terraform-provider-greenhost/digitalocean/resource_digitalocean_certi...

package digitalocean

import (
	"context"
	"fmt"
	"log"
	"time"

	"github.com/digitalocean/godo"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/helper/schema"
	"github.com/hashicorp/terraform/helper/validation"
)

func resourceDigitalOceanCertificate() *schema.Resource {
	return &schema.Resource{
		Create: resourceDigitalOceanCertificateCreate,
		Read:   resourceDigitalOceanCertificateRead,
		Delete: resourceDigitalOceanCertificateDelete,
		Importer: &schema.ResourceImporter{
			State: schema.ImportStatePassthrough,
		},

		Schema: map[string]*schema.Schema{
			"name": {
				Type:         schema.TypeString,
				Required:     true,
				ForceNew:     true,
				ValidateFunc: validation.NoZeroValues,
			},

			"private_key": {
				Type:         schema.TypeString,
				Optional:     true,
				Sensitive:    true,
				ForceNew:     true,
				ValidateFunc: validation.NoZeroValues,
			},

			"leaf_certificate": {
				Type:         schema.TypeString,
				Optional:     true,
				ForceNew:     true,
				ValidateFunc: validation.NoZeroValues,
			},

			"certificate_chain": {
				Type:         schema.TypeString,
				Optional:     true,
				ForceNew:     true,
				ValidateFunc: validation.NoZeroValues,
			},

			"domains": {
				Type: schema.TypeSet,
				Elem: &schema.Schema{
					Type:         schema.TypeString,
					ValidateFunc: validation.NoZeroValues,
				},
				Optional:      true,
				ForceNew:      true,
				ConflictsWith: []string{"private_key", "leaf_certificate", "certificate_chain"},
				DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
					return d.Get("type") == "custom"
				},
			},

			"type": {
				Type:     schema.TypeString,
				Optional: true,
				ForceNew: true,
				Default:  "custom",
				ValidateFunc: validation.StringInSlice([]string{
					"custom",
					"lets_encrypt",
				}, false),
			},

			"state": {
				Type:     schema.TypeString,
				Computed: true,
			},

			"not_after": {
				Type:     schema.TypeString,
				Computed: true,
			},

			"sha1_fingerprint": {
				Type:     schema.TypeString,
				Computed: true,
			},
		},

		CustomizeDiff: func(diff *schema.ResourceDiff, v interface{}) error {

			certificateType := diff.Get("type").(string)
			if certificateType == "custom" {
				if _, ok := diff.GetOk("private_key"); !ok {
					return fmt.Errorf("`private_key` is required for when type is `custom` or empty")
				}

				if _, ok := diff.GetOk("leaf_certificate"); !ok {
					return fmt.Errorf("`leaf_certificate` is required for when type is `custom` or empty")
				}
			} else if certificateType == "lets_encrypt" {

				if _, ok := diff.GetOk("domains"); !ok {
					return fmt.Errorf("`domains` is required for when type is `lets_encrypt`")
				}
			}

			return nil
		},
	}
}

func buildCertificateRequest(d *schema.ResourceData) (*godo.CertificateRequest, error) {
	req := &godo.CertificateRequest{
		Name: d.Get("name").(string),
		Type: d.Get("type").(string),
	}

	if v, ok := d.GetOk("private_key"); ok {
		req.PrivateKey = v.(string)
	}
	if v, ok := d.GetOk("leaf_certificate"); ok {
		req.LeafCertificate = v.(string)
	}
	if v, ok := d.GetOk("certificate_chain"); ok {
		req.CertificateChain = v.(string)
	}

	if v, ok := d.GetOk("domains"); ok {
		req.DNSNames = expandDigitalOceanCertificateDomains(v.(*schema.Set).List())
	}

	return req, nil
}

func resourceDigitalOceanCertificateCreate(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*godo.Client)

	log.Printf("[INFO] Create a Certificate Request")

	certReq, err := buildCertificateRequest(d)
	if err != nil {
		return err
	}

	log.Printf("[DEBUG] Certificate Create: %#v", certReq)
	cert, _, err := client.Certificates.Create(context.Background(), certReq)
	if err != nil {
		return fmt.Errorf("Error creating Certificate: %s", err)
	}

	d.SetId(cert.ID)

