AppRole auth: add support for 'secret_id_bound_cidrs' and 'token_bound_cidrs' #220
Description
vault-ruby currently supports the 'bound_cidrs' option for the AppRole auth method.
The 'bound_cidrs' option is deprecated in favour of the 'secret_id_bound_cidrs' and 'token_bound_cidrs' options. Could support for these new options please be added?
The lack of support for these options is the likely cause of an issue we see with our custom Puppet types and providers leveraging the vault-ruby gem to write the config.
A Puppet manifest configuring an AppRole might look like this:
vault_approle { 'my_approle':
ensure => 'present',
vault_address => https://active.vault.service.consul:8200,
role_id => 'my_approle',
options => {
'policies' => ['default', 'my_approle_read'],
'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
'token_bound_cidrs' => ['10.XX.XX.XX/32'],
'token_max_ttl' => 300,
'token_num_uses' => 10,
'token_ttl' => 300,
},
require => [
Vault_auth['approle'],
Vault_policy['my_approle_read'],
]
}
The issue we are seeing is that all AppRoles are created and work as expected but are reconfigured on each Puppet run, this is due to the subnet mask being stripped from the configured ‘token_bound_cidrs’ as shown in the Puppet run output below:
Notice: /Stage[main]/Profiles::Vault_configuration/Vault_approle[my_approle]/options: options changed {
'policies' => ['default', 'my_approle_read'],
'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
'token_bound_cidrs' => ['10.XX.XX.XX'],
'token_max_ttl' => 300,
'token_num_uses' => 50,
'token_ttl' => 300
} to {
'secret_id_num_uses' => 0,
'token_num_uses' => 50,
'token_ttl' => 300,
'token_max_ttl' => 300,
'policies' => ['default', 'my_approle_read'],
'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
'token_bound_cidrs' => ['10.XX.XX.XX/32']
} (corrective)