enable support for ssh valid certs additional valid principals field (#…

…512)

* enable support for ssh valid certs additional valid principals field

* chore: Bump Dependencies to 0.14.3 Release

---------

Co-authored-by: Danielle Miu <[email protected]>
Co-authored-by: prsekar <[email protected]>

docs/resources/credential_library_vault_ssh_certificate.md

@@ -89,6 +89,7 @@ resource "boundary_credential_library_vault_ssh_certificate" "baz" {
 
 ### Optional
 
+- `additional_valid_principals` (List of String) Principals to be signed as "valid_principles" in addition to username.
 - `critical_options` (Map of String) Specifies a map of the critical options that the certificate should be signed for.
 - `description` (String) The Vault credential library description.
 - `extensions` (Map of String) Specifies a map of the extensions that the certificate should be signed for.

internal/provider/resource_credential_library_vault_ssh_certificate.go

@@ -14,15 +14,16 @@ import (
 )
 
 const (
-	credentialLibraryVaultSshCertificateType               = "vault-ssh-certificate"
-	credentialLibraryVaultSshCertificatePathKey            = "path"
-	credentialLibraryVaultSshCertificateUsernameKey        = "username"
-	credentialLibraryVaultSshCertificateKeyTypeKey         = "key_type"
-	credentialLibraryVaultSshCertificateKeyBitsKey         = "key_bits"
-	credentialLibraryVaultSshCertificateTtlKey             = "ttl"
-	credentialLibraryVaultSshCertificateKeyIdKey           = "key_id"
-	credentialLibraryVaultSshCertificateCriticalOptionsKey = "critical_options"
-	credentialLibraryVaultSshCertificateExtensionsKey      = "extensions"
+	credentialLibraryVaultSshCertificateType                         = "vault-ssh-certificate"
+	credentialLibraryVaultSshCertificatePathKey                      = "path"
+	credentialLibraryVaultSshCertificateUsernameKey                  = "username"
+	credentialLibraryVaultSshCertificateKeyTypeKey                   = "key_type"
+	credentialLibraryVaultSshCertificateKeyBitsKey                   = "key_bits"
+	credentialLibraryVaultSshCertificateTtlKey                       = "ttl"
+	credentialLibraryVaultSshCertificateKeyIdKey                     = "key_id"
+	credentialLibraryVaultSshCertificateCriticalOptionsKey           = "critical_options"
+	credentialLibraryVaultSshCertificateExtensionsKey                = "extensions"
+	credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey = "additional_valid_principals"
 )
 
 var libraryVaultSshCertificateAttrs = []string{
@@ -34,6 +35,7 @@ var libraryVaultSshCertificateAttrs = []string{
 	credentialLibraryVaultSshCertificateKeyIdKey,
 	credentialLibraryVaultSshCertificateCriticalOptionsKey,
 	credentialLibraryVaultSshCertificateExtensionsKey,
+	credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey,
 }
 
 func resourceCredentialLibraryVaultSshCertificate() *schema.Resource {
@@ -110,6 +112,14 @@ func resourceCredentialLibraryVaultSshCertificate() *schema.Resource {
 				Type:        schema.TypeMap,
 				Optional:    true,
 			},
+			credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey: {
+				Description: "Principals to be signed as \"valid_principles\" in addition to username.",
+				Type:        schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+			},
 		},
 	}
 }
@@ -185,6 +195,13 @@ func resourceCredentialLibraryCreateVaultSshCertificate(ctx context.Context, d *
 			opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryExtensions(e))
 		}
 	}
+	if v, ok := d.GetOk(credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey); ok {
+		avp := []string{}
+		for _, vv := range v.([]interface{}) {
+			avp = append(avp, vv.(string))
+		}
+		opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals(avp))
+	}
 
 	var credentialStoreId string
 	cid, ok := d.GetOk(credentialStoreIdKey)
@@ -375,6 +392,17 @@ func resourceCredentialLibraryUpdateVaultSshCertificate(ctx context.Context, d *
 		}
 		opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryExtensions(e))
 	}
+	if d.HasChange(credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey) {
+		// set defaults first in case the value was omitted and we want to remove it
+		opts = append(opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals())
+		if v, ok := d.GetOk(credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey); ok {
+			avp := []string{}
+			for _, vv := range v.([]interface{}) {
+				avp = append(avp, vv.(string))
+			}
+			opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals(avp))
+		}
+	}
 
 	if len(opts) > 0 {
 		opts = append(opts, credentiallibraries.WithAutomaticVersioning(true))

internal/provider/resource_credential_library_vault_ssh_certificate_test.go

@@ -69,6 +69,9 @@ resource "boundary_credential_library_vault_ssh_certificate" "ext_co_example" {
 	critical_options = {
 	  force-command = "/bin/foo"
 	}
+	additional_valid_principals = [
+	  "principal-1"
+	]
 }`, vaultSshCertCredLibName,
 	vaultSshCertCredLibDesc,
 	vaultSshCertCredLibPath,
@@ -86,6 +89,10 @@ resource "boundary_credential_library_vault_ssh_certificate" "ext_co_example" {
 	  permit-pty            = ""
 	  permit-X11-forwarding = ""
     }
+	additional_valid_principals = [
+	  "principal-2",
+	  "principal-3"
+	]
 }`, vaultSshCertCredLibName,
 	vaultSshCertCredLibDesc,
 	vaultSshCertCredLibPath,
@@ -161,13 +168,14 @@ func TestAccCredentialLibraryVaultSshCertificate(t *testing.T) {
 			},
 			importStep(vaultSshCertCredResc),
 			{
-				// create with extensions and critical options
+				// create with extensions, critical options, and additional valid principals
 				Config: testConfig(url, fooOrg, firstProjectFoo, credStoreRes, vaultSshCertCredLibResourceExtensionsCriticalOpts),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, NameKey, vaultSshCertCredLibName),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, DescriptionKey, vaultSshCertCredLibDesc),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultPathKey, vaultSshCertCredLibPath),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateUsernameKey, vaultSshCertCredUsername),
+					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey+".#", "1"),
 
 					testAccCheckCredentialLibraryResourceExists(provider, vaultSshCertCredExtCOResc),
 				),
@@ -183,6 +191,7 @@ func TestAccCredentialLibraryVaultSshCertificate(t *testing.T) {
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateUsernameKey, vaultSshCertCredUsername),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateCriticalOptionsKey+".%", "0"),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateExtensionsKey+".%", "2"),
+					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey+".#", "2"),
 
 					testAccCheckCredentialLibraryResourceExists(provider, vaultSshCertCredExtCOResc),
 				),
@@ -198,6 +207,7 @@ func TestAccCredentialLibraryVaultSshCertificate(t *testing.T) {
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateUsernameKey, vaultSshCertCredUsername),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateCriticalOptionsKey+".%", "2"),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateExtensionsKey+".%", "1"),
+					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey+".#", "0"),
 
 					testAccCheckCredentialLibraryResourceExists(provider, vaultSshCertCredExtCOResc),
 				),