Support mTLS for connection to AWX

.goreleaser.yml

@@ -52,4 +52,3 @@ release:
   draft: false
 changelog:
   skip: true
-

awx/data_source_credential.go

@@ -1,65 +1,81 @@
 /*
 Use this data source to query Credential by ID.
 
-Example Usage
+# Example Usage
 
 ```hcl
 *TBD*
 ```
-
 */
 package awx
 
 import (
 	"context"
-	"strconv"
-	"time"
-
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	awx "github.com/mrcrilly/goawx/client"
+	"strconv"
 )
 
-func dataSourceCredentialByID() *schema.Resource {
+func dataSourceCredentialByName() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: dataSourceCredentialByIDRead,
+		ReadContext: dataSourceCredentialsRead,
 		Schema: map[string]*schema.Schema{
 			"id": &schema.Schema{
-				Type:        schema.TypeInt,
-				Required:    true,
-				Description: "Credential id",
+				Type:     schema.TypeInt,
+				Optional: true,
+				Computed: true,
 			},
-			"username": &schema.Schema{
-				Type:        schema.TypeString,
-				Computed:    true,
-				Description: "The Username from searched id",
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				Computed: false,
 			},
 			"kind": &schema.Schema{
-				Type:        schema.TypeString,
-				Computed:    true,
-				Description: "The Kind from searched id",
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
 			},
 		},
 	}
 }
 
-func dataSourceCredentialByIDRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+func dataSourceCredentialsRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
 
 	client := m.(*awx.AWX)
-	id := d.Get("id").(int)
-	cred, err := client.CredentialsService.GetCredentialsByID(id, map[string]string{})
+	params := make(map[string]string)
+
+	if name, okName := d.GetOk("name"); okName {
+		params["name"] = name.(string)
+	}
+
+	if len(params) == 0 {
+		return buildDiagnosticsMessage(
+			"Get: Missing Parameters",
+			"Please use the selector: (name)")
+	}
+
+	credentials, _, err := client.CredentialsService.ListCredentials(map[string]string{})
+
 	if err != nil {
-		diags = append(diags, diag.Diagnostic{
-			Severity: diag.Error,
-			Summary:  "Unable to fetch credential",
-			Detail:   "The given credential ID is invalid or malformed",
-		})
+		return buildDiagnosticsMessage(
+			"Get: Fail to fetch Credential list",
+			"Fail to find the Credential list, got: %s",
+			err)
 	}
 
-	d.Set("username", cred.Inputs["username"])
-	d.Set("kind", cred.Kind)
-	d.SetId(strconv.FormatInt(time.Now().Unix(), 10))
+	for _, credential := range credentials {
+		if credential.Name == params["name"] {
+			d.SetId(strconv.Itoa(credential.ID))
+			d.Set("name", credential.Name)
+			d.Set("kind", credential.Kind)
+			return diags
+		}
+	}
 
-	return diags
+	return buildDiagnosticsMessage(
+		"Credential not found",
+		"Could not find Credential with name: %s",
+		params["name"])
 }

awx/data_source_execution_environment.go

@@ -0,0 +1,66 @@
+package awx
+
+import (
+	"context"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	awx "github.com/mrcrilly/goawx/client"
+	"strconv"
+)
+
+func dataSourceExecutionEnvironmentByName() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceExecutionEnvironmentsRead,
+		Schema: map[string]*schema.Schema{
+			"id": &schema.Schema{
+				Type:     schema.TypeInt,
+				Optional: true,
+				Computed: true,
+			},
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				Computed: false,
+			},
+		},
+	}
+}
+
+func dataSourceExecutionEnvironmentsRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	var diags diag.Diagnostics
+
+	client := m.(*awx.AWX)
+	params := make(map[string]string)
+
+	if name, okName := d.GetOk("name"); okName {
+		params["name"] = name.(string)
+	}
+
+	if len(params) == 0 {
+		return buildDiagnosticsMessage(
+			"Get: Missing Parameters",
+			"Please use the selector: (name)")
+	}
+
+	executionEnvironments, _, err := client.ExecutionEnvironmentsService.ListExecutionEnvironments(map[string]string{})
+
+	if err != nil {
+		return buildDiagnosticsMessage(
+			"Get: Fail to fetch Execution Environment list",
+			"Fail to find the Execution Environment list, got: %s",
+			err)
+	}
+
+	for _, executionEnvironment := range executionEnvironments {
+		if executionEnvironment.Name == params["name"] {
+			d.SetId(strconv.Itoa(executionEnvironment.ID))
+			d.Set("name", executionEnvironment.Name)
+			return diags
+		}
+	}
+
+	return buildDiagnosticsMessage(
+		"Execution Environment not found",
+		"Could not find Execution Environment with name: %s",
+		params["name"])
+}

