feat: support default_extensions_template in SSH

CHANGELOG.md

@@ -10,6 +10,7 @@ FEATURES:
 * Update `vault_gcp_secret_impersonated_account` to support setting `ttl` ([#2318](https://github.com/hashicorp/terraform-provider-vault/pull/2318))
 * Add support for `connection_timeout` field for the `vault_ldap_auth_backend` resource ([#2358](https://github.com/hashicorp/terraform-provider-vault/pull/2358))
 * Add support for Rootless Configuration for Static Roles to Postgres DB ([#2341](https://github.com/hashicorp/terraform-provider-vault/pull/2341))
+* Add support for `default_extensions_template` field for the `vault_ssh_secret_backend_role` resource ([#2361](https://github.com/hashicorp/terraform-provider-vault/pull/2361))
 
 ## 4.4.0 (Aug 7, 2024)
 

internal/consts/consts.go

@@ -508,6 +508,7 @@ const (
 	/*
 		Vault version constants
 	*/
+	VaultVersion180 = "1.8.0"
 	VaultVersion190 = "1.9.0"
 	VaultVersion110 = "1.10.0"
 	VaultVersion111 = "1.11.0"

internal/provider/meta.go

@@ -35,6 +35,8 @@ const (
 var (
 	MaxHTTPRetriesCCC int
 
+	VaultVersion180 = version.Must(version.NewSemver(consts.VaultVersion110))
+	VaultVersion190 = version.Must(version.NewSemver(consts.VaultVersion190))
 	VaultVersion110 = version.Must(version.NewSemver(consts.VaultVersion110))
 	VaultVersion111 = version.Must(version.NewSemver(consts.VaultVersion111))
 	VaultVersion112 = version.Must(version.NewSemver(consts.VaultVersion112))

vault/resource_ssh_secret_backend_role.go

@@ -91,6 +91,11 @@ func sshSecretBackendRoleResource() *schema.Resource {
 			Type:     schema.TypeMap,
 			Optional: true,
 		},
+		"default_extensions_template": {
+			Type:     schema.TypeBool,
+			Optional: true,
+			Default:  false,
+		},
 		"default_critical_options": {
 			Type:     schema.TypeMap,
 			Optional: true,
@@ -243,6 +248,12 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 		data["default_extensions"] = v
 	}
 
+	if provider.IsAPISupported(meta, provider.VaultVersion180) {
+		if v, ok := d.GetOk("default_extensions_template"); ok {
+			data["default_extensions_template"] = v.(bool)
+		}
+	}
+
 	if v, ok := d.GetOk("default_critical_options"); ok {
 		data["default_critical_options"] = v
 	}
@@ -364,6 +375,10 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 		"max_ttl", "ttl", "algorithm_signer", "not_before_duration",
 	}
 
+	if provider.IsAPISupported(meta, provider.VaultVersion180) {
+		fields = append(fields, []string{"default_extensions_template"}...)
+	}
+
 	if provider.IsAPISupported(meta, provider.VaultVersion112) {
 		fields = append(fields, []string{"default_user_template", "allowed_domains_template"}...)
 	}

vault/resource_ssh_secret_backend_role_test.go

@@ -47,7 +47,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "algorithm_signer", "default"),
 		resource.TestCheckResourceAttr(resourceName, "max_ttl", "0"),
 		resource.TestCheckResourceAttr(resourceName, "ttl", "0"),
-		// 30s is the default value vault uese.
+		// 30s is the default value vault uses.
 		// https://developer.hashicorp.com/vault/api-docs/secret/ssh#not_before_duration
 		resource.TestCheckResourceAttr(resourceName, "not_before_duration", "30"),
 		resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "false"),
@@ -181,6 +181,33 @@ func TestAccSSHSecretBackendRole_template(t *testing.T) {
 	})
 }
 
