diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
index 81ca7bae4..03ebdfc12 100644
--- a/vault/resource_pki_secret_backend_role.go
+++ b/vault/resource_pki_secret_backend_role.go
@@ -134,6 +134,13 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 Type: schema.TypeString,
 },
 },
+ "allowed_uri_sans_template": {
+ Type: schema.TypeBool,
+ Required: false,
+ Optional: true,
+ Description: "Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}})",
+ Default: false,
+ },
 "allowed_other_sans": {
 Type: schema.TypeList,
 Required: false,
@@ -362,6 +369,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 "enforce_hostnames": d.Get("enforce_hostnames"),
 "allow_ip_sans": d.Get("allow_ip_sans"),
 "allowed_uri_sans": d.Get("allowed_uri_sans"),
+ "allowed_uri_sans_template": d.Get("allowed_uri_sans_template"),
 "allowed_other_sans": d.Get("allowed_other_sans"),
 "server_flag": d.Get("server_flag"),
 "client_flag": d.Get("client_flag"),
@@ -487,6 +495,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("enforce_hostnames", secret.Data["enforce_hostnames"])
 d.Set("allow_ip_sans", secret.Data["allow_ip_sans"])
 d.Set("allowed_uri_sans", secret.Data["allowed_uri_sans"])
+ d.Set("allowed_uri_sans_template", secret.Data["allowed_uri_sans_template"])
 d.Set("allowed_other_sans", secret.Data["allowed_other_sans"])
 d.Set("server_flag", secret.Data["server_flag"])
 d.Set("client_flag", secret.Data["client_flag"])
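Review bot: The Description string on the new `allowed_uri_sans_template` schema field gives `{{identity.entity.aliases..name}}` as its example, which appears to omit the mount-accessor segment between the two dots and so is not a template a user can copy, and it says nothing about the security consequence of the flag: once set, the URI SANs this role will sign are derived from whichever identity the issuing token carries rather than from a fixed allow-list. I would reword it as `Description: "If set, allowed_uri_sans may contain identity template expressions (e.g. {{identity.entity.aliases.<mount accessor>.name}}); templated entries are resolved against the identity of the token that requests the certificate",`. Whether plain, non-templated entries remain accepted alongside templated ones is server-side behaviour not visible here, so confirm that against the targeted Vault version before documenting it. The enclosing schema map starts and ends outside this hunk.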
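Review bot: pkiSecretBackendRoleCreate now sends `allowed_uri_sans_template` on every write, including the default `false`, and nothing gates that on the server actually supporting the parameter. If the target Vault predates this field (inferred; not visible here), the write would presumably discard the unknown key while the read hunk further down sets the attribute from a missing map entry, so a configuration with `allowed_uri_sans_template = true` would likely surface as a permanent plan diff rather than a clear error. Consider stating the minimum Vault version this requires in the field documentation, or only adding the key to the request map when the user set it, e.g. `if v, ok := d.GetOk("allowed_uri_sans_template"); ok { /* add to request map */ }`. The request map is built across lines outside this hunk.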
@@ -557,6 +566,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 "enforce_hostnames": d.Get("enforce_hostnames"),
 "allow_ip_sans": d.Get("allow_ip_sans"),
 "allowed_uri_sans": d.Get("allowed_uri_sans"),
+ "allowed_uri_sans_template": d.Get("allowed_uri_sans_template"),
 "allowed_other_sans": d.Get("allowed_other_sans"),
 "server_flag": d.Get("server_flag"),
 "client_flag": d.Get("client_flag"),
diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
index 1e3b7286a..68bc472f9 100644
--- a/vault/resource_pki_secret_backend_role_test.go
+++ b/vault/resource_pki_secret_backend_role_test.go
@@ -85,7 +85,10 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_any_name", "false"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "enforce_hostnames", "true"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_ip_sans", "true"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans.#", "2"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans.0", "uri.test.domain"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans.1", "spiffe://{{identity.entity.name}}"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_uri_sans_template", "true"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_other_sans.0", "1.2.3.4.5.5;UTF8:test"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "server_flag", "true"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "client_flag", "true"),
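Review bot: The new assertions in TestPkiSecretBackendRole_basic only verify that the flag and the `spiffe://{{identity.entity.name}}` entry round-trip through Terraform state; nothing in the test issues a certificate from the role, so a template that is stored but never expanded, or that the server treats as a literal URI, would still pass. If the acceptance harness can request a certificate with an entity-bearing token, a step asserting that the issued URI SAN equals `spiffe://<entity name>` would exercise the behaviour the flag exists for, and a companion case with the flag left false would confirm the literal is then rejected. I cannot see the harness setup here, so this may belong in a separate test rather than this one. The test function starts before this hunk.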
@@ -191,7 +194,8 @@ resource "vault_pki_secret_backend_role" "test" {
 allow_any_name = false
 enforce_hostnames = true
 allow_ip_sans = true
- allowed_uri_sans = ["uri.test.domain"]
+ allowed_uri_sans = ["uri.test.domain", "spiffe://{{identity.entity.name}}"]
+ allowed_uri_sans_template = true
 allowed_other_sans = ["1.2.3.4.5.5;UTF8:test"]
 server_flag = true
 client_flag = true
diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
index dadfe0b68..0ec4e8b1c 100644
--- a/website/docs/r/pki_secret_backend_role.html.md
+++ b/website/docs/r/pki_secret_backend_role.html.md
@@ -64,6 +64,8 @@ The following arguments are supported: * `allowed_uri_sans` - (Optional) Defines allowed URI SANs +* `allowed_uri_sans_template` - (Optional) Flag, if set, `allowed_uri_sans` can be specified using identity template expressions such as `{{identity.entity.aliases..name}}`. + * `allowed_other_sans` - (Optional) Defines allowed custom SANs * `server_flag` - (Optional) Flag to specify certificates for server use