✨ d/vault_policy_document - support for subscribe_event_types

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Unreleased
 
+FEATURES:
+ * Added optional subscribe_event_types attribute to data `vault_policy_document`: https://github.com/hashicorp/terraform-provider-vault/pull/2433
+
 ## 4.7.0 (Mar 12, 2025)
 
 FEATURES:

vault/data_source_policy_document.go

@@ -22,14 +22,15 @@ type Policy struct {
 }
 
 type PolicyRule struct {
-	Path               string
-	Description        string
-	MinWrappingTTL     string
-	MaxWrappingTTL     string
-	Capabilities       []string
-	RequiredParameters []string
-	AllowedParameters  map[string][]string
-	DeniedParameters   map[string][]string
+	Path                string
+	Description         string
+	MinWrappingTTL      string
+	MaxWrappingTTL      string
+	Capabilities        []string
+	RequiredParameters  []string
+	AllowedParameters   map[string][]string
+	DeniedParameters    map[string][]string
+	SubscribeEventTypes []string
 }
 
 var allowedCapabilities = []string{
@@ -133,6 +134,14 @@ func policyDocumentDataSource() *schema.Resource {
 								},
 							},
 						},
+
+						"subscribe_event_types": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
 					},
 				},
 			},
@@ -187,6 +196,10 @@ func policyDocumentDataSourceRead(d *schema.ResourceData, meta interface{}) erro
 				}
 			}
 
+			if subscribeEventTypesIntfs := rawRule["subscribe_event_types"].([]interface{}); len(subscribeEventTypesIntfs) > 0 {
+				rule.SubscribeEventTypes = policyDecodeConfigListOfStrings(subscribeEventTypesIntfs)
+			}
+
 			log.Printf("[DEBUG] Rule is: %#v", rule)
 
 			rules[i] = rule
@@ -268,6 +281,10 @@ func policyRenderPolicyRule(rule *PolicyRule) string {
 	renderedRule := fmt.Sprintf("path \"%s\" {\n", rule.Path)
 	renderedRule = fmt.Sprintf("%s  capabilities = %s\n", renderedRule, policyRenderListOfStrings(rule.Capabilities))
 
+	if len(rule.SubscribeEventTypes) > 0 {
+		renderedRule = fmt.Sprintf("%s  subscribe_event_types = %s\n", renderedRule, policyRenderListOfStrings(rule.SubscribeEventTypes))
+	}
+
 	if rule.Description != "" {
 		renderedRule = fmt.Sprintf("# %s\n%s", rule.Description, renderedRule)
 	}

vault/data_source_policy_document_test.go

@@ -26,6 +26,21 @@ func TestDataSourcePolicyDocument(t *testing.T) {
 	})
 }
 
+func TestDataSourcePolicyDocument_withSubscribeEvents(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck:          func() { testutil.TestAccPreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				Config: testDataSourcePolicyDocument_withSubscribeEvents,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.vault_policy_document.test", "hcl", testResultPolicyHCLDocument_withSubscribeEvents),
+				),
+			},
+		},
+	})
+}
+
 var testDataSourcePolicyDocument_config = `
 data "vault_policy_document" "test" {
   rule {
@@ -122,6 +137,21 @@ path "secret/test3/" {
 }
 `
 
+var testDataSourcePolicyDocument_withSubscribeEvents = `
+data "vault_policy_document" "test" {
+  rule {
+    path                   = "secret/test1/*"
+    capabilities           = ["read", "list", "subscribe"]
+    subscribe_event_types  = ["*"]
+  }
+}
+`
+var testResultPolicyHCLDocument_withSubscribeEvents = `path "secret/test1/*" {
+  capabilities = ["read", "list", "subscribe"]
+  subscribe_event_types = ["*"]
+}
+`
+
 func testDataSourcePolicyDocument_check(s *terraform.State) error {
 	resourceState := s.Modules[0].Resources["data.vault_policy_document.test"]
 	if resourceState == nil {

website/docs/d/policy_document.md

@@ -47,6 +47,8 @@ Each document configuration may have one or more `rule` blocks, which each accep
 
 * `max_wrapping_ttl` - (Optional) The maximum allowed TTL that clients can specify for a wrapped response.
 
+* `subscribe_event_types` - (Optional) Event types to subscribe to. See [Vault Documentation](https://developer.hashicorp.com/vault/docs/concepts/events) for possible event types.
+
 ### Parameters
 
 Each of `*_parameter` attributes can optionally further restrict paths based on the keys and data at those keys when evaluating the permissions for a path.