hashicorp · dpowley · Sep 22, 2022 · Sep 26, 2022
@@ -1,13 +1,13 @@
 # Vault Plugin: Terraform Cloud Secrets Backend [![HashiCorp](https://circleci.com/gh/hashicorp/vault-plugin-secrets-terraform.svg?style=svg)](https://circleci.com/gh/hashicorp/vault-plugin-secrets-terraform)
 
 This is a standalone backend plugin for use with [Hashicorp
-Vault](https://www.github.com/hashicorp/vault). This plugin generates revocable,
-time-limited API tokens for [Terraform Cloud](https://www.terraform.io/cloud) users, as well as manages single API
-tokens for Terraform teams and Organizations. Please see Terraform Cloud's
-documentation on [API
-Tokens](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html)
-for more information on the types of API tokens offered by the Terraform Cloud
-  API.
+Vault](https://www.github.com/hashicorp/vault). This plugin generates:
+- Revocable, time-limited [API tokens](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens#user-api-tokens) for [Terraform Cloud users](https://www.terraform.io/cloud-docs/users-teams-organizations/users).
+- Revocable, time-limited [Terraform Cloud teams](https://www.terraform.io/cloud-docs/users-teams-organizations/teams) and corresponding [API tokens](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens#team-api-tokens).
+- Manages single [API tokens](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens#team-api-tokens) for existing [Terraform Cloud teams](https://www.terraform.io/cloud-docs/users-teams-organizations/teams).
+- Manages single [API tokens](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens#organization-api-tokens) for [Terraform Cloud organizations](https://www.terraform.io/cloud-docs/users-teams-organizations/organizations). 
+
+Please see Terraform Cloud's documentation on [API Tokens](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html) for more information on the types of API tokens offered by the Terraform Cloud API.
 
 **Please note**: We take Vault's security and our users' trust very seriously.
 If you believe you have found a security issue in Vault, _please responsibly

@@ -51,6 +51,8 @@ type testEnv struct {
 
 	// TokenIDs tracks the IDs of generated tokens, to make sure we clean up
 	TokenIDs []string
+	// TeamIDs tracks the IDs of generated teams, to make sure we clean up
+	TeamIDs []string
 }
 
 func (e *testEnv) AddConfig(t *testing.T) {
@@ -150,6 +152,73 @@ func (e *testEnv) ReadTeamToken(t *testing.T) {
 	}
 }
 
+func (e *testEnv) AddDynamicTeamTokenRole(t *testing.T) {
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "role/test-dynamic-team-token",
+		Storage:   e.Storage,
+		Data: map[string]interface{}{
+			"organization": e.Organization,
+			"team_options": "{\"visibility\": \"secret\"}",
+			"token_type":   "dynamic_team",
+		},
+	}
+	resp, err := e.Backend.HandleRequest(e.Context, req)
+	require.Nil(t, err)
+	require.Nil(t, resp)
+}
+
+func (e *testEnv) ReadDynamicTeamToken(t *testing.T) {
+	req := &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "creds/test-dynamic-team-token",
+		Storage:   e.Storage,
+	}
+	resp, err := e.Backend.HandleRequest(e.Context, req)
+	require.Nil(t, err)
+	require.NotNil(t, resp)
+	require.NotEmpty(t, resp.Data["token"])
+
+	if t, ok := resp.Data["team_id"]; ok {
+		e.TeamIDs = append(e.TeamIDs, t.(string))
+	}
+
+	// verify there is a token
+	b := e.Backend.(*tfBackend)
+	client, err := b.getClient(e.Context, e.Storage)
+	if err != nil {
+		t.Fatal("fatal getting client")
+	}
+	tt, err := client.TeamTokens.Read(e.Context, e.TeamID)
+	if err != nil {
+		t.Fatalf("unexpected error reading team token: %s", err)
+	}
+	require.NotNil(t, tt)
+	if t, ok := resp.Data["token"]; ok {
+		e.SecretToken = t.(string)
+	}
+
+	// verify there is a team
+	team, err := client.Teams.Read(e.Context, e.TeamID)
+	if err != nil {
+		t.Fatalf("unexpected error reading team token: %s", err)
+	}
+	require.NotNil(t, team)
+}
+
+func (e *testEnv) CleanupDynamicTeams(t *testing.T) {
+	for _, id := range e.TeamIDs {
+		b := e.Backend.(*tfBackend)
+		client, err := b.getClient(e.Context, e.Storage)
+		if err != nil {
+			t.Fatal("fatal getting client")
+		}
+		if err := client.Teams.Delete(e.Context, id); err != nil {
+			t.Fatalf("unexpected error deleting team: %v", err)
+		}
+	}
+}
+
 func (e *testEnv) AddUserTokenRole(t *testing.T) {
 	req := &logical.Request{
 		Operation: logical.UpdateOperation,

