diff --git a/go.mod b/go.mod
index fcb34dd80b8..a768c3ea919 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@ require (
 github.com/pquerna/otp v1.2.0
 github.com/spf13/pflag v1.0.3 // indirect
 github.com/terraform-providers/terraform-provider-template v2.1.2+incompatible
- github.com/terraform-providers/terraform-provider-tls v2.0.1+incompatible
+ github.com/terraform-providers/terraform-provider-tls v2.1.0+incompatible
 gopkg.in/yaml.v2 v2.2.2
 k8s.io/apimachinery v0.0.0-20190204010555-a98ff070d70e // indirect
 k8s.io/client-go v10.0.0+incompatible // indirect
diff --git a/go.sum b/go.sum
index 3dbbcdba0df..6167f79d5be 100644
--- a/go.sum
+++ b/go.sum
@@ -535,8 +535,8 @@ github.com/terraform-providers/terraform-provider-openstack v1.15.0 h1:adpjqej+F
 github.com/terraform-providers/terraform-provider-openstack v1.15.0/go.mod h1:2aQ6n/BtChAl1y2S60vebhyJyZXBsuAI5G4+lHrT1Ew=
 github.com/terraform-providers/terraform-provider-template v2.1.2+incompatible h1:imLvtj+kEr7z3xsHlHed+CAw4Z/mnlLYXfynKLv12SI=
 github.com/terraform-providers/terraform-provider-template v2.1.2+incompatible/go.mod h1:Y+/1GV1sOgHNxzYdkkGb9Cz/FNk8W4/Gb5+Phf1CNU8=
-github.com/terraform-providers/terraform-provider-tls v2.0.1+incompatible h1:LzJFW5XFadz/4K/lUSTjN2/TrQM5QZtJxrzz50z4yLY=
-github.com/terraform-providers/terraform-provider-tls v2.0.1+incompatible/go.mod h1:L5wzhvGcKGSSnpY/Oq9zKRk8cwgrvurqiJu00Eu50cA=
+github.com/terraform-providers/terraform-provider-tls v2.1.0+incompatible h1:/6+8oPw6h3gNs9FhaWCtAP3rzpFrOuxoCD4tBfr9p2g=
+github.com/terraform-providers/terraform-provider-tls v2.1.0+incompatible/go.mod h1:kurQaP6D5IY4ig4K7EhQchbY/0Q1jZBeOGi4IrWDdJc=
 github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb h1:lI9ufgFfvuqRctP9Ny8lDDLbSWCMxBPletcSqrnyFYM=
 github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20171017195756-830351dc03c6/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
diff --git a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/data_source_public_key.go b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/data_source_public_key.go
index 2d5d2f1ca22..0e940cbbd04 100644
--- a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/data_source_public_key.go
+++ b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/data_source_public_key.go
@@ -14,6 +14,7 @@ func dataSourcePublicKey() *schema.Resource {
 "private_key_pem": {
 Type: schema.TypeString,
 Required: true,
+ Sensitive: true,
 Description: "PEM formatted string to use as the private key",
 },
 "algorithm": {
@@ -49,7 +50,13 @@ func dataSourcePublicKeyRead(d *schema.ResourceData, meta interface{}) error {
 keyPemBlock, _ := pem.Decode(bytes)
 if keyPemBlock == nil || (keyPemBlock.Type != "RSA PRIVATE KEY" && keyPemBlock.Type != "EC PRIVATE KEY") {
- return fmt.Errorf("failed to decode PEM block containing private key of type %#v", keyPemBlock.Type)
+ typ := "unknown"
+
+ if keyPemBlock != nil {
+ typ = keyPemBlock.Type
+ }
+
+ return fmt.Errorf("failed to decode PEM block containing private key of type %#v", typ)
 }
 keyAlgo := ""
diff --git a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_cert_request.go b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_cert_request.go
index 81f992df9c1..8d39efcc78c 100644
--- a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_cert_request.go
+++ b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_cert_request.go
@@ -5,9 +5,9 @@ import (
 "crypto/x509"
 "encoding/pem"
 "fmt"
- "net"
-
 "github.com/hashicorp/terraform/helper/schema"
+ "net"
+ "net/url"
 )
 const pemCertReqType = "CERTIFICATE REQUEST"
@@ -40,6 +40,16 @@ func resourceCertRequest() *schema.Resource {
 },
 },
+ "uris": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: "List of URIs to use as subjects of the certificate",
+ ForceNew: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+
 "key_algorithm": {
 Type: schema.TypeString,
 Required: true,
@@ -52,6 +62,7 @@ func resourceCertRequest() *schema.Resource {
 Required: true,
 Description: "PEM-encoded private key that the certificate will belong to",
 ForceNew: true,
+ Sensitive: true,
 StateFunc: func(v interface{}) string {
 return hashForState(v.(string))
 },
@@ -107,6 +118,14 @@ func CreateCertRequest(d *schema.ResourceData, meta interface{}) error {
 }
 certReq.IPAddresses = append(certReq.IPAddresses, ip)
 }
+ urisI := d.Get("uris").([]interface{})
+ for _, uriI := range urisI {
+ uri, err := url.Parse(uriI.(string))
+ if err != nil {
+ return fmt.Errorf("invalid URI %#v", uriI.(string))
+ }
+ certReq.URIs = append(certReq.URIs, uri)
+ }
 certReqBytes, err := x509.CreateCertificateRequest(rand.Reader, &certReq, key)
 if err != nil {
diff --git a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_certificate.go b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_certificate.go
index 2462f9f302d..5002c7fac54 100644
--- a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_certificate.go
+++ b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_certificate.go
@@ -53,6 +53,10 @@ type rsaPublicKey struct {
 E int
 }
+var now = func() time.Time {
+ return time.Now()
+}
+
 // generateSubjectKeyID generates a SHA-1 hash of the subject public key.
