diff --git a/vault/resource_ssh_secret_backend_ca.go b/vault/resource_ssh_secret_backend_ca.go
index 7a25f9600..25e883685 100644
--- a/vault/resource_ssh_secret_backend_ca.go
+++ b/vault/resource_ssh_secret_backend_ca.go
@@ -41,6 +41,19 @@ func sshSecretBackendCAResource() *schema.Resource {
 				ForceNew:    true,
 				Description: "Whether Vault should generate the signing key pair internally.",
 			},
+			"key_type": {
+				Type:        schema.TypeString,
+				Default:     "ssh-rsa",
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.",
+			},
+			"key_bits": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`.",
+			},
 			"private_key": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -78,6 +91,12 @@ func sshSecretBackendCACreate(d *schema.ResourceData, meta interface{}) error {
 	if publicKey, ok := d.Get("public_key").(string); ok {
 		data["public_key"] = publicKey
 	}
+	if keyType, ok := d.Get("key_type").(string); ok {
+		data["key_type"] = keyType
+	}
+	if keyBits, ok := d.Get("key_bits").(int); ok {
+		data["key_bits"] = keyBits
+	}
 
 	log.Printf("[DEBUG] Writing CA information on SSH backend %q", backend)
 	_, err := client.Logical().Write(backend+"/config/ca", data)
@@ -121,7 +140,7 @@ func sshSecretBackendCARead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("public_key", secret.Data["public_key"])
 	d.Set("backend", backend)
 
-	// the API doesn't return private_key and generate_signing_key
+	// the API doesn't return private_key, generate_signing_key, key_type, or key_bits.
 	// So... if they drift, they drift.
 
 	return nil
diff --git a/website/docs/r/ssh_secret_backend_ca.html.md b/website/docs/r/ssh_secret_backend_ca.html.md
index 9b6cb4d58..64716d5fb 100644
--- a/website/docs/r/ssh_secret_backend_ca.html.md
+++ b/website/docs/r/ssh_secret_backend_ca.html.md
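Review bot: `key_bits` is declared Optional with no `Default`, so an unset value reads back as 0 from the schema and the Description does not tell the user what 0 means; since the create path forwards it verbatim, that semantics is decided entirely by the Vault server and should be stated. I would extend the description to something like `Description: "Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. When unset (0), Vault chooses its default size for the key type."`, hedged to whatever the targeted Vault versions actually do with 0. The same applies to `key_type`: the accepted values are server-defined and the default `ssh-rsa` is the only one a reader can see here, so naming where the valid set is documented would help. Both fields are `ForceNew` while the Read function below never refreshes them, so a change only ever forces replacement from configuration, which is worth a sentence in the schema description as well.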
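Review bot: The `ok` result of `d.Get("key_bits").(int)` is always true for a schema-typed field, so the new block writes `data["key_bits"] = 0` on every create where the user did not set `key_bits`, and both `key_type` and `key_bits` are sent even when `generate_signing_key` is false and a `private_key`/`public_key` pair is supplied. Whether Vault treats 0 as "use the default" or rejects it is not visible here, so the safer form is `if keyBits, ok := d.GetOk("key_bits"); ok { data["key_bits"] = keyBits.(int) }` (the existing `public_key` branch above has the same always-true `ok`, but that is pre-existing). Gating both new assignments on `d.Get("generate_signing_key").(bool)` would also keep the request payload matching what the descriptions promise. The body of `sshSecretBackendCACreate` starts and ends outside this hunk; the same note applies to the `key_type` branch in the same hunk.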
@@ -36,6 +36,10 @@ The following arguments are supported:
 
 * `generate_signing_key` - (Optional) Whether Vault should generate the signing key pair internally. Defaults to true
 
+* `key_type` - (Optional) Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.
+
+* `key_bits` - (Optional) Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`.
+
 * `public_key` - (Optional) The public key part the SSH CA key pair; required if generate_signing_key is false.
 
 * `private_key` - (Optional) The private key part the SSH CA key pair; required if generate_signing_key is false.