venafi_certificate - Add on_destroy retire/revoke capability #162

Open
markekibbe opened this issue Jan 29, 2025 · 0 comments
Labels
enhancement New feature or request


markekibbe commented Jan 29, 2025

BUSINESS PROBLEM
Current state, the venafi_certificate resource only supports retire functionality on terraform destroy. Being able to support revocation via destroy would allow for increased capabilities for operations personnel. Some operations and policies require revocation over Venafi "Retire" capabilities.

This is noted in the venafi_provider resource documentation in a yellow note field.

PROPOSED SOLUTION
Remove this hard-coded functionality, and add to the venafi_certificate resource an "on_destroy_action" property.

This property would accept 1 of 2 values: <revoke|retire> with a resource default of retire to make this a non-breaking change for any existing implementations.

```hcl
resource "venafi_certificate" "webserver" {
    common_name       = "web.venafi.example"
    on_destroy_action = "revoke"
}
```

CURRENT ALTERNATIVES
Current solution is manual click-ops via operations teams.

@markekibbe markekibbe added the enhancement New feature or request label Jan 29, 2025