Merge pull request #42 from philips-software/feature/pki

HSDP PKI support
philips-software · Feb 4, 2021 · 5a93c5d · 5a93c5d
2 parents 7f11c3d + c66a1c2
commit 5a93c5d
Show file tree

Hide file tree

Showing 17 changed files with 931 additions and 31 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,7 @@
 *.out
 *.tf
 *.exe
+b.sh
 .swp
 .DS_Store
 terraform-provider-hsdp

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## v0.11.0
+- NEW: HSDP PKI initial support
+
 ## v0.10.0
 - NEW: DICOM config support
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax = docker/dockerfile:1-experimental
 
-ARG hsdp_provider_version=0.9.5
+ARG hsdp_provider_version=0.10.1
 FROM --platform=${BUILDPLATFORM} golang:1.16rc1-alpine3.13 AS build
 ARG TARGETOS
 ARG TARGETARCH

diff --git a/buildscript.sh b/buildscript.sh
diff --git a/docs/data-sources/pki_policy.md b/docs/data-sources/pki_policy.md
@@ -0,0 +1,22 @@
+# hsdp_pki_policy
+Retrieves the HSDP PKI Policy CA and CRL
+
+# Example Usage
+
+```hcl
+
+data "hsdp_pki_policy" "info" {
+}
+
+output "policy_ca" {
+  value = hsdp_pki_policy.info.ca_pem
+}
+```
+# Argument reference
+* `region` - (Optional) the HSDP PKI regional selection
+* `environment` - (Optional) the HSDP PKI environment to use [`client_test` | `prod`]
+
+# Attribute reference
+
+* `ca_pem` - The root CA in PEM format
+* `crl_pem` - The root CRL in PEM format
diff --git a/docs/data-sources/pki_root.md b/docs/data-sources/pki_root.md
@@ -0,0 +1,26 @@
+# hsdp_pki_root
+Retrieves the HSDP PKI Root CA and CRL
+
+# Example Usage
+
+```hcl
+
+data "hsdp_pki_root" "info" {
+}
+
+output "root_ca" {
+  value = hsdp_pki_root.info.ca_pem
+}
+
+output "root_crl" {
+  value = hsdp_pki_root.info.crl_pem
+}
+```
+# Argument reference
+* `region` - (Optional) the HSDP PKI regional selection
+* `environment` - (Optional) the HSDP PKI environment to use [`client_test` | `prod`]
+
+# Attribute reference
+
+* `ca_pem` - The root CA in PEM format
+* `crl_pem` - The root CRL in PEM format
diff --git a/docs/resources/dicom_store_config.md b/docs/resources/dicom_store_config.md
@@ -31,7 +31,6 @@ resource "hsdp_dicom_store_config" "dicom" {
   * `mpi_endpoint` - the FHIR mpi endpoint
 
