Support inheritable resource quotas #2133

husunal · 2024-01-26T09:14:06Z

Description

Support inheritable parameter for the vault_quota_rate_limit and vault_quota_lease_count resources.

Checklist

Added CHANGELOG entry (only for user-facing changes)
Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

=== RUN   TestQuotaRateLimit
--- PASS: TestQuotaRateLimit (2.62s)
=== RUN   TestQuotaRateLimitWithRole
    resource_quota_rate_limit_test.go:88: Vault server version "1.15.4+ent"
--- PASS: TestQuotaRateLimitWithRole (1.91s)
=== RUN   TestQuotaRateLimitWithNamespace
--- PASS: TestQuotaRateLimitWithNamespace (4.68s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault

=== RUN   TestQuotaLeaseCount
--- PASS: TestQuotaLeaseCount (5.02s)
=== RUN   TestQuotaLeaseCountWithRole
    resource_quota_lease_count_test.go:86: Vault server version "1.15.4+ent"
--- PASS: TestQuotaLeaseCountWithRole (4.09s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault

Community Note

Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

fairclothjm · 2024-01-30T17:13:28Z

vault/resource_quota_lease_count.go

+	if data["path"] == "" && d.Get("inheritable") == nil {
+		data["inheritable"] = true
+	} else if v, ok := d.GetOkExists("inheritable"); ok {
+		data["inheritable"] = v.(bool)
+	}


GetOkExists is deprecated so we prefer to use d.Get for booleans. This can be simplified and requires inheritable to not be Computed.

Suggested change

if data["path"] == "" && d.Get("inheritable") == nil {

data["inheritable"] = true

} else if v, ok := d.GetOkExists("inheritable"); ok {

data["inheritable"] = v.(bool)

}

data["inheritable"] = d.Get("inheritable").(bool)

fairclothjm · 2024-01-30T17:13:52Z

vault/resource_quota_lease_count.go

+	if data["path"] == "" && d.Get("inheritable") == nil {
+		data["inheritable"] = true
+	} else if v, ok := d.GetOkExists("inheritable"); ok {
+		data["inheritable"] = v.(bool)
+	}


GetOkExists is deprecated so we prefer to use d.Get for booleans. This can be simplified and requires inheritable to not be Computed.

Suggested change

if data["path"] == "" && d.Get("inheritable") == nil {

data["inheritable"] = true

} else if v, ok := d.GetOkExists("inheritable"); ok {

data["inheritable"] = v.(bool)

}

data["inheritable"] = d.Get("inheritable").(bool)

vault/resource_quota_lease_count.go

vault/resource_quota_lease_count_test.go

website/docs/r/quota_lease_count.md

website/docs/r/quota_rate_limit.md

CHANGELOG.md

fairclothjm

Thanks for the contribution @husunal ! I left some comments that apply generally to the change. Thanks!

husunal · 2024-05-07T15:56:11Z

All tasks are done except for replacing GetOkExists. I have tested it with both GetOk and Get, but these changes caused other issues in the tests. @fairclothjm could you please take another look and merge it if everything looks good to you?

=== RUN   TestQuotaLeaseCount
--- PASS: TestQuotaLeaseCount (5.00s)
=== RUN   TestQuotaLeaseCountWithRole
    resource_quota_lease_count_test.go:80: Vault server version "1.16.2+ent"
--- PASS: TestQuotaLeaseCountWithRole (4.11s)
=== RUN   TestQuotaLeaseCountInheritable
    resource_quota_lease_count_test.go:122: Vault server version "1.16.2+ent"
--- PASS: TestQuotaLeaseCountInheritable (5.23s)
=== RUN   TestQuotaLeaseCountWithRoleInheritable
    resource_quota_lease_count_test.go:180: Vault server version "1.16.2+ent"
--- PASS: TestQuotaLeaseCountWithRoleInheritable (4.48s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     19.934s

=== RUN   TestQuotaRateLimit
--- PASS: TestQuotaRateLimit (3.15s)
=== RUN   TestQuotaRateLimitWithRole
    resource_quota_rate_limit_test.go:83: Vault server version "1.16.2+ent"
--- PASS: TestQuotaRateLimitWithRole (3.01s)
=== RUN   TestQuotaRateLimitInheritable
    resource_quota_rate_limit_test.go:128: Vault server version "1.16.2+ent"
--- PASS: TestQuotaRateLimitInheritable (2.96s)
=== RUN   TestQuotaRateLimitWithNamespaceInheritable
    resource_quota_rate_limit_test.go:181: Vault server version "1.16.2+ent"
--- PASS: TestQuotaRateLimitWithNamespaceInheritable (4.15s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     13.905s

fairclothjm

LGTM! Thanks @husunal

fairclothjm · 2024-05-07T16:01:48Z

@husunal I am running the build for all supported vault versions and then will merge if all is good.

fairclothjm · 2024-05-07T17:00:10Z

@husunal Failing on Vault 1.16.1 Ent:

=== RUN   TestQuotaLeaseCount
    resource_quota_lease_count_test.go:26: Step 4/4 error: Error running apply: exit status 1
        
        Error: Error updating Resource Lease Count Quota tf-test-937347198022270975: Error making API request.
        
        URL: PUT http://localhost:8200/v1/sys/quotas/lease-count/tf-test-937347198022270975
        Code: 400. Errors:
        
        * quota rule with similar properties exists under the name "default"
        
          with vault_quota_lease_count.foobar,
          on terraform_plugin_test.tf line 2, in resource "vault_quota_lease_count" "foobar":
           2: resource "vault_quota_lease_count" "foobar" {
        
--- FAIL: TestQuotaLeaseCount (2.28s)

husunal · 2024-05-07T19:09:20Z

Thank you @fairclothjm

I’m unable to reproduce the error. Can we re-run the failed tests?

husunal · 2024-05-07T21:53:13Z

It seems that the test failure is related to the new default lease count quota. I have updated the test to skip creating a quota in the root namespace if the version is 1.16 or greater.

husunal · 2024-05-08T13:27:01Z

@fairclothjm can we run another build for all supported Vault versions?

The issue caused by the new default lease count quota should now be fixed.

github-actions bot added documentation size/L labels Jan 26, 2024