Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Server Admin property in custom_fields is not handled properly #83

Closed klewan closed 2 years ago

klewan commented 2 years ago

PROBLEM SUMMARY

Server Admin property in custom_fields requires providing accounts in PrefixedUniversal format, which is very inconvenient and, in practice, of no use. When account names are supplied as arguments, the certificate metadata presents this attribute as 'AD+XXX:unknown/deleted -1)'.

STEPS TO REPRODUCE

# local.site_name and local.site_domain are defined elsewhere in the configuration.
resource "venafi_certificate" "site" {

  common_name = "${local.site_name}.${local.site_domain}"

  san_dns = [
    "${local.site_name}.${local.site_domain}"
  ]
  algorithm = "RSA"
  rsa_bits  = "2048"

  # This doesn't work. When accounts are provided by name, the Certificate Service Admin property shows 'AD+XXX:unknown/deleted -1)'
  # custom_fields = {
  #   "Server Admin" = "AD+XXX:USER1|AD+XXX:USER2"
  # }

  # When PrefixedUniversal format is supplied, this is processed successfully, but is of no use.
  custom_fields = {
    "Server Admin" = "AD+XXX:52c5b950dbe2ce479ec0e3a7d57852bd|AD+XXX:1e7e55617edda24c8b74a3bd55ad133b"
  }

}

EXPECTED RESULTS

resource "venafi_certificate" "site" {

  common_name = "${local.site_name}.${local.site_domain}"

  san_dns = [
      "${local.site_name}.${local.site_domain}"
  ]
  algorithm = "RSA"
  rsa_bits = "2048"

  custom_fields = {
      "Server Admin" = "AD+XXX:USER1|AD+XXX:USER2"
  }
}

COMMENTS/WORKAROUNDS

none

luispresuelVenafi commented 2 years ago

Hi, @klewan, thank you for reaching out. This doesn't seem to be a bug, but more of a result of constraints defined in the custom fields of your TPP instance. Our Terraform provider only passes that data as it is defined in the Terraform configuration to the endpoint for certificate enrollment, and all its constraints are defined at TPP.

klewan commented 2 years ago

Hi @luispresuelVenafi Thank you. Would it be possible to deliver a Terraform data source to do this translation, i.e. user to its ID (internal TPP representation), so we could concatenate the outputs and have it ready to pass to the venafi_certificate resource?

tr1ck3r commented 2 years ago

Hi @klewan the behavior you're seeing around the syntax for Identity custom fields is the behavior of the POST /vedsdk/certificates/request API method which is documented here for the CustomFields parameter:

Identity Selector: Specify an array of one or more identities, such as a group or individual approver. Use the PrefixedUniversal format that represents a valid identity. For example: AD+venqa:85e3ce9bec25b34780ebfd85a4d73451.

You can request enhancements or "ideas" for the TPP API in the Venafi Warrior Community. If TPP is enhanced to allow human-friendly syntax for Identity custom fields, Terraform and all of our other open source integrations that support custom fields would be able to use it.

We're currently working to update our Certificate Policy Management feature to support specifying certificate contacts in the human-friendly syntax you described so that may be more in line with your need.

klewan commented 2 years ago

Hi @tr1ck3r Would it be possible to have a Terraform data source based on /vedsdk/Identity/Validate POST request (e.g. body: {"ID": { "PrefixedName": "AD+venqa:USER_FRIENDLY_NAME" } }) that fetches json.ID.PrefixedUniversal output and exposes it? Then we'd be able to pass this value to custom fields in a proper format.
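The translation step proposed in this thread, as an added example that is not code from the provider or from any participant: a small Python helper that turns human-friendly identities such as AD+XXX:USER1 into the PrefixedUniversal form TPP expects for Identity custom fields, and packages the result so it can be consumed through Terraform's hashicorp/external data source. The request body ({"ID": {"PrefixedName": ...}}) and the response path ID.PrefixedUniversal for POST /vedsdk/Identity/Validate are taken from the thread; the bearer-token header, the environment variable names, the external-data-source key names, and the assumption that a universal ID is a 32-hex-character suffix (as in every example on this page) are this example's own and should be checked against your TPP version.

```python
"""Resolve TPP identities to PrefixedUniversal form for Identity custom fields.

Example code written for this page; not part of terraform-provider-venafi.
"""
import json
import os
import re
import ssl
import sys
import urllib.request
from typing import Callable, Dict, List

# Shapes observed in the thread and the API docs quoted above, e.g.
#   AD+venqa:85e3ce9bec25b34780ebfd85a4d73451   (PrefixedUniversal)
#   AD+XXX:USER1                                (PrefixedName)
# The optional "+provider" part and the 32-hex-character universal ID are
# assumptions drawn from those examples, not from a Venafi specification.
PREFIXED_UNIVERSAL_RE = re.compile(r"^[A-Za-z]+(\+[^:|]+)?:[0-9a-fA-F]{32}$")
PREFIXED_NAME_RE = re.compile(r"^[A-Za-z]+(\+[^:|]+)?:[^|]+$")

Resolver = Callable[[str], str]


def is_prefixed_universal(value: str) -> bool:
    """True if `value` already looks like a PrefixedUniversal identity."""
    return bool(PREFIXED_UNIVERSAL_RE.match(value))


def make_tpp_resolver(base_url: str, token: str, ca_bundle: str = None) -> Resolver:
    """Build a resolver that calls POST /vedsdk/Identity/Validate on TPP.

    Bearer-token auth is an assumption of this example; TLS verification is
    left on (pass a CA bundle for a private PKI rather than disabling checks).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def resolve(prefixed_name: str) -> str:
        body = json.dumps({"ID": {"PrefixedName": prefixed_name}}).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + "/vedsdk/Identity/Validate",
            data=body,
            headers={"Content-Type": "application/json",
                     "Authorization": "Bearer " + token},
            method="POST",
        )
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            payload = json.load(resp)
        try:
            universal = payload["ID"]["PrefixedUniversal"]
        except (KeyError, TypeError):
            raise LookupError(f"TPP returned no PrefixedUniversal for {prefixed_name!r}")
        if not is_prefixed_universal(universal):
            # Fail loudly instead of enrolling an 'unknown/deleted' identity.
            raise ValueError(f"unexpected identity format from TPP: {universal!r}")
        return universal

    return resolve


def build_identity_field(names: List[str], resolve: Resolver) -> str:
    """Translate identities into the '|'-separated string an Identity custom field takes.

    Values already in PrefixedUniversal form are passed through unchanged;
    anything that is not a prefixed identity name is rejected up front.
    """
    out = []
    for raw in names:
        name = raw.strip()
        if not name:
            raise ValueError("empty identity in list")
        if is_prefixed_universal(name):
            out.append(name)
            continue
        if not PREFIXED_NAME_RE.match(name):
            raise ValueError(f"not a prefixed identity name: {name!r}")
        out.append(resolve(name))
    return "|".join(out)


def external_data_source(stdin_json: str, resolve: Resolver) -> Dict[str, str]:
    """Adapter for Terraform's hashicorp/external data source.

    The data source sends its `query` map as a JSON object on stdin and expects a
    flat JSON object of string values back. Key names here are this example's own.
    """
    query = json.loads(stdin_json)
    names = [n for n in query.get("names", "").split("|") if n.strip()]
    return {"server_admin": build_identity_field(names, resolve)}


if __name__ == "__main__":
    resolver = make_tpp_resolver(os.environ["TPP_URL"],
                                 os.environ["TPP_ACCESS_TOKEN"],
                                 os.environ.get("TPP_CA_BUNDLE"))
    print(json.dumps(external_data_source(sys.stdin.read(), resolver)))
```

Wired up as `data "external" "server_admin" { program = ["python3", "resolve_identities.py"] query = { names = "AD+XXX:USER1|AD+XXX:USER2" } }`, the resulting `data.external.server_admin.result.server_admin` can be placed in `custom_fields`, which keeps the friendly names in the Terraform source while TPP still receives the PrefixedUniversal syntax it requires. The two format checks matter in practice: without them, a lookup that silently returns an empty or malformed value would reproduce the 'unknown/deleted' metadata described in the issue rather than failing the plan.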