remove set_namespace_from_token field

hashicorp · Nov 30, 2023 · 3799f9a · 3799f9a
1 parent 289a101
commit 3799f9a
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 21 deletions.
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -363,7 +363,6 @@ const (
 	FieldServiceAccountJWT             = "service_account_jwt"
 	FieldDisableISSValidation          = "disable_iss_validation"
 	FieldPEMKeys                       = "pem_keys"
-	FieldSetNamespaceFromToken         = "set_namespace_from_token"
 	/*
 		common environment variables
 	*/

diff --git a/internal/provider/meta.go b/internal/provider/meta.go
@@ -340,12 +340,20 @@ func (p *ProviderMeta) setClient() error {
 			"Future releases may not support this type of configuration.", tokenNamespace)
 
 		namespace = tokenNamespace
+
 		// set the namespace on the provider to ensure that all child
 		// namespace paths are properly honoured.
-		if v, ok := d.Get(consts.FieldSetNamespaceFromToken).(bool); ok && v {
+		// We default to setting the namespace from the token unless the
+		// env var is set to false.
+		setFromToken, err := strconv.ParseBool(os.Getenv("VAULT_SET_NAMESPACE_FROM_TOKEN"))
+		if err == nil && setFromToken || err != nil {
 			if err := d.Set(consts.FieldNamespace, namespace); err != nil {
 				return err
 			}
+		} else {
+			log.Printf("[WARN] VAULT_SET_NAMESPACE_FROM_TOKEN environment "+
+				"variable is set to \"false\". The token namespace %q will "+
+				"not be used as the root namespace for all resources.", tokenNamespace)
 		}
 	}
 

diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/vault/api"
 
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 )
@@ -102,6 +103,7 @@ func NewProvider(
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "Path to a CA certificate file to validate the server's certificate.",
+				DefaultFunc: schema.EnvDefaultFunc(api.EnvVaultCACert, ""),
 			},
 			consts.FieldCACertDir: {
 				Type:        schema.TypeString,
@@ -138,13 +140,6 @@ func NewProvider(
 				Optional:    true,
 				Description: "The namespace to use. Available only for Vault Enterprise.",
 			},
-			consts.FieldSetNamespaceFromToken: {
-				Type:     schema.TypeBool,
-				Optional: true,
-				Description: "In the case where the Vault token is for a specific namespace " +
-					"and the provider namespace is not configured, use the token namespace " +
-					"as the root namespace for all resources.",
-			},
 			"headers": {
 				Type:        schema.TypeList,
 				Optional:    true,

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -9,7 +9,7 @@ description: |-
 # Vault Provider
 
 The Vault provider allows Terraform to read from, write to, and configure
-[HashiCorp Vault](https://vaultproject.io/).
+[HashiCorp Vault](https://developer.hashicorp.com/vault).
 
 ~> **Important** Interacting with Vault from Terraform causes any secrets
 that you read and write to be persisted in both Terraform's state file
@@ -214,10 +214,6 @@ variables in order to keep credential information out of the configuration.
 
 * `use_root_namespace` - (Optional) Authenticate to the root Vault namespace. Conflicts with `namespace`.
 
-* `set_namespace_from_token` -(Optional) Defaults to `true`. In the case where the Vault token is
-  for a specific namespace and the provider namespace is not configured, use the token namespace
-  as the root namespace for all resources.
-
 * `skip_get_vault_version` - (Optional) Skip the dynamic fetching of the Vault server version. 
   Set to `true` when the */sys/seal-status* API endpoint is not available. See [vault_version_override](#vault_version_override)
   for related info
@@ -741,9 +737,9 @@ provider "vault" {
 The Vault provider supports managing [Namespaces][namespaces] (a feature of
 Vault Enterprise), as well as creating resources in those namespaces by
 utilizing [Provider Aliasing][aliasing]. The `namespace` option in the [provider
-block][provider-block] enables the management of  resources in the specified
-namespace. 
-In addition, all resources and data sources support specifying their own `namespace`. 
+block](#provider-arguments) enables the management of resources in the specified
+namespace.
+In addition, all resources and data sources support specifying their own `namespace`.
 All resource's `namespace` will be made relative to the `provider`'s configured namespace.
 
 ### Importing namespaced resources
@@ -966,11 +962,19 @@ default
 vault_team_policy
 ```
 
-## Tutorials 
+### Token namespaces
+
+In the case where the Vault token is for a specific namespace and the provider
+namespace is not configured, the provider will use the token namespace as the
+root namespace for all resources. This behavior can be disabled by setting the
+`VAULT_SET_NAMESPACE_FROM_TOKEN ` environment variable to "false". The only
+accepted values are "true" and "false".
+
+
+## Tutorials
 
 Refer to the [Codify Management of Vault Enterprise Using Terraform](https://learn.hashicorp.com/tutorials/vault/codify-mgmt-enterprise) tutorial for additional examples using Vault namespaces.
 
 
-[namespaces]: https://www.vaultproject.io/docs/enterprise/namespaces#vault-enterprise-namespaces
-[aliasing]: https://www.terraform.io/docs/configuration/providers.html#alias-multiple-provider-configurations
-[provider-block]: /docs#provider-arguments
+[namespaces]: https://developer.hashicorp.com/vault/docs/enterprise/namespaces#vault-enterprise-namespaces
+[aliasing]: https://developer.hashicorp.com/terraform/language/providers/configuration#alias-multiple-provider-configurations