Add key_type and key_bits to vault_ssh_secret_backend_ca (#1454)

hashicorp · Apr 9, 2024 · 60fae0d · 60fae0d
1 parent 996dca5
commit 60fae0d
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/vault/resource_ssh_secret_backend_ca.go b/vault/resource_ssh_secret_backend_ca.go
@@ -41,6 +41,19 @@ func sshSecretBackendCAResource() *schema.Resource {
 				ForceNew:    true,
 				Description: "Whether Vault should generate the signing key pair internally.",
 			},
+			"key_type": {
+				Type:        schema.TypeString,
+				Default:     "ssh-rsa",
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.",
+			},
+			"key_bits": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`.",
+			},
 			"private_key": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -78,6 +91,12 @@ func sshSecretBackendCACreate(d *schema.ResourceData, meta interface{}) error {
 	if publicKey, ok := d.Get("public_key").(string); ok {
 		data["public_key"] = publicKey
 	}
+	if keyType, ok := d.Get("key_type").(string); ok {
+		data["key_type"] = keyType
+	}
+	if keyBits, ok := d.Get("key_bits").(int); ok {
+		data["key_bits"] = keyBits
+	}
 
 	log.Printf("[DEBUG] Writing CA information on SSH backend %q", backend)
 	_, err := client.Logical().Write(backend+"/config/ca", data)
@@ -121,7 +140,7 @@ func sshSecretBackendCARead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("public_key", secret.Data["public_key"])
 	d.Set("backend", backend)
 
-	// the API doesn't return private_key and generate_signing_key
+	// the API doesn't return private_key, generate_signing_key, key_type, or key_bits.
 	// So... if they drift, they drift.
 
 	return nil

diff --git a/website/docs/r/ssh_secret_backend_ca.html.md b/website/docs/r/ssh_secret_backend_ca.html.md
@@ -36,6 +36,10 @@ The following arguments are supported:
 
 * `generate_signing_key` - (Optional) Whether Vault should generate the signing key pair internally. Defaults to true
 
+* `key_type` - (Optional) Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.
+
+* `key_bits` - (Optional) Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`.
+
 * `public_key` - (Optional) The public key part the SSH CA key pair; required if generate_signing_key is false.
 
 * `private_key` - (Optional) The private key part the SSH CA key pair; required if generate_signing_key is false.