Add support for log_level PKI SCEP configuration (#2525)

* Add support for log_level PKI SCEP configuration.

* Bump to latest 1.20 version.

* Add changelog entry.

Author: victorr

.github/workflows/build.yml

@@ -67,7 +67,7 @@ jobs:
         - "vault-enterprise:1.17.17-ent"
         - "vault-enterprise:1.18.10-ent"
         - "vault-enterprise:1.19.5-ent"
-        - "vault-enterprise:1.20.0-ent"
+        - "vault-enterprise:1.20.1-ent"
         - "vault:latest"
     services:
       vault:

CHANGELOG.md

@@ -5,6 +5,7 @@ FEATURES:
 * Add support for `root_password_ttl` in `vault_azure_secret_backend` resource. Requires Vault 1.15+ ([#2529](https://github.com/hashicorp/terraform-provider-vault/pull/2529))
 * Add support for managed key parameters in the SSH CA config endpoint ([#2480](https://github.com/hashicorp/terraform-provider-vault/pull/2480))
 * Add new resources `vault_oci_auth_backend` and `vault_oci_auth_backend_role` to manage OCI auth backend and roles. ([#1761](https://github.com/hashicorp/terraform-provider-vault/pull/1761))
+* Add support for `log_level` in `vault_pki_secret_backend_config_scep` resource. Requires Vault 1.20.1+ ([#2525](https://github.com/hashicorp/terraform-provider-vault/pull/2525))
 
 BUGS:
 * Fix the tune block issue where it always updates unless field values match Vault server defaults

internal/consts/consts.go

@@ -67,6 +67,7 @@ const (
 	FieldLastPassword                   = "last_password"
 	FieldLastVaultRotation              = "last_vault_rotation"
 	FieldLocal                          = "local"
+	FieldLogLevel                       = "log_level"
 	FieldSealWrap                       = "seal_wrap"
 	FieldExternalEntropyAccess          = "external_entropy_access"
 	FieldAWS                            = "aws"

vault/data_source_pki_secret_backend_config_scep.go

@@ -91,6 +91,11 @@ var pkiSecretBackendConfigScepDataSourceSchema = map[string]*schema.Schema{
 			},
 		},
 	},
+	consts.FieldLogLevel: {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "The level of logging verbosity, affects only SCEP logs on this mount",
+	},
 	consts.FieldLastUpdated: {
 		Type:        schema.TypeString,
 		Computed:    true,

vault/resource_pki_secret_backend_config_scep.go

@@ -106,6 +106,12 @@ var pkiSecretBackendConfigScepResourceSchema = map[string]*schema.Schema{
 			},
 		},
 	},
+	consts.FieldLogLevel: {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Computed:    true,
+		Description: "The level of logging verbosity, affects only SCEP logs on this mount",
+	},
 	consts.FieldLastUpdated: {
 		Type:        schema.TypeString,
 		Computed:    true, // read-only property

vault/resource_pki_secret_backend_config_scep_test.go

@@ -56,6 +56,7 @@ func TestAccPKISecretBackendConfigScep_Empty(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceBackend, consts.FieldExternalValidation+".#", "1"),
 					resource.TestCheckResourceAttr(resourceBackend, consts.FieldExternalValidation+".0.%", "1"),
 					resource.TestCheckResourceAttr(resourceBackend, consts.FieldExternalValidation+".0.intune.%", "0"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldLogLevel, ""),
 					resource.TestCheckResourceAttrSet(resourceBackend, consts.FieldLastUpdated),
 
 					// Validate we read back the data back as we did upon creation
@@ -75,6 +76,7 @@ func TestAccPKISecretBackendConfigScep_Empty(t *testing.T) {
 					resource.TestCheckResourceAttr(dataName, consts.FieldExternalValidation+".#", "1"),
 					resource.TestCheckResourceAttr(dataName, consts.FieldExternalValidation+".0.%", "1"),
 					resource.TestCheckResourceAttr(dataName, consts.FieldExternalValidation+".0.intune.%", "0"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldLogLevel, ""),
 					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
 				),
 			},
@@ -132,6 +134,7 @@ resource "vault_pki_secret_backend_config_scep" "test" {
   allowed_encryption_algorithms = ["des-cbc", "3des-cbc"]
   allowed_digest_algorithms = ["sha-1"]
   restrict_ca_chain_to_issuer = true
+  log_level = "trace"
   authenticators { 
 	cert = { "accessor" = "test", "cert_role" = "cert-role" }
     scep = { "accessor" = "auth-scep-accessor", "scep_role" = "scep-role"}
@@ -172,6 +175,7 @@ data "vault_pki_secret_backend_config_scep" "test" {
 					resource.TestCheckResourceAttr(resourceBackend, consts.FieldExternalValidation+".0.intune.%", "2"),
 					resource.TestCheckResourceAttr(resourceBackend, consts.FieldExternalValidation+".0.intune.client_id", "the client ID"),
 					resource.TestCheckResourceAttr(resourceBackend, consts.FieldExternalValidation+".0.intune.tenant_id", "the tenant ID"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldLogLevel, "trace"),
 
 					resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend),
 					resource.TestCheckResourceAttr(dataName, consts.FieldEnabled, "true"),
@@ -195,6 +199,7 @@ data "vault_pki_secret_backend_config_scep" "test" {
 					resource.TestCheckResourceAttr(dataName, consts.FieldExternalValidation+".0.intune.%", "2"),
 					resource.TestCheckResourceAttr(dataName, consts.FieldExternalValidation+".0.intune.client_id", "the client ID"),
 					resource.TestCheckResourceAttr(dataName, consts.FieldExternalValidation+".0.intune.tenant_id", "the tenant ID"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldLogLevel, "trace"),
 				),
 			},
 			{

website/docs/d/pki_secret_backend_config_scep.html.md

@@ -62,6 +62,7 @@ The following arguments are supported:
 
 * `restrict_ca_chain_to_issuer` - If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
 
+* `log_level` - The level of logging verbosity, affects only SCEP logs on this mount.
 
 <a id="nestedatt--authenticators"></a>
 ### Nested Schema for `authenticators`

website/docs/r/pki_secret_backend_config_scep.html.md

@@ -72,6 +72,8 @@ The following arguments are supported:
 
 * `restrict_ca_chain_to_issuer` - (Optional) If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
 
+* `log_level` - (Optional) The level of logging verbosity, affects only SCEP logs on this mount.
+
 
 <a id="nestedatt--authenticators"></a>
 ### Nested Schema for `authenticators`