+func TestAccSSHSecretBackendRole_extensionsTemplate(t *testing.T) {
+	backend := acctest.RandomWithPrefix("tf-test/ssh")
+	name := acctest.RandomWithPrefix("tf-test-role")
+	resourceName := "vault_ssh_secret_backend_role.test_role"
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion112)
+		},
+		CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSSHSecretBackendRoleConfig_extensionsTemplate(name, backend),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, "backend", backend),
+					resource.TestCheckResourceAttr(resourceName, "default_extensions.test_extension", "ssh-{{identity.entity.id}}-user"),
+					resource.TestCheckResourceAttr(resourceName, "default_extensions_template", "true"),
+				),
+			},
+			testutil.GetImportTestStep(resourceName, false, nil),
+		},
+	})
+}
+
 func testAccSSHSecretBackendRoleCheckDestroy(s *terraform.State) error {
 	for _, rs := range s.RootModule().Resources {
 		if rs.Type != "vault_ssh_secret_backend_role" {
@@ -251,28 +278,29 @@ resource "vault_mount" "example" {
 	}
 	fragments = append(fragments, fmt.Sprintf(`
 resource "vault_ssh_secret_backend_role" "test_role" {
-  name                     = "%s"
-  backend                  = vault_mount.example.path
-  allow_bare_domains       = true
-  allow_host_certificates  = true
-  allow_subdomains         = true
-  allow_user_certificates  = false
-  allow_user_key_ids       = true
-  allowed_critical_options = "foo,bar"
-  allowed_domains          = "example.com,foo.com"
-  allowed_domains_template = true
-  allowed_extensions       = "ext1,ext2"
-  default_extensions       = { "ext1" = "" }
-  default_critical_options = { "opt1" = "" }
-  allowed_users_template   = true
-  allowed_users            = "usr1,usr2"
-  default_user             = "usr"
-  key_id_format            = "{{role_name}}-test"
-  key_type                 = "ca"
-  algorithm_signer         = "rsa-sha2-256"
-  max_ttl                  = "86400"
-  ttl                      = "43200"
-  not_before_duration      = "3000"
+  name                        = "%s"
+  backend                     = vault_mount.example.path
+  allow_bare_domains          = true
+  allow_host_certificates     = true
+  allow_subdomains            = true
+  allow_user_certificates     = false
+  allow_user_key_ids          = true
+  allowed_critical_options    = "foo,bar"
+  allowed_domains             = "example.com,foo.com"
+  allowed_domains_template    = true
+  allowed_extensions          = "ext1,ext2"
+  default_extensions          = { "ext1" = "" }
+  default_extensions_template = true
+  default_critical_options    = { "opt1" = "" }
+  allowed_users_template      = true
+  allowed_users               = "usr1,usr2"
+  default_user                = "usr"
+  key_id_format               = "{{role_name}}-test"
+  key_type                    = "ca"
+  algorithm_signer            = "rsa-sha2-256"
+  max_ttl                     = "86400"
+  ttl                         = "43200"
+  not_before_duration         = "3000"
   %s
 `, name, extraFields))
 
@@ -330,3 +358,27 @@ resource "vault_ssh_secret_backend_role" "test_role" {
 
 	return config
 }
+
+func testAccSSHSecretBackendRoleConfig_extensionsTemplate(name, path string) string {
+	config := fmt.Sprintf(`
+resource "vault_mount" "example" {
+  path = "%s"
+  type = "ssh"
+}
+
+resource "vault_ssh_secret_backend_role" "test_role" {
+  name    = "%s"
+  backend = vault_mount.example.path
+  default_extensions = {
+	"test_extension" = "ssh-{{identity.entity.id}}-user"
+  }
+  default_extensions_template   = true
+  default_user                  = "ssh-user"
+  key_type                      = "ca"
+  allow_user_certificates       = true
+}
+
+`, path, name)
+
+	return config
+}

website/docs/r/ssh_secret_backend_role.html.md

@@ -73,6 +73,8 @@ The following arguments are supported:
 
 * `default_extensions` - (Optional) Specifies a map of extensions that certificates have when signed.
 
+* `default_extensions_template` - (Optional) If set, `default_extensions` can be specified using identity template values. A non-templated user is also permitted.
+
 * `default_critical_options` - (Optional) Specifies a map of critical options that certificates have when signed.
 
 * `allowed_users_template` - (Optional) Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.