hashicorp · psekar · Jan 5, 2024 · Oct 30, 2023 · Jan 5, 2024 · Jan 5, 2024
@@ -89,6 +89,7 @@ resource "boundary_credential_library_vault_ssh_certificate" "baz" {
 
 ### Optional
 
+- `additional_valid_principals` (List of String) Principals to be signed as "valid_principles" in addition to username.
 - `critical_options` (Map of String) Specifies a map of the critical options that the certificate should be signed for.
 - `description` (String) The Vault credential library description.
 - `extensions` (Map of String) Specifies a map of the extensions that the certificate should be signed for.

diff --git a/go.mod b/go.mod
@@ -4,9 +4,9 @@ go 1.21
 
 require (
 	github.com/YakDriver/regexache v0.23.0
-	github.com/hashicorp/boundary v0.13.1-0.20231012004550-1ed0a13004b9
-	github.com/hashicorp/boundary/api v0.0.41
-	github.com/hashicorp/boundary/sdk v0.0.37
+	github.com/hashicorp/boundary v0.14.2
+	github.com/hashicorp/boundary/api v0.0.42
+	github.com/hashicorp/boundary/sdk v0.0.38
 	github.com/hashicorp/cap v0.4.0
 	github.com/hashicorp/cap/ldap v0.0.0-20230918191608-899e3f8e8cd6
 	github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637
@@ -51,7 +51,7 @@ require (
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/cli v23.0.1+incompatible // indirect
-	github.com/docker/docker v23.0.3+incompatible // indirect
+	github.com/docker/docker v24.0.7+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
@@ -187,7 +187,7 @@ require (
 	google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
-	google.golang.org/grpc v1.58.2 // indirect
+	google.golang.org/grpc v1.58.3 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

diff --git a/go.sum b/go.sum
@@ -144,8 +144,8 @@ github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy
 github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.3+incompatible h1:9GhVsShNWz1hO//9BNg/dpMnZW25KydO4wtVxWAIbho=
-github.com/docker/docker v23.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
+github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
@@ -291,12 +291,12 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
-github.com/hashicorp/boundary v0.13.1-0.20231012004550-1ed0a13004b9 h1:XMz92IUDuRTOKCEHt1mKqLKNQhorIpLiuZR59ujlzD0=
-github.com/hashicorp/boundary v0.13.1-0.20231012004550-1ed0a13004b9/go.mod h1:l702HZsPDsSt29xismb6d0cip2TLu1uTb4vpFQoT3UM=
-github.com/hashicorp/boundary/api v0.0.41 h1:HfeB/L6q2RneYvRj5ETCi/9BuXFOmhDoPlEnafoNAag=
-github.com/hashicorp/boundary/api v0.0.41/go.mod h1:WnI0eRlP03Kw3wlW+z5va2vvG1OAupZHPsPuEm4pLiQ=
-github.com/hashicorp/boundary/sdk v0.0.37 h1:efuNqw9+u+VsUY1/rBHBgQqTCmWsxMR4aa9k1Fh+aSs=
-github.com/hashicorp/boundary/sdk v0.0.37/go.mod h1:jn9j5mM8v2pOk8aLeJNIszdm7WBf4gRSP68iy8Iu5Q0=
+github.com/hashicorp/boundary v0.14.2 h1:FeJaYBNSguS4JgOAhb5M8KqrdABkgLWFyts1VIMOSvE=
+github.com/hashicorp/boundary v0.14.2/go.mod h1:T+1hjugsMr2U0i5/eFHUIB9Pxp1Z+qJ657Tj7Wx6bmA=
+github.com/hashicorp/boundary/api v0.0.42 h1:GOymhgjteiX6+xs5t+vYiYB5C7YVCVnJsEq9fYgT4j8=
+github.com/hashicorp/boundary/api v0.0.42/go.mod h1:WnI0eRlP03Kw3wlW+z5va2vvG1OAupZHPsPuEm4pLiQ=
+github.com/hashicorp/boundary/sdk v0.0.38 h1:u1PhzTgaclX166GkSV4GzRrrg+Mj9QjHnsWCLkaT2U0=
+github.com/hashicorp/boundary/sdk v0.0.38/go.mod h1:jn9j5mM8v2pOk8aLeJNIszdm7WBf4gRSP68iy8Iu5Q0=
 github.com/hashicorp/cap v0.4.0 h1:FAdBqLcZNPLkZ9WsYPtTvI9egjrhwElDalhArYToI7I=
 github.com/hashicorp/cap v0.4.0/go.mod h1:dHTmyMIVbzT981XxRoci5G//dfWmd/HhuNiCH6J5+IA=
 github.com/hashicorp/cap/ldap v0.0.0-20230918191608-899e3f8e8cd6 h1:m8tI0HwZu7XrscYAS/7sWhYJ/uwjY8sqJnyNFSzT2j0=
@@ -1138,8 +1138,8 @@ google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
-google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I=
-google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
+google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
+google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