	log.Printf("[INFO] Waiting for certificate (%s) to have state 'verified'", cert.ID)
	stateConf := &resource.StateChangeConf{
		Pending:    []string{"pending"},
		Target:     []string{"verified"},
		Refresh:    newCertificateStateRefreshFunc(d, meta),
		Timeout:    d.Timeout(schema.TimeoutCreate),
		Delay:      10 * time.Second,
		MinTimeout: 3 * time.Second,
	}

	if _, err := stateConf.WaitForState(); err != nil {
		return fmt.Errorf("Error waiting for certificate (%s) to become active: %s", d.Get("name"), err)
	}

	return resourceDigitalOceanCertificateRead(d, meta)
}

func resourceDigitalOceanCertificateRead(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*godo.Client)

	log.Printf("[INFO] Reading the details of the Certificate %s", d.Id())
	cert, resp, err := client.Certificates.Get(context.Background(), d.Id())
	if err != nil {
		// check if the certificate no longer exists.
		if resp != nil && resp.StatusCode == 404 {
			log.Printf("[WARN] DigitalOcean Certificate (%s) not found", d.Id())
			d.SetId("")
			return nil
		}

		return fmt.Errorf("Error retrieving Certificate: %s", err)
	}

	d.Set("name", cert.Name)
	d.Set("type", cert.Type)
	d.Set("state", cert.State)
	d.Set("not_after", cert.NotAfter)
	d.Set("sha1_fingerprint", cert.SHA1Fingerprint)

	if err := d.Set("domains", flattenDigitalOceanCertificateDomains(cert.DNSNames)); err != nil {
		return fmt.Errorf("Error setting `domains`: %+v", err)
	}

	return nil

}

func resourceDigitalOceanCertificateDelete(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*godo.Client)

	log.Printf("[INFO] Deleting Certificate: %s", d.Id())
	_, err := client.Certificates.Delete(context.Background(), d.Id())
	if err != nil {
		return fmt.Errorf("Error deleting Certificate: %s", err)
	}

	return nil

}

func expandDigitalOceanCertificateDomains(domains []interface{}) []string {
	expandedDomains := make([]string, len(domains))
	for i, v := range domains {
		expandedDomains[i] = v.(string)
	}

	return expandedDomains
}

func flattenDigitalOceanCertificateDomains(domains []string) *schema.Set {
	if domains == nil {
		return nil
	}

	flattenedDomains := schema.NewSet(schema.HashString, []interface{}{})
	for _, v := range domains {
		if v != "" {
			flattenedDomains.Add(v)
		}
	}

	return flattenedDomains
}

func newCertificateStateRefreshFunc(d *schema.ResourceData, meta interface{}) resource.StateRefreshFunc {
	client := meta.(*godo.Client)
	return func() (interface{}, string, error) {

		// Retrieve the certificate properties
		cert, _, err := client.Certificates.Get(context.Background(), d.Id())
		if err != nil {
			return nil, "", fmt.Errorf("Error retrieving certifica: %s", err)
		}

		return cert, cert.State, nil
	}
}
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`package digitalocean`

			`import (`
			`"context"`
			`"fmt"`
			`"log"`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`"time"`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00
			`"github.com/digitalocean/godo"`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`"github.com/hashicorp/terraform/helper/resource"`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`"github.com/hashicorp/terraform/helper/schema"`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`"github.com/hashicorp/terraform/helper/validation"`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`)`

			`func resourceDigitalOceanCertificate() *schema.Resource {`
			`return &schema.Resource{`
			`Create: resourceDigitalOceanCertificateCreate,`
			`Read: resourceDigitalOceanCertificateRead,`
			`Delete: resourceDigitalOceanCertificateDelete,`
Add importability for Load Balancers and Certificate. (#104) * Added importability for load balancer * Added importability, go fmt'ed * Added importability for DNS records * added importability for certificates * Added import notes for DNS records and load balancers * Added import tests * Added random int for test configs * Added certificates for the test to import * Fixed docs, added certificate importability on docs * Make TestAccDigitalOceanCertificate_importBasic pass by reusing certificate generation from resource_digitalocean_certificate_test.go * Fix importablity of Load Balancer Droplet droplet_ids. * Revert "Added importability for DNS records" This reverts commit 94b1f69fe756c862125d0b899d49eca74f7bd591. * Remove mention of record imports in docs. * Remove digitalocean/import_digitalocean_record_test.go 2018-06-25 23:38:10 +00:00			`Importer: &schema.ResourceImporter{`
			`State: schema.ImportStatePassthrough,`
			`},`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00
			`Schema: map[string]*schema.Schema{`
			`"name": {`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`Type: schema.TypeString,`
			`Required: true,`
			`ForceNew: true,`
			`ValidateFunc: validation.NoZeroValues,`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`},`

