diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
index 8bedbeaeb..1accfeaf8 100644
--- a/vault/resource_pki_secret_backend_role.go
+++ b/vault/resource_pki_secret_backend_role.go
@@ -297,6 +297,14 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 Description: "Flag to mark basic constraints valid when issuing non-CA certificates.",
 Default: false,
 },
+ "not_before_duration": {
+ Type: schema.TypeString,
+ Required: false,
+ Optional: true,
+ Computed: true,
+ Description: "Specifies the duration by which to backdate the NotBefore property.",
+ ValidateFunc: validateDuration,
+ },
 },
 }
 }
@@ -366,6 +374,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 "no_store": d.Get("no_store"),
 "require_cn": d.Get("require_cn"),
 "basic_constraints_valid_for_non_ca": d.Get("basic_constraints_valid_for_non_ca"),
+ "not_before_duration": d.Get("not_before_duration"),
 }
 if len(allowedDomains) > 0 {
@@ -454,6 +463,8 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 policyIdentifiers = append(policyIdentifiers, iIdentifier.(string))
 }
+ notBeforeDuration := flattenVaultDuration(secret.Data["not_before_duration"])
+
 d.Set("backend", backend)
 d.Set("name", name)
 d.Set("ttl", secret.Data["ttl"])
@@ -490,6 +501,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("require_cn", secret.Data["require_cn"])
 d.Set("policy_identifiers", policyIdentifiers)
 d.Set("basic_constraints_valid_for_non_ca", secret.Data["basic_constraints_valid_for_non_ca"])
+ d.Set("not_before_duration", notBeforeDuration)
 return nil
 }
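Review bot: In the `not_before_duration` schema entry added to pkiSecretBackendRoleResource, the Description says neither what the backdate is for nor what applies when the attribute is left unset, and `Required: false` is redundant beside `Optional: true`. Backdating NotBefore makes an issued certificate valid for a period before it was actually issued, which matters when issuance times are reconstructed later, so the text should state the purpose and Vault's documented default, for example `Description: "Duration by which to backdate NotBefore on issued certificates to tolerate clock skew; Vault's default is 30s.",`. `validateDuration` is defined outside this diff, so whether it rejects negative or very large durations cannot be confirmed from here.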
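Review bot: pkiSecretBackendRoleCreate now puts `d.Get("not_before_duration")` into the request map unconditionally, and the same line is added in pkiSecretBackendRoleUpdate, so a role that never sets the attribute still sends a value, presumably an empty string. How Vault interprets that is not visible in this diff; if it is read as zero, the role would lose the server-side default backdate and freshly issued certificates could be rejected as not yet valid by clients whose clocks run slightly behind. Sending the key only when it is configured avoids that, along the lines of `if v, ok := d.GetOk("not_before_duration"); ok { data["not_before_duration"] = v }` placed after the literal, next to the existing `len(allowedDomains)` guard (the map's variable name is outside the hunk; `data` is a stand-in). Both function bodies start and end outside their hunks.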
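Review bot: In pkiSecretBackendRoleRead, `secret.Data["not_before_duration"]` is handed to `flattenVaultDuration` without checking that the key is present, and the helper is defined outside this diff. A Vault server that does not return this field would pass nil, and if the helper renders the duration in a different spelling from the configured one (seconds versus `45m`), every plan would show a change on the role. I would guard the read, `if v, ok := secret.Data["not_before_duration"]; ok { d.Set("not_before_duration", flattenVaultDuration(v)) }`, and add a comment above it stating the format the helper returns. The function body extends beyond both Read hunks.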
@@ -555,6 +567,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 "no_store": d.Get("no_store"),
 "require_cn": d.Get("require_cn"),
 "basic_constraints_valid_for_non_ca": d.Get("basic_constraints_valid_for_non_ca"),
+ "not_before_duration": d.Get("not_before_duration"),
 }
 if len(allowedDomains) > 0 {
diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
index 0bd0f734d..39181e532 100644
--- a/vault/resource_pki_secret_backend_role_test.go
+++ b/vault/resource_pki_secret_backend_role_test.go
@@ -64,6 +64,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.#", "1"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.0", "1.2.3.4"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "basic_constraints_valid_for_non_ca", "false"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "not_before_duration", "45m"),
 ),
 },
 {
@@ -110,6 +111,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.#", "1"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "policy_identifiers.0", "1.2.3.4"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "basic_constraints_valid_for_non_ca", "false"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "not_before_duration", "45m"),
 ),
 },
 },
@@ -160,6 +162,7 @@ resource "vault_pki_secret_backend_role" "test" {
 require_cn = true
 policy_identifiers = ["1.2.3.4"]
 basic_constraints_valid_for_non_ca = false
+ not_before_duration = "45m"
 }`, path, name)
 }
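Review bot: Both steps of TestPkiSecretBackendRole_basic assert that `not_before_duration` is `"45m"`, and the two configuration hunks (`@@ -160` and `@@ -207`) both set `45m`, so the line added to pkiSecretBackendRoleUpdate is never shown to change anything. Give the second configuration a different value and assert it in the second step; the exact string to expect depends on how the Read path formats the duration, which is not visible in this diff. A step that omits the attribute would also pin what a role ends up with when the setting is left to its default.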
@@ -207,6 +210,7 @@ resource "vault_pki_secret_backend_role" "test" {
 require_cn = true
 policy_identifiers = ["1.2.3.4"]
 basic_constraints_valid_for_non_ca = false
+ not_before_duration = "45m"
 }`, path, name)
 }
diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
index 425222957..6cd358e72 100644
--- a/website/docs/r/pki_secret_backend_role.html.md
+++ b/website/docs/r/pki_secret_backend_role.html.md
@@ -101,6 +101,8 @@ The following arguments are supported:
 * `basic_constraints_valid_for_non_ca` - (Optional) Flag to mark basic constraints valid when issuing non-CA certificates
+* `not_before_duration` - (Optional) Specifies the duration by which to backdate the NotBefore property.
+
 ## Attributes Reference
 No additional attributes are exported by this resource.