Add ACME support for PKI resource #1947

Closed
igor-nikiforov opened this issue Jul 18, 2023 · 7 comments

Comments

@igor-nikiforov

Starting from Vault 1.14, support for the ACME protocol has been added - https://www.hashicorp.com/blog/vault-1-14-brings-acme-for-pki-aws-roles-and-more-improvements

It would be great to have support for the following resources, to be able to configure ACME from Terraform:

@Viper61
Contributor

Viper61 commented Jul 22, 2023

Hi there,

We were looking for this too.
A PR was opened to add cluster configuration as a first step.

I'll try to get the ACME configuration up too.
There is one part I haven't looked at yet, and have doubts.
It's about the headers' configuration and how this part should be handled by the provider.

```shell
vault secrets tune \
      -passthrough-request-headers=If-Modified-Since \
      -allowed-response-headers=Last-Modified \
      -allowed-response-headers=Location \
      -allowed-response-headers=Replay-Nonce \
      -allowed-response-headers=Link \
      pki_int
```

@jeffsanicola
Contributor

I think the enable_templating option is also missing from vault_pki_secret_backend_config_urls based on the instructions in the tutorial.

@igor-nikiforov
Author

I was able to set up ACME + cluster configuration using the vault_generic_endpoint resource as a temporary workaround. But unfortunately this resource does not support the POST method, which is required by the acme/new-eab endpoint. So for now there is no way to automate EAB token creation using only bare TF resources.

@fairclothjm just wondering is there any ETA for full ACME support in Vault provider? Thanks.

@fairclothjm
Contributor

@igor-nikiforov Hello, unfortunately we don't have an ETA for full ACME support. We will update this issue once we get an update.

@Viper61
Contributor

Viper61 commented Feb 26, 2024

Based on what I learned with previous PRs, I attempted to add a full ACME configuration resource.
@fairclothjm Can you have a look at it, please?

On the tune side, I understand from the doc that it can be read/written to the sys/mounts/<name>/tune endpoint.
From there, I was thinking about adding a tune option to getMountSchema.

However, I noticed a couple of implementations already in place. For authentication resources, there is an authMountTuneSchema.
Some others are there as part of the backend, like resource_ad_secret_backend or resource_nomad_secret_backend.

Should we do the same thing and add it as part of resource_pki_secret_backend_config_acme?

@stevendpclark
Contributor

Oops I meant to update this ticket and must have forgotten to post.

> Should we do the same thing and add it as part of resource_pki_secret_backend_config_acme?

No, the required passthrough and response header fields have been added to the vault_mount resource since this was created. We shouldn't have two resource types managing the same properties.

I believe with #2157 now merged (thanks again @Viper61!), the only remaining item left on the todo list is EAB token generation, which is pending review within #2367.

@stevendpclark
Contributor

Closing out this request, as all the associated resources for PKI ACME have been merged and successfully tested with the following Terraform script. Thanks everyone for your contributions on getting this feature into the Vault provider!

```hcl
resource "vault_mount" "test" {
  path        = "pki"
  type        = "pki"
  description = "PKI secret engine mount"
  passthrough_request_headers = [
    "If-Modified-Since"
  ]
  allowed_response_headers = [
    "Last-Modified",
    "Location",
    "Replay-Nonce",
    "Link"
  ]
}

resource "vault_pki_secret_backend_role" "test" {
  backend          = vault_mount.test.path
  name             = "test-role"
  allowed_domains  = ["local"]
  allow_subdomains = true
  key_type         = "any"
}

resource "vault_pki_secret_backend_root_cert" "test" {
  backend     = vault_mount.test.path
  type        = "internal"
  common_name = "test"
  ttl         = "86400"
  issuer_name = "test-issuer"
}

resource "vault_pki_secret_backend_config_cluster" "pki_config_cluster" {
  backend  = vault_mount.test.path
  path     = "http://127.0.0.1:8200/v1/pki"
  aia_path = "http://127.0.0.1:8200/v1/pki"
}

resource "vault_pki_secret_backend_config_acme" "pki_config_acme" {
  backend                  = vault_mount.test.path
  enabled                  = true
  allowed_issuers          = [vault_pki_secret_backend_root_cert.test.issuer_name]
  allowed_roles            = [vault_pki_secret_backend_role.test.name]
  allow_role_ext_key_usage = true
  default_directory_policy = format("role:%s", vault_pki_secret_backend_role.test.name)
  eab_policy               = "always-required"
}

resource "vault_pki_secret_backend_acme_eab" "test" {
  depends_on = [vault_pki_secret_backend_config_acme.pki_config_acme]
  backend    = vault_mount.test.path
}
```
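A post-apply check that ties together the mount tune headers from the `vault secrets tune` command earlier in the thread and the ACME settings in the script above. This is an added example, not code from the issue or the provider; it assumes the JSON shape of `vault read -format=json sys/mounts/pki/tune` and `pki/config/acme` (a `data` object with the field names used by the Terraform resources), and the sample documents are constructed.

```python
"""Verify a Vault PKI mount is tuned for ACME and its ACME config is locked down.

Added example (not from the issue). Input documents mimic the `data` object of
`vault read -format=json sys/mounts/pki/tune` and `pki/config/acme`; field names
are assumed to match the ones the vault_mount / config_acme resources manage.
"""
import json

# Headers the ACME protocol needs, as listed in the thread's `vault secrets tune` call.
# Vault lists them in canonical form, so compare exactly rather than case-insensitively.
REQUIRED_PASSTHROUGH = {"If-Modified-Since"}
REQUIRED_RESPONSE = {"Last-Modified", "Location", "Replay-Nonce", "Link"}


def check_mount_tune(tune: dict) -> list[str]:
    """Return the problems found in a sys/mounts/<path>/tune response (empty list = OK)."""
    data = tune.get("data", tune)
    problems = []
    have_pass = set(data.get("passthrough_request_headers") or [])
    have_resp = set(data.get("allowed_response_headers") or [])
    for h in sorted(REQUIRED_PASSTHROUGH - have_pass):
        problems.append(f"missing passthrough_request_headers entry: {h}")
    for h in sorted(REQUIRED_RESPONSE - have_resp):
        problems.append(f"missing allowed_response_headers entry: {h}")
    return problems


def check_acme_config(cfg: dict) -> list[str]:
    """Return problems in a pki/config/acme response: ACME on, EAB always required, role pinned."""
    data = cfg.get("data", cfg)
    problems = []
    if not data.get("enabled"):
        problems.append("ACME is not enabled on this mount")
    # always-required means no ACME account can be created without an EAB token.
    if data.get("eab_policy") != "always-required":
        problems.append(f"eab_policy is {data.get('eab_policy')!r}, expected 'always-required'")
    policy = data.get("default_directory_policy", "")
    if not policy.startswith("role:"):
        problems.append(f"default_directory_policy {policy!r} does not pin a role")
    return problems


# Constructed samples: a mount missing Replay-Nonce, and an ACME config with a weaker EAB policy.
SAMPLE_TUNE = json.loads('{"data": {"passthrough_request_headers": ["If-Modified-Since"], '
                         '"allowed_response_headers": ["Last-Modified", "Location", "Link"]}}')
SAMPLE_ACME = json.loads('{"data": {"enabled": true, "eab_policy": "not-required", '
                         '"default_directory_policy": "role:test-role"}}')

if __name__ == "__main__":
    for p in check_mount_tune(SAMPLE_TUNE) + check_acme_config(SAMPLE_ACME):
        print("FAIL:", p)
```

Feed the two `vault read -format=json` outputs to the two functions to confirm the applied state matches the script rather than trusting a green `terraform apply` alone.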