			`"private_key": {`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`Type: schema.TypeString,`
			`Optional: true,`
			`Sensitive: true,`
			`ForceNew: true,`
			`ValidateFunc: validation.NoZeroValues,`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`},`

			`"leaf_certificate": {`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`Type: schema.TypeString,`
			`Optional: true,`
			`ForceNew: true,`
			`ValidateFunc: validation.NoZeroValues,`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`},`

			`"certificate_chain": {`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`Type: schema.TypeString,`
			`Optional: true,`
			`ForceNew: true,`
			`ValidateFunc: validation.NoZeroValues,`
			`},`

			`"domains": {`
			`Type: schema.TypeSet,`
			`Elem: &schema.Schema{`
			`Type: schema.TypeString,`
			`ValidateFunc: validation.NoZeroValues,`
			`},`
			`Optional: true,`
			`ForceNew: true,`
			`ConflictsWith: []string{"private_key", "leaf_certificate", "certificate_chain"},`
Suppress diff for dns names on custom certificate resources (Fixes: #146). 2018-10-04 15:41:55 +00:00			`DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {`
			`return d.Get("type") == "custom"`
			`},`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`},`

			`"type": {`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`Type: schema.TypeString,`
			`Optional: true,`
			`ForceNew: true,`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`Default: "custom",`
			`ValidateFunc: validation.StringInSlice([]string{`
			`"custom",`
			`"lets_encrypt",`
			`}, false),`
			`},`

			`"state": {`
			`Type: schema.TypeString,`
			`Computed: true,`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`},`

			`"not_after": {`
			`Type: schema.TypeString,`
provider/digitalocean: Mark not_after and sha1_fingerprint as computed 2017-05-26 14:21:08 +00:00			`Computed: true,`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`},`

			`"sha1_fingerprint": {`
			`Type: schema.TypeString,`
provider/digitalocean: Mark not_after and sha1_fingerprint as computed 2017-05-26 14:21:08 +00:00			`Computed: true,`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`},`
			`},`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00
			`CustomizeDiff: func(diff *schema.ResourceDiff, v interface{}) error {`

			`certificateType := diff.Get("type").(string)`
			`if certificateType == "custom" {`
			`if _, ok := diff.GetOk("private_key"); !ok {`
			return fmt.Errorf("`private_key` is required for when type is `custom` or empty")
			`}`

			`if _, ok := diff.GetOk("leaf_certificate"); !ok {`
			return fmt.Errorf("`leaf_certificate` is required for when type is `custom` or empty")
			`}`
			`} else if certificateType == "lets_encrypt" {`

			`if _, ok := diff.GetOk("domains"); !ok {`
			return fmt.Errorf("`domains` is required for when type is `lets_encrypt`")
			`}`
			`}`

			`return nil`
			`},`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`}`
			`}`

			`func buildCertificateRequest(d schema.ResourceData) (godo.CertificateRequest, error) {`
			`req := &godo.CertificateRequest{`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`Name: d.Get("name").(string),`
			`Type: d.Get("type").(string),`
			`}`

			`if v, ok := d.GetOk("private_key"); ok {`
			`req.PrivateKey = v.(string)`
			`}`
			`if v, ok := d.GetOk("leaf_certificate"); ok {`
			`req.LeafCertificate = v.(string)`
			`}`
			`if v, ok := d.GetOk("certificate_chain"); ok {`
			`req.CertificateChain = v.(string)`
			`}`

			`if v, ok := d.GetOk("domains"); ok {`
			`req.DNSNames = expandDigitalOceanCertificateDomains(v.(*schema.Set).List())`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`}`

			`return req, nil`
			`}`

			`func resourceDigitalOceanCertificateCreate(d *schema.ResourceData, meta interface{}) error {`
			`client := meta.(*godo.Client)`

			`log.Printf("[INFO] Create a Certificate Request")`

			`certReq, err := buildCertificateRequest(d)`
			`if err != nil {`
			`return err`
			`}`

