PKI: Add support for CPS URL in custom policy identifiers #1495

Merged
merged 4 commits into from
Jun 10, 2022
Merged
64 changes: 64 additions & 0 deletions internal/pki.go
@@ -0,0 +1,64 @@
package internal
Contributor


oh, I was thinking more of moving this code to a package called pki under internal/, sorry if I wasn't clear.

Contributor


I think it might be better to instead make this live under internal/pki and call it something like package pki. We did something similar for packages like internal/consts and internal/identity/entity. Importing might also make things more explicitly clear, with names like pki.ReadPolicyIdentifierBlocks

Contributor Author


👍 makes sense


import (
"encoding/json"
"strings"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-provider-vault/helper"
)

// ReadPolicyIdentifierBlocks converts the `policy_identifiers` list and `policy_identifier` blocks
// into a list of strings (the OIDs) or the JSON serialization of the `policy_identifier` blocks,
// respectively.
func ReadPolicyIdentifierBlocks(policyIdentifierBlocks *schema.Set) string {
if policyIdentifierBlocks == nil || policyIdentifierBlocks.Len() == 0 {
return ""
}

var newPolicyIdentifiers []map[string]interface{}

// If the `policy_identifier` blocks are present, send them as JSON, which is only supported by Vault 1.11+.
newPolicyIdentifiers = make([]map[string]interface{}, 0, policyIdentifierBlocks.Len())
for _, iPolicyIdentifier := range policyIdentifierBlocks.List() {
policyIdentifier := iPolicyIdentifier.(map[string]interface{})
newPolicyIdentifiers = append(newPolicyIdentifiers, policyIdentifier)
}
// we know these maps are safe to marshal
policyIdentifiersJson, _ := json.Marshal(newPolicyIdentifiers)
return string(policyIdentifiersJson)
}

// MakePkiPolicyIdentifiersListOrSet converts the Vault "policy_identifiers" response
// into either a list of OIDs, i.e., ["1.2.3","4.5.6"], or a set to represent
// `policy_identifier` blocks. We return either of these so that round-tripping is stable,
// and to preserve backwards compatibility with previous versions of Vault.
func MakePkiPolicyIdentifiersListOrSet(rawPolicyIdentifiers []interface{}) ([]string, *schema.Set, error) {
policyIdentifiers := make([]string, 0, len(rawPolicyIdentifiers))
newPolicyIdentifiers := schema.NewSet(pkiPolicyIdentifierHash, []interface{}{})
for _, iIdentifier := range rawPolicyIdentifiers {
policyString := iIdentifier.(string)
if strings.HasPrefix(policyString, "{") && strings.HasSuffix(policyString, "}") {
var policyMap = map[string]string{}
err := json.Unmarshal([]byte(policyString), &policyMap)
if err != nil {
return nil, nil, err
}
newPolicyIdentifiers.Add(policyMap)
} else {
// older Vault version with oid-only response
policyIdentifiers = append(policyIdentifiers, policyString)
}
}

if newPolicyIdentifiers.Len() == 0 {
return policyIdentifiers, nil, nil
}
return nil, newPolicyIdentifiers, nil
}

func pkiPolicyIdentifierHash(v interface{}) int {
m := v.(map[string]string)
s, _ := json.Marshal(m) // won't fail since we know the argument is a map[string]string
return helper.HashCodeString(string(s))
}
78 changes: 54 additions & 24 deletions vault/resource_pki_secret_backend_role.go
Expand Up @@ -9,7 +9,7 @@ import (

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"

"github.com/hashicorp/terraform-provider-vault/internal"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

Expand Down Expand Up @@ -283,14 +283,43 @@ func pkiSecretBackendRoleResource() *schema.Resource {
Default: true,
},
"policy_identifiers": {
Type: schema.TypeList,
Required: false,
Optional: true,
Description: "Specify the list of allowed policies IODs.",
Type: schema.TypeList,
Required: false,
Optional: true,
Description: "Specify the list of allowed policies OIDs.",
ConflictsWith: []string{"policy_identifier"},
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"policy_identifier": {
Type: schema.TypeSet,
Optional: true,
Description: "Policy identifier block; can only be used with Vault 1.11+",
ConflictsWith: []string{"policy_identifiers"},
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"oid": {
Type: schema.TypeString,
Required: true,
Optional: false,
Description: "OID",
},
"cps": {
Type: schema.TypeString,
Required: false,
Optional: true,
Description: "Optional CPS URL",
},
"notice": {
Type: schema.TypeString,
Required: false,
Optional: true,
Description: "Optional notice",
},
},
},
},
"basic_constraints_valid_for_non_ca": {
Type: schema.TypeBool,
Required: false,
Expand Down Expand Up @@ -354,11 +383,8 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
extKeyUsage = append(extKeyUsage, iUsage.(string))
}

iPolicyIdentifiers := d.Get("policy_identifiers").([]interface{})
policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers))
for _, iIdentifier := range iPolicyIdentifiers {
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string))
}
policyIdentifiersList := d.Get("policy_identifiers").([]interface{})
policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set))
Contributor


We can probably drop these with the suggestion below.

Suggested change
policyIdentifiersList := d.Get("policy_identifiers").([]interface{})
policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set))


iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{})
allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers))
Expand Down Expand Up @@ -413,8 +439,10 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
data["ext_key_usage"] = extKeyUsage
}

if len(policyIdentifiers) > 0 {
data["policy_identifiers"] = policyIdentifiers
if len(policyIdentifiersList) > 0 {
Contributor


I think calling d.GetOk() on each field would probably do the same, and then we could avoid the extra variable assignments above.

data["policy_identifiers"] = policyIdentifiersList
} else if policyIdentifierBlocks != "" {
data["policy_identifiers"] = policyIdentifierBlocks
Contributor


I think calling d.GetOk() on each field would probably do the same, and then we could drop the extra variable assignments above.

Suggested change
if len(policyIdentifiersList) > 0 {
data["policy_identifiers"] = policyIdentifiersList
} else if policyIdentifierBlocks != "" {
data["policy_identifiers"] = policyIdentifierBlocks
if v, ok := d.GetOk("policy_identifiers"); ok {
data["policy_identifiers"] = v
} else if v, ok := d.GetOk("policy_identifier"); ok {
data["policy_identifiers"] = internal.ReadPolicyIdentifierBlocks(v.(*schema.Set))
}

}

if len(allowedSerialNumbers) > 0 {
Expand Down Expand Up @@ -488,10 +516,9 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
extKeyUsage = append(extKeyUsage, iUsage.(string))
}

iPolicyIdentifiers := secret.Data["policy_identifiers"].([]interface{})
policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers))
for _, iIdentifier := range iPolicyIdentifiers {
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string))
legacyPolicyIdentifiers, newPolicyIdentifiers, err := internal.MakePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{}))
Contributor


I think this might panic here on the type assertion if the value is anything other than []interface{}. We probably want to call MakePkiPolicyIdentifiersListOrSet() conditionally, only when policy_identifiers is present in resp.Data, and guard against the type-assertion panic.

Contributor Author


👍

if err != nil {
return err
}

notBeforeDuration := flattenVaultDuration(secret.Data["not_before_duration"])
Expand Down Expand Up @@ -537,7 +564,11 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
d.Set("generate_lease", secret.Data["generate_lease"])
d.Set("no_store", secret.Data["no_store"])
d.Set("require_cn", secret.Data["require_cn"])
d.Set("policy_identifiers", policyIdentifiers)
if len(legacyPolicyIdentifiers) > 0 {
d.Set("policy_identifiers", legacyPolicyIdentifiers)
} else {
d.Set("policy_identifier", newPolicyIdentifiers)
}
d.Set("basic_constraints_valid_for_non_ca", secret.Data["basic_constraints_valid_for_non_ca"])
d.Set("not_before_duration", notBeforeDuration)
d.Set("allowed_serial_numbers", allowedSerialNumbers)
Expand Down Expand Up @@ -572,11 +603,8 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
extKeyUsage = append(extKeyUsage, iUsage.(string))
}

iPolicyIdentifiers := d.Get("policy_identifiers").([]interface{})
policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers))
for _, iIdentifier := range iPolicyIdentifiers {
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string))
}
policyIdentifiersList := d.Get("policy_identifiers").([]interface{})
policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set))
Contributor


Suggested change
policyIdentifiersList := d.Get("policy_identifiers").([]interface{})
policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set))


iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{})
allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers))
Expand Down Expand Up @@ -631,8 +659,10 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
data["ext_key_usage"] = extKeyUsage
}

if len(policyIdentifiers) > 0 {
data["policy_identifiers"] = policyIdentifiers
if len(policyIdentifiersList) > 0 {
data["policy_identifiers"] = policyIdentifiersList
} else if policyIdentifierBlocks != "" {
data["policy_identifiers"] = policyIdentifierBlocks
Contributor


Same suggestion as in the Read() method. Ideally we would merge the two and rely on d.HasChange(), but I think that is probably out of scope for this PR.

Suggested change
if len(policyIdentifiersList) > 0 {
data["policy_identifiers"] = policyIdentifiersList
} else if policyIdentifierBlocks != "" {
data["policy_identifiers"] = policyIdentifierBlocks
if v, ok := d.GetOk("policy_identifiers"); ok {
data["policy_identifiers"] = v
} else if v, ok := d.GetOk("policy_identifier"); ok {
data["policy_identifiers"] = internal.ReadPolicyIdentifierBlocks(v.(*schema.Set))
}

}

if len(allowedSerialNumbers) > 0 {
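Review bot: In pkiSecretBackendRoleRead the new `if len(legacyPolicyIdentifiers) > 0 { ... } else { ... }` writes only one of the two attributes, so switching a role from `policy_identifiers` to `policy_identifier` blocks (or removing both) leaves the other attribute's previous value in state instead of reflecting what Vault returned. Read should write both unconditionally, `d.Set("policy_identifiers", legacyPolicyIdentifiers)` and `d.Set("policy_identifier", newPolicyIdentifiers)`, so whichever side the response does not populate is cleared; MakePkiPolicyIdentifiersListOrSet returns nil for the unused side, which d.Set should treat as empty, but an acceptance step that switches between the two forms is the way to confirm it. The same Read hunk also ignores the d.Set return values, consistent with the surrounding file, so I would not change that here. The enclosing Read, Create and Update functions all start and end outside the visible hunks.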
113 changes: 100 additions & 13 deletions vault/resource_pki_secret_backend_role_test.go
Expand Up @@ -7,11 +7,98 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"

"github.com/hashicorp/terraform-provider-vault/internal/provider"
"github.com/hashicorp/terraform-provider-vault/testutil"
)

var testLegacyPolicyIdentifiers = `policy_identifiers = ["1.2.3.4"]`

func TestPkiSecretBackendRole_policy_identifier(t *testing.T) {
testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
// TODO: this can be merged with TestPkiSecretBackendRole_basic after Vault 1.11 is released.
newPolicyIdentifiers := `policy_identifier {
oid = "1.2.3.4.5"
cps = "https://example.com/cps"
notice = "Some notice"
}
policy_identifier {
oid = "1.2.3.4.5.6"
}`

backend := acctest.RandomWithPrefix("pki")
name := acctest.RandomWithPrefix("role")
resourceName := "vault_pki_secret_backend_role.test"

checks := []resource.TestCheckFunc{
resource.TestCheckResourceAttr(resourceName, "name", name),
resource.TestCheckResourceAttr(resourceName, "backend", backend),
resource.TestCheckResourceAttr(resourceName, "allow_localhost", "true"),
resource.TestCheckResourceAttr(resourceName, "allowed_domains.#", "1"),
resource.TestCheckResourceAttr(resourceName, "allowed_domains.0", "test.domain"),
resource.TestCheckResourceAttr(resourceName, "allow_bare_domains", "false"),
resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
resource.TestCheckResourceAttr(resourceName, "allowed_other_sans.0", "1.2.3.4.5.5;UTF8:test"),
resource.TestCheckResourceAttr(resourceName, "server_flag", "true"),
resource.TestCheckResourceAttr(resourceName, "client_flag", "true"),
resource.TestCheckResourceAttr(resourceName, "code_signing_flag", "false"),
resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"),
resource.TestCheckResourceAttr(resourceName, "key_type", "rsa"),
resource.TestCheckResourceAttr(resourceName, "key_bits", "2048"),
resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"),
resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"),
resource.TestCheckResourceAttr(resourceName, "key_usage.#", "3"),
resource.TestCheckResourceAttr(resourceName, "key_usage.0", "DigitalSignature"),
resource.TestCheckResourceAttr(resourceName, "key_usage.1", "KeyAgreement"),
resource.TestCheckResourceAttr(resourceName, "key_usage.2", "KeyEncipherment"),
resource.TestCheckResourceAttr(resourceName, "ext_key_usage.#", "0"),
resource.TestCheckResourceAttr(resourceName, "use_csr_common_name", "true"),
resource.TestCheckResourceAttr(resourceName, "use_csr_sans", "true"),
resource.TestCheckResourceAttr(resourceName, "ou.0", "test"),
resource.TestCheckResourceAttr(resourceName, "organization.0", "test"),
resource.TestCheckResourceAttr(resourceName, "country.0", "test"),
resource.TestCheckResourceAttr(resourceName, "locality.0", "test"),
resource.TestCheckResourceAttr(resourceName, "province.0", "test"),
resource.TestCheckResourceAttr(resourceName, "street_address.0", "123 test"),
resource.TestCheckResourceAttr(resourceName, "postal_code.0", "12345"),
resource.TestCheckResourceAttr(resourceName, "generate_lease", "false"),
resource.TestCheckResourceAttr(resourceName, "no_store", "false"),
resource.TestCheckResourceAttr(resourceName, "require_cn", "true"),
resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"),
resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"),
}
resource.Test(t, resource.TestCase{
Providers: testProviders,
PreCheck: func() { testutil.TestAccPreCheck(t) },
CheckDestroy: testPkiSecretBackendRoleCheckDestroy,
Steps: []resource.TestStep{
{
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers),
Check: resource.ComposeTestCheckFunc(
append(checks,
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"),
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"),
)...,
),
},
{
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, newPolicyIdentifiers),
Check: resource.ComposeTestCheckFunc(
append(checks,
resource.TestCheckResourceAttr(resourceName, "policy_identifier.#", "2"),
resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5", "cps": "https://example.com/cps", "notice": "Some notice"}),
resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5.6"}),
)...,
),
},
Contributor


It would be good to add an import TestStep after each Config step. This will ensure that a terraform import will work.

Similar to:

{
ResourceName: resourcePath,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: importIgnoreKeys,
},

Contributor Author


👍

},
Contributor


We might want to test that the two fields are mutually exclusive by adding an ExpectError TestStep similar to:

{
Config: testAccGCPAuthBackendRoleDataSourceConfig(backend, name),
ExpectError: regexp.MustCompile(
fmt.Sprintf("role not found at %q", gcpRoleResourcePath(backend, name)),
),
},

Contributor Author


Ah, perfect. I had wanted to do that, but didn't quite know how. That helps.

})
}

func TestPkiSecretBackendRole_basic(t *testing.T) {
backend := acctest.RandomWithPrefix("pki")
name := acctest.RandomWithPrefix("role")
Expand Down Expand Up @@ -56,18 +143,18 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "generate_lease", "false"),
resource.TestCheckResourceAttr(resourceName, "no_store", "false"),
resource.TestCheckResourceAttr(resourceName, "require_cn", "true"),
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"),
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"),
resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"),
resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"),
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"),
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"),
}
resource.Test(t, resource.TestCase{
Providers: testProviders,
PreCheck: func() { testutil.TestAccPreCheck(t) },
CheckDestroy: testPkiSecretBackendRoleCheckDestroy,
Steps: []resource.TestStep{
{
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200),
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers),
Check: resource.ComposeTestCheckFunc(
append(checks,
resource.TestCheckResourceAttr(resourceName, "ttl", "3600"),
Expand All @@ -76,7 +163,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
),
},
{
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0),
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0, testLegacyPolicyIdentifiers),
Check: resource.ComposeTestCheckFunc(
append(checks,
resource.TestCheckResourceAttr(resourceName, "ttl", "0"),
Expand All @@ -85,7 +172,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
),
},
{
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200),
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers),
Check: resource.ComposeTestCheckFunc(
append(checks,
resource.TestCheckResourceAttr(resourceName, "ttl", "3600"),
Expand All @@ -94,7 +181,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
),
},
{
Config: testPkiSecretBackendRoleConfig_updated(name, backend),
Config: testPkiSecretBackendRoleConfig_updated(name, backend, testLegacyPolicyIdentifiers),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "name", name),
resource.TestCheckResourceAttr(resourceName, "backend", backend),
Expand Down Expand Up @@ -146,7 +233,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
})
}

func testPkiSecretBackendRoleConfig_basic(name, path string, roleTTL, maxTTL int) string {
func testPkiSecretBackendRoleConfig_basic(name, path string, roleTTL, maxTTL int, policyIdentifiers string) string {
return fmt.Sprintf(`
resource "vault_mount" "pki" {
path = "%s"
Expand Down Expand Up @@ -188,15 +275,15 @@ resource "vault_pki_secret_backend_role" "test" {
generate_lease = false
no_store = false
require_cn = true
policy_identifiers = ["1.2.3.4"]
%s
basic_constraints_valid_for_non_ca = false
not_before_duration = "45m"
allowed_serial_numbers = ["*"]
}
`, path, name, roleTTL, maxTTL)
`, path, name, roleTTL, maxTTL, policyIdentifiers)
}

func testPkiSecretBackendRoleConfig_updated(name, path string) string {
func testPkiSecretBackendRoleConfig_updated(name, path string, policyIdentifiers string) string {
return fmt.Sprintf(`
resource "vault_mount" "pki" {
path = "%s"
Expand Down Expand Up @@ -240,11 +327,11 @@ resource "vault_pki_secret_backend_role" "test" {
generate_lease = false
no_store = false
require_cn = true
policy_identifiers = ["1.2.3.4"]
%s
basic_constraints_valid_for_non_ca = false
not_before_duration = "45m"
allowed_serial_numbers = ["*"]
}`, path, name)
}`, path, name, policyIdentifiers)
}

func testPkiSecretBackendRoleCheckDestroy(s *terraform.State) error {
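Review bot: The checks slice in TestPkiSecretBackendRole_policy_identifier asserts `email_protection_flag` three times (once after `code_signing_flag`, then twice after `key_bits`); the two later copies can be dropped. `testLegacyPolicyIdentifiers` is a string literal that is never reassigned, so `const testLegacyPolicyIdentifiers = ...` reads better than `var`. The two `append(checks, ...)` calls in the steps only avoid aliasing because the literal has len == cap and each append copies into a fresh array; a short comment on `checks` saying it must not be pre-sized would keep a later edit from silently making the second step's checks bleed into the first.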