
Feature request: Revoke cert automatically when vault_pki_secret_backend_cert resource is destroyed. #719

Closed
jesmg opened this issue Apr 7, 2020 · 7 comments · Fixed by #1411

jesmg commented Apr 7, 2020

Hello,

I'm using Vault for my internal PKI, and the Terraform provider for Vault in order to manage my certificates as code.

When I destroy a resource of type vault_pki_secret_backend_cert, it is deleted from the Terraform state, but the certificate will still be valid.

I believe the certificate should be automatically revoked when a resource of type vault_pki_secret_backend_cert is destroyed, since revocation is the equivalent of "deleting a certificate" in a PKI.

Thank you,
Regards!


pezhore commented May 4, 2020

I was surprised to see that this wasn't the default behavior - one would assume if the cert was requested to be destroyed the equivalent action would be to revoke the cert. Can anyone from Hashicorp weigh in on this?

@Elvirarp92

I got the same use case and I agree with the above posters - revoking the certificate should be the default behavior.

@aacecandev

I have a similar use case where, when deleting the certificate, I have to assume a manual step to revoke the certificate.

Please give some attention to this issue, and let's see if we can find a workaround or a better implementation.

Thanks in advance


115100 commented Jul 7, 2021

Do maintainers think this is a good idea? I can raise a PR if needed.


jesmg commented Jul 7, 2021

I have been using Vault as a PKI since this issue was opened (three instances, in fact) and I still think this feature is important to have.

@donwoodruff

I have to agree - I came here because I honestly couldn't believe that this was what a sane person would think was a good default. Perhaps, if there are scenarios where it is, an attribute to control whether the cert is killed in Vault when it is killed in Terraform would be a compromise (and it could even default to the current behavior).


jesmg commented Oct 31, 2021

I have sent a pull request solving the feature request. As suggested by @donwoodruff, I added an argument in order to deactivate this (or activate it; I really don't have any preference about the default value).
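An added audit script, not code from the provider or from anyone in this thread, that illustrates the gap the issue describes: it diffs two Terraform state files for vault_pki_secret_backend_cert serials and flags the ones that were removed from state but whose certificates Vault still reports as unrevoked. The state layout and the resource's serial_number attribute are the provider's; the Vault lookup is injected as a callable and fed with a constructed fixture here in place of `vault read -format=json pki/cert/<serial>`.

```python
"""Audit helper: list certificates that Terraform destroyed but that Vault
still reports as valid. Constructed example, not provider or issue code."""
import json
from typing import Callable, Dict, Set

RESOURCE_TYPE = "vault_pki_secret_backend_cert"


def cert_serials(state_json: str) -> Set[str]:
    """Collect serial_number of every vault_pki_secret_backend_cert instance
    in a Terraform state file (version 4 JSON layout)."""
    serials = set()
    for res in json.loads(state_json).get("resources", []):
        if res.get("type") != RESOURCE_TYPE:
            continue
        for inst in res.get("instances", []):
            serial = inst.get("attributes", {}).get("serial_number")
            if serial:
                serials.add(serial)
    return serials


def destroyed_but_valid(old_state: str, new_state: str,
                        read_cert: Callable[[str], Dict]) -> Set[str]:
    """Serials present in old_state, absent from new_state and not revoked.
    read_cert(serial) returns the 'data' object of
    `vault read -format=json <mount>/cert/<serial>`; Vault reports
    revocation_time == 0 for a certificate that was never revoked."""
    gone = cert_serials(old_state) - cert_serials(new_state)
    return {s for s in gone if int(read_cert(s).get("revocation_time", 0)) == 0}


# Constructed fixtures: two states (the "db" cert was destroyed in between)
# and a fake Vault mount in which nothing has been revoked.
OLD_STATE = json.dumps({"version": 4, "resources": [
    {"type": RESOURCE_TYPE, "name": "web", "instances": [
        {"attributes": {"serial_number": "39:dd:2e:90:b7:2f:01"}}]},
    {"type": RESOURCE_TYPE, "name": "db", "instances": [
        {"attributes": {"serial_number": "6a:13:c4:0e:88:51:9b"}}]}]})
NEW_STATE = json.dumps({"version": 4, "resources": [
    {"type": RESOURCE_TYPE, "name": "web", "instances": [
        {"attributes": {"serial_number": "39:dd:2e:90:b7:2f:01"}}]}]})
FAKE_VAULT = {"39:dd:2e:90:b7:2f:01": {"revocation_time": 0},
              "6a:13:c4:0e:88:51:9b": {"revocation_time": 0}}

if __name__ == "__main__":
    leaked = destroyed_but_valid(OLD_STATE, NEW_STATE, FAKE_VAULT.__getitem__)
    print("destroyed in Terraform but still valid in Vault:", sorted(leaked))
```

Run against real state files (`terraform state pull`) and a wrapper around the vault CLI, a non-empty result is exactly the situation the issue complains about.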
