Venafi PKI role allowed_domains parameter not being enforced

[jeffwhite06]

PROBLEM SUMMARY When specifying allowed_domains parameter on the role, the role should only issue certificates within the provided allowed domains.

This may be one of many constraints not being enforced. I also tested allow_wildcard_certificates = false and was also able to create a wildcard certificate.

According to the documentation: https://developer.hashicorp.com/vault/docs/secrets/venafi These constraints should be enforced.

STEPS TO REPRODUCE Run terraform code provisioning the Venafi mount and role. Include the allowed_domains in the role creation. Attempt to issue a certificate using the role, with a domain name that is outside of the allowed domains.

resource "vault_mount" "venafi" {
  path        = "venafi"
  type        = "venafi-pki-backend"
  description = "Venafi PKI Secrets Engine"
}

resource "vault_generic_endpoint" "venafi" {
  path = "${vault_mount.venafi.path}/venafi/tpp"

  data_json = jsonencode({
    url          = <venafi_url>
    access_token = <access_token>
    zone         = <venafi_zone>
  })
}

resource "vault_generic_endpoint" "role" {
  path = "venafi/roles/tpp"

  data_json = jsonencode({
    venafi_secret    = "tpp"
    chain_option     = "last"
    generate_lease   = true
    store_by         = "cn"
    store_pkey       = true
    allowed_domains  = ["example.com"]
    allow_subdomains = true
  })

  depends_on = [vault_generic_endpoint.venafi]
}

resource "vault_pki_secret_backend_cert" "issue" {
  backend = vault_mount.venafi.path
  name    = "tpp"

  common_name = "test.otherdomain.com"

  depends_on = [vault_generic_endpoint.role]
}

EXPECTED RESULTS We expect that the creation of this certificate would be denied because the common_name domain requested is not within the allowed_domains on the role.

ACTUAL RESULTS The certificate gets created:

  # vault_generic_endpoint.role will be created
  + resource "vault_generic_endpoint" "role" {
      + data_json            = (sensitive value)
      + disable_delete       = false
      + disable_read         = false
      + id                   = (known after apply)
      + ignore_absent_fields = false
      + path                 = "venafi/roles/tpp"
      + write_data           = (known after apply)
      + write_data_json      = (known after apply)
    }

  # vault_generic_endpoint.venafi will be created
  + resource "vault_generic_endpoint" "venafi" {
      + data_json            = (sensitive value)
      + disable_delete       = false
      + disable_read         = false
      + id                   = (known after apply)
      + ignore_absent_fields = false
      + path                 = "venafi/venafi/tpp"
      + write_data           = (known after apply)
      + write_data_json      = (known after apply)
    }

  # vault_mount.venafi will be created
  + resource "vault_mount" "venafi" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + description                  = "Venafi PKI Secrets Engine"
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + path                         = "venafi"
      + seal_wrap                    = (known after apply)
      + type                         = "venafi-pki-backend"
    }

  # vault_pki_secret_backend_cert.issue will be created
  + resource "vault_pki_secret_backend_cert" "issue" {
      + auto_renew            = false
      + backend               = "venafi"
      + ca_chain              = (known after apply)
      + certificate           = (known after apply)
      + common_name           = "test.otherdomain.com"
      + expiration            = (known after apply)
      + format                = "pem"
      + id                    = (known after apply)
      + issuing_ca            = (known after apply)
      + min_seconds_remaining = 604800
      + name                  = "tpp"
      + private_key           = (sensitive value)
      + private_key_format    = "der"
      + private_key_type      = (known after apply)
      + renew_pending         = (known after apply)
      + revoke                = false
      + serial_number         = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_mount.venafi: Creating...
vault_mount.venafi: Creation complete after 1s [id=venafi]
vault_generic_endpoint.venafi: Creating...
vault_generic_endpoint.venafi: Creation complete after 0s [id=venafi/venafi/tpp]
vault_generic_endpoint.role: Creating...
vault_generic_endpoint.role: Creation complete after 0s [id=venafi/roles/tpp]
vault_pki_secret_backend_cert.issue: Creating...
vault_pki_secret_backend_cert.issue: Still creating... [10s elapsed]
vault_pki_secret_backend_cert.issue: Creation complete after 16s [id=venafi/tpp/test.otherdomain.com]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

ENVIRONMENT DETAILS HCP Vault v1.14.3 Terraform 1.6.1 Terraform Vault provider v3.21.0

COMMENTS/WORKAROUNDS

[luispresuelVenafi]

Hi @jeffwhite06 , thank you for reaching out!

This is not bug, this is intended, let me quote a colleague:

the allowed_domains and allow_subdomains parameters are silently ignored the same as any invalid parameter would be. The documentation was written with a focus on showing how easy it is to transition away from the native Vault PKI to our secrets engine (i.e. just add the venafi_secret and you can keep the rest of the parameters the way they are—we’ll just ignore them if they don’t apply any longer). Now that we know most people are adopting our secrets engine from the beginning as opposed to transitioning from the native Vault PKI, I think we can remove those parameters from the README so there isn’t any confusion.

And this make sense, because we want you to manage policies or do policy enforcement within the Venafi Control Plane (either you are using TLSPC, previously know as VaaS or TLSPDC, previously know as TPP).

This is more of a issue in our README but not a bug in the code, so I'll remove it. We do need to update our documentation.

Thank you for raising the concern!