
Add ACME support for PKI resource

Open igor-nikiforov opened this issue 1 year ago • 5 comments

Starting from Vault 1.14, support for the ACME protocol was added - https://www.hashicorp.com/blog/vault-1-14-brings-acme-for-pki-aws-roles-and-more-improvements

It would be great to have support for the following resources to be able to configure ACME from Terraform:

igor-nikiforov avatar Jul 18 '23 19:07 igor-nikiforov

Hi there,

We were looking for this too.
A PR was opened to add cluster configuration as a first step.

I'll try to get the ACME configuration up too.
There is one part I haven't looked at yet and have doubts about.
It's about the headers' configuration and how this part should be handled by the provider.

vault secrets tune \
      -passthrough-request-headers=If-Modified-Since \
      -allowed-response-headers=Last-Modified \
      -allowed-response-headers=Location \
      -allowed-response-headers=Replay-Nonce \
      -allowed-response-headers=Link \
      pki_int

Viper61 avatar Jul 22 '23 21:07 Viper61

I think the enable_templating option is also missing from vault_pki_secret_backend_config_urls based on the instructions in the tutorial.

jeffsanicola avatar Sep 14 '23 18:09 jeffsanicola

I was able to set up ACME + Cluster configuration using the vault_generic_endpoint resource as a temporary workaround. But unfortunately this resource does not support the POST method, which is required by the acme/new-eab endpoint. So for now there is no way to automate EAB token creation using only bare TF resources.

@fairclothjm just wondering, is there any ETA for full ACME support in the Vault provider? Thanks.

igor-nikiforov avatar Dec 30 '23 03:12 igor-nikiforov
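As an added example (not code from this issue or from the provider itself): the workaround described above, written out as Terraform, together with the header tuning from the `vault secrets tune` command earlier in the thread. It assumes a configured Vault provider, a PKI intermediate at the mount path `pki_int` used in the thread, a Vault 1.14+ server reachable at the hypothetical address `https://vault.example.com:8200`, an existing PKI role named `acme-web` (assumed name), and that the `vault_mount` resource exposes `passthrough_request_headers` and `allowed_response_headers` in the provider version in use (assumption; if not, keep applying the `vault secrets tune` command out of band). EAB key creation is deliberately left out, for the reason given in the comment above: `acme/new-eab` needs a POST that `vault_generic_endpoint` cannot issue.

```hcl
# Added example; not part of the issue or of terraform-provider-vault.
# Assumptions: provider configured, Vault 1.14+, mount "pki_int",
# role "acme-web" exists, address below is hypothetical.

resource "vault_mount" "pki_int" {
  path        = "pki_int"
  type        = "pki"
  description = "Intermediate CA serving ACME"

  # Same headers as the `vault secrets tune` command in the thread.
  # ACME clients need Replay-Nonce, Location and Link back, and
  # If-Modified-Since forwarded for the directory/cert endpoints.
  # (Assumes these mount arguments exist in the provider version used.)
  passthrough_request_headers = ["If-Modified-Since"]
  allowed_response_headers    = ["Last-Modified", "Location", "Replay-Nonce", "Link"]
}

# config/cluster: ACME needs the mount's externally reachable URL so the
# directory and AIA links it emits point back to this cluster.
resource "vault_generic_endpoint" "pki_int_cluster" {
  path                 = "${vault_mount.pki_int.path}/config/cluster"
  disable_delete       = true # endpoint has no DELETE
  ignore_absent_fields = true

  data_json = jsonencode({
    path     = "https://vault.example.com:8200/v1/pki_int" # hypothetical
    aia_path = "https://vault.example.com:8200/v1/pki_int" # hypothetical
  })
}

# config/acme: enable the directory, but only through a dedicated role and
# only for clients presenting an External Account Binding. Without
# eab_policy, any host that can reach the listener may request issuance.
resource "vault_generic_endpoint" "pki_int_acme" {
  path                 = "${vault_mount.pki_int.path}/config/acme"
  disable_delete       = true
  ignore_absent_fields = true

  data_json = jsonencode({
    enabled                  = true
    allowed_roles            = ["acme-web"]      # assumed role name
    allowed_issuers          = ["*"]
    default_directory_policy = "role:acme-web"   # /acme/directory uses this role
    eab_policy               = "always-required" # strongest of the three policies
    dns_resolver             = ""                # empty = system resolver
  })

  depends_on = [vault_generic_endpoint.pki_int_cluster]
}
```

`terraform plan` is a useful check after apply: because both endpoints are readable with GET, the provider will diff the stored config against `data_json`, so a drifted `eab_policy` or `allowed_roles` changed out of band shows up as a planned change rather than going unnoticed.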

@igor-nikiforov Hello, unfortunately we don't have an ETA for full ACME support. We will update this issue once we get an update.

fairclothjm avatar Jan 02 '24 16:01 fairclothjm

Based on what I learned with previous PRs, I attempted to add a full ACME configuration resource. @fairclothjm Can you have a look at it please?

On the tune side, I understand from the doc that it can be read/written to the sys/mounts/<name>/tune endpoint. From there, I was thinking about adding a tune option to getMountSchema.

However, I noticed a couple of implementations already in place. For authentication resources, there is an authMountTuneSchema. Some others are there as part of the backend, like resource_ad_secret_backend or resource_nomad_secret_backend.

Should we do the same thing and add it as part of resource_pki_secret_backend_config_acme?

Viper61 avatar Feb 26 '24 19:02 Viper61