			`log.Printf("[DEBUG] Certificate Create: %#v", certReq)`
			`cert, _, err := client.Certificates.Create(context.Background(), certReq)`
			`if err != nil {`
			`return fmt.Errorf("Error creating Certificate: %s", err)`
			`}`

			`d.SetId(cert.ID)`

Fixed a debug message typo 2018-09-04 19:00:54 +00:00			`log.Printf("[INFO] Waiting for certificate (%s) to have state 'verified'", cert.ID)`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`stateConf := &resource.StateChangeConf{`
			`Pending: []string{"pending"},`
			`Target: []string{"verified"},`
			`Refresh: newCertificateStateRefreshFunc(d, meta),`
			`Timeout: d.Timeout(schema.TimeoutCreate),`
			`Delay: 10 * time.Second,`
			`MinTimeout: 3 * time.Second,`
			`}`

			`if _, err := stateConf.WaitForState(); err != nil {`
			`return fmt.Errorf("Error waiting for certificate (%s) to become active: %s", d.Get("name"), err)`
			`}`

provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`return resourceDigitalOceanCertificateRead(d, meta)`
			`}`

			`func resourceDigitalOceanCertificateRead(d *schema.ResourceData, meta interface{}) error {`
			`client := meta.(*godo.Client)`

			`log.Printf("[INFO] Reading the details of the Certificate %s", d.Id())`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`cert, resp, err := client.Certificates.Get(context.Background(), d.Id())`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`if err != nil {`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`// check if the certificate no longer exists.`
			`if resp != nil && resp.StatusCode == 404 {`
			`log.Printf("[WARN] DigitalOcean Certificate (%s) not found", d.Id())`
			`d.SetId("")`
			`return nil`
			`}`

provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`return fmt.Errorf("Error retrieving Certificate: %s", err)`
			`}`

			`d.Set("name", cert.Name)`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`d.Set("type", cert.Type)`
			`d.Set("state", cert.State)`
provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`d.Set("not_after", cert.NotAfter)`
			`d.Set("sha1_fingerprint", cert.SHA1Fingerprint)`

Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00			`if err := d.Set("domains", flattenDigitalOceanCertificateDomains(cert.DNSNames)); err != nil {`
			return fmt.Errorf("Error setting `domains`: %+v", err)
			`}`

provider/digitalocean: Add support for certificates Besides the support for DO certificates themselves, this commit also includes: 1) A new `RandTLSCert` function that generates a valid, self-signed TLS certificate to be used in the test 2) A fix for the PEM encoding of the private key generated in `RandSSHKeyPair`: the PEM was always empty 2017-05-16 10:40:33 +00:00			`return nil`

			`}`

			`func resourceDigitalOceanCertificateDelete(d *schema.ResourceData, meta interface{}) error {`
			`client := meta.(*godo.Client)`

			`log.Printf("[INFO] Deleting Certificate: %s", d.Id())`
			`_, err := client.Certificates.Delete(context.Background(), d.Id())`
			`if err != nil {`
			`return fmt.Errorf("Error deleting Certificate: %s", err)`
			`}`

			`return nil`

			`}`
Added support for LetsEncrypt issued certificates 2018-08-29 18:45:16 +00:00
			`func expandDigitalOceanCertificateDomains(domains []interface{}) []string {`
			`expandedDomains := make([]string, len(domains))`
			`for i, v := range domains {`
			`expandedDomains[i] = v.(string)`
			`}`

			`return expandedDomains`
			`}`

			`func flattenDigitalOceanCertificateDomains(domains []string) *schema.Set {`
			`if domains == nil {`
			`return nil`
			`}`

			`flattenedDomains := schema.NewSet(schema.HashString, []interface{}{})`
			`for _, v := range domains {`
			`if v != "" {`
			`flattenedDomains.Add(v)`
			`}`
			`}`

			`return flattenedDomains`
			`}`

			`func newCertificateStateRefreshFunc(d *schema.ResourceData, meta interface{}) resource.StateRefreshFunc {`
			`client := meta.(*godo.Client)`
			`return func() (interface{}, string, error) {`

			`// Retrieve the certificate properties`
			`cert, _, err := client.Certificates.Get(context.Background(), d.Id())`
			`if err != nil {`
			`return nil, "", fmt.Errorf("Error retrieving certifica: %s", err)`
			`}`

			`return cert, cert.State, nil`
			`}`
			`}`