PROBLEM SUMMARY
When using certificate authentication with the provider, you are unable to pass a scope along with your clientID. This means your plan will fail with "Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request".
This is very difficult to debug, as the backend does not seem to log much, if anything, about the error. You have to look at the IIS logs, and even then there is no detail.
ACTUAL RESULTS
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: Failed to initialize Venafi client
│
│ with provider["registry.terraform.io/venafi/venafi"],
│ on main.tf line 1, in provider "venafi":
│ 1: provider "venafi" {
│
│ Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request
ENVIRONMENT DETAILS
> tf version
Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.7.0
+ provider registry.terraform.io/venafi/venafi v0.21.1
Your version of Terraform is out of date! The latest version
is 1.9.8. You can update by downloading from https://www.terraform.io/downloads.html
COMMENTS/WORKAROUNDS
There is no workaround other than to use another authentication option.
The only available option is access_token, where the clientID and scope are already set out of band.
Username / Password still refers to API key endpoints that are long gone.
I found that the API endpoint this uses requires a scope to be set:
If you try to curl the same endpoint you will see that you do get a 400 Bad Request response, even when you attempt to set an empty scope. Output snippet:
STEPS TO REPRODUCE
Configure your provider with your p12 cert and password. Also pass clientID.
See plan output above.
EXPECTED RESULTS
It works.
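As an added example (not the issue author's code and not part of the venafi provider), here is the curl reproduction described above together with the out-of-band token fetch that the access_token workaround relies on. The TPP endpoint path /vedauth/authorize/certificate, the hostname, the p12 file name and password, the default client_id value, the scope certificate:manage and the TF_VAR_venafi_token variable name are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: reproduces the certificate authorize request the provider is
# understood to make against TPP, once without a scope (the provider's case) and
# once with a scope, then shows how to hand the resulting token to Terraform.
# Hostname, file names, client_id default, scope and variable name are assumed.
set -eu

TPP_URL="${TPP_URL:-https://tpp.example.com}"            # assumed TPP hostname
P12_FILE="${P12_FILE:-client.p12}"                       # assumed p12 bundle
P12_PASS="${P12_PASS:-changeit}"                         # assumed p12 password
CLIENT_ID="${CLIENT_ID:-hashicorp-terraform-by-venafi}"  # assumed API application name
AUTH_PATH="/vedauth/authorize/certificate"               # assumed TPP certificate-auth endpoint

# Build the JSON body for the certificate authorize request.
# $1 = client_id, $2 = scope (may be empty). An empty scope is exactly the request
# the provider ends up sending, which TPP rejects with 400 Bad Request.
authorize_body() {
  printf '{"client_id":"%s","scope":"%s"}' "$1" "${2:-}"
}

# Pull access_token out of a TPP authorize response body without needing jq.
extract_access_token() {
  sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Live mTLS call with the p12 bundle: prints the HTTP status line, then the body.
# Only invoked when RUN_LIVE=1 so the script stays offline-safe by default.
tpp_certificate_authorize() {
  body="$(authorize_body "$CLIENT_ID" "${1:-}")"
  curl -sS -o /tmp/tpp_auth.json -w '%{http_code}\n' \
    --cert-type P12 --cert "${P12_FILE}:${P12_PASS}" \
    -H 'Content-Type: application/json' \
    -d "$body" \
    "${TPP_URL}${AUTH_PATH}"
  cat /tmp/tpp_auth.json
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  # 1. What the provider effectively sends: client_id but no scope -> expect 400.
  tpp_certificate_authorize "" || true
  # 2. The same call with a scope -> expect 200 and a JSON body carrying access_token.
  out="$(tpp_certificate_authorize "certificate:manage" | tail -n +2)"
  token="$(printf '%s' "$out" | extract_access_token)"
  # 3. Workaround: pass the token to Terraform as a variable and use
  #    access_token = var.venafi_token in the provider block instead of the p12 fields.
  export TF_VAR_venafi_token="$token"
  echo "token exported to TF_VAR_venafi_token (${#token} chars)"
fi
```

Run with RUN_LIVE=1 against a real TPP instance to see the two status codes side by side; the token obtained in step 2 already carries the client_id and scope, which is why the access_token path works where the p12 path does not.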