gcp auth: fix bound_labels not being applied

hashicorp · Apr 16, 2021 · 5a37759 · 5a37759
1 parent c9b010e
commit 5a37759
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/vault/resource_gcp_auth_backend_role.go b/vault/resource_gcp_auth_backend_role.go
@@ -220,8 +220,8 @@ func gcpRoleUpdateFields(d *schema.ResourceData, data map[string]interface{}, cr
 		data["bound_instance_groups"] = v.(*schema.Set).List()
 	}
 
-	if v, ok := d.GetOk("bound_instance_labels"); ok {
-		data["bound_instance_labels"] = v.(*schema.Set).List()
+	if v, ok := d.GetOk("bound_labels"); ok {
+		data["bound_labels"] = v.(*schema.Set).List()
 	}
 }
 
@@ -348,14 +348,25 @@ func gcpAuthResourceRead(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
-	for _, k := range []string{"project_id", "bound_projects", "add_group_aliases", "max_jwt_exp", "bound_service_accounts", "bound_zones", "bound_regions", "bound_instance_groups", "bound_labels"} {
+	for _, k := range []string{"project_id", "bound_projects", "add_group_aliases", "max_jwt_exp", "bound_service_accounts", "bound_zones", "bound_regions", "bound_instance_groups"} {
 		if v, ok := resp.Data[k]; ok {
 			if err := d.Set(k, v); err != nil {
 				return fmt.Errorf("error reading %s for GCP Auth Backend Role %q: %q", k, path, err)
 			}
 		}
 	}
 
+	if v, ok := resp.Data["bound_labels"]; ok {
+		labels := []string{}
+		for labelK, labelV := range v.(map[string]interface{}) {
+			labels = append(labels, fmt.Sprintf("%s:%s", labelK, labelV))
+		}
+
+		if err := d.Set("bound_labels", labels); err != nil {
+			return fmt.Errorf("error setting bound_labels for GCP auth backend role: %q", err)
+		}
+	}
+
 	// These checks are done for backwards compatibility. The 'type' key used to be
 	// 'role_type' and was changed to 'role' errorneously before being corrected
 	if v, ok := resp.Data["type"]; ok {

diff --git a/vault/resource_gcp_auth_backend_role_test.go b/vault/resource_gcp_auth_backend_role_test.go
@@ -69,7 +69,11 @@ func TestGCPAuthBackendRole_gce(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config: testGCPAuthBackendRoleConfig_gce(backend, name, projectId),
-				Check:  testGCPAuthBackendRoleCheck_attrs(backend, name),
+				Check: resource.ComposeTestCheckFunc(
+					testGCPAuthBackendRoleCheck_attrs(backend, name),
+					resource.TestCheckResourceAttr("vault_gcp_auth_backend_role.test",
+						"bound_labels.#", "2"),
+				),
 			},
 		},
 	})
@@ -166,7 +170,6 @@ func testGCPAuthBackendRoleCheck_attrs(backend, name string) resource.TestCheckF
 			"bound_service_accounts": "bound_service_accounts",
 			"bound_regions":          "bound_regions",
 			"bound_zones":            "bound_zones",
-			"bound_labels":           "bound_labels",
 			"add_group_aliases":      "add_group_aliases",
 		}
 
@@ -307,7 +310,7 @@ resource "vault_gcp_auth_backend_role" "test" {
     token_policies         = ["policy_a", "policy_b"]
     bound_regions          = ["eu-west2"]
     bound_zones            = ["europe-west2-c"]
-    bound_labels           = ["foo"]
+    bound_labels           = ["foo:bar", "key:value"]
 }
 `, backend, name, projectId)