Add support for PKI User ID's #1936
Conversation
|
@fairclothjm Test added for the role configuration. |
|
@czembower Thanks, I am getting the following test failure: Also, it looks like we only added test coverage for the new field in resource_pki_secret_backend_role.go but not resource_pki_secret_backend_cert.go. |
|
@fairclothjm, thank you. Is it possible that you're running the test against a non-current version of Vault? I get that error on 1.12.x, but not 1.13.0+ (when UID support was added to core). Regarding the certificate creation test, I don't see precedent in the code for extensively testing certificate creation with all optional parameters, nor do I see conditional tests based on the Vault version, as we have with the role resource. I might need some guidance here if this test is indeed required. |
|
@czembower Yes, you are correct. Sorry about that! Also, looks like I somehow force pushed to your branch. I didn't expect that since your PR is coming from a Fork. Anyway, the following patch should fix your issues. It looks like diff --git a/vault/resource_pki_secret_backend_cert.go b/vault/resource_pki_secret_backend_cert.go
index 9ef67851..c73499b5 100644
--- a/vault/resource_pki_secret_backend_cert.go
+++ b/vault/resource_pki_secret_backend_cert.go
@@ -234,7 +234,7 @@ func pkiSecretBackendCertCreate(ctx context.Context, d *schema.ResourceData, met
}
// add UID if supported
- if provider.IsAPISupported(meta, provider.VaultVersion111) {
+ if provider.IsAPISupported(meta, provider.VaultVersion113) {
if userIds, ok := d.GetOk(consts.FieldUserIds); ok {
m := util.ToStringArray(userIds.([]interface{}))
if len(m) > 0 {
diff --git a/vault/resource_pki_secret_backend_cert_test.go b/vault/resource_pki_secret_backend_cert_test.go
index 5f176eb1..d3de3f8b 100644
--- a/vault/resource_pki_secret_backend_cert_test.go
+++ b/vault/resource_pki_secret_backend_cert_test.go
@@ -81,6 +81,17 @@ func TestPkiSecretBackendCert_basic(t *testing.T) {
testPKICertRevocation(intermediatePath, store),
),
},
+ {
+ SkipFunc: func() (bool, error) {
+ meta := testProvider.Meta().(*provider.ProviderMeta)
+ return !meta.IsAPISupported(provider.VaultVersion113), nil
+ },
+ Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, false),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "user_ids.0", "foo"),
+ resource.TestCheckResourceAttr(resourceName, "user_ids.1", "bar"),
+ ),
+ },
},
})
}
@@ -149,6 +160,7 @@ resource "vault_pki_secret_backend_role" "test" {
allowed_domains = ["test.my.domain"]
allow_subdomains = true
allowed_uri_sans = ["spiffe://test.my.domain"]
+ allowed_user_ids = ["foo", "bar"]
max_ttl = "3600"
key_usage = ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]
}
@@ -162,6 +174,7 @@ resource "vault_pki_secret_backend_cert" "test" {
name = vault_pki_secret_backend_role.test.name
common_name = "cert.test.my.domain"
uri_sans = ["spiffe://test.my.domain"]
+ user_ids = ["foo", "bar"]
ttl = "720h"
min_seconds_remaining = 60
revoke = %t
diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
index e6468858..50e21bea 100644
--- a/vault/resource_pki_secret_backend_role.go
+++ b/vault/resource_pki_secret_backend_role.go
@@ -487,7 +487,7 @@ func pkiSecretBackendRoleCreate(ctx context.Context, d *schema.ResourceData, met
}
}
- if provider.IsAPISupported(meta, provider.VaultVersion111) {
+ if provider.IsAPISupported(meta, provider.VaultVersion113) {
if allowedUserIds, ok := d.GetOk(consts.FieldAllowedUserIds); ok {
ifcList := allowedUserIds.([]interface{})
list := make([]string, 0, len(ifcList))
diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
index af968571..daf8581a 100644
--- a/vault/resource_pki_secret_backend_role_test.go
+++ b/vault/resource_pki_secret_backend_role_test.go
@@ -253,7 +253,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
{
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
- return !meta.IsAPISupported(provider.VaultVersion111), nil
+ return !meta.IsAPISupported(provider.VaultVersion113), nil
},
Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, `allowed_user_ids = ["test"]`),
Check: resource.TestCheckResourceAttr(resourceName, "allowed_user_ids.0", "test"),
|
|
@fairclothjm Whoops, updated to 1.13 for the API check. Thank you for that! |
|
@czembower Thanks! That diff I included above also has a test for |
|
@fairclothjm thanks for this. I'm worried that adding the UID params to the terraform resources in the cert test also needs to be conditional based on the API version, right? Wouldn't we need to add a What do you recommend? |
|
Assuming the source code is correctly guarding those fields, then the Vault version checks should make sure those are ignored. I just ran your branch against 1.12.2 and added a print: |
|
Most recent build from a duplicate branch: https://github.com/hashicorp/terraform-provider-vault/actions/runs/5672094453 ✅ |
|
@czembower I forgot to ask that you update the changelog. Something like: diff --git a/CHANGELOG.md b/CHANGELOG.md
index f125236e..c3e6a376 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Unreleased
+FEATURES:
+* Add support for User ID configuration for PKI Secrets Engine: ([#1936](https://github.com/hashicorp/terraform-provider-vault/pull/1936))
+
## 3.18.0 (Jul 12, 2023)
FEATURES:
* Add support to set default issuers configuration for PKI Secrets Engine: ([#1937](https://github.com/hashicorp/terraform-provider-vault/pull/1937))
|
Co-authored-by: Mason-776 <mh776f@att.com>
Updates vault_pki_secret_backend_role and vault_pki_secret_backend_cert resources to support User ID feature available in Vault 1.13. This PR replaces a previous version (now closed) that required extensive rebasing.
Community Note