Added TTL field (hashicorp#2318)

* added TTL field

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>

* Added `Computed: True` to TTL

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>

* redundant since false is the default

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>

* Added changlog entry

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>

* Tried adding some tests

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>

* is this enough to read it?

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>

---------

Signed-off-by: Lasse Gaardsholt <lasse.gaardsholt@bestseller.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>

CHANGELOG.md

@@ -7,6 +7,7 @@ FEATURES:
 * Update `vault_approle_auth_backend_role_secret_id` to support `num_uses` and `ttl` fields ([#2345](https://github.com/hashicorp/terraform-provider-vault/pull/2345))
 * Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2206](https://github.com/hashicorp/terraform-provider-vault/pull/2206))
 * Add support for `allow_empty_principals` field for the `vault_ssh_secret_backend_role` resource ([#2354](https://github.com/hashicorp/terraform-provider-vault/pull/2354))
+* Update `vault_gcp_secret_impersonated_account` to support setting `ttl` ([#2318](https://github.com/hashicorp/terraform-provider-vault/pull/2318))
 * Add support for `connection_timeout` field for the `vault_ldap_auth_backend` resource ([#2358](https://github.com/hashicorp/terraform-provider-vault/pull/2358))
 * Add support for Rootless Configuration for Static Roles to Postgres DB ([#2341](https://github.com/hashicorp/terraform-provider-vault/pull/2341))
 
@@ -26,7 +27,7 @@ BUGS:
 FEATURES:
 * Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)).
 * Add support for `inheritable` on `vault_quota_rate_limit` and `vault_quota_lease_count`. Requires Vault 1.15+.: ([#2133](https://github.com/hashicorp/terraform-provider-vault/pull/2133)).
-* Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 
+* Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)).
 * Add support for new WIF fields in `vault_azure_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2250](https://github.com/hashicorp/terraform-provider-vault/pull/2250))
 * Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
 * Add support for new WIF fields in `vault_gcp_auth_backend` ([#2256](https://github.com/hashicorp/terraform-provider-vault/pull/2256))
@@ -295,7 +296,7 @@ BUGS:
 ## 3.15.2 (May 3, 2023)
 BUGS:
 * Revert [#1830](https://github.com/hashicorp/terraform-provider-vault/pull/1830) which introduced a unexpected breaking change in the way authentication is done within a namespace: ([#1840](https://github.com/hashicorp/terraform-provider-vault/pull/1840))
- 
+
 ## 3.15.1 (May 3, 2023)
 BUGS:
 * Ensure that the auth_login honours the provider's namespace: ([#1830](https://github.com/hashicorp/terraform-provider-vault/pull/1830))
@@ -433,37 +434,37 @@ FEATURES:
 IMPROVEMENTS:
 * Fix Import for OIDC Scope resource:
   ([#1548](https://github.com/hashicorp/terraform-provider-vault/pull/1548))
-* Update entity alias creation to use entity lookup api: 
+* Update entity alias creation to use entity lookup api:
   ([#1517](https://github.com/hashicorp/terraform-provider-vault/pull/1517))
   ([#1552](https://github.com/hashicorp/terraform-provider-vault/pull/1552))
-* Add support for Consul secrets engine enhancements: 
+* Add support for Consul secrets engine enhancements:
   ([#1518](https://github.com/hashicorp/terraform-provider-vault/pull/1518))
-* auth/gcp: adds `custom_endpoint` parameter to backend config: 
+* auth/gcp: adds `custom_endpoint` parameter to backend config:
   ([#1482](https://github.com/hashicorp/terraform-provider-vault/pull/1482))
 * auth/jwt: adds `user_claim_json_pointer` and `max_age` to roles:
   ([#1478](https://github.com/hashicorp/terraform-provider-vault/pull/1478))
 
