vault-ca-demo
Fix minor typos and warnings in commented root_ca sections
For my demo purposes I wanted to leverage the root_ca within vault itself, but found a typo (missing quote) and a warning.
I also added key_usage values to the roles to avoid diffs on subsequent terraform plan invocations, e.g. this was happening:
Terraform will perform the following actions:
# vault_pki_secret_backend_role.role-server-cer will be updated in-place
~ resource "vault_pki_secret_backend_role" "role-server-cer" {
allow_any_name = false
allow_bare_domains = false
allow_glob_domains = false
allow_ip_sans = true
allow_localhost = true
allow_subdomains = true
allowed_domains = [
"mydomain.com",
]
allowed_other_sans = []
allowed_uri_sans = []
backend = "pki-int-ca"
basic_constraints_valid_for_non_ca = false
client_flag = false
code_signing_flag = false
country = [
"usa",
]
email_protection_flag = false
enforce_hostnames = true
ext_key_usage = []
generate_lease = false
id = "pki-int-ca/roles/server-cert-for-mydomain.com"
key_bits = 2048
key_type = "rsa"
~ key_usage = [
- "DigitalSignature",
- "KeyAgreement",
- "KeyEncipherment",
]
locality = [
"Beverly Hills",
]
max_ttl = "63113904"
name = "server-cert-for-mydomain.com"
no_store = true
not_before_duration = "0s"
organization = [
"My Company",
]
ou = [
"development",
]
policy_identifiers = []
postal_code = []
province = []
require_cn = true
server_flag = true
street_address = []
ttl = "2592000"
use_csr_common_name = true
use_csr_sans = true
}
# vault_pki_secret_backend_role.vault-client-cert will be updated in-place
~ resource "vault_pki_secret_backend_role" "vault-client-cert" {
allow_any_name = false
allow_bare_domains = true
allow_glob_domains = false
allow_ip_sans = true
allow_localhost = true
allow_subdomains = false
allowed_domains = [
"mydomain.com",
]
allowed_other_sans = []
allowed_uri_sans = []
backend = "pki-int-ca"
basic_constraints_valid_for_non_ca = false
client_flag = true
code_signing_flag = false
country = [
"usa",
]
email_protection_flag = false
enforce_hostnames = true
ext_key_usage = []
generate_lease = false
id = "pki-int-ca/roles/client-cert-for-mydomain.com"
key_bits = 2048
key_type = "rsa"
~ key_usage = [
- "DigitalSignature",
- "KeyAgreement",
- "KeyEncipherment",
]
locality = [
"Beverly Hills",
]
max_ttl = "63113904"
name = "client-cert-for-mydomain.com"
no_store = true
not_before_duration = "0s"
organization = [
"My Company",
]
ou = [
"development",
]
policy_identifiers = []
postal_code = []
province = []
require_cn = true
server_flag = true
street_address = []
ttl = "2592000"
use_csr_common_name = true
use_csr_sans = true
}
Plan: 0 to add, 2 to change, 0 to destroy.
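Added example, not part of the pull request or the project's code: a check over the JSON form of a plan (`terraform show -json <planfile>`) that reports PKI roles whose key_usage an in-place update would change, which is the drift shown in the plan output above. The sample plan is constructed, and the `pinned` role in it is hypothetical.

```python
import json

ROLE_TYPE = "vault_pki_secret_backend_role"
DEFAULTS = ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]


def _role(name, actions, before, after):
    """Build one constructed resource_changes entry (only the fields read below)."""
    return {
        "address": f"{ROLE_TYPE}.{name}",
        "type": ROLE_TYPE,
        "change": {"actions": actions,
                   "before": {"key_usage": before},
                   "after": {"key_usage": after},
                   "after_unknown": {}},
    }


# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _role("role-server-cer", ["update"], DEFAULTS, []),
    _role("vault-client-cert", ["update"], DEFAULTS, []),
    _role("pinned", ["no-op"], DEFAULTS, DEFAULTS),  # hypothetical: key_usage set in HCL
]})


def key_usage_drift(plan_json):
    """Return {address: {"removed": [...], "added": [...]}} for PKI roles
    whose key_usage would be changed by an in-place update."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != ROLE_TYPE or change.get("actions") != ["update"]:
            continue
        # Values only known after apply are absent from "after"; skip them.
        if (change.get("after_unknown") or {}).get("key_usage"):
            continue
        before = set((change.get("before") or {}).get("key_usage") or [])
        after = set((change.get("after") or {}).get("key_usage") or [])
        if before != after:
            findings[rc["address"]] = {"removed": sorted(before - after),
                                       "added": sorted(after - before)}
    return findings


if __name__ == "__main__":
    for addr, diff in key_usage_drift(SAMPLE_PLAN).items():
        print(f"{addr}: removes {diff['removed']}, adds {diff['added']}")
```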
@stvdilln have you taken a look at this? Any objection to merging the changes?