terraform/builtin/providers/aws/resource_aws_iam_server_cer...

package aws

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"log"
	"strings"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/helper/schema"
)

func resourceAwsIAMServerCertificate() *schema.Resource {
	return &schema.Resource{
		Create: resourceAwsIAMServerCertificateCreate,
		Read:   resourceAwsIAMServerCertificateRead,
		Delete: resourceAwsIAMServerCertificateDelete,

		Schema: map[string]*schema.Schema{
			"certificate_body": &schema.Schema{
				Type:      schema.TypeString,
				Required:  true,
				ForceNew:  true,
				StateFunc: normalizeCert,
			},

			"certificate_chain": &schema.Schema{
				Type:      schema.TypeString,
				Optional:  true,
				ForceNew:  true,
				StateFunc: normalizeCert,
			},

			"path": &schema.Schema{
				Type:     schema.TypeString,
				Optional: true,
				Default:  "/",
				ForceNew: true,
			},

			"private_key": &schema.Schema{
				Type:      schema.TypeString,
				Required:  true,
				ForceNew:  true,
				StateFunc: normalizeCert,
			},

			"name": &schema.Schema{
				Type:          schema.TypeString,
				Optional:      true,
				Computed:      true,
				ForceNew:      true,
				ConflictsWith: []string{"name_prefix"},
				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
					value := v.(string)
					if len(value) > 128 {
						errors = append(errors, fmt.Errorf(
							"%q cannot be longer than 128 characters", k))
					}
					return
				},
			},

			"name_prefix": &schema.Schema{
				Type:     schema.TypeString,
				Optional: true,
				ForceNew: true,
				ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {
					value := v.(string)
					if len(value) > 30 {
						errors = append(errors, fmt.Errorf(
							"%q cannot be longer than 30 characters, name is limited to 128", k))
					}
					return
				},
			},

			"arn": &schema.Schema{
				Type:     schema.TypeString,
				Optional: true,
				Computed: true,
			},
		},
	}
}

func resourceAwsIAMServerCertificateCreate(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).iamconn

	var sslCertName string
	if v, ok := d.GetOk("name"); ok {
		sslCertName = v.(string)
	} else if v, ok := d.GetOk("name_prefix"); ok {
		sslCertName = resource.PrefixedUniqueId(v.(string))
	} else {
		sslCertName = resource.UniqueId()
	}

	createOpts := &iam.UploadServerCertificateInput{
		CertificateBody:       aws.String(d.Get("certificate_body").(string)),
		PrivateKey:            aws.String(d.Get("private_key").(string)),
		ServerCertificateName: aws.String(sslCertName),
	}

	if v, ok := d.GetOk("certificate_chain"); ok {
		createOpts.CertificateChain = aws.String(v.(string))
	}

	if v, ok := d.GetOk("path"); ok {
		createOpts.Path = aws.String(v.(string))
	}

	log.Printf("[DEBUG] Creating IAM Server Certificate with opts: %s", createOpts)
	resp, err := conn.UploadServerCertificate(createOpts)
	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			return fmt.Errorf("[WARN] Error uploading server certificate, error: %s: %s", awsErr.Code(), awsErr.Message())
		}
		return fmt.Errorf("[WARN] Error uploading server certificate, error: %s", err)
	}

	d.SetId(*resp.ServerCertificateMetadata.ServerCertificateId)
	d.Set("name", sslCertName)

	return resourceAwsIAMServerCertificateRead(d, meta)
}

func resourceAwsIAMServerCertificateRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).iamconn
	resp, err := conn.GetServerCertificate(&iam.GetServerCertificateInput{
		ServerCertificateName: aws.String(d.Get("name").(string)),
	})

	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			if awsErr.Code() == "NoSuchEntity" {
				log.Printf("[WARN] IAM Server Cert (%s) not found, removing from state", d.Id())
				d.SetId("")
				return nil
			}
			return fmt.Errorf("[WARN] Error reading IAM Server Certificate: %s: %s", awsErr.Code(), awsErr.Message())
		}
		return fmt.Errorf("[WARN] Error reading IAM Server Certificate: %s", err)
	}

