forked from cloudflare/terraform-provider-cloudflare
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GIN-341: add teams certificates to Gateway and to Gateway account con…
…figuration
- Loading branch information
Showing
8 changed files
with
381 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:new-resource | ||
resource/teams-certificate: add teams certificates to Gateway and Gateway account configurations | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
90 changes: 90 additions & 0 deletions
90
internal/sdkv2provider/resource_cloudflare_teams_certificate_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
package sdkv2provider | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"os" | ||
"testing" | ||
|
||
"github.com/cloudflare/cloudflare-go" | ||
"github.com/cloudflare/terraform-provider-cloudflare/internal/consts" | ||
"github.com/hashicorp/terraform-plugin-testing/helper/resource" | ||
"github.com/hashicorp/terraform-plugin-testing/terraform" | ||
) | ||
|
||
func TestAccCloudflareTeamsCertificate_Basic(t *testing.T) { | ||
// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the Access | ||
// service does not yet support the API tokens and it results in | ||
// misleading state error messages. | ||
if os.Getenv("CLOUDFLARE_API_TOKEN") != "" { | ||
t.Setenv("CLOUDFLARE_API_TOKEN", "") | ||
} | ||
|
||
rnd := generateRandomResourceName() | ||
name := fmt.Sprintf("cloudflare_zero_trust_gateway_certificate.%s", rnd) | ||
|
||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { | ||
testAccPreCheck(t) | ||
}, | ||
ProviderFactories: providerFactories, | ||
CheckDestroy: testAccCheckCloudflareTeamsCertificateDestroy, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccCloudflareTeamsCertificateCustomBasic(rnd, accountID), | ||
Check: resource.ComposeTestCheckFunc( | ||
resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID), | ||
resource.TestCheckResourceAttr(name, "id", rnd), | ||
resource.TestCheckResourceAttr(name, "binding_status", "inactive"), | ||
resource.TestCheckResourceAttr(name, "gateway_managed", "false"), | ||
), | ||
}, | ||
{ | ||
Config: testAccCloudflareTeamsCertificateManagedBasic(rnd, accountID), | ||
Check: resource.ComposeTestCheckFunc( | ||
resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID), | ||
resource.TestCheckResourceAttr(name, "id", rnd), | ||
resource.TestCheckResourceAttr(name, "binding_status", "inactive"), | ||
resource.TestCheckResourceAttr(name, "custom", "false"), | ||
), | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccCloudflareTeamsCertificateCustomBasic(rnd, accountID string) string { | ||
return fmt.Sprintf(` | ||
resource "cloudflare_zero_trust_gateway_certificate" "%[1]s" { | ||
account_id = "%[2]s" | ||
custom = true | ||
id = "%[1]s" | ||
} | ||
`, rnd, accountID) | ||
} | ||
|
||
func testAccCloudflareTeamsCertificateManagedBasic(rnd, accountID string) string { | ||
return fmt.Sprintf(` | ||
resource "cloudflare_zero_trust_gateway_certificate" "%[1]s" { | ||
account_id = "%[2]s" | ||
gateway_managed = true | ||
} | ||
`, rnd, accountID) | ||
} | ||
|
||
func testAccCheckCloudflareTeamsCertificateDestroy(s *terraform.State) error { | ||
client := testAccProvider.Meta().(*cloudflare.API) | ||
|
||
for _, rs := range s.RootModule().Resources { | ||
if rs.Type != "cloudflare_zero_trust_gateway_certificate" { | ||
continue | ||
} | ||
|
||
accountID = rs.Primary.Attributes[consts.AccountIDSchemaKey] | ||
_, err := client.TeamsCertificate(context.Background(), accountID, rs.Primary.ID) | ||
if err == nil { | ||
return fmt.Errorf("Teams Certificate still exists") | ||
} | ||
} | ||
|
||
return nil | ||
} |
150 changes: 150 additions & 0 deletions
150
internal/sdkv2provider/resource_cloudflare_teams_certificates.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,150 @@ | ||
package sdkv2provider | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
"strings" | ||
"time" | ||
|
||
"github.com/MakeNowJust/heredoc/v2" | ||
cloudflare "github.com/cloudflare/cloudflare-go" | ||
"github.com/cloudflare/terraform-provider-cloudflare/internal/consts" | ||
"github.com/hashicorp/terraform-plugin-log/tflog" | ||
"github.com/hashicorp/terraform-plugin-sdk/v2/diag" | ||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
) | ||
|
||
func resourceCloudflareTeamsCertificate() *schema.Resource { | ||
return &schema.Resource{ | ||
Schema: resourceCloudflareTeamsCertificateSchema(), | ||
CreateContext: resourceCloudflareTeamsCertificateCreate, | ||
UpdateContext: resourceCloudflareTeamsCertificateUpdate, | ||
ReadContext: resourceCloudflareTeamsCertificateRead, | ||
DeleteContext: resourceCloudflareTeamsCertificateDelete, | ||
Importer: &schema.ResourceImporter{ | ||
StateContext: resourceCloudflareTeamsCertificateImport, | ||
}, | ||
Description: heredoc.Doc(` | ||
Provides a Cloudflare Teams Gateway Certificate resource. A Teams Certificate can | ||
be specified for Gateway TLS interception and block pages. | ||
`), | ||
} | ||
} | ||
|
||
func resourceCloudflareTeamsCertificateCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
client := meta.(*cloudflare.API) | ||
accountID := d.Get(consts.AccountIDSchemaKey).(string) | ||
|
||
if d.Get("gateway_managed").(bool) { | ||
newTeamsCertificate := cloudflare.TeamsCertificateCreateRequest{ | ||
ValidityPeriodDays: d.Get("validity_period_days").(int), | ||
} | ||
|
||
tflog.Debug(ctx, fmt.Sprintf("Creating Cloudflare Teams Certificate from struct: %+v", newTeamsCertificate)) | ||
|
||
certificate, err := client.TeamsGenerateCertificate(ctx, accountID, newTeamsCertificate) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error creating Teams Certificate for account %q: %w", accountID, err)) | ||
} | ||
d.SetId(certificate.ID) | ||
} | ||
|
||
if d.Get("activate").(bool) { | ||
certificate, err := client.TeamsActivateCertificate(ctx, accountID, d.Get("id").(string)) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error activating Teams Certificate with id %q for account %q: %w", d.Get("id"), accountID, err)) | ||
} | ||
d.Set("binding_status", certificate.BindingStatus) | ||
d.Set("qs_pack_id", certificate.QsPackId) | ||
} | ||
|
||
return resourceCloudflareTeamsCertificateRead(ctx, d, meta) | ||
} | ||
|
||
func resourceCloudflareTeamsCertificateUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
client := meta.(*cloudflare.API) | ||
accountID := d.Get(consts.AccountIDSchemaKey).(string) | ||
|
||
if d.Get("activate").(bool) { | ||
certificate, err := client.TeamsActivateCertificate(ctx, accountID, d.Get("id").(string)) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error activating Teams Certificate with id %q for account %q: %w", d.Get("id"), accountID, err)) | ||
} | ||
d.Set("binding_status", certificate.BindingStatus) | ||
d.Set("qs_pack_id", certificate.QsPackId) | ||
} else { | ||
certificate, err := client.TeamsDeactivateCertificate(ctx, accountID, d.Get("id").(string)) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error deactivating Teams Certificate with id %q for account %q: %w", d.Get("id"), accountID, err)) | ||
} | ||
d.Set("binding_status", certificate.BindingStatus) | ||
d.Set("qs_pack_id", certificate.QsPackId) | ||
} | ||
|
||
return resourceCloudflareTeamsCertificateRead(ctx, d, meta) | ||
} | ||
|
||
func resourceCloudflareTeamsCertificateRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
client := meta.(*cloudflare.API) | ||
accountID := d.Get(consts.AccountIDSchemaKey).(string) | ||
|
||
Certificate, err := client.TeamsCertificate(ctx, accountID, d.Id()) | ||
|
||
if err != nil { | ||
var notFoundError *cloudflare.NotFoundError | ||
if errors.As(err, ¬FoundError) { | ||
tflog.Info(ctx, fmt.Sprintf("Teams Certificate %s no longer exists", d.Id())) | ||
d.SetId("") | ||
return nil | ||
} | ||
return diag.FromErr(fmt.Errorf("error finding Teams Certificate %q: %w", d.Id(), err)) | ||
} | ||
|
||
d.Set("id", Certificate.ID) | ||
d.Set("enabled", Certificate.Enabled) | ||
d.Set("binding_status", Certificate.BindingStatus) | ||
d.Set("qs_pack_id", Certificate.QsPackId) | ||
d.Set("type", Certificate.Type) | ||
d.Set("uploaded_on", Certificate.UploadedOn.Format(time.RFC3339Nano)) | ||
d.Set("created_at", Certificate.CreatedAt.Format(time.RFC3339Nano)) | ||
d.Set("expires_on", Certificate.ExpiresOn.Format(time.RFC3339Nano)) | ||
|
||
return nil | ||
} | ||
|
||
func resourceCloudflareTeamsCertificateDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
client := meta.(*cloudflare.API) | ||
certID := d.Id() | ||
accountID := d.Get(consts.AccountIDSchemaKey).(string) | ||
|
||
tflog.Debug(ctx, fmt.Sprintf("Deleting Cloudflare Teams Certificate using ID: %s", certID)) | ||
|
||
err := client.TeamsDeleteCertificate(ctx, accountID, certID) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error deleting Teams Certificate for account %q: %w", accountID, err)) | ||
} | ||
|
||
resourceCloudflareTeamsCertificateRead(ctx, d, meta) | ||
|
||
return nil | ||
} | ||
|
||
func resourceCloudflareTeamsCertificateImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { | ||
attributes := strings.SplitN(d.Id(), "/", 2) | ||
|
||
if len(attributes) != 2 { | ||
return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"accountID/teamsCertificateID\"", d.Id()) | ||
} | ||
|
||
accountID, teamsCertificateID := attributes[0], attributes[1] | ||
|
||
tflog.Debug(ctx, fmt.Sprintf("Importing Cloudflare Teams Certificate: id %s for account %s", teamsCertificateID, accountID)) | ||
|
||
d.Set(consts.AccountIDSchemaKey, accountID) | ||
d.SetId(teamsCertificateID) | ||
|
||
resourceCloudflareTeamsCertificateRead(ctx, d, meta) | ||
|
||
return []*schema.ResourceData{d}, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.