hashicorp#2410: add max_ttl to pki acme config

CHANGELOG.md

@@ -8,6 +8,7 @@ FEATURES:
 * Add support for signature_bits field to `vault_pki_secret_backend_role`, `vault_pki_secret_backend_root_cert`, `vault_pki_secret_backend_root_sign_intermediate` and `vault_pki_secret_backend_intermediate_cert_request` ([#2401])(https://github.com/hashicorp/terraform-provider-vault/pull/2401)
 * Add support for key_usage and serial_number to `vault_pki_secret_backend_intermediate_cert_request` ([#2404])(https://github.com/hashicorp/terraform-provider-vault/pull/2404)
 * Add support for `skip_import_rotation` in `vault_database_secret_backend_static_role`. Requires Vault Enterprise 1.18.5+ ([#2386](https://github.com/hashicorp/terraform-provider-vault/pull/2386)).
+* Update `vault_pki_secret_backend_config_acme` to support the `max_ttl` field. [#](ttps://github.com/hashicorp/terraform-provider-vault/pull/)
 
 BUGS:
 

vault/resource_pki_secret_backend_config_acme.go

@@ -27,6 +27,7 @@ var (
 		consts.FieldAllowedIssuers,
 		consts.FieldEabPolicy,
 		consts.FieldDnsResolver,
+		consts.FieldMaxTTL,
 	}
 )
 
@@ -97,6 +98,11 @@ func pkiSecretBackendConfigACMEResource() *schema.Resource {
 				Description: "DNS resolver to use for domain resolution on this mount. " +
 					"Must be in the format <host>:<port>, with both parts mandatory.",
 			},
+			consts.FieldMaxTTL: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies the maximum TTL for certificates issued by ACME.",
+			},
 		},
 	}
 }

vault/resource_pki_secret_backend_config_acme_test.go

@@ -29,7 +29,7 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 		CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypePKI, consts.FieldBackend),
 		Steps: []resource.TestStep{
 			{
-				Config: testPkiSecretBackendConfigACME(backend, "sign-verbatim", "*", "*", "not-required", "",
+				Config: testPkiSecretBackendConfigACME(backend, "sign-verbatim", "*", "*", "not-required", "", "90d",
 					false, false),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend),
@@ -39,11 +39,12 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, consts.FieldAllowedIssuers+".0", "*"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldEabPolicy, "not-required"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldDnsResolver, ""),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "90d"),
 				),
 			},
 			{
 				Config: testPkiSecretBackendConfigACME(backend, "forbid", "test", "*", "new-account-required",
-					"1.1.1.1:8443", true, false),
+					"1.1.1.1:8443", "30d", true, false),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldEnabled, "true"),
@@ -52,10 +53,11 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, consts.FieldAllowedIssuers+".0", "*"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldEabPolicy, "new-account-required"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldDnsResolver, "1.1.1.1:8443"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "30d"),
 				),
 			},
 			{
-				Config: testPkiSecretBackendConfigACME(backend, "role:test", "*", "*", "always-required", "",
+				Config: testPkiSecretBackendConfigACME(backend, "role:test", "*", "*", "always-required", "", "1h",
 					true, true),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend),
@@ -66,6 +68,7 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, consts.FieldAllowedIssuers+".0", "*"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldEabPolicy, "always-required"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldDnsResolver, ""),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "1h"),
 				),
 			},
 			testutil.GetImportTestStep(resourceName, false, nil),
@@ -74,7 +77,7 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 }
 
 func testPkiSecretBackendConfigACME(path, default_directory_policy, allowed_roles, allowed_issuers,
-	eab_policy, dns_resolver string, enabled, allow_role_ext_key_usage bool) string {
+	eab_policy, dns_resolver, max_ttl string, enabled, allow_role_ext_key_usage bool) string {
 	return fmt.Sprintf(`
 resource "vault_mount" "test" {
   path = "%s"
@@ -108,6 +111,7 @@ resource "vault_pki_secret_backend_config_acme" "test" {
   default_directory_policy = "%s"
   dns_resolver             = "%s"
   eab_policy               = "%s"
+  max_ttl                  = "%s"
 }`, path, enabled, allowed_issuers, allowed_roles, allow_role_ext_key_usage,
-		default_directory_policy, dns_resolver, eab_policy)
+		default_directory_policy, dns_resolver, eab_policy, max_ttl)
 }

website/docs/r/pki_secret_backend_config_acme.html.md

@@ -66,6 +66,8 @@ The following arguments are supported:
 * `eab_policy` - (Optional) Specifies the policy to use for external account binding behaviour.
   Allowed values are `not-required`, `new-account-required` or `always-required`.
 
+* `max_ttl` - (Optional) The maximum TTL for certificates issued by ACME.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.