plumb thru root cert tll to the aws ca provider (#11449)

* plumb thru root cert ttl to the aws ca provider Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11449.txt Co-authored-by: Dhia Ayachi <dhia@hashicorp.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
3 years ago · 61bd417a82
parent 25961355c1
commit 61bd417a82
5 changed files with 35 additions and 10 deletions
--- a/.changelog/11449.txt
+++ b/.changelog/11449.txt
@ -0,0 +1,3 @@
+```release-note:feature
+ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate.
+```
--- a/agent/connect/ca/provider_aws.go
+++ b/agent/connect/ca/provider_aws.go
@ -33,9 +33,6 @@ const (
 	// leaf cert.
 	LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"

-	// RootTTL is the validity duration for root certs we create.
-	AWSRootTTL = 5 * 365 * 24 * time.Hour
-
 	// IntermediateTTL is the validity duration for the intermediate certs we
 	// create.
 	AWSIntermediateTTL = 1 * 365 * 24 * time.Hour
@ -211,7 +208,7 @@ func (a *AWSProvider) ensureCA() error {
 	}

 	// Self-sign it as a root
-	certPEM, err := a.signCSR(csrPEM, RootTemplateARN, AWSRootTTL)
+	certPEM, err := a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)
 	if err != nil {
 		return err
 	}
--- a/agent/connect/ca/provider_aws_test.go
+++ b/agent/connect/ca/provider_aws_test.go
@ -5,6 +5,7 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"

 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/acmpca"
@ -41,6 +42,7 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
 			cfg := map[string]interface{}{
 				"PrivateKeyType": tc.KeyType,
 				"PrivateKeyBits": tc.KeyBits,
+				"RootCertTTL":    "8761h",
 			}
 			provider := testAWSProvider(t, testProviderConfigPrimary(t, cfg))
 			defer provider.Cleanup(true, nil)
@ -69,10 +71,37 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
 			require.Equal(tc.KeyType, keyType)
 			require.Equal(tc.KeyBits, keyBits)

+			// Ensure that the root cert ttl is withing the configured value
+			// computation is similar to how we are passing the TTL thru the aws client
+			expectedTime := time.Now().AddDate(0, 0, int(8761*60*time.Minute/day)).UTC()
+			require.WithinDuration(expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
+
 			// Sign a leaf with it
 			testSignAndValidate(t, provider, rootPEM, nil)
 		})
 	}
+
+	t.Run("Test default root ttl for aws ca provider", func(t *testing.T) {
+
+		provider := testAWSProvider(t, testProviderConfigPrimary(t, nil))
+		defer provider.Cleanup(true, nil)
+
+		// Generate the root
+		require.NoError(t, provider.GenerateRoot())
+
+		// Fetch Active Root
+		rootPEM, err := provider.ActiveRoot()
+		require.NoError(t, err)
+
+		// Ensure they use the right key type
+		rootCert, err := connect.ParseCert(rootPEM)
+		require.NoError(t, err)
+
+		// Ensure that the root cert ttl is withing the configured value
+		// computation is similar to how we are passing the TTL thru the aws client
+		expectedTime := time.Now().AddDate(0, 0, int(87600*60*time.Minute/day)).UTC()
+		require.WithinDuration(t, expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
+	})
 }

 func testSignAndValidate(t *testing.T, p Provider, rootPEM string, intermediatePEMs []string) {
--- a/website/content/docs/agent/options.mdx
+++ b/website/content/docs/agent/options.mdx
@ -1271,9 +1271,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
      Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
      intermediate certificate TTL.

-      This setting currently applies only to the consul connect and Vault CA providers. It is
-      ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
-      CA provider is 5 years and not configurable at this time.
+      This setting applies to all Consul CA providers.

      For the Vault provider, this value is only used if the backend is not initialized at first.

--- a/website/content/partials/http_api_connect_ca_common_options.mdx
+++ b/website/content/partials/http_api_connect_ca_common_options.mdx
@ -39,9 +39,7 @@ The following configuration options are supported by all CA providers:
  Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
  intermediate certificate TTL.

-  This setting currently applies only to the consul connect and Vault CA providers. It is
-  ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
-  CA provider is 5 years and not configurable at this time.
+  This setting applies to all Consul CA providers.

  For the Vault provider, this value is only used if the backend is not initialized at first.