Add cn_validations property to pki_secret_backend_role

hashicorp · Aug 3, 2023 · e60abfa · e60abfa
1 parent 67b1e2b
commit e60abfa
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -352,6 +352,7 @@ const (
 	FieldCredentialType                = "credential_type"
 	FieldFilename                      = "filename"
 	FieldDefault                       = "default"
+	FieldCnValidations                 = "cn_validations"
 	/*
 		common environment variables
 	*/

diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
@@ -50,6 +50,7 @@ var pkiSecretListFields = []string{
 	consts.FieldAllowedSerialNumbers,
 	consts.FieldExtKeyUsage,
 	consts.FieldKeyUsage,
+	consts.FieldCnValidations,
 }
 
 var pkiSecretBooleanFields = []string{
@@ -414,9 +415,15 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 				Required:    false,
 				Optional:    true,
 				Description: "Defines allowed Subject serial numbers.",
-				Elem: &schema.Schema{
-					Type: schema.TypeString,
-				},
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			consts.FieldCnValidations: {
+				Type:        schema.TypeList,
+				Required:    false,
+				Optional:    true,
+				Computed:    true,
+				Description: "Specify validations to run on the Common Name field of the certificate.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
 			consts.FieldAllowedUserIds: {
 				Type:        schema.TypeList,

diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
@@ -371,6 +371,7 @@ resource "vault_pki_secret_backend_role" "test" {
   basic_constraints_valid_for_non_ca = false
   not_before_duration                = "45m"
   allowed_serial_numbers             = ["*"]
+  cn_validations					 = ["email", "hostname"]
 }
 `, path, name, roleTTL, maxTTL, extraConfig)
 }
@@ -425,6 +426,7 @@ resource "vault_pki_secret_backend_role" "test" {
   basic_constraints_valid_for_non_ca = false
   not_before_duration = "45m"
   allowed_serial_numbers = ["*"]
+  cn_validations = ["disabled"]
 }`, path, name, policyIdentifiers)
 }
 

diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
@@ -86,6 +86,8 @@ The following arguments are supported:
 
 * `client_flag` - (Optional) Flag to specify certificates for client use
 
+* `cn_validations` - (Optional) Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`
+
 * `code_signing_flag` - (Optional) Flag to specify certificates for code signing use
 
 * `email_protection_flag` - (Optional) Flag to specify certificates for email protection use