From 435ce67e0a66d1b80499e8544227bcca405bfcc1 Mon Sep 17 00:00:00 2001
From: Ben Hughes
Date: Tue, 26 Nov 2024 16:42:45 +0000
Subject: [PATCH] Add cn_validations property to pki_secret_backend_role (#1820)

---
 CHANGELOG.md | 1 +
 internal/consts/consts.go | 2 +-
 vault/resource_pki_secret_backend_role.go | 13 ++++++++++---
 vault/resource_pki_secret_backend_role_test.go | 7 +++++++
 website/docs/r/pki_secret_backend_role.html.md | 2 ++
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 04937f440c..547d1ac769 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ FEATURES:
 * Update `vault_database_secret_backend_connection`to support `password_authentication` for PostgreSQL, allowing to encrypt password before being passed to PostgreSQL ([#2371](https://github.com/hashicorp/terraform-provider-vault/pull/2371))
 * Add support for `external_id` field for the `vault_aws_auth_backend_sts_role` resource ([#2370](https://github.com/hashicorp/terraform-provider-vault/pull/2370))
 * Add support for ACME configuration with the `vault_pki_secret_backend_config_acme` resource. Requires Vault 1.14+ ([#2157](https://github.com/hashicorp/terraform-provider-vault/pull/2157)).
+* Update `vault_pki_secret_backend_role` to support the `cn_validations` role field ([#1820](https://github.com/hashicorp/terraform-provider-vault/pull/1820)).
 
 ## 4.5.0 (Nov 19, 2024)
 
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
index 86a56b734e..7ec79457cb 100644
--- a/internal/consts/consts.go
+++ b/internal/consts/consts.go
@@ -444,7 +444,7 @@ const (
 	FieldDefaultDirectoryPolicy = "default_directory_policy"
 	FieldDnsResolver = "dns_resolver"
 	FieldEabPolicy = "eab_policy"
-
+	FieldCnValidations = "cn_validations"
 
 	/* common environment variables */
 
diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
index 644fe2a007..a2a599403d 100644
--- a/vault/resource_pki_secret_backend_role.go
+++ b/vault/resource_pki_secret_backend_role.go
@@ -50,6 +50,7 @@ var pkiSecretListFields = []string{
 	consts.FieldAllowedSerialNumbers,
 	consts.FieldExtKeyUsage,
 	consts.FieldExtKeyUsageOIDs,
+	consts.FieldCnValidations,
 }
 
 var pkiSecretBooleanFields = []string{
@@ -423,9 +424,15 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 				Required: false,
 				Optional: true,
 				Description: "Defines allowed Subject serial numbers.",
-				Elem: &schema.Schema{
-					Type: schema.TypeString,
-				},
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
+			consts.FieldCnValidations: {
+				Type: schema.TypeList,
+				Required: false,
+				Optional: true,
+				Computed: true,
+				Description: "Specify validations to run on the Common Name field of the certificate.",
+				Elem: &schema.Schema{Type: schema.TypeString},
 			},
 			consts.FieldAllowedUserIds: {
 				Type: schema.TypeList,
diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
index 9bc15c9bac..6293a786c0 100644
--- a/vault/resource_pki_secret_backend_role_test.go
+++ b/vault/resource_pki_secret_backend_role_test.go
@@ -180,6 +180,9 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"),
 				resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"),
+				resource.TestCheckResourceAttr(resourceName, "cn_validations.#", "2"),
+				resource.TestCheckTypeSetElemAttr(resourceName, "cn_validations.*", "email"),
+				resource.TestCheckTypeSetElemAttr(resourceName, "cn_validations.*", "hostname"),
 			}
 			resource.Test(t, resource.TestCase{
 				ProviderFactories: providerFactories,
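Review bot: The new `consts.FieldCnValidations` schema entry accepts any string, while the docs hunk in this same patch restricts the field to `email`, `hostname` and `disabled`; a typo such as `hostnme` is only caught when Vault rejects the write. If the provider's SDK validates list elements, `Elem: &schema.Schema{Type: schema.TypeString, ValidateFunc: validation.StringInSlice([]string{"email", "hostname", "disabled"}, false)}` would surface that at plan time. The `Description` should also name the accepted values and make clear that `disabled` turns the Common Name checks off, e.g. `Description: "Validations to run on the Common Name field of the certificate; accepted values: email, hostname, disabled (disabled turns the checks off)."`. `Computed: true` is presumably there because Vault fills in a default when the field is omitted; with Optional+Computed, removing `cn_validations` from a configuration is expected to keep the last applied value (including `disabled`) rather than restore Vault's default, which is worth a sentence in the docs. pkiSecretBackendRoleResource starts and ends outside the hunk.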
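Review bot: The added checks in TestPkiSecretBackendRole_basic use `TestCheckTypeSetElemAttr` on `cn_validations`, which this patch declares as a TypeList; the glob check passes but does not pin element order, so a reordering by the read path would go unnoticed. If order is meant to be stable, `resource.TestCheckResourceAttr(resourceName, "cn_validations.0", "email")` and `resource.TestCheckResourceAttr(resourceName, "cn_validations.1", "hostname")` would assert it; if order is intentionally not asserted, a short comment saying so would stop the next reader from "fixing" it. The enclosing test function starts outside the hunk and continues into the later hunks of this file.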
@@ -320,6 +323,8 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"),
 				resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"),
 				resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"),
+				resource.TestCheckResourceAttr(resourceName, "cn_validations.#", "1"),
+				resource.TestCheckTypeSetElemAttr(resourceName, "cn_validations.*", "disabled"),
 			),
 		},
 		{
@@ -391,6 +396,7 @@ resource "vault_pki_secret_backend_role" "test" {
   basic_constraints_valid_for_non_ca = false
   not_before_duration = "45m"
   allowed_serial_numbers = ["*"]
+  cn_validations = ["email", "hostname"]
 }
 `, path, name, roleTTL, maxTTL, extraConfig)
 }
@@ -446,6 +452,7 @@ resource "vault_pki_secret_backend_role" "test" {
   basic_constraints_valid_for_non_ca = false
   not_before_duration = "45m"
   allowed_serial_numbers = ["*"]
+  cn_validations = ["disabled"]
 }`, path, name, policyIdentifiers)
 }
 
diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
index d25ab50d76..e7739937ce 100644
--- a/website/docs/r/pki_secret_backend_role.html.md
+++ b/website/docs/r/pki_secret_backend_role.html.md
@@ -86,6 +86,8 @@ The following arguments are supported:
 
 * `client_flag` - (Optional) Flag to specify certificates for client use
 
+* `cn_validations` - (Optional) Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+
 * `code_signing_flag` - (Optional) Flag to specify certificates for code signing use
 
 * `email_protection_flag` - (Optional) Flag to specify certificates for email protection use