From 88fb724af81224ba4f3e1b018d8d906f7b193f0e Mon Sep 17 00:00:00 2001
From: Karol Stepniewski
Date: Thu, 11 Feb 2016 22:56:11 -0800
Subject: [PATCH] Add optional cacert_file parameter to openstack provider
Official OpenStack clients support specifing custom CA certificate file that should be used when communicating with OpenStack server. This patch adds similar behavior to Terraform OpenStack provider, by:
- Using OS_CACERT environmental variable, if available
- Using cacert_file provider parameter, if configured
---
 builtin/providers/openstack/config.go | 21 +++++++++++++++++++++
 builtin/providers/openstack/provider.go | 6 ++++++
 2 files changed, 27 insertions(+)
diff --git a/builtin/providers/openstack/config.go b/builtin/providers/openstack/config.go
index f18465538..47ba00f85 100644
--- a/builtin/providers/openstack/config.go
+++ b/builtin/providers/openstack/config.go
@@ -2,7 +2,9 @@ package openstack
 import (
 "crypto/tls"
+ "crypto/x509"
 "fmt"
+ "io/ioutil"
 "net/http"
 "github.com/rackspace/gophercloud"
@@ -21,6 +23,7 @@ type Config struct {
 DomainName string
 Insecure bool
 EndpointType string
+ CACertFile string
 osClient *gophercloud.ProviderClient
 }
@@ -51,6 +54,24 @@ func (c *Config) loadAndValidate() error {
 return err
 }
+ if c.CACertFile != "" {
+
+ caCert, err := ioutil.ReadFile(c.CACertFile)
+ if err != nil {
+ return err
+ }
+
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
+ config := &tls.Config{
+ RootCAs: caCertPool,
+ }
+
+ transport := &http.Transport{TLSClientConfig: config}
+ client.HTTPClient.Transport = transport
+ }
+
 if c.Insecure {
 // Configure custom TLS settings.
 config := &tls.Config{InsecureSkipVerify: true}
diff --git a/builtin/providers/openstack/provider.go b/builtin/providers/openstack/provider.go
index 6d6845acb..cb198425e 100644
--- a/builtin/providers/openstack/provider.go
+++ b/builtin/providers/openstack/provider.go
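Review bot: In the config.go hunk on loadAndValidate, the result of `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a cacert_file that holds no parsable PEM certificate leaves an empty root pool and later TLS handshakes fail with a generic unknown-authority error that does not point at the file. Check the return value, for example `if !caCertPool.AppendCertsFromPEM(caCert) { return fmt.Errorf("no PEM certificates found in cacert_file %q", c.CACertFile) }`. The `if c.Insecure` block that follows appears to build its own TLS config with `InsecureSkipVerify: true`, which would presumably replace this transport and silently drop the CA pool when both options are set; rejecting or at least reporting that combination would make the outcome explicit. loadAndValidate starts and ends outside the hunk, so the rest of the insecure branch is not visible here.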
@@ -66,6 +66,11 @@ func Provider() terraform.ResourceProvider {
 Optional: true,
 DefaultFunc: envDefaultFuncAllowMissing("OS_ENDPOINT_TYPE"),
 },
+ "cacert_file": &schema.Schema{
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: envDefaultFuncAllowMissing("OS_CACERT"),
+ },
 },
 ResourcesMap: map[string]*schema.Resource{
@@ -108,6 +113,7 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 DomainName: d.Get("domain_name").(string),
 Insecure: d.Get("insecure").(bool),
 EndpointType: d.Get("endpoint_type").(string),
+ CACertFile: d.Get("cacert_file").(string),
 }
 if err := config.loadAndValidate(); err != nil {
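Review bot: The new `cacert_file` schema entry in Provider() carries no `Description`, and its trust semantics are not obvious from the name: per the config.go change in this patch the file's certificates are loaded into a fresh pool and set as `RootCAs`, so they become the only trusted roots rather than an addition to the system store. A line such as `Description: "Path to a PEM CA bundle used as the sole trust root for the OpenStack endpoint; defaults to OS_CACERT.",` would record that for users. The neighbouring `endpoint_type` entry visible here has no description either, so this may be a file-wide convention. The Provider() literal begins and ends outside the hunk.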