add option to revoke certificate with private key

CHANGELOG.md

@@ -1,6 +1,7 @@
 ## Unreleased
 
 FEATURES:
+* Add support for certificate revocation with `revoke_with_key` in `vault_pki_secret_backend_cert`
 * Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)).
 * Add support for `inheritable` on `vault_quota_rate_limit` and `vault_quota_lease_count`. Requires Vault 1.15+.: ([#2133](https://github.com/hashicorp/terraform-provider-vault/pull/2133)).
 * Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 

internal/consts/consts.go

@@ -325,6 +325,7 @@ const (
 	FieldUseCSRValues                  = "use_csr_values"
 	FieldCertificateBundle             = "certificate_bundle"
 	FieldRevoke                        = "revoke"
+	FieldRevokeWithKey                 = "revoke_with_key"
 	FieldPrivateKeyType                = "private_key_type"
 	FieldAddBasicConstraints           = "add_basic_constraints"
 	FieldExported                      = "exported"

vault/resource_pki_secret_backend_cert.go

@@ -172,6 +172,12 @@ func pkiSecretBackendCertResource() *schema.Resource {
 				Default:     false,
 				Description: "Revoke the certificate upon resource destruction.",
 			},
+			consts.FieldRevokeWithKey: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Revoke the certificate with private key method",
+			},
 			consts.FieldIssuerRef: {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -366,21 +372,33 @@ func pkiSecretBackendCertDelete(_ context.Context, d *schema.ResourceData, meta
 		}
 
 		backend := d.Get(consts.FieldBackend).(string)
-		path := strings.Trim(backend, "/") + "/revoke"
 
+		privateKey := d.Get(consts.FieldPrivateKey).(string)
 		serialNumber := d.Get(consts.FieldSerialNumber).(string)
 		commonName := d.Get(consts.FieldCommonName).(string)
+		revokeWithKey := d.Get(consts.FieldRevokeWithKey).(bool)
 		data := map[string]interface{}{
 			consts.FieldSerialNumber: serialNumber,
 		}
+		if revokeWithKey {
+			data["private_key"] = privateKey
+		}
+		var path string
+		if revokeWithKey {
+			path = strings.Trim(backend, "/") + "/revoke-with-key"
+		} else {
+			path = strings.Trim(backend, "/") + "/revoke"
+		}
 
 		log.Printf("[DEBUG] Revoking certificate %q with serial number %q on PKI secret backend %q",
 			commonName, serialNumber, backend)
 		_, err := client.Logical().Write(path, data)
+
 		if err != nil {
 			return diag.Errorf("error revoking certificate %q with serial number %q for PKI secret backend %q: %s",
 				commonName, serialNumber, backend, err)
 		}
+
 		log.Printf("[DEBUG] Successfully revoked certificate %q with serial number %q on PKI secret backend %q",
 			commonName,
 			serialNumber, backend)

vault/resource_pki_secret_backend_cert_test.go

@@ -30,6 +30,7 @@ type testPKICertStore struct {
 	expiration       int64
 	expirationWindow int64
 	expectRevoked    bool
+	revokeWithKey    bool
 }
 
 func TestPkiSecretBackendCert_basic(t *testing.T) {
@@ -54,7 +55,7 @@ func TestPkiSecretBackendCert_basic(t *testing.T) {
 		CheckDestroy:      testCheckMountDestroyed("vault_mount", consts.MountTypePKI, consts.FieldPath),
 		Steps: []resource.TestStep{
 			{
-				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, false),
+				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, false, false),
 				Check: resource.ComposeTestCheckFunc(
 					append(checks,
 						resource.TestCheckResourceAttr(resourceName, "revoke", "false"),
@@ -65,7 +66,7 @@ func TestPkiSecretBackendCert_basic(t *testing.T) {
 			},
 			{
 				// revoke the cert, expect a new one is re-issued
-				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, true),
+				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, true, false),
 				Check: resource.ComposeTestCheckFunc(
 					append(checks,
 						resource.TestCheckResourceAttr(resourceName, "revoke", "true"),
@@ -76,7 +77,7 @@ func TestPkiSecretBackendCert_basic(t *testing.T) {
 			},
 			{
 				// remove the cert to test revocation flow (expect no revocation)
-				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, false, false),
+				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, false, false, false),
 				Check: resource.ComposeTestCheckFunc(
 					testPKICertRevocation(intermediatePath, store),
 				),
@@ -86,17 +87,28 @@ func TestPkiSecretBackendCert_basic(t *testing.T) {
 					meta := testProvider.Meta().(*provider.ProviderMeta)
 					return !meta.IsAPISupported(provider.VaultVersion113), nil
 				},
-				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, false),
+				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, false, false),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "user_ids.0", "foo"),
 					resource.TestCheckResourceAttr(resourceName, "user_ids.1", "bar"),
 				),
 			},
+			{
+				// revoke the cert with key
+				Config: testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath, true, true, true),
+				Check: resource.ComposeTestCheckFunc(
+					append(checks,
+						resource.TestCheckResourceAttr(resourceName, "revoke", "true"),
+						testPKICertRevocation(intermediatePath, store),
+						testCapturePKICert(resourceName, store),
+					)...,
+				),
+			},
 		},
 	})
 }
 
-func testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath string, withCert, revoke bool) string {
+func testPkiSecretBackendCertConfig_basic(rootPath, intermediatePath string, withCert, revoke bool, revokeWithKey bool) string {
 	fragments := []string{
 		fmt.Sprintf(`
 resource "vault_mount" "test-root" {
@@ -178,8 +190,9 @@ resource "vault_pki_secret_backend_cert" "test" {
   ttl                   = "720h"
   min_seconds_remaining = 60
   revoke                = %t
+  revoke_with_key       = %t
 }
-`, revoke))
+`, revoke, revokeWithKey))
 	}
 
 	return strings.Join(fragments, "\n")

website/docs/r/pki_secret_backend_cert.html.md

@@ -69,6 +69,8 @@ The following arguments are supported:
 
 * `revoke` - If set to `true`, the certificate will be revoked on resource destruction. 
 
+* `revoke_with_key` - if set to `true`, use method `revoke-with-key` to revoke the certificate on resource destruction. Used to revoke certificate without using privileged operation.
+
 ## Attributes Reference
 
 In addition to the fields above, the following attributes are exported: