Merge pull request #429 from koendelaat/feature/iam_service_certificate

Added `self_managed_certificate` to IAM Service

Author: loafoe

go.mod

@@ -34,10 +34,10 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect
 	github.com/fatih/color v1.16.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.17.0 // indirect
+	github.com/go-playground/validator/v10 v10.22.0 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -63,7 +63,7 @@ require (
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/labstack/echo/v4 v4.9.0 // indirect
 	github.com/labstack/gommon v0.3.1 // indirect
-	github.com/leodido/go-urn v1.2.4 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -87,7 +87,7 @@ require (
 	golang.org/x/crypto v0.26.0 // indirect
 	golang.org/x/mod v0.19.0 // indirect
 	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/oauth2 v0.17.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.23.0 // indirect
 	golang.org/x/text v0.17.0 // indirect

go.sum

@@ -150,8 +150,8 @@ github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYF
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
-github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
+github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
+github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
@@ -216,8 +216,8 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.17.0 h1:SmVVlfAOtlZncTxRuinDPomC2DkXJ4E5T9gDA0AIH74=
-github.com/go-playground/validator/v10 v10.17.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
+github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao=
+github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
@@ -422,8 +422,8 @@ github.com/labstack/echo/v4 v4.9.0 h1:wPOF1CE6gvt/kmbMR4dGzWvHMPT+sAEUJOwOTtvITV
 github.com/labstack/echo/v4 v4.9.0/go.mod h1:xkCDAdFCIf8jsFQ5NnbK7oqaF/yU1A1X20Ltm0OvSks=
 github.com/labstack/gommon v0.3.1 h1:OomWaJXm7xR6L1HmEtGyQf26TEn7V6X88mktX9kee9o=
 github.com/labstack/gommon v0.3.1/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
-github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
-github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/loafoe/easyssh-proxy/v2 v2.0.4 h1:EzD0FWq2Ro44sDIbk95cs5oUlWFi2GKc6u/A8sxAxBM=
 github.com/loafoe/easyssh-proxy/v2 v2.0.4/go.mod h1:PzKetBuhTzg74M1AapAmDQAwBILp/MIiUkeUQ9bx42k=
 github.com/loafoe/ferrite v0.2.0 h1:4sIUGPCUpN116Nu7tZksAovFKVYBnqN4PFalk9/6r+A=
@@ -594,19 +594,14 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tchap/go-patricia v0.0.0-20160729071656-dd168db6051b/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
@@ -729,8 +724,8 @@ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
-golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/services/iam/service/resource_iam_service.go

@@ -81,15 +81,23 @@ func ResourceIAMService() *schema.Resource {
 				Description:  "Access Token Lifetime (in seconds). Default: 1800 (30 minutes), Maximum: 2592000 (30 days).",
 			},
 			"self_managed_private_key": {
-				Type:        schema.TypeString,
-				Sensitive:   true,
-				Optional:    true,
-				Description: "RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.",
+				Type:      schema.TypeString,
+				Sensitive: true,
+				Optional:  true,
+				Description: "RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
+					"Mutually exclusive with `self_managed_certificate`",
 			},
 			"self_managed_expires_on": {
 				Type:        schema.TypeString,
 				Optional:    true,
-				Description: "Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.",
+				Description: "Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.\nOnly applicable when `self_managed_private_key` is used",
+			},
+			"self_managed_certificate": {
+				Type:      schema.TypeString,
+				Sensitive: true,
+				Optional:  true,
+				Description: "X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
+					"Mutually exclusive with `self_managed_private_key`",
 			},
 			"private_key": {
 				Type:        schema.TypeString,
@@ -151,9 +159,16 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
 	defaultScopes := tools.ExpandStringList(d.Get("default_scopes").(*schema.Set).List())
 	selfExpiresOn := d.Get("self_managed_expires_on").(string)
 	selfPrivateKey := d.Get("self_managed_private_key").(string)
+	selfCertificate := d.Get("self_managed_certificate").(string)
 	if selfPrivateKey == "" && selfExpiresOn != "" {
 		return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_expires_on' value without also specifying the 'self_managed_private_key'"))
 	}
+	if selfCertificate != "" && selfExpiresOn != "" {
+		return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_expires_on' value in combination with 'self_managed_certificate'"))
+	}
+	if selfCertificate != "" && selfPrivateKey != "" {
+		return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))
+	}
 
