Merge branch 'main' into main

SiftScience · Sep 5, 2023 · 87219cf · 87219cf
2 parents cd8e490 + 588b783
commit 87219cf
Show file tree

Hide file tree

Showing 9 changed files with 193 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 FEATURES:
 * Add x509 support to static database roles: ([#1992](https://github.com/hashicorp/terraform-provider-vault/pull/1992))
 
+IMPROVEMENTS:
+* Update dependencies ([#1958](https://github.com/hashicorp/terraform-provider-vault/pull/1958))
+  * github.com/hashicorp/go-secure-stdlib/awsutil `v0.1.6` -> `v0.2.3`
+
 ## 3.20.0 (Aug 30, 2023)
 FEATURES:
 * Add support for setting `permanently_delete` argument on `resource_azure_secret_backend_role`: ([#1958](https://github.com/hashicorp/terraform-provider-vault/pull/1958))

diff --git a/go.mod b/go.mod
@@ -26,11 +26,11 @@ require (
 	github.com/hashicorp/errwrap v1.1.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
-	github.com/hashicorp/go-hclog v1.3.1
+	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-plugin v1.4.5 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1
-	github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6
+	github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.16.0

diff --git a/go.sum b/go.sum
@@ -390,6 +390,7 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.25.39/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
+github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.37.19/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.44.106 h1:FzINxRGt0gAzz01ixtKfkjiDOnnpd/uNbstW/qPW2QE=
 github.com/aws/aws-sdk-go v1.44.106/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
@@ -1061,8 +1062,8 @@ github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39E
 github.com/hashicorp/go-hclog v1.1.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.2.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo=
-github.com/hashicorp/go-hclog v1.3.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@@ -1103,8 +1104,8 @@ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5O
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2/go.mod h1:QRJZ7siKie+SZJB9jLbfKrs0Gd0yPWMtbneg0iU1PrY=
 github.com/hashicorp/go-secure-stdlib/awsutil v0.1.5/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 h1:W9WN8p6moV1fjKLkeqEgkAMu5rauy9QeYDAmIaPuuiA=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg=
+github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3 h1:AAQ6Vmo/ncfrZYtbpjhO+g0Qt+iNpYtl3UWT1NLmbYY=
+github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
@@ -1818,8 +1819,9 @@ github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -1829,8 +1831,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=

diff --git a/vault/resource_quota_lease_count.go b/vault/resource_quota_lease_count.go
@@ -49,6 +49,11 @@ func quotaLeaseCountResource() *schema.Resource {
 				Description:  "The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.",
 				ValidateFunc: validation.IntAtLeast(0),
 			},
+			consts.FieldRole: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.",
+			},
 		},
 	}
 }
@@ -69,6 +74,12 @@ func quotaLeaseCountCreate(d *schema.ResourceData, meta interface{}) error {
 	data["path"] = d.Get("path").(string)
 	data["max_leases"] = d.Get("max_leases").(int)
 
+	if provider.IsAPISupported(meta, provider.VaultVersion112) {
+		if v, ok := d.GetOk(consts.FieldRole); ok {
+			data[consts.FieldRole] = v
+		}
+	}
+
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
 		d.SetId("")
@@ -100,7 +111,12 @@ func quotaLeaseCountRead(d *schema.ResourceData, meta interface{}) error {
 		return nil
 	}
 
-	for _, k := range []string{"path", "max_leases"} {
+	fields := []string{"path", "max_leases", "name"}
+	if provider.IsAPISupported(meta, provider.VaultVersion112) {
+		fields = append(fields, consts.FieldRole)
+	}
+
+	for _, k := range fields {
 		v, ok := resp.Data[k]
 		if ok {
 			if err := d.Set(k, v); err != nil {
@@ -127,6 +143,12 @@ func quotaLeaseCountUpdate(d *schema.ResourceData, meta interface{}) error {
 	data["path"] = d.Get(consts.FieldPath).(string)
 	data["max_leases"] = d.Get("max_leases").(int)
 
+	if provider.IsAPISupported(meta, provider.VaultVersion112) {
+		if v, ok := d.GetOk(consts.FieldRole); ok {
+			data[consts.FieldRole] = v
+		}
+	}
+
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
 		d.SetId("")

diff --git a/vault/resource_quota_lease_count_test.go b/vault/resource_quota_lease_count_test.go
@@ -56,6 +56,48 @@ func TestQuotaLeaseCount(t *testing.T) {
 	})
 }
 
