Persist namespace to state on import (#1563)

* Add read wrapper function for namespace import
* Wrap all relevant schema.Resource.Read funcs
* Wrap all relevant schema.Resource.ReadContext funcs

generated/datasources/transform/decode/role_name.go

@@ -12,13 +12,14 @@ import (
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/vault"
 )
 
 const roleNameEndpoint = "/transform/decode/{role_name}"
 
 func RoleNameDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readRoleNameResource,
+		Read: vault.ReadWrapper(readRoleNameResource),
 		Schema: map[string]*schema.Schema{
 			"path": {
 				Type:        schema.TypeString,

generated/datasources/transform/encode/role_name.go

@@ -12,13 +12,14 @@ import (
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/vault"
 )
 
 const roleNameEndpoint = "/transform/encode/{role_name}"
 
 func RoleNameDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readRoleNameResource,
+		Read: vault.ReadWrapper(readRoleNameResource),
 		Schema: map[string]*schema.Schema{
 			"path": {
 				Type:        schema.TypeString,

generated/resources/transform/alphabet/name.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/vault"
 )
 
 const nameEndpoint = "/transform/alphabet/{name}"
@@ -42,7 +43,7 @@ func NameResource() *schema.Resource {
 	return &schema.Resource{
 		Create: createNameResource,
 		Update: updateNameResource,
-		Read:   readNameResource,
+		Read:   vault.ReadWrapper(readNameResource),
 		Exists: resourceNameExists,
 		Delete: deleteNameResource,
 		Importer: &schema.ResourceImporter{

generated/resources/transform/role/name.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/vault"
 )
 
 const nameEndpoint = "/transform/role/{name}"
@@ -43,7 +44,7 @@ func NameResource() *schema.Resource {
 	return &schema.Resource{
 		Create: createNameResource,
 		Update: updateNameResource,
-		Read:   readNameResource,
+		Read:   vault.ReadWrapper(readNameResource),
 		Exists: resourceNameExists,
 		Delete: deleteNameResource,
 		Importer: &schema.ResourceImporter{

generated/resources/transform/template/name.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/vault"
 )
 
 const (
@@ -85,7 +86,7 @@ Only applicable to FPE transformations.`,
 	return &schema.Resource{
 		Create: createNameResource,
 		Update: updateNameResource,
-		Read:   readNameResource,
+		Read:   vault.ReadWrapper(readNameResource),
 		Exists: resourceNameExists,
 		Delete: deleteNameResource,
 		Importer: &schema.ResourceImporter{

generated/resources/transform/transformation/name.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/vault"
 )
 
 const nameEndpoint = "/transform/transformation/{name}"
@@ -70,7 +71,7 @@ func NameResource() *schema.Resource {
 	return &schema.Resource{
 		Create: createNameResource,
 		Update: updateNameResource,
-		Read:   readNameResource,
+		Read:   vault.ReadWrapper(readNameResource),
 		Exists: resourceNameExists,
 		Delete: deleteNameResource,
 		Importer: &schema.ResourceImporter{

testutil/testutil.go

@@ -21,6 +21,8 @@ import (
 	"github.com/mitchellh/go-homedir"
 
 	goversion "github.com/hashicorp/go-version"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 )
 
 const (
@@ -661,3 +663,16 @@ func GetImportTestStep(resourceName string, skipVerify bool, ignoreFields ...str
 		ImportStateVerifyIgnore: ignoreFields,
 	}
 }
+
+// GetNamespaceImportStateCheck checks that the namespace was properly imported into the state.
+func GetNamespaceImportStateCheck(ns string) resource.ImportStateCheckFunc {
+	return func(states []*terraform.InstanceState) error {
+		for _, s := range states {
+			if actual := s.Attributes[consts.FieldNamespace]; actual != ns {
+				return fmt.Errorf("expected %q for %s, actual %q",
+					ns, consts.FieldNamespace, actual)
+			}
+		}
+		return nil
+	}
+}

vault/data_identity_entity.go

@@ -89,7 +89,7 @@ var (
 
 func identityEntityDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: identityEntityDataSourceRead,
+		Read: ReadWrapper(identityEntityDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			"entity_name": {

vault/data_identity_group.go

@@ -43,7 +43,7 @@ var (
 
 func identityGroupDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: identityGroupDataSourceRead,
+		Read: ReadWrapper(identityGroupDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			"group_name": {