	// these values should always be present, and have a default if not set in
	// configuration, and so safe to reference with nil checks
	d.Set("certificate_body", normalizeCert(resp.ServerCertificate.CertificateBody))

	c := normalizeCert(resp.ServerCertificate.CertificateChain)
	if c != "" {
		d.Set("certificate_chain", c)
	}

	d.Set("path", resp.ServerCertificate.ServerCertificateMetadata.Path)
	d.Set("arn", resp.ServerCertificate.ServerCertificateMetadata.Arn)

	return nil
}

func resourceAwsIAMServerCertificateDelete(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).iamconn
	log.Printf("[INFO] Deleting IAM Server Certificate: %s", d.Id())
	err := resource.Retry(3*time.Minute, func() *resource.RetryError {
		_, err := conn.DeleteServerCertificate(&iam.DeleteServerCertificateInput{
			ServerCertificateName: aws.String(d.Get("name").(string)),
		})

		if err != nil {
			if awsErr, ok := err.(awserr.Error); ok {
				if awsErr.Code() == "DeleteConflict" && strings.Contains(awsErr.Message(), "currently in use by arn") {
					log.Printf("[WARN] Conflict deleting server certificate: %s, retrying", awsErr.Message())
					return resource.RetryableError(err)
				}
				if awsErr.Code() == "NoSuchEntity" {
					log.Printf("[WARN] IAM Server Certificate (%s) not found, removing from state", d.Id())
					d.SetId("")
					return nil
				}
			}
			return resource.NonRetryableError(err)
		}
		return nil
	})

	if err != nil {
		return err
	}

	d.SetId("")
	return nil
}

func normalizeCert(cert interface{}) string {
	if cert == nil || cert == (*string)(nil) {
		return ""
	}

	switch cert.(type) {
	case string:
		hash := sha1.Sum([]byte(strings.TrimSpace(cert.(string))))
		return hex.EncodeToString(hash[:])
	case *string:
		hash := sha1.Sum([]byte(strings.TrimSpace(*cert.(*string))))
		return hex.EncodeToString(hash[:])
	default:
		return ""
	}
}
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`package aws`

			`import (`
			`"crypto/sha1"`
			`"encoding/hex"`
			`"fmt"`
provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00			`"log"`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`"strings"`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`"time"`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00
provider/aws: handle upstream aws-sdk-go repo move `awslabs/aws-sdk-go => aws/aws-sdk-go` Congrats to upstream on the promotion. :) 2015-06-03 20:36:57 +02:00			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/awserr"`
			`"github.com/aws/aws-sdk-go/service/iam"`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`"github.com/hashicorp/terraform/helper/resource"`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`"github.com/hashicorp/terraform/helper/schema"`
			`)`

			`func resourceAwsIAMServerCertificate() *schema.Resource {`
			`return &schema.Resource{`
			`Create: resourceAwsIAMServerCertificateCreate,`
			`Read: resourceAwsIAMServerCertificateRead,`
			`Delete: resourceAwsIAMServerCertificateDelete,`

			`Schema: map[string]*schema.Schema{`
			`"certificate_body": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`ForceNew: true,`
			`StateFunc: normalizeCert,`
			`},`

			`"certificate_chain": &schema.Schema{`
fmt 2015-06-24 07:31:24 +02:00			`Type: schema.TypeString,`
			`Optional: true,`
			`ForceNew: true,`
Normalize certificate chains as well as certificate bodies when creating AWS IAM SSL certificates 2015-06-21 07:40:09 +02:00			`StateFunc: normalizeCert,`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`},`

			`"path": &schema.Schema{`
provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00			`Type: schema.TypeString,`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`Optional: true,`
provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00			`Default: "/",`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`ForceNew: true,`
			`},`

			`"private_key": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`ForceNew: true,`
			`StateFunc: normalizeCert,`
			`},`

			`"name": &schema.Schema{`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`Type: schema.TypeString,`
			`Optional: true,`
			`Computed: true,`
			`ForceNew: true,`
			`ConflictsWith: []string{"name_prefix"},`
			`ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {`
			`value := v.(string)`
update name length 2016-02-18 00:03:31 +01:00			`if len(value) > 128 {`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`errors = append(errors, fmt.Errorf(`
update name length 2016-02-18 00:03:31 +01:00			`"%q cannot be longer than 128 characters", k))`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`}`
			`return`
			`},`
			`},`