@@ -14,15 +14,16 @@ import (
 )
 
 const (
-	credentialLibraryVaultSshCertificateType               = "vault-ssh-certificate"
-	credentialLibraryVaultSshCertificatePathKey            = "path"
-	credentialLibraryVaultSshCertificateUsernameKey        = "username"
-	credentialLibraryVaultSshCertificateKeyTypeKey         = "key_type"
-	credentialLibraryVaultSshCertificateKeyBitsKey         = "key_bits"
-	credentialLibraryVaultSshCertificateTtlKey             = "ttl"
-	credentialLibraryVaultSshCertificateKeyIdKey           = "key_id"
-	credentialLibraryVaultSshCertificateCriticalOptionsKey = "critical_options"
-	credentialLibraryVaultSshCertificateExtensionsKey      = "extensions"
+	credentialLibraryVaultSshCertificateType                         = "vault-ssh-certificate"
+	credentialLibraryVaultSshCertificatePathKey                      = "path"
+	credentialLibraryVaultSshCertificateUsernameKey                  = "username"
+	credentialLibraryVaultSshCertificateKeyTypeKey                   = "key_type"
+	credentialLibraryVaultSshCertificateKeyBitsKey                   = "key_bits"
+	credentialLibraryVaultSshCertificateTtlKey                       = "ttl"
+	credentialLibraryVaultSshCertificateKeyIdKey                     = "key_id"
+	credentialLibraryVaultSshCertificateCriticalOptionsKey           = "critical_options"
+	credentialLibraryVaultSshCertificateExtensionsKey                = "extensions"
+	credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey = "additional_valid_principals"
 )
 
 var libraryVaultSshCertificateAttrs = []string{
@@ -34,6 +35,7 @@ var libraryVaultSshCertificateAttrs = []string{
 	credentialLibraryVaultSshCertificateKeyIdKey,
 	credentialLibraryVaultSshCertificateCriticalOptionsKey,
 	credentialLibraryVaultSshCertificateExtensionsKey,
+	credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey,
 }
 
 func resourceCredentialLibraryVaultSshCertificate() *schema.Resource {
@@ -110,6 +112,14 @@ func resourceCredentialLibraryVaultSshCertificate() *schema.Resource {
 				Type:        schema.TypeMap,
 				Optional:    true,
 			},
+			credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey: {
+				Description: "Principals to be signed as \"valid_principles\" in addition to username.",
+				Type:        schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+			},
 		},
 	}
 }
@@ -185,6 +195,13 @@ func resourceCredentialLibraryCreateVaultSshCertificate(ctx context.Context, d *
 			opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryExtensions(e))
 		}
 	}
+	if v, ok := d.GetOk(credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey); ok {
+		avp := []string{}
+		for _, vv := range v.([]interface{}) {
+			avp = append(avp, vv.(string))
+		}
+		opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals(avp))
+	}
 
 	var credentialStoreId string
 	cid, ok := d.GetOk(credentialStoreIdKey)
@@ -375,6 +392,17 @@ func resourceCredentialLibraryUpdateVaultSshCertificate(ctx context.Context, d *
 		}
 		opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryExtensions(e))
 	}
+	if d.HasChange(credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey) {
+		// set defaults first in case the value was omitted and we want to remove it
+		opts = append(opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals())
+		if v, ok := d.GetOk(credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey); ok {
+			avp := []string{}
+			for _, vv := range v.([]interface{}) {
+				avp = append(avp, vv.(string))
+			}
+			opts = append(opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals(avp))
+		}
+	}
 
 	if len(opts) > 0 {
 		opts = append(opts, credentiallibraries.WithAutomaticVersioning(true))

@@ -69,6 +69,9 @@ resource "boundary_credential_library_vault_ssh_certificate" "ext_co_example" {
 	critical_options = {
 	  force-command = "/bin/foo"
 	}
+	additional_valid_principals = [
+	  "principal-1"
+	]
 }`, vaultSshCertCredLibName,
 	vaultSshCertCredLibDesc,
 	vaultSshCertCredLibPath,
@@ -86,6 +89,10 @@ resource "boundary_credential_library_vault_ssh_certificate" "ext_co_example" {
 	  permit-pty            = ""
 	  permit-X11-forwarding = ""
     }
+	additional_valid_principals = [
+	  "principal-2",
+	  "principal-3"
+	]
 }`, vaultSshCertCredLibName,
 	vaultSshCertCredLibDesc,
 	vaultSshCertCredLibPath,
@@ -161,13 +168,14 @@ func TestAccCredentialLibraryVaultSshCertificate(t *testing.T) {
 			},
 			importStep(vaultSshCertCredResc),
 			{
-				// create with extensions and critical options
+				// create with extensions, critical options, and additional valid principals
 				Config: testConfig(url, fooOrg, firstProjectFoo, credStoreRes, vaultSshCertCredLibResourceExtensionsCriticalOpts),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, NameKey, vaultSshCertCredLibName),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, DescriptionKey, vaultSshCertCredLibDesc),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultPathKey, vaultSshCertCredLibPath),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateUsernameKey, vaultSshCertCredUsername),
+					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey+".#", "1"),
 
 					testAccCheckCredentialLibraryResourceExists(provider, vaultSshCertCredExtCOResc),
 				),
@@ -183,6 +191,7 @@ func TestAccCredentialLibraryVaultSshCertificate(t *testing.T) {
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateUsernameKey, vaultSshCertCredUsername),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateCriticalOptionsKey+".%", "0"),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateExtensionsKey+".%", "2"),
+					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey+".#", "2"),
 
 					testAccCheckCredentialLibraryResourceExists(provider, vaultSshCertCredExtCOResc),
 				),
@@ -198,6 +207,7 @@ func TestAccCredentialLibraryVaultSshCertificate(t *testing.T) {
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateUsernameKey, vaultSshCertCredUsername),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateCriticalOptionsKey+".%", "2"),
 					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateExtensionsKey+".%", "1"),
+					resource.TestCheckResourceAttr(vaultSshCertCredExtCOResc, credentialLibraryVaultSshCertificateAdditionalValidPrincipalsKey+".#", "0"),
 
 					testAccCheckCredentialLibraryResourceExists(provider, vaultSshCertCredExtCOResc),
 				),