ram-parameswaran
diff --git a/‎docker-compose.yaml
+9-6 b/‎docker-compose.yaml
+9-6
diff --git a/‎internal/consts/consts.go
+3 b/‎internal/consts/consts.go
+3
diff --git a/‎vault/resource_database_secret_backend_static_role.go
+87-68 b/‎vault/resource_database_secret_backend_static_role.go
+87-68
@@ -16,16 +16,19 @@ services:
       VAULT_TOKEN: "TEST"
       MYSQL_URL: "vault:vault@tcp(mysql:3306)/"
 
+  # to run this container on Mac M1 you need to
+  # export DOCKER_DEFAULT_PLATFORM=linux/amd64
+  # to run acceptance tests locally you need to
+  # export MYSQL_URL=root:mysql@tcp(localhost:3306)/
+  # to run the docker container
+  # docker compose up -d mysql
   mysql:
-    image: mysql:5.7
+    image: docker.mirror.hashicorp.services/mysql:latest
     command: --default-authentication-plugin=mysql_native_password
     ports:
     - "3306:3306"
     environment:
-      MYSQL_ROOT_PASSWORD: "root"
-      MYSQL_DATABASE: "main"
-      MYSQL_USER: "vault"
-      MYSQL_PASSWORD: "vault"
+      MYSQL_ROOT_PASSWORD: "mysql"
 
   elastic:
     image: elasticsearch:7.17.10
@@ -95,4 +98,4 @@ services:
     ports:
       - "9042:9042"
     volumes:
-      - ./testdata/cassandra.yaml:/etc/cassandra/cassandra.yaml
+      - ./testdata/cassandra.yaml:/etc/cassandra/cassandra.yaml
@@ -352,6 +352,9 @@ const (
 	FieldCredentialType                = "credential_type"
 	FieldFilename                      = "filename"
 	FieldDefault                       = "default"
+	FieldRotationStatements            = "rotation_statements"
+	FieldRotationSchedule              = "rotation_schedule"
+	FieldRotationWindow                = "rotation_window"
 	FieldKubernetesCACert              = "kubernetes_ca_cert"
 	FieldDisableLocalCAJWT             = "disable_local_ca_jwt"
 	FieldKubernetesHost                = "kubernetes_host"
 
@@ -4,8 +4,10 @@
 package vault
 
 import (
-	"encoding/json"
+	"context"
 	"fmt"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"log"
 	"regexp"
 	"strings"
@@ -20,39 +22,44 @@ var (
 	databaseSecretBackendStaticRoleNameFromPathRegex    = regexp.MustCompile("^.+/static-roles/(.+$)")
 )
 
+var staticRoleFields = []string{
+	consts.FieldRotationPeriod,
+	consts.FieldRotationStatements,
+	consts.FieldDBName,
+}
+
 func databaseSecretBackendStaticRoleResource() *schema.Resource {
 	return &schema.Resource{
-		Create: databaseSecretBackendStaticRoleWrite,
-		Read:   provider.ReadWrapper(databaseSecretBackendStaticRoleRead),
-		Update: databaseSecretBackendStaticRoleWrite,
-		Delete: databaseSecretBackendStaticRoleDelete,
-		Exists: databaseSecretBackendStaticRoleExists,
+		CreateContext: databaseSecretBackendStaticRoleWrite,
+		ReadContext:   provider.ReadContextWrapper(databaseSecretBackendStaticRoleRead),
+		UpdateContext: databaseSecretBackendStaticRoleWrite,
+		DeleteContext: databaseSecretBackendStaticRoleDelete,
 		Importer: &schema.ResourceImporter{
-			State: schema.ImportStatePassthrough,
+			StateContext: schema.ImportStatePassthroughContext,
 		},
 
