Merge pull request hashicorp#135 from JayH5/hashicorpgh-134/bound_ec2…

…_instance_id vault_aws_auth_backend_role: Add bound_ec2_instance_id parameter
dandandy · Sep 26, 2018 · e3bcd71 · e3bcd71
2 parents 5527f16 + 7d10741
commit e3bcd71
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/vault/resource_aws_auth_backend_role.go b/vault/resource_aws_auth_backend_role.go
@@ -98,6 +98,14 @@ func awsAuthBackendRoleResource() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"bound_ec2_instance_id": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Only EC2 instances that match this instance ID will be permitted to log in.",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"role_tag": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -229,6 +237,7 @@ func awsAuthBackendRoleCreate(d *schema.ResourceData, meta interface{}) error {
 		setSlice(d, "bound_subnet_id", data)
 		setSlice(d, "bound_iam_role_arn", data)
 		setSlice(d, "bound_iam_instance_profile_arn", data)
+		setSlice(d, "bound_ec2_instance_id", data)
 	}
 
 	if authType == "ec2" {
@@ -321,6 +330,7 @@ func awsAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 
 	d.Set("bound_account_id", resp.Data["bound_account_id"])
 	d.Set("bound_ami_id", resp.Data["bound_ami_id"])
+	d.Set("bound_ec2_instance_id", resp.Data["bound_ec2_instance_id"])
 	d.Set("bound_iam_instance_profile_arn", resp.Data["bound_iam_instance_profile_arn"])
 	d.Set("bound_iam_role_arn", resp.Data["bound_iam_role_arn"])
 	d.Set("bound_subnet_id", resp.Data["bound_subnet_id"])
@@ -392,6 +402,9 @@ func awsAuthBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error {
 		if v, ok := d.GetOk("bound_iam_instance_profile_arn"); ok {
 			data["bound_iam_instance_profile_arn"] = v.(string)
 		}
+		if v, ok := d.GetOk("bound_ec2_instance_id"); ok {
+			data["bound_ec2_instance_id"] = v.(string)
+		}
 	}
 
 	if authType == "ec2" {

diff --git a/vault/resource_aws_auth_backend_role_test.go b/vault/resource_aws_auth_backend_role_test.go
@@ -214,6 +214,7 @@ func testAccAWSAuthBackendRoleCheck_attrs(backend, role string) resource.TestChe
 			"bound_subnet_id":                "bound_subnet_id",
 			"bound_iam_role_arn":             "bound_iam_role_arn",
 			"bound_iam_instance_profile_arn": "bound_iam_instance_profile_arn",
+			"bound_ec2_instance_id":          "bound_ec2_instance_id",
 			"role_tag":                       "role_tag",
 			"bound_iam_principal_arn":        "bound_iam_principal_arn",
 			"inferred_entity_type":           "inferred_entity_type",
@@ -300,6 +301,7 @@ resource "vault_aws_auth_backend_role" "role" {
   auth_type = "iam"
   bound_ami_id = ["ami-8c1be5f6"]
   bound_account_id = ["123456789012"]
+  bound_ec2_instance_id = ["i-06bb291939760ba66"]
   bound_vpc_id = ["vpc-b61106d4"]
   bound_subnet_id = ["vpc-a33128f1"]
   bound_iam_role_arn = ["arn:aws:iam::123456789012:role/S3Access"]
@@ -363,6 +365,7 @@ resource "vault_aws_auth_backend_role" "role" {
   auth_type = "ec2"
   bound_ami_id = ["ami-8c1be5f6"]
   bound_account_id = ["123456789012"]
+  bound_ec2_instance_id = ["i-06bb291939760ba66"]
   bound_region = ["us-east-1"]
   bound_vpc_id = ["vpc-b61106d4"]
   bound_subnet_id = ["vpc-a33128f1"]