Implement rotation manager for root token#96
Open
drewmullen wants to merge 13 commits into
b9f89a4 to 5c62bab
1 unit and 1 acc test working...

acc:
2025-09-22T15:51:47-04:00 debug layer=debugger ContinueOnce
2025-09-22T15:51:47.712-0400 [INFO] Rotating configuration token
2025-09-22T15:51:47.948-0400 [DEBUG] Creating new user token with description:: user-<>="Rotated by Vault (sg9yb)"
--- PASS: TestConfig_Rotation (15.47s)
--- PASS: TestConfig_Rotation/Test_Token_Rotation (15.47s)
PASS

unit:
go test -run TestBackend_PathConfig_RegisterRotation
2025-09-22T15:55:24.748-0400 [DEBUG] Registering rotation job: mount=config
PASS
ok github.com/hashicorp/vault-plugin-secrets-terraform 0.623s
b1a9d2a to 9fa5d7c
…d to prevent breaking config if new token is invalid
drewmullen commented Apr 14, 2026
Type: framework.TypeString,
Description: "The ID of the token. Required for rotation. Token IDs begin with `at-<>`.",
},
"old_token": {
Given certain internal conversations - we can remove this
drewmullen commented Apr 24, 2026
Type string `json:"type"`
} `json:"data"`
} `json:"authenticated-resource"`
} `json:"relationships"`
Suggested change
} `json:"relationships"`
} `json:"relationships"`
Links struct {
Self string `json:"self"`
AuthToken string `json:"auth-token",omitempty"`
} `json:"links"`
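Review bot: the struct tag on the suggested AuthToken line is malformed. In `json:"auth-token",omitempty"` the closing quote comes before the comma, so encoding/json sees the key as `auth-token` and silently ignores the omitempty option (go vet's structtag check reports this as a bad tag); it should read `json:"auth-token,omitempty"`. Separately, omitempty only affects marshaling: when decoding a response from an older TFE that does not send the field, AuthToken is left as the empty string whichever way the tag is written, so the compatibility concern raised in the comment below is about handling an empty value, not about the tag.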
because AuthToken may not come from older versions of tfe the omitempty may not work here. may have to rework the struct definition
Closes: #65
TODO (will complete after peer review to ensure no changes are requested):
NOTE: My plan is to update the docs after I get some feedback from the team

Details
2 new parameters have been added to the config path.
- token_id: the id of the token. This can only be gotten by generating a token via API (see shell examples below)
- old_token: Meta argument to determine how the secret engine will handle the prior root token after it's rotated. Can be `delete` or `keep`.

Fetching a token via api
Token IDs are not easily readable from the API. It's best to get the ID when the token is created.

PCI review checklist
- I have documented a clear reason for, and description of, the change I am making.
- If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
- If applicable, I've documented the impact of any changes to security controls.
  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
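The rotation flow this PR describes (create a new token, confirm it works before the stored config is touched, then delete or keep the prior token according to old_token), as an added Go example that is not the plugin's own code; TokenAPI, Config, Rotate and FakeAPI are hypothetical stand-ins for the plugin's real types and its TFE client.

```go
package main

import "fmt"

// TokenAPI is a hypothetical stand-in for the TFE calls the plugin would
// make; it is not the plugin's real client interface.
type TokenAPI interface {
	CreateToken(desc string) (id, secret string, err error)
	Validate(secret string) error
	DeleteToken(id string) error
}

// Config carries the PR's parameters: token, its ID, and old_token policy.
type Config struct{ Token, TokenID, OldToken string }

// Rotate creates a new token, proves it works before touching the stored
// config, and only then applies the old_token policy ("delete" or "keep").
func Rotate(api TokenAPI, cfg Config) (Config, error) {
	if cfg.OldToken != "delete" && cfg.OldToken != "keep" {
		return cfg, fmt.Errorf("old_token must be delete or keep, got %q", cfg.OldToken)
	}
	newID, newSecret, err := api.CreateToken("Rotated by Vault")
	if err != nil {
		return cfg, err
	}
	if err := api.Validate(newSecret); err != nil { // never swap in a bad token
		_ = api.DeleteToken(newID) // do not leave the unusable token behind
		return cfg, fmt.Errorf("new token failed validation, config unchanged: %w", err)
	}
	next := Config{Token: newSecret, TokenID: newID, OldToken: cfg.OldToken}
	if cfg.OldToken == "delete" {
		if err := api.DeleteToken(cfg.TokenID); err != nil {
			return next, fmt.Errorf("rotated, but deleting old token %s failed: %w", cfg.TokenID, err)
		}
	}
	return next, nil
}

// FakeAPI is a constructed in-memory stand-in for the TFE token API.
type FakeAPI struct {
	Tokens map[string]bool // IDs of tokens that currently exist
	Err    error           // non-nil makes every new token fail validation
}

func (f *FakeAPI) CreateToken(string) (string, string, error) {
	f.Tokens["at-new"] = true
	return "at-new", "secret-new", nil
}
func (f *FakeAPI) Validate(string) error       { return f.Err }
func (f *FakeAPI) DeleteToken(id string) error { delete(f.Tokens, id); return nil }
```

With a FakeAPI whose Err is set, Rotate returns the original Config untouched and the half-created token is removed, which is the "don't break config if the new token is invalid" behaviour the commit history refers to.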