[Enhancement]: support not_after on vault_pki_secret_backend_root_sign_intermediate #1991
Open
Description
`not_after` argument is not supported on the vault_pki_secret_backend_root_sign_intermediate resource. This is a valid argument according to the Vault PKI API.
Although `ttl` argument can be used, it is impossible to use that to set Y10K as a "not valid after" value.
From Vault PKI 'root/sign-intermediate' API:

> Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z
Affected Resource(s) and/or Data Source(s)
- vault_pki_secret_backend_root_sign_intermediate
Potential Terraform Configuration
```hcl
resource "vault_pki_secret_backend_root_sign_intermediate" "int" {
  backend     = "pki"
  csr         = vault_pki_secret_backend_intermediate_cert_request.int.csr
  common_name = "My Intermediate"
  # Requested argument: fixed Not After date (here the Y10K end date)
  not_after   = "9999-12-31T23:59:59Z"
}
```
References
- pki/root/sign-intermediate API spec: https://developer.hashicorp.com/vault/api-docs/secret/pki#not_after-2
- PKI - Add missing parameters in some resources #1510 mentioned this, although not_after argument was not implemented
Would you like to implement a fix?
No