Vault terraform provider and pki v4.2

We use the Terraform Vault provider to manage a Vault system, and started working on PKI. I went through the example:

And while I had no issues with the example, there are a few oddities that I'm not certain are a bug, my misunderstanding, or my automation. For the example, you are constantly adding code to the TF file, until the whole thing is created. My question is how to handle rotating a certificate. From what I see from the docs, you can use "vault_pki_secret_backend_config_issuers", setting the option "default_follows_latest_issuer = true".

While the example in the provider docs works when setting the root, the id of the issuer is not present when using set_certificate in the intermediate certificates. Additionally, once I added the resource "vault_pki_secret_backend_config_issuers" and set follow_latest_issuers = true, I had to remove it to get the default to move to my next set_signed resource. Once I placed it back, it would move default to what was coded in the resource.

Is there a guide or something on managing the rotation and creation of certificates? Or is this one of those things - since the state will change - that does not make sense to manage in TF?

I need to correct something - adding a new issuing did "move default forward", but running the same Terraform moved it back.

Here is the block:

resource "vault_pki_secret_backend_config_issuers" "config" {
  backend                       = vault_mount.test_org_v1_ica2_v1.path
  default                       = "c022c8fb-e2f6-25db-d6dd-265ba840e85d"
  default_follows_latest_issuer = true
}

When I add a new issuing:

resource "vault_pki_secret_backend_root_sign_intermediate" "test_org_v1_sign_ica2_v4_by_ica1_v1" {
  depends_on = [
    vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1,
  ]
  backend     = local.ica1_path
  csr         = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1.csr
  common_name = "Intermediate CA2 v1.4"
  ...
}

resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica2_v4_signed_cert" {
  depends_on  = [vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v4_by_ica1_v1]
  backend     = vault_mount.test_org_v1_ica2_v1.path
  certificate = format(
    "%s\n%s",
    vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v4_by_ica1_v1.certificate,
    file("../${path.module}/cacerts/test_org_v1_ica1_v1.crt"),
  )
}

It is fine - default goes from my v1.3 to my v1.4. But if I run the same code again - without changes - it will relink to the hardcoded (v1.3) issuing from the config issuers block.
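The behaviour described above follows from the literal issuer ID in the `default` argument: Vault moves `default` to the newest issuer on import, the next plan sees a value different from the literal and writes the old ID back. As an added example (not from the original post or the provider's own docs), here are two ways to keep Terraform from fighting Vault over that value. Resource and mount names are taken from the post; the `imported_issuers` attribute and its element order are assumptions about the provider version in use, so check them against `terraform providers schema -json` before relying on them.

```hcl
# Added example, not the poster's code.
#
# Option A: derive `default` from the issuer Terraform itself just imported,
# so the value changes only when a new set_signed resource is applied.
# ASSUMPTION: vault_pki_secret_backend_intermediate_set_signed exports
# `imported_issuers`, and element 0 is the intermediate rather than the
# root that was appended to the chain. Verify both for your provider version.
resource "vault_pki_secret_backend_config_issuers" "config" {
  backend = vault_mount.test_org_v1_ica2_v1.path

  # Reference the newest set_signed resource instead of pasting an ID from `vault read`.
  default = vault_pki_secret_backend_intermediate_set_signed.test_org_v1_ica2_v4_signed_cert.imported_issuers[0]

  default_follows_latest_issuer = true
}

# Option B: let Vault own `default` and have Terraform stop tracking it.
# Uses only core Terraform lifecycle syntax, so it does not depend on
# provider attributes. The literal ID is only ever written once, on create.
# (Placeholder ID; use the issuer ID from your own mount.)
resource "vault_pki_secret_backend_config_issuers" "config_ignore_default" {
  backend                       = vault_mount.test_org_v1_ica2_v1.path
  default                       = "<issuer-id-at-creation-time>"
  default_follows_latest_issuer = true

  lifecycle {
    # Vault advances `default` when a new issuer is imported; do not plan a
    # change back to the literal above on subsequent applies.
    ignore_changes = [default]
  }
}
```

Only one of the two `config` resources belongs in a real module (Option B is shown under a different name purely so the file parses). After an apply, `vault read <mount>/config/issuers` shows which issuer ID Vault currently treats as `default`; if a no-op `terraform plan` still proposes a change to `default`, the provider is reading the attribute back and Option B is the safer choice.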