Skip to content

Commit

Permalink
Add self_managed_certificate_nonsensitive
Browse files Browse the repository at this point in the history
Signed-off-by: Andy Lo-A-Foe <[email protected]>
  • Loading branch information
loafoe committed Oct 9, 2024
1 parent fd0bee0 commit 2e67d17
Show file tree
Hide file tree
Showing 3 changed files with 132 additions and 25 deletions.
3 changes: 3 additions & 0 deletions docs/resources/iam_service.md
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,9 @@ The following arguments are supported:
* `self_managed_expires_on` - (Deprecated, Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
* `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service.
This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`
* `self_managed_certificate_nonsensitive` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service.
This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`


Check failure on line 86 in docs/resources/iam_service.md

View workflow job for this annotation

GitHub Actions / markdownlint

Multiple consecutive blank lines

docs/resources/iam_service.md:86 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md012.md

Check failure on line 86 in docs/resources/iam_service.md

View workflow job for this annotation

GitHub Actions / markdownlint

Multiple consecutive blank lines

docs/resources/iam_service.md:86 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.35.0/doc/md012.md
## Attributes Reference

Expand Down
57 changes: 32 additions & 25 deletions internal/services/iam/service/resource_iam_service.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ func ResourceIAMService() *schema.Resource {
Importer: &schema.ResourceImporter{
StateContext: schema.ImportStatePassthroughContext,
},
SchemaVersion: 5,
SchemaVersion: 6,
CreateContext: resourceIAMServiceCreate,
ReadContext: resourceIAMServiceRead,
UpdateContext: resourceIAMServiceUpdate,
Expand All @@ -43,6 +43,11 @@ func ResourceIAMService() *schema.Resource {
Upgrade: patchIAMServiceV4,
Version: 4,
},
{
Type: ResourceIAMServiceV5().CoreConfigSchema().ImpliedType(),
Upgrade: patchIAMServiceV5,
Version: 5,
},
},

Schema: map[string]*schema.Schema{
Expand Down Expand Up @@ -100,6 +105,15 @@ func ResourceIAMService() *schema.Resource {
Optional: true,
Description: "X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
"Mutually exclusive with `self_managed_private_key`",
ConflictsWith: []string{"self_managed_certificate_nonsensitive"},
},
"self_managed_certificate_nonsensitive": {
Type: schema.TypeString,
Sensitive: false,
Optional: true,
Description: "X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
"Mutually exclusive with `self_managed_certificate`",
ConflictsWith: []string{"self_managed_certificate"},
},
"private_key": {
Type: schema.TypeString,
Expand Down Expand Up @@ -162,15 +176,17 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
selfExpiresOn := d.Get("self_managed_expires_on").(string)
selfPrivateKey := d.Get("self_managed_private_key").(string)
selfCertificate := d.Get("self_managed_certificate").(string)
selfCertificateNS := d.Get("self_managed_certificate_nonsensitive").(string)
if selfCertificateNS != "" {
selfCertificate = selfCertificateNS
}

if selfPrivateKey == "" && selfExpiresOn != "" {
return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_expires_on' value without also specifying the 'self_managed_private_key'"))
}
if selfCertificate != "" && selfExpiresOn != "" {
return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_expires_on' value in combination with 'self_managed_certificate'"))
}
if selfCertificate != "" && selfPrivateKey != "" {
return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))
}

var createdService *iam.Service

Expand Down Expand Up @@ -201,7 +217,7 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
}
// Set certificate if set from publicKey
if selfCertificate != "" {
diags = setSelfManagedCertificate(client, *createdService, d)
diags = setSelfManagedCertificate(client, *createdService, selfCertificate)
if len(diags) > 0 {
_, _, _ = client.Services.DeleteService(*createdService) // Cleanup
return diags
Expand Down Expand Up @@ -316,23 +332,18 @@ func resourceIAMServiceUpdate(ctx context.Context, d *schema.ResourceData, m int
_, _, _ = client.Services.AddScopes(s, []string{}, toAdd)
}
}
if d.HasChange("self_managed_expires_on") || d.HasChange("self_managed_private_key") || d.HasChange("self_managed_certificate") {
_, newPrivateKey := d.GetChange("self_managed_private_key")
if d.HasChange("self_managed_certificate") ||
d.HasChange("self_managed_certificate_nonsensitive") {
_, newCertificate := d.GetChange("self_managed_certificate")
privateKey := d.Get("private_key").(string)
_, newCertificateNS := d.GetChange("self_managed_certificate_nonsensitive")
if newCertificateNS.(string) != "" {
newCertificate = newCertificateNS.(string)
}