 		Schema: map[string]*schema.Schema{
-			"name": {
+			consts.FieldName: {
 				Type:        schema.TypeString,
 				Required:    true,
 				ForceNew:    true,
 				Description: "Unique name for the static role.",
 			},
-			"backend": {
+			consts.FieldBackend: {
 				Type:        schema.TypeString,
 				Required:    true,
 				ForceNew:    true,
 				Description: "The path of the Database Secret Backend the role belongs to.",
 			},
-			"username": {
+			consts.FieldUsername: {
 				Type:        schema.TypeString,
 				Required:    true,
 				ForceNew:    true,
 				Description: "The database username that this role corresponds to.",
 			},
-			"rotation_period": {
+			consts.FieldRotationPeriod: {
 				Type:        schema.TypeInt,
-				Required:    true,
+				Optional:    true,
 				Description: "The amount of time Vault should wait before rotating the password, in seconds.",
 				ValidateFunc: func(v interface{}, k string) (ws []string, errs []error) {
 					value := v.(int)
@@ -62,13 +69,24 @@ func databaseSecretBackendStaticRoleResource() *schema.Resource {
 					return
 				},
 			},
-			"db_name": {
+			consts.FieldRotationSchedule: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A cron-style string that will define the schedule on which rotations should occur.",
+			},
+			consts.FieldRotationWindow: {
+				Type:     schema.TypeInt,
+				Optional: true,
+				Description: "The amount of time in seconds in which the rotations are allowed to occur starting " +
+					"from a given rotation_schedule.",
+			},
+			consts.FieldDBName: {
 				Type:        schema.TypeString,
 				Required:    true,
 				ForceNew:    true,
 				Description: "Database connection to use for this role.",
 			},
-			"rotation_statements": {
+			consts.FieldRotationStatements: {
 				Type:        schema.TypeList,
 				Optional:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
@@ -78,43 +96,56 @@ func databaseSecretBackendStaticRoleResource() *schema.Resource {
 	}
 }
 
-func databaseSecretBackendStaticRoleWrite(d *schema.ResourceData, meta interface{}) error {
+func databaseSecretBackendStaticRoleWrite(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, e := provider.GetClient(d, meta)
 	if e != nil {
-		return e
+		return diag.FromErr(e)
 	}
 
-	backend := d.Get("backend").(string)
-	name := d.Get("name").(string)
+	backend := d.Get(consts.FieldBackend).(string)
+	name := d.Get(consts.FieldName).(string)
 
 	path := databaseSecretBackendStaticRolePath(backend, name)
 
 	data := map[string]interface{}{
-		"username":            d.Get("username"),
-		"rotation_period":     d.Get("rotation_period"),
-		"db_name":             d.Get("db_name"),
+		"username":            d.Get(consts.FieldUsername),
+		"db_name":             d.Get(consts.FieldDBName),
 		"rotation_statements": []string{},
 	}
 
-	if v, ok := d.GetOkExists("rotation_statements"); ok && v != "" {
-		data["rotation_statements"] = v
+	useAPIVer115 := provider.IsAPISupported(meta, provider.VaultVersion115)
+	if useAPIVer115 {
+		if v, ok := d.GetOk(consts.FieldRotationSchedule); ok && v != "" {
+			data[consts.FieldRotationSchedule] = v
+		}
+		if v, ok := d.GetOk(consts.FieldRotationWindow); ok && v != "" {
+			data[consts.FieldRotationWindow] = v
+		}
+	}
+
+	if v, ok := d.GetOk(consts.FieldRotationStatements); ok && v != "" {
+		data[consts.FieldRotationStatements] = v
+	}
+
+	if v, ok := d.GetOk(consts.FieldRotationPeriod); ok && v != "" {
+		data[consts.FieldRotationPeriod] = v
 	}
 
 	log.Printf("[DEBUG] Creating static role %q on database backend %q", name, backend)
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
-		return fmt.Errorf("error creating static role %q for backend %q: %s", name, backend, err)
+		return diag.Errorf("error creating static role %q for backend %q: %s", name, backend, err)
 	}
 	log.Printf("[DEBUG] Created static role %q on AWS backend %q", name, backend)
 
 	d.SetId(path)
-	return databaseSecretBackendStaticRoleRead(d, meta)
+	return databaseSecretBackendStaticRoleRead(ctx, d, meta)
 }
 
-func databaseSecretBackendStaticRoleRead(d *schema.ResourceData, meta interface{}) error {
+func databaseSecretBackendStaticRoleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, e := provider.GetClient(d, meta)
 	if e != nil {
-		return e
+		return diag.FromErr(e)
 	}
 
 	path := d.Id()
@@ -123,20 +154,20 @@ func databaseSecretBackendStaticRoleRead(d *schema.ResourceData, meta interface{
 	if err != nil {
 		log.Printf("[WARN] Removing database static role %q because its ID is invalid", path)
 		d.SetId("")
-		return fmt.Errorf("invalid static role ID %q: %s", path, err)
+		return diag.Errorf("invalid static role ID %q: %s", path, err)
 	}
 
