Support not_before_duration property in pki_secret_backend_role (hash…
…icorp#698)

* Support not_before_duration property in pki_secret_backend_role

* Add default value for not_before_duration

* Let Vault set the default properly if it is not set via Terraform
shwuandwing authored Mar 7, 2020
1 parent 7c6cbd4 commit 7665d06
Showing 3 changed files with 19 additions and 0 deletions.
13 changes: 13 additions & 0 deletions vault/resource_pki_secret_backend_role.go
@@ -297,6 +297,14 @@ func pkiSecretBackendRoleResource() *schema.Resource {
Description: "Flag to mark basic constraints valid when issuing non-CA certificates.",
Default: false,
},
"not_before_duration": {
Type: schema.TypeString,
Required: false,
Optional: true,
Computed: true,
Description: "Specifies the duration by which to backdate the NotBefore property.",
ValidateFunc: validateDuration,
},
},
}
}
@@ -366,6 +374,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
"no_store": d.Get("no_store"),
"require_cn": d.Get("require_cn"),
"basic_constraints_valid_for_non_ca": d.Get("basic_constraints_valid_for_non_ca"),
"not_before_duration": d.Get("not_before_duration"),
}

if len(allowedDomains) > 0 {
@@ -454,6 +463,8 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string))
}

notBeforeDuration := flattenVaultDuration(secret.Data["not_before_duration"])

d.Set("backend", backend)
d.Set("name", name)
d.Set("ttl", secret.Data["ttl"])
@@ -490,6 +501,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
d.Set("require_cn", secret.Data["require_cn"])
d.Set("policy_identifiers", policyIdentifiers)
d.Set("basic_constraints_valid_for_non_ca", secret.Data["basic_constraints_valid_for_non_ca"])
d.Set("not_before_duration", notBeforeDuration)

return nil
}
@@ -555,6 +567,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
"no_store": d.Get("no_store"),
"require_cn": d.Get("require_cn"),
"basic_constraints_valid_for_non_ca": d.Get("basic_constraints_valid_for_non_ca"),
"not_before_duration": d.Get("not_before_duration"),
}

if len(allowedDomains) > 0 {
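Review bot: In the create and update hunks, `"not_before_duration": d.Get("not_before_duration")` is written unconditionally, so when the attribute is omitted from configuration (it is `Optional` and `Computed` with no `Default`) an empty string is sent to Vault on create. Whether Vault reads that as "use the role default" or as a zero backdate is not visible here, and the difference matters: with no backdating, freshly issued certificates can be rejected by relying parties whose clocks run slightly behind. I would add the key only when `d.GetOk("not_before_duration")` reports a value, alongside the existing `if len(allowedDomains) > 0` block that follows the map literal. `Required: false` in the schema is also redundant next to `Optional: true`. Both function bodies continue outside the hunks.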
4 changes: 4 additions & 0 deletions vault/resource_pki_secret_backend_role_test.go
@@ -64,6 +64,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.#", "1"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.0", "1.2.3.4"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "basic_constraints_valid_for_non_ca", "false"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "not_before_duration", "45m"),
),
},
{
@@ -110,6 +111,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.#", "1"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.0", "1.2.3.4"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "basic_constraints_valid_for_non_ca", "false"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "not_before_duration", "45m"),
),
},
},
@@ -160,6 +162,7 @@ resource "vault_pki_secret_backend_role" "test" {
require_cn = true
policy_identifiers = ["1.2.3.4"]
basic_constraints_valid_for_non_ca = false
not_before_duration = "45m"
}`, path, name)
}

@@ -207,6 +210,7 @@ resource "vault_pki_secret_backend_role" "test" {
require_cn = true
policy_identifiers = ["1.2.3.4"]
basic_constraints_valid_for_non_ca = false
not_before_duration = "45m"
}`, path, name)
}

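Review bot: Every added assertion checks `not_before_duration` against an explicitly configured "45m", and both test configurations visible here set that same value, so neither the omitted-attribute path nor a real change of the value on update is exercised. The omitted case is the one the `Computed: true` schema flag exists for, and the one where a wrong default on the certificate's NotBefore would go unnoticed. I would add a step whose configuration leaves the attribute out and asserts `resource.TestCheckResourceAttrSet("vault_pki_secret_backend_role.test", "not_before_duration")`, and change the second configuration to a different duration so the update path is covered. The test function and both config helpers extend beyond the visible hunks.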
2 changes: 2 additions & 0 deletions website/docs/r/pki_secret_backend_role.html.md
@@ -101,6 +101,8 @@ The following arguments are supported:

* `basic_constraints_valid_for_non_ca` - (Optional) Flag to mark basic constraints valid when issuing non-CA certificates

* `not_before_duration` - (Optional) Specifies the duration by which to backdate the NotBefore property.

## Attributes Reference

No additional attributes are exported by this resource.