Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Auto-generate an "asset_name" to uniquely represent certificates when installed on hosting devices #54

Open tr1ck3r opened 3 years ago

tr1ck3r commented 3 years ago

BUSINESS PROBLEM In order to fully support the certificate renewal use case for some pull provisioning targets like F5, an "asset name" is needed that is effectively unique while also meaningful to a person (i.e. a UUID will not suffice). The standard TPP naming convention for this has worked well but is based on attributes of the certificate, and those attributes aren't readily available to Terraform (namely the Valid To and Serial Number).

PROPOSED SOLUTION I believe the need would be addressed if the venafi_certificate resource was enhanced to include an asset_name property that gets automatically populated by terraform apply whenever a new certificate is enrolled. The naming convention should be as follows:

If the certificate has a common name:

{Common Name}_{Last 4 chars of Serial Number}_{Valid To UTC date as YYMMDD}

If the certificate has no common name but has at least one DNS SAN:

{any DNS SAN}_{Last 4 chars of Serial Number}_{Valid To UTC date as YYMMDD}

If the certificate has no common name or DNS SANs:

{Serial Number}_{Valid To UTC date as YYMMDD}

e.g. "www.company.com_a9f0_220514" or "450000b51360f9ccaabc8c9a5600020000b513220514"

CURRENT ALTERNATIVES Generate a context-less random ID that is not meaningful to a person looking at the results on their hosting devices. More difficult to troubleshoot or validate that processes are working as intended.

VENAFI EXPERIENCE Lots and lots 😃
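A worked example of the naming convention proposed above, added here as illustration and not code from the issue or from the provider. It applies the three rules exactly as stated (first DNS SAN stands in for "any DNS SAN", the serial is rendered as lowercase hex, and Valid To is converted to UTC before formatting) over constructed certificate structs with no keys or signatures; the map keys and sample serials are constructed, and the CN is used verbatim with no sanitising.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AssetName applies the proposed convention to a parsed certificate:
// CN, else first DNS SAN, else full serial; followed by the last four hex
// chars of the serial (except in the serial-only case) and Valid To as YYMMDD.
func AssetName(cert *x509.Certificate) string {
	serial := fmt.Sprintf("%x", cert.SerialNumber) // lowercase hex, matching the issue's examples
	validTo := cert.NotAfter.UTC().Format("060102") // normalise to UTC so the date never drifts by zone
	tail := serial
	if len(serial) > 4 {
		tail = serial[len(serial)-4:]
	}
	switch {
	case cert.Subject.CommonName != "":
		return cert.Subject.CommonName + "_" + tail + "_" + validTo
	case len(cert.DNSNames) > 0:
		return cert.DNSNames[0] + "_" + tail + "_" + validTo // "any DNS SAN": take the first
	default:
		return serial + "_" + validTo
	}
}

// SampleAssetNames runs the convention over three constructed certificates
// covering each rule; the struct fields alone are enough to derive a name.
func SampleAssetNames() map[string]string {
	serial := func(hex string) *big.Int { n, _ := new(big.Int).SetString(hex, 16); return n }
	plus2 := time.FixedZone("UTC+2", 2*3600)
	certs := map[string]*x509.Certificate{
		"cn": {Subject: pkix.Name{CommonName: "www.company.com"}, SerialNumber: serial("1a2b3c4d5e6fa9f0"), NotAfter: time.Date(2022, 5, 14, 23, 59, 59, 0, time.UTC)},
		// Valid To is 01:00 on 15 May in UTC+2, which is still 14 May in UTC.
		"san": {DNSNames: []string{"api.company.com", "www.company.com"}, SerialNumber: serial("3fbbd1c4e2"), NotAfter: time.Date(2022, 5, 15, 1, 0, 0, 0, plus2)},
		"serial": {SerialNumber: serial("450000b51360f9ccaabc8c9a5600020000b513"), NotAfter: time.Date(2022, 5, 14, 0, 0, 0, 0, time.UTC)},
	}
	out := make(map[string]string, len(certs))
	for k, c := range certs {
		out[k] = AssetName(c)
	}
	return out
}

func main() {
	for k, v := range SampleAssetNames() {
		fmt.Printf("%-6s %s\n", k, v)
	}
}
```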