Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Support allowed_domains_template on ssh_secret_backend_role. Fixes hashicorp#1675 #1676

Merged
merged 2 commits into from
May 30, 2023
Merged

Support allowed_domains_template on ssh_secret_backend_role. Fixes hashicorp#1675 #1676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
867820f
Support allowed_domains_template on ssh_secret_backend_role. Fixes ha…
laugmanuel Nov 23, 2022
5997071
Update website/docs/r/ssh_secret_backend_role.html.md
laugmanuel May 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 13 additions & 7 deletions vault/resource_ssh_secret_backend_role.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,11 @@ func sshSecretBackendRoleResource() *schema.Resource {
Type: schema.TypeString,
Optional: true,
},
"allowed_domains_template": {
Type: schema.TypeBool,
Optional: true,
Computed: true,
},
"allowed_domains": {
Type: schema.TypeString,
Optional: true,
Expand Down Expand Up @@ -203,12 +208,13 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
path := sshRoleResourcePath(backend, name)

data := map[string]interface{}{
"key_type": d.Get("key_type").(string),
"allow_bare_domains": d.Get("allow_bare_domains").(bool),
"allow_host_certificates": d.Get("allow_host_certificates").(bool),
"allow_subdomains": d.Get("allow_subdomains").(bool),
"allow_user_certificates": d.Get("allow_user_certificates").(bool),
"allow_user_key_ids": d.Get("allow_user_key_ids").(bool),
"key_type": d.Get("key_type").(string),
"allow_bare_domains": d.Get("allow_bare_domains").(bool),
"allow_host_certificates": d.Get("allow_host_certificates").(bool),
"allow_subdomains": d.Get("allow_subdomains").(bool),
"allow_user_certificates": d.Get("allow_user_certificates").(bool),
"allow_user_key_ids": d.Get("allow_user_key_ids").(bool),
"allowed_domains_template": d.Get("allowed_domains_template").(bool),
}

if v, ok := d.GetOk("allowed_critical_options"); ok {
Expand Down Expand Up @@ -360,7 +366,7 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
fields := []string{
"key_type", "allow_bare_domains", "allow_host_certificates",
"allow_subdomains", "allow_user_certificates", "allow_user_key_ids",
"allowed_critical_options", "allowed_domains",
"allowed_critical_options", "allowed_domains_template", "allowed_domains",
"cidr_list", "allowed_extensions", "default_extensions",
"default_critical_options", "allowed_users_template",
"allowed_users", "default_user", "key_id_format",
Expand Down
3 changes: 3 additions & 0 deletions vault/resource_ssh_secret_backend_role_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "allow_user_certificates", "true"),
resource.TestCheckResourceAttr(resourceName, "allow_user_key_ids", "false"),
resource.TestCheckResourceAttr(resourceName, "allowed_critical_options", ""),
resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "false"),
resource.TestCheckResourceAttr(resourceName, "allowed_domains", ""),
resource.TestCheckResourceAttr(resourceName, "allowed_extensions", ""),
resource.TestCheckResourceAttr(resourceName, "default_extensions.%", "0"),
Expand All @@ -54,6 +55,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "allow_user_certificates", "false"),
resource.TestCheckResourceAttr(resourceName, "allow_user_key_ids", "true"),
resource.TestCheckResourceAttr(resourceName, "allowed_critical_options", "foo,bar"),
resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "true"),
resource.TestCheckResourceAttr(resourceName, "allowed_domains", "example.com,foo.com"),
resource.TestCheckResourceAttr(resourceName, "allowed_extensions", "ext1,ext2"),
resource.TestCheckResourceAttr(resourceName, "default_extensions.ext1", ""),
Expand Down Expand Up @@ -215,6 +217,7 @@ resource "vault_ssh_secret_backend_role" "test_role" {
allow_user_certificates = false
allow_user_key_ids = true
allowed_critical_options = "foo,bar"
allowed_domains_template = true
allowed_domains = "example.com,foo.com"
allowed_extensions = "ext1,ext2"
default_extensions = { "ext1" = "" }
Expand Down
3 changes: 3 additions & 0 deletions website/docs/r/ssh_secret_backend_role.html.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ The following arguments are supported:

* `allowed_critical_options` - (Optional) Specifies a comma-separated list of critical options that certificates can have when signed.

* `allowed_domains_template` - (Optional) Specifies if `allowed_domains` can be declared using
identity template policies. Non-templated domains are also permitted.

* `allowed_domains` - (Optional) The list of domains for which a client can request a host certificate.

* `cidr_list` - (Optional) The comma-separated string of CIDR blocks for which this role is applicable.
Expand Down