Add PKI EST configuration support

CHANGELOG.md

@@ -6,6 +6,7 @@ FEATURES:
 * Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 
 * Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
 * Add support for new WIF fields in `vault_azure_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2250](https://github.com/hashicorp/terraform-provider-vault/pull/2250))
+* Add new data source and resource `vault_pki_secret_backend_config_est`. Requires Vault 1.16+. *Available only for Vault Enterprise* ([#2246](https://github.com/hashicorp/terraform-provider-vault/pull/2246))
 
 IMPROVEMENTS:
 * return a useful error when delete fails for the `vault_jwt_auth_backend_role` resource: ([#2232](https://github.com/hashicorp/terraform-provider-vault/pull/2232))

internal/consts/consts.go

@@ -424,6 +424,14 @@ const (
 	FieldDelegatedAuthAccessors        = "delegated_auth_accessors"
 	FieldPluginVersion                 = "plugin_version"
 	FieldUseMSGraphAPI                 = "use_microsoft_graph_api"
+	FieldEnabled                       = "enabled"
+	FieldDefaultMount                  = "default_mount"
+	FieldDefaultPathPolicy             = "default_path_policy"
+	FieldLabelToPathPolicy             = "label_to_path_policy"
+	FieldAuthenticators                = "authenticators"
+	FieldEnableSentinelParsing         = "enable_sentinel_parsing"
+	FieldAuditFields                   = "audit_fields"
+	FieldLastUpdated                   = "last_updated"
 
 	/*
 		common environment variables

vault/data_source_pki_secret_backend_config_est.go

@@ -0,0 +1,165 @@
+package vault
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/vault/api"
+)
+
+func pkiSecretBackendConfigEstDataSource() *schema.Resource {
+	return &schema.Resource{
+		Description: "Reads Vault PKI EST configuration",
+		ReadContext: provider.ReadContextWrapper(readPKISecretBackendConfigEst),
+		Schema: map[string]*schema.Schema{
+			consts.FieldBackend: {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Path where PKI engine is mounted",
+			},
+			consts.FieldEnabled: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Specifies whether EST is enabled",
+			},
+			consts.FieldDefaultMount: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If set, this mount is registered as the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster",
+			},
+			consts.FieldDefaultPathPolicy: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>",
+			},
+			consts.FieldLabelToPathPolicy: {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: "A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths",
+			},
+			consts.FieldAuthenticators: {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Lists the mount accessors EST should delegate authentication requests towards",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cert": {
+							Type:        schema.TypeMap,
+							Optional:    true,
+							Description: "The accessor and cert_role properties for cert auth backends",
+						},
+						"userpass": {
+							Type:        schema.TypeMap,
+							Optional:    true,
+							Description: "The accessor property for user pass auth backends",
+						},
+					},
+				},
+			},
+			consts.FieldEnableSentinelParsing: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If set, parse out fields from the provided CSR making them available for Sentinel policies",
+			},
+			consts.FieldAuditFields: {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			consts.FieldLastUpdated: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "A read-only timestamp representing the last time the configuration was updated",
+			},
+		},
+	}
+}
+
+func readPKISecretBackendConfigEst(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if err := verifyPkiEstFeatureSupported(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client, err := provider.GetClient(d, meta)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed getting client: %w", err))
+	}
+
+	backend := d.Get(consts.FieldBackend).(string)
+	path := pkiSecretBackendConfigEstPath(backend)
+
+	if err := readEstConfig(ctx, d, client, path); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func readEstConfig(ctx context.Context, d *schema.ResourceData, client *api.Client, path string) error {
+	resp, err := client.Logical().ReadWithContext(ctx, path)
+	if err != nil {
+		return fmt.Errorf("error reading from Vault: %w", err)
+	}
+	if resp == nil {
+		return fmt.Errorf("got nil response from Vault from path: %q", path)
+	}
+
+	d.SetId(path)
+
+	keyComputedFields := []string{
+		consts.FieldEnabled,
+		consts.FieldDefaultMount,
+		consts.FieldDefaultPathPolicy,
+		consts.FieldLabelToPathPolicy,
+		consts.FieldEnableSentinelParsing,
+		consts.FieldAuditFields,
+		consts.FieldLastUpdated,
+	}
+
+	for _, k := range keyComputedFields {
+		if fieldVal, ok := resp.Data[k]; ok {
+			if err := d.Set(k, fieldVal); err != nil {
+				return fmt.Errorf("failed setting field [%s] with val [%s]: %w", k, fieldVal, err)
+			}
+		}
+	}
+
+	if authenticators, authOk := resp.Data[consts.FieldAuthenticators]; authOk {
+		if err := d.Set(consts.FieldAuthenticators, []interface{}{authenticators}); err != nil {
+			return fmt.Errorf("failed setting field [%s] with val [%s]: %w", consts.FieldAuthenticators, authenticators, err)
+		}
+	}
+
+	return nil
+}
+
+// verifyPkiEstFeatureSupported verifies that we are talking to a Vault enterprise edition
+// and its version 1.16.0 or higher, returns nil if the above is met, otherwise an error
+func verifyPkiEstFeatureSupported(meta interface{}) error {
+	currentVersion := meta.(*provider.ProviderMeta).GetVaultVersion()
+
+	minVersion := provider.VaultVersion116
+	if !provider.IsAPISupported(meta, minVersion) {
+		return fmt.Errorf("feature not enabled on current Vault version. min version required=%s; "+
+			"current vault version=%s", minVersion, currentVersion)
+	}
+
+	if !provider.IsEnterpriseSupported(meta) {
+		return errors.New("feature requires Vault Enterprise")
+	}
+	return nil
+}
+
+func pkiSecretBackendConfigEstPath(backend string) string {
+	return strings.Trim(backend, "/") + "/config/est"
+}

