Vault calls are not idempotent. Some of them are, and it's a nice thing to strive for, but not all can be. In that blog post, the specific calls that Seth was using were idempotent, but it is not a guarantee across Vault.
I'm happy to have the generate-root endpoint not create a cert if one already exists but there would also need to be a delete method added. If you're interested in adding such a feature it wouldn't be hard.
jefferai changed the title from "idempotent API calls" to "Make PKI generate-root idempotent" on Jul 31, 2017
I was under the impression that API calls are idempotent (as stated here https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration/).
In attempting to follow the above configuration guide I am trying to set up the PKI backend. Part of the configuration is to generate the root certificate.
vault write pki/root/generate/internal common_name=xxxx ttl=87600
However, if I run this multiple times it generates a new root certificate each time. That isn't idempotent and presents a problem in provisioning of Vault via Infrastructure as Code. Now I need to determine whether something has been done or not.
The version of Vault I am using is 0.7.0.
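One way to get the check-before-generate behaviour discussed in this thread from the provisioning side, as an added example (not code from the thread or from Vault). The function names and the use of `vault read -field=certificate <mount>/cert/ca` as the existence check are assumptions, as is the premise that a mount without a root returns no PEM certificate on stdout.

```shell
#!/bin/sh
# Added example: idempotent wrapper around the root-generation call from the issue.
# Assumptions (not from the thread): the function names, reading <mount>/cert/ca
# as the existence check, and that a missing root yields no PEM on stdout.

# Succeeds (0) only when the mount already serves a CA certificate.
pki_root_present() {
    _pem=$(vault read -field=certificate "$1/cert/ca" 2>/dev/null) || _pem=""
    case "$_pem" in
        *"BEGIN CERTIFICATE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ensure_pki_root MOUNT COMMON_NAME TTL
# Prints "unchanged" or "created"; returns non-zero on any failure.
ensure_pki_root() {
    # Refuse to decide anything if Vault is unreachable or sealed; otherwise a
    # failed read would be mistaken for "no root yet" and a new root minted.
    if ! vault status >/dev/null 2>&1; then
        echo "vault unreachable or sealed; not touching $1" >&2
        return 2
    fi
    if pki_root_present "$1"; then
        echo "unchanged"
        return 0
    fi
    # Same call as in the issue; stdout is discarded to keep it out of CI logs.
    vault write "$1/root/generate/internal" \
        common_name="$2" ttl="$3" >/dev/null || return 1
    # Confirm the write took effect before reporting success.
    pki_root_present "$1" || return 1
    echo "created"
}
```

A read denied by policy is indistinguishable here from a missing root, so the provisioning token needs read access to the mount's `cert/ca` path.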