
Feature Request (Vault SSH Secret Backend CA): Support Management of Cert Signing Roles #246

Closed
toddmichael opened this issue Nov 27, 2018 · 2 comments

Comments

@toddmichael
Request

I've successfully mounted and configured SSH CA like so:

resource "vault_mount" "demo" {
  type = "ssh"
  path = "ssh-client-signer"
}

resource "vault_ssh_secret_backend_ca" "demo" {
  backend              = "${vault_mount.demo.path}"
  generate_signing_key = true
}

The missing piece to the puzzle is the configuration of a signing role. Step 4 of the SSH Certificates --> Signing Key & Role Configuration document provides instructions for doing this via CLI:

$ vault write ssh-client-signer/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "30m0s"
}
EOH

It would be ideal if such roles could be managed via Terraform, similar to what vault_cert_auth_backend_role provides for the cert auth backend.

Reference

I noticed Issue #104, the text of which mentions roles, but it's been closed so my assumption is that the scope of work, at least thus far, focused on basic configuration (minus role support).

Happy to provide further details upon request. Cheers.
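The role from the CLI snippet above, expressed as Terraform. This is an added example, not code from the issue or from the provider's documentation; it assumes a `vault_ssh_secret_backend_role` resource with the attribute names shown (no such resource existed when the issue was filed) and Terraform 0.12+ expression syntax. It also tightens the CLI example's `allowed_users: "*"` to an explicit principal list and bounds the certificate lifetime with `max_ttl`, since with an SSH CA there is no revocation list and the TTL is the only thing limiting a signed key's blast radius.

```hcl
# Added example (not from the issue or the provider docs). Assumes the
# vault_ssh_secret_backend_role resource and the attribute names used below.

resource "vault_mount" "ssh_client_signer" {
  type = "ssh"
  path = "ssh-client-signer"
}

resource "vault_ssh_secret_backend_ca" "ssh_client_signer" {
  backend              = vault_mount.ssh_client_signer.path
  generate_signing_key = true
}

resource "vault_ssh_secret_backend_role" "my_role" {
  name    = "my-role"
  backend = vault_mount.ssh_client_signer.path

  key_type                = "ca"
  allow_user_certificates = true
  allow_host_certificates = false

  # Principals a client may request in valid_principals. The CLI snippet used "*",
  # which lets any client with rights on this role sign a key for any account,
  # root included; list the accounts that should actually be reachable instead.
  allowed_users = "ubuntu,deploy"
  default_user  = "ubuntu"

  # Extensions a client may request, and those applied when none are requested.
  # Leaving out permit-port-forwarding / permit-agent-forwarding keeps them off.
  allowed_extensions = "permit-pty"
  default_extensions = {
    "permit-pty" = ""
  }

  # Certificates expire on their own; keep them short and cap what a client can ask for.
  ttl     = "30m"
  max_ttl = "1h"
}
```

Once applied, the role is exercised the same way the CLI-created one is: `vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_ed25519.pub valid_principals=ubuntu > ~/.ssh/id_ed25519-cert.pub`, then `ssh-keygen -L -f ~/.ssh/id_ed25519-cert.pub` shows the principals, extensions and validity window the role actually issued, which is the check worth running after every change to `allowed_users` or `ttl`. Hosts trust the CA by pointing `TrustedUserCAKeys` in `sshd_config` at the key returned by `vault read -field=public_key ssh-client-signer/config/ca`.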

@toddmichael
Author

Any feedback on this one? Seems pretty straightforward, but that's cuz I wrote it ;-) Let me know if otherwise. Thanks.

@SudoerWithAnOpinion

This feels like a vital need, seeing as how Vault is deprecating the SSH/Dynamic Keys secrets backend. Without being able to configure SSH roles in Terraform (or the SSH OTP), no one will be able to use Terraform for SSH keys without a janky work-around.

Can anyone chime in if I've missed something in the docs on how to do this?