 BUGS:
-* Support updating backend descriptions: 
+* Support updating backend descriptions:
  ([#1550](https://github.com/hashicorp/terraform-provider-vault/pull/1550))
  ([#1543](https://github.com/hashicorp/terraform-provider-vault/pull/1543))
 * Properly set the `base64_pem` in Vault for Couchbase:
  ([#1545](https://github.com/hashicorp/terraform-provider-vault/pull/1545))
 * Fix bug where some rabbitmq config changes trigger erroneous mount recreation:
  ([#1542](https://github.com/hashicorp/terraform-provider-vault/pull/1542))
-* Update `*kv_secrets*` resources to support namespaces: 
+* Update `*kv_secrets*` resources to support namespaces:
  ([#1529](https://github.com/hashicorp/terraform-provider-vault/pull/1529))
 * Do not validate JSON on OIDC scope template:
  ([#1547](https://github.com/hashicorp/terraform-provider-vault/pull/1547))
 
 ## 3.7.0 (June 15, 2022)
-FEATURES: 
+FEATURES:
 * Support setting `namespace` by resource
- ([#1305](https://github.com/hashicorp/terraform-provider-vault/pull/1305)) 
+ ([#1305](https://github.com/hashicorp/terraform-provider-vault/pull/1305))
  ([#1479](https://github.com/hashicorp/terraform-provider-vault/pull/1479))
 * Add dedicated KV (v1/v2) secret engine resources, and data sources, supersedes `vault_generic_secret`
  ([#1457](https://github.com/hashicorp/terraform-provider-vault/pull/1457))
- 
+
 IMPROVEMENTS:
 * Update vault libs to v1.10.3
  ([#1483](https://github.com/hashicorp/terraform-provider-vault/pull/1483))
@@ -477,85 +478,85 @@ IMPROVEMENTS:
  ([#1084](https://github.com/hashicorp/terraform-provider-vault/pull/1084))
 * ci: Test against vault-enterprise 1.10.3-ent:
   ([#1461](https://github.com/hashicorp/terraform-provider-vault/pull/1461))
- 
+
 BUGS:
 * `resource/auth_backend`: validate `path`, disallowing leading/trailing /
  ([#1471](https://github.com/hashicorp/terraform-provider-vault/pull/1471))
 * `resource/vault_jwt_auth_backend_role`: fix `bound_claims` not being unset when empty
  ([#1469](https://github.com/hashicorp/terraform-provider-vault/pull/1469))
 * `resource/cert_auth_backend`: add the correct field name: `allowed_organizational_units`
   ([#1496](https://github.com/hashicorp/terraform-provider-vault/pull/1496))
- 
+
 ## 3.6.0 (May 18, 2022)
 IMPROVEMENTS:
-* `resource/pki_secret_backend_root_cert`: Force new root CA resource creation on out-of-band changes.  
+* `resource/pki_secret_backend_root_cert`: Force new root CA resource creation on out-of-band changes.
   ([#1428](https://github.com/hashicorp/terraform-provider-vault/pull/1428))
-* `resource/pki_secret_backend_intermediate_set_signed`: Document complete usage example.  
+* `resource/pki_secret_backend_intermediate_set_signed`: Document complete usage example.
   ([#1452](https://github.com/hashicorp/terraform-provider-vault/pull/1452))
-* `resource/pki_secret_backend_config_urls`: Add support for importing PKI config URLs  
+* `resource/pki_secret_backend_config_urls`: Add support for importing PKI config URLs
   ([#1451](https://github.com/hashicorp/terraform-provider-vault/pull/1451))
-* `vault/resource_pki_secret_backend*`: Extend revocation support to other resources    
+* `vault/resource_pki_secret_backend*`: Extend revocation support to other resources
   ([#1446](https://github.com/hashicorp/terraform-provider-vault/pull/1446))
-* `vault/resource_pki_secret_backend*`: Force new root CA/cert resource creation on out-of-band changes.  
+* `vault/resource_pki_secret_backend*`: Force new root CA/cert resource creation on out-of-band changes.
   ([#1432](https://github.com/hashicorp/terraform-provider-vault/pull/1432))
-* `datasource/generic_secret`: Improve documentation.  
+* `datasource/generic_secret`: Improve documentation.
   ([#1390](https://github.com/hashicorp/terraform-provider-vault/pull/1390))
-* `resource/ldap_auth_backend`: Support setting `userfilter`.  
+* `resource/ldap_auth_backend`: Support setting `userfilter`.
   ([#1378](https://github.com/hashicorp/terraform-provider-vault/pull/1378))
-* `resource/aws_auth_backend_role`: Add `role_id` as a computed field.   
+* `resource/aws_auth_backend_role`: Add `role_id` as a computed field.
   ([#1377](https://github.com/hashicorp/terraform-provider-vault/pull/1377))
-* Auth: Handle CIDR prefix being stripped for hosts in `token_bound_cidrs`  
+* Auth: Handle CIDR prefix being stripped for hosts in `token_bound_cidrs`
   ([#1346](https://github.com/hashicorp/terraform-provider-vault/pull/1346))
-* Add `allowed_serial_numbers` support  
+* Add `allowed_serial_numbers` support
   ([#1119](https://github.com/hashicorp/terraform-provider-vault/pull/1119))
-* `resource/pki_secret_backend_role`: Allow `key_type` to be set to `any`.   
+* `resource/pki_secret_backend_role`: Allow `key_type` to be set to `any`.
   ([#791](https://github.com/hashicorp/terraform-provider-vault/pull/791))
-* `resource/aws_secret_backend_role`: Add `user_path` and `permissions_boundary_arn` arguments.  
+* `resource/aws_secret_backend_role`: Add `user_path` and `permissions_boundary_arn` arguments.
   ([#781](https://github.com/hashicorp/terraform-provider-vault/pull/781))
 
