Add local to audit resource

vault/resource_audit.go

@@ -24,29 +24,32 @@ func auditResource() *schema.Resource {
 				Optional:    true,
 				Computed:    true,
 				ForceNew:    true,
-				Description: "Path in which to enable the audit device",
+				Description: "Path in which to enable the audit device.",
 			},
-
 			"type": {
 				Type:        schema.TypeString,
 				Required:    true,
 				ForceNew:    true,
-				Description: "Type of the audit device, such as 'file'",
+				Description: "Type of the audit device, such as 'file'.",
 			},
-
 			"description": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				ForceNew:    true,
-				Description: "Human-friendly description of the audit device",
+				Description: "Human-friendly description of the audit device.",
+			},
+			"local": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.",
 			},
-
 			"options": {
 				Type:        schema.TypeMap,
 				Elem:        &schema.Schema{Type: schema.TypeString},
 				Required:    true,
 				ForceNew:    true,
-				Description: "Configuration options to pass to the audit device itself",
+				Description: "Configuration options to pass to the audit device itself.",
 			},
 		},
 	}
@@ -55,9 +58,12 @@ func auditResource() *schema.Resource {
 func auditWrite(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
+	description := d.Get("description").(string)
+	local := d.Get("local").(bool)
+	mountType := d.Get("type").(string)
 	path := d.Get("path").(string)
 	if path == "" {
-		path = d.Get("type").(string)
+		path = mountType
 	}
 
 	optionsRaw := d.Get("options").(map[string]interface{})
@@ -68,13 +74,14 @@ func auditWrite(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	log.Printf("[DEBUG] Enabling audit backend %s in Vault", path)
+	opts := &api.EnableAuditOptions{
+		Type:        mountType,
+		Description: description,
+		Local:       local,
+		Options:     options,
+	}
 
-	if err := client.Sys().EnableAudit(
-		path,
-		d.Get("type").(string),
-		d.Get("description").(string),
-		options,
-	); err != nil {
+	if err := client.Sys().EnableAuditWithOptions(path, opts); err != nil {
 		return fmt.Errorf("error enabling audit backend: %s", err)
 	}
 
@@ -121,6 +128,7 @@ func auditRead(d *schema.ResourceData, meta interface{}) error {
 		return nil
 	}
 
+	// Local is not returned by the List operation
 	d.Set("path", path)
 	d.Set("type", audit.Type)
 	d.Set("description", audit.Description)

vault/resource_audit_test.go

@@ -30,6 +30,7 @@ resource "vault_audit" "test" {
 	path = "%s"
 	type = "file"
 	description = "Example file audit for vault"
+	local = true
 	options = {
 		path = "stdout"
 	}
@@ -72,6 +73,10 @@ func testResourceAudit_initialCheck(expectedPath string) resource.TestCheckFunc
 			return fmt.Errorf("type is %v; wanted %v", audit.Type, wanted)
 		}
 
+		if wanted := true; audit.Local != wanted {
+			return fmt.Errorf("local is %v; wanted %v", audit.Local, wanted)
+		}
+
 		if wanted := "stdout"; audit.Options["path"] != wanted {
 			return fmt.Errorf("log path is %v; wanted %v", audit.Options["path"], wanted)
 		}

website/docs/r/audit.html.md

@@ -26,6 +26,7 @@ resource "vault_audit" "test" {
 resource "vault_audit" "test" {
   type = "socket"
   path = "app_socket"
+  local = false
 
   options = {
     address     = "127.0.0.1:8000"
@@ -45,6 +46,8 @@ The following arguments are supported:
 
 * `description` - (Optional) Human-friendly description of the audit device.
 
+* `local` - (Optional) Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.
+
 * `options` - (Required) Configuration options to pass to the audit device itself.
 
 For a reference of the device types and their options, consult the [Vault documentation.](https://www.vaultproject.io/docs/audit/index.html)