Fix up some bits

internal/consts/consts.go

@@ -37,7 +37,7 @@ const (
 	FieldParameters                    = "parameters"
 	FieldMethod                        = "method"
 	FieldNamespace                     = "namespace"
-	FieldIsRootNamespace               = "is_root_namespace"
+	FieldUseRootNamespace              = "use_root_namespace"
 	FieldNamespaceID                   = "namespace_id"
 	FieldNamespacePath                 = "namespace_path"
 	FieldPathFQ                        = "path_fq"

internal/provider/auth.go

@@ -151,7 +151,7 @@ func (l *AuthLoginCommon) Init(d *schema.ResourceData, authField string, validat
 
 func (l *AuthLoginCommon) Namespace() (string, bool) {
 	if l.params != nil {
-		if v, ok := l.params[consts.FieldIsRootNamespace]; ok && v.(bool) {
+		if v, ok := l.params[consts.FieldUseRootNamespace]; ok && v.(bool) {
 			return "", true
 		}
 
@@ -250,6 +250,12 @@ func (l *AuthLoginCommon) init(d *schema.ResourceData) (string, map[string]inter
 	var params map[string]interface{}
 	if v, ok := l.getOk(d, consts.FieldParameters); ok {
 		params = v.(map[string]interface{})
+		ns, _ := l.getOk(d, consts.FieldNamespace)
+		params[consts.FieldNamespace] = ns
+
+		if v := l.get(d, consts.FieldUseRootNamespace); v != nil {
+			params[consts.FieldUseRootNamespace] = v
+		}
 	} else {
 		v := config[0]
 		if v == nil {
@@ -259,10 +265,6 @@ func (l *AuthLoginCommon) init(d *schema.ResourceData) (string, map[string]inter
 		}
 	}
 
-	if v, ok := params[consts.FieldIsRootNamespace]; ok && !v.(bool) {
-		delete(params, consts.FieldIsRootNamespace)
-	}
-
 	l.initialized = true
 
 	return path, params, nil
@@ -302,6 +304,10 @@ func (l *AuthLoginCommon) getOk(d *schema.ResourceData, field string) (interface
 	return d.GetOk(l.fieldPath(d, field))
 }
 
+func (l *AuthLoginCommon) get(d *schema.ResourceData, field string) interface{} {
+	return d.Get(l.fieldPath(d, field))
+}
+
 func (l *AuthLoginCommon) fieldPath(d *schema.ResourceData, field string) string {
 	return fmt.Sprintf("%s.0.%s", l.authField, field)
 }
@@ -332,24 +338,35 @@ func GetAuthLogin(r *schema.ResourceData) (AuthLogin, error) {
 	return nil, nil
 }
 
-func mustAddLoginSchema(r *schema.Resource, defaultMount string) *schema.Resource {
+func mustAddLoginSchema(r *schema.Resource, authField string, defaultMount string) *schema.Resource {
 	m := map[string]*schema.Schema{
 		consts.FieldNamespace: {
 			Type:     schema.TypeString,
 			Optional: true,
 			Description: fmt.Sprintf(
 				"The authentication engine's namespace. Conflicts with %s",
-				consts.FieldIsRootNamespace,
+				consts.FieldUseRootNamespace,
 			),
+			ConflictsWith: []string{
+				fmt.Sprintf("%s.0.%s",
+					authField,
+					consts.FieldUseRootNamespace,
+				),
+			},
 		},
-		consts.FieldIsRootNamespace: {
+		consts.FieldUseRootNamespace: {
 			Type:     schema.TypeBool,
 			Optional: true,
 			Description: fmt.Sprintf(
 				"Authenticate to the root Vault namespace. Conflicts with %s",
 				consts.FieldNamespace,
 			),
-			ConflictsWith: []string{consts.FieldNamespace},
+			ConflictsWith: []string{
+				fmt.Sprintf("%s.0.%s",
+					authField,
+					consts.FieldNamespace,
+				),
+			},
 		},
 	}
 

internal/provider/auth_aws.go

@@ -128,7 +128,7 @@ func GetAWSLoginSchemaResource(authField string) *schema.Resource {
 				Description: `The Vault header value to include in the STS signing request.`,
 			},
 		},
-	}, consts.MountTypeAWS)
+	}, authField, consts.MountTypeAWS)
 }
 
 var _ AuthLogin = (*AuthLoginAWS)(nil)

internal/provider/auth_aws_test.go

@@ -46,6 +46,7 @@ func TestAuthLoginAWS_Init(t *testing.T) {
 			},
 			expectParams: map[string]interface{}{
 				consts.FieldNamespace:                "ns1",
+				consts.FieldUseRootNamespace:         false,
 				consts.FieldRole:                     "alice",
 				consts.FieldMount:                    consts.MountTypeAWS,
 				consts.FieldAWSAccessKeyID:           "key-id",

internal/provider/auth_azure.go

@@ -99,7 +99,7 @@ func GetAzureLoginSchemaResource(authField string) *schema.Resource {
 				ConflictsWith: []string{fmt.Sprintf("%s.0.%s", authField, consts.FieldJWT)},
 			},
 		},
-	}, consts.MountTypeAzure)
+	}, authField, consts.MountTypeAzure)
 }
 
 var _ AuthLogin = (*AuthLoginAzure)(nil)

internal/provider/auth_azure_test.go

@@ -38,6 +38,7 @@ func TestAuthLoginAzure_Init(t *testing.T) {
 			},
 			expectParams: map[string]interface{}{
 				consts.FieldNamespace:         "ns1",
+				consts.FieldUseRootNamespace:  false,
 				consts.FieldMount:             consts.MountTypeAzure,
 				consts.FieldRole:              "alice",
 				consts.FieldJWT:               "jwt1",

internal/provider/auth_cert.go

@@ -55,7 +55,7 @@ func GetCertLoginSchemaResource(authField string) *schema.Resource {
 				Description: "Path to a file containing the private key that the certificate was issued for.",
 			},
 		},
-	}, consts.MountTypeCert)
+	}, authField, consts.MountTypeCert)
 }
 
 var _ AuthLogin = (*AuthLoginCert)(nil)

internal/provider/auth_cert_test.go

@@ -53,12 +53,13 @@ func TestAuthLoginCert_Init(t *testing.T) {
 			},
 			authField: consts.FieldAuthLoginCert,
 			expectParams: map[string]interface{}{
-				consts.FieldNamespace:  "",
-				consts.FieldMount:      consts.MountTypeCert,
-				consts.FieldName:       "",
-				consts.FieldCACertFile: "ca.crt",
-				consts.FieldCertFile:   "cert.crt",
-				consts.FieldKeyFile:    "cert.key",
+				consts.FieldNamespace:        "",
+				consts.FieldUseRootNamespace: false,
+				consts.FieldMount:            consts.MountTypeCert,
+				consts.FieldName:             "",
+				consts.FieldCACertFile:       "ca.crt",
+				consts.FieldCertFile:         "cert.crt",
+				consts.FieldKeyFile:          "cert.key",
 			},
 			wantErr: false,
 		},
@@ -75,11 +76,12 @@ func TestAuthLoginCert_Init(t *testing.T) {
 			},
 			authField: consts.FieldAuthLoginCert,
 			expectParams: map[string]interface{}{
-				consts.FieldNamespace: "",
-				consts.FieldMount:     consts.MountTypeCert,
-				consts.FieldName:      "bob",
-				consts.FieldCertFile:  "cert.crt",
-				consts.FieldKeyFile:   "cert.key",
+				consts.FieldNamespace:        "",
+				consts.FieldUseRootNamespace: false,
+				consts.FieldMount:            consts.MountTypeCert,
+				consts.FieldName:             "bob",
+				consts.FieldCertFile:         "cert.crt",
+				consts.FieldKeyFile:          "cert.key",
 			},
 			wantErr: false,
 		},
@@ -97,12 +99,13 @@ func TestAuthLoginCert_Init(t *testing.T) {
 			},
 			authField: consts.FieldAuthLoginCert,
 			expectParams: map[string]interface{}{
-				consts.FieldNamespace:  "ns1",
-				consts.FieldMount:      consts.MountTypeCert,
-				consts.FieldName:       "",
-				consts.FieldCACertFile: "ca.crt",
-				consts.FieldCertFile:   "cert.crt",
-				consts.FieldKeyFile:    "cert.key",
+				consts.FieldNamespace:        "ns1",
+				consts.FieldUseRootNamespace: false,
+				consts.FieldMount:            consts.MountTypeCert,
+				consts.FieldName:             "",
+				consts.FieldCACertFile:       "ca.crt",
+				consts.FieldCertFile:         "cert.crt",
+				consts.FieldKeyFile:          "cert.key",
 			},
 			wantErr: false,
 		},
@@ -125,15 +128,16 @@ func TestAuthLoginCert_Init(t *testing.T) {
 			},
 			authField: consts.FieldAuthLoginCert,
 			expectParams: map[string]interface{}{
-				consts.FieldCACertDir:     "/foo/baz",
-				consts.FieldSkipTLSVerify: true,
-				consts.FieldTLSServerName: "baz.biff",
-				consts.FieldNamespace:     "ns1",
-				consts.FieldMount:         "cert1",
-				consts.FieldName:          "bob",
-				consts.FieldCACertFile:    "ca.crt",
-				consts.FieldCertFile:      "cert.crt",
-				consts.FieldKeyFile:       "cert.key",
+				consts.FieldNamespace:        "ns1",
+				consts.FieldUseRootNamespace: false,
+				consts.FieldCACertDir:        "/foo/baz",
+				consts.FieldSkipTLSVerify:    true,
+				consts.FieldTLSServerName:    "baz.biff",
+				consts.FieldMount:            "cert1",
+				consts.FieldName:             "bob",
+				consts.FieldCACertFile:       "ca.crt",
+				consts.FieldCertFile:         "cert.crt",
+				consts.FieldKeyFile:          "cert.key",
 			},
 			wantErr: false,
 		},

internal/provider/auth_gcp.go

@@ -76,7 +76,7 @@ func GetGCPLoginSchemaResource(authField string) *schema.Resource {
 				ConflictsWith: []string{fmt.Sprintf("%s.0.%s", authField, consts.FieldJWT)},
 			},
 		},
-	}, consts.MountTypeGCP)
+	}, authField, consts.MountTypeGCP)
 }
 
 var _ AuthLogin = (*AuthLoginGCP)(nil)
@@ -120,7 +120,7 @@ func (l *AuthLoginGCP) Login(client *api.Client) (*api.Secret, error) {
 	}
 
 	params, err := l.copyParamsExcluding(
-		consts.FieldIsRootNamespace,
+		consts.FieldUseRootNamespace,
 		consts.FieldNamespace,
 		consts.FieldMount,
 		consts.FieldJWT,

internal/provider/auth_generic.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"fmt"
+	"log"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/vault/api"
@@ -33,32 +34,16 @@ func GetGenericLoginSchema(authField string) *schema.Schema {
 }
 
 func GetGenericLoginSchemaResource(_ string) *schema.Resource {
-	return &schema.Resource{
+	return mustAddLoginSchema(&schema.Resource{
 		Schema: map[string]*schema.Schema{
 			consts.FieldPath: {
 				Type:     schema.TypeString,
 				Required: true,
 			},
-			consts.FieldNamespace: {
-				Type:     schema.TypeString,
-				Optional: true,
-				Description: fmt.Sprintf(
-					"The authentication engine's namespace. Conflicts with %s",
-					consts.FieldIsRootNamespace,
-				),
-			},
-			consts.FieldIsRootNamespace: {
-				Type:     schema.TypeBool,
-				Optional: true,
-				Description: fmt.Sprintf(
-					"Authenticate to the root Vault namespace. Conflicts with %s",
-					consts.FieldNamespace,
-				),
-				ConflictsWith: []string{consts.FieldNamespace},
-			},
 			consts.FieldParameters: {
-				Type:     schema.TypeMap,
-				Optional: true,
+				Type:      schema.TypeMap,
+				Optional:  true,
+				Sensitive: true,
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
 				},
@@ -68,7 +53,7 @@ func GetGenericLoginSchemaResource(_ string) *schema.Resource {
 				Optional: true,
 			},
 		},
-	}
+	}, consts.FieldAuthLoginGeneric, consts.MountTypeNone)
 }
 
 var _ AuthLogin = (*AuthLoginGeneric)(nil)
@@ -78,10 +63,8 @@ var _ AuthLogin = (*AuthLoginGeneric)(nil)
 // Requires configuration provided by SchemaLoginGeneric.
 type AuthLoginGeneric struct {
 	AuthLoginCommon
-	path            string
-	namespace       string
-	namespaceExists bool
-	method          string
+	path   string
+	method string
 }
 
 func (l *AuthLoginGeneric) Init(d *schema.ResourceData, authField string) (AuthLogin, error) {
@@ -115,7 +98,10 @@ func (l *AuthLoginGeneric) Login(client *api.Client) (*api.Secret, error) {
 		return nil, err
 	}
 
-	params, err := l.copyParams()
+	params, err := l.copyParamsExcluding(
+		consts.FieldNamespace,
+		consts.FieldUseRootNamespace,
+	)
 	if err != nil {
 		return nil, err
 	}

internal/provider/auth_generic_test.go

@@ -19,7 +19,7 @@ func TestAuthLoginGeneric_Namespace(t *testing.T) {
 		{
 			name: "root-ns",
 			params: map[string]interface{}{
-				consts.FieldIsRootNamespace: true,
+				consts.FieldUseRootNamespace: true,
 			},
 			want:   "",
 			exists: true,

internal/provider/auth_jwt.go

@@ -33,7 +33,7 @@ func GetJWTLoginSchema(authField string) *schema.Schema {
 }
 
 // GetJWTLoginSchemaResource for the jwt authentication engine.
-func GetJWTLoginSchemaResource(_ string) *schema.Resource {
+func GetJWTLoginSchemaResource(authField string) *schema.Resource {
 	return mustAddLoginSchema(&schema.Resource{
 		Schema: map[string]*schema.Schema{
 			consts.FieldRole: {
@@ -48,7 +48,7 @@ func GetJWTLoginSchemaResource(_ string) *schema.Resource {
 				DefaultFunc: schema.EnvDefaultFunc(consts.EnvVarVaultAuthJWT, nil),
 			},
 		},
-	}, consts.MountTypeJWT)
+	}, authField, consts.MountTypeJWT)
 }
 
 var _ AuthLogin = (*AuthLoginJWT)(nil)
@@ -94,7 +94,7 @@ func (l *AuthLoginJWT) Login(client *api.Client) (*api.Secret, error) {
 	}
 
 	params, err := l.copyParamsExcluding(
-		consts.FieldIsRootNamespace,
+		consts.FieldUseRootNamespace,
 		consts.FieldNamespace,
 		consts.FieldMount,
 	)

internal/provider/auth_jwt_test.go

@@ -31,10 +31,11 @@ func TestAuthLoginJWT_Init(t *testing.T) {
 				},
 			},
 			expectParams: map[string]interface{}{
-				consts.FieldNamespace: "ns1",
-				consts.FieldMount:     consts.MountTypeJWT,
-				consts.FieldRole:      "alice",
-				consts.FieldJWT:       "jwt1",
+				consts.FieldNamespace:        "ns1",
+				consts.FieldUseRootNamespace: false,
+				consts.FieldMount:            consts.MountTypeJWT,
+				consts.FieldRole:             "alice",
+				consts.FieldJWT:              "jwt1",
 			},
 			wantErr: false,
 		},

internal/provider/auth_kerberos.go

@@ -98,7 +98,7 @@ func GetKerberosLoginSchemaResource(authField string) *schema.Resource {
 				Description:   "Strip the host from the username found in the keytab.",
 			},
 		},
-	}, consts.MountTypeKerberos)
+	}, authField, consts.MountTypeKerberos)
 
 	return s
 }

internal/provider/auth_kerberos_test.go

@@ -39,8 +39,9 @@ func TestAuthLoginKerberos_Init(t *testing.T) {
 			},
 			authField: consts.FieldAuthLoginKerberos,
 			expectParams: map[string]interface{}{
-				consts.FieldToken:                  testNegTokenInit,
 				consts.FieldNamespace:              "",
+				consts.FieldUseRootNamespace:       false,
+				consts.FieldToken:                  testNegTokenInit,
 				consts.FieldMount:                  consts.MountTypeKerberos,
 				consts.FieldUsername:               "",
 				consts.FieldService:                "",