Add "venafi_credential" resource for automating TPP token request/refresh

[tr1ck3r]

BUSINESS PROBLEM Allow the Venafi Terraform Provider to self-manage its access to Trust Protection Platform via token authentication where initialization begins with either username/password, client certificate, or refresh token.

PROPOSED SOLUTION venafi_credential Resource

Arguments (input):

• username
• password (sensitive)
• p12_keycert (base64-encoded PKCS#12 keystore containing a client certificate, private key, and chain certificates)
• p12_password (sensitive)
• refresh_token (sensitive)
• refresh_window (number of days)
• client_id (optional, defaults to hashicorp-terraform-by-venafi)

Attributes (output):

• access_token (sensitive, intended to be fed into venafi_certificate resource)
• expiration (date/time)
• refresh_token (sensitive)

On terraform apply:

1. if expiration is set
   1. if expiration > now - refresh_window and
      1. refresh_token is set, then get new token(s) by calling POST /vedauth/authorize/token
      2. username & password are set, then get new token(s) by calling POST /vedauth/authorize
      3. p12_keycert & p12_password are set, then get new token(s) by calling POST /vedauth/authorize/certificate
   2. else do nothing
2. else (expiration is not set) and
   1. username & password are set, then get new token(s) by calling POST /vedauth/authorize
   2. p12_keycert & p12_password are set, then get new token(s) by calling POST /vedauth/authorize/certificate
   3. refresh_token is set, then get new token(s) by calling POST /vedauth/authorize/token

• if POST /vedauth/authorize/token fails above and
  1. username & password are set, then get new token(s) by calling POST /vedauth/authorize
  2. p12_keycert & p12_password are set, then get new token(s) by calling POST /vedauth/authorize/certificate

On terraform destroy:

1. if access_token is set, revoke token by calling GET /vedauth/revoke/token

CURRENT ALTERNATIVES Use VCert CLI getcred or direct REST API /vedauth calls to get an access_token which can then be used directly by the venafi_certificate resource (work-in-progress #22).

[tr1ck3r]

This was written several years back and some things have changed. The goal now should always be to get an access/refresh token pair and store them in the Terraform state so they can be used for certificate and policy API operations. If provided, neither the username, password, p12_keycert nor p12_password should ever be persisted to the Terraform state because their compromise poses a greater risk (potentially significantly greater) than compromise of the access_token and/or refresh_token.

When an access_token reaches the expiration window and there is a refresh_token stored, terraform apply should result in the refresh token being used to obtain a new token pair... no other option would be available because username, password, p12_keycert, and p12_password will not be available (not stored in the state).

[brental]

@luispresuelVenafi Now that there is venafi-token provider and a venafi-token_credential resource is this still required? It sounds like that resource addresses this issue so this might be able to be closed.

[luispresuelVenafi]

@brental I agree, this has been adressed in Terraform Token Provider. I'll close this issue. Thank you for the reminder on closing this one :smile: