Venafi Certificate Management
Requesting Access
This is for special cases where automatic certificate creation is unavailable. Please do not request this access unless told to do so.
Groups:
AIDE_0085665_venafi
AIDE_0085665_venafi_read
Integration with Terraform Enterprise (TFE)
A proposed integration has been created, such that Venafi certificates can begin to be managed alongside the Azure VM's infrastructure-as-code (IaC) supporting Epic on Azure.
The integration takes shape primarily as a Github Action workflow. The initial work on this effort focuses on accomplishing the following tasks:
- Using a Github repo secret/Vault token, retrieve from Vault certificate material that has been pre-authorized by CyberArk for a user (svc_eoa_crt).
- With the pre-authorized certificate, request from CyberArk the svc_eoa_crt user password.
- With the svc_eoa_crt password, retrieve an access token from the Venafi API. This assumes that the given service account has already gone through the process of getting the correct AD group added for Venafi SDK Access.
- With the access token for Venafi in hand, update the TFE workspace such that an appropriate variable contains the value.
- Kick off the TFE workspace run.
Each of these steps is effectively one or more API calls, orchestrated by Github Actions as cURL commands in the Github Action yaml used by the TFE workspace's Github repo.
flowchart TD
subgraph VAULT_TO_TFE [GitHub Flow: Vault -> TFE]
A[Using token, retrieve certificate secret from Vault]
A --> B[Call CyberArk using client cert to get svc account password]
B --> C[Use svc account password to retrieve Venafi access token]
C --> D[Update Venafi access token in TFE workspace variable via API]
D --> E[Trigger TFE run via API]
end
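The five steps above as one script, added here as an illustration and not the team's own workflow code. The Vault KV v2, CyberArk CCP, Venafi TPP OAuth and TFE endpoints are the public ones for those products; the config keys, the Vault path, the TFE token in a repo secret, the `::add-mask::` step and the injectable transport are assumptions for this example. Secrets never reach stdout, the client key lands in a 0600 file, and the TFE variable is written as sensitive.

```python
import json, os, ssl, tempfile, urllib.request
SVC_USER = "svc_eoa_crt"  # service account named on the page
def mask(value):
    """GitHub Actions workflow command: redact this value in later log output."""
    print(f"::add-mask::{value}")
def http_json(method, url, headers=None, body=None, client_cert=None):
    """Real transport: one HTTPS request, JSON in, JSON out, optional mTLS."""
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(*client_cert)  # (cert_path, key_path)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
def run_pipeline(cfg, http=http_json):
    """Steps 1-5 of the workflow; `http` is injectable so it can run offline."""
    # 1. Vault KV v2 read with the token held as a repo secret (path is hypothetical).
    kv = http("GET", f"{cfg['vault_addr']}/v1/secret/data/{cfg['vault_path']}",
              headers={"X-Vault-Token": cfg["vault_token"]})["data"]["data"]
    workdir, paths = tempfile.mkdtemp(), []  # 0700 dir; key material never hits stdout
    for name in ("cert", "key"):
        path = os.path.join(workdir, name + ".pem")
        with open(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "w") as fh:
            fh.write(kv[name])
        paths.append(path)
    # 2. CyberArk CCP: mTLS with the pre-authorized cert returns the svc account password.
    ccp = http("GET", f"{cfg['cyberark_addr']}/AIMWebService/api/Accounts?AppID="
               f"{cfg['app_id']}&Safe={cfg['safe']}&Object={cfg['object']}",
               client_cert=tuple(paths))
    password = ccp["Content"]
    mask(password)
    # 3. Venafi TPP OAuth grant for the service account.
    tok = http("POST", f"{cfg['venafi_addr']}/vedauth/authorize/oauth",
               headers={"Content-Type": "application/json"},
               body={"username": SVC_USER, "password": password,
                     "client_id": cfg["client_id"], "scope": cfg["scope"]})
    access_token = tok["access_token"]
    mask(access_token)
    # 4. Write the token into the TFE workspace variable, sensitive so TFE redacts it.
    tfe_headers = {"Authorization": f"Bearer {cfg['tfe_token']}",
                   "Content-Type": "application/vnd.api+json"}
    http("PATCH", f"{cfg['tfe_addr']}/api/v2/vars/{cfg['var_id']}", headers=tfe_headers,
         body={"data": {"type": "vars", "id": cfg["var_id"],
                        "attributes": {"value": access_token, "sensitive": True}}})
    # 5. Trigger the workspace run; TFE only ever sees the short-lived Venafi token.
    run = http("POST", f"{cfg['tfe_addr']}/api/v2/runs", headers=tfe_headers,
               body={"data": {"type": "runs", "relationships": {"workspace": {
                   "data": {"type": "workspaces", "id": cfg["workspace_id"]}}}}})
    return run["data"]["id"]
```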
Departure from current state (4/8/2025)
The above TFE integration is a departure from the current paradigm, in which a given branch in a terraform Github repo for a given subscription is updated and a PR is then opened from that branch; that PR typically initiates a terraform plan in TFE, because those workspaces have typically been of the Version Control workflow type.
Instead, we would be looking to have the Github action initiated from a PR (so a Github action rather than a TFE workspace run), which would perform the API calls needed for steps 1-5 above and conclude with the TFE workspace being run with the correct value for the Venafi access token.
It is likely that most, if not all, of the TFE workspaces would need to be changed to reflect this, and developers would need to get accustomed to the fact that something different happens in the initial steps before a TFE workspace runs.