Closed tr1ck3r closed 8 months ago
This was written several years back and some things have changed. The goal now should always be to get an access/refresh token pair and store them in the Terraform state so they can be used for certificate and policy API operations. If provided, neither the username
, password
, p12_keycert
nor p12_password
should ever be persisted to the Terraform state because their compromise poses a greater risk (potentially significantly greater) than compromise of the access_token
and/or refresh_token
.
When an access_token
reaches the expiration window and there is a refresh_token
stored, terraform apply
should result in the refresh token being used to obtain a new token pair... no other option would be available because username
, password
, p12_keycert
, and p12_password
will not be available (not stored in the state).
@luispresuelVenafi Now that there is venafi-token provider and a venafi-token_credential resource is this still required? It sounds like that resource addresses this issue so this might be able to be closed.
@brental I agree, this has been adressed in Terraform Token Provider. I'll close this issue. Thank you for the reminder on closing this one :smile:
BUSINESS PROBLEM Allow the Venafi Terraform Provider to self-manage its access to Trust Protection Platform via token authentication where initialization begins with either username/password, client certificate, or refresh token.
PROPOSED SOLUTION
venafi_credential
ResourceArguments (input):
username
password
(sensitive)p12_keycert
(base64-encoded PKCS#12 keystore containing a client certificate, private key, and chain certificates)p12_password
(sensitive)refresh_token
(sensitive)refresh_window
(number of days)client_id
(optional, defaults tohashicorp-terraform-by-venafi
)Attributes (output):
access_token
(sensitive, intended to be fed intovenafi_certificate
resource)expiration
(date/time)refresh_token
(sensitive)On terraform apply:
expiration
is setexpiration
> now -refresh_window
andrefresh_token
is set, then get new token(s) by calling POST /vedauth/authorize/tokenusername
&password
are set, then get new token(s) by calling POST /vedauth/authorizep12_keycert
&p12_password
are set, then get new token(s) by calling POST /vedauth/authorize/certificateexpiration
is not set) andusername
&password
are set, then get new token(s) by calling POST /vedauth/authorizep12_keycert
&p12_password
are set, then get new token(s) by calling POST /vedauth/authorize/certificaterefresh_token
is set, then get new token(s) by calling POST /vedauth/authorize/tokenusername
&password
are set, then get new token(s) by calling POST /vedauth/authorizep12_keycert
&p12_password
are set, then get new token(s) by calling POST /vedauth/authorize/certificateOn terraform destroy:
access_token
is set, revoke token by calling GET /vedauth/revoke/tokenCURRENT ALTERNATIVES Use VCert CLI
getcred
or direct REST API /vedauth calls to get anaccess_token
which can then be used directly by thevenafi_certificate
resource (work-in-progress #22).