ssh role add missing parameters

vault/resource_ssh_secret_backend_role.go

@@ -75,6 +75,14 @@ func sshSecretBackendRoleResource() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"default_extensions": {
+				Type:     schema.TypeMap,
+				Optional: true,
+			},
+			"default_critical_options": {
+				Type:     schema.TypeMap,
+				Optional: true,
+			},
 			"allowed_users": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -134,6 +142,14 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 		data["allowed_extensions"] = v.(string)
 	}
 
+	if v, ok := d.GetOk("default_extensions"); ok {
+		data["default_extensions"] = v
+	}
+
+	if v, ok := d.GetOk("default_critical_options"); ok {
+		data["default_critical_options"] = v
+	}
+
 	if v, ok := d.GetOk("allowed_users"); ok {
 		data["allowed_users"] = v.(string)
 	}
@@ -206,6 +222,8 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("allowed_critical_options", role.Data["allowed_critical_options"])
 	d.Set("allowed_domains", role.Data["allowed_domains"])
 	d.Set("allowed_extensions", role.Data["allowed_extensions"])
+	d.Set("default_extensions", role.Data["default_extensions"])
+	d.Set("default_critical_options", role.Data["default_critical_options"])
 	d.Set("allowed_users", role.Data["allowed_users"])
 	d.Set("default_user", role.Data["default_user"])
 	d.Set("key_id_format", role.Data["key_id_format"])

vault/resource_ssh_secret_backend_role_test.go

@@ -31,6 +31,8 @@ func TestAccSSHSecretBackendRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_critical_options", ""),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_domains", ""),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_extensions", ""),
+					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_extensions.%", "0"),
+					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_critical_options.%", "0"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_users", ""),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_user", ""),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "key_id_format", ""),
@@ -52,6 +54,8 @@ func TestAccSSHSecretBackendRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_critical_options", "foo,bar"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_domains", "example.com,foo.com"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_extensions", "ext1,ext2"),
+					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_extensions.ext1", ""),
+					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_critical_options.opt1", ""),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_users", "usr1,usr2"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_user", "usr"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "key_id_format", "{{role_name}}-test"),
@@ -85,6 +89,8 @@ func TestAccSSHSecretBackendRole_import(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_critical_options", "foo,bar"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_domains", "example.com,foo.com"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_extensions", "ext1,ext2"),
+					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_extensions.ext1", ""),
+					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_critical_options.opt1", ""),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_users", "usr1,usr2"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_user", "usr"),
 					resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "key_id_format", "{{role_name}}-test"),
@@ -155,6 +161,8 @@ resource "vault_ssh_secret_backend_role" "test_role" {
 	allowed_critical_options = "foo,bar"
 	allowed_domains          = "example.com,foo.com"
 	allowed_extensions       = "ext1,ext2"
+	default_extensions       = { "ext1" = "" }
+	default_critical_options = { "opt1" = "" }
 	allowed_users            = "usr1,usr2"
 	default_user             = "usr"
 	key_id_format            = "{{role_name}}-test"

website/docs/r/ssh_secret_backend_role.html.md

@@ -52,6 +52,10 @@ The following arguments are supported:
 
 * `allowed_extensions` - (Optional) Specifies a comma-separated list of extensions that certificates can have when signed.
 
+* `default_extensions` - (Optional) Specifies a map of extensions that certificates have when signed.
+
+* `default_critical_options` - (Optional) Specifies a map of critical options that certificates have when signed.
+
 * `allowed_users` - (Optional) Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
 
 * `default_user` - (Optional) Specifies the default username for which a credential will be generated.