diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7195aff62..f4e7e476a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ FEATURES:
 * Add support for signature_bits field to `vault_pki_secret_backend_role`, `vault_pki_secret_backend_root_cert`, `vault_pki_secret_backend_root_sign_intermediate` and `vault_pki_secret_backend_intermediate_cert_request` ([#2401])(https://github.com/hashicorp/terraform-provider-vault/pull/2401)
 * Add support for key_usage and serial_number to `vault_pki_secret_backend_intermediate_cert_request` ([#2404])(https://github.com/hashicorp/terraform-provider-vault/pull/2404)
 * Add support for `skip_import_rotation` in `vault_database_secret_backend_static_role`. Requires Vault Enterprise 1.18.5+ ([#2386](https://github.com/hashicorp/terraform-provider-vault/pull/2386)).
+* Update `vault_pki_secret_backend_config_acme` to support the `max_ttl` field. [#](ttps://github.com/hashicorp/terraform-provider-vault/pull/)
 BUGS:
diff --git a/vault/resource_pki_secret_backend_config_acme.go b/vault/resource_pki_secret_backend_config_acme.go
index a72e11467..704e3fa58 100644
--- a/vault/resource_pki_secret_backend_config_acme.go
+++ b/vault/resource_pki_secret_backend_config_acme.go
@@ -27,6 +27,7 @@ var (
 consts.FieldAllowedIssuers,
 consts.FieldEabPolicy,
 consts.FieldDnsResolver,
+ consts.FieldMaxTTL,
 }
 )
@@ -97,6 +98,11 @@ func pkiSecretBackendConfigACMEResource() *schema.Resource {
 Description: "DNS resolver to use for domain resolution on this mount. " +
 "Must be in the format :, with both parts mandatory.",
 },
+ consts.FieldMaxTTL: {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Specifies the maximum TTL for certificates issued by ACME.",
+ },
 },
 }
 }
diff --git a/vault/resource_pki_secret_backend_config_acme_test.go b/vault/resource_pki_secret_backend_config_acme_test.go
index b646f4ed9..177f48744 100644
--- a/vault/resource_pki_secret_backend_config_acme_test.go
+++ b/vault/resource_pki_secret_backend_config_acme_test.go
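Review bot: The `max_ttl` schema entry in the second resource hunk is `Optional` without `Computed` and has no validator, so if this resource's read path writes back every field in the list extended by the first hunk (the list looks like it drives read/write, but the hunk does not show that), an operator who omits `max_ttl` will have whatever Vault reports back — presumably a server-side default — written into state and a perpetual diff against the empty config value; `Computed: true` alongside `Optional: true` would absorb that. The description also says nothing about the value format or why one would set it, which matters because this knob caps the lifetime of ACME-issued certificates; suggest `Description: "Maximum TTL for certificates issued via ACME, as a duration string (for example \"90d\"). Setting it caps the lifetime of ACME-issued certificates; the provider does not validate the value.",`. The enclosing `pkiSecretBackendConfigACMEResource` starts before the second hunk and the `var` block starts before the first.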
@@ -29,7 +29,7 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypePKI, consts.FieldBackend),
 Steps: []resource.TestStep{
 {
- Config: testPkiSecretBackendConfigACME(backend, "sign-verbatim", "*", "*", "not-required", "",
+ Config: testPkiSecretBackendConfigACME(backend, "sign-verbatim", "*", "*", "not-required", "", "90d",
 false, false),
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend),
@@ -39,11 +39,12 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, consts.FieldAllowedIssuers+".0", "*"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldEabPolicy, "not-required"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldDnsResolver, ""),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "90d"),
 ),
 },
 {
 Config: testPkiSecretBackendConfigACME(backend, "forbid", "test", "*", "new-account-required",
- "1.1.1.1:8443", true, false),
+ "1.1.1.1:8443", "30d", true, false),
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend),
 resource.TestCheckResourceAttr(resourceName, consts.FieldEnabled, "true"),
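Review bot: The new `TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "90d")` check in the second hunk pins the state value to the literal the config passed in, which only holds if the provider stores the configured string rather than the value Vault returns on read; if the read path echoes Vault's representation of the duration (which may be normalized, e.g. to seconds), this check and the later import step will disagree with the config. If that is the case the expected value should be whatever Vault reports, or the read should keep the user's string when the two parse to the same duration. The `TestPkiSecretBackendConfigACME_basic` function starts before the first hunk and continues past the second.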
@@ -52,10 +53,11 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, consts.FieldAllowedIssuers+".0", "*"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldEabPolicy, "new-account-required"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldDnsResolver, "1.1.1.1:8443"),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "30d"),
 ),
 },
 {
- Config: testPkiSecretBackendConfigACME(backend, "role:test", "*", "*", "always-required", "",
+ Config: testPkiSecretBackendConfigACME(backend, "role:test", "*", "*", "always-required", "", "1h",
 true, true),
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(resourceName, consts.FieldBackend, backend),
@@ -66,6 +68,7 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, consts.FieldAllowedIssuers+".0", "*"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldEabPolicy, "always-required"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldDnsResolver, ""),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldMaxTTL, "1h"),
 ),
 },
 testutil.GetImportTestStep(resourceName, false, nil),
@@ -74,7 +77,7 @@ func TestPkiSecretBackendConfigACME_basic(t *testing.T) {
 }
 func testPkiSecretBackendConfigACME(path, default_directory_policy, allowed_roles, allowed_issuers,
- eab_policy, dns_resolver string, enabled, allow_role_ext_key_usage bool) string {
+ eab_policy, dns_resolver, max_ttl string, enabled, allow_role_ext_key_usage bool) string {
 return fmt.Sprintf(`
 resource "vault_mount" "test" {
 path = "%s"
@@ -108,6 +111,7 @@ resource "vault_pki_secret_backend_config_acme" "test" {
 default_directory_policy = "%s"
 dns_resolver = "%s"
 eab_policy = "%s"
+ max_ttl = "%s"
 }`, path, enabled, allowed_issuers, allowed_roles, allow_role_ext_key_usage,
- default_directory_policy, dns_resolver, eab_policy)
+ default_directory_policy, dns_resolver, eab_policy, max_ttl)
 }
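Review bot: `testPkiSecretBackendConfigACME` now unconditionally renders `max_ttl = "%s"` (last hunk), so every step sets the attribute and none covers a config that omits it — the path users with pre-existing state will take on upgrade, and the one where an `Optional` field without `Computed` most often shows a perpetual diff against whatever Vault reports back. Rendering the line only when the caller supplies a value lets an extra step pass `""` and assert the attribute after apply (the expected value depends on what Vault returns for an unset `max_ttl`, which this diff does not show), with the existing `testutil.GetImportTestStep` then also covering import of that state. The helper's body continues between the `@@ -74` and `@@ -108` hunks.
```go
func testPkiSecretBackendConfigACME(path, default_directory_policy, allowed_roles, allowed_issuers,
	eab_policy, dns_resolver, max_ttl string, enabled, allow_role_ext_key_usage bool) string {
	// Render max_ttl only when provided so a step can exercise the attribute-omitted path.
	maxTTLLine := ""
	if max_ttl != "" {
		maxTTLLine = fmt.Sprintf("  max_ttl = %q", max_ttl)
	}
	// … unchanged: fmt.Sprintf template up to eab_policy, with "%s" on its own line replacing max_ttl = "%s" …
		default_directory_policy, dns_resolver, eab_policy, maxTTLLine)
}
```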
diff --git a/website/docs/r/pki_secret_backend_config_acme.html.md b/website/docs/r/pki_secret_backend_config_acme.html.md
index b52a9f386..5dda58a7b 100644
--- a/website/docs/r/pki_secret_backend_config_acme.html.md
+++ b/website/docs/r/pki_secret_backend_config_acme.html.md
@@ -66,6 +66,8 @@ The following arguments are supported:
 * `eab_policy` - (Optional) Specifies the policy to use for external account binding behaviour.
 Allowed values are `not-required`, `new-account-required` or `always-required`.
+* `max_ttl` - (Optional) The maximum TTL for certificates issued by ACME.
+
 ## Attributes Reference
 No additional attributes are exported by this resource.