gcp auth: fix bound_labels not being applied

[jasonodonnell]

A typo in the vault_gcp_auth_backend_role resulted in roles not applying bound_labels, even if one was specified. Unfortunately the test suite didn't explicitly test for this value and the GCP auth method doesn't return empty values for roles: https://github.com/hashicorp/vault-plugin-auth-gcp/blob/master/plugin/path_role.go#L307-L310.

I've changed the test code slightly to check Vault for the appropriate resources.

Fixes #996.

Manual Test

provider "vault" {
  address = "http://127.0.0.1:8200"
  token   = "root"
}

resource "vault_gcp_auth_backend" "gcp" {
  path = "gcp"
  description = "debug gcp auth endpoint; automation=terraform"
}

resource "vault_gcp_auth_backend_role" "gcp" {
  backend = vault_gcp_auth_backend.gcp.path
  role = "test-role"
  type = "gce"
  bound_labels = ["role:test", "foo:bar"]
}

$ vault server -dev -dev-root-token-id=root
$ terraform init 
$ terraform apply
# Verify bound_labels is set
$ vault read auth/gcp/role/test-role
Key                        Value
---                        -----
add_group_aliases          false
bound_labels               map[foo:bar role:test]
role_id                    84c89156-cc57-8b01-faed-31855e461115
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             []
token_ttl                  0s
token_type                 default
type                       gce

[jasonodonnell]

Unrelated CI failure but looking into it 👍

[tvoran]

This works fine when I try it manually, though if possible I would like to see the tests checking the response from vault against the tf state for bound_labels, and right now it looks like only the tf state is being checked.

It looks like the tricky part here is that the vault API input for bound_labels is a list, while the response is a map, so that's why testGCPAuthBackendRoleCheck_attrs() doesn't quite work as-is.

[jasonodonnell]

@tvoran Resolved per d1fe0f1.

[tomhjp]

LGTM 👍

[tvoran]

(This comment is out of scope of this PR, just satisfying my own curiosity.)

One more thing I noticed about testGCPAuthBackendRoleCheck_attrs() is it can skip items in the state if they're lists, since they show up in state like this:

"token_policies.#":          "2",
"token_policies.505685419":  "policy_a",
"token_policies.889812584":  "policy_b",

Something like this would help cover that case:

diff --git a/vault/resource_gcp_auth_backend_role_test.go b/vault/resource_gcp_auth_backend_role_test.go
index 55cc29a4..42bc1a0b 100644
--- a/vault/resource_gcp_auth_backend_role_test.go
+++ b/vault/resource_gcp_auth_backend_role_test.go
@@ -176,7 +176,10 @@ func testGCPAuthBackendRoleCheck_attrs(backend, name string) resource.TestCheckF
 
                for stateAttr, apiAttr := range attrs {
                        if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" {
-                               continue
+                               // lists have a different index in instanceState.Attributes
+                               if instanceState.Attributes[stateAttr+".#"] == "" || instanceState.Attributes[stateAttr+".#"] == "0" {
+                                       continue
+                               }
                        }
                        var match bool
                        switch resp.Data[apiAttr].(type) {

[tvoran]

👍