PKI: Add support for CPS URL in custom policy identifiers #1495
@@ -0,0 +1,64 @@ | ||
package internal | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it might be better to instead make this live under There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 makes sense |
||
|
||
import ( | ||
"encoding/json" | ||
"strings" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
"github.com/hashicorp/terraform-provider-vault/helper" | ||
) | ||
|
||
// ReadPolicyIdentifierBlocks converts the `policy_identifiers` list and `policy_identifier` blocks | ||
// into a list of strings (the OIDs) or the JSON serialization of the `policy_identifier` blocks, | ||
// respectively. | ||
func ReadPolicyIdentifierBlocks(policyIdentifierBlocks *schema.Set) string { | ||
if policyIdentifierBlocks == nil || policyIdentifierBlocks.Len() == 0 { | ||
return "" | ||
} | ||
|
||
var newPolicyIdentifiers []map[string]interface{} | ||
|
||
// If the `policy_identifier` blocks are present, send them as JSON, which is only supported by Vault 1.11+. | ||
newPolicyIdentifiers = make([]map[string]interface{}, 0, policyIdentifierBlocks.Len()) | ||
for _, iPolicyIdentifier := range policyIdentifierBlocks.List() { | ||
policyIdentifier := iPolicyIdentifier.(map[string]interface{}) | ||
newPolicyIdentifiers = append(newPolicyIdentifiers, policyIdentifier) | ||
} | ||
// we know these maps are safe to marshal | ||
policyIdentifiersJson, _ := json.Marshal(newPolicyIdentifiers) | ||
return string(policyIdentifiersJson) | ||
} | ||
|
||
// MakePkiPolicyIdentifiersListOrSet converts the Vault "policy_identifiers" response | ||
// into either a list of OIDs, i.e., ["1.2.3","4.5.6"], or a set to represent | ||
// `policy_identifier` blocks. We return either of these so that round-tripping is stable, | ||
// and to preserve backwards compatibility with previous versions of Vault. | ||
func MakePkiPolicyIdentifiersListOrSet(rawPolicyIdentifiers []interface{}) ([]string, *schema.Set, error) { | ||
policyIdentifiers := make([]string, 0, len(rawPolicyIdentifiers)) | ||
newPolicyIdentifiers := schema.NewSet(pkiPolicyIdentifierHash, []interface{}{}) | ||
for _, iIdentifier := range rawPolicyIdentifiers { | ||
policyString := iIdentifier.(string) | ||
if strings.HasPrefix(policyString, "{") && strings.HasSuffix(policyString, "}") { | ||
var policyMap = map[string]string{} | ||
err := json.Unmarshal([]byte(policyString), &policyMap) | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
newPolicyIdentifiers.Add(policyMap) | ||
} else { | ||
// older Vault version with oid-only response | ||
policyIdentifiers = append(policyIdentifiers, policyString) | ||
} | ||
} | ||
|
||
if newPolicyIdentifiers.Len() == 0 { | ||
return policyIdentifiers, nil, nil | ||
} | ||
return nil, newPolicyIdentifiers, nil | ||
} | ||
|
||
func pkiPolicyIdentifierHash(v interface{}) int { | ||
m := v.(map[string]string) | ||
s, _ := json.Marshal(m) // won't fail since we know the argument is a map[string]string | ||
return helper.HashCodeString(string(s)) | ||
} |
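Review bot: MakePkiPolicyIdentifiersListOrSet drops data when a Vault response mixes plain OIDs with JSON-encoded blocks: the loop fills both `policyIdentifiers` and `newPolicyIdentifiers`, but the two returns at the bottom hand back only one of them, so the minority form never reaches state and a later refresh cannot show the drift. If a mixed response is not a shape this provider supports, rejecting it is clearer than silently discarding half of it, e.g. `if newPolicyIdentifiers.Len() > 0 && len(policyIdentifiers) > 0 { return nil, nil, fmt.Errorf("policy_identifiers mixes plain OIDs with policy identifier objects") }` placed before the final returns (fmt would need adding to the import block of this new file). In the same loop `policyString := iIdentifier.(string)` has no ok check, so a non-string element in the response panics instead of surfacing as a read error; `policyString, ok := iIdentifier.(string)` with an error return on `!ok` is the safer form. The doc comment could also state the either/or contract explicitly, e.g. `// Exactly one of the list or the set is non-nil on success.`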
|
@@ -9,7 +9,7 @@ import ( | |||||||||||||||||||
|
||||||||||||||||||||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||||||||||||||||||||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" | ||||||||||||||||||||
|
||||||||||||||||||||
"github.com/hashicorp/terraform-provider-vault/internal" | ||||||||||||||||||||
"github.com/hashicorp/terraform-provider-vault/internal/provider" | ||||||||||||||||||||
) | ||||||||||||||||||||
|
||||||||||||||||||||
|
@@ -283,14 +283,43 @@ func pkiSecretBackendRoleResource() *schema.Resource { | |||||||||||||||||||
Default: true, | ||||||||||||||||||||
}, | ||||||||||||||||||||
"policy_identifiers": { | ||||||||||||||||||||
Type: schema.TypeList, | ||||||||||||||||||||
Required: false, | ||||||||||||||||||||
Optional: true, | ||||||||||||||||||||
Description: "Specify the list of allowed policies IODs.", | ||||||||||||||||||||
Type: schema.TypeList, | ||||||||||||||||||||
Required: false, | ||||||||||||||||||||
Optional: true, | ||||||||||||||||||||
Description: "Specify the list of allowed policies OIDs.", | ||||||||||||||||||||
ConflictsWith: []string{"policy_identifier"}, | ||||||||||||||||||||
Elem: &schema.Schema{ | ||||||||||||||||||||
Type: schema.TypeString, | ||||||||||||||||||||
}, | ||||||||||||||||||||
}, | ||||||||||||||||||||
"policy_identifier": { | ||||||||||||||||||||
|
||||||||||||||||||||
Type: schema.TypeSet, | ||||||||||||||||||||
Optional: true, | ||||||||||||||||||||
Description: "Policy identifier block; can only be used with Vault 1.11+", | ||||||||||||||||||||
ConflictsWith: []string{"policy_identifiers"}, | ||||||||||||||||||||
Elem: &schema.Resource{ | ||||||||||||||||||||
Schema: map[string]*schema.Schema{ | ||||||||||||||||||||
"oid": { | ||||||||||||||||||||
Type: schema.TypeString, | ||||||||||||||||||||
Required: true, | ||||||||||||||||||||
Optional: false, | ||||||||||||||||||||
Description: "OID", | ||||||||||||||||||||
}, | ||||||||||||||||||||
"cps": { | ||||||||||||||||||||
Type: schema.TypeString, | ||||||||||||||||||||
Required: false, | ||||||||||||||||||||
Optional: true, | ||||||||||||||||||||
Description: "Optional CPS URL", | ||||||||||||||||||||
}, | ||||||||||||||||||||
"notice": { | ||||||||||||||||||||
Type: schema.TypeString, | ||||||||||||||||||||
Required: false, | ||||||||||||||||||||
Optional: true, | ||||||||||||||||||||
Description: "Optional notice", | ||||||||||||||||||||
}, | ||||||||||||||||||||
}, | ||||||||||||||||||||
}, | ||||||||||||||||||||
}, | ||||||||||||||||||||
"basic_constraints_valid_for_non_ca": { | ||||||||||||||||||||
Type: schema.TypeBool, | ||||||||||||||||||||
Required: false, | ||||||||||||||||||||
|
@@ -354,11 +383,8 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error | |||||||||||||||||||
extKeyUsage = append(extKeyUsage, iUsage.(string)) | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
iPolicyIdentifiers := d.Get("policy_identifiers").([]interface{}) | ||||||||||||||||||||
policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers)) | ||||||||||||||||||||
for _, iIdentifier := range iPolicyIdentifiers { | ||||||||||||||||||||
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) | ||||||||||||||||||||
} | ||||||||||||||||||||
policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) | ||||||||||||||||||||
policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) | ||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We can probably drop these with the suggestion below.
|
||||||||||||||||||||
|
||||||||||||||||||||
iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) | ||||||||||||||||||||
allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) | ||||||||||||||||||||
|
@@ -413,8 +439,10 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error | |||||||||||||||||||
data["ext_key_usage"] = extKeyUsage | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
if len(policyIdentifiers) > 0 { | ||||||||||||||||||||
data["policy_identifiers"] = policyIdentifiers | ||||||||||||||||||||
if len(policyIdentifiersList) > 0 { | ||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think calling |
||||||||||||||||||||
data["policy_identifiers"] = policyIdentifiersList | ||||||||||||||||||||
} else if policyIdentifierBlocks != "" { | ||||||||||||||||||||
data["policy_identifiers"] = policyIdentifierBlocks | ||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think calling
|
||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
if len(allowedSerialNumbers) > 0 { | ||||||||||||||||||||
|
@@ -488,10 +516,9 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { | |||||||||||||||||||
extKeyUsage = append(extKeyUsage, iUsage.(string)) | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
iPolicyIdentifiers := secret.Data["policy_identifiers"].([]interface{}) | ||||||||||||||||||||
policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers)) | ||||||||||||||||||||
for _, iIdentifier := range iPolicyIdentifiers { | ||||||||||||||||||||
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) | ||||||||||||||||||||
legacyPolicyIdentifiers, newPolicyIdentifiers, err := internal.MakePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) | ||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this might panic here on the type assertion in the case of a value other than There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 |
||||||||||||||||||||
if err != nil { | ||||||||||||||||||||
return err | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
notBeforeDuration := flattenVaultDuration(secret.Data["not_before_duration"]) | ||||||||||||||||||||
|
@@ -537,7 +564,11 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { | |||||||||||||||||||
d.Set("generate_lease", secret.Data["generate_lease"]) | ||||||||||||||||||||
d.Set("no_store", secret.Data["no_store"]) | ||||||||||||||||||||
d.Set("require_cn", secret.Data["require_cn"]) | ||||||||||||||||||||
d.Set("policy_identifiers", policyIdentifiers) | ||||||||||||||||||||
if len(legacyPolicyIdentifiers) > 0 { | ||||||||||||||||||||
d.Set("policy_identifiers", legacyPolicyIdentifiers) | ||||||||||||||||||||
} else { | ||||||||||||||||||||
d.Set("policy_identifier", newPolicyIdentifiers) | ||||||||||||||||||||
} | ||||||||||||||||||||
d.Set("basic_constraints_valid_for_non_ca", secret.Data["basic_constraints_valid_for_non_ca"]) | ||||||||||||||||||||
d.Set("not_before_duration", notBeforeDuration) | ||||||||||||||||||||
d.Set("allowed_serial_numbers", allowedSerialNumbers) | ||||||||||||||||||||
|
@@ -572,11 +603,8 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error | |||||||||||||||||||
extKeyUsage = append(extKeyUsage, iUsage.(string)) | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
iPolicyIdentifiers := d.Get("policy_identifiers").([]interface{}) | ||||||||||||||||||||
policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers)) | ||||||||||||||||||||
for _, iIdentifier := range iPolicyIdentifiers { | ||||||||||||||||||||
policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) | ||||||||||||||||||||
} | ||||||||||||||||||||
policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) | ||||||||||||||||||||
policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) | ||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||||||||||||||||||||
|
||||||||||||||||||||
iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) | ||||||||||||||||||||
allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) | ||||||||||||||||||||
|
@@ -631,8 +659,10 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error | |||||||||||||||||||
data["ext_key_usage"] = extKeyUsage | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
if len(policyIdentifiers) > 0 { | ||||||||||||||||||||
data["policy_identifiers"] = policyIdentifiers | ||||||||||||||||||||
if len(policyIdentifiersList) > 0 { | ||||||||||||||||||||
data["policy_identifiers"] = policyIdentifiersList | ||||||||||||||||||||
} else if policyIdentifierBlocks != "" { | ||||||||||||||||||||
data["policy_identifiers"] = policyIdentifierBlocks | ||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same suggestion as in the
|
||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
if len(allowedSerialNumbers) > 0 { | ||||||||||||||||||||
|
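Review bot: In the pkiSecretBackendRoleRead hunk (`@@ -537,7 +564,11 @@`) the new if/else writes only the attribute that matches the response shape, so whichever of `policy_identifiers` or `policy_identifier` was populated by an earlier read is left in state untouched; after an out-of-band change in Vault from one form to the other (or to no identifiers at all), a refresh would leave both attributes populated instead of reporting the drift. The replaced line cleared `policy_identifiers` on every read by calling `d.Set` unconditionally, and the same effect is easy to keep by clearing the sibling in each branch: `d.Set("policy_identifier", nil)` next to the legacy assignment and `d.Set("policy_identifiers", nil)` next to the set assignment. If the SDK does not accept an untyped nil for the TypeSet attribute, an empty set built the same way as in MakePkiPolicyIdentifiersListOrSet does the same job. pkiSecretBackendRoleRead starts and ends outside this hunk.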
|
@@ -7,11 +7,98 @@ import ( | |||||||||||||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" | ||||||||||||||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" | ||||||||||||||
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform" | ||||||||||||||
|
||||||||||||||
"github.com/hashicorp/terraform-provider-vault/internal/provider" | ||||||||||||||
"github.com/hashicorp/terraform-provider-vault/testutil" | ||||||||||||||
) | ||||||||||||||
|
||||||||||||||
var testLegacyPolicyIdentifiers = `policy_identifiers = ["1.2.3.4"]` | ||||||||||||||
|
||||||||||||||
func TestPkiSecretBackendRole_policy_identifier(t *testing.T) { | ||||||||||||||
testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) | ||||||||||||||
// TODO: this can be merged with TestPkiSecretBackendRole_basic after Vault 1.11 is released. | ||||||||||||||
|
||||||||||||||
newPolicyIdentifiers := `policy_identifier { | ||||||||||||||
oid = "1.2.3.4.5" | ||||||||||||||
cps = "https://example.com/cps" | ||||||||||||||
notice = "Some notice" | ||||||||||||||
} | ||||||||||||||
policy_identifier { | ||||||||||||||
oid = "1.2.3.4.5.6" | ||||||||||||||
}` | ||||||||||||||
|
||||||||||||||
backend := acctest.RandomWithPrefix("pki") | ||||||||||||||
name := acctest.RandomWithPrefix("role") | ||||||||||||||
resourceName := "vault_pki_secret_backend_role.test" | ||||||||||||||
|
||||||||||||||
checks := []resource.TestCheckFunc{ | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "name", name), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "backend", backend), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allow_localhost", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allowed_domains.#", "1"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allowed_domains.0", "test.domain"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allow_bare_domains", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "allowed_other_sans.0", "1.2.3.4.5.5;UTF8:test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "server_flag", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "client_flag", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "code_signing_flag", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "key_type", "rsa"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "key_bits", "2048"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "key_usage.#", "3"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "key_usage.0", "DigitalSignature"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "key_usage.1", "KeyAgreement"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "key_usage.2", "KeyEncipherment"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "ext_key_usage.#", "0"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "use_csr_common_name", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "use_csr_sans", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "ou.0", "test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "organization.0", "test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "country.0", "test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "locality.0", "test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "province.0", "test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "street_address.0", "123 test"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "postal_code.0", "12345"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "generate_lease", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "no_store", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "require_cn", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"), | ||||||||||||||
} | ||||||||||||||
resource.Test(t, resource.TestCase{ | ||||||||||||||
Providers: testProviders, | ||||||||||||||
PreCheck: func() { testutil.TestAccPreCheck(t) }, | ||||||||||||||
CheckDestroy: testPkiSecretBackendRoleCheckDestroy, | ||||||||||||||
Steps: []resource.TestStep{ | ||||||||||||||
{ | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), | ||||||||||||||
Check: resource.ComposeTestCheckFunc( | ||||||||||||||
append(checks, | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"), | ||||||||||||||
)..., | ||||||||||||||
), | ||||||||||||||
}, | ||||||||||||||
{ | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, newPolicyIdentifiers), | ||||||||||||||
Check: resource.ComposeTestCheckFunc( | ||||||||||||||
append(checks, | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifier.#", "2"), | ||||||||||||||
resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5", "cps": "https://example.com/cps", "notice": "Some notice"}), | ||||||||||||||
resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5.6"}), | ||||||||||||||
)..., | ||||||||||||||
), | ||||||||||||||
}, | ||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It would be good to add an Similar to:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 |
||||||||||||||
}, | ||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We might want test that the two fields are mutually exclusive by adding a terraform-provider-vault/vault/data_source_gcp_auth_backend_role_test.go Lines 99 to 104 in 70a1872
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, perfect. I had wanted to do that, but didn't quite know how. That helps. |
||||||||||||||
}) | ||||||||||||||
} | ||||||||||||||
|
||||||||||||||
func TestPkiSecretBackendRole_basic(t *testing.T) { | ||||||||||||||
backend := acctest.RandomWithPrefix("pki") | ||||||||||||||
name := acctest.RandomWithPrefix("role") | ||||||||||||||
|
@@ -56,18 +143,18 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { | |||||||||||||
resource.TestCheckResourceAttr(resourceName, "generate_lease", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "no_store", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "require_cn", "true"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"), | ||||||||||||||
} | ||||||||||||||
resource.Test(t, resource.TestCase{ | ||||||||||||||
Providers: testProviders, | ||||||||||||||
PreCheck: func() { testutil.TestAccPreCheck(t) }, | ||||||||||||||
CheckDestroy: testPkiSecretBackendRoleCheckDestroy, | ||||||||||||||
Steps: []resource.TestStep{ | ||||||||||||||
{ | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200), | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), | ||||||||||||||
Check: resource.ComposeTestCheckFunc( | ||||||||||||||
append(checks, | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "ttl", "3600"), | ||||||||||||||
|
@@ -76,7 +163,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { | |||||||||||||
), | ||||||||||||||
}, | ||||||||||||||
{ | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0), | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0, testLegacyPolicyIdentifiers), | ||||||||||||||
Check: resource.ComposeTestCheckFunc( | ||||||||||||||
append(checks, | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "ttl", "0"), | ||||||||||||||
|
@@ -85,7 +172,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { | |||||||||||||
), | ||||||||||||||
}, | ||||||||||||||
{ | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200), | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), | ||||||||||||||
Check: resource.ComposeTestCheckFunc( | ||||||||||||||
append(checks, | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "ttl", "3600"), | ||||||||||||||
|
@@ -94,7 +181,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { | |||||||||||||
), | ||||||||||||||
}, | ||||||||||||||
{ | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_updated(name, backend), | ||||||||||||||
Config: testPkiSecretBackendRoleConfig_updated(name, backend, testLegacyPolicyIdentifiers), | ||||||||||||||
Check: resource.ComposeTestCheckFunc( | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "name", name), | ||||||||||||||
resource.TestCheckResourceAttr(resourceName, "backend", backend), | ||||||||||||||
|
@@ -146,7 +233,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { | |||||||||||||
}) | ||||||||||||||
} | ||||||||||||||
|
||||||||||||||
func testPkiSecretBackendRoleConfig_basic(name, path string, roleTTL, maxTTL int) string { | ||||||||||||||
func testPkiSecretBackendRoleConfig_basic(name, path string, roleTTL, maxTTL int, policyIdentifiers string) string { | ||||||||||||||
return fmt.Sprintf(` | ||||||||||||||
resource "vault_mount" "pki" { | ||||||||||||||
path = "%s" | ||||||||||||||
|
@@ -188,15 +275,15 @@ resource "vault_pki_secret_backend_role" "test" { | |||||||||||||
generate_lease = false | ||||||||||||||
no_store = false | ||||||||||||||
require_cn = true | ||||||||||||||
policy_identifiers = ["1.2.3.4"] | ||||||||||||||
%s | ||||||||||||||
basic_constraints_valid_for_non_ca = false | ||||||||||||||
not_before_duration = "45m" | ||||||||||||||
allowed_serial_numbers = ["*"] | ||||||||||||||
} | ||||||||||||||
`, path, name, roleTTL, maxTTL) | ||||||||||||||
`, path, name, roleTTL, maxTTL, policyIdentifiers) | ||||||||||||||
} | ||||||||||||||
|
||||||||||||||
func testPkiSecretBackendRoleConfig_updated(name, path string) string { | ||||||||||||||
func testPkiSecretBackendRoleConfig_updated(name, path string, policyIdentifiers string) string { | ||||||||||||||
return fmt.Sprintf(` | ||||||||||||||
resource "vault_mount" "pki" { | ||||||||||||||
path = "%s" | ||||||||||||||
|
@@ -240,11 +327,11 @@ resource "vault_pki_secret_backend_role" "test" { | |||||||||||||
generate_lease = false | ||||||||||||||
no_store = false | ||||||||||||||
require_cn = true | ||||||||||||||
policy_identifiers = ["1.2.3.4"] | ||||||||||||||
%s | ||||||||||||||
basic_constraints_valid_for_non_ca = false | ||||||||||||||
not_before_duration = "45m" | ||||||||||||||
allowed_serial_numbers = ["*"] | ||||||||||||||
}`, path, name) | ||||||||||||||
}`, path, name, policyIdentifiers) | ||||||||||||||
} | ||||||||||||||
|
||||||||||||||
func testPkiSecretBackendRoleCheckDestroy(s *terraform.State) error { | ||||||||||||||
|
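Review bot: Each step of TestPkiSecretBackendRole_policy_identifier checks only the attribute it configures, so the transition from the legacy `policy_identifiers` list to `policy_identifier` blocks never verifies that the other attribute ended up empty in state, which is exactly where round-tripping between the two forms can go wrong. Adding `resource.TestCheckResourceAttr(resourceName, "policy_identifier.#", "0")` to the first step's checks and `resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "0")` to the second pins that down. Separately, the shared `checks` slice asserts `email_protection_flag` three times; one check is enough and the duplicates look like a paste leftover.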
oh, I was thinking more of moving this code to a package called `pki` under `internal/`, sorry if I wasn't clear.