if newPrivateKey.(string) == "" && newCertificate.(string) == "" && privateKey == "" {
if newCertificate.(string) == "" {
return resourceIAMServiceRead(ctx, d, m) // Don't update anything
}
if newCertificate.(string) != "" && newPrivateKey.(string) != "" {
return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))
}
if newPrivateKey.(string) != "" {
diags = setSelfManagedPrivateKey(client, s, d)
}
if newCertificate.(string) != "" {
diags = setSelfManagedCertificate(client, s, d)
}
diags = setSelfManagedCertificate(client, s, newCertificate.(string))
if len(diags) > 0 {
return diags
}
Expand Down Expand Up @@ -402,16 +413,15 @@ func setSelfManagedPrivateKey(client *iam.Client, service iam.Service, d *schema
return diags
}

func setSelfManagedCertificate(client *iam.Client, service iam.Service, d *schema.ResourceData) diag.Diagnostics {
func setSelfManagedCertificate(client *iam.Client, service iam.Service, selfCertificate string) diag.Diagnostics {
var diags diag.Diagnostics

selfCertificate := d.Get("self_managed_certificate").(string)
fixedPEM := iam.FixPEM(selfCertificate)
block, _ := pem.Decode([]byte(fixedPEM))
if block == nil {
block, _ = pem.Decode([]byte(selfCertificate)) // Try unmodified decode
if block == nil {
return diag.FromErr(fmt.Errorf("error decoding 'self_managed_certificate'"))
return diag.FromErr(fmt.Errorf("error decoding certificate"))
}
}
cert, err := x509.ParseCertificate(block.Bytes)
Expand All @@ -424,10 +434,7 @@ func setSelfManagedCertificate(client *iam.Client, service iam.Service, d *schem
}
_, _, err = client.Services.UpdateServiceCertificateDER(service, block.Bytes)
if err != nil {
return diag.FromErr(fmt.Errorf("setting certificate: %w", err))
}
if fixedPEM != "" {
_ = d.Set("private_key", nil)
return diag.FromErr(fmt.Errorf("error setting certificate: %w", err))
}
return diags
}
97 changes: 97 additions & 0 deletions internal/services/iam/service/resource_iam_service_v5.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
package service

import (
"context"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/philips-software/terraform-provider-hsdp/internal/tools"
)

// Upgrades an IAM Service resource from v4 to v5
func patchIAMServiceV5(_ context.Context, rawState map[string]interface{}, _ interface{}) (map[string]interface{}, error) {
if rawState == nil {
rawState = map[string]interface{}{}
}
return rawState, nil
}

func ResourceIAMServiceV5() *schema.Resource {
return &schema.Resource{
// This is only used for state migration, so the CRUD
// callbacks are no longer relevant
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
DiffSuppressFunc: tools.SuppressCaseDiffs,
},
"description": {
Type: schema.TypeString,
ForceNew: true,
Required: true,
},
"application_id": {
Type: schema.TypeString,
ForceNew: true,
Required: true,
},
"validity": {
Type: schema.TypeInt,
Optional: true,
Default: 12,
ForceNew: true,
ValidateFunc: validation.IntBetween(1, 600),
},
"token_validity": {
Type: schema.TypeInt,
Optional: true,
Default: 1800,
ValidateFunc: validation.IntBetween(0, 2592000),
},
"self_managed_private_key": {
Type: schema.TypeString,
Sensitive: true,
Optional: true,
},
"self_managed_certificate": {
Type: schema.TypeString,
Optional: true,
Deprecated: "Use 'self_managed_private_key' instead. This will be removed in a future version",
},
"private_key": {
Type: schema.TypeString,
Sensitive: true,
Computed: true,
},
"service_id": {
Type: schema.TypeString,
Computed: true,
},
"organization_id": {
Type: schema.TypeString,
Computed: true,
},
"expires_on": {
Type: schema.TypeString,
Optional: true,
Computed: true,
DiffSuppressFunc: tools.SuppressWhenGenerated,
},
"scopes": {
Type: schema.TypeSet,
MaxItems: 100,
MinItems: 1, // openid
Required: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"default_scopes": {
Type: schema.TypeSet,
MaxItems: 100,
MinItems: 1, // openid
Required: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
},
}
}

0 comments on commit 2e67d17

Please sign in to comment.