Closed klewan closed 2 years ago
Hi, @klewan, thank you for reaching out. This doesn't seem to be a bug, but more a result of the constraints defined in the custom fields of your TPP instance. Our Terraform provider only passes that data, as it is defined in the Terraform configuration, to the endpoint for certificate enrollment, and all its constraints are defined at TPP.
Hi @luispresuelVenafi Thank you. Would it be possible to deliver a Terraform data source to do this translation, i.e. user to its ID (internal TPP representation), so we could concatenate the outputs and have the data ready to pass to the venafi_certificate resource?
Hi @klewan the behavior you're seeing around the syntax for Identity custom fields is the behavior of the POST /vedsdk/certificates/request
API method which is documented here for the CustomFields
parameter:
Identity Selector: Specify an array of one or more identities, such as a group or individual approver. Use the PrefixedUniversal format that represents a valid identity. For example: AD+venqa:85e3ce9bec25b34780ebfd85a4d73451.
You can request enhancements or "ideas" for the TPP API in the Venafi Warrior Community. If TPP is enhanced to allow human-friendly syntax for Identity custom fields, Terraform and all of our other open source integrations that support custom fields would be able to use it.
We're currently working to update our Certificate Policy Management feature to support specifying certificate contacts in the human-friendly syntax you described so that may be more in line with your need.
Hi @tr1ck3r Would it be possible to have a Terraform data source based on /vedsdk/Identity/Validate POST request (e.g. body: {"ID": { "PrefixedName": "AD+venqa:USER_FRIENDLY_NAME" } }) that fetches json.ID.PrefixedUniversal output and exposes it? Then we'd be able to pass this value to custom fields in a proper format.
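The approach proposed in the comment above (resolve a PrefixedName through POST /vedsdk/Identity/Validate and feed the returned ID.PrefixedUniversal into custom_fields) written out as an added example in the shape of a Terraform `external` data source script. This is not code from the thread or from the Venafi provider; the helper names, the bearer-token header, and the query keys `name`, `url` and `token` are assumptions.

```python
import json
import re
import sys
import urllib.request
from typing import Callable, Dict

# Hypothetical helper names: build_validate_body, resolve_identity, http_post.
PREFIXED_NAME_RE = re.compile(r"^[A-Za-z0-9]+\+[^:]+:.+$")  # "<prefix>+<provider>:<name>"


def build_validate_body(prefixed_name: str) -> Dict:
    """Request body for POST /vedsdk/Identity/Validate, shaped as in the thread."""
    if not PREFIXED_NAME_RE.match(prefixed_name):
        raise ValueError(f"not a PrefixedName: {prefixed_name!r}")
    return {"ID": {"PrefixedName": prefixed_name}}


def resolve_identity(prefixed_name: str, post: Callable[[str, Dict], Dict]) -> str:
    """Return ID.PrefixedUniversal for a PrefixedName via the injected `post` transport."""
    resp = post("/vedsdk/Identity/Validate", build_validate_body(prefixed_name))
    universal = (resp.get("ID") or {}).get("PrefixedUniversal")
    if not universal:
        # An unresolvable name must fail here, not silently turn into
        # "unknown/deleted" metadata on the issued certificate.
        raise LookupError(f"TPP did not resolve {prefixed_name!r}: {resp}")
    provider = prefixed_name.split(":", 1)[0]
    if not universal.startswith(provider + ":"):  # resolved ID must keep the same provider
        raise LookupError(f"provider mismatch: {universal!r} for {prefixed_name!r}")
    return universal


def http_post(base_url: str, token: str) -> Callable[[str, Dict], Dict]:
    """Real transport: JSON POST with a bearer token (assumed auth scheme, not vendor code)."""
    def post(path: str, body: Dict) -> Dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=15) as r:
            return json.load(r)
    return post


if __name__ == "__main__":
    # Terraform `external` protocol: query object on stdin, flat string map on stdout,
    # e.g. query = {"name": "AD+venqa:jdoe", "url": "https://tpp.example", "token": "..."}.
    q = json.load(sys.stdin)
    resolved = resolve_identity(q["name"], http_post(q["url"], q["token"]))
    json.dump({"prefixed_universal": resolved}, sys.stdout)
```

In Terraform the script's `prefixed_universal` result can then be interpolated into the custom_fields value of venafi_certificate, so the human-friendly name lives in the configuration while TPP receives the PrefixedUniversal form it requires.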
PROBLEM SUMMARY
The Server Admin property in custom_fields requires providing accounts in PrefixedUniversal format, which is very inconvenient and, in practice, of no use. When account names are supplied as arguments, the certificate metadata presents this attribute as 'AD+XXX:unknown/deleted -1)'.
STEPS TO REPRODUCE
EXPECTED RESULTS
COMMENTS/WORKAROUNDS none