Have been engaging with Peter Fiddles via Customer Success Engineer
BUSINESS PROBLEM
We have been looking to consume the Terraform provider for Venafi to enable automation and update business processes for developers using TFC within our organisation. We have written a wrapper module that replaces manual checks for custom field and other metadata that requesters are required to provide so that we can streamline the registration authority's processes.
Via the provider config we have been able to utilise cloud native secrets management solutions to dynamically provide the trust bundle and client P12 password for consumers to utilise; however, we were not successfully able to provide the p12 file this way due to what we believe is how TFC operates, with files potentially not being present on the local runner's filesystem when dynamically being pulled at plan / apply stages.
We chose client cert authentication for our organisation after looking at the variety of mechanisms and found this was the best that suited our needs.
PROPOSED SOLUTION
Please investigate updating the venafi provider to allow for the client certificate p12 to be provided in a more dynamic fashion so that we can achieve our vision of providing a just in time access model to sensitive data and files.
CURRENT ALTERNATIVES
We are currently having to keep the p12 within our codebase so that it is then provided to the runner on execution within TFC.
VENAFI EXPERIENCE
We have utilised Venafi for approximately 10 years; however, automation of this kind has been something we have been pushing forward within the last 6-8 months as we adopt more DevOps and agile methods within our organisation. By providing this we can truly allow developers to move at speed, remove roadblocks of requiring manual stages within our certificate request process, and champion ongoing utilisation of such enterprise products.
The code looks good, but the files cert.p12 and cert-legacy.p12 still need to be added in order to get the added unit test working successfully... Also, a unit test to evaluate the code logic added in the func providerConfigure() is missing.