diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b79c78..5cd233a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
+## 0.17.2 (October 6th, 2023)
+Rolls back the error removal from version v0.17.1
+
 ## 0.17.1 (October 2nd, 2023)
-Removes an error thrown during provider configuration. Instead the error is thrown at resource creation.
+Removes an error thrown during provider configuration. Instead, the error is thrown at resource creation. This work is necessary to allow the venafi-token provider to successfully manage the tokens of this provider.
 ## 0.17.0 (September 25, 2023)
diff --git a/README.md b/README.md
index 7df3bae..44e9dd6 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,11 @@ This solution adds certificate enrollment capabilities to [HashiCorp Terraform](
 ## Requirements
+### Protection of the terraform state file
+
+Make sure that you are protecting your terraform state file as per the best practices by Hashicorp: [https://developer.hashicorp.com/terraform/language/state/sensitive-data](https://developer.hashicorp.com/terraform/language/state/sensitive-data).
+This is an important step to prevent data breaches or leaks of sensitive data like usernames, passwords, tokens, secrets, etc.
+
 ### Venafi Trust Protection Platform
 Your certificate authority (CA) must be able to issue a certificate in 
@@ -77,6 +82,15 @@ make changes to your system configuration, save the root certificate to a file in PEM format (e.g. /opt/venafi/bundle.pem) and include it using the `trust_bundle` parameter of your Venafi provider.
+### Trust Protection Platform Token Management
+The Venafi provider offers several authentication methods to Trust Protection Platform. All of them work by requesting
+an access token that will grant access to the REST API. Automation becomes complex to manage when access tokens are
+introduced as they have an expiration date. When that date is met, the token is no longer valid.
+
+A new [Venafi-token provider](https://registry.terraform.io/providers/Venafi/venafi-token/latest) has been released that
+allows customers to manage their access tokens. This way the Venafi provider will always have a valid token to use, and
+automation will not be disrupted by token expiration.
+
 ### Venafi as a Service
 If you are using Venafi as a Service, verify the following:
diff --git a/venafi/provider.go b/venafi/provider.go
index 5478069..7d9b575 100644
--- a/venafi/provider.go
+++ b/venafi/provider.go
@@ -185,6 +185,11 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 if !accessTokenMethod && !clientCertMethod && !userPassMethod && !apiKeyMethod && !devMode {
 tflog.Error(ctx, messageVenafiNoAuthProvided)
+ diags = append(diags, diag.Diagnostic{
+ Severity: diag.Error,
+ Summary: messageVenafiClientInitFailed,
+ Detail: fmt.Sprintf("%s: %s", messageVenafiConfigFailed, messageVenafiNoAuthProvided),
+ })
 return nil, diags
 }
diff --git a/venafi/util.go b/venafi/util.go
index 483f68c..855333e 100644
--- a/venafi/util.go
+++ b/venafi/util.go
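Review bot: With the `meta == nil` guard dropped from getConnection in the venafi/util.go hunk, the unconditional `cfg := meta.(*vcert.Config)` there is only safe because this diagnostic carries `Severity: diag.Error`, which presumably stops Terraform before any resource is handed a nil meta; nothing in either function records that coupling. A comment above the added append, `// Must stay diag.Error: getConnection no longer nil-checks meta before asserting *vcert.Config.`, would keep a later downgrade to a warning from turning a configuration mistake into a panic, and a two-value assertion `cfg, ok := meta.(*vcert.Config)` with an error return on `!ok` in getConnection would remove the dependency altogether. The `tflog.Error(ctx, messageVenafiNoAuthProvided)` just above now logs the same text that the Detail field returns to the user, so one of the two is likely redundant. providerConfigure begins before and ends after this hunk.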
@@ -138,9 +138,6 @@ func getIssuerHint(is string) util.IssuerHint {
 func getConnection(ctx context.Context, meta interface{}) (endpoint.Connector, error) {
 tflog.Info(ctx, "Building Venafi Connector")
- if meta == nil {
- return nil, fmt.Errorf("%s: %s", messageVenafiClientInitFailed, messageVenafiNoAuthProvided)
- }
 cfg := meta.(*vcert.Config)
 cl, err := vcert.NewClient(cfg)