Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Cannot provide a scope for token exchange #153

Open hawksight opened 1 month ago

hawksight commented 1 month ago

PROBLEM SUMMARY

When using certificate authentication with the provider, you are unable to pass a scope along with your clientID. This means your plan will fail with a Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request.

This is very difficult to debug as the backend does not seem to log much, if anything, about the error. You have to look at IIS logs and even then, no detail.

I found that the API endpoint this uses requires a scope to be set:

(screenshot from 2024-10-29, not reproduced here)

If you try to curl the same endpoint you will see that you do get a 400 Bad Request response, when you attempt to even set an empty scope:

curl -v -L $VENAFI_URL/vedauth/authorize/certificate \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --cert-type 'P12' \
  --cert "certs/automation-gc.p12:$VENAFI_P12_PASSWORD" \
  --cacert "certs/gcp-ca.crt" \
  -m 20 \
  -d "{\"client_id\": \"$VENAFI_CLIENT_ID\", \"scope\": \"\"}" | jq .

Output snippet:

* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* old SSL session ID is stale, removing
< HTTP/1.1 400 Bad Request
< Cache-Control: private,no-store, no-cache, max-age=0, must-revalidate
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Expires: 0
< Server:
< X-UA-Compatible: IE=Edge
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: strict-origin
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
....
100   142  100    83  100    59    488    347 --:--:-- --:--:-- --:--:--   840
* Connection #0 to host demo-1.tpp.peter-fiddes-gcp.jetstacker.net left intact
{
  "error": "invalid_request",
  "error_description": "Application identifier is missing"
}

STEPS TO REPRODUCE

Configure your provider with your p12 cert and password. Also pass clientID.

provider "venafi" {
  url               = var.venafi_url
  p12_cert_filename = "./certs/automation-gc-legacy.p12"
  p12_cert_password = "example"
  client_id         = var.venafi_client_id
}

See plan output below.

EXPECTED RESULTS

It works.

ACTUAL RESULTS

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 1, in provider "venafi":
│    1: provider "venafi" {
│
│ Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request

ENVIRONMENT DETAILS

> tf version
Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.7.0
+ provider registry.terraform.io/venafi/venafi v0.21.1

Your version of Terraform is out of date! The latest version
is 1.9.8. You can update by downloading from https://www.terraform.io/downloads.html

COMMENTS/WORKAROUNDS

There is no workaround, other than to use another authentication option. The only available option is the access_token where clientID and scope are already set out of band. Username / Password still refer to API Key endpoints that are long gone.
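As an added illustration (not code from the provider or from vcert), here is a Go client that POSTs the same client_id/scope body the curl command above uses and surfaces TPP's error_description instead of only the status line, exercised against a constructed mock that reproduces nothing more than the 400 response shown above. The endpoint path and JSON field names are taken from the issue; the client id, scope value and mock token are illustrative.

```go
package main
import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
// authorizeRequest: JSON body POSTed to /vedauth/authorize/certificate (fields as in the issue's curl).
type authorizeRequest struct {
	ClientID string `json:"client_id"`
	Scope    string `json:"scope"`
}

// authError mirrors the error body TPP returned in the issue.
type authError struct {
	Error       string `json:"error"`
	Description string `json:"error_description"`
}

// authorize POSTs client_id and scope; on a non-2xx reply it surfaces TPP's error_description.
func authorize(client *http.Client, baseURL, clientID, scope string) error {
	body, _ := json.Marshal(authorizeRequest{ClientID: clientID, Scope: scope})
	resp, err := client.Post(baseURL+"/vedauth/authorize/certificate", "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return nil
	}
	var e authError
	if json.NewDecoder(resp.Body).Decode(&e) == nil && e.Error != "" {
		return fmt.Errorf("TPP authorize: %s: %s: %s", resp.Status, e.Error, e.Description)
	}
	return fmt.Errorf("TPP authorize: unexpected status %s", resp.Status)
}

// newMockTPP is a constructed stand-in (not TPP) reproducing only the observed 400 for an empty scope.
func newMockTPP() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req authorizeRequest
		if json.NewDecoder(r.Body).Decode(&req) != nil || req.Scope == "" {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(authError{"invalid_request", "Application identifier is missing"})
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]string{"access_token": "constructed-token"})
	}))
}
```

With the body decoded this way, the plan-time error would carry "Application identifier is missing" rather than just "unexpected status code", which is the detail the IIS logs do not give you.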