TFVP-Initial-Implementation-Sys-Backend-Group-Policy-Application

[itsjiyapatel]

Description

Implements a new Terraform resource vault_config_group_policy_application for managing Vault's group policy application mode configuration. This provides a type-safe, declarative way to control how identity group policies are applied across namespace hierarchies, replacing the need to use vault_generic_endpoint for this critical security configuration.

Resource: vault_config_group_policy_application at internal/vault/sys/config/group_policy_application.go

Key Features:

• Full CRUD operations with proper error handling
• Root/admin namespace restriction with validation
• Two supported modes: within_namespace_hierarchy (default) and any
• Singleton resource pattern with fixed ID "config"
• Import support with ID validation
• Enterprise namespace support
• Delete operation resets to default mode

Configuration Modes:

• within_namespace_hierarchy: Groups can only apply policies within their namespace hierarchy (default, more restrictive)
• any: Groups can apply policies from any namespace (less restrictive, increased flexibility)

Relates OR Closes #0000

Checklist

• Added CHANGELOG entry (only for user-facing changes)
• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ go test -v -count=1 -run TestAccConfigGroupPolicyApplication ./internal/vault/sys/config
=== RUN   TestAccConfigGroupPolicyApplication
    group_policy_application_test.go:25: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication (0.91s)
=== RUN   TestAccConfigGroupPolicyApplication_update
    group_policy_application_test.go:54: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_update (1.58s)
=== RUN   TestAccConfigGroupPolicyApplication_invalidMode
    group_policy_application_test.go:101: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_invalidMode (0.14s)
=== RUN   TestAccConfigGroupPolicyApplication_invalidNamespace
    group_policy_application_test.go:118: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_invalidNamespace (0.24s)
=== RUN   TestAccConfigGroupPolicyApplication_importInvalidID
    group_policy_application_test.go:135: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_importInvalidID (0.59s)
=== RUN   TestAccConfigGroupPolicyApplication_modeAny
    group_policy_application_test.go:159: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_modeAny (0.51s)
=== RUN   TestAccConfigGroupPolicyApplication_delete
    group_policy_application_test.go:181: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_delete (1.16s)
=== RUN   TestAccConfigGroupPolicyApplication_explicitRootNamespace
    group_policy_application_test.go:214: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_explicitRootNamespace (0.67s)
=== RUN   TestAccConfigGroupPolicyApplication_importVerifyNamespace
    group_policy_application_test.go:242: Vault server version "1.22.0-beta1+ent"
--- PASS: TestAccConfigGroupPolicyApplication_importVerifyNamespace (0.68s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/internal/vault/sys/config 7.123s


...

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

PCI review checklist

• I have documented a clear reason for, and description of, the change I am making.

• If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

• If applicable, I've documented the impact of any changes to security controls.

  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

[Copilot]

Pull request overview

Adds a new Terraform Plugin Framework resource to manage Vault Enterprise’s global group policy application mode (sys/config/group-policy-application) as a singleton configuration, with accompanying docs, constants/version gating, and acceptance tests.

Changes:

• Introduces vault_config_group_policy_application resource with CRUD + import and Vault Enterprise 1.13.8+ checks.
• Registers the new resource in the framework provider and adds supporting constants/version references.
• Adds resource documentation and acceptance tests.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
internal/vault/sys/config/group_policy_application.go	Implements the new singleton sys/config resource (schema + CRUD/import + validation/version checks).
internal/vault/sys/config/group_policy_application_test.go	Adds acceptance tests covering basic CRUD/import and some validation scenarios.
internal/provider/fwprovider/provider.go	Registers the new framework resource.
internal/provider/meta.go	Adds VaultVersion1138 semver for API gating.
internal/consts/consts.go	Adds group_policy_application_mode field constant (and VaultVersion1138).
website/docs/r/config_group_policy_application.html.md	Adds user-facing documentation for the new resource.
CHANGELOG.md	Adds a changelog entry for the new resource.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.