vault/data_identity_oidc_client_creds.go

@@ -11,7 +11,7 @@ import (
 
 func identityOIDCClientCredsDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readOIDCClientCredsResource,
+		Read: ReadWrapper(readOIDCClientCredsResource),
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:        schema.TypeString,

vault/data_identity_oidc_openid_config.go

@@ -15,7 +15,7 @@ const identityOIDCOpenIDConfigPathSuffix = "/.well-known/openid-configuration"
 
 func identityOIDCOpenIDConfigDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readOIDCOpenIDConfigResource,
+		Read: ReadWrapper(readOIDCOpenIDConfigResource),
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:        schema.TypeString,

vault/data_identity_oidc_public_keys.go

@@ -15,7 +15,7 @@ const identityOIDCPublicKeysPathSuffix = "/.well-known/keys"
 
 func identityOIDCPublicKeysDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readOIDCPublicKeysResource,
+		Read: ReadWrapper(readOIDCPublicKeysResource),
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:        schema.TypeString,

vault/data_source_ad_credentials.go

@@ -11,7 +11,7 @@ import (
 
 func adAccessCredentialsDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readCredsResource,
+		Read: ReadWrapper(readCredsResource),
 		Schema: map[string]*schema.Schema{
 			"backend": {
 				Type:        schema.TypeString,

vault/data_source_approle_auth_backend_role_id.go

@@ -12,7 +12,7 @@ import (
 
 func approleAuthBackendRoleIDDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: approleAuthBackendRoleIDRead,
+		Read: ReadWrapper(approleAuthBackendRoleIDRead),
 
 		Schema: map[string]*schema.Schema{
 			"role_name": {

vault/data_source_auth_backend.go

@@ -11,7 +11,7 @@ import (
 
 func authBackendDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: authBackendDataSourceRead,
+		Read: ReadWrapper(authBackendDataSourceRead),
 		Schema: map[string]*schema.Schema{
 			"path": {
 				Type:        schema.TypeString,

vault/data_source_aws_access_credentials.go

@@ -40,7 +40,7 @@ const (
 
 func awsAccessCredentialsDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: awsAccessCredentialsDataSourceRead,
+		Read: ReadWrapper(awsAccessCredentialsDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			"backend": {

vault/data_source_azure_access_credentials.go

@@ -21,7 +21,7 @@ import (
 
 func azureAccessCredentialsDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: azureAccessCredentialsDataSourceRead,
+		Read: ReadWrapper(azureAccessCredentialsDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			"backend": {

vault/data_source_gcp_auth_backend_role.go

@@ -103,7 +103,7 @@ func gcpAuthBackendRoleDataSource() *schema.Resource {
 	addTokenFields(fields, &addTokenFieldsConfig{})
 
 	return &schema.Resource{
-		Read:   gcpAuthBackendRoleRead,
+		Read:   ReadWrapper(gcpAuthBackendRoleRead),
 		Schema: fields,
 	}
 }

vault/data_source_generic_secret.go

@@ -14,7 +14,7 @@ import (
 
 func genericSecretDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: genericSecretDataSourceRead,
+		Read: ReadWrapper(genericSecretDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			consts.FieldPath: {

vault/data_source_kubernetes_auth_backend_config.go

@@ -12,7 +12,7 @@ import (
 
 func kubernetesAuthBackendConfigDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: kubernetesAuthBackendConfigDataSourceRead,
+		Read: ReadWrapper(kubernetesAuthBackendConfigDataSourceRead),
 		Schema: map[string]*schema.Schema{
 			"backend": {
 				Type:        schema.TypeString,

vault/data_source_kubernetes_auth_backend_role.go

@@ -58,7 +58,7 @@ func kubernetesAuthBackendRoleDataSource() *schema.Resource {
 	addTokenFields(fields, &addTokenFieldsConfig{})
 
 	return &schema.Resource{
-		Read:   kubernetesAuthBackendRoleDataSourceRead,
+		Read:   ReadWrapper(kubernetesAuthBackendRoleDataSourceRead),
 		Schema: fields,
 	}
 }

vault/data_source_kubernetes_credentials.go

@@ -19,7 +19,7 @@ const (
 
 func kubernetesServiceAccountTokenDataSource() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: readKubernetesServiceAccountToken,
+		ReadContext: ReadContextWrapper(readKubernetesServiceAccountToken),
 		Schema: map[string]*schema.Schema{
 			consts.FieldBackend: {
 				Type: schema.TypeString,

