
Add PKI EST configuration support #2246

Merged: 11 commits from stevendpclark/vault-25831-pki-est-support into main on Jun 4, 2024

Conversation

@stevendpclark (Contributor) commented May 24, 2024

Description

This PR adds new data source and resource types for the PKI EST configuration API. The PR is built on top of #2235 as EST support requires the new mount fields.

This also requires Vault 1.16.3+ent at a minimum as the following fixes are required for this to work correctly

Sample TF script used for testing (along with the added tests)
variable "pki_int_path" {
  type    = string
  default = "pki-int"
}

variable "est_pass" {
  type    = string
  default = "estpass"
}

resource "vault_mount" "pki_root" {
  path        = "pki-root"
  type        = "pki"
  description = "PKI root mount"

  max_lease_ttl_seconds = "31536000"
}

resource "vault_pki_secret_backend_key" "root_key" {
  backend  = vault_mount.pki_root.path
  type     = "internal"
  key_name = "root-ca-key"
  key_type = "rsa"
  key_bits = 4096
}

resource "vault_pki_secret_backend_root_cert" "root_cert" {
  backend              = vault_mount.pki_root.path
  type                 = "existing"
  key_ref              = vault_pki_secret_backend_key.root_key.key_name
  common_name          = "Root CA"
  ttl                  = "364d"
  format               = "pem"
  exclude_cn_from_sans = true
  ou                   = "My OU"
  organization         = "My organization"
}

resource "vault_auth_backend" "cert" {
  type = "cert"

  tune {
    max_lease_ttl = "10s"
  }
}

resource "vault_auth_backend" "userpass" {
  type = "userpass"

  tune {
    max_lease_ttl = "10s"
  }
}

# Policy both auth methods grant to EST clients: the EST paths on the
# intermediate mount plus the role they enroll under.
resource "vault_policy" "est_policy" {
  name   = "est-policy"
  policy = <<EOT
path "${var.pki_int_path}/est/*" {
  capabilities = ["read", "update", "create"]
}

path "${var.pki_int_path}/roles/est-clients/*" {
  capabilities = ["read", "update", "create"]
}
EOT
}

# TLS client certificates chaining to the root CA are accepted as EST
# credentials and get est_policy on a batch token.
resource "vault_cert_auth_backend_role" "cert" {
  backend = vault_auth_backend.cert.path

  name           = "est-ca"
  display_name   = "EST Client CA"
  certificate    = vault_pki_secret_backend_root_cert.root_cert.certificate
  token_policies = [vault_policy.est_policy.name]
  token_type     = "batch"
}

# HTTP Basic credentials for EST clients. The est_pass default is for
# testing only; the value ends up in Terraform state.
resource "vault_generic_endpoint" "est_user" {
  path                 = format("auth/%s/users/estuser", vault_auth_backend.userpass.path)
  ignore_absent_fields = true

  data_json = <<EOT
{
  "policies": ["${vault_policy.est_policy.name}"],
  "password": "${var.est_pass}"
}
EOT
}

resource "vault_mount" "int" {
  path        = var.pki_int_path
  type        = "pki"
  description = "PKI EST mount"

  # Auth mounts the PKI engine may call on an EST client's behalf (EST
  # requests carry no Vault token); the EST config below picks the
  # accessor per authenticator.
  delegated_auth_accessors = [vault_auth_backend.userpass.accessor, vault_auth_backend.cert.accessor]
  # Response headers EST needs: the base64 transfer encoding marker and
  # the WWW-Authenticate challenge for HTTP Basic auth.
  allowed_response_headers = ["Content-Transfer-Encoding", "Content-Length", "WWW-Authenticate"]
  max_lease_ttl_seconds    = "31536000"
}

resource "vault_pki_secret_backend_key" "int_key" {
  backend  = vault_mount.int.path
  type     = "internal"
  key_name = "int-ca-key"
  key_type = "ec"
}

resource "vault_pki_secret_backend_intermediate_cert_request" "int_est_csr" {
  backend = vault_mount.int.path

  type    = "existing"
  key_ref = vault_pki_secret_backend_key.int_key.key_name

  common_name = "Intermediary EST Authority"
}

resource "vault_pki_secret_backend_root_sign_intermediate" "root_sign_est_intermediary" {
  backend = vault_mount.pki_root.path

  common_name = vault_pki_secret_backend_intermediate_cert_request.int_est_csr.common_name
  csr         = vault_pki_secret_backend_intermediate_cert_request.int_est_csr.csr
  ttl         = "31d"
}

resource "vault_pki_secret_backend_intermediate_set_signed" "int_est" {
  backend = vault_mount.int.path

  certificate = vault_pki_secret_backend_root_sign_intermediate.root_sign_est_intermediary.certificate
}

resource "vault_pki_secret_backend_role" "est_clients" {
  backend = vault_mount.int.path

  name             = "est-clients"
  max_ttl          = "30h"
  allow_ip_sans    = true
  allow_subdomains = true
  allow_any_name   = true
  require_cn       = false
  no_store         = true
}

resource "vault_pki_secret_backend_config_est" "est_config" {
  backend = vault_mount.int.path

  enabled = true
  # Serve this mount's EST endpoints at the server root (/.well-known/est/...).
  default_mount = true
  # Requests without a label are signed under the est-clients role.
  default_path_policy = format("role:%s", vault_pki_secret_backend_role.est_clients.name)
  # Labelled paths (/.well-known/est/<label>/...) select their own policy;
  # "sign-verbatim" signs the CSR as submitted, outside any role constraints.
  label_to_path_policy = {
    "test-label" : format("role:%s", vault_pki_secret_backend_role.est_clients.name),
    "sign-all" : "sign-verbatim"
  }
  # Map EST client credentials to the auth mounts listed in delegated_auth_accessors.
  authenticators {
    cert = {
      accessor  = vault_auth_backend.cert.accessor
      cert_role = vault_cert_auth_backend_role.cert.name
    }
    userpass = {
      accessor = vault_auth_backend.userpass.accessor
    }
  }
  # Parse CSR fields so they show up in the audit log and are available to
  # Sentinel policies; audit_fields lists which ones.
  enable_sentinel_parsing = true
  audit_fields = [
    "csr", "common_name", "alt_names", "ip_sans", "uri_sans", "other_sans",
    "signature_bits", "exclude_cn_from_sans", "ou", "organization", "country",
    "locality", "province", "street_address", "postal_code", "serial_number",
    "use_pss", "key_type", "key_bits", "add_basic_constraints",
  ]
}

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests were run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request
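The script above configures the server side only. As an added example (my code, not part of this PR or of the provider), here is the client side of that configuration in Go: fetching the CA chain from /cacerts, then enrolling a device through the labelled /simpleenroll path with the userpass credentials the script creates. Assumptions: the endpoint layout (the mount at the server root under /.well-known/est/ because default_mount = true, /v1/<mount>/.well-known/est/ otherwise, and a label as an extra path segment) follows RFC 7030 and Vault's EST documentation as I read it and should be checked against the Vault version in use; VAULT_ADDR, the device name device01.example.internal and the output file names are mine, while estuser/estpass, pki-int and test-label come from the script.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"strings"
)

// estURL builds the endpoint for op ("cacerts", "simpleenroll", ...). With
// default_mount = true the mount answers at the server root (/.well-known/est/...),
// otherwise under /v1/<mount>; a non-empty label selects a label_to_path_policy
// entry such as "test-label" instead of default_path_policy.
func estURL(addr, mount string, defaultMount bool, label, op string) string {
	base := strings.TrimRight(addr, "/")
	if !defaultMount {
		base += "/v1/" + mount
	}
	if label != "" {
		op = label + "/" + op
	}
	return base + "/.well-known/est/" + op
}

// newCSR generates a fresh P-256 key and a DER PKCS#10 request for cn.
func newCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// newRequest: /cacerts is an unauthenticated GET. Enrollment POSTs the CSR in
// EST's base64 transfer encoding with HTTP Basic auth, which Vault hands to the
// userpass authenticator configured above; the cert authenticator would instead
// require a TLS client certificate on client.Transport.
func newRequest(url, user, pass string, csrDER []byte) (*http.Request, error) {
	if csrDER == nil {
		return http.NewRequest(http.MethodGet, url, nil)
	}
	body := strings.NewReader(base64.StdEncoding.EncodeToString(csrDER))
	req, err := http.NewRequest(http.MethodPost, url, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/pkcs10")
	req.Header.Set("Content-Transfer-Encoding", "base64")
	req.SetBasicAuth(user, pass)
	return req, nil
}

// send returns the DER certs-only PKCS#7 from a successful reply. Vault marks the
// body with Content-Transfer-Encoding: base64 (why that header is in
// allowed_response_headers), so the base64 layer is stripped here, line breaks included.
func send(client *http.Client, req *http.Request) ([]byte, error) {
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("est: %s: HTTP %d: %s", req.URL, resp.StatusCode, bytes.TrimSpace(raw))
	}
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(string(raw)), ""))
	if err != nil {
		return nil, fmt.Errorf("est: %s: body is not base64: %w", req.URL, err)
	}
	return der, nil
}

func must(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

// Stand-alone use: VAULT_ADDR=https://127.0.0.1:8200 go run .
// then: openssl pkcs7 -inform DER -print_certs -in device.p7b
func main() {
	addr := os.Getenv("VAULT_ADDR")
	req, _ := newRequest(estURL(addr, "pki-int", true, "", "cacerts"), "", "", nil)
	cas, err := send(http.DefaultClient, req)
	must(err)
	_, csr, err := newCSR("device01.example.internal") // assumed device name; keep the key with the cert
	must(err)
	// estuser/estpass are the userpass credentials the Terraform script above creates.
	req, _ = newRequest(estURL(addr, "pki-int", true, "test-label", "simpleenroll"), "estuser", "estpass", csr)
	issued, err := send(http.DefaultClient, req)
	must(err)
	must(os.WriteFile("cacerts.p7b", cas, 0o644))
	must(os.WriteFile("device.p7b", issued, 0o644))
}
```

Two things worth noting when adapting this: a client authenticating through the cert authenticator sends no Basic credentials at all and instead presents a certificate chaining to the root that vault_cert_auth_backend_role.cert trusts, so the role's token_policies decide what it may enroll under; and a request sent to the "sign-all" label ends up on sign-verbatim, which issues whatever the CSR asks for without the est-clients role limits, so that label should be reachable only by clients you would trust with that.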

@vinay-gopalan (Contributor) left a comment:

Looking great! Thanks for working on this, had a few comments/suggestions :)

3 resolved review comments (outdated) on vault/resource_pki_secret_backend_config_est.go
@fairclothjm fairclothjm added this to the 4.3.0 milestone May 28, 2024
Review thread on these schema lines:

    },
    consts.FieldDefaultPathPolicy: {
        Type:     schema.TypeString,
        Computed: true,

Contributor: Why is this marked as Computed? If we don't set the value in the config, does Vault return a default?

Contributor: Sorry, I just realized this is a data source so please disregard. :)

Contributor Author (@stevendpclark): No worries, but that is the reason Computed is set on FieldAuditFields within the resource: we get back a default set of values from Vault if it is not set.

Base automatically changed from VAULT-26402/add-missing-mount-headers to main May 28, 2024 18:39
@stevendpclark stevendpclark force-pushed the stevendpclark/vault-25831-pki-est-support branch from d7c9885 to 2dc02f3 May 28, 2024 19:20
@stevendpclark (Contributor Author): Updated PR to the latest version of main as #2235 was merged, along with disabling a test to work around an unreleased bug (will be in 1.16.3) in Vault Enterprise https://github.com/hashicorp/vault-enterprise/pull/5785

@vinay-gopalan (Contributor) left a comment:

PR looks great! Had some comments/suggestions on a few documentation lines, but nothing blocking. Thanks for working on this!

Resolved review comments (outdated) on: vault/resource_pki_secret_backend_config_est_test.go (2), website/docs/r/pki_secret_backend_config_est.html.md (4), website/docs/d/pki_secret_backend_config_est.html.md (1)
 - Simplify the dependencies on the data resources in the test
 - Update docs and field descriptions to match Vault API documentation
@stevendpclark stevendpclark merged commit 0876810 into main Jun 4, 2024
12 checks passed
@stevendpclark stevendpclark deleted the stevendpclark/vault-25831-pki-est-support branch June 4, 2024 18:01