From f786749588d40688632716650832c030d09806ba Mon Sep 17 00:00:00 2001
From: Russel Vela
Date: Fri, 6 Oct 2023 13:59:41 -0600
Subject: [PATCH 1/2] feat(venafi-token): Prepares provider for venafi-token release

* Updates README.md with relevant information about the venafi-token provider
* Rolls back previous changes that are no longer necessary
* Updades CHANGELOG.md
---
 README.md | 14 ++++++++++++++
 venafi/provider.go | 5 +++++
 venafi/util.go | 3 ---
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 7df3bae..44e9dd6 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,11 @@ This solution adds certificate enrollment capabilities to [HashiCorp Terraform](
 
 ## Requirements
 
+### Protection of the terraform state file
+
+Make sure that you are protecting your terraform state file as per the best practices by Hashicorp: [https://developer.hashicorp.com/terraform/language/state/sensitive-data](https://developer.hashicorp.com/terraform/language/state/sensitive-data).
+This is an important step to prevent data breaches or leaks of sensitive data like usernames, passwords, tokens, secrets, etc.
+
 ### Venafi Trust Protection Platform
 
 Your certificate authority (CA) must be able to issue a certificate in
@@ -77,6 +82,15 @@ make changes to your system configuration, save the root certificate to a file
 in PEM format (e.g. /opt/venafi/bundle.pem) and include it using the `trust_bundle` parameter of your Venafi provider.
 
+### Trust Protection Platform Token Management
+The Venafi provider offers several authentication methods to Trust Protection Platform. All of them work by requesting
+an access token that will grant access to the REST API. Automation becomes complex to manage when access tokens are
+introduced as they have an expiration date. When that date is met, the token is no longer valid.
+
+A new [Venafi-token provider](https://registry.terraform.io/providers/Venafi/venafi-token/latest) has been released that
+allows customers to manage their access tokens. This way the Venafi provider will always have a valid token to use, and
+automation will not be disrupted by token expiration.
+
 ### Venafi as a Service
 
 If you are using Venafi as a Service, verify the following:
diff --git a/venafi/provider.go b/venafi/provider.go
index 5478069..7d9b575 100644
--- a/venafi/provider.go
+++ b/venafi/provider.go
@@ -185,6 +185,11 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 
 if !accessTokenMethod && !clientCertMethod && !userPassMethod && !apiKeyMethod && !devMode {
 tflog.Error(ctx, messageVenafiNoAuthProvided)
+ diags = append(diags, diag.Diagnostic{
+ Severity: diag.Error,
+ Summary: messageVenafiClientInitFailed,
+ Detail: fmt.Sprintf("%s: %s", messageVenafiConfigFailed, messageVenafiNoAuthProvided),
+ })
 return nil, diags
 }
 
diff --git a/venafi/util.go b/venafi/util.go
index 483f68c..855333e 100644
--- a/venafi/util.go
+++ b/venafi/util.go
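Review bot: The `tflog.Error(ctx, messageVenafiNoAuthProvided)` on the context line directly above the added `diags = append(...)` now reports the same condition the new error diagnostic carries, so the no-auth failure is handled at two layers inside providerConfigure; Terraform already surfaces error diagnostics to the operator, so the log call could be dropped or lowered to `tflog.Debug`. The reason this error is reinstated (the 0.17.2 CHANGELOG entry in this series says it rolls back the 0.17.1 removal) is not visible at the call site, so a comment such as `// Reject a configuration with no authentication method at configure time rather than at resource creation (restored in 0.17.2, see CHANGELOG).` would keep the next maintainer from reverting it again. The Detail string is built only from package constants, so nothing from the provider configuration block, which carries credentials, is echoed into the diagnostic. providerConfigure starts and continues outside the hunk, and the `!devMode` clause means a dev-mode configuration with no credentials still bypasses this check, presumably by design, but what meta that path returns is worth confirming.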
@@ -138,9 +138,6 @@ func getIssuerHint(is string) util.IssuerHint {
 func getConnection(ctx context.Context, meta interface{}) (endpoint.Connector, error) {
 tflog.Info(ctx, "Building Venafi Connector")
 
- if meta == nil {
- return nil, fmt.Errorf("%s: %s", messageVenafiClientInitFailed, messageVenafiNoAuthProvided)
- }
 
 cfg := meta.(*vcert.Config)
 cl, err := vcert.NewClient(cfg)

From ee08640c13c1cdabe0314dca1a41b834f8843225 Mon Sep 17 00:00:00 2001
From: Russel Vela
Date: Fri, 6 Oct 2023 18:26:25 -0600
Subject: [PATCH 2/2] feat(venafi-token): Updates CHANGELOG.md

---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b79c78..5cd233a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
+## 0.17.2 (October 6th, 2023)
+Rolls back the error removal from version v0.17.1
+
 ## 0.17.1 (October 2nd, 2023)
-Removes an error thrown during provider configuration. Instead the error is thrown at resource creation.
+Removes an error thrown during provider configuration. Instead, the error is thrown at resource creation.
 This work is necessary to allow the venafi-token provider to successfully manage the tokens of this provider.
 
 ## 0.17.0 (September 25, 2023)
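Review bot: With the nil guard deleted, `cfg := meta.(*vcert.Config)` on the context line after the removed block is an unchecked type assertion, so any configure path that still hands back a nil meta makes getConnection panic at resource creation instead of returning an error; the new check in providerConfigure (provider.go hunk of this same patch) is skipped when devMode is set, so such a path may still exist. A checked assertion keeps the failure an error without reintroducing the 0.17.1 behaviour: `cfg, ok := meta.(*vcert.Config)` followed by `if !ok || cfg == nil { return nil, fmt.Errorf("%s: %s", messageVenafiClientInitFailed, messageVenafiNoAuthProvided) }`. This assumes fmt remains imported in util.go after the deletion; the diffstat shows no import change, so it presumably is. getConnection's body continues past the end of the hunk.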