From 3aab644c1dc2b6bc9ab6bbec854a9c4e279176ce Mon Sep 17 00:00:00 2001
From: Chris Arcand
Date: Tue, 3 Feb 2026 20:23:31 -0600
Subject: [PATCH] Update AppRole documentation with modern parameters
Updated the set_role method documentation to include current Vault AppRole parameters:
- secret_id_bound_cidrs (replaces deprecated bound_cidr_list)
- token_bound_cidrs (for token IP restrictions)
- token_policies (replaces deprecated policies)
- local_secret_ids
- token_explicit_max_ttl
- token_no_default_policy
- token_num_uses
- token_period
- token_type
These parameters were already supported by vault-ruby (the method passes all options directly to Vault), but were not documented.
Added reference to official Vault API documentation for the complete list of available parameters.
Fixes #220
---
 CHANGELOG.md | 1 +
 lib/vault/api/approle.rb | 39 ++++++++++++++++++++++++++-------------
 2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5819fc6..457e68a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ IMPROVEMENTS
- Added `cluster_address` field to `LeaderStatus` response from `sys/leader` endpoint [GH-204]
+- Updated AppRole `set_role` documentation to include modern parameters like `secret_id_bound_cidrs`, `token_bound_cidrs`, and `token_policies`. Added reference to official Vault API docs for complete parameter list. [GH-220]
BUG FIXES
diff --git a/lib/vault/api/approle.rb b/lib/vault/api/approle.rb
index e9d9ae4..31c92c9 100644
--- a/lib/vault/api/approle.rb
+++ b/lib/vault/api/approle.rb
@@ -24,9 +24,10 @@ class AppRole < Request
# @example
# Vault.approle.set_role("testrole", {
# secret_id_ttl: "10m",
+ # secret_id_bound_cidrs: ["10.0.0.0/8"],
# token_ttl: "20m",
- # policies: "default",
- # period: 3600,
+ # token_policies: ["default", "app-policy"],
+ # token_bound_cidrs: ["10.0.0.0/8"],
# }) #=> true
#
# @param [String] name
@@ -34,29 +35,41 @@ class AppRole < Request
# @param [Hash] options
# @option options [Boolean] :bind_secret_id
# Require secret_id to be presented when logging in using this AppRole.
- # @option options [String] :bound_cidr_list
- # Comma-separated list of CIDR blocks. Specifies blocks of IP addresses
- # which can perform the login operation.
- # @option options [String] :policies
- # Comma-separated list of policies set on tokens issued via this AppRole.
+ # @option options [Array] :secret_id_bound_cidrs
+ # Array of CIDR blocks. If set, specifies blocks of IP addresses which
+ # can perform the login operation.
# @option options [String] :secret_id_num_uses
# Number of times any particular SecretID can be used to fetch a token
# from this AppRole, after which the SecretID will expire.
# @option options [Fixnum, String] :secret_id_ttl
# The number of seconds or a golang-formatted timestamp like "60m" after
# which any SecretID expires.
+ # @option options [Boolean] :local_secret_ids
+ # If set, the secret IDs generated using this role will be cluster local.
+ # @option options [Array] :token_policies
+ # Array of policies to be set on tokens issued using this AppRole.
+ # @option options [Array] :token_bound_cidrs
+ # Array of CIDR blocks. If set, specifies blocks of IP addresses which
+ # can authenticate using tokens generated by this AppRole.
# @option options [Fixnum, String] :token_ttl
# The number of seconds or a golang-formatted timestamp like "60m" to set
# as the TTL for issued tokens and at renewal time.
# @option options [Fixnum, String] :token_max_ttl
# The number of seconds or a golang-formatted timestamp like "60m" after
# which the issued token can no longer be renewed.
- # @option options [Fixnum, String] :period
- # The number of seconds or a golang-formatted timestamp like "60m".
- # If set, the token generated using this AppRole is a periodic token.
- # So long as it is renewed it never expires, but the TTL set on the token
- # at each renewal is fixed to the value specified here. If this value is
- # modified, the token will pick up the new value at its next renewal.
+ # @option options [Fixnum, String] :token_explicit_max_ttl
+ # If set, tokens created via this role carry an explicit maximum TTL.
+ # @option options [Boolean] :token_no_default_policy
+ # If set, the default policy will not be set on tokens issued via this role.
+ # @option options [Fixnum] :token_num_uses
+ # The maximum number of times a generated token may be used.
+ # @option options [Fixnum, String] :token_period
+ # The maximum allowed period value when a periodic token is requested.
+ # @option options [String] :token_type
+ # The type of token that should be generated (service, batch, or default).
+ #
+ # For a complete list of parameters, see the Vault AppRole API documentation:
+ # https://developer.hashicorp.com/vault/api-docs/auth/approle
#
# @return [true]
def set_role(name, options = {})
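Review bot: The newly added `@option` tags for `:token_explicit_max_ttl`, `:token_num_uses` and `:token_period` use `Fixnum`, a constant deprecated since Ruby 2.4 and removed in Ruby 3.2, so fresh YARD tags should name `Integer` instead, e.g. `# @option options [Integer, String] :token_explicit_max_ttl`; the pre-existing `Fixnum` tags in the surrounding context lines and the `[String]` type on `:secret_id_num_uses` (a count, not a string) could be corrected in the same pass. The `:token_num_uses` description should also state what omitting it yields, since that is the security-relevant default a caller gets silently: `# The maximum number of times a generated token may be used; 0 (the Vault default) means unlimited.` The body of `set_role` lies outside the hunk, so I cannot confirm here how `options` is forwarded.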