awx/provider.go

@@ -3,11 +3,14 @@ package awx
 import (
 	"context"
 	"crypto/tls"
-	"net/http"
-
+	"crypto/x509"
+	"fmt"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	awx "github.com/mrcrilly/goawx/client"
+	"net/http"
+	"os"
+	"path/filepath"
 )
 
 func Provider() *schema.Provider {
@@ -35,6 +38,21 @@ func Provider() *schema.Provider {
 				Sensitive:   true,
 				DefaultFunc: schema.EnvDefaultFunc("AWX_PASSWORD", "password"),
 			},
+			"client_cert": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Client certificate to use for mTLS validation. Must be provided along with client-key and ca-cert for mTLS to be used.",
+			},
+			"client_key": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Client key to use for mTLS validation. Must be provided along with client-cert and ca-cert for mTLS to be used",
+			},
+			"ca_cert": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "CA certificate to use for mTLS validation. Must be provided along with client-cert and client-key for mTLS to be used",
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"awx_credential_azure_key_vault":         resourceCredentialAzureKeyVault(),
@@ -58,8 +76,8 @@ func Provider() *schema.Provider {
 		},
 		DataSourcesMap: map[string]*schema.Resource{
 			"awx_credential_azure_key_vault": dataSourceCredentialAzure(),
-			"awx_credential":                 dataSourceCredentialByID(),
-			"awx_credentials":                dataSourceCredentials(),
+			"awx_credential":                 dataSourceCredentialByName(),
+			"awx_execution_environment":      dataSourceExecutionEnvironmentByName(),
 			"awx_inventory_group":            dataSourceInventoryGroup(),
 			"awx_inventory":                  dataSourceInventory(),
 			"awx_job_template":               dataSourceJobTemplate(),
@@ -76,11 +94,33 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
 
+	clientCertPEM, clientCertPEMExists := d.GetOk("client_cert")
+	clientKeyPEM, clientKeyPEMExists := d.GetOk("client_key")
+	caCertPEM, caCertPEMExists := d.GetOk("ca_cert")
+
 	client := http.DefaultClient
 	if d.Get("insecure").(bool) {
 		client.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
+	} else if clientCertPEMExists && clientKeyPEMExists && caCertPEMExists {
+		transportTlsConfig, err := generateMtlsConfig(
+			clientCertPEM.(string),
+			clientKeyPEM.(string),
+			caCertPEM.(string))
+
+		if err == nil {
+			client.Transport = &http.Transport{
+				TLSClientConfig: transportTlsConfig,
+			}
+		} else {
+			var diags diag.Diagnostics
+			return nil, append(diags, diag.Diagnostic{
+				Severity: diag.Error,
+				Summary:  "Invalid mTLS config",
+				Detail:   fmt.Sprintf("The provided mTLS config is invalid: %s", err),
+			})
+		}
 	}
 
 	// Warning or errors can be collected in a slice type
@@ -97,3 +137,42 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 
 	return c, diags
 }
+
+// This method also writes the mTLS certificates to disk - to allow them to be used for other calls to
+// AWX
+func generateMtlsConfig(clientCertPEM string, clientKeyPEM string, caCertPEM string) (*tls.Config, error) {
+	clientCertPEMBlock := []byte(clientCertPEM)
+	clientKeyPEMBlock := []byte(clientKeyPEM)
+	caCertPEMBlock := []byte(caCertPEM)
+
+	tempCertificatePath := "/wrk/terraform-provider-awx"
+	os.MkdirAll(tempCertificatePath, 0700)
+
+	writeByteArrayToFile(clientCertPEMBlock, filepath.Join(tempCertificatePath, "tls.crt"))
+	writeByteArrayToFile(clientKeyPEMBlock, filepath.Join(tempCertificatePath, "tls.key"))
+	writeByteArrayToFile(caCertPEMBlock, filepath.Join(tempCertificatePath, "ca.crt"))
+
+	cert, err := tls.X509KeyPair(clientCertPEMBlock, clientKeyPEMBlock)
+	if err != nil {
+		return nil, err
+	}
+
+	caCertPool, _ := x509.SystemCertPool()
+	if caCertPool == nil {
+		caCertPool = x509.NewCertPool()
+	}
+	caCertPool.AppendCertsFromPEM(caCertPEMBlock)
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      caCertPool,
+	}, nil
+}
+
+func writeByteArrayToFile(byteArray []byte, filePath string) {
+	t, err := os.Create(filePath)
+	if err == nil {
+		t.Write(byteArray)
+		t.Close()
+	}
+}