 func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
 var publicKeyBytes []byte
@@ -88,7 +92,6 @@ func resourceCertificateCommonSchema() map[string]*schema.Schema {
 Optional: true,
 Default: 0,
 Description: "Number of hours before the certificates expiry when a new certificate will be generated",
- ForceNew: true,
 },
 "is_ca_certificate": {
@@ -113,6 +116,11 @@ func resourceCertificateCommonSchema() map[string]*schema.Schema {
 Computed: true,
 },
+ "ready_for_renewal": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
+
 "validity_start_time": {
 Type: schema.TypeString,
 Computed: true,
@@ -122,13 +130,20 @@ func resourceCertificateCommonSchema() map[string]*schema.Schema {
 Type: schema.TypeString,
 Computed: true,
 },
+
+ "set_subject_key_id": &schema.Schema{
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "If true, the generated certificate will include a subject key identifier.",
+ ForceNew: true,
+ },
 }
 }
 func createCertificate(d *schema.ResourceData, template, parent *x509.Certificate, pub crypto.PublicKey, priv interface{}) error {
 var err error
- template.NotBefore = time.Now()
+ template.NotBefore = now()
 template.NotAfter = template.NotBefore.Add(time.Duration(d.Get("validity_period_hours").(int)) * time.Hour)
 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
@@ -157,6 +172,13 @@ func createCertificate(d *schema.ResourceData, template, parent *x509.Certificat
 }
 }
+ if d.Get("set_subject_key_id").(bool) {
+ template.SubjectKeyId, err = generateSubjectKeyID(pub)
+ if err != nil {
+ return fmt.Errorf("failed to set subject key identifier: %s", err)
+ }
+ }
+
 certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
 if err != nil {
 return fmt.Errorf("error creating certificate: %s", err)
@@ -174,6 +196,7 @@ func createCertificate(d *schema.ResourceData, template, parent *x509.Certificat
 d.SetId(template.SerialNumber.String())
 d.Set("cert_pem", certPem)
+ d.Set("ready_for_renewal", false)
 d.Set("validity_start_time", string(validFromBytes))
 d.Set("validity_end_time", string(validToBytes))
@@ -186,25 +209,43 @@ func DeleteCertificate(d *schema.ResourceData, meta interface{}) error {
 }
 func ReadCertificate(d *schema.ResourceData, meta interface{}) error {
+ return nil
+}
+
+func CustomizeCertificateDiff(d *schema.ResourceDiff, meta interface{}) error {
+ var readyForRenewal bool
 endTimeStr := d.Get("validity_end_time").(string)
- endTime := time.Now()
+ endTime := now()
 err := endTime.UnmarshalText([]byte(endTimeStr))
 if err != nil {
- // If end time is invalid then we'll just throw away the whole
- // thing so we can generate a new one.
- d.SetId("")
- return nil
+ // If end time is invalid then we'll treat it as being at the time for renewal.
+ readyForRenewal = true
+ } else {
+ earlyRenewalPeriod := time.Duration(-d.Get("early_renewal_hours").(int)) * time.Hour
+ endTime = endTime.Add(earlyRenewalPeriod)
+
+ currentTime := now()
+ timeToRenewal := endTime.Sub(currentTime)
+ if timeToRenewal <= 0 {
+ readyForRenewal = true
+ }
 }
- earlyRenewalPeriod := time.Duration(-d.Get("early_renewal_hours").(int)) * time.Hour
- endTime = endTime.Add(earlyRenewalPeriod)
-
- if time.Now().After(endTime) {
- // Treat an expired certificate as not existing, so we'll generate
- // a new one with the next plan.
