Add cn_validations property to pki_secret_backend_role

hashicorp · May 16, 2023 · 8ed1156 · 8ed1156
1 parent 4346ded
commit 8ed1156
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 4 deletions.
diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
@@ -344,9 +344,15 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 				Required:    false,
 				Optional:    true,
 				Description: "Defines allowed Subject serial numbers.",
-				Elem: &schema.Schema{
-					Type: schema.TypeString,
-				},
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"cn_validations": {
+				Type:        schema.TypeList,
+				Required:    false,
+				Optional:    true,
+				Computed:    true,
+				Description: "Specify validations to run on the Common Name field of the certificate.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
 		},
 	}
@@ -393,6 +399,12 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 		allowedSerialNumbers = append(allowedSerialNumbers, iSerialNumber.(string))
 	}
 
+	iCnValidations := d.Get("cn_validations").([]interface{})
+	cnValidations := make([]string, 0, len(iCnValidations))
+	for _, iCnValidation := range iCnValidations {
+		cnValidations = append(cnValidations, iCnValidation.(string))
+	}
+
 	data := map[string]interface{}{
 		"ttl":                                d.Get("ttl"),
 		"max_ttl":                            d.Get("max_ttl"),
@@ -450,6 +462,10 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 		data["allowed_serial_numbers"] = allowedSerialNumbers
 	}
 
+	if len(cnValidations) > 0 {
+		data["cn_validations"] = cnValidations
+	}
+
 	log.Printf("[DEBUG] Creating role %s on PKI secret backend %q", name, backend)
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
@@ -580,6 +596,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("basic_constraints_valid_for_non_ca", secret.Data["basic_constraints_valid_for_non_ca"])
 	d.Set("not_before_duration", notBeforeDuration)
 	d.Set("allowed_serial_numbers", allowedSerialNumbers)
+	d.Set("cn_validations", secret.Data["cn_validations"])
 
 	return nil
 }
@@ -617,6 +634,12 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 		allowedSerialNumbers = append(allowedSerialNumbers, iSerialNumber.(string))
 	}
 
+	iCnValidations := d.Get("cn_validations").([]interface{})
+	cnValidations := make([]string, 0, len(iCnValidations))
+	for _, iCnValidation := range iCnValidations {
+		cnValidations = append(cnValidations, iCnValidation.(string))
+	}
+
 	data := map[string]interface{}{
 		"ttl":                                d.Get("ttl"),
 		"max_ttl":                            d.Get("max_ttl"),
@@ -650,6 +673,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 		"require_cn":                         d.Get("require_cn"),
 		"basic_constraints_valid_for_non_ca": d.Get("basic_constraints_valid_for_non_ca"),
 		"not_before_duration":                d.Get("not_before_duration"),
+		"cn_validations":                     d.Get("cn_validations"),
 	}
 
 	if len(allowedDomains) > 0 {
@@ -674,6 +698,10 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 		data["allowed_serial_numbers"] = allowedSerialNumbers
 	}
 
+	if len(cnValidations) > 0 {
+		data["cn_validations"] = cnValidations
+	}
+
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
 		return fmt.Errorf("error updating PKI secret backend role %q: %s", path, err)

diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
@@ -326,6 +326,7 @@ resource "vault_pki_secret_backend_role" "test" {
   basic_constraints_valid_for_non_ca = false
   not_before_duration                = "45m"
   allowed_serial_numbers             = ["*"]
+  cn_validations					 = ["email", "hostname"]
 }
 `, path, name, roleTTL, maxTTL, policyIdentifiers)
 }
@@ -378,6 +379,7 @@ resource "vault_pki_secret_backend_role" "test" {
   basic_constraints_valid_for_non_ca = false
   not_before_duration = "45m"
   allowed_serial_numbers = ["*"]
+  cn_validations = ["disabled"]
 }`, path, name, policyIdentifiers)
 }
 

diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
@@ -75,11 +75,13 @@ The following arguments are supported:
 
 * `client_flag` - (Optional) Flag to specify certificates for client use
 
+*  `cn_validations` - (Optional) Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+
 * `code_signing_flag` - (Optional) Flag to specify certificates for code signing use
 
 * `email_protection_flag` - (Optional) Flag to specify certificates for email protection use
 
-* `key_type` - (Optional) The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`  
+* `key_type` - (Optional) The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
   Defaults to `rsa`
 
 * `key_bits` - (Optional) The number of bits of generated keys