 	backend, err := databaseSecretBackendStaticRoleBackendFromPath(path)
 	if err != nil {
 		log.Printf("[WARN] Removing database static role %q because its ID is invalid", path)
 		d.SetId("")
-		return fmt.Errorf("invalid static role ID %q: %s", path, err)
+		return diag.Errorf("invalid static role ID %q: %s", path, err)
 	}
 
 	log.Printf("[DEBUG] Reading static role from %q", path)
 	role, err := client.Logical().Read(path)
 	if err != nil {
-		return fmt.Errorf("error reading static role %q: %s", path, err)
+		return diag.Errorf("error reading static role %q: %s", path, err)
 	}
 	log.Printf("[DEBUG] Read static role from %q", path)
 	if role == nil {
@@ -145,67 +176,55 @@ func databaseSecretBackendStaticRoleRead(d *schema.ResourceData, meta interface{
 		return nil
 	}
 
-	d.Set("backend", backend)
-	d.Set("name", name)
-	d.Set("username", role.Data["username"])
-	d.Set("db_name", role.Data["db_name"])
+	if err := d.Set(consts.FieldBackend, backend); err != nil {
+		return diag.FromErr(err)
+	}
 
-	if v, ok := role.Data["rotation_period"]; ok {
-		n, err := v.(json.Number).Int64()
-		if err != nil {
-			return fmt.Errorf("unexpected value %q for rotation_period of %q", v, path)
-		}
-		d.Set("rotation_period", n)
+	if err := d.Set(consts.FieldName, name); err != nil {
+		return diag.FromErr(err)
 	}
 
-	var rotation []string
-	if rotationStr, ok := role.Data["rotation_statements"].(string); ok {
-		rotation = append(rotation, rotationStr)
-	} else if rotations, ok := role.Data["rotation_statements"].([]interface{}); ok {
-		for _, cr := range rotations {
-			rotation = append(rotation, cr.(string))
+	if err := d.Set(consts.FieldUsername, role.Data[consts.FieldUsername]); err != nil {
+		return diag.FromErr(err)
+	}
+
+	useAPIVer115 := provider.IsAPISupported(meta, provider.VaultVersion115)
+	if useAPIVer115 {
+		if err := d.Set(consts.FieldRotationSchedule, role.Data[consts.FieldRotationSchedule]); err != nil {
+			return diag.FromErr(err)
+		}
+		if err := d.Set(consts.FieldRotationWindow, role.Data[consts.FieldRotationWindow]); err != nil {
+			return diag.FromErr(err)
 		}
 	}
-	err = d.Set("rotation_statements", rotation)
-	if err != nil {
-		return fmt.Errorf("unexpected value %q for rotation_statements of %s: %s", rotation, path, err)
+
+	for _, k := range staticRoleFields {
+		if v, ok := role.Data[k]; ok {
+			if err := d.Set(k, v); err != nil {
+				return diag.FromErr(err)
+			}
+		}
 	}
 
 	return nil
 }
 
-func databaseSecretBackendStaticRoleDelete(d *schema.ResourceData, meta interface{}) error {
+func databaseSecretBackendStaticRoleDelete(_ context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, e := provider.GetClient(d, meta)
 	if e != nil {
-		return e
+		return diag.FromErr(e)
 	}
 
 	path := d.Id()
 	log.Printf("[DEBUG] Deleting static role %q", path)
 	_, err := client.Logical().Delete(path)
 	if err != nil {
-		return fmt.Errorf("error deleting static role %q: %s", path, err)
+		return diag.Errorf("error deleting static role %q: %s", path, err)
 	}
 	log.Printf("[DEBUG] Deleted static role %q", path)
 	return nil
 }
 
-func databaseSecretBackendStaticRoleExists(d *schema.ResourceData, meta interface{}) (bool, error) {
-	client, e := provider.GetClient(d, meta)
-	if e != nil {
-		return false, e
-	}
-
-	path := d.Id()
-	log.Printf("[DEBUG] Checking if %q exists", path)
-	role, err := client.Logical().Read(path)
-	if err != nil {
-		return true, fmt.Errorf("error checking if %q exists: %s", path, err)
-	}
-	log.Printf("[DEBUG] Checked if %q exists", path)
-	return role != nil, nil
-}
-
 func databaseSecretBackendStaticRolePath(backend, name string) string {
 	return strings.Trim(backend, "/") + "/static-roles/" + strings.Trim(name, "/")
 }