- d.SetId("")
+ if readyForRenewal {
+ err = d.SetNew("ready_for_renewal", true)
+ if err != nil {
+ return err
+ }
+ err = d.ForceNew("ready_for_renewal")
+ if err != nil {
+ return err
+ }
 }
 return nil
 }
+
+func UpdateCertificate(d *schema.ResourceData, meta interface{}) error {
+ return nil
+}
diff --git a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_locally_signed_cert.go b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_locally_signed_cert.go
index 39c90022f8d..968be50197b 100644
--- a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_locally_signed_cert.go
+++ b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_locally_signed_cert.go
@@ -31,6 +31,7 @@ func resourceLocallySignedCert() *schema.Resource {
 Required: true,
 Description: "PEM-encoded CA private key used to sign the certificate",
 ForceNew: true,
+ Sensitive: true,
 StateFunc: func(v interface{}) string {
 return hashForState(v.(string))
 },
@@ -47,10 +48,12 @@ func resourceLocallySignedCert() *schema.Resource {
 }
 return &schema.Resource{
- Create: CreateLocallySignedCert,
- Delete: DeleteCertificate,
- Read: ReadCertificate,
- Schema: s,
+ Create: CreateLocallySignedCert,
+ Delete: DeleteCertificate,
+ Read: ReadCertificate,
+ Update: UpdateCertificate,
+ CustomizeDiff: CustomizeCertificateDiff,
+ Schema: s,
 }
 }
@@ -72,6 +75,7 @@ func CreateLocallySignedCert(d *schema.ResourceData, meta interface{}) error {
 Subject: certReq.Subject,
 DNSNames: certReq.DNSNames,
 IPAddresses: certReq.IPAddresses,
+ URIs: certReq.URIs,
 BasicConstraintsValid: true,
 }
diff --git a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_private_key.go b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_private_key.go
index 0e0286812d7..4e56b43d4a7 100644
--- a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_private_key.go
+++ b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_private_key.go
@@ -77,8 +77,9 @@ func resourcePrivateKey() *schema.Resource {
 },
 "private_key_pem": {
- Type: schema.TypeString,
- Computed: true,
+ Type: schema.TypeString,
+ Computed: true,
+ Sensitive: true,
 },
 "public_key_pem": {
diff --git a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_self_signed_cert.go b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_self_signed_cert.go
index c6edf7e4be9..5cf0295ff33 100644
--- a/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_self_signed_cert.go
+++ b/vendor/github.com/terraform-providers/terraform-provider-tls/tls/resource_self_signed_cert.go
@@ -4,6 +4,7 @@ import (
 "crypto/x509"
 "fmt"
 "net"
+ "net/url"
 "github.com/hashicorp/terraform/helper/schema"
 )
@@ -38,6 +39,16 @@ func resourceSelfSignedCert() *schema.Resource {
 },
 }
+ s["uris"] = &schema.Schema{
+ Type: schema.TypeList,
+ Optional: true,
+ Description: "List of URIs to use as subjects of the certificate",
+ ForceNew: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ }
+
 s["key_algorithm"] = &schema.Schema{
 Type: schema.TypeString,
 Required: true,
@@ -50,16 +61,19 @@ func resourceSelfSignedCert() *schema.Resource {
 Required: true,
 Description: "PEM-encoded private key that the certificate will belong to",
 ForceNew: true,
+ Sensitive: true,
 StateFunc: func(v interface{}) string {
 return hashForState(v.(string))
 },
 }
 return &schema.Resource{
- Create: CreateSelfSignedCert,
- Delete: DeleteCertificate,
- Read: ReadCertificate,
- Schema: s,
+ Create: CreateSelfSignedCert,
+ Delete: DeleteCertificate,
+ Read: ReadCertificate,
+ Update: UpdateCertificate,
+ CustomizeDiff: CustomizeCertificateDiff,
+ Schema: s,
 }
 }
@@ -99,6 +113,14 @@ func CreateSelfSignedCert(d *schema.ResourceData, meta interface{}) error {
 }
 cert.IPAddresses = append(cert.IPAddresses, ip)
 }
+ urisI := d.Get("uris").([]interface{})
+ for _, uriStrI := range urisI {
+ uri, err := url.Parse(uriStrI.(string))
+ if err != nil {
+ return fmt.Errorf("invalid URI %#v", uriStrI.(string))
+ }
+ cert.URIs = append(cert.URIs, uri)
+ }
 return createCertificate(d, &cert, &cert, publicKey(key), key)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bc94ebe4e59..18648e86b11 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -584,7 +584,7 @@ github.com/spf13/pflag
 github.com/spf13/viper
 # github.com/terraform-providers/terraform-provider-template v2.1.2+incompatible
 github.com/terraform-providers/terraform-provider-template/template
-# github.com/terraform-providers/terraform-provider-tls v2.0.1+incompatible
+# github.com/terraform-providers/terraform-provider-tls v2.1.0+incompatible
 github.com/terraform-providers/terraform-provider-tls/tls
 # github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb
 github.com/timakin/bodyclose/passes/bodyclose