Add allowed_uri_sans_template option for vault_pki_secret_backend_role
This PR requires hashicorp/vault#10249 to be merged.
One test is currently failing until the feature is released in vault.

The following test shall pass when the feature lands in vault

```bash
TESTARGS="-run TestPkiSecretBackendRole" make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./...) -v -run TestPkiSecretBackendRole -timeout 20m
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/codegen   (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/generated [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/decode    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/encode    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/alphabet    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/role        (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/template    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/transformation      (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
=== RUN   TestPkiSecretBackendRole_basic
    resource_pki_secret_backend_role_test.go:16: Step 2/2 error: Check failed: Check 19/47 error: vault_pki_secret_backend_role.test: Attribute 'allowed_uri_sans_template' expected "true", got "false"
--- FAIL: TestPkiSecretBackendRole_basic (4.00s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-vault/vault     4.255s
FAIL
make: *** [testacc] Error 1
```
harsimranmaan committed Dec 21, 2021
1 parent 26c9eba commit 9c70ba5
Showing 3 changed files with 17 additions and 1 deletion.
10 changes: 10 additions & 0 deletions vault/resource_pki_secret_backend_role.go
Expand Up @@ -134,6 +134,13 @@ func pkiSecretBackendRoleResource() *schema.Resource {
Type: schema.TypeString,
},
},
"allowed_uri_sans_template": {
Type: schema.TypeBool,
Required: false,
Optional: true,
Description: "Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases.<mount accessor>.name}})",
Default: false,
},
"allowed_other_sans": {
Type: schema.TypeList,
Required: false,
Expand Down Expand Up @@ -362,6 +369,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
"enforce_hostnames": d.Get("enforce_hostnames"),
"allow_ip_sans": d.Get("allow_ip_sans"),
"allowed_uri_sans": d.Get("allowed_uri_sans"),
"allowed_uri_sans_template": d.Get("allowed_uri_sans_template"),
"allowed_other_sans": d.Get("allowed_other_sans"),
"server_flag": d.Get("server_flag"),
"client_flag": d.Get("client_flag"),
Expand Down Expand Up @@ -487,6 +495,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
d.Set("enforce_hostnames", secret.Data["enforce_hostnames"])
d.Set("allow_ip_sans", secret.Data["allow_ip_sans"])
d.Set("allowed_uri_sans", secret.Data["allowed_uri_sans"])
d.Set("allowed_uri_sans_template", secret.Data["allowed_uri_sans_template"])
d.Set("allowed_other_sans", secret.Data["allowed_other_sans"])
d.Set("server_flag", secret.Data["server_flag"])
d.Set("client_flag", secret.Data["client_flag"])
Expand Down Expand Up @@ -557,6 +566,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
"enforce_hostnames": d.Get("enforce_hostnames"),
"allow_ip_sans": d.Get("allow_ip_sans"),
"allowed_uri_sans": d.Get("allowed_uri_sans"),
"allowed_uri_sans_template": d.Get("allowed_uri_sans_template"),
"allowed_other_sans": d.Get("allowed_other_sans"),
"server_flag": d.Get("server_flag"),
"client_flag": d.Get("client_flag"),
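Review bot: The Read hunk's `d.Set("allowed_uri_sans_template", secret.Data["allowed_uri_sans_template"])` writes whatever the server returns straight into state, so a Vault that predates this field returns no such key, `d.Set` receives nil, and state becomes `false` while the configuration says `true` — which is exactly the failing check quoted in the commit description, and for users it shows up as a permanent plan diff rather than a clear error. Guarding on presence keeps state honest: `if v, ok := secret.Data["allowed_uri_sans_template"]; ok { d.Set("allowed_uri_sans_template", v) }`, or alternatively check the backend version once and fail with a message naming the required Vault release. The Create and Update hunks send the key unconditionally; whether an older Vault ignores or rejects an unknown role field is not visible here and should be confirmed before this ships. All four hunks sit inside functions whose bodies begin and end outside the visible lines.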
6 changes: 5 additions & 1 deletion vault/resource_pki_secret_backend_role_test.go
Expand Up @@ -85,7 +85,10 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_any_name", "false"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "enforce_hostnames", "true"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_ip_sans", "true"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans.#", "2"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans.0", "uri.test.domain"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans.1", "spiffe://{{identity.entity.name}}"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans_template", "true"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_other_sans.0", "1.2.3.4.5.5;UTF8:test"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "server_flag", "true"),
resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "client_flag", "true"),
Expand Down Expand Up @@ -191,7 +194,8 @@ resource "vault_pki_secret_backend_role" "test" {
allow_any_name = false
enforce_hostnames = true
allow_ip_sans = true
allowed_uri_sans = ["uri.test.domain"]
allowed_uri_sans = ["uri.test.domain", "spiffe://{{identity.entity.name}}"]
allowed_uri_sans_template = true
allowed_other_sans = ["1.2.3.4.5.5;UTF8:test"]
server_flag = true
client_flag = true
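Review bot: The new checks on `allowed_uri_sans_template` and on the second `allowed_uri_sans` entry make `TestPkiSecretBackendRole_basic` depend on a Vault build that includes the server change referenced in the description, and the description already shows the whole test failing against current Vault. Rather than leaving the suite red until that release, gate the new assertions behind a check of the target Vault's version (calling `t.Skip` when the field is unsupported), or move them into a separate test so the remaining role checks keep their signal. The value `spiffe://{{identity.entity.name}}` is only a literal string from the provider's side; nothing here confirms that Vault evaluates the template, so a follow-up that issues a certificate against the templated SAN would cover the feature end to end. Both hunks are inside functions that start and end outside the visible lines.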
2 changes: 2 additions & 0 deletions website/docs/r/pki_secret_backend_role.html.md
Expand Up @@ -64,6 +64,8 @@ The following arguments are supported:

* `allowed_uri_sans` - (Optional) Defines allowed URI SANs

* `allowed_uri_sans_template` - (Optional) Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.

* `allowed_other_sans` - (Optional) Defines allowed custom SANs

* `server_flag` - (Optional) Flag to specify certificates for server use