 # Attribute reference
-* `data_management_url` - Data management API endpoint URL
 * `qido_url` - QIDO API endpoint URL
 * `stow_url` - STOW API endpoint URL
 * `wado_url` - WADO API endpoint URL
diff --git a/docs/resources/pki_cert.md b/docs/resources/pki_cert.md
@@ -0,0 +1,43 @@
+# hsdp_pki_cert
+Create and manage HSDP PKI leaf certificates
+
+## Example usage
+
+```hcl
+resource "hsdp_pki_cert" "cert" {
+  tenant_id = hsdp_pki_tenant.tenant.id
+  role      = "ec384"
+  
+  common_name = "myapp.com"
+  alt_name    = "myapp.io"
+  ip_sans     = []
+  uri_sans    = []
+  other_sans  = []
+  ttl         = "720h"
+  
+  exclude_cn_from_sans = false
+}
+```
+
+## Argument reference
+* `tenant_id` - (Required) The tenant ID to create this certificate under
+* `role` - (Required) the Role to use as defined under a PKI Tenant resource
+* `common_name` - (Required) The common name to use
+* `alt_name` - (Optional) Alternative name to use
+* `ip_sans` - (Optional, list(string)) A list of IP SANS to include
+* `uri_sans` - (Optional, list(string)) A list of URI SANS to include
+* `other_sans` - (Optional, list(string)) A list of other SANS to include
+* `ttl` - (Optional, string regex `[0-9]+[hms]$`) The TTL, example `720h` for 1 month
+* `exclude_cn_from_sans` - (Optional) Exclude common name from SAN 
+
+## Attribute reference
+* `cert_pem` - The certificate in PEM format
+* `private_key_pem` - The private key in PEM format
+* `issuing_ca_pem` - The issuing CA certicate in PEM format
+* `serial_number` - The certificate serial number (equal to resource ID)
+* `expiration` - (int) The Unix timestamp when the certificate will expire
+* `ca_chain_pem` - The full CA chain in PEM format
+
+## Importing
+Importing a HSDP PKI certificate is supported but not recommended as the private key will be missing,
+rendering the resource more or less useless in most cases. You can import a certificate using the serial number
diff --git a/docs/resources/pki_tenant.md b/docs/resources/pki_tenant.md
@@ -0,0 +1,68 @@
+# hsdp_pki_tenant
+
+Onboard tenant to PKI Service. Cloud foundry users with SpaceDeveloper role can onboard tenant
+
+> This resource is only available when `uaa_*` (Cloud foundry) and `iam` credentials are set
+
+## Example usage
+
+```hcl
+resource "hsdp_pki_tenant" "tenant" {
+  organization_name = "client-my-org"
+  space_name = "prod"
+  
+  iam_orgs = [
+    var.iam_org_id
+  ]
+  
+  ca {
+    common_name = "Common Name Here"
+  }
+  
+  role {
+    name = "ec384"
+    allow_any_name = true
+    allow_ip_sans = true
+    allow_subdomains = true
+    allowed_domains = []
+    allowed_other_sans = []
+    allowed_uri_sans = []
+    client_flag = true
+    server_flag = true
+    enforce_hostnames = false
+    key_bits = 384
+    key_type = "ec"
+  }
+}
+```
+
+## Argument reference 
+The following arguments are supported:
+
+* `organization_name` - (Required) The CF organization name to use
+* `space_name` - (Required) The CF space name to verify the user is part of
+* `role` - (Required) A role definition. Muliple roles are supported
+* `ca` - (Required) The Certificate Authority information to use.
+  * `common_name` - (Required) The common name to use
+
+Each `role` definition takes the following arguments:
+* `name` - (Required) The role name. This is used for lookup
+* `key_type` - (Required) The key type. Values [`ec`, `rsa`]
+* `key_bits` - (Required, int) Key length. Typically `384` for `ec` key types. 
+* `client_flags` - (Required, bool) Allow use on clients
+* `server_flags` - (Required, bool) Allow use on servers
+* `allow_any_name` - (Required, bool) Allow any name
+* `allow_ip_sans` - (Required, bool) Allow IP Subject Alternative Names (SAN)
+* `allow_subdomains` - (Required, bool) Allow subdomains to be created
+* `allow_any_name` - (Required, bool) Allow any name to be used
+* `allowed_domains` - (Optional, list(string)) List of allowed domains
+* `allowed_other_sans` - (Optional, list(string)) List of allowed other SANs
+* `allowed_uri_sans` - (Optional, list(string)) List of allowed URI SANs
+* `enforce_hostnames` - (Optional, bool) Enforce hostnames. Default: `false`
+
+## Attribute reference
+The following attributes are exported:
+
+* `id` - The HSDP PKI `logical_path` of the tenant. The Terraform provider uses this as the Tenant ID
+* `logical_path` - Same as `id`. This is for consistency.
+* `private_key_pem` - The private key in PEM format
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/herkyl/patchwerk v0.0.0-20190629103337-f0ea77068152
 	github.com/loafoe/easyssh-proxy/v2 v2.0.2
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
-	github.com/philips-software/go-hsdp-api v0.34.3-0.20210201100117-4907c0e61bdf
+	github.com/philips-software/go-hsdp-api v0.34.4
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.6.1
 	github.com/zclconf/go-cty v1.7.1 // indirect

diff --git a/go.sum b/go.sum
@@ -149,7 +149,6 @@ github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwc
 github.com/creachadair/staticfile v0.1.3/go.mod h1:a3qySzCIXEprDGxk6tSxSI+dBBdLzqeBOMhZ+o2d3pM=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA=
 github.com/daaku/go.zipexe v1.0.0/go.mod h1:z8IiR6TsVLEYKwXAoE/I+8ys/sDkgTzSL0CLnGVd57E=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -165,8 +164,6 @@ github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/elastic/go-sysinfo v1.1.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
-github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -436,7 +433,6 @@ github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
 github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
-github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -570,10 +566,8 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU=
-github.com/philips-software/go-hsdp-api v0.34.1 h1:hgP/mYeytKZ9DgUvMlrzAJgUtad6s7goVR4cV9vO7E0=
-github.com/philips-software/go-hsdp-api v0.34.1/go.mod h1:nqa3LCYKcRiiGlfSGV3hC8SEpEHPcWoBPp2l+bCtbME=
-github.com/philips-software/go-hsdp-api v0.34.3-0.20210201100117-4907c0e61bdf h1:KkFfNFB4iqCbmVdHtF8fGWZYGL3eGl0U/xaoeT7nHxU=
-github.com/philips-software/go-hsdp-api v0.34.3-0.20210201100117-4907c0e61bdf/go.mod h1:nqa3LCYKcRiiGlfSGV3hC8SEpEHPcWoBPp2l+bCtbME=
+github.com/philips-software/go-hsdp-api v0.34.4 h1:n84zqf4MUafzU9AWEqY+quwBgRJXjlG2yYc7G5I2UvQ=
+github.com/philips-software/go-hsdp-api v0.34.4/go.mod h1:vkJQW6KIyuPZ2mXpcSywrgey+KccZv/LTyfBGdevK9I=
 github.com/philips-software/go-hsdp-signer v1.3.0 h1:Si1voDE/GHzthmxpasPdntbu8aUW6EYJfI6gHVf7BCc=
 github.com/philips-software/go-hsdp-signer v1.3.0/go.mod h1:/QehZ/+Aks2t1TFpjhF/7ZSB8PJIIJHzLc03rOqwLw0=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
@@ -601,17 +595,14 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/serenize/snaker v0.0.0-20201027110005-a7ad2135616e/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs=
@@ -686,9 +677,6 @@ github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
 github.com/zclconf/go-cty v1.7.1 h1:AvsC01GMhMLFL8CgEYdHGM+yLnnDOwhPAYcgTkeF0Gw=
 github.com/zclconf/go-cty v1.7.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
-go.elastic.co/apm v1.8.0/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0=
-go.elastic.co/apm/module/apmhttp v1.8.0/go.mod h1:9LPFlEON51/lRbnWDfqAWErihIiAFDUMfMV27YjoWQ8=
-go.elastic.co/fastjson v1.0.0/go.mod h1:PmeUOMMtLHQr9ZS9J9owrAVg0FkaZDRZJEFTTGHtchs=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
@@ -856,7 +844,6 @@ golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1088,7 +1075,6 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
 k8s.io/api v0.17.3/go.mod h1:YZ0OTkuw7ipbe305fMpIdf3GLXZKRigjtZaV5gzC2J0=
 k8s.io/apiextensions-apiserver v0.17.3/go.mod h1:CJbCyMfkKftAd/X/V6OTHYhVn7zXnDdnkUjS1h0GTeY=
 k8s.io/apimachinery v0.17.3/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=

diff --git a/hsdp/config.go b/hsdp/config.go
@@ -10,6 +10,7 @@ import (
 	"github.com/philips-software/go-hsdp-api/console"
 	"github.com/philips-software/go-hsdp-api/dicom"
 	"github.com/philips-software/go-hsdp-api/iam"
+	"github.com/philips-software/go-hsdp-api/pki"
 	"github.com/philips-software/go-hsdp-api/s3creds"
 	"net/http"
 	"os"
@@ -36,11 +37,13 @@ type Config struct {
 	cartelClient     *cartel.Client
 	s3credsClient    *s3creds.Client
 	consoleClient    *console.Client
+	pkiClient        *pki.Client
 	debugFile        *os.File
 	credsClientErr   error
 	cartelClientErr  error
 	iamClientErr     error
 	consoleClientErr error
+	pkiClientErr     error
 	TimeZone         string
 
 	ma *jsonformat.Marshaller
@@ -62,6 +65,19 @@ func (c *Config) ConsoleClient() (*console.Client, error) {
 	return c.consoleClient, c.consoleClientErr
 }
 
+func (c *Config) PKIClient(regionEnvironment ...string) (*pki.Client, error) {
+	if len(regionEnvironment) == 2 && c.consoleClient != nil && c.iamClient != nil {
+		region := regionEnvironment[0]
+		environment := regionEnvironment[1]
+		return pki.NewClient(c.consoleClient, c.iamClient, &pki.Config{
+			Region:      region,
+			Environment: environment,
+			DebugLog:    c.DebugLog,
+		})
+	}
+	return c.pkiClient, c.pkiClientErr
+}
+
 func (c *Config) CredentialsClientWithLogin(username, password string) (*s3creds.Client, error) {
 	if c.iamClientErr != nil {
 		return nil, c.iamClientErr
@@ -239,3 +255,27 @@ func (c *Config) getDICOMConfigClient(url string) (*dicom.Client, error) {
 	}
 	return client, nil
 }
+
+func (c *Config) setupPKIClient() {
+	if c.iamClientErr != nil {
+		c.pkiClientErr = fmt.Errorf("IAM client error in setupPKIClient: %w", c.iamClientErr)
+		return
+	}
+	if c.consoleClientErr != nil {
+		c.pkiClientErr = fmt.Errorf("Console client error in setupPKIClient: %w", c.consoleClientErr)
+		return
+	}
+	client, err := pki.NewClient(c.consoleClient, c.iamClient, &pki.Config{
+		Region:      c.Region,
+		Environment: c.Environment,
+		DebugLog:    c.DebugLog,
+	})
+	if err != nil {
+		c.pkiClient = nil
+		c.pkiClientErr = err
+		return
+	}
+	c.pkiClient = client
+	c.pkiClientErr = nil
+	return
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ @@
     *.out
     *.tf
     *.exe
+    b.sh
     .swp
     .DS_Store
     terraform-provider-hsdp
@@ Expand Down @@