Support configuring DNS SANs for X509 SVIDs using WorkloadIdentity re…

…source (#50676) (#50761) * Extend the protobuf * Wire up DNS SAN field to issuance code * Regenerate tfschema * Add DNS SANs to the audit event * Add test * Rename to x509 * Add test/check that validates hostname generated * Fix TS proto * Update lib/auth/machineid/workloadidentityv1/decision_test.go --------- Co-authored-by: Tim Buckley <tim@goteleport.com>
gravitational · Jan 6, 2025 · eeb8c7e · eeb8c7e
1 parent f438b5e
commit eeb8c7e
Show file tree

Hide file tree

Showing 9 changed files with 368 additions and 47 deletions.
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go
diff --git a/api/proto/teleport/workloadidentity/v1/resource.proto b/api/proto/teleport/workloadidentity/v1/resource.proto
@@ -60,6 +60,15 @@ message WorkloadIdentityRules {
   repeated WorkloadIdentityRule allow = 1;
 }
 
+// Configuration specific to the issuance of X509-SVIDs.
+message WorkloadIdentitySPIFFEX509 {
+  // The DNS Subject Alternative Names (SANs) that should be included in an
+  // X509-SVID issued using this WorkloadIdentity.
+  //
+  // Each entry in this list supports templating using attributes.
+  repeated string dns_sans = 1;
+}
+
 // Configuration pertaining to the issuance of SPIFFE-compatible workload
 // identity credentials.
 message WorkloadIdentitySPIFFE {
@@ -73,6 +82,8 @@ message WorkloadIdentitySPIFFE {
   // credential produced by this WorkloadIdentity. This can be used to provide
   // additional context that can be used to select between multiple credentials.
   string hint = 2;
+  // Configuration specific to X509-SVIDs.
+  WorkloadIdentitySPIFFEX509 x509 = 3;
 }
 
 // The spec for the WorkloadIdentity resource.

diff --git a/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx b/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx
@@ -66,4 +66,11 @@ Optional:
 
 - `hint` (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.
 - `id` (String) The path of the SPIFFE ID that will be issued to the workload.  This should be prefixed with a forward-slash ("/").  This field supports templating using attributes.
+- `x509` (Attributes) Configuration specific to X509-SVIDs. (see [below for nested schema](#nested-schema-for-specspiffex509))
+
+### Nested Schema for `spec.spiffe.x509`
+
+Optional:
+
+- `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity.  Each entry in this list supports templating using attributes.
 
diff --git a/docs/pages/reference/terraform-provider/resources/workload_identity.mdx b/docs/pages/reference/terraform-provider/resources/workload_identity.mdx
@@ -91,4 +91,11 @@ Optional:
 
 - `hint` (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.
 - `id` (String) The path of the SPIFFE ID that will be issued to the workload.  This should be prefixed with a forward-slash ("/").  This field supports templating using attributes.
+- `x509` (Attributes) Configuration specific to X509-SVIDs. (see [below for nested schema](#nested-schema-for-specspiffex509))
+
+### Nested Schema for `spec.spiffe.x509`
+
+Optional:
+
+- `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity.  Each entry in this list supports templating using attributes.