Fix creation of vault_pki_secret_backend_root_sign_intermediate resource with zero path length

[vaerh]

Description

When filling the data map, values are incorrectly evaluated using the GetOk function, so zero integer values are discarded. For this reason it is not possible to set the max_path_length = 0 restriction for a certificate.

Checklist

• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestPkiSecretBackendRootSignIntermediate*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestPkiSecretBackendRootSignIntermediate* -timeout 30m ./...
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/consts   [no test files]
ok      github.com/hashicorp/terraform-provider-vault/codegen   (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/internal/identity/entity  (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/mfa     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/group   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/pki      [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/sync     [no test files]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/provider (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/util/mountutil    [no test files]
ok      github.com/hashicorp/terraform-provider-vault/testutil  (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/vault     48.623s
...

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

[hashicorp-cla-app]

All committers have signed the CLA.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[rismalrv]

+1

[rismalrv]

sorry to bother, any timeline it get merge?

[stevendpclark]

Hi @vaerh, would you mind signing the CLA? I'm not exactly sure what is going on as there are conflicting messages in this PR, perhaps the email used on the commit didn't match the Github user (just a guess)?

[vaerh]

I was surprised by two posts myself. I signed the CLA back in May when I created the PR. I have two email addresses in my profile and will check a little later to see what's going on.

[stevendpclark]

Thanks @vaerh! If possible could you look into adding a test case for the field so we protect against further regressions? If time is an issue, please let me know and I can look into it.

[vaerh]

No problem. It'll take a little time

[vaerh]

@stevendpclark Completed.

[stevendpclark]

Hey @vaerh,

Thanks for adding the test! I've spotted a few issues in the test that was added

• Currently the test fails TestPkiSecretBackendRootSignIntermediate_basic_der as the certificate is not PEM encoded but a base64 encoded der
• I believe the reflect.DeepEqual needs to be negated but it is also comparing a string and an int which I don't believe will ever work.
• I just noticed that we have the same issue of max_path_length within vault_pki_secret_backend_root_cert
• We are missing a changelog entry for this bug.

That was a lot of different feedback, if you wish I've codified it all within this gist as a patch. I didn't feel comfortable pushing this to your main branch on this PR so feel free to apply it.

Thanks again!

[vaerh]

I apologize for my inattention here. I'll fix it!
I suggest not to create a new PR and solve the problem in this one...

[vaerh]

@stevendpclark Thank you very much for your help!

A little offtopic, do you know if there are any plans to add the ability to change keyUsage for root and intermediate certificates?

[stevendpclark]

Hey @vaerh,

Thanks for fixing that up, there seems to be a conflict on the changelog file, would you mind fixing that up and I can merge this in.

A little offtopic, do you know if there are any plans to add the ability to change keyUsage for root and intermediate certificates?

If you are referring to Vault itself, I believe you can now do that on 1.18.x. If it is in regard to syncing up that functionality within TFVP it's on the to do list but I'd be happy to review any submission if you'd be interested in contributing.

[stevendpclark]

Thanks @vaerh for the contribution!

[vaerh]

You're welcome, it was a pleasure working with you!

Some time ago I needed to create a PKI specifying keyUsage, but the existing TFVP option didn't work as expected and diving into the Vault code I couldn't find any parameters that could be affected.
I'll have to look again to see what has changed recently.