 	var createdService *iam.Service
 
@@ -176,12 +191,19 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
 
 	// Set certificate if set from the get go
 	if selfPrivateKey != "" {
-		diags = setSelfManaged(client, *createdService, d)
+		diags = setSelfManagedPrivateKey(client, *createdService, d)
+		if len(diags) > 0 {
+			_, _, _ = client.Services.DeleteService(*createdService) // Cleanup
+			return diags
+		}
+	}
+	// Set certificate if set from publicKey
+	if selfCertificate != "" {
+		diags = setSelfManagedCertificate(client, *createdService, d)
 		if len(diags) > 0 {
 			_, _, _ = client.Services.DeleteService(*createdService) // Cleanup
 			return diags
 		}
-		_ = d.Set("private_key", selfPrivateKey)
 	}
 
 	// Set scopes and default_scopes
@@ -291,14 +313,23 @@ func resourceIAMServiceUpdate(ctx context.Context, d *schema.ResourceData, m int
 			_, _, _ = client.Services.AddScopes(s, []string{}, toAdd)
 		}
 	}
-	if d.HasChange("self_managed_expires_on") || d.HasChange("self_managed_private_key") {
-		_, npk := d.GetChange("self_managed_private_key")
+	if d.HasChange("self_managed_expires_on") || d.HasChange("self_managed_private_key") || d.HasChange("self_managed_certificate") {
+		_, newPrivateKey := d.GetChange("self_managed_private_key")
+		_, newCertificate := d.GetChange("self_managed_certificate")
 		privateKey := d.Get("private_key").(string)
 
-		if npk.(string) == "" && privateKey == "" {
-			return diag.FromErr(fmt.Errorf("you cannot revert to a server side managed private key once you set a self managed private key"))
+		if newPrivateKey.(string) == "" && newCertificate.(string) == "" && privateKey == "" {
+			return diag.FromErr(fmt.Errorf("you cannot revert to a server side managed private key once you set a self managed private key or certificate"))
+		}
+		if newCertificate.(string) != "" && newPrivateKey.(string) != "" {
+			return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))
+		}
+		if newPrivateKey.(string) != "" {
+			diags = setSelfManagedPrivateKey(client, s, d)
+		}
+		if newCertificate.(string) != "" {
+			diags = setSelfManagedCertificate(client, s, d)
 		}
-		diags = setSelfManaged(client, s, d)
 		if len(diags) > 0 {
 			return diags
 		}
@@ -330,7 +361,7 @@ func resourceIAMServiceDelete(_ context.Context, d *schema.ResourceData, m inter
 	return diags
 }
 
-func setSelfManaged(client *iam.Client, service iam.Service, d *schema.ResourceData) diag.Diagnostics {
+func setSelfManagedPrivateKey(client *iam.Client, service iam.Service, d *schema.ResourceData) diag.Diagnostics {
 	var diags diag.Diagnostics
 
 	selfPrivateKey := d.Get("self_managed_private_key").(string)
@@ -367,3 +398,33 @@ func setSelfManaged(client *iam.Client, service iam.Service, d *schema.ResourceD
 	}
 	return diags
 }
+
+func setSelfManagedCertificate(client *iam.Client, service iam.Service, d *schema.ResourceData) diag.Diagnostics {
+	var diags diag.Diagnostics
+
+	selfCertificate := d.Get("self_managed_certificate").(string)
+	fixedPEM := iam.FixPEM(selfCertificate)
+	block, _ := pem.Decode([]byte(fixedPEM))
+	if block == nil {
+		block, _ = pem.Decode([]byte(selfCertificate)) // Try unmodified decode
+		if block == nil {
+			return diag.FromErr(fmt.Errorf("error decoding 'self_managed_certificate'"))
+		}
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("parsing certificate: %w", err))
+	}
+	commonName := cert.Subject.CommonName
+	if commonName != service.ServiceID {
+		return diag.FromErr(fmt.Errorf("certificate subject CommonName should match `service_id`: %s != %s", commonName, service.ServiceID))
+	}
+	_, _, err = client.Services.UpdateServiceCertificateDER(service, block.Bytes)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("setting certificate: %w", err))
+	}
+	if fixedPEM != "" {
+		_ = d.Set("private_key", nil)
+	}
+	return diags
+}