From d90641b7bce38b45e63dc54d0f51de1d21b31925 Mon Sep 17 00:00:00 2001
From: Teemu Matilainen
Date: Tue, 13 Dec 2022 10:39:25 +0200
Subject: [PATCH] Add "allow_wildcard_certificates" attribute to the "vault_pki_secret_backend_role" resource

Support configuring the `allow_wildcard_certificates` attribute in the `vault_pki_secret_backend_role` resource. The default is `true` as in Vault API.

Resolves #1419
---
 vault/resource_pki_secret_backend_role.go | 10 ++++++++++
 vault/resource_pki_secret_backend_role_test.go | 5 +++++
 website/docs/r/pki_secret_backend_role.html.md | 2 ++
 3 files changed, 17 insertions(+)

diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
index 1b42c12b9..3a5d4290b 100644
--- a/vault/resource_pki_secret_backend_role.go
+++ b/vault/resource_pki_secret_backend_role.go
@@ -106,6 +106,13 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 Description: "Flag to allow any name",
 Default: false,
 },
+ "allow_wildcard_certificates": {
+ Type: schema.TypeBool,
+ Required: false,
+ Optional: true,
+ Description: "Flag to allow wildcard certificates",
+ Default: true,
+ },
 "enforce_hostnames": {
 Type: schema.TypeBool,
 Required: false,
@@ -399,6 +406,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 "allowed_domains_template": d.Get("allowed_domains_template"),
 "allow_glob_domains": d.Get("allow_glob_domains"),
 "allow_any_name": d.Get("allow_any_name"),
+ "allow_wildcard_certificates": d.Get("allow_wildcard_certificates"),
 "enforce_hostnames": d.Get("enforce_hostnames"),
 "allow_ip_sans": d.Get("allow_ip_sans"),
 "allowed_uri_sans": d.Get("allowed_uri_sans"),
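Review bot: The new schema entry's `Description: "Flag to allow wildcard certificates"` gives an operator no hint that the default `true` is the permissive setting, so someone hardening a role would not learn from the provider docs that leaving it unset keeps wildcard issuance enabled. I would make the direction explicit, e.g. `Description: "Flag to allow wildcard (*.) names in certificates issued by this role; defaults to true to match Vault, set to false to forbid wildcard issuance",` and mirror that wording in the website doc. Whether Vault applies this flag independently of `allow_any_name`/`allow_glob_domains` is not visible here and is worth confirming against the PKI API docs before stating it. pkiSecretBackendRoleResource and the Create map both begin and end outside these hunks.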
@@ -545,6 +553,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("allow_subdomains", secret.Data["allow_subdomains"])
 d.Set("allow_glob_domains", secret.Data["allow_glob_domains"])
 d.Set("allow_any_name", secret.Data["allow_any_name"])
+ d.Set("allow_wildcard_certificates", secret.Data["allow_wildcard_certificates"])
 d.Set("enforce_hostnames", secret.Data["enforce_hostnames"])
 d.Set("allow_ip_sans", secret.Data["allow_ip_sans"])
 d.Set("allowed_uri_sans", secret.Data["allowed_uri_sans"])
@@ -623,6 +632,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 "allow_subdomains": d.Get("allow_subdomains"),
 "allow_glob_domains": d.Get("allow_glob_domains"),
 "allow_any_name": d.Get("allow_any_name"),
+ "allow_wildcard_certificates": d.Get("allow_wildcard_certificates"),
 "enforce_hostnames": d.Get("enforce_hostnames"),
 "allow_ip_sans": d.Get("allow_ip_sans"),
 "allowed_uri_sans": d.Get("allowed_uri_sans"),
diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
index 8c3167a6e..a83243098 100644
--- a/vault/resource_pki_secret_backend_role_test.go
+++ b/vault/resource_pki_secret_backend_role_test.go
@@ -41,6 +41,7 @@ func TestPkiSecretBackendRole_policy_identifier(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
 resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
 resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
+ resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "true"),
 resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
 resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
 resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
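Review bot: The Read hunk's `d.Set("allow_wildcard_certificates", secret.Data["allow_wildcard_certificates"])` writes whatever the role read returns, and if the target Vault predates this parameter the key is simply absent, so a nil value appears to be set on a TypeBool attribute and it reads back as false. Against the schema default of true that would surface as a permanent planned change trying to re-enable a setting the server does not know. Guard the line: `if v, ok := secret.Data["allow_wildcard_certificates"]; ok { d.Set("allow_wildcard_certificates", v) }`. The neighbouring d.Set calls already discard their error return, so this line follows the file's convention rather than introducing it; pkiSecretBackendRoleRead starts and ends outside the hunk.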
@@ -138,6 +139,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
 resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
 resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
+ resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "true"),
 resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
 resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
 resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
@@ -235,6 +237,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"),
 resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"),
 resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"),
+ resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "false"),
 resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"),
 resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"),
 resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"),
@@ -296,6 +299,7 @@ resource "vault_pki_secret_backend_role" "test" {
 allow_subdomains = true
 allow_glob_domains = false
 allow_any_name = false
+ allow_wildcard_certificates = true
 enforce_hostnames = true
 allow_ip_sans = true
 allowed_uri_sans = ["uri.test.domain"]
@@ -347,6 +351,7 @@ resource "vault_pki_secret_backend_role" "test" {
 allow_subdomains = true
 allow_glob_domains = false
 allow_any_name = false
+ allow_wildcard_certificates = false
 enforce_hostnames = true
 allow_ip_sans = true
 allowed_uri_sans = ["uri.test.domain"]
diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
index 5a57c6fee..d1a2752ed 100644
--- a/website/docs/r/pki_secret_backend_role.html.md
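Review bot: Both HCL fixtures set `allow_wildcard_certificates` explicitly (true in the first, false in the second), so nothing exercises the case the schema default exists for: a config that omits the attribute and must read back true from Vault without showing drift. A step whose fixture leaves the attribute out, checked with `resource.TestCheckResourceAttr(resourceName, "allow_wildcard_certificates", "true"),` would pin that the provider default and the server default agree, which is what prevents a perpetual plan diff for existing users who never set it. The updated step does confirm that false round-trips, which is the useful tightening case. TestPkiSecretBackendRole_basic and the fixture functions start and end outside these hunks.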
+++ b/website/docs/r/pki_secret_backend_role.html.md @@ -63,6 +63,8 @@ The following arguments are supported: * `allow_any_name` - (Optional) Flag to allow any name +* `allow_wildcard_certificates` - (Optional) Flag to allow wildcard certificates + * `enforce_hostnames` - (Optional) Flag to allow only valid host names * `allow_ip_sans` - (Optional) Flag to allow IP SANs