provider/digitalocean: Add support for certificates
Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty
This commit is contained in:
parent
6681a86211
commit
45ad54c816
|
@ -0,0 +1,119 @@
|
|||
package digitalocean
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/digitalocean/godo"
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
)
|
||||
|
||||
func resourceDigitalOceanCertificate() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
Create: resourceDigitalOceanCertificateCreate,
|
||||
Read: resourceDigitalOceanCertificateRead,
|
||||
Delete: resourceDigitalOceanCertificateDelete,
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"name": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"private_key": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"leaf_certificate": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"certificate_chain": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"not_after": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
|
||||
"sha1_fingerprint": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func buildCertificateRequest(d *schema.ResourceData) (*godo.CertificateRequest, error) {
|
||||
req := &godo.CertificateRequest{
|
||||
Name: d.Get("name").(string),
|
||||
PrivateKey: d.Get("private_key").(string),
|
||||
LeafCertificate: d.Get("leaf_certificate").(string),
|
||||
CertificateChain: d.Get("certificate_chain").(string),
|
||||
}
|
||||
|
||||
return req, nil
|
||||
}
|
||||
|
||||
func resourceDigitalOceanCertificateCreate(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*godo.Client)
|
||||
|
||||
log.Printf("[INFO] Create a Certificate Request")
|
||||
|
||||
certReq, err := buildCertificateRequest(d)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Certificate Create: %#v", certReq)
|
||||
cert, _, err := client.Certificates.Create(context.Background(), certReq)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error creating Certificate: %s", err)
|
||||
}
|
||||
|
||||
d.SetId(cert.ID)
|
||||
|
||||
return resourceDigitalOceanCertificateRead(d, meta)
|
||||
}
|
||||
|
||||
func resourceDigitalOceanCertificateRead(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*godo.Client)
|
||||
|
||||
log.Printf("[INFO] Reading the details of the Certificate %s", d.Id())
|
||||
cert, _, err := client.Certificates.Get(context.Background(), d.Id())
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error retrieving Certificate: %s", err)
|
||||
}
|
||||
|
||||
d.Set("name", cert.Name)
|
||||
d.Set("not_after", cert.NotAfter)
|
||||
d.Set("sha1_fingerprint", cert.SHA1Fingerprint)
|
||||
|
||||
return nil
|
||||
|
||||
}
|
||||
|
||||
func resourceDigitalOceanCertificateDelete(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*godo.Client)
|
||||
|
||||
log.Printf("[INFO] Deleting Certificate: %s", d.Id())
|
||||
_, err := client.Certificates.Delete(context.Background(), d.Id())
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error deleting Certificate: %s", err)
|
||||
}
|
||||
|
||||
d.SetId("")
|
||||
return nil
|
||||
|
||||
}
|
|
@ -0,0 +1,117 @@
|
|||
package digitalocean
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/digitalocean/godo"
|
||||
"github.com/hashicorp/terraform/helper/acctest"
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
)
|
||||
|
||||
func TestAccDigitalOceanCertificate_Basic(t *testing.T) {
|
||||
var cert godo.Certificate
|
||||
rInt := acctest.RandInt()
|
||||
leafCertMaterial, privateKeyMaterial, err := acctest.RandTLSCert("Acme Co")
|
||||
if err != nil {
|
||||
t.Fatalf("Cannot generate test TLS certificate: %s", err)
|
||||
}
|
||||
rootCertMaterial, _, err := acctest.RandTLSCert("Acme Go")
|
||||
if err != nil {
|
||||
t.Fatalf("Cannot generate test TLS certificate: %s", err)
|
||||
}
|
||||
certChainMaterial := fmt.Sprintf("%s\n%s", strings.TrimSpace(rootCertMaterial), leafCertMaterial)
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckDigitalOceanCertificateDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
ExpectNonEmptyPlan: true,
|
||||
Config: testAccCheckDigitalOceanCertificateConfig_basic(rInt, privateKeyMaterial, leafCertMaterial, certChainMaterial),
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckDigitalOceanCertificateExists("digitalocean_certificate.foobar", &cert),
|
||||
resource.TestCheckResourceAttr(
|
||||
"digitalocean_certificate.foobar", "name", fmt.Sprintf("certificate-%d", rInt)),
|
||||
resource.TestCheckResourceAttr(
|
||||
"digitalocean_certificate.foobar", "private_key", fmt.Sprintf("%s\n", privateKeyMaterial)),
|
||||
resource.TestCheckResourceAttr(
|
||||
"digitalocean_certificate.foobar", "leaf_certificate", fmt.Sprintf("%s\n", leafCertMaterial)),
|
||||
resource.TestCheckResourceAttr(
|
||||
