberos auth. |
| website/docs/r/kerberos_auth_backend_config.html.md | New resource docs for configuring Kerberos backend (keytab/service account). |
| website/docs/ephemeral-resources/kerberos_auth_backend_login.html.md | New ephemeral resource docs for Kerberos login and ephemeral token usage. |
| vault/data_source_auth_backends_test.go | Updates acceptance test assertions to avoid conflicts with concurrently-created Kerberos backends. |
| testutil/testutil.go | Adds helper + struct for skipping Kerberos tests unless required env vars are present. |
| internal/vault/auth/kerberos/kerberos_ldap_config_resource_test.go | Adds acceptance test coverage for Kerberos LDAP config resource (defaults, updates, import, namespace, etc.). |
| internal/vault/auth/kerberos/kerberos_ldap_config_resource.go | Implements Kerberos LDAP config resource using the Plugin Framework + token field helpers. |
| internal/vault/auth/kerberos/kerberos_group_resource_test.go | Adds acceptance tests for Kerberos group resource behavior (CRUD/import/namespace/errors). |
| internal/vault/auth/kerberos/kerberos_group_resource.go | Implements Kerberos group mapping resource (policies for LDAP groups). |
| internal/vault/auth/kerberos/kerberos_config_resource_test.go | Adds acceptance tests for Kerberos backend config resource (CRUD/import/defaults/errors/namespace). |
| internal/vault/auth/kerberos/kerberos_config_resource.go | Implements Kerberos backend config resource (write-only keytab, service account, options). |
| internal/vault/auth/ephemeral/kerberos_login_test.go | Adds acceptance tests for Kerberos login ephemeral resource (basic/options/namespace). |
| internal/vault/auth/ephemeral/kerberos_login.go | Implements Kerberos login ephemeral resource (SPNEGO auth header + token revocation on Close). |
| internal/provider/fwprovider/provider.go | Registers the new Kerberos resources and ephemeral resource with the framework provider. |
| internal/consts/consts.go | Adds missing consts used by Kerberos resources/ephemeral outputs (e.g., identity_policies, keytab, client TLS WO fields). |
| CHANGELOG.md | Adds changelog entry for the new Kerberos resources and ephemeral login. |
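The login and revoke exchange the ephemeral resource performs, as described in the summary above (a SPNEGO token in the `Authorization: Negotiate` header sent to the Kerberos mount's login endpoint, then `auth/token/revoke-self` when the resource is closed), written out as an added example. This is not code from this PR or from terraform-provider-vault: `KerberosSession`, `FakeVault`, `FakeSPNEGO` and `FakeToken` are constructed for the example, and in the real resource the SPNEGO blob comes from a GSSAPI/Kerberos library and the requests go to the provider's configured Vault address and namespace.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// LoginResult is the part of Vault's auth block the ephemeral resource would expose.
type LoginResult struct {
	ClientToken string   `json:"client_token"`
	Policies    []string `json:"policies"`
}

// KerberosSession is a hypothetical helper (not the provider's type) modelling Open/Close.
type KerberosSession struct {
	Addr  string // e.g. https://vault.example.internal:8200
	token string // issued at Open, revoked at Close
}

// Open presents the SPNEGO token via Authorization: Negotiate and keeps the issued token.
func (s *KerberosSession) Open(mount, spnegoToken string) (*LoginResult, error) {
	req, err := http.NewRequest(http.MethodPost, strings.TrimRight(s.Addr, "/")+"/v1/auth/"+strings.Trim(mount, "/")+"/login", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Negotiate "+spnegoToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out struct {
		Auth   *LoginResult `json:"auth"`
		Errors []string     `json:"errors"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("decoding login response: %w", err)
	}
	if resp.StatusCode != http.StatusOK || out.Auth == nil {
		return nil, fmt.Errorf("kerberos login failed (HTTP %d): %s", resp.StatusCode, strings.Join(out.Errors, "; "))
	}
	s.token = out.Auth.ClientToken
	return out.Auth, nil
}

// Close revokes the token issued at Open (Vault answers 204); a no-op when nothing was issued.
func (s *KerberosSession) Close() error {
	if s.token == "" {
		return nil
	}
	req, err := http.NewRequest(http.MethodPost, strings.TrimRight(s.Addr, "/")+"/v1/auth/token/revoke-self", nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", s.token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("revoke-self returned HTTP %d", resp.StatusCode)
	}
	s.token = ""
	return nil
}

// Constructed values for the fake server below: not a real SPNEGO blob or Vault token.
const FakeSPNEGO = "YIIB-constructed-spnego-placeholder"
const FakeToken = "hvs.CONSTRUCTED-token"

// FakeVault is a constructed stand-in for Vault with Kerberos mounted at "kerberos".
type FakeVault struct {
	Server  *httptest.Server
	Revoked chan string // every token presented to revoke-self
}

func NewFakeVault() *FakeVault {
	fv := &FakeVault{Revoked: make(chan string, 8)}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kerberos/login", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Authorization") != "Negotiate "+FakeSPNEGO {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"errors":["authentication failed"]}`)
			return
		}
		fmt.Fprintf(w, `{"auth":{"client_token":%q,"policies":["default","kerberos-users"],"lease_duration":3600}}`, FakeToken)
	})
	mux.HandleFunc("/v1/auth/token/revoke-self", func(w http.ResponseWriter, r *http.Request) {
		fv.Revoked <- r.Header.Get("X-Vault-Token")
		w.WriteHeader(http.StatusNoContent)
	})
	fv.Server = httptest.NewServer(mux)
	return fv
}
```

The point to keep from the exchange is the one the resource description makes: the token returned at Open is a live credential, so Close must reach `revoke-self` on every path where Open succeeded, and must do nothing when Open failed so a rejected login never triggers a revoke with an empty token.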
ddd802e to 84b9313
harshit-nema
left a comment
Review comments for kerberos_group_resource
harshit-nema
left a comment
Ephemeral resource: Kerberos_login review.
Also, will there be any modifications required for the vault.erb file for this new implementation of the Vault Kerberos auth method?
siyer-corp
left a comment
Provided some comments on the first pass. For the ldap_config_resource, can we check if the functionality is similar to the ldap_auth resource?
siyer-corp
left a comment
As discussed, let's check if changes in vault/data_source_auth_backends_test.go are required. Provided some additional comments.
siyer-corp
left a comment
As discussed, can we refactor the tests accordingly?
| }, | ||
| consts.FieldEnableSamaccountnameLogin: schema.BoolAttribute{ | ||
| Optional: true, | ||
| Description: "If true, matching sAMAccountName attribute values will be allowed to login when upndomain is defined. Default: false. **Note:** This field is only supported in Vault 1.19.0 and above. Do not configure this attribute if your Vault version is below 1.19.0.", |
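Review bot: the 1.19.0+ requirement on `consts.FieldEnableSamaccountnameLogin` is enforced only by the description text, so a user on an older Vault learns about it from the API error at apply time rather than at plan time; alongside the shorter wording ("Requires Vault 1.19.0+"), add a Vault version check in the resource's create/update path (or a plan-time validation) that reports the requirement explicitly when the attribute is set.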
Can we make this concise? We can update the note to say "Requires Vault 1.19.0+"
| Optional: true, | ||
| WriteOnly: true, | ||
| Sensitive: true, | ||
| Description: "Client certificate key to provide to the LDAP server, must be x509 PEM encoded (write-only). Must be used together with client_tls_key_wo_version.", |
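Review bot: the pairing the description promises ("Must be used together with client_tls_key_wo_version") should be enforced in the schema rather than left to documentation, since a write-only value is not tracked in state and the version attribute is what drives its rotation; add a validator such as `stringvalidator.AlsoRequires(path.MatchRoot("client_tls_key_wo_version"))` from terraform-plugin-framework-validators so omitting the version fails at plan time, and break the long description string across lines.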
Can we split these into multi-line for better readability?
| // Copyright (c) HashiCorp, Inc. | ||
| // SPDX-License-Identifier: MPL-2.0 | ||
|
|
||
| package ephemeralauth |
Can we move these two files inside the kerberos directory?
| } | ||
|
|
||
| // TestAccKerberosAuthBackendConfig_runtimeErrors tests runtime errors | ||
| func TestAccKerberosAuthBackendConfig_runtimeErrors(t *testing.T) { |
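Review bot: if `TestAccKerberosAuthBackendConfig_runtimeErrors` stays, each step should set `ExpectError` to a regexp matching the specific Vault error being provoked, so the test cannot pass on an unrelated failure such as a missing keytab environment variable or an unreachable Vault; if its only purpose is to confirm that Vault rejects bad input, it exercises Vault rather than the provider and can be dropped.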
Do we need this, as it's testing Vault functionality, not TFVP?
| } | ||
|
|
||
| // TestAccKerberosAuthBackendLDAPConfig_runtimeErrors tests runtime errors | ||
| func TestAccKerberosAuthBackendLDAPConfig_runtimeErrors(t *testing.T) { |
Do we need this, as it's testing Vault functionality, not TFVP?
| }) | ||
| } | ||
|
|
||
| func TestAccKerberosAuthBackendGroup_invalid(t *testing.T) { |
Do we need this, as it's testing Vault functionality, not TFVP?
b9ccbe1 to 9c79a2d
…d_config resource
…mentation and test fix
…ecuting test cases
… to enable zero value update in statefile
…rent standard pattern
…ab and removed unwanted tests
161070d to 108b7fc
Description
Initial implementation for the resources and ephemeral resource below.
Closes #1723
Checklist
Output from acceptance testing:
Community Note
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.