			`"name_prefix": &schema.Schema{`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`Type: schema.TypeString,`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`Optional: true,`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`ForceNew: true,`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) {`
			`value := v.(string)`
update name length 2016-02-18 00:03:31 +01:00			`if len(value) > 30 {`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`errors = append(errors, fmt.Errorf(`
update name length 2016-02-18 00:03:31 +01:00			`"%q cannot be longer than 30 characters, name is limited to 128", k))`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`}`
			`return`
			`},`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`},`

			`"arn": &schema.Schema{`
			`Type: schema.TypeString,`
			`Optional: true,`
			`Computed: true,`
			`},`
			`},`
			`}`
			`}`

			`func resourceAwsIAMServerCertificateCreate(d *schema.ResourceData, meta interface{}) error {`
			`conn := meta.(*AWSClient).iamconn`

provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`var sslCertName string`
			`if v, ok := d.GetOk("name"); ok {`
			`sslCertName = v.(string)`
			`} else if v, ok := d.GetOk("name_prefix"); ok {`
			`sslCertName = resource.PrefixedUniqueId(v.(string))`
			`} else {`
			`sslCertName = resource.UniqueId()`
			`}`

provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`createOpts := &iam.UploadServerCertificateInput{`
			`CertificateBody: aws.String(d.Get("certificate_body").(string)),`
			`PrivateKey: aws.String(d.Get("private_key").(string)),`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`ServerCertificateName: aws.String(sslCertName),`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`}`

			`if v, ok := d.GetOk("certificate_chain"); ok {`
			`createOpts.CertificateChain = aws.String(v.(string))`
			`}`

provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00			`if v, ok := d.GetOk("path"); ok {`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`createOpts.Path = aws.String(v.(string))`
			`}`

provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00			`log.Printf("[DEBUG] Creating IAM Server Certificate with opts: %s", createOpts)`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`resp, err := conn.UploadServerCertificate(createOpts)`
			`if err != nil {`
			`if awsErr, ok := err.(awserr.Error); ok {`
			`return fmt.Errorf("[WARN] Error uploading server certificate, error: %s: %s", awsErr.Code(), awsErr.Message())`
			`}`
			`return fmt.Errorf("[WARN] Error uploading server certificate, error: %s", err)`
			`}`

provider/aws: Update to aws-sdk 0.9.0 rc1 2015-08-17 20:27:16 +02:00			`d.SetId(*resp.ServerCertificateMetadata.ServerCertificateId)`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`d.Set("name", sslCertName)`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00
			`return resourceAwsIAMServerCertificateRead(d, meta)`
			`}`

			`func resourceAwsIAMServerCertificateRead(d *schema.ResourceData, meta interface{}) error {`
			`conn := meta.(*AWSClient).iamconn`
			`resp, err := conn.GetServerCertificate(&iam.GetServerCertificateInput{`
			`ServerCertificateName: aws.String(d.Get("name").(string)),`
			`})`

			`if err != nil {`
			`if awsErr, ok := err.(awserr.Error); ok {`
provider/aws: Improve error handling in IAM Server Certificates (#6442) * provider/aws: Improve error handling in IAM Server Certificates * rename test, add additional empty check 2016-05-02 22:36:50 +02:00			`if awsErr.Code() == "NoSuchEntity" {`
			`log.Printf("[WARN] IAM Server Cert (%s) not found, removing from state", d.Id())`
			`d.SetId("")`
			`return nil`
			`}`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`return fmt.Errorf("[WARN] Error reading IAM Server Certificate: %s: %s", awsErr.Code(), awsErr.Message())`
			`}`
			`return fmt.Errorf("[WARN] Error reading IAM Server Certificate: %s", err)`
			`}`