 BUGS:
-* `resource/pki_secret_backend_root_sign_intermediate`: Ensure that the `certificate_bundle`, and `ca_chain` 
-  do not contain duplicate certificates.  
+* `resource/pki_secret_backend_root_sign_intermediate`: Ensure that the `certificate_bundle`, and `ca_chain`
+  do not contain duplicate certificates.
   ([#1428](https://github.com/hashicorp/terraform-provider-vault/pull/1428))
-* `resource/identity_entity_alias`: Serialize create, update, and delete operations in order to prevent alias 
-  mismatches.  
+* `resource/identity_entity_alias`: Serialize create, update, and delete operations in order to prevent alias
+  mismatches.
   ([#1429](https://github.com/hashicorp/terraform-provider-vault/pull/1429))
 * `database_secret*`: Ignore mongodb-atlas `private_key` on read from Vault.
-  mismatches.  
+  mismatches.
   ([#1438](https://github.com/hashicorp/terraform-provider-vault/issues/1438))
-* `resource/auth_backend`: Remove `ForceNew` behavior when updating `description`.  
+* `resource/auth_backend`: Remove `ForceNew` behavior when updating `description`.
   ([#1439](https://github.com/hashicorp/terraform-provider-vault/pull/1439))
-* `resource/identity_group_member_entity_ids`: Properly handle nil `member_entity_ids` in response.  
-  ([#1448](https://github.com/hashicorp/terraform-provider-vault/pull/1448))  
-* `resource/pki_secret_backend_role`: Fix TTL handling in PKI role.  
+* `resource/identity_group_member_entity_ids`: Properly handle nil `member_entity_ids` in response.
+  ([#1448](https://github.com/hashicorp/terraform-provider-vault/pull/1448))
+* `resource/pki_secret_backend_role`: Fix TTL handling in PKI role.
   ([#1447](https://github.com/hashicorp/terraform-provider-vault/pull/1447))
-* `resource/pki_secret_backend_role`: `key_usage` value should be computed.  
+* `resource/pki_secret_backend_role`: `key_usage` value should be computed.
   ([#1443](https://github.com/hashicorp/terraform-provider-vault/pull/1443))
-* `resource/vault_pki_secret_backend_{cert,sign}`: Properly force a new resource whenever the cert is near expiry.  
+* `resource/vault_pki_secret_backend_{cert,sign}`: Properly force a new resource whenever the cert is near expiry.
   ([#1440](https://github.com/hashicorp/terraform-provider-vault/pull/1440))
-* `resource/identity_entity_alias`: Remove read operation on entity alias update.  
+* `resource/identity_entity_alias`: Remove read operation on entity alias update.
   ([#1434](https://github.com/hashicorp/terraform-provider-vault/pull/1434))
 
