
PKI: Add support for CPS URL in custom policy identifiers #1494

Closed

Conversation

@swenson (Contributor) commented Jun 9, 2022

Update the vault_resource_pki_secret_backend_role to support
specifying the CPS URL when specifying policy identifiers in line with
the recent changes to the PKI Secrets Engine in Vault 1.11:
hashicorp/vault#15751

We do this by deprecating the existing policy_identifiers argument and
creating a new block, policy_identifier, which can be specified
multiple times.

If both policy_identifiers and policy_identifier blocks are present,
then policy_identifier is ignored. (Otherwise, refreshing would delete
one or the other, and the state wouldn't have round trip stability.)

This was also tested locally with, for example, a terraform file like:

```hcl
provider "vault" {
}

resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400
}

resource "vault_pki_secret_backend_role" "role" {
  name = "example-dot-com"
  backend = vault_mount.pki.path
  allowed_domains = ["example.com"]
  allow_subdomains = true
  allow_bare_domains = true
  allow_glob_domains = true
  allow_ip_sans = true
  allow_localhost = "true"
  generate_lease = true
  organization = ["Hashi test"]
  country = ["USA"]
  locality = ["Area 51"]
  province = ["NV"]
  max_ttl = "720h"
  policy_identifiers = ["2.5.29.32","1.2.3"]
  // or
  policy_identifier {
    oid = "2.5.29.32"
    cps = "https://example.com/cps"
    notice = "Some notice"
  }
  policy_identifier {
    oid = "1.2.3"
  }
}
```

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Release note for CHANGELOG:

resource/pki_secret_backend_role: Add policy_identifier block, deprecate policy_identifiers

Output from acceptance testing:

```console
$ make testacc TESTARGS="-v ./vault -run .*TestPkiSecretBackendRole.*"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -v -v ./vault -run .*TestPkiSecretBackendRole.* -timeout 30m ./...
=== RUN   TestPkiSecretBackendRole_basic
--- PASS: TestPkiSecretBackendRole_basic (5.07s)
PASS
ok  	github.com/hashicorp/terraform-provider-vault/vault	5.562s
...
```
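The precedence rule described above (a non-empty legacy `policy_identifiers` list wins and the `policy_identifier` blocks are ignored) and the conversion of a block into the JSON-object form that Vault 1.11's `policy_identifiers` parameter accepts, as an added Go example that is not the provider's own code: the function name `BuildPolicyIdentifiers`, the dotted-decimal OID check, and the `oid`/`cps`/`notice` field names are my assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// PolicyIdentifier mirrors the new policy_identifier block; the json tags give
// the object form Vault 1.11 accepts in policy_identifiers (assumed, see lead-in).
type PolicyIdentifier struct {
	OID    string `json:"oid"`
	CPS    string `json:"cps,omitempty"`
	Notice string `json:"notice,omitempty"`
}

// Policy OIDs are dotted-decimal arcs; reject anything else before Vault puts it in a certificate.
var oidRe = regexp.MustCompile(`^[0-9]+(\.[0-9]+)+$`)

// BuildPolicyIdentifiers returns the list to send to Vault. As the PR description states,
// a non-empty legacy policy_identifiers list wins and the blocks are ignored (state round-trips).
func BuildPolicyIdentifiers(legacy []string, blocks []PolicyIdentifier) ([]string, error) {
	if len(legacy) > 0 {
		for _, oid := range legacy {
			if !oidRe.MatchString(oid) {
				return nil, fmt.Errorf("invalid policy OID %q", oid)
			}
		}
		return legacy, nil
	}
	out := make([]string, 0, len(blocks))
	for _, b := range blocks {
		if !oidRe.MatchString(b.OID) {
			return nil, fmt.Errorf("invalid policy OID %q", b.OID)
		}
		if b.CPS == "" && b.Notice == "" {
			out = append(out, b.OID) // bare OID, identical to the legacy form
			continue
		}
		enc, _ := json.Marshal(b) // cannot fail for a struct of strings
		out = append(out, string(enc))
	}
	return out, nil
}

func main() { // constructed input: the two policy_identifier blocks from the PR's test file
	ids, err := BuildPolicyIdentifiers(nil, []PolicyIdentifier{
		{OID: "2.5.29.32", CPS: "https://example.com/cps", Notice: "Some notice"}, {OID: "1.2.3"}})
	fmt.Println(ids, err)
}
```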

@swenson (Contributor, Author) commented Jun 9, 2022

Opened against wrong branch
