diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b92642d5f..a93376077c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 FEATURES:
 * Update `vault_pki_secret_backend_root_cert` and `vault_pki_secret_backend_root_sign_intermediate` to support the new fields for the name constraints extension. Requires Vault 1.19+ ([#2396](https://github.com/hashicorp/terraform-provider-vault/pull/2396)).
+* Update `vault_pki_secret_backend_issuer` resource with the new issuer configuration fields to control certificate verification. Requires Vault Enterprise 1.19+ ([#2400](https://github.com/hashicorp/terraform-provider-vault/pull/2400)).
 BUGS:
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
index 4b7face987..7e928655d6 100644
--- a/internal/consts/consts.go
+++ b/internal/consts/consts.go
@@ -14,450 +14,455 @@ const (
 FieldPath = "path"
 // FieldMount should be used for all new non-backend-mounting resources.
 // In other words, resources that depend on a backend-mounting resource should use this.
- FieldMount = "mount"
- FieldBindDN = "binddn"
- FieldBindPass = "bindpass"
- FieldCertificate = "certificate"
- FieldClientTLSCert = "client_tls_cert"
- FieldClientTLSKey = "client_tls_key"
- FieldDistinguishedNames = "distinguished_names"
- FieldUPNDomain = "upndomain"
- FieldStartTLS = "starttls"
- FieldConnectionTimeout = "connection_timeout"
- FieldRequestTimeout = "request_timeout"
- FieldSchema = "schema"
- FieldPasswordPolicy = "password_policy"
- FieldLength = "length"
- FieldInsecureTLS = "insecure_tls"
- FieldURL = "url"
- FieldUserAttr = "userattr"
- FieldUserDN = "userdn"
- FieldRotationPeriod = "rotation_period"
- FieldPaths = "paths"
- FieldParameters = "parameters"
- FieldMethod = "method"
- FieldNamespace = "namespace"
- FieldUseRootNamespace = "use_root_namespace"
- FieldNamespaceID = "namespace_id"
- FieldNamespacePath = "namespace_path"
- FieldPathFQ = "path_fq"
- FieldData = "data"
- FieldDisableRead = "disable_read"
- FieldName = "name"
- FieldVersion = "version"
- FieldMetadata = "metadata"
- FieldNames = "names"
- FieldLeaseID = "lease_id"
- FieldLeaseDuration = "lease_duration"
- FieldLeaseRenewable = "lease_renewable"
- FieldDepth = "depth"
- FieldDataJSON = "data_json"
- FieldDN = "dn"
- FieldRole = "role"
- FieldRoles = "roles"
- FieldDescription = "description"
- FieldTTL = "ttl"
- FieldMaxTTL = "max_ttl"
- FieldDefaultLeaseTTL = "default_lease_ttl_seconds"
- FieldDefaultTTL = "default_ttl"
- FieldMaxLeaseTTL = "max_lease_ttl_seconds"
- FieldAuditNonHMACRequestKeys = "audit_non_hmac_request_keys"
- FieldAuditNonHMACResponseKeys = "audit_non_hmac_response_keys"
- FieldLastPassword = "last_password"
- FieldLastVaultRotation = "last_vault_rotation"
- FieldLocal = "local"
- FieldSealWrap = "seal_wrap"
- FieldExternalEntropyAccess = "external_entropy_access"
- FieldAWS = "aws"
- FieldPKCS = "pkcs"
- FieldAzure = "azure"
- FieldLibrary = "library"
- FieldKeyLabel = "key_label"
- FieldKeyID = "key_id"
- FieldMechanism = "mechanism"
- FieldPin = "pin"
- FieldSlot = "slot"
- FieldTokenLabel = "token_label"
- FieldCurve = "curve"
- FieldKeyBits = "key_bits"
- FieldForceRWSession = "force_rw_session"
- FieldAccessKey = "access_key"
- FieldSecretKey = "secret_key"
- FieldEndpoint = "endpoint"
- FieldKeyType = "key_type"
- FieldKMSKey = "kms_key"
- FieldRegion = "region"
- FieldTenantID = "tenant_id"
- FieldClientID = "client_id"
- FieldClientSecret = "client_secret"
- FieldEnvironment = "environment"
- FieldVaultName = "vault_name"
- FieldKeyName = "key_name"
- FieldResource = "resource"
- FieldAllowGenerateKey = "allow_generate_key"
- FieldAllowReplaceKey = "allow_replace_key"
- FieldAllowStoreKey = "allow_store_key"
- FieldAnyMount = "any_mount"
- FieldID = "id"
- FieldUUID = "uuid"
- FieldMountAccessor = "mount_accessor"
- FieldUsername = "username"
- FieldPassword = "password"
- FieldPasswordFile = "password_file"
- FieldClientAuth = "client_auth"
- FieldAuthLoginGeneric = "auth_login"
- FieldAuthLoginUserpass = "auth_login_userpass"
- FieldAuthLoginAWS = "auth_login_aws"
- FieldAuthLoginCert = "auth_login_cert"
- FieldAuthLoginGCP = "auth_login_gcp"
- FieldAuthLoginKerberos = "auth_login_kerberos"
- FieldAuthLoginRadius = "auth_login_radius"
- FieldAuthLoginOCI = "auth_login_oci"
- FieldAuthLoginOIDC = "auth_login_oidc"
- FieldAuthLoginJWT = "auth_login_jwt"
- FieldAuthLoginAzure = "auth_login_azure"
- FieldAuthLoginTokenFile = "auth_login_token_file"
- FieldIAMHttpRequestMethod = "iam_http_request_method"
- FieldIAMRequestURL = "iam_request_url"
- FieldIAMRequestBody = "iam_request_body"
- FieldIAMRequestHeaders = "iam_request_headers"
- FieldAWSAccessKeyID = "aws_access_key_id"
- FieldAWSSecretAccessKey = "aws_secret_access_key"
- FieldAWSSessionToken = "aws_session_token"
- FieldAWSRoleARN = "aws_role_arn"
- FieldAWSRoleSessionName = "aws_role_session_name"
- FieldAWSWebIdentityTokenFile = "aws_web_identity_token_file"
- FieldAWSSTSEndpoint = "aws_sts_endpoint"
- FieldAWSIAMEndpoint = "aws_iam_endpoint"
- FieldAWSProfile = "aws_profile"
- FieldAWSRegion = "aws_region"
- FieldAWSSharedCredentialsFile = "aws_shared_credentials_file"
- FieldHeaderValue = "header_value"
- FieldDisableRemount = "disable_remount"
- FieldCACertFile = "ca_cert_file"
- FieldCACertDir = "ca_cert_dir"
- FieldCertFile = "cert_file"
- FieldKeyFile = "key_file"
- FieldSkipTLSVerify = "skip_tls_verify"
- FieldTLSServerName = "tls_server_name"
- FieldAddress = "address"
- FieldJWT = "jwt"
- FieldCredentials = "credentials"
- FieldClientEmail = "client_email"
- FieldServiceAccount = "service_account"
- FieldAuthorization = "authorization"
- FieldToken = "token"
- FieldService = "service"
- FieldRealm = "realm"
- FieldKeytabPath = "keytab_path"
- FieldKRB5ConfPath = "krb5conf_path"
- FieldDisableFastNegotiation = "disable_fast_negotiation"
- FieldRemoveInstanceName = "remove_instance_name"
- FieldAuthType = "auth_type"
- FieldRequestHeaders = "request_headers"
- FieldCallbackAddress = "callback_address"
- FieldCallbackListenerAddress = "callback_listener_address"
- FieldScope = "scope"
- FieldSubscriptionID = "subscription_id"
- FieldResourceGroupName = "resource_group_name"
- FieldVMName = "vm_name"
- FieldVMSSName = "vmss_name"
- FieldUsernameFormat = "username_format"
- FieldIntegrationKey = "integration_key"
- FieldAPIHostname = "api_hostname"
- FieldPushInfo = "push_info"
- FieldUsePasscode = "use_passcode"
- FieldIssuer = "issuer"
- FieldPeriod = "period"
- FieldKeySize = "key_size"
- FieldQRSize = "qr_size"
- FieldAlgorithm = "algorithm"
- FieldDigits = "digits"
- FieldSkew = "skew"
- FieldMaxValidationAttempts = "max_validation_attempts"
- FieldOrgName = "org_name"
- FieldAPIToken = "api_token"
- FieldBaseURL = "base_url"
- FieldPrimaryEmail = "primary_email"
- FieldSettingsFileBase64 = "settings_file_base64"
- FieldUseSignature = "use_signature"
- FieldIdpURL = "idp_url"
- FieldAdminURL = "admin_url"
- FieldAuthenticatorURL = "authenticator_url"
- FieldOrgAlias = "org_alias"
- FieldType = "type"
- FieldMethodID = "method_id"
- FieldMFAMethodIDs = "mfa_method_ids"
- FieldAccessors = "accessors"
- FieldAuthMethodAccessors = "auth_method_accessors"
- FieldAuthMethodTypes = "auth_method_types"
- FieldIdentityGroupIDs = "identity_group_ids"
- FieldIdentityEntityIDs = "identity_entity_ids"
- FieldWrappingAccessor = "wrapping_accessor"
- FieldRoleName = "role_name"
- FieldPolicies = "policies"
- FieldNoParent = "no_parent"
- FieldNoDefaultPolicy = "no_default_policy"
- FieldRenewable = "renewable"
- FieldExplicitMaxTTL = "explicit_max_ttl"
- FieldWrappingTTL = "wrapping_ttl"
- FieldDisplayName = "display_name"
- FieldNumUses = "num_uses"
- FieldRenewMinLease = "renew_min_lease"
- FieldRenewIncrement = "renew_increment"
- FieldLeaseStarted = "lease_started"
- FieldClientToken = "client_token"
- FieldWrappedToken = "wrapped_token"
- FieldOrphan = "orphan"
- FieldVaultVersionOverride = "vault_version_override"
- FieldSkipGetVaultVersion = "skip_get_vault_version"
- FieldMemberEntityIDs = "member_entity_ids"
- FieldMemberGroupIDs = "member_group_ids"
- FieldExclusive = "exclusive"
- FieldGroupID = "group_id"
- FieldGroupName = "group_name"
- FieldExternal = "external"
- FieldInternal = "internal"
- FieldFailureTolerance = "failure_tolerance"
- FieldHealthy = "healthy"
- FieldLeader = "leader"
- FieldOptimisticFailureTolerance = "optimistic_failure_tolerance"
- FieldVoters = "voters"
- FieldRedundancyZones = "redundancy_zones"
- FieldRedundancyZonesJSON = "redundancy_zones_json"
- FieldServers = "servers"
- FieldServersJSON = "servers_json"
- FieldUpgradeInfo = "upgrade_info"
- FieldUpgradeInfoJSON = "upgrade_info_json"
- FieldMaxVersions = "max_versions"
- FieldCASRequired = "cas_required"
- FieldDeleteVersionAfter = "delete_version_after"
- FieldCustomMetadata = "custom_metadata"
- FieldCustomMetadataJSON = "custom_metadata_json"
- FieldIAMAlias = "iam_alias"
- FieldIAMMetadata = "iam_metadata"
- FieldEC2Alias = "ec2_alias"
- FieldEC2Metadata = "ec2_metadata"
- FieldPublicKey = "public_key"
- FieldPrivateKey = "private_key"
- FieldImpersonatedAccount = "impersonated_account"
- FieldServiceAccountEmail = "service_account_email"
- FieldTokenScopes = "token_scopes"
- FieldServiceAccountProject = "service_account_project"
- FieldOrganizationID = "organization_id"
- FieldProjectID = "project_id"
- FieldIPAddresses = "ip_addresses"
- FieldCIDRBlocks = "cidr_blocks"
- FieldProjectRoles = "project_roles"
- FieldCreationLDIF = "creation_ldif"
- FieldDeletionLDIF = "deletion_ldif"
- FieldRollbackLDIF = "rollback_ldif"
- FieldUsernameTemplate = "username_template"
- FieldServiceAccountNames = "service_account_names"
- FieldDisableCheckInEnforcement = "disable_check_in_enforcement"
- FieldSkipChildToken = "skip_child_token"
- FieldTokenPolicies = "token_policies"
- FieldManagedKeyName = "managed_key_name"
- FieldManagedKeyID = "managed_key_id"
- FieldIssuerRef = "issuer_ref"
- FieldAllowLocalhost = "allow_localhost"
- FieldAllowedDomains = "allowed_domains"
- FieldAllowedDomainsTemplate = "allowed_domains_template"
- FieldAllowBareDomains = "allow_bare_domains"
- FieldAllowSubdomains = "allow_subdomains"
- FieldAllowGlobDomains = "allow_glob_domains"
- FieldAllowAnyName = "allow_any_name"
- FieldEnforceHostnames = "enforce_hostnames"
- FieldAllowIPSans = "allow_ip_sans"
- FieldAllowedURISans = "allowed_uri_sans"
- FieldAllowedURISansTemplate = "allowed_uri_sans_template"
- FieldAllowedUserIds = "allowed_user_ids"
- FieldAllowWildcardCertificates = "allow_wildcard_certificates"
- FieldAllowedOtherSans = "allowed_other_sans"
- FieldServerFlag = "server_flag"
- FieldClientFlag = "client_flag"
- FieldCodeSigningFlag = "code_signing_flag"
- FieldEmailProtectionFlag = "email_protection_flag"
- FieldKeyUsage = "key_usage"
- FieldExtKeyUsage = "ext_key_usage"
- FieldExtKeyUsageOIDs = "ext_key_usage_oids"
- FieldUseCSRCommonName = "use_csr_common_name"
- FieldUseCSRSans = "use_csr_sans"
- FieldOU = "ou"
- FieldOrganization = "organization"
- FieldCountry = "country"
- FieldLocality = "locality"
- FieldProvince = "province"
- FieldStreetAddress = "street_address"
- FieldPostalCode = "postal_code"
- FieldGenerateLease = "generate_lease"
- FieldNoStore = "no_store"
- FieldRequireCN = "require_cn"
- FieldPolicyIdentifiers = "policy_identifiers"
- FieldPolicyIdentifier = "policy_identifier"
- FieldBasicConstraintsValidForNonCA = "basic_constraints_valid_for_non_ca"
- FieldNotBeforeDuration = "not_before_duration"
- FieldAllowedSerialNumbers = "allowed_serial_numbers"
- FieldOID = "oid"
- FieldCPS = "cps"
- FieldNotice = "notice"
- FieldCommonName = "common_name"
- FieldAltNames = "alt_names"
- FieldFormat = "format"
- FieldPrivateKeyFormat = "private_key_format"
- FieldOu = "ou"
- FieldIssuingCA = "issuing_ca"
- FieldSerial = "serial"
- FieldSerialNumber = "serial_number"
- FieldIPSans = "ip_sans"
- FieldURISans = "uri_sans"
- FieldOtherSans = "other_sans"
- FieldMaxPathLength = "max_path_length"
- FieldExcludeCNFromSans = "exclude_cn_from_sans"
- FieldPermittedDNSDomains = "permitted_dns_domains"
- FieldExcludedDNSDomains = "excluded_dns_domains"
- FieldPermittedIPRanges = "permitted_ip_ranges"
- FieldExcludedIPRanges = "excluded_ip_ranges"
- FieldPermittedEmailAddresses = "permitted_email_addresses"
- FieldExcludedEmailAddresses = "excluded_email_addresses"
- FieldPermittedURIDomains = "permitted_uri_domains"
- FieldExcludedURIDomains = "excluded_uri_domains"
- FieldIssuerName = "issuer_name"
- FieldUserIds = "user_ids"
- FieldIssuerID = "issuer_id"
- FieldKeyRef = "key_ref"
- FieldPemBundle = "pem_bundle"
- FieldCAChain = "ca_chain"
- FieldCSR = "csr"
- FieldUseCSRValues = "use_csr_values"
- FieldCertificateBundle = "certificate_bundle"
- FieldRevoke = "revoke"
- FieldPrivateKeyType = "private_key_type"
- FieldAddBasicConstraints = "add_basic_constraints"
- FieldExported = "exported"
- FieldExpiration = "expiration"
- FieldAutoRenew = "auto_renew"
- FieldMinSecondsRemaining = "min_seconds_remaining"
- FieldRenewPending = "renew_pending"
- FieldImportedIssuers = "imported_issuers"
- FieldImportedKeys = "imported_keys"
- FieldExisting = "existing"
- FieldLeafNotAfterBehavior = "leaf_not_after_behavior"
- FieldManualChain = "manual_chain"
- FieldUsage = "usage"
- FieldKeys = "keys"
- FieldKeyInfo = "key_info"
- FieldKeyInfoJSON = "key_info_json"
- FieldRevocationSignatureAlgorithm = "revocation_signature_algorithm"
- FieldIssuingCertificates = "issuing_certificates"
- FieldCRLDistributionPoints = "crl_distribution_points"
- FieldOCSPServers = "ocsp_servers"
- FieldEnableAIAURLTemplating = "enable_aia_url_templating"
- FieldCredentialConfig = "credential_config"
- FieldDBName = "db_name"
- FieldCreationStatements = "creation_statements"
- FieldRevocationStatements = "revocation_statements"
- FieldRollbackStatements = "rollback_statements"
- FieldRenewStatements = "renew_statements"
- FieldCredentialType = "credential_type"
- FieldFilename = "filename"
- FieldDefault = "default"
- FieldRotationStatements = "rotation_statements"
- FieldRotationSchedule = "rotation_schedule"
- FieldRotationWindow = "rotation_window"
- FieldKubernetesCACert = "kubernetes_ca_cert"
- FieldDisableLocalCAJWT = "disable_local_ca_jwt"
- FieldKubernetesHost = "kubernetes_host"
- FieldServiceAccountJWT = "service_account_jwt"
- FieldDisableISSValidation = "disable_iss_validation"
- FieldPEMKeys = "pem_keys"
- FieldSetNamespaceFromToken = "set_namespace_from_token"
- FieldAzureRoles = "azure_roles"
- FieldRoleID = "role_id"
- FieldAzureGroups = "azure_groups"
- FieldObjectID = "object_id"
- FieldApplicationObjectID = "application_object_id"
- FieldPermanentlyDelete = "permanently_delete"
- FieldSignInAudience = "sign_in_audience"
- FieldTags = "tags"
- FieldSkipStaticRoleImportRotation = "skip_static_role_import_rotation"
- FieldSkipImportRotation = "skip_import_rotation"
- FieldCustomTags = "custom_tags"
- FieldSecretNameTemplate = "secret_name_template"
- FieldIAMEndpoint = "iam_endpoint"
- FieldSTSEndpoint = "sts_endpoint"
- FieldSTSFallbackEndpoints = "sts_fallback_endpoints"
- FieldIdentityTokenAudience = "identity_token_audience"
- FieldIdentityTokenTTL = "identity_token_ttl"
- FieldRoleArn = "role_arn"
- FieldAccessor = "accessor"
- FieldOptions = "options"
- FieldAllowedManagedKeys = "allowed_managed_keys"
- FieldIdentityTokenKey = "identity_token_key"
- FieldCIDRList = "cidr_list"
- FieldSecretID = "secret_id"
- FieldWrappingToken = "wrapping_token"
- FieldWithWrappedAccessor = "with_wrapped_accessor"
- FieldExternalID = "external_id"
- FieldAppName = "app_name"
- FieldInstallationID = "installation_id"
- FieldAppID = "app_id"
- FieldAIAPath = "aia_path"
- FieldTLSMinVersion = "tls_min_version"
- FieldTLSMaxVersion = "tls_max_version"
- FieldCaseSensitiveNames = "case_sensitive_names"
- FieldMaxPageSize = "max_page_size"
- FieldUserFilter = "userfilter"
- FieldDiscoverDN = "discoverdn"
- FieldDenyNullBind = "deny_null_bind"
- FieldGroupFilter = "groupfilter"
- FieldGroupDN = "groupdn"
- FieldGroupAttr = "groupattr"
- FieldUsernameAsAlias = "username_as_alias"
- FieldUseTokenGroups = "use_token_groups"
- FieldTitle = "title"
- FieldMessageBase64 = "message_base64"
- FieldAuthenticated = "authenticated"
- FieldStartTime = "start_time"
- FieldEndTime = "end_time"
- FieldLink = "link"
- FieldGranularity = "granularity"
- FieldGranularityLevel = "granularity_level"
- FieldEC2Endpoint = "ec2_endpoint"
- FieldSTSRegion = "sts_region"
- FieldSTSFallbackRegions = "sts_fallback_regions"
- FieldIAMServerIDHeaderValue = "iam_server_id_header_value"
- FieldListingVisibility = "listing_visibility"
- FieldPassthroughRequestHeaders = "passthrough_request_headers"
- FieldAllowedResponseHeaders = "allowed_response_headers"
- FieldDelegatedAuthAccessors = "delegated_auth_accessors"
- FieldPluginVersion = "plugin_version"
- FieldUseMSGraphAPI = "use_microsoft_graph_api"
- FieldEnabled = "enabled"
- FieldDefaultMount = "default_mount"
- FieldDefaultPathPolicy = "default_path_policy"
- FieldLabelToPathPolicy = "label_to_path_policy"
- FieldAuthenticators = "authenticators"
- FieldEnableSentinelParsing = "enable_sentinel_parsing"
- FieldAuditFields = "audit_fields"
- FieldLastUpdated = "last_updated"
- FieldCustomEndpoint = "custom_endpoint"
- FieldPrivateKeyID = "private_key_id"
- FieldTune = "tune"
- FieldMaxRetries = "max_retries"
- FieldSessionTags = "session_tags"
- FieldSelfManagedPassword = "self_managed_password"
- FieldAllowedIssuers = "allowed_issuers"
- FieldAllowedRoles = "allowed_roles"
- FieldAllowRoleExtKeyUsage = "allow_role_ext_key_usage"
- FieldDefaultDirectoryPolicy = "default_directory_policy"
- FieldDnsResolver = "dns_resolver"
- FieldEabPolicy = "eab_policy"
- FieldCnValidations = "cn_validations"
- FieldsCreatedOn = "created_on"
- FieldEabKey = "key"
- FieldAcmeDirectory = "acme_directory"
- FieldEabId = "eab_id"
+ FieldMount = "mount"
+ FieldBindDN = "binddn"
+ FieldBindPass = "bindpass"
+ FieldCertificate = "certificate"
+ FieldClientTLSCert = "client_tls_cert"
+ FieldClientTLSKey = "client_tls_key"
+ FieldDistinguishedNames = "distinguished_names"
+ FieldUPNDomain = "upndomain"
+ FieldStartTLS = "starttls"
+ FieldConnectionTimeout = "connection_timeout"
+ FieldRequestTimeout = "request_timeout"
+ FieldSchema = "schema"
+ FieldPasswordPolicy = "password_policy"
+ FieldLength = "length"
+ FieldInsecureTLS = "insecure_tls"
+ FieldURL = "url"
+ FieldUserAttr = "userattr"
+ FieldUserDN = "userdn"
+ FieldRotationPeriod = "rotation_period"
+ FieldPaths = "paths"
+ FieldParameters = "parameters"
+ FieldMethod = "method"
+ FieldNamespace = "namespace"
+ FieldUseRootNamespace = "use_root_namespace"
+ FieldNamespaceID = "namespace_id"
+ FieldNamespacePath = "namespace_path"
+ FieldPathFQ = "path_fq"
+ FieldData = "data"
+ FieldDisableRead = "disable_read"
+ FieldName = "name"
+ FieldVersion = "version"
+ FieldMetadata = "metadata"
+ FieldNames = "names"
+ FieldLeaseID = "lease_id"
+ FieldLeaseDuration = "lease_duration"
+ FieldLeaseRenewable = "lease_renewable"
+ FieldDepth = "depth"
+ FieldDataJSON = "data_json"
+ FieldDN = "dn"
+ FieldRole = "role"
+ FieldRoles = "roles"
+ FieldDescription = "description"
+ FieldTTL = "ttl"
+ FieldMaxTTL = "max_ttl"
+ FieldDefaultLeaseTTL = "default_lease_ttl_seconds"
+ FieldDefaultTTL = "default_ttl"
+ FieldMaxLeaseTTL = "max_lease_ttl_seconds"
+ FieldAuditNonHMACRequestKeys = "audit_non_hmac_request_keys"
+ FieldAuditNonHMACResponseKeys = "audit_non_hmac_response_keys"
+ FieldLastPassword = "last_password"
+ FieldLastVaultRotation = "last_vault_rotation"
+ FieldLocal = "local"
+ FieldSealWrap = "seal_wrap"
+ FieldExternalEntropyAccess = "external_entropy_access"
+ FieldAWS = "aws"
+ FieldPKCS = "pkcs"
+ FieldAzure = "azure"
+ FieldLibrary = "library"
+ FieldKeyLabel = "key_label"
+ FieldKeyID = "key_id"
+ FieldMechanism = "mechanism"
+ FieldPin = "pin"
+ FieldSlot = "slot"
+ FieldTokenLabel = "token_label"
+ FieldCurve = "curve"
+ FieldKeyBits = "key_bits"
+ FieldForceRWSession = "force_rw_session"
+ FieldAccessKey = "access_key"
+ FieldSecretKey = "secret_key"
+ FieldEndpoint = "endpoint"
+ FieldKeyType = "key_type"
+ FieldKMSKey = "kms_key"
+ FieldRegion = "region"
+ FieldTenantID = "tenant_id"
+ FieldClientID = "client_id"
+ FieldClientSecret = "client_secret"
+ FieldEnvironment = "environment"
+ FieldVaultName = "vault_name"
+ FieldKeyName = "key_name"
+ FieldResource = "resource"
+ FieldAllowGenerateKey = "allow_generate_key"
+ FieldAllowReplaceKey = "allow_replace_key"
+ FieldAllowStoreKey = "allow_store_key"
+ FieldAnyMount = "any_mount"
+ FieldID = "id"
+ FieldUUID = "uuid"
+ FieldMountAccessor = "mount_accessor"
+ FieldUsername = "username"
+ FieldPassword = "password"
+ FieldPasswordFile = "password_file"
+ FieldClientAuth = "client_auth"
+ FieldAuthLoginGeneric = "auth_login"
+ FieldAuthLoginUserpass = "auth_login_userpass"
+ FieldAuthLoginAWS = "auth_login_aws"
+ FieldAuthLoginCert = "auth_login_cert"
+ FieldAuthLoginGCP = "auth_login_gcp"
+ FieldAuthLoginKerberos = "auth_login_kerberos"
+ FieldAuthLoginRadius = "auth_login_radius"
+ FieldAuthLoginOCI = "auth_login_oci"
+ FieldAuthLoginOIDC = "auth_login_oidc"
+ FieldAuthLoginJWT = "auth_login_jwt"
+ FieldAuthLoginAzure = "auth_login_azure"
+ FieldAuthLoginTokenFile = "auth_login_token_file"
+ FieldIAMHttpRequestMethod = "iam_http_request_method"
+ FieldIAMRequestURL = "iam_request_url"
+ FieldIAMRequestBody = "iam_request_body"
+ FieldIAMRequestHeaders = "iam_request_headers"
+ FieldAWSAccessKeyID = "aws_access_key_id"
+ FieldAWSSecretAccessKey = "aws_secret_access_key"
+ FieldAWSSessionToken = "aws_session_token"
+ FieldAWSRoleARN = "aws_role_arn"
+ FieldAWSRoleSessionName = "aws_role_session_name"
+ FieldAWSWebIdentityTokenFile = "aws_web_identity_token_file"
+ FieldAWSSTSEndpoint = "aws_sts_endpoint"
+ FieldAWSIAMEndpoint = "aws_iam_endpoint"
+ FieldAWSProfile = "aws_profile"
+ FieldAWSRegion = "aws_region"
+ FieldAWSSharedCredentialsFile = "aws_shared_credentials_file"
+ FieldHeaderValue = "header_value"
+ FieldDisableRemount = "disable_remount"
+ FieldCACertFile = "ca_cert_file"
+ FieldCACertDir = "ca_cert_dir"
+ FieldCertFile = "cert_file"
+ FieldKeyFile = "key_file"
+ FieldSkipTLSVerify = "skip_tls_verify"
+ FieldTLSServerName = "tls_server_name"
+ FieldAddress = "address"
+ FieldJWT = "jwt"
+ FieldCredentials = "credentials"
+ FieldClientEmail = "client_email"
+ FieldServiceAccount = "service_account"
+ FieldAuthorization = "authorization"
+ FieldToken = "token"
+ FieldService = "service"
+ FieldRealm = "realm"
+ FieldKeytabPath = "keytab_path"
+ FieldKRB5ConfPath = "krb5conf_path"
+ FieldDisableFastNegotiation = "disable_fast_negotiation"
+ FieldRemoveInstanceName = "remove_instance_name"
+ FieldAuthType = "auth_type"
+ FieldRequestHeaders = "request_headers"
+ FieldCallbackAddress = "callback_address"
+ FieldCallbackListenerAddress = "callback_listener_address"
+ FieldScope = "scope"
+ FieldSubscriptionID = "subscription_id"
+ FieldResourceGroupName = "resource_group_name"
+ FieldVMName = "vm_name"
+ FieldVMSSName = "vmss_name"
+ FieldUsernameFormat = "username_format"
+ FieldIntegrationKey = "integration_key"
+ FieldAPIHostname = "api_hostname"
+ FieldPushInfo = "push_info"
+ FieldUsePasscode = "use_passcode"
+ FieldIssuer = "issuer"
+ FieldPeriod = "period"
+ FieldKeySize = "key_size"
+ FieldQRSize = "qr_size"
+ FieldAlgorithm = "algorithm"
+ FieldDigits = "digits"
+ FieldSkew = "skew"
+ FieldMaxValidationAttempts = "max_validation_attempts"
+ FieldOrgName = "org_name"
+ FieldAPIToken = "api_token"
+ FieldBaseURL = "base_url"
+ FieldPrimaryEmail = "primary_email"
+ FieldSettingsFileBase64 = "settings_file_base64"
+ FieldUseSignature = "use_signature"
+ FieldIdpURL = "idp_url"
+ FieldAdminURL = "admin_url"
+ FieldAuthenticatorURL = "authenticator_url"
+ FieldOrgAlias = "org_alias"
+ FieldType = "type"
+ FieldMethodID = "method_id"
+ FieldMFAMethodIDs = "mfa_method_ids"
+ FieldAccessors = "accessors"
+ FieldAuthMethodAccessors = "auth_method_accessors"
+ FieldAuthMethodTypes = "auth_method_types"
+ FieldIdentityGroupIDs = "identity_group_ids"
+ FieldIdentityEntityIDs = "identity_entity_ids"
+ FieldWrappingAccessor = "wrapping_accessor"
+ FieldRoleName = "role_name"
+ FieldPolicies = "policies"
+ FieldNoParent = "no_parent"
+ FieldNoDefaultPolicy = "no_default_policy"
+ FieldRenewable = "renewable"
+ FieldExplicitMaxTTL = "explicit_max_ttl"
+ FieldWrappingTTL = "wrapping_ttl"
+ FieldDisplayName = "display_name"
+ FieldNumUses = "num_uses"
+ FieldRenewMinLease = "renew_min_lease"
+ FieldRenewIncrement = "renew_increment"
+ FieldLeaseStarted = "lease_started"
+ FieldClientToken = "client_token"
+ FieldWrappedToken = "wrapped_token"
+ FieldOrphan = "orphan"
+ FieldVaultVersionOverride = "vault_version_override"
+ FieldSkipGetVaultVersion = "skip_get_vault_version"
+ FieldMemberEntityIDs = "member_entity_ids"
+ FieldMemberGroupIDs = "member_group_ids"
+ FieldExclusive = "exclusive"
+ FieldGroupID = "group_id"
+ FieldGroupName = "group_name"
+ FieldExternal = "external"
+ FieldInternal = "internal"
+ FieldFailureTolerance = "failure_tolerance"
+ FieldHealthy = "healthy"
+ FieldLeader = "leader"
+ FieldOptimisticFailureTolerance = "optimistic_failure_tolerance"
+ FieldVoters = "voters"
+ FieldRedundancyZones = "redundancy_zones"
+ FieldRedundancyZonesJSON = "redundancy_zones_json"
+ FieldServers = "servers"
+ FieldServersJSON = "servers_json"
+ FieldUpgradeInfo = "upgrade_info"
+ FieldUpgradeInfoJSON = "upgrade_info_json"
+ FieldMaxVersions = "max_versions"
+ FieldCASRequired = "cas_required"
+ FieldDeleteVersionAfter = "delete_version_after"
+ FieldCustomMetadata = "custom_metadata"
+ FieldCustomMetadataJSON = "custom_metadata_json"
+ FieldIAMAlias = "iam_alias"
+ FieldIAMMetadata = "iam_metadata"
+ FieldEC2Alias = "ec2_alias"
+ FieldEC2Metadata = "ec2_metadata"
+ FieldPublicKey = "public_key"
+ FieldPrivateKey = "private_key"
+ FieldImpersonatedAccount = "impersonated_account"
+ FieldServiceAccountEmail = "service_account_email"
+ FieldTokenScopes = "token_scopes"
+ FieldServiceAccountProject = "service_account_project"
+ FieldOrganizationID = "organization_id"
+ FieldProjectID = "project_id"
+ FieldIPAddresses = "ip_addresses"
+ FieldCIDRBlocks = "cidr_blocks"
+ FieldProjectRoles = "project_roles"
+ FieldCreationLDIF = "creation_ldif"
+ FieldDeletionLDIF = "deletion_ldif"
+ FieldRollbackLDIF = "rollback_ldif"
+ FieldUsernameTemplate = "username_template"
+ FieldServiceAccountNames = "service_account_names"
+ FieldDisableCheckInEnforcement = "disable_check_in_enforcement"
+ FieldSkipChildToken = "skip_child_token"
+ FieldTokenPolicies = "token_policies"
+ FieldManagedKeyName = "managed_key_name"
+ FieldManagedKeyID = "managed_key_id"
+ FieldIssuerRef = "issuer_ref"
+ FieldAllowLocalhost = "allow_localhost"
+ FieldAllowedDomains = "allowed_domains"
+ FieldAllowedDomainsTemplate = "allowed_domains_template"
+ FieldAllowBareDomains = "allow_bare_domains"
+ FieldAllowSubdomains = "allow_subdomains"
+ FieldAllowGlobDomains = "allow_glob_domains"
+ FieldAllowAnyName = "allow_any_name"
+ FieldEnforceHostnames = "enforce_hostnames"
+ FieldAllowIPSans = "allow_ip_sans"
+ FieldAllowedURISans = "allowed_uri_sans"
+ FieldAllowedURISansTemplate = "allowed_uri_sans_template"
+ FieldAllowedUserIds = "allowed_user_ids"
+ FieldAllowWildcardCertificates = "allow_wildcard_certificates"
+ FieldAllowedOtherSans = "allowed_other_sans"
+ FieldServerFlag = "server_flag"
+ FieldClientFlag = "client_flag"
+ FieldCodeSigningFlag = "code_signing_flag"
+ FieldEmailProtectionFlag = "email_protection_flag"
+ FieldKeyUsage = "key_usage"
+ FieldExtKeyUsage = "ext_key_usage"
+ FieldExtKeyUsageOIDs = "ext_key_usage_oids"
+ FieldUseCSRCommonName = "use_csr_common_name"
+ FieldUseCSRSans = "use_csr_sans"
+ FieldOU = "ou"
+ FieldOrganization = "organization"
+ FieldCountry = "country"
+ FieldLocality = "locality"
+ FieldProvince = "province"
+ FieldStreetAddress = "street_address"
+ FieldPostalCode = "postal_code"
+ FieldGenerateLease = "generate_lease"
+ FieldNoStore = "no_store"
+ FieldRequireCN = "require_cn"
+ FieldPolicyIdentifiers = "policy_identifiers"
+ FieldPolicyIdentifier = "policy_identifier"
+ FieldBasicConstraintsValidForNonCA = "basic_constraints_valid_for_non_ca"
+ FieldNotBeforeDuration = "not_before_duration"
+ FieldAllowedSerialNumbers = "allowed_serial_numbers"
+ FieldOID = "oid"
+ FieldCPS = "cps"
+ FieldNotice = "notice"
+ FieldCommonName = "common_name"
+ FieldAltNames = "alt_names"
+ FieldFormat = "format"
+ FieldPrivateKeyFormat = "private_key_format"
+ FieldOu = "ou"
+ FieldIssuingCA = "issuing_ca"
+ FieldSerial = "serial"
+ FieldSerialNumber = "serial_number"
+ FieldIPSans = "ip_sans"
+ FieldURISans = "uri_sans"
+ FieldOtherSans = "other_sans"
+ FieldMaxPathLength = "max_path_length"
+ FieldExcludeCNFromSans = "exclude_cn_from_sans"
+ FieldPermittedDNSDomains = "permitted_dns_domains"
+ FieldExcludedDNSDomains = "excluded_dns_domains"
+ FieldPermittedIPRanges = "permitted_ip_ranges"
+ FieldExcludedIPRanges = "excluded_ip_ranges"
+ FieldPermittedEmailAddresses = "permitted_email_addresses"
+ FieldExcludedEmailAddresses = "excluded_email_addresses"
+ FieldPermittedURIDomains = "permitted_uri_domains"
+ FieldExcludedURIDomains = "excluded_uri_domains"
+ FieldIssuerName = "issuer_name"
+ FieldUserIds = "user_ids"
+ FieldIssuerID = "issuer_id"
+ FieldKeyRef = "key_ref"
+ FieldPemBundle = "pem_bundle"
+ FieldCAChain = "ca_chain"
+ FieldCSR = "csr"
+ FieldUseCSRValues = "use_csr_values"
+ FieldCertificateBundle = "certificate_bundle"
+ FieldRevoke = "revoke"
+ FieldPrivateKeyType = "private_key_type"
+ FieldAddBasicConstraints = "add_basic_constraints"
+ FieldExported = "exported"
+ FieldExpiration = "expiration"
+ FieldAutoRenew = "auto_renew"
+ FieldMinSecondsRemaining = "min_seconds_remaining"
+ FieldRenewPending = "renew_pending"
+ FieldImportedIssuers = "imported_issuers"
+ FieldImportedKeys = "imported_keys"
+ FieldExisting = "existing"
+ FieldLeafNotAfterBehavior = "leaf_not_after_behavior"
+ FieldManualChain = "manual_chain"
+ FieldUsage = "usage"
+ FieldKeys = "keys"
+ FieldKeyInfo = "key_info"
+ FieldKeyInfoJSON = "key_info_json"
+ FieldRevocationSignatureAlgorithm = "revocation_signature_algorithm"
+ FieldIssuingCertificates = "issuing_certificates"
+ FieldCRLDistributionPoints = "crl_distribution_points"
+ FieldOCSPServers = "ocsp_servers"
+ FieldEnableAIAURLTemplating = "enable_aia_url_templating"
+ FieldCredentialConfig = "credential_config"
+ FieldDBName = "db_name"
+ FieldCreationStatements = "creation_statements"
+ FieldRevocationStatements = "revocation_statements"
+ FieldRollbackStatements = "rollback_statements"
+ FieldRenewStatements = "renew_statements"
+ FieldCredentialType = "credential_type"
+ FieldFilename = "filename"
+ FieldDefault = "default"
+ FieldRotationStatements = "rotation_statements"
+ FieldRotationSchedule = "rotation_schedule"
+ FieldRotationWindow = "rotation_window"
+ FieldKubernetesCACert = "kubernetes_ca_cert"
+ FieldDisableLocalCAJWT = "disable_local_ca_jwt"
+ FieldKubernetesHost = "kubernetes_host"
+ FieldServiceAccountJWT = "service_account_jwt"
+ FieldDisableISSValidation = "disable_iss_validation"
+ FieldPEMKeys = "pem_keys"
+ FieldSetNamespaceFromToken = "set_namespace_from_token"
+ FieldAzureRoles = "azure_roles"
+ FieldRoleID = "role_id"
+ FieldAzureGroups = "azure_groups"
+ FieldObjectID = "object_id"
+ FieldApplicationObjectID = "application_object_id"
+ FieldPermanentlyDelete = "permanently_delete"
+ FieldSignInAudience = "sign_in_audience"
+ FieldTags = "tags"
+ FieldSkipStaticRoleImportRotation = "skip_static_role_import_rotation"
+ FieldSkipImportRotation = "skip_import_rotation"
+ FieldCustomTags = "custom_tags"
+ FieldSecretNameTemplate = "secret_name_template"
+ FieldIAMEndpoint = "iam_endpoint"
+ FieldSTSEndpoint = "sts_endpoint"
+ FieldSTSFallbackEndpoints = "sts_fallback_endpoints"
+ FieldIdentityTokenAudience = "identity_token_audience"
+ FieldIdentityTokenTTL = "identity_token_ttl"
+ FieldRoleArn = "role_arn"
+ FieldAccessor = "accessor"
+ FieldOptions = "options"
+ FieldAllowedManagedKeys = "allowed_managed_keys"
+ FieldIdentityTokenKey = "identity_token_key"
+ FieldCIDRList = "cidr_list"
+ FieldSecretID = "secret_id"
+ FieldWrappingToken = "wrapping_token"
+ FieldWithWrappedAccessor = "with_wrapped_accessor"
+ FieldExternalID = "external_id"
+ FieldAppName = "app_name"
+ FieldInstallationID = "installation_id"
+ FieldAppID = "app_id"
+ FieldAIAPath = "aia_path"
+ FieldTLSMinVersion = "tls_min_version"
+ FieldTLSMaxVersion = "tls_max_version"
+ FieldCaseSensitiveNames = "case_sensitive_names"
+ FieldMaxPageSize = "max_page_size"
+ FieldUserFilter = "userfilter"
+ FieldDiscoverDN = "discoverdn"
+ FieldDenyNullBind = "deny_null_bind"
+ FieldGroupFilter = "groupfilter"
+ FieldGroupDN = "groupdn"
+ FieldGroupAttr = "groupattr"
+ FieldUsernameAsAlias = "username_as_alias"
+ FieldUseTokenGroups = "use_token_groups"
+ FieldTitle = "title"
+ FieldMessageBase64 = "message_base64"
+ FieldAuthenticated = "authenticated"
+ FieldStartTime = "start_time"
+ FieldEndTime = "end_time"
+ FieldLink = "link"
+ FieldGranularity = "granularity"
+ FieldGranularityLevel = "granularity_level"
+ FieldEC2Endpoint = "ec2_endpoint"
+ FieldSTSRegion = "sts_region"
+ FieldSTSFallbackRegions = "sts_fallback_regions"
+ FieldIAMServerIDHeaderValue = "iam_server_id_header_value"
+ FieldListingVisibility = "listing_visibility"
+ FieldPassthroughRequestHeaders = "passthrough_request_headers"
+ FieldAllowedResponseHeaders = "allowed_response_headers"
+ FieldDelegatedAuthAccessors = "delegated_auth_accessors"
+ FieldPluginVersion = "plugin_version"
+ FieldUseMSGraphAPI = "use_microsoft_graph_api"
+ FieldEnabled = "enabled"
+ FieldDefaultMount = "default_mount"
+ FieldDefaultPathPolicy = "default_path_policy"
+ FieldLabelToPathPolicy = "label_to_path_policy"
+ FieldAuthenticators = "authenticators"
+ FieldEnableSentinelParsing = "enable_sentinel_parsing"
+ FieldAuditFields = "audit_fields"
+ FieldLastUpdated = "last_updated"
+ FieldCustomEndpoint = "custom_endpoint"
+ FieldPrivateKeyID = "private_key_id"
+ FieldTune = "tune"
+ FieldMaxRetries = "max_retries"
+ FieldSessionTags = "session_tags"
+ FieldSelfManagedPassword = "self_managed_password"
+ FieldAllowedIssuers = "allowed_issuers"
+ FieldAllowedRoles = "allowed_roles"
+ FieldAllowRoleExtKeyUsage = "allow_role_ext_key_usage"
+ FieldDefaultDirectoryPolicy = "default_directory_policy"
+ FieldDnsResolver = "dns_resolver"
+ FieldEabPolicy = "eab_policy"
+ FieldCnValidations = "cn_validations"
+ FieldsCreatedOn = "created_on"
+ FieldEabKey = "key"
+ FieldAcmeDirectory = "acme_directory"
+ FieldEabId = "eab_id"
+ FieldDisableCriticalExtensionChecks = "disable_critical_extension_checks"
+ FieldDisablePathLengthChecks = "disable_path_length_checks"
+ FieldDisableNameChecks = "disable_name_checks"
+ FieldDisableNameConstraintChecks = "disable_name_constraint_checks"
+ /* common environment variables */
diff --git a/vault/data_source_pki_secret_backend_issuer.go b/vault/data_source_pki_secret_backend_issuer.go
index 0c48e16de2..dbb2fc7e0a 100644
--- a/vault/data_source_pki_secret_backend_issuer.go
+++ b/vault/data_source_pki_secret_backend_issuer.go
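Review bot: The four new constants at the tail of the `const (` group come with every existing `Field*` line removed and re-added unchanged, presumably because `FieldDisableCriticalExtensionChecks` is now the longest name in the group and gofmt re-aligned the `=` column; the real change is four lines but the hunk is roughly 900. Declaring the new names in their own `const (` block, introduced by a comment such as `// PKI issuer chain-verification toggles (Vault Enterprise 1.19+).`, would keep the diff to the lines that matter and leave `git blame` on the other constants intact. The `const (` group starts before the hunk.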
@@ -78,6 +78,26 @@ func pkiSecretBackendIssuerDataSource() *schema.Resource {
 Computed: true,
 Description: "Allowed usages for this issuer.",
 },
+ consts.FieldDisableCriticalExtensionChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.",
+ },
+ consts.FieldDisablePathLengthChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.",
+ },
+ consts.FieldDisableNameChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.",
+ },
+ consts.FieldDisableNameConstraintChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain",
+ },
 },
 }
 }
@@ -113,6 +133,13 @@ func readPKISecretBackendIssuer(ctx context.Context, d *schema.ResourceData, met
 consts.FieldManualChain,
 consts.FieldUsage,
 }
+ if supportPkiCertVerifyDisableChecksFields(meta) {
+ issuerComputedFields = append(issuerComputedFields,
+ consts.FieldDisableCriticalExtensionChecks,
+ consts.FieldDisablePathLengthChecks,
+ consts.FieldDisableNameChecks,
+ consts.FieldDisableNameConstraintChecks)
+ }
 for _, k := range issuerComputedFields {
 if err := d.Set(k, resp.Data[k]); err != nil {
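Review bot: The four new `disable_*` attributes in the data source schema are declared `Optional: true`, yet nothing in this data source consumes them as input — the second hunk appends them to `issuerComputedFields` and `readPKISecretBackendIssuer` overwrites whatever the user configured with the server's value. Every other output of this data source is `Computed: true` (see the usage field just above), so these should be too: replace `Optional: true,` with `Computed: true,` in each of the four entries, which also stops an operator from believing a verification toggle can be set through a data source. The descriptions are copied from the resource and describe a capability rather than what is reported, and the `FieldDisableNameConstraintChecks` one is the only one without a trailing period.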
@@ -122,3 +149,7 @@ func readPKISecretBackendIssuer(ctx context.Context, d *schema.ResourceData, met
 return nil
 }
+
+func supportPkiCertVerifyDisableChecksFields(meta interface{}) bool {
+ return provider.IsAPISupported(meta, provider.VaultVersion119) && provider.IsEnterpriseSupported(meta)
+}
diff --git a/vault/data_source_pki_secret_backend_issuer_test.go b/vault/data_source_pki_secret_backend_issuer_test.go
index ea81ba08bb..9631690611 100644
--- a/vault/data_source_pki_secret_backend_issuer_test.go
+++ b/vault/data_source_pki_secret_backend_issuer_test.go
@@ -5,13 +5,13 @@ package vault
 import (
 "fmt"
+ "github.com/hashicorp/terraform-provider-vault/internal/provider"
 "testing"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-provider-vault/internal/consts"
- "github.com/hashicorp/terraform-provider-vault/internal/provider"
 "github.com/hashicorp/terraform-provider-vault/testutil"
 )
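Review bot: `supportPkiCertVerifyDisableChecksFields` has no doc comment, and it is defined in the data-source file although the resource's update and read paths call it as well. Add `// supportPkiCertVerifyDisableChecksFields reports whether the connected Vault exposes the issuer disable_* certificate-verification fields, which require Vault Enterprise 1.19+.` above it, so the reason for the Enterprise check (consistent with the CHANGELOG entry) is recorded next to the gate. Consider placing it beside the resource, or in a shared pki helper file, so the version gate is found where the fields are written.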
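Review bot: In the test file's import block, `github.com/hashicorp/terraform-provider-vault/internal/provider` was moved between `"fmt"` and `"testing"`, i.e. into the standard-library group, and removed from the project group where it belonged. `goimports`/`gofmt` will regroup it on the next save and produce a noisy diff; drop this hunk and keep the original position.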
@@ -40,6 +40,67 @@ func TestAccDataSourcePKISecretIssuer(t *testing.T) { }) } +func TestAccDataSourcePKISecretIssuer_verify_disable_fields(t *testing.T) { + backend := acctest.RandomWithPrefix("tf-test-pki-backend") + issuerName := acctest.RandomWithPrefix("tf-test-pki-issuer") + dataName := "data.vault_pki_secret_backend_issuer.test" + resource.Test(t, resource.TestCase{ + ProviderFactories: providerFactories, + PreCheck: func() { + testutil.TestEntPreCheck(t) + SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion119) + }, + Steps: []resource.TestStep{ + { + Config: testPKISecretIssuerDataSource(backend, issuerName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(dataName, consts.FieldIssuerName, issuerName), + resource.TestCheckResourceAttrSet(dataName, consts.FieldIssuerID), + resource.TestCheckResourceAttrSet(dataName, consts.FieldKeyID), + resource.TestCheckResourceAttrSet(dataName, consts.FieldCertificate), + + resource.TestCheckResourceAttr(dataName, consts.FieldDisableCriticalExtensionChecks, "false"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisablePathLengthChecks, "false"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisableNameChecks, "false"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisableNameConstraintChecks, "false"), + ), + }, + { + Config: testPKISecretIssuerDataSource_verify_disable_fields(backend, issuerName, "true"), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(dataName, consts.FieldIssuerName, issuerName), + resource.TestCheckResourceAttrSet(dataName, consts.FieldIssuerID), + resource.TestCheckResourceAttrSet(dataName, consts.FieldKeyID), + resource.TestCheckResourceAttrSet(dataName, consts.FieldCertificate), + + resource.TestCheckResourceAttr(dataName, 
consts.FieldDisableCriticalExtensionChecks, "true"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisablePathLengthChecks, "true"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisableNameChecks, "true"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisableNameConstraintChecks, "true"), + ), + }, + // As above, but leave FieldDisableNameChecks false as a spot check + { + Config: testPKISecretIssuerDataSource_verify_disable_fields(backend, issuerName, "false"), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(dataName, consts.FieldIssuerName, issuerName), + resource.TestCheckResourceAttrSet(dataName, consts.FieldIssuerID), + resource.TestCheckResourceAttrSet(dataName, consts.FieldKeyID), + resource.TestCheckResourceAttrSet(dataName, consts.FieldCertificate), + + resource.TestCheckResourceAttr(dataName, consts.FieldDisableCriticalExtensionChecks, "true"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisablePathLengthChecks, "true"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisableNameChecks, "false"), + resource.TestCheckResourceAttr(dataName, consts.FieldDisableNameConstraintChecks, "true"), + ), + }, + }, + }) +} + func testPKISecretIssuerDataSource(path, issuerName string) string { return fmt.Sprintf(` resource "vault_mount" "test" { 
@@ -61,3 +122,40 @@ data "vault_pki_secret_backend_issuer" "test" { issuer_ref = vault_pki_secret_backend_root_cert.test.issuer_id }`, path, issuerName) } + +func testPKISecretIssuerDataSource_verify_disable_fields(path, issuerName, disableNameChecks string) string { + return fmt.Sprintf(` +resource "vault_mount" "test" { + path = "%s" + type = "pki" + description = "PKI secret engine mount" +} + +resource "vault_pki_secret_backend_root_cert" "test" { + backend = vault_mount.test.path + type = "internal" + common_name = "test" + ttl = "86400" + issuer_name = "%s" +} + +resource "vault_pki_secret_backend_issuer" "test" { + backend = vault_mount.test.path + issuer_ref = vault_pki_secret_backend_root_cert.test.issuer_id + issuer_name = "%s" + + disable_critical_extension_checks = "true" + disable_path_length_checks = "true" + disable_name_checks = "%s" + disable_name_constraint_checks = "true" +} + +data "vault_pki_secret_backend_issuer" "test" { + backend = vault_mount.test.path + issuer_ref = vault_pki_secret_backend_root_cert.test.issuer_id + + # Depend on vault_pki_secret_backend_issuer.test so that the data + # is gathered after the issuer is updated. + depends_on = [vault_pki_secret_backend_issuer.test] +}`, path, issuerName, issuerName, disableNameChecks) +} diff --git a/vault/resource_pki_secret_backend_issuer.go b/vault/resource_pki_secret_backend_issuer.go index 15399d3432..31f9cfadfb 100644 --- a/vault/resource_pki_secret_backend_issuer.go +++ b/vault/resource_pki_secret_backend_issuer.go 
@@ -105,6 +105,26 @@ func pkiSecretBackendIssuerResource() *schema.Resource {
 Optional: true,
 Description: "Specifies that the AIA URL values should be templated.",
 },
+ consts.FieldDisableCriticalExtensionChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.",
+ },
+ consts.FieldDisablePathLengthChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.",
+ },
+ consts.FieldDisableNameChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.",
+ },
+ consts.FieldDisableNameConstraintChecks: {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain",
+ },
 consts.FieldIssuerID: {
 Type: schema.TypeString,
 Computed: true,
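Review bot: The descriptions of the four new `disable_*` resource fields do not tell the operator that they are only honoured on Vault Enterprise 1.19+ (the `supportPkiCertVerifyDisableChecksFields` gate and the CHANGELOG entry both say so), nor that each one switches off a chain-verification check Vault otherwise applies to every certificate this issuer signs. Append ` Requires Vault Enterprise 1.19+.` to each description and add the missing trailing period to the `FieldDisableNameConstraintChecks` one. The resource test's third step appears to rely on omitting a field resetting the server-side value to `false`; a sentence stating that in the description would make the behaviour discoverable without reading the tests.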
@@ -164,6 +184,15 @@ func pkiSecretBackendIssuerUpdate(ctx context.Context, d *schema.ResourceData, m
 consts.FieldEnableAIAURLTemplating,
 }
+ if supportPkiCertVerifyDisableChecksFields(meta) {
+ configurableFields = append(configurableFields,
+ consts.FieldDisableCriticalExtensionChecks,
+ consts.FieldDisablePathLengthChecks,
+ consts.FieldDisableNameChecks,
+ consts.FieldDisableNameConstraintChecks,
+ )
+ }
+
 var patchRequired bool
 data := map[string]interface{}{}
 for _, k := range configurableFields {
@@ -243,6 +272,15 @@ func pkiSecretBackendIssuerRead(ctx context.Context, d *schema.ResourceData, met
 consts.FieldIssuerID,
 }
+ if supportPkiCertVerifyDisableChecksFields(meta) {
+ fields = append(fields,
+ consts.FieldDisableCriticalExtensionChecks,
+ consts.FieldDisablePathLengthChecks,
+ consts.FieldDisableNameChecks,
+ consts.FieldDisableNameConstraintChecks,
+ )
+ }
+
 for _, k := range fields {
 if v, ok := resp.Data[k]; ok {
 if err := d.Set(k, v); err != nil {
diff --git a/vault/resource_pki_secret_backend_issuer_test.go b/vault/resource_pki_secret_backend_issuer_test.go
index 845f2d1e6a..ca6de772ea 100644
--- a/vault/resource_pki_secret_backend_issuer_test.go
+++ b/vault/resource_pki_secret_backend_issuer_test.go
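Review bot: When `supportPkiCertVerifyDisableChecksFields(meta)` is false, `pkiSecretBackendIssuerUpdate` silently drops any `disable_*` value the user configured: the field is never added to `configurableFields`, so it is never sent, and because the read hunk below only sets keys present in `resp.Data`, state keeps the configured `true` while the server still enforces the check. The mismatch is fail-safe for the PKI but invisible to the operator and never shows up as a plan diff. Prefer failing the update when one of the four fields is set against an unsupported Vault, as sketched below (this assumes the function returns `diag.Diagnostics` like the other SDK v2 handlers — its signature is cut off in the hunk header). Both enclosing functions continue outside their hunks.
```go
	if supportPkiCertVerifyDisableChecksFields(meta) {
		// … unchanged: append of the four disable_* fields to configurableFields …
	} else {
		// Vault Enterprise 1.19+ only: refuse rather than leave state claiming a
		// verification check is disabled that the server still enforces.
		for _, k := range []string{
			consts.FieldDisableCriticalExtensionChecks,
			consts.FieldDisablePathLengthChecks,
			consts.FieldDisableNameChecks,
			consts.FieldDisableNameConstraintChecks,
		} {
			if _, ok := d.GetOk(k); ok {
				return diag.Errorf("%q requires Vault Enterprise 1.19+", k)
			}
		}
	}
	// … unchanged: patchRequired / data map construction …
```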
@@ -81,6 +81,120 @@ func TestAccPKISecretBackendIssuer_basic(t *testing.T) { }) } +func TestAccPKISecretBackendIssuer_verify_disable_fields(t *testing.T) { + backend := acctest.RandomWithPrefix("tf-test-pki") + resourceType := "vault_pki_secret_backend_issuer" + resourceName := resourceType + ".test" + + issuerName := acctest.RandomWithPrefix("tf-pki-issuer") + + config_disable_all := fmt.Sprintf(`%s = "true" + %s = "true" + %s = "true" + %s = "true"`, + consts.FieldDisableCriticalExtensionChecks, + consts.FieldDisablePathLengthChecks, + consts.FieldDisableNameChecks, + consts.FieldDisableNameConstraintChecks) + + resource.Test(t, resource.TestCase{ + ProviderFactories: providerFactories, + PreCheck: func() { + testutil.TestEntPreCheck(t) + SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion119) + }, + CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypePKI, consts.FieldBackend), + Steps: []resource.TestStep{ + // Check all disable_ fields default to false + { + Config: testAccPKISecretBackendIssuer_basic(backend, ""), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(resourceName, consts.FieldIssuerName, ""), + resource.TestCheckResourceAttr(resourceName, consts.FieldLeafNotAfterBehavior, "err"), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerRef), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerID), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableCriticalExtensionChecks, "false"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisablePathLengthChecks, "false"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameChecks, "false"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameConstraintChecks, "false"), + ), + }, + // Set all the certificate verification check disable_ fields to true + { + Config: 
testAccPKISecretBackendIssuer_basic(backend, config_disable_all), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(resourceName, consts.FieldIssuerName, ""), + resource.TestCheckResourceAttr(resourceName, consts.FieldLeafNotAfterBehavior, "err"), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerRef), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerID), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableCriticalExtensionChecks, "true"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisablePathLengthChecks, "true"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameChecks, "true"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameConstraintChecks, "true"), + ), + }, + { + Config: testAccPKISecretBackendIssuer_basic(backend, + fmt.Sprintf(`issuer_name = "%s"`, issuerName)), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(resourceName, consts.FieldIssuerName, issuerName), + resource.TestCheckResourceAttr(resourceName, consts.FieldLeafNotAfterBehavior, "err"), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerRef), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerID), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableCriticalExtensionChecks, "false"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisablePathLengthChecks, "false"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameChecks, "false"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameConstraintChecks, "false"), + ), + }, + { + Config: testAccPKISecretBackendIssuer_basic(backend, + fmt.Sprintf(`issuer_name = "%s" + %s`, issuerName, config_disable_all)), + Check: resource.ComposeTestCheckFunc( + 
resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(resourceName, consts.FieldIssuerName, issuerName), + resource.TestCheckResourceAttr(resourceName, consts.FieldLeafNotAfterBehavior, "err"), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerRef), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerID), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableCriticalExtensionChecks, "true"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisablePathLengthChecks, "true"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameChecks, "true"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameConstraintChecks, "true"), + ), + }, + // confirm error case when updating issuer by sending invalid option + { + Config: testAccPKISecretBackendIssuer_basic(backend, + fmt.Sprintf(`issuer_name = "%s" + leaf_not_after_behavior = "invalid"`, issuerName)), + ExpectError: regexp.MustCompile("error updating issuer data"), + }, + // ensure JSON merge patch functions as expected. 
No overwrites + { + Config: testAccPKISecretBackendIssuer_basic(backend, + fmt.Sprintf(`issuer_name = "%s" + leaf_not_after_behavior = "truncate"`, issuerName)), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend), + resource.TestCheckResourceAttr(resourceName, consts.FieldIssuerName, issuerName), + resource.TestCheckResourceAttr(resourceName, consts.FieldLeafNotAfterBehavior, "truncate"), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerRef), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldIssuerID), + ), + }, + // ignore changes in 'usage' field since it can be returned in any order + // example, error in attribute equivalence in following + // Import returns "crl-signing,read-only,issuing-certificates" + // TF state returns "read-only,issuing-certificates,crl-signing" + testutil.GetImportTestStep(resourceName, false, nil, consts.FieldUsage), + }, + }) +} + func testAccPKISecretBackendIssuer_basic(path, extraFields string) string { return fmt.Sprintf(` resource "vault_mount" "test" {
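Review bot: `config_disable_all` in `TestAccPKISecretBackendIssuer_verify_disable_fields` is a snake_case local, which Go naming conventions (and staticcheck ST1003) flag; rename it `configDisableAll`. The step commented `ensure JSON merge patch functions as expected. No overwrites` drops the four `disable_*` fields from the configuration but asserts nothing about them, while the third step shows that omitting them resets them to `false`; an explicit `resource.TestCheckResourceAttr(resourceName, consts.FieldDisableNameChecks, "false"),` in that step would pin which way the merge patch goes for these fields. The hunk's trailing context runs into `testAccPKISecretBackendIssuer_basic`, which is unchanged.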