"digitalocean_certificate.foobar", "certificate_chain", fmt.Sprintf("%s\n", certChainMaterial)),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckDigitalOceanCertificateDestroy(s *terraform.State) error {
|
||||
client := testAccProvider.Meta().(*godo.Client)
|
||||
|
||||
for _, rs := range s.RootModule().Resources {
|
||||
if rs.Type != "digitalocean_certificate" {
|
||||
continue
|
||||
}
|
||||
|
||||
_, _, err := client.Certificates.Get(context.Background(), rs.Primary.ID)
|
||||
|
||||
if err != nil && !strings.Contains(err.Error(), "404") {
|
||||
return fmt.Errorf(
|
||||
"Error waiting for certificate (%s) to be destroyed: %s",
|
||||
rs.Primary.ID, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func testAccCheckDigitalOceanCertificateExists(n string, cert *godo.Certificate) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
rs, ok := s.RootModule().Resources[n]
|
||||
if !ok {
|
||||
return fmt.Errorf("Not found: %s", n)
|
||||
}
|
||||
|
||||
if rs.Primary.ID == "" {
|
||||
return fmt.Errorf("No Certificate ID is set")
|
||||
}
|
||||
|
||||
client := testAccProvider.Meta().(*godo.Client)
|
||||
|
||||
c, _, err := client.Certificates.Get(context.Background(), rs.Primary.ID)
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if c.ID != rs.Primary.ID {
|
||||
return fmt.Errorf("Certificate not found")
|
||||
}
|
||||
|
||||
*cert = *c
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func testAccCheckDigitalOceanCertificateConfig_basic(rInt int, privateKeyMaterial, leafCert, certChain string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "digitalocean_certificate" "foobar" {
|
||||
name = "certificate-%d"
|
||||
private_key = <<EOF
|
||||
%s
|
||||
EOF
|
||||
|
||||
leaf_certificate = <<EOF
|
||||
%s
|
||||
EOF
|
||||
|
||||
certificate_chain = <<EOF
|
||||
%s
|
||||
EOF
|
||||
}`, rInt, privateKeyMaterial, leafCert, certChain)
|
||||
}
|
|
@ -1,13 +1,14 @@
|
|||
package acctest
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
crand "crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"math/rand"
|
||||
"strings"
|
||||
"time"
|
||||
|
@ -58,23 +59,71 @@ func RandStringFromCharSet(strlen int, charSet string) string {
|
|||
// RandSSHKeyPair generates a public and private SSH key pair. The public key is
|
||||
// returned in OpenSSH format, and the private key is PEM encoded.
|
||||
func RandSSHKeyPair(comment string) (string, string, error) {
|
||||
privateKey, err := rsa.GenerateKey(crand.Reader, 1024)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
var privateKeyBuffer bytes.Buffer
|
||||
privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
|
||||
if err := pem.Encode(bufio.NewWriter(&privateKeyBuffer), privateKeyPEM); err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
privateKey, privateKeyPEM, err := genPrivateKey()
|
||||
|
||||
publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
keyMaterial := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(publicKey)))
|
||||
return fmt.Sprintf("%s %s", keyMaterial, comment), privateKeyBuffer.String(), nil
|
||||
return fmt.Sprintf("%s %s", keyMaterial, comment), privateKeyPEM, nil
|
||||
}
|
||||
|
||||
// RandTLSCert generates a self-signed TLS certificate with a newly created
|
||||
// private key, and returns both the cert and the private key PEM encoded.
|
||||
func RandTLSCert(orgName string) (string, string, error) {
|
||||
template := &x509.Certificate{
|
||||
SerialNumber: big.NewInt(int64(RandInt())),
|
||||
Subject: pkix.Name{
|
||||
Organization: []string{orgName},
|
||||
},
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().Add(24 * time.Hour),
|
||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
|
||||
privateKey, privateKeyPEM, err := genPrivateKey()
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
cert, err := x509.CreateCertificate(crand.Reader, template, template, &privateKey.PublicKey, privateKey)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
certPEM, err := pemEncode(cert, "CERTIFICATE")
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
return certPEM, privateKeyPEM, nil
|
||||
}
|
||||
|
||||
func genPrivateKey() (*rsa.PrivateKey, string, error) {
|
||||
privateKey, err := rsa.GenerateKey(crand.Reader, 1024)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
privateKeyPEM, err := pemEncode(x509.MarshalPKCS1PrivateKey(privateKey), "RSA PRIVATE KEY")
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
return privateKey, privateKeyPEM, nil
|
||||
}
|
||||
|
||||
func pemEncode(b []byte, block string) (string, error) {
|
||||
var buf bytes.Buffer
|
||||
pb := &pem.Block{Type: block, Bytes: b}
|
||||
if err := pem.Encode(&buf, pb); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return buf.String(), nil
|
||||
}
|
||||
|
||||
// Seeds random with current timestamp
|
||||
|
|
Loading…
Reference in New Issue