vault/data_source_kv_secret.go

@@ -14,7 +14,7 @@ import (
 
 func kvSecretDataSource() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: kvSecretDataSourceRead,
+		ReadContext: ReadContextWrapper(kvSecretDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			consts.FieldPath: {

vault/data_source_kv_secret_v2.go

@@ -15,7 +15,7 @@ import (
 
 func kvSecretV2DataSource() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: kvSecretV2DataSourceRead,
+		ReadContext: ReadContextWrapper(kvSecretV2DataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			consts.FieldMount: {

vault/data_source_kv_secrets_list.go

@@ -12,7 +12,7 @@ import (
 
 func kvSecretListDataSource() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: kvSecretListDataSourceRead,
+		ReadContext: ReadContextWrapper(kvSecretListDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			consts.FieldPath: {

vault/data_source_kv_secrets_list_v2.go

@@ -12,7 +12,7 @@ import (
 
 func kvSecretListDataSourceV2() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: kvSecretV2ListDataSourceRead,
+		ReadContext: ReadContextWrapper(kvSecretV2ListDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			consts.FieldMount: {

vault/data_source_kv_subkeys_v2.go

@@ -15,7 +15,7 @@ import (
 
 func kvSecretSubkeysV2DataSource() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: kvSecretSubkeysDataSourceRead,
+		ReadContext: ReadContextWrapper(kvSecretSubkeysDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			consts.FieldMount: {

vault/data_source_nomad_credentials.go

@@ -11,7 +11,7 @@ import (
 
 func nomadAccessCredentialsDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: readNomadCredsResource,
+		Read: ReadWrapper(readNomadCredsResource),
 		Schema: map[string]*schema.Schema{
 			"backend": {
 				Type:        schema.TypeString,

vault/data_source_policy_document.go

@@ -41,7 +41,7 @@ var allowedCapabilities = []string{
 
 func policyDocumentDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: policyDocumentDataSourceRead,
+		Read: ReadWrapper(policyDocumentDataSourceRead),
 		Schema: map[string]*schema.Schema{
 			"rule": {
 				Type:        schema.TypeList,

vault/data_source_transit_decrypt.go

@@ -11,7 +11,7 @@ import (
 
 func transitDecryptDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: transitDecryptDataSourceRead,
+		Read: ReadWrapper(transitDecryptDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			"key": {

vault/data_source_transit_encrypt.go

@@ -11,7 +11,7 @@ import (
 
 func transitEncryptDataSource() *schema.Resource {
 	return &schema.Resource{
-		Read: transitEncryptDataSourceRead,
+		Read: ReadWrapper(transitEncryptDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
 			"key": {

vault/provider.go

@@ -1,9 +1,13 @@
 package vault
 
 import (
+	"context"
 	"fmt"
+	"log"
+	"os"
 
 	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/vault/api"
 
@@ -834,3 +838,41 @@ func UpdateSchemaResource(r *schema.Resource) *schema.Resource {
 
 	return r
 }
+
+// ReadWrapper provides common read operations to the wrapped schema.ReadFunc.
+func ReadWrapper(f schema.ReadFunc) schema.ReadFunc {
+	return func(d *schema.ResourceData, i interface{}) error {
+		if err := importNamespace(d); err != nil {
+			return err
+		}
+
+		return f(d, i)
+	}
+}
+
+// ReadContextWrapper provides common read operations to the wrapped schema.ReadContextFunc.
+func ReadContextWrapper(f schema.ReadContextFunc) schema.ReadContextFunc {
+	return func(ctx context.Context, d *schema.ResourceData, i interface{}) diag.Diagnostics {
+		if err := importNamespace(d); err != nil {
+			return diag.FromErr(err)
+		}
+		return f(ctx, d, i)
+	}
+}
+
+func importNamespace(d *schema.ResourceData) error {
+	if ns := os.Getenv(consts.EnvVarVaultNamespaceImport); ns != "" {
+		s := d.State()
+		if _, ok := s.Attributes[consts.FieldNamespace]; !ok {
+			log.Printf(`[INFO] Environment variable %s set, `+
+				`attempting TF state import "%s=%s"`,
+				consts.EnvVarVaultNamespaceImport, consts.FieldNamespace, ns)
+			if err := d.Set(consts.FieldNamespace, ns); err != nil {
+				return fmt.Errorf("failed to import %q, err=%w",
+					consts.EnvVarVaultNamespaceImport, err)
+			}
+		}
+	}
+
+	return nil
+}