hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Enhancement]: Add support for the exclude_cn_from_sans attribute to the vault_pki_secret_backend_role resource #2165

Open n2ux opened 4 months ago

n2ux commented 4 months ago

Description

Vault PKI roles have an exclude_cn_from_sans boolean attribute. If the attribute is true, the given common_name will not be included in DNS or Email Subject Alternate Names (as appropriate). This is useful if the role is for something that is not a hostname or email address.

Affected Resource(s) and/or Data Source(s)

vault_pki_secret_backend_role

Potential Terraform Configuration

resource "vault_pki_secret_backend_role" "role" {
  backend                            = "pki"
  name                               = "role"
  issuer_ref                         = "default"
  ttl                                = 63072000
  basic_constraints_valid_for_non_ca = true
  allow_any_name                     = true
  enforce_hostnames                  = false
  allow_localhost                    = false
  allow_wildcard_certificates        = false
  key_type                           = "rsa"
  key_bits                           = 0
  key_usage                          = ["DigitalSignature", "KeyAgreement", "KeyEncipherment", "DataEncipherment"]
  client_flag                        = true
  server_flag                        = false
  ext_key_usage                      = ["ClientAuth"]
  allow_ip_sans                      = false
  allowed_serial_numbers             = ["*"]
  organization                       = ["MyOrg"]
  ou                                 = ["myou"]
  exclude_cn_from_sans               = true
}

References

https://developer.hashicorp.com/vault/api-docs/secret/pki#exclude_cn_from_sans-1

Would you like to implement a fix?

None
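As an added illustration (not code from the provider or from the issue author), the Go program below mimics what the attribute controls: unless exclusion is requested, the common name is copied into the DNS or Email SAN list, and a small check reports whether a CN has ended up in the SANs, which is how issued client certificates can be audited for the leak. The self-signed certificate generation is a simplified stand-in for Vault's role logic; the function names and sample CNs are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// issue mimics the part of Vault's role logic the attribute controls: unless
// excludeCNFromSANs is set, the CN is copied into the DNS or Email SAN list.
func issue(cn string, excludeCNFromSANs bool) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed test serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if !excludeCNFromSANs {
		if strings.Contains(cn, "@") {
			tmpl.EmailAddresses = []string{cn} // email-shaped CN becomes an email SAN
		} else {
			tmpl.DNSNames = []string{cn} // anything else becomes a DNS SAN
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// cnLeakedIntoSANs reports whether the subject CN also appears as a DNS or email SAN.
func cnLeakedIntoSANs(cert *x509.Certificate) bool {
	for _, list := range [][]string{cert.DNSNames, cert.EmailAddresses} {
		for _, n := range list {
			if strings.EqualFold(n, cert.Subject.CommonName) {
				return true
			}
		}
	}
	return false
}
```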