@@ -4,10 +4,11 @@ go 1.14
 
 require (
 	github.com/hashicorp/go-hclog v1.0.0
-	github.com/hashicorp/go-tfe v0.20.0
+	github.com/hashicorp/go-tfe v1.10.0
+	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/vault-testing-stepwise v0.1.1
 	github.com/hashicorp/vault/api v1.2.0
 	github.com/hashicorp/vault/sdk v0.2.1
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.8.0
 )
@@ -90,7 +90,6 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -148,24 +147,25 @@ github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6cc2C1mDaW3NQ9sY1FY=
 github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
-github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiwC1FZWkvQPQ4=
-github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
+github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ=
+github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 h1:78ki3QBevHwYrVxnyVeaEz+7WtifHhauYF23es/0KlI=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 h1:nd0HIW15E6FG1MsnArYaHfuw9C2zgzM8LxkG5Ty/788=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
-github.com/hashicorp/go-slug v0.7.0 h1:8HIi6oreWPtnhpYd8lIGQBgp4rXzDWQTOhfILZm+nok=
-github.com/hashicorp/go-slug v0.7.0/go.mod h1:Ib+IWBYfEfJGI1ZyXMGNbu2BU+aa3Dzu41RKLH301v4=
+github.com/hashicorp/go-slug v0.10.0 h1:mh4DDkBJTh9BuEjY/cv8PTo7k9OjT4PcW8PgZnJ4jTY=
+github.com/hashicorp/go-slug v0.10.0/go.mod h1:Ib+IWBYfEfJGI1ZyXMGNbu2BU+aa3Dzu41RKLH301v4=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
-github.com/hashicorp/go-tfe v0.20.0 h1:XUAhKoCX8ZUQfwBebC8hz7nkSSnqgNkaablIfxnZ0PQ=
-github.com/hashicorp/go-tfe v0.20.0/go.mod h1:gyXLXbpBVxA2F/6opah8XBsOkZJxHYQmghl0OWi8keI=
+github.com/hashicorp/go-tfe v1.10.0 h1:mkEge/DSca8VQeBSAQbjEy8fWFHbrJA76M7dny5XlYc=
+github.com/hashicorp/go-tfe v1.10.0/go.mod h1:uSWi2sPw7tLrqNIiASid9j3SprbbkPSJ/2s3X0mMemg=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
@@ -299,14 +299,17 @@ github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKv
 github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -453,8 +456,9 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2 h1:kG1BFyqVHuQoVQiR1bWGnfz/fmHvvuiSPIV7rvl360E=

@@ -55,14 +55,19 @@ func (b *tfBackend) pathCredentialsRead(ctx context.Context, req *logical.Reques
 		return nil, errors.New("error retrieving role: role is nil")
 	}
 
-	if roleEntry.UserID != "" {
+	switch roleEntry.TokenType {
+	case UserTokenType:
 		return b.createUserCreds(ctx, req, roleEntry)
+	case DynamicTeamTokenType:
+		return b.createDynamicTeamCreds(ctx, req, roleEntry)
+	default:
 	}
 
 	resp := &logical.Response{
 		Data: map[string]interface{}{
 			"token_id":     roleEntry.TokenID,
 			"token":        roleEntry.Token,
+			"token_type":   roleEntry.TokenType,
 			"organization": roleEntry.Organization,
 			"team_id":      roleEntry.TeamID,
 			"role":         roleEntry.Name,
@@ -71,18 +76,32 @@ func (b *tfBackend) pathCredentialsRead(ctx context.Context, req *logical.Reques
 	return resp, nil
 }
 