 ## 3.5.0 (April 20, 2022)
 FEATURES:
 * Add MFA support: new resources `vault_mfa_okta`, `vault_mfa_totp`, `vault_mfa_pingid` ([#1395](https://github.com/hashicorp/terraform-provider-vault/pull/1395))
-* *New* `resource/database_secrets_mount`: Configures any number of database secrets engines under 
+* *New* `resource/database_secrets_mount`: Configures any number of database secrets engines under
  a single, dedicated mount resource
  ([#1400](https://github.com/terraform-providers/terraform-provider-vault/pull/1400))
 
 IMPROVEMENTS:
-* `data/vault_generic_secret`: Add new field `with_lease_start_time` to `vault_generic_secret` datasource 
+* `data/vault_generic_secret`: Add new field `with_lease_start_time` to `vault_generic_secret` datasource
   ([#1414](https://github.com/hashicorp/terraform-provider-vault/pull/1414))
 * `resource/vault_ssh_secret_backend_role`: support configuring multiple public SSH key lengths in vault-1.10+
   ([#1413](https://github.com/terraform-providers/terraform-provider-vault/pull/1413))
-* `resource/database_secret*`: Add support for configuring TLS, and the `username_template` field for the ElasticSearch.  
+* `resource/database_secret*`: Add support for configuring TLS, and the `username_template` field for the ElasticSearch.
 * `resource/pki_secret_backend_cert`: Add support for optionally revoking the certificate upon resource destruction.
   ([#1411](https://github.com/terraform-providers/terraform-provider-vault/pull/1411))
 * `provider`: Add support for setting the `tls_server_name` to use as the SNI host when connecting via TLS.
   ([#1145](https://github.com/terraform-providers/terraform-provider-vault/pull/1145)
 * `docs`: Add links to Learn Tutorials.
   ([#1399](https://github.com/terraform-providers/terraform-provider-vault/pull/1399))
- 
+
 BUGS:
 * `resource/identity_group`: Fix issue where the group's `member_entity_ids` were being unset in error on update.
   ([#1409](https://github.com/terraform-providers/terraform-provider-vault/pull/1409))
@@ -574,7 +575,7 @@ IMPROVEMENTS:
 ## 3.4.0 (March 24, 2022)
 FEATURES:
 * `data/azure_access_credentials` Add `subscription_id` and `tenant_id` fields to used during credential validation ([#1384](https://github.com/terraform-providers/terraform-provider-vault/pull/1384))
-* Add OIDC Provider support: new resources `vault_identity_oidc_scope`, `vault_identity_oidc_assignment`, `vault_identity_oidc_client` 
+* Add OIDC Provider support: new resources `vault_identity_oidc_scope`, `vault_identity_oidc_assignment`, `vault_identity_oidc_client`
  , `vault_identity_oidc_provider`, `vault_identity_oidc_public_keys`, `vault_identity_oidc_openid_config` ([#1363](https://github.com/hashicorp/terraform-provider-vault/pull/1363))
 
 BUGS:
@@ -608,8 +609,8 @@ BUGS:
 IMPROVEMENTS:
 * `resource/token_auth_backend_role`: Add `allowed_policies_glob` and `disallowed_polices_glob` ([#1316](https://github.com/hashicorp/terraform-provider-vault/pull/1316))
 * `resource/database_secret_backend_connection`: Add support for configuring the secret engine's `plugin_name` ([#1320](https://github.com/hashicorp/terraform-provider-vault/pull/1320))
-* `resource/pki_secret_backend_root_sign_intermediate`: Update schema for `ca_chain` from string to a list of   
-  `issuing_ca` and `certificate`, add new `certificate_bundle` attribute that provides the concatenation of the   
+* `resource/pki_secret_backend_root_sign_intermediate`: Update schema for `ca_chain` from string to a list of
+  `issuing_ca` and `certificate`, add new `certificate_bundle` attribute that provides the concatenation of the
   intermediate and issuing CA certificates (PEM encoded) ([#1330](https://github.com/hashicorp/terraform-provider-vault/pull/1330))
 * `resource/azure_secret_backend`: Add support for setting `use_microsoft_graph_api` ([#1335](https://github.com/hashicorp/terraform-provider-vault/pull/1335))
 * `r/d/kubernetes_auth_backend_role`: Add support for setting and getting `alias_name_source` ([#1336](https://github.com/hashicorp/terraform-provider-vault/pull/1336))