vault/data_source_pki_secret_backend_config_est_test.go

@@ -0,0 +1,52 @@
+package vault
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/terraform-provider-vault/testutil"
+)
+
+func TestAccDataSourcePKISecretConfigEst(t *testing.T) {
+	backend := acctest.RandomWithPrefix("tf-test-pki-backend")
+	dataName := "data.vault_pki_secret_backend_config_est.test"
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion116)
+		},
+		Steps: []resource.TestStep{
+			{
+				// Note this is more thoroughly tested within TestAccPKISecretBackendConfigEst_basic
+				// we don't want to start having test failures if Vault changes default values.
+				Config: testPKISecretEmptyEstConfigDataSource(backend),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldEnabled),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldDefaultMount),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldEnableSentinelParsing),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
+				),
+			},
+		},
+	})
+}
+
+func testPKISecretEmptyEstConfigDataSource(path string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "test" {
+	path        = "%s"
+	type        = "pki"
+    description = "PKI secret engine mount"
+}
+
+data "vault_pki_secret_backend_config_est" "test" {
+  backend = vault_mount.test.path
+}`, path)
+}

vault/provider.go

@@ -167,6 +167,10 @@ var (
 			Resource:      UpdateSchemaResource(raftAutopilotStateDataSource()),
 			PathInventory: []string{"/sys/storage/raft/autopilot/state"},
 		},
+		"vault_pki_secret_backend_config_est": {
+			Resource:      UpdateSchemaResource(pkiSecretBackendConfigEstDataSource()),
+			PathInventory: []string{"/pki/config/est"},
+		},
 		"vault_pki_secret_backend_issuer": {
 			Resource:      UpdateSchemaResource(pkiSecretBackendIssuerDataSource()),
 			PathInventory: []string{"/pki/issuer/{issuer_ref}"},
@@ -583,6 +587,10 @@ var (
 			Resource:      UpdateSchemaResource(pkiSecretBackendConfigClusterResource()),
 			PathInventory: []string{"/pki/config/cluster"},
 		},
+		"vault_pki_secret_backend_config_est": {
+			Resource:      UpdateSchemaResource(pkiSecretBackendConfigEstResource()),
+			PathInventory: []string{"/pki/config/est"},
+		},
 		"vault_pki_secret_backend_config_urls": {
 			Resource:      UpdateSchemaResource(pkiSecretBackendConfigUrlsResource()),
 			PathInventory: []string{"/pki/config/urls"},