			`// these values should always be present, and have a default if not set in`
			`// configuration, and so safe to reference with nil checks`
			`d.Set("certificate_body", normalizeCert(resp.ServerCertificate.CertificateBody))`
provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00
			`c := normalizeCert(resp.ServerCertificate.CertificateChain)`
			`if c != "" {`
			`d.Set("certificate_chain", c)`
			`}`

provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`d.Set("path", resp.ServerCertificate.ServerCertificateMetadata.Path)`
provider/aws: Update to aws-sdk 0.9.0 rc1 2015-08-17 20:27:16 +02:00			`d.Set("arn", resp.ServerCertificate.ServerCertificateMetadata.Arn)`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00
			`return nil`
			`}`

			`func resourceAwsIAMServerCertificateDelete(d *schema.ResourceData, meta interface{}) error {`
			`conn := meta.(*AWSClient).iamconn`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`log.Printf("[INFO] Deleting IAM Server Certificate: %s", d.Id())`
provider/aws: Improve error handling in IAM Server Certificates (#6442) * provider/aws: Improve error handling in IAM Server Certificates * rename test, add additional empty check 2016-05-02 22:36:50 +02:00			`err := resource.Retry(3time.Minute, func() resource.RetryError {`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`_, err := conn.DeleteServerCertificate(&iam.DeleteServerCertificateInput{`
			`ServerCertificateName: aws.String(d.Get("name").(string)),`
			`})`

			`if err != nil {`
			`if awsErr, ok := err.(awserr.Error); ok {`
			`if awsErr.Code() == "DeleteConflict" && strings.Contains(awsErr.Message(), "currently in use by arn") {`
provider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesprovider/aws: Update IAM Server Cert to allow name_prefix, auto generated namesdiff 2016-02-17 23:32:54 +01:00			`log.Printf("[WARN] Conflict deleting server certificate: %s, retrying", awsErr.Message())`
builtin: Refactor resource.Retry to clarify return Change the `RetryFunc` from a plain `error` return type to a specialized `RetryError` which must decide whether it is retryable or not. Add `RetryableError` / `NonRetryableError` factory functions that callers are meant to use to build up these errors. This makes it eminently clear whether or not a given error is retryable from inside the client code. Goal here is to _not_ change any behavior, simply reflect the existing behavior with the new, clearer, API. 2016-03-09 23:53:32 +01:00			`return resource.RetryableError(err)`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`}`
provider/aws: Improve error handling in IAM Server Certificates (#6442) * provider/aws: Improve error handling in IAM Server Certificates * rename test, add additional empty check 2016-05-02 22:36:50 +02:00			`if awsErr.Code() == "NoSuchEntity" {`
			`log.Printf("[WARN] IAM Server Certificate (%s) not found, removing from state", d.Id())`
			`d.SetId("")`
			`return nil`
			`}`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`}`
builtin: Refactor resource.Retry to clarify return Change the `RetryFunc` from a plain `error` return type to a specialized `RetryError` which must decide whether it is retryable or not. Add `RetryableError` / `NonRetryableError` factory functions that callers are meant to use to build up these errors. This makes it eminently clear whether or not a given error is retryable from inside the client code. Goal here is to _not_ change any behavior, simply reflect the existing behavior with the new, clearer, API. 2016-03-09 23:53:32 +01:00			`return resource.NonRetryableError(err)`
providers/aws: Retry deleting IAM Server Cert on dependency violation This will retry deleting a server cert if it throws an error about being in use with an ELB (that we've likely just deleted) Includes test for ELB+IAM SSL cert bug dependency violation 2015-11-12 22:15:47 +01:00			`}`
			`return nil`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`})`

			`if err != nil {`
			`return err`
			`}`

			`d.SetId("")`
			`return nil`
			`}`

			`func normalizeCert(cert interface{}) string {`
provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00			`if cert == nil \|\| cert == (*string)(nil) {`
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`return ""`
			`}`
provider/aws: Fix issue with IAM Server Certificates and Chains 2015-07-28 21:02:26 +02:00
provider/aws: Add IAM Server Certificate resource 2015-05-26 16:52:58 +02:00			`switch cert.(type) {`
			`case string:`
			`hash := sha1.Sum([]byte(strings.TrimSpace(cert.(string))))`
			`return hex.EncodeToString(hash[:])`
			`case *string:`
			`hash := sha1.Sum([]byte(strings.TrimSpace(cert.(string))))`
			`return hex.EncodeToString(hash[:])`
			`default:`
			`return ""`
			`}`
			`}`