Description
We currently use a partner vault-pki engine plugin (https://developer.hashicorp.com/vault/integrations?filter=pki) and issue new certificates using the resources vault_pki_secret_backend_cert or vault_pki_secret_backend_sign. These both work as expected.
However, upon a destroy operation, these fail due to an inconsistency between the path used by the provider and the path expected by the vault-pki partner engine. The partner engine is expecting <backend>/revoke/<name>, but the vault provider simply performs <backend>/revoke.
At first I assumed this inconsistency was the partner's mistake and I set about trying to find documentation that describes the interface between the partner / community plugins but found very little documentation to support this.
However, I can see that issue and sign are consistent in their calculation of a path:
resource_pki_secret_backend_cert.go
func pkiSecretBackendCertPath(backend string, name string) string {
return strings.Trim(backend, "/") + "/issue/" + strings.Trim(name, "/")
}
resource_pki_secret_backend_sign.go
func pkiSecretBackendIssuePath(backend string, name string) string {
return strings.Trim(backend, "/") + "/sign/" + strings.Trim(name, "/")
}
but when it comes to revocation, it seems consistency went out the window:
if revokeWithKey {
data["private_key"] = d.Get(consts.FieldPrivateKey).(string)
path = strings.Trim(backend, "/") + "/revoke-with-key"
} else {
path = strings.Trim(backend, "/") + "/revoke"
}
Can we get the "name" added to the /revoke path so that it is consistent with the issue/sign operations? If this is breaking for the vault-pki engine (which I suspect it is), then can we add a boolean switch to allow this to happen, something like revokeWithName?
Can we also get some clear development guides created that demonstrate the expected interface between vault and engine plugins so that the interoperability with Terraform is not impacted?
Affected Resource(s) and/or Data Source(s)
No response
Potential Terraform Configuration
References
No response
Would you like to implement a fix?
None
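The following is an added example, not code from the terraform-provider-vault repository or from the issue author. It reproduces the two path builders quoted above and adds a hypothetical `pkiSecretBackendRevokePath` with the proposed `revokeWithName` switch, so the issue-vs-revoke inconsistency can be checked side by side. The function name `pkiSecretBackendRevokePath`, the `pathsConsistent` helper, and the way the name is appended after `/revoke-with-key` are all assumptions; only the `/issue/` and `/sign/` builders mirror what the issue quotes.

```go
package main

import (
	"fmt"
	"strings"
)

// pkiSecretBackendCertPath mirrors the builder quoted from
// resource_pki_secret_backend_cert.go: <backend>/issue/<name>.
func pkiSecretBackendCertPath(backend string, name string) string {
	return strings.Trim(backend, "/") + "/issue/" + strings.Trim(name, "/")
}

// pkiSecretBackendIssuePath mirrors the builder quoted from
// resource_pki_secret_backend_sign.go: <backend>/sign/<name>.
func pkiSecretBackendIssuePath(backend string, name string) string {
	return strings.Trim(backend, "/") + "/sign/" + strings.Trim(name, "/")
}

// pkiSecretBackendRevokePath is a hypothetical builder (assumption, not the
// provider's code). With revokeWithName=false it reproduces the current
// behaviour (<backend>/revoke or <backend>/revoke-with-key); with
// revokeWithName=true it appends the role name the same way issue/sign do.
// An empty name is never appended, so the path cannot end in a stray "/".
func pkiSecretBackendRevokePath(backend, name string, revokeWithKey, revokeWithName bool) string {
	path := strings.Trim(backend, "/") + "/revoke"
	if revokeWithKey {
		path += "-with-key"
	}
	if trimmed := strings.Trim(name, "/"); revokeWithName && trimmed != "" {
		path += "/" + trimmed
	}
	return path
}

// pathsConsistent reports whether the revoke path carries the same backend
// prefix and the same trailing role name as the issue and sign paths, which
// is the property the partner engine in the issue relies on.
func pathsConsistent(backend, name string, revokeWithKey, revokeWithName bool) bool {
	b := strings.Trim(backend, "/")
	n := strings.Trim(name, "/")
	revoke := pkiSecretBackendRevokePath(backend, name, revokeWithKey, revokeWithName)
	return strings.HasPrefix(pkiSecretBackendCertPath(backend, name), b+"/") &&
		strings.HasPrefix(pkiSecretBackendIssuePath(backend, name), b+"/") &&
		strings.HasPrefix(revoke, b+"/") &&
		strings.HasSuffix(revoke, "/"+n)
}

func main() {
	backend, name := "pki/", "/my-role/"
	fmt.Println("issue :", pkiSecretBackendCertPath(backend, name))
	fmt.Println("sign  :", pkiSecretBackendIssuePath(backend, name))
	for _, withName := range []bool{false, true} {
		fmt.Printf("revoke (revokeWithName=%v): %s  consistent=%v\n",
			withName,
			pkiSecretBackendRevokePath(backend, name, false, withName),
			pathsConsistent(backend, name, false, withName))
	}
}
```

Running it shows that with `revokeWithName=false` the revoke path loses the role segment that issue and sign carry, which is exactly the mismatch a `<backend>/revoke/<name>` engine would reject, while the switch restores it without changing the issue/sign builders.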