+func TestQuotaLeaseCountWithRole(t *testing.T) {
+	name := acctest.RandomWithPrefix("lease-count")
+	backend := acctest.RandomWithPrefix("approle")
+	role := acctest.RandomWithPrefix("test-role")
+	leaseCount := "1001"
+	newLeaseCount := "2001"
+	resourceName := "vault_quota_lease_count.foobar"
+
+	resource.Test(t, resource.TestCase{
+		Providers: testProviders,
+		PreCheck: func() {
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion112)
+		},
+		CheckDestroy: resource.ComposeTestCheckFunc(
+			testQuotaLeaseCountCheckDestroy([]string{leaseCount, newLeaseCount}),
+			testAccCheckAppRoleAuthBackendRoleDestroy,
+		),
+		Steps: []resource.TestStep{
+			{
+				Config: testQuotaLeaseCountWithRoleConfig(backend, role, name, leaseCount),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldPath, fmt.Sprintf("auth/%s/", backend)),
+					resource.TestCheckResourceAttr(resourceName, "max_leases", leaseCount),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldRole, role),
+				),
+			},
+			{
+				Config: testQuotaLeaseCountWithRoleConfig(backend, role, name, newLeaseCount),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldPath, fmt.Sprintf("auth/%s/", backend)),
+					resource.TestCheckResourceAttr(resourceName, "max_leases", newLeaseCount),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldRole, role),
+				),
+			},
+			testutil.GetImportTestStep(resourceName, false, nil),
+		},
+	})
+}
+
 func testQuotaLeaseCountCheckDestroy(leaseCounts []string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client := testProvider.Meta().(*provider.ProviderMeta).GetClient()
@@ -89,3 +131,25 @@ resource "vault_quota_lease_count" "foobar" {
 }
 `, ns, name, path, maxLeases)
 }
+
+func testQuotaLeaseCountWithRoleConfig(backend, role, name, maxLeases string) string {
+	return fmt.Sprintf(`
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+  path = "%s"
+}
+
+resource "vault_approle_auth_backend_role" "role" {
+  backend = vault_auth_backend.approle.path
+  role_name = "%s"
+  token_policies = ["default", "dev", "prod"]
+}
+
+resource "vault_quota_lease_count" "foobar" {
+  name = "%s"
+  path = "auth/${vault_auth_backend.approle.path}/"
+  role = vault_approle_auth_backend_role.role.role_name
+  max_leases = %s
+}
+`, backend, role, name, maxLeases)
+}
diff --git a/vault/resource_quota_rate_limit.go b/vault/resource_quota_rate_limit.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 )
@@ -60,6 +61,11 @@ func quotaRateLimitResource() *schema.Resource {
 				Description:  "If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.",
 				ValidateFunc: validation.IntAtLeast(0),
 			},
+			consts.FieldRole: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.",
+			},
 		},
 	}
 }
@@ -88,6 +94,12 @@ func quotaRateLimitCreate(d *schema.ResourceData, meta interface{}) error {
 		data["block_interval"] = v
 	}
 
+	if provider.IsAPISupported(meta, provider.VaultVersion112) {
+		if v, ok := d.GetOk(consts.FieldRole); ok {
+			data[consts.FieldRole] = v
+		}
+	}
+
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
 		d.SetId("")
@@ -119,7 +131,12 @@ func quotaRateLimitRead(d *schema.ResourceData, meta interface{}) error {
 		return nil
 	}
 
-	for _, k := range []string{"path", "rate", "interval", "block_interval"} {
+	fields := []string{"path", "rate", "interval", "block_interval", "name"}
+	if provider.IsAPISupported(meta, provider.VaultVersion112) {
+		fields = append(fields, consts.FieldRole)
+	}
+
+	for _, k := range fields {
 		v, ok := resp.Data[k]
 		if ok {
 			if err := d.Set(k, v); err != nil {
@@ -154,6 +171,12 @@ func quotaRateLimitUpdate(d *schema.ResourceData, meta interface{}) error {
 		data["block_interval"] = v
 	}
 
+	if provider.IsAPISupported(meta, provider.VaultVersion112) {
+		if v, ok := d.GetOk(consts.FieldRole); ok {
+			data[consts.FieldRole] = v
+		}
+	}
+
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
 		d.SetId("")

