This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!
The venafi-token
provider streamlines the process of rotating tokens from a Trust Protection Platform (TLSPDC)
instance. It provides a resource that allows tokens to be managed and rotated when they expire or a custom refresh
threshold (in days) is met.
Make sure that you are protecting your terraform state file as per the best practices by Hashicorp: https://developer.hashicorp.com/terraform/language/state/sensitive-data.
This is an important step to prevent data breaches or leaks of sensitive data like usernames, passwords, tokens, secrets, etc.
The Trust Protection Platform REST API (WebSDK) must be secured with a certificate. Generally, the certificate is issued by a CA that is not publicly trusted so establishing trust is a critical part of your setup.
Two methods can be used to establish trust. Both require the trust anchor
(root CA certificate) of the WebSDK certificate. If you have administrative
access, you can import the root certificate into the trust store for your
operating system. If you don't have administrative access, or prefer not to
make changes to your system configuration, save the root certificate to a file
in PEM format (e.g. /opt/venafi/bundle.pem) and include it using the
trust_bundle
parameter of your Venafi provider.
The venafi-token
Provider for HashiCorp Terraform is an officially verified integration. As such, releases are
published to the Terraform Registry where they are
available for terraform init
to automatically download whenever the provider is referenced by a configuration file.
No setup steps are required to use an official release of this provider other than to download and install Terraform
itself.
To use a pre-release or custom built version of this provider, manually install the plugin binary into
required directory using the prescribed
subdirectory structure
that must align with how the provider is referenced in the required_providers
block of the configuration file.
-
Declare the
venafi-token
provider as required for your plan:terraform { required_providers { venafi-token = { source = "Venafi/venafi-token" } } required_version = ">= 0.13" }
-
Declare a credential resource in your terraform plan:
resource "venafi-token_credential" "example" {}
-
Import the credential resource.
!> NOTE: It is very important that the resource is imported and not created. It holds sensitive data should not be displayed during the terraform plan.
!> Detailed documentation on how to build the import string can be found here.terraform import venafi-token_credential.example 'url=<value>,trust_bundle=<value>,refresh_token=<value>'
-
Assign the
access token
fromvenafi-token_credential.example
to the venafi provider block:provider "venafi" { alias = "tpp_token" url = var.TPP_URL zone = var.TPP_ZONE trust_bundle = file(var.TRUST_BUNDLE) access_token = venafi-token_credential.example.access_token }
-
Run your terraform plan:
terraform apply
Copyright © Venafi, Inc. All rights reserved.
This solution is licensed under the Mozilla Public License, Version 2.0. See LICENSE for the full license text.
Please direct questions/comments to [email protected].