vault/resource_gcp_secret_impersonated_account.go

@@ -68,6 +68,12 @@ func gcpSecretImpersonatedAccountResource() *schema.Resource {
 				Computed:    true,
 				Description: "Project of the GCP Service Account managed by this impersonated account",
 			},
+			consts.FieldTTL: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Time to live.",
+				Computed:    true,
+			},
 		},
 	}
 }
@@ -136,7 +142,7 @@ func gcpSecretImpersonatedAccountRead(ctx context.Context, d *schema.ResourceDat
 		return diag.FromErr(err)
 	}
 
-	for _, k := range []string{consts.FieldTokenScopes, consts.FieldServiceAccountEmail, consts.FieldServiceAccountProject} {
+	for _, k := range []string{consts.FieldTokenScopes, consts.FieldServiceAccountEmail, consts.FieldServiceAccountProject, consts.FieldTTL} {
 		v, ok := resp.Data[k]
 		if ok {
 			if err := d.Set(k, v); err != nil {
@@ -200,6 +206,10 @@ func gcpSecretImpersonatedAccountUpdateFields(d *schema.ResourceData, data map[s
 	if v, ok := d.GetOk(consts.FieldTokenScopes); ok {
 		data[consts.FieldTokenScopes] = v.(*schema.Set).List()
 	}
+
+	if v, ok := d.GetOk(consts.FieldTTL); ok {
+		data[consts.FieldTTL] = v.(string)
+	}
 }
 
 func gcpSecretImpersonatedAccountPath(backend, impersonatedAccount string) string {

vault/resource_gcp_secret_impersonated_account_test.go

@@ -50,6 +50,7 @@ func TestGCPSecretImpersonatedAccount(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "service_account_project", project),
 					resource.TestCheckResourceAttr(resourceName, "token_scopes.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "token_scopes.0", "https://www.googleapis.com/auth/cloud-platform"),
+					resource.TestCheckResourceAttr(resourceName, "ttl", "700"),
 				),
 			},
 			{
@@ -62,6 +63,7 @@ func TestGCPSecretImpersonatedAccount(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "token_scopes.#", "2"),
 					resource.TestCheckResourceAttr(resourceName, "token_scopes.0", "https://www.googleapis.com/auth/cloud-platform"),
 					resource.TestCheckResourceAttr(resourceName, "token_scopes.1", "https://www.googleapis.com/auth/cloud-platform.read-only"),
+					resource.TestCheckResourceAttr(resourceName, "ttl", "700"),
 				),
 			},
 			testutil.GetImportTestStep(resourceName, false, nil),
@@ -96,6 +98,7 @@ resource "vault_gcp_secret_impersonated_account" "test" {
 	impersonated_account = "%s"
 	token_scopes   = ["https://www.googleapis.com/auth/cloud-platform"]
 	service_account_email = "%s"
+	ttl = 700
 }
 `, testGCPSecretImpersonatedAccount_backend(backend, credentials), impersonatedAccount, serviceAccountEmail)
 }
@@ -112,6 +115,7 @@ resource "vault_gcp_secret_impersonated_account" "test" {
         "https://www.googleapis.com/auth/cloud-platform",
     ]
 	service_account_email = "%s"
+	ttl = 700
 }
 `, testGCPSecretImpersonatedAccount_backend(backend, credentials), impersonatedAccount, serviceAccountEmail)
 }

website/docs/r/gcp_secret_impersonated_account.html.md

@@ -46,6 +46,9 @@ The following arguments are supported:
 
 * `token_scopes` - (Required) List of OAuth scopes to assign to access tokens generated under this impersonated account.
 
+* `ttl` - (Optional) Specifies the default TTL for service principals generated using this role.
+  Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+
 ## Attributes Reference
 
 In addition to the fields above, the following attributes are also exposed: