Description
The "bound_claims" parameter within vault_jwt_auth_backend_role can currently be set to a map that uses string as the type for the values of its tuples. The string can either be a single value or a comma-separated list of multiple values. Comma-separated lists are converted into a list before being sent to the Vault API (see Docs).
The conversion happens in the following code snippet (terraform-provider-vault/vault/resource_jwt_auth_backend_role.go, lines 427 to 446 in 9f993e9):

```go
boundClaims := make(map[string]interface{})
if v, ok := d.GetOk("bound_claims"); ok {
	var disableParseClaims bool
	if v, ok := d.GetOkExists("disable_bound_claims_parsing"); ok {
		disableParseClaims = v.(bool)
	}
	for key, val := range v.(map[string]interface{}) {
		var claims []string
		if !disableParseClaims {
			// every value is asserted to be a string and split on commas,
			// so a bool or number can never reach Vault with its original type
			for _, v := range strings.Split(val.(string), ",") {
				claims = append(claims, strings.TrimSpace(v))
			}
		} else {
			claims = append(claims, strings.TrimSpace(val.(string)))
		}
		boundClaims[key] = claims
	}
}
data["bound_claims"] = boundClaims
```
Since Vault allows a typed check of bound_claims, this behavior limits the Terraform provider to configuring checks only on claims that are strings. It should therefore also be possible to use typed values within the map, e.g.:

```
"bound_claims": {
  "email_verified": true, # type = bool
  "some_number": 123      # type = int
}
```

When this payload is applied via the Vault CLI/API directly, typing is preserved within Vault. When applying it via the Terraform provider, values are converted to strings. As some IdPs deliver typed tokens, it is crucial that typing is preserved.
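As an added illustration (not code from the provider), the following Go function shows what a type-preserving version of the conversion loop above could look like: string values keep the existing comma-split behaviour, while bool and numeric values are forwarded unchanged so Vault can perform its typed comparison. It assumes the values reach the function with their Go types, i.e. a schema change that the issue implies but that this example does not cover.

```go
package main

import (
	"fmt"
	"strings"
)

// parseBoundClaims converts a Terraform bound_claims map into the payload
// sent to Vault. Unlike the provider's current loop, non-string values are
// not forced through strings.Split, so their type survives the round trip.
func parseBoundClaims(raw map[string]interface{}, disableParse bool) (map[string]interface{}, error) {
	out := make(map[string]interface{}, len(raw))
	for key, val := range raw {
		switch v := val.(type) {
		case string:
			if disableParse {
				// disable_bound_claims_parsing set: keep the whole string as one claim
				out[key] = []string{strings.TrimSpace(v)}
				continue
			}
			var claims []string
			for _, part := range strings.Split(v, ",") {
				claims = append(claims, strings.TrimSpace(part))
			}
			out[key] = claims
		case bool, int, int64, float64:
			// typed claim (e.g. email_verified = true): forward as-is
			out[key] = v
		default:
			// reject anything else instead of silently stringifying it
			return nil, fmt.Errorf("bound_claims[%q]: unsupported value type %T", key, val)
		}
	}
	return out, nil
}

func main() {
	// constructed input modelled on the payload in this issue
	in := map[string]interface{}{
		"groups":         "admins, devops",
		"email_verified": true,
		"some_number":    123,
	}
	out, err := parseBoundClaims(in, false)
	fmt.Printf("%#v %v\n", out, err)
}
```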
Affected Resource(s) and/or Data Source(s)
- vault_jwt_auth_backend_role
Potential Terraform Configuration
```hcl
resource "vault_jwt_auth_backend_role" "default" {
  backend        = vault_jwt_auth_backend.oidc.path
  role_name      = "default"
  token_policies = ["default"]
  user_claim     = "sub"
  bound_claims = {
    email_verified = true,
    some_number    = 123
  }
}
```

References
- https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role#bound_claims-2
- https://developer.hashicorp.com/vault/api-docs/auth/jwt#bound_claims
Would you like to implement a fix?
None