diff --git a/vault/resource_quota_rate_limit_test.go b/vault/resource_quota_rate_limit_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/testutil"
 )
@@ -35,7 +35,7 @@ func TestQuotaRateLimit(t *testing.T) {
 		CheckDestroy: testQuotaRateLimitCheckDestroy([]string{rateLimit, newRateLimit}),
 		Steps: []resource.TestStep{
 			{
-				Config: testQuotaRateLimit_Config(name, "", rateLimit, 1, 0),
+				Config: testQuotaRateLimitConfig(name, "", rateLimit, 1, 0),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_quota_rate_limit.foobar", "name", name),
 					resource.TestCheckResourceAttr("vault_quota_rate_limit.foobar", "path", ""),
@@ -45,7 +45,7 @@ func TestQuotaRateLimit(t *testing.T) {
 				),
 			},
 			{
-				Config: testQuotaRateLimit_Config(name, "", newRateLimit, 60, 120),
+				Config: testQuotaRateLimitConfig(name, "", newRateLimit, 60, 120),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_quota_rate_limit.foobar", "name", name),
 					resource.TestCheckResourceAttr("vault_quota_rate_limit.foobar", "path", ""),
@@ -55,7 +55,7 @@ func TestQuotaRateLimit(t *testing.T) {
 				),
 			},
 			{
-				Config: testQuotaRateLimit_Config(name, "sys/", newRateLimit, 60, 120),
+				Config: testQuotaRateLimitConfig(name, "sys/", newRateLimit, 60, 120),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_quota_rate_limit.foobar", "name", name),
 					resource.TestCheckResourceAttr("vault_quota_rate_limit.foobar", "path", "sys/"),
@@ -68,6 +68,40 @@ func TestQuotaRateLimit(t *testing.T) {
 	})
 }
 
+func TestQuotaRateLimitWithRole(t *testing.T) {
+	name := acctest.RandomWithPrefix("rate-limit")
+	backend := acctest.RandomWithPrefix("approle")
+	role := acctest.RandomWithPrefix("test-role")
+	rateLimit := randomQuotaRateString()
+	resourceName := "vault_quota_rate_limit.foobar"
+
+	resource.Test(t, resource.TestCase{
+		Providers: testProviders,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion112)
+		},
+		CheckDestroy: resource.ComposeTestCheckFunc(
+			testQuotaRateLimitCheckDestroy([]string{rateLimit}),
+			testAccCheckAppRoleAuthBackendRoleDestroy,
+		),
+		Steps: []resource.TestStep{
+			{
+				Config: testQuotaRateLimitWithRoleConfig(backend, role, name, rateLimit, 1, 0),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldPath, fmt.Sprintf("auth/%s/", backend)),
+					resource.TestCheckResourceAttr(resourceName, "rate", rateLimit),
+					resource.TestCheckResourceAttr(resourceName, "interval", "1"),
+					resource.TestCheckResourceAttr(resourceName, "block_interval", "0"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldRole, role),
+				),
+			},
+			testutil.GetImportTestStep(resourceName, false, nil),
+		},
+	})
+}
+
 func testQuotaRateLimitCheckDestroy(rateLimits []string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client := testProvider.Meta().(*provider.ProviderMeta).GetClient()
@@ -88,7 +122,7 @@ func testQuotaRateLimitCheckDestroy(rateLimits []string) resource.TestCheckFunc
 }
 
 // Caution: Don't set test rate values too low or other tests running concurrently might fail
-func testQuotaRateLimit_Config(name, path, rate string, interval, blockInterval int) string {
+func testQuotaRateLimitConfig(name, path, rate string, interval, blockInterval int) string {
 	return fmt.Sprintf(`
 resource "vault_quota_rate_limit" "foobar" {
   name = "%s"
@@ -99,3 +133,27 @@ resource "vault_quota_rate_limit" "foobar" {
 }
 `, name, path, rate, interval, blockInterval)
 }
+
+func testQuotaRateLimitWithRoleConfig(backend, role, name, rate string, interval, blockInterval int) string {
+	return fmt.Sprintf(`
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+  path = "%s"
+}
+
+resource "vault_approle_auth_backend_role" "role" {
+  backend = vault_auth_backend.approle.path
+  role_name = "%s"
+  token_policies = ["default", "dev", "prod"]
+}
+
+resource "vault_quota_rate_limit" "foobar" {
+  name = "%s"
+  path = "auth/${vault_auth_backend.approle.path}/"
+  role = vault_approle_auth_backend_role.role.role_name
+  rate = %s
+  interval = %d
+  block_interval = %d
+}
+`, backend, role, name, rate, interval, blockInterval)
+}
diff --git a/website/docs/r/quota_lease_count.md b/website/docs/r/quota_lease_count.md
@@ -48,6 +48,8 @@ The following arguments are supported:
 * `max_leases` - (Required) The maximum number of leases to be allowed by the quota
   rule. The `max_leases` must be positive.
 
+* `role` - (Optional) If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.

diff --git a/website/docs/r/quota_rate_limit.md b/website/docs/r/quota_rate_limit.md
@@ -51,6 +51,8 @@ The following arguments are supported:
 * `block_interval` - (Optional) If set, when a client reaches a rate limit threshold, the client will
   be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.
 
+* `role` - (Optional) If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.