fix: 2107: Add missing schema fields and tests for ext_key_usage_oids (…

…#2108) * fix: 2107: Add missing schema fields and tests for ext_key_usage_oids * doc: 2104: add missing changelog entry * fix: 2107: Apply format fixes & CHANGELOG * Update CHANGELOG.md --------- Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
hashicorp · Dec 11, 2023 · a11653b · a11653b
1 parent 86e6f61
commit a11653b
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
 
+FEATURES:
+* Add support for `ext_key_usage_oids` in `vault_pki_secret_backend_role` ([#2108](/~https://github.com/hashicorp/terraform-provider-vault/pull/2108))
+
 BUGS:
 * fix `vault_kv_secret_v2` drift when "data" is in secret name/path ([#2104](/~https://github.com/hashicorp/terraform-provider-vault/pull/2104))
 

diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -280,6 +280,7 @@ const (
 	FieldEmailProtectionFlag           = "email_protection_flag"
 	FieldKeyUsage                      = "key_usage"
 	FieldExtKeyUsage                   = "ext_key_usage"
+	FieldExtKeyUsageOIDs               = "ext_key_usage_oids"
 	FieldUseCSRCommonName              = "use_csr_common_name"
 	FieldUseCSRSans                    = "use_csr_sans"
 	FieldOU                            = "ou"

diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
@@ -49,6 +49,7 @@ var pkiSecretListFields = []string{
 	consts.FieldAllowedDomains,
 	consts.FieldAllowedSerialNumbers,
 	consts.FieldExtKeyUsage,
+	consts.FieldExtKeyUsageOIDs,
 }
 
 var pkiSecretBooleanFields = []string{
@@ -271,6 +272,15 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			consts.FieldExtKeyUsageOIDs: {
+				Type:        schema.TypeList,
+				Required:    false,
+				Optional:    true,
+				Description: "A list of extended key usage OIDs.",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			consts.FieldUseCSRCommonName: {
 				Type:        schema.TypeBool,
 				Required:    false,

diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
@@ -61,6 +61,8 @@ func TestPkiSecretBackendRole_policy_identifier(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "key_usage.1", "KeyAgreement"),
 		resource.TestCheckResourceAttr(resourceName, "key_usage.2", "KeyEncipherment"),
 		resource.TestCheckResourceAttr(resourceName, "ext_key_usage.#", "0"),
+		resource.TestCheckResourceAttr(resourceName, "ext_key_usage_oids.#", "1"),
+		resource.TestCheckResourceAttr(resourceName, "ext_key_usage_oids.0", "1.3.6.1.4.1.311.4"),
 		resource.TestCheckResourceAttr(resourceName, "use_csr_common_name", "true"),
 		resource.TestCheckResourceAttr(resourceName, "use_csr_sans", "true"),
 		resource.TestCheckResourceAttr(resourceName, "ou.0", "test"),
@@ -160,6 +162,8 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "key_usage.1", "KeyAgreement"),
 		resource.TestCheckResourceAttr(resourceName, "key_usage.2", "KeyEncipherment"),
 		resource.TestCheckResourceAttr(resourceName, "ext_key_usage.#", "0"),
+		resource.TestCheckResourceAttr(resourceName, "ext_key_usage_oids.#", "1"),
+		resource.TestCheckResourceAttr(resourceName, "ext_key_usage_oids.0", "1.3.6.1.4.1.311.4"),
 		resource.TestCheckResourceAttr(resourceName, "use_csr_common_name", "true"),
 		resource.TestCheckResourceAttr(resourceName, "use_csr_sans", "true"),
 		resource.TestCheckResourceAttr(resourceName, "ou.0", "test"),
@@ -298,6 +302,8 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "key_usage.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "key_usage.0", "DigitalSignature"),
 					resource.TestCheckResourceAttr(resourceName, "ext_key_usage.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "ext_key_usage_oids.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "ext_key_usage_oids.0", "1.3.6.1.4.1.311.4"),
 					resource.TestCheckResourceAttr(resourceName, "use_csr_common_name", "true"),
 					resource.TestCheckResourceAttr(resourceName, "use_csr_sans", "true"),
 					resource.TestCheckResourceAttr(resourceName, "ou.0", "test"),
@@ -368,6 +374,7 @@ resource "vault_pki_secret_backend_role" "test" {
   key_type                           = "rsa"
   key_bits                           = 2048
   ext_key_usage                      = []
+  ext_key_usage_oids                 = ["1.3.6.1.4.1.311.4"]
   use_csr_common_name                = true
   use_csr_sans                       = true
   ou                                 = ["test"]
@@ -422,6 +429,7 @@ resource "vault_pki_secret_backend_role" "test" {
   key_bits = 2048
   key_usage = ["DigitalSignature"]
   ext_key_usage = []
+  ext_key_usage_oids = ["1.3.6.1.4.1.311.4"]
   use_csr_common_name = true
   use_csr_sans = true
   ou = ["test"]

diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
@@ -101,6 +101,8 @@ The following arguments are supported:
 
 * `ext_key_usage` - (Optional) Specify the allowed extended key usage constraint on issued certificates
 
+* `ext_key_usage_oids` - (Optional) Specify the allowed extended key usage OIDs constraint on issued certificates
+
 * `use_csr_common_name` - (Optional) Flag to use the CN in the CSR
 
 * `use_csr_sans` - (Optional) Flag to use the SANs in the CSR