-func (b *tfBackend) createUserCreds(ctx context.Context, req *logical.Request, role *terraformRoleEntry) (*logical.Response, error) {
-	token, err := b.createToken(ctx, req.Storage, role)
+func (b *tfBackend) createDynamicTeamCreds(ctx context.Context, req *logical.Request, role *terraformRoleEntry) (*logical.Response, error) {
+	client, err := b.getClient(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+
+	teamID, err := createTeam(ctx, client, role.Organization, role.TeamOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	token, err := createTeamToken(ctx, client, teamID)
 	if err != nil {
 		return nil, err
 	}
 
 	resp := b.Secret(terraformTokenType).Response(map[string]interface{}{
-		"token":    token.Token,
-		"token_id": token.ID,
+		"token":      token.Token,
+		"token_id":   token.ID,
+		"team_id":    teamID,
+		"token_type": role.TokenType,
 	}, map[string]interface{}{
-		"token_id": token.ID,
-		"role":     role.Name,
+		"token_id":   token.ID,
+		"role":       role.Name,
+		"team_id":    teamID,
+		"token_type": role.TokenType,
 	})
 
 	if role.TTL > 0 {
@@ -96,32 +115,35 @@ func (b *tfBackend) createUserCreds(ctx context.Context, req *logical.Request, r
 	return resp, nil
 }
 
-func (b *tfBackend) createToken(ctx context.Context, s logical.Storage, roleEntry *terraformRoleEntry) (*terraformToken, error) {
-	client, err := b.getClient(ctx, s)
+func (b *tfBackend) createUserCreds(ctx context.Context, req *logical.Request, role *terraformRoleEntry) (*logical.Response, error) {
+	client, err := b.getClient(ctx, req.Storage)
 	if err != nil {
 		return nil, err
 	}
 
-	var token *terraformToken
-
-	switch {
-	case isOrgToken(roleEntry.Organization, roleEntry.TeamID):
-		token, err = createOrgToken(ctx, client, roleEntry.Organization)
-	case isTeamToken(roleEntry.TeamID):
-		token, err = createTeamToken(ctx, client, roleEntry.TeamID)
-	default:
-		token, err = createUserToken(ctx, client, roleEntry.UserID)
+	token, err := createUserToken(ctx, client, role.UserID)
+	if err != nil {
+		return nil, err
 	}
 
-	if err != nil {
-		return nil, fmt.Errorf("error creating Terraform token: %w", err)
+	resp := b.Secret(terraformTokenType).Response(map[string]interface{}{
+		"token":    token.Token,
+		"token_id": token.ID,
+	}, map[string]interface{}{
+		"token_id":   token.ID,
+		"role":       role.Name,
+		"token_type": role.TokenType,
+	})
+
+	if role.TTL > 0 {
+		resp.Secret.TTL = role.TTL
 	}
 
-	if token == nil {
-		return nil, errors.New("error creating Terraform token")
+	if role.MaxTTL > 0 {
+		resp.Secret.MaxTTL = role.MaxTTL
 	}
 
-	return token, nil
+	return resp, nil
 }
 
 const pathCredentialsHelpSyn = `

@@ -68,6 +68,23 @@ func TestAcceptanceTeamToken(t *testing.T) {
 	t.Run("read team token cred", acceptanceTestEnv.ReadTeamToken)
 }
 
+func TestAcceptanceDynamicTeamToken(t *testing.T) {
+	if !runAcceptanceTests {
+		t.SkipNow()
+	}
+
+	acceptanceTestEnv, err := newAcceptanceTestEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("add config", acceptanceTestEnv.AddConfig)
+	t.Run("add dynamic team token role", acceptanceTestEnv.AddDynamicTeamTokenRole)
+	t.Run("read dynamic team token cred", acceptanceTestEnv.ReadDynamicTeamToken)
+	t.Run("read dynamic team token cred", acceptanceTestEnv.ReadDynamicTeamToken)
+	t.Run("clean up dynamic teams", acceptanceTestEnv.CleanupDynamicTeams)
+}
+
 func TestAcceptanceUserToken(t *testing.T) {
 	if !runAcceptanceTests {
 		t.SkipNow()