Add "allow_wildcard_certificates" attribute to the "vault_pki_secret_…

…backend_role" resource Support configuring the `allow_wildcard_certificates` attribute in the `vault_pki_secret_backend_role` resource. The default is `true` as in Vault API. Resolves hashicorp#1419
tmatilai · Dec 13, 2022 · d90641b · d90641b
1 parent 8949384
commit d90641b
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
@@ -106,6 +106,13 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 				Description: "Flag to allow any name",
 				Default:     false,
 			},
+			"allow_wildcard_certificates": {
+				Type:        schema.TypeBool,
+				Required:    false,
+				Optional:    true,
+				Description: "Flag to allow wildcard certificates",
+				Default:     true,
+			},
 			"enforce_hostnames": {
 				Type:        schema.TypeBool,
 				Required:    false,
@@ -399,6 +406,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 		"allowed_domains_template":           d.Get("allowed_domains_template"),
 		"allow_glob_domains":                 d.Get("allow_glob_domains"),
 		"allow_any_name":                     d.Get("allow_any_name"),
+		"allow_wildcard_certificates":        d.Get("allow_wildcard_certificates"),
 		"enforce_hostnames":                  d.Get("enforce_hostnames"),
 		"allow_ip_sans":                      d.Get("allow_ip_sans"),
 		"allowed_uri_sans":                   d.Get("allowed_uri_sans"),
@@ -545,6 +553,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("allow_subdomains", secret.Data["allow_subdomains"])
 	d.Set("allow_glob_domains", secret.Data["allow_glob_domains"])
 	d.Set("allow_any_name", secret.Data["allow_any_name"])
+	d.Set("allow_wildcard_certificates", secret.Data["allow_wildcard_certificates"])
 	d.Set("enforce_hostnames", secret.Data["enforce_hostnames"])
 	d.Set("allow_ip_sans", secret.Data["allow_ip_sans"])
 	d.Set("allowed_uri_sans", secret.Data["allowed_uri_sans"])
@@ -623,6 +632,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 		"allow_subdomains":                   d.Get("allow_subdomains"),
 		"allow_glob_domains":                 d.Get("allow_glob_domains"),
 		"allow_any_name":                     d.Get("allow_any_name"),
+		"allow_wildcard_certificates":        d.Get("allow_wildcard_certificates"),
 		"enforce_hostnames":                  d.Get("enforce_hostnames"),
 		"allow_ip_sans":                      d.Get("allow_ip_sans"),
 		"allowed_uri_sans":                   d.Get("allowed_uri_sans"),

diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
@@ -41,6 +41,7 @@ func TestPkiSecretBackendRole_policy_identifier(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
 		resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
 		resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
+		resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "true"),
 		resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
 		resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
 		resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
@@ -138,6 +139,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
 		resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
 		resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
+		resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "true"),
 		resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
 		resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
 		resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
@@ -235,6 +237,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
 					resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
 					resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
+					resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "false"),
 					resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
 					resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
 					resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
@@ -296,6 +299,7 @@ resource "vault_pki_secret_backend_role" "test" {
   allow_subdomains                   = true
   allow_glob_domains                 = false
   allow_any_name                     = false
+  allow_wildcard_certificates        = true
   enforce_hostnames                  = true
   allow_ip_sans                      = true
   allowed_uri_sans                   = ["uri.test.domain"]
@@ -347,6 +351,7 @@ resource "vault_pki_secret_backend_role" "test" {
   allow_subdomains = true
   allow_glob_domains = false
   allow_any_name = false
+  allow_wildcard_certificates = false
   enforce_hostnames = true
   allow_ip_sans = true
   allowed_uri_sans = ["uri.test.domain"]

diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
@@ -63,6 +63,8 @@ The following arguments are supported:
 
 * `allow_any_name` - (Optional) Flag to allow any name
 
+* `allow_wildcard_certificates` - (Optional) Flag to allow wildcard certificates
+
 * `enforce_hostnames` - (Optional) Flag to allow only valid host names
 
 * `allow_ip_sans` - (Optional) Flag to allow IP SANs