Support allowed_domains_template on vault_ssh_secret_backend_role #1675

Closed
laugmanuel opened this issue Nov 23, 2022 · 0 comments · Fixed by #1676
@laugmanuel
Contributor

Hi,

we've been using vault_ssh_secret_backend_role for a long time to manage an SSH secret engine for signing SSH host certs.
To limit the permissions of each server, we used templating inside allowed_domains. This has worked fine for the last few years.

Vault release 1.12.0 introduced a new field for that endpoint called allowed_domains_template (see hashicorp/vault#16056), which is set to false by default. Due to this behaviour change, the templating inside allowed_domains no longer works out of the box, and the hosts can't update their SSH host certs.

Terraform Version

not relevant

Affected Resource(s)

  • vault_ssh_secret_backend_role

Terraform Configuration Files

resource "vault_ssh_secret_backend_role" "server" {
  name                    = "server"
  backend                 = vault_mount.ssh.path
  key_type                = "ca"
  algorithm_signer        = "rsa-sha2-512"
  allow_host_certificates = true
  allowed_users_template  = true

  # this is missing at the moment
  # allowed_domains_template = true
 
  allow_bare_domains = true
  allowed_domains    = "{{ identity.entity.aliases.${vault_auth_backend.cert.accessor}.name }}"
}

Debug Output

not relevant

Panic Output

not relevant

Expected Behavior

The resource supports the new field

Actual Behavior

The resource does not support the field so far

Steps to Reproduce

  1. Update Vault to >= 1.12.0
  2. Use the above snippet to configure ssh_secret_backend_role with host certificates
  3. Log in using an SSH cert (cert auth backend) and try to sign the cert using the above method

Important Factoids

References

hashicorp/vault#16056
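As an added illustration (not Vault's own code and not part of this issue), the following Python is a simplified model of how the SSH secrets engine evaluates a requested host principal against a role's allowed_domains, with and without allowed_domains_template. The accessor value auth_cert_abc123, the entity alias names and the host names are constructed. It shows why the template string is matched as a literal domain when the flag is off, so no real hostname can ever match, and why, with the flag on, each server can only be issued a certificate for its own alias name and not for another host's.

```python
"""Simplified model of allowed_domains evaluation in Vault's SSH secrets
engine (illustration only, not Vault's implementation).

Real Vault applies identity templating to allowed_domains only when the
role has allowed_domains_template=true; otherwise the string is taken
literally. This model reproduces that distinction for one template form:
    {{ identity.entity.aliases.<accessor>.name }}
"""
import re
from dataclasses import dataclass

# Matches the identity template used in the issue and captures the auth
# mount accessor between "aliases." and ".name".
TEMPLATE_RE = re.compile(
    r"\{\{\s*identity\.entity\.aliases\.([^.\s]+)\.name\s*\}\}"
)


@dataclass
class Role:
    """Subset of the SSH role fields that matter for host principals."""
    allowed_domains: str
    allowed_domains_template: bool = False
    allow_bare_domains: bool = True
    allow_subdomains: bool = False


@dataclass
class Entity:
    """The calling identity: auth accessor -> alias name (constructed)."""
    alias_names: dict


def render_allowed_domains(role: Role, entity: Entity) -> list:
    """Return the list of allowed domains after (optional) templating."""
    text = role.allowed_domains
    if role.allowed_domains_template:
        # Substitute each template with the entity's alias name for that
        # accessor; an unknown accessor renders as an empty string.
        text = TEMPLATE_RE.sub(
            lambda m: entity.alias_names.get(m.group(1), ""), text
        )
    # allowed_domains is a comma-separated list in Vault.
    return [d.strip() for d in text.split(",") if d.strip()]


def principal_allowed(role: Role, entity: Entity, principal: str) -> bool:
    """Decide whether `principal` may appear in a host certificate."""
    for domain in render_allowed_domains(role, entity):
        if role.allow_bare_domains and principal == domain:
            return True
        if role.allow_subdomains and principal.endswith("." + domain):
            return True
    return False


# Constructed sample data: the cert auth mount accessor and two hosts whose
# client-certificate alias names equal their own FQDNs.
ACCESSOR = "auth_cert_abc123"
WEB01 = Entity(alias_names={ACCESSOR: "web01.example.com"})
DB01 = Entity(alias_names={ACCESSOR: "db01.example.com"})

TEMPLATE = "{{ identity.entity.aliases." + ACCESSOR + ".name }}"
ROLE_TEMPLATING_OFF = Role(allowed_domains=TEMPLATE, allowed_domains_template=False)
ROLE_TEMPLATING_ON = Role(allowed_domains=TEMPLATE, allowed_domains_template=True)


def demo() -> dict:
    """Collect the outcomes that illustrate the behaviour change."""
    return {
        "off_web01_for_itself": principal_allowed(ROLE_TEMPLATING_OFF, WEB01, "web01.example.com"),
        "on_web01_for_itself": principal_allowed(ROLE_TEMPLATING_ON, WEB01, "web01.example.com"),
        "on_web01_for_db01": principal_allowed(ROLE_TEMPLATING_ON, WEB01, "db01.example.com"),
        "on_db01_for_itself": principal_allowed(ROLE_TEMPLATING_ON, DB01, "db01.example.com"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

With templating off, the only "domain" in the role is the literal template text, so every real host is denied, which is the symptom described in the issue. With templating on, web01 can sign a certificate for web01.example.com but not for db01.example.com, which is the per-server least-privilege property the role was relying on.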
