Expose contacts as native argument in venafi_policy #156

Open
hawksight opened this issue Nov 7, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

hawksight commented Nov 7, 2024

Relates to #81 but applies to venafi_policy instead of venafi_certificate.

BUSINESS PROBLEM

As a platform administrator I configure many vendor resources via terraform. I just want to set the right contacts for a policy easily within terraform. My problem is that it's hard to know where to configure this.

Whilst it can be done in the JSON, if I want to iterate over a venafi_policy resource for multiple tenants or teams, it can be hard to get the right escaping and formatting to pass in contact names in the JSON format.

PROPOSED SOLUTION

Expose contacts as native argument to the venafi_policy terraform resource:

resource "venafi_policy" "internal_policy" {
    zone = "My Business App\\Enterprise Trusted Certs"
    policy_specification = file("/path-to/internal-policy.json")
    contacts = ["dave", "bob", "Igor", "Florence"]
}

CURRENT ALTERNATIVES

As stated in this comment, you can set this in the JSON file, but it is currently not documented on the documented reference link.

{
  "policy": {},
  "defaults": {},
  "users": [
    "tppadmin",
    "team-1"
  ],
  "approvers": [
    "local:{1716fc1f-c05b-46d0-b308-048bde614a39}",
    "AD+XXXXX:9d599add13b7ea4ebd0592eb14cdcd3f"
  ]
}

This forces someone unfamiliar with Venafi specific knowledge to craft a JSON file that will be accepted. Research, understand, test etc. The platform team may not need to use JSON for any other settings and could in theory not specify a policy at all, and rely on locked values of the parent zone.

The end goal may be:

resource "venafi_policy" "cloud_tenant_1" {
    zone = "Certificates\\Cloud Platform\\tenant-1"
    contacts = ["Albus", "Harry"]
}

Where all the relevant PKI controls are set in Certificates\\Cloud Platform, so no JSON settings are required. Or a completely bare template is generated within the provider resource and contacts inserted from argument reference into JSON on the terraform user's behalf. Therefore making it easier to use the terraform resource.

VENAFI EXPERIENCE

Raising on behalf of a customer's experience. Keen to make it easier for Cloud / Platform engineers to manage resources in more terraform native ways.

If this was a good user improvement, I would also suggest extracting some other commonly used parameters into native arguments for venafi_policy too. For example:

  • Allowed Domains:
  • Allow Wildcards:
  • Key Algorithm:
  • Key Strength (bits):
@hawksight hawksight added the enhancement New feature or request label Nov 7, 2024
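The multi-tenant iteration the issue describes can be done today without hand-writing JSON by letting Terraform build the policy specification. This is an added example, not code from the issue or from the provider project; it assumes that the undocumented "users" key shown above is where contacts belong, and the tenant names and zone paths are constructed placeholders.

```hcl
# Added example (not from the issue or the venafi provider). Assumes the
# "users" key of the policy specification JSON carries the contacts, as the
# issue's JSON snippet shows; tenant names and zone paths are constructed.
locals {
  # Constructed sample: one entry per tenant, contacts as plain identities.
  tenants = {
    "tenant-1" = { contacts = ["Albus", "Harry"] }
    "tenant-2" = { contacts = ["dave", "bob"] }
  }

  # Base specification shared by all tenants; "policy" and "defaults" stay
  # empty so the locked values of the parent zone apply, as the issue wants.
  base_policy = {
    policy   = {}
    defaults = {}
  }
}

resource "venafi_policy" "cloud_tenant" {
  for_each = local.tenants

  # Backslashes in the TPP folder path must be doubled in an HCL string.
  zone = "Certificates\\Cloud Platform\\${each.key}"

  # jsonencode handles the quoting and escaping of the contact names, so no
  # per-tenant JSON file or templatefile escaping is needed.
  policy_specification = jsonencode(merge(local.base_policy, {
    users = each.value.contacts
  }))
}
```

`terraform console` with `jsonencode(merge(local.base_policy, { users = ["Albus", "Harry"] }))` shows the exact JSON the provider will receive before anything is applied.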