Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Username & password authentication to use Oauth instead of APIKey endpoint #105

Closed antstacks closed 4 months ago

antstacks commented 1 year ago

BUSINESS PROBLEM Submitting on behalf of a customer: As a part of the policies in place at the organization, they use short lived access tokens. With the recent deprecation of username and password functionality in the Venafi provider, it has made the process very difficult. Before, terraform handled the entire process of getting the token, but now that process has to be performed out of bounds. This has caused a significant impedance as the action of getting a token has to be performed daily as a manual process now.

It's worth mentioning as well that the field is deprecated, but it doesn't mention from what TPP version it actually breaks. (If this message is coming from Venafi, then not sure how easy it would be to rectify that error handling.)

Deprecated User / Pass

Setup:

export VENAFI_USER="$(jq -cr '.username' ~/.keys/venafi/tpp/demo-1/admin.json)" VENAFI_PASS="$(jq -cr '.password' ~/.keys/venafi/tpp/demo-1/admin.json)"
> tf plan -out plan -refresh
╷
│ Warning: Argument is deprecated
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 10, in provider "venafi":
│   10: provider "venafi" {
│
│ , please use access_token instead
│
│ (and 3 more similar warnings elsewhere)
╵
╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 10, in provider "venafi":
│   10: provider "venafi" {
│
│ Failed to build config for Venafi issuer: : vcert error: your data contains problems: auth error: unexpected
│ status code on TPP Authorize. Status: 401 API keys are deprecated. Instead, you should be using an API
│ integration and a vedauth/Authorize endpoint. See the getting a token help topic.
╵

PROPOSED SOLUTION Changing the integration to point to the Oauth endpoint to enable retrieving an access token in bounds. Or could allow for access token and refresh token input to where terraform could utilize the refresh token functionality to automatically refresh the short lived tokens. Similar to https://github.com/Venafi/terraform-provider-venafi/pull/102

CURRENT ALTERNATIVES I believe we could get a license from Venafi support to re-enable api key if absolutely necessary.

VENAFI EXPERIENCE Customer that is well versed in TPP.

hawksight commented 1 year ago

As noted by Venafi colleagues this issue is in the same spirit as:

I'd like to add that currently the documentation of the provider is not entirely clear. Yes, username and password are deprecated, but it doesn't make it clear in which versions of Venafi Trust Protection Platform the API Key functionality is removed.


I think that the API Key functionality is removed in 22.2 from here.

Adding a note on this might just be helpful to give customers the full picture. I'll see if I can PR something to enhance that documentation.

brental commented 6 months ago

Similar to #25 this issue seems like it would be handled by the venafi-token provider and a venafi-token_credential resource. Could it also be closed?

brental commented 6 months ago

@luispresuelVenafi Can this be closed similar to #25?

luispresuelVenafi commented 4 months ago

Thank you for the highlight here @brental, yeah we can close this issue as automation for Tokens can be handled by our other provider, Terraform Token Provider, along with this one.

harshavmb commented 1 week ago

Hi All,

If you are still looking for an alternate solution in addition to token-provider, please have a look at curl-provider-0.7.0.

This IMO works better than the token provider as it's a data provider fetching the token on each run. An example config:

provider "curl" {}

data "curl_request" "create_token" {
  http_method = "POST"
  uri         = var.venafi_oauth_url
  data = jsonencode({
    username  = sensitive(var.venafi_username)
    password  = sensitive(var.venafi_password)
    client_id = var.venafi_client_id
    scope     = var.venafi_scope
  })
  headers = {
    Content-Type = "application/json"
  }
}

## then you wire the token here directly
provider "venafi" {
  url          = var.venafi_url
  access_token = jsondecode(data.curl_request.create_token.response_body).access_token
  zone         = var.venafi_zone
}
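The same in-band token fetch can also be done as a wrapper around the terraform command rather than as a data source, which keeps the username and password out of Terraform state entirely. This is an added example, not code from the thread or from the provider: it assumes the TPP OAuth endpoint path is POST <url>/vedauth/authorize/oauth, that the request body uses the same four fields as the curl-provider config above, and that the Terraform config declares a `variable "venafi_access_token"` wired into `access_token` so the token can be passed via `TF_VAR_venafi_access_token`.

```shell
# Added example (not the provider's or the thread's own code). Assumptions:
# endpoint path /vedauth/authorize/oauth, and a Terraform variable named
# venafi_access_token that the provider block reads as access_token.
set -eu

# Escape a single-line value for embedding in a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the authorize body: username, password, client_id, scope.
build_auth_body() {
  printf '{"username":"%s","password":"%s","client_id":"%s","scope":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" \
    "$(json_escape "$3")" "$(json_escape "$4")"
}

# Pull access_token out of the JSON response without echoing the whole body.
extract_access_token() {
  printf '%s' "$1" | \
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST to TPP and fail closed on any non-200 status (for example the 401
# "API keys are deprecated" response quoted in the issue). The response body
# is never printed, since on success it contains the token.
fetch_token() {
  url="$1"; body="$2"
  resp=$(curl -sS -w '\n%{http_code}' -H 'Content-Type: application/json' \
           -X POST --data "$body" "${url%/}/vedauth/authorize/oauth")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  payload=$(printf '%s\n' "$resp" | sed '$d')
  if [ "$status" != "200" ]; then
    echo "TPP authorize failed with HTTP $status" >&2
    return 1
  fi
  extract_access_token "$payload"
}

# Wrapper: credentials come from the environment (as in the issue's setup),
# the short-lived token is fetched on every run and handed to Terraform as a
# variable, so it is never written to a tfvars file or to disk.
run_terraform_with_token() {
  token=$(fetch_token "$VENAFI_URL" \
    "$(build_auth_body "$VENAFI_USER" "$VENAFI_PASS" \
                       "$VENAFI_CLIENT_ID" "$VENAFI_SCOPE")")
  TF_VAR_venafi_access_token="$token" terraform "$@"
}
```

Invoke it as `run_terraform_with_token plan -out plan` after exporting VENAFI_URL, VENAFI_USER, VENAFI_PASS, VENAFI_CLIENT_ID and VENAFI_SCOPE; the token is only ever held in the process environment of that one terraform run.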