From fb15994b5839c0abb4ada2c0e4e940bd30baf1ef Mon Sep 17 00:00:00 2001 From: Radek SPRTA Date: Tue, 2 Apr 2024 10:48:59 +0200 Subject: [PATCH 1/2] feat(ssh): add support for `key_type` parameter Add support for `key_type` parameter in SSH Secret Engine, so we can specify types other than the default `ssh-rsa`. --- vault/resource_ssh_secret_backend_ca.go | 7 +++++++ vault/resource_ssh_secret_backend_ca_test.go | 1 + website/docs/r/ssh_secret_backend_ca.html.md | 2 ++ 3 files changed, 10 insertions(+) diff --git a/vault/resource_ssh_secret_backend_ca.go b/vault/resource_ssh_secret_backend_ca.go index 7a25f9600c..ebc68d1076 100644 --- a/vault/resource_ssh_secret_backend_ca.go +++ b/vault/resource_ssh_secret_backend_ca.go @@ -41,6 +41,13 @@ func sshSecretBackendCAResource() *schema.Resource { ForceNew: true, Description: "Whether Vault should generate the signing key pair internally.", }, + "key_type": { + Type: schema.TypeString, + Optional: true, + Default: "ssh-rsa", + ForceNew: true, + Description: "Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true.", + }, "private_key": { Type: schema.TypeString, Optional: true, diff --git a/vault/resource_ssh_secret_backend_ca_test.go b/vault/resource_ssh_secret_backend_ca_test.go index 2a0ee2235f..7685937332 100644 --- a/vault/resource_ssh_secret_backend_ca_test.go +++ b/vault/resource_ssh_secret_backend_ca_test.go @@ -101,6 +101,7 @@ resource "vault_mount" "test" { resource "vault_ssh_secret_backend_ca" "test" { backend = vault_mount.test.path generate_signing_key = true + key_type = "ssh-ed25519" }`, backend) } diff --git a/website/docs/r/ssh_secret_backend_ca.html.md b/website/docs/r/ssh_secret_backend_ca.html.md index 9b6cb4d587..b3c03b193e 100644 --- a/website/docs/r/ssh_secret_backend_ca.html.md +++ b/website/docs/r/ssh_secret_backend_ca.html.md 
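Review bot: `key_type` is only declared in the schema here: the diffstat gives 7 insertions for `vault/resource_ssh_secret_backend_ca.go` and all 7 are in this hunk, so nothing in the patch reads the value. Unless the create function (outside this hunk, as is the rest of `sshSecretBackendCAResource`) forwards schema fields generically, Vault never receives it and would still generate its default key type while Terraform state records what the user asked for. For a CA signing key that silent mismatch matters, so the create path should send it next to `generate_signing_key`, for example by reading `d.Get("key_type").(string)` and adding it to the body written to `config/ca`. The field also accepts any string; a `ValidateFunc: validation.StringInSlice(...)` over the key types Vault accepts would reject typos at plan time instead of at apply.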
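Review bot: The generated-key config now sets `key_type = "ssh-ed25519"`, but the test file gains only this one line, so no check asserts the outcome. Add `resource.TestCheckResourceAttr("vault_ssh_secret_backend_ca.test", "key_type", "ssh-ed25519")` and, more usefully, a match on the returned key such as `resource.TestMatchResourceAttr("vault_ssh_secret_backend_ca.test", "public_key", regexp.MustCompile("^ssh-ed25519 "))`. The first check alone would pass even if the value never reaches Vault, since it only reflects the configured attribute. The test function holding the check list is outside the hunk.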
@@ -36,6 +36,8 @@ The following arguments are supported: * `generate_signing_key` - (Optional) Whether Vault should generate the signing key pair internally. Defaults to true +* `key_type` - (Optional) Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. Defaults to 'ssh-rsa'. + * `public_key` - (Optional) The public key part the SSH CA key pair; required if generate_signing_key is false. * `private_key` - (Optional) The private key part the SSH CA key pair; required if generate_signing_key is false. From 90ff7e53274ab87801732ae123852b85f6c2ed02 Mon Sep 17 00:00:00 2001 From: Radek SPRTA Date: Tue, 2 Apr 2024 11:58:23 +0200 Subject: [PATCH 2/2] Add changelog entry --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85116ed822..08a6edbdd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +FEATURES: +* Add `key_type` support in `vault_ssh_secret_backend_ca`. ([#2218](https://github.com/hashicorp/terraform-provider-vault/pull/2218)) + ## 4.2.0 (Mar 27, 2024) FEATURES: