feat(cdn): add custom certificate support (#983)
relates to STACKITCDN-1000
This commit is contained in:
Politano
GitHub
parent
813b8c0e81
commit
df0f152158
8 changed files with 834 additions and 71 deletions
|
|
@ -2,6 +2,7 @@ package cdn
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
|
|
@ -22,6 +23,7 @@ import (
|
|||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/schema/validator"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
|
||||
"github.com/hashicorp/terraform-plugin-log/tflog"
|
||||
"github.com/stackitcloud/stackit-sdk-go/core/oapierror"
|
||||
"github.com/stackitcloud/stackit-sdk-go/services/cdn"
|
||||
|
|
@ -37,6 +39,18 @@ var (
|
|||
_ resource.ResourceWithConfigure = &customDomainResource{}
|
||||
_ resource.ResourceWithImportState = &customDomainResource{}
|
||||
)
|
||||
var certificateSchemaDescriptions = map[string]string{
|
||||
"main": "The TLS certificate for the custom domain. If omitted, a managed certificate will be used. If the block is specified, a custom certificate is used.",
|
||||
"certificate": "The PEM-encoded TLS certificate. Required for custom certificates.",
|
||||
"private_key": "The PEM-encoded private key for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.",
|
||||
"version": "A version identifier for the certificate. Required for custom certificates. The certificate will be updated if this field is changed.",
|
||||
}
|
||||
|
||||
var certificateTypes = map[string]attr.Type{
|
||||
"version": types.Int64Type,
|
||||
"certificate": types.StringType,
|
||||
"private_key": types.StringType,
|
||||
}
|
||||
|
||||
var customDomainSchemaDescriptions = map[string]string{
|
||||
"id": "Terraform's internal resource identifier. It is structured as \"`project_id`,`distribution_id`\".",
|
||||
|
|
@ -46,6 +60,12 @@ var customDomainSchemaDescriptions = map[string]string{
|
|||
"errors": "List of distribution errors",
|
||||
}
|
||||
|
||||
type CertificateModel struct {
|
||||
Certificate types.String `tfsdk:"certificate"`
|
||||
PrivateKey types.String `tfsdk:"private_key"`
|
||||
Version types.Int64 `tfsdk:"version"`
|
||||
}
|
||||
|
||||
type CustomDomainModel struct {
|
||||
ID types.String `tfsdk:"id"` // Required by Terraform
|
||||
DistributionId types.String `tfsdk:"distribution_id"` // DistributionID associated with the cdn distribution
|
||||
|
|
@ -53,6 +73,7 @@ type CustomDomainModel struct {
|
|||
Name types.String `tfsdk:"name"` // The custom domain
|
||||
Status types.String `tfsdk:"status"` // The status of the cdn distribution
|
||||
Errors types.List `tfsdk:"errors"` // Any errors that the distribution has
|
||||
Certificate types.Object `tfsdk:"certificate"` // the certificate of the custom domain
|
||||
}
|
||||
|
||||
type customDomainResource struct {
|
||||
|
|
@ -63,6 +84,11 @@ func NewCustomDomainResource() resource.Resource {
|
|||
return &customDomainResource{}
|
||||
}
|
||||
|
||||
type Certificate struct {
|
||||
Type string
|
||||
Version *int64
|
||||
}
|
||||
|
||||
func (r *customDomainResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
||||
providerData, ok := conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
|
||||
if !ok {
|
||||
|
|
@ -120,6 +146,26 @@ func (r *customDomainResource) Schema(_ context.Context, _ resource.SchemaReques
|
|||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"certificate": schema.SingleNestedAttribute{
|
||||
Description: certificateSchemaDescriptions["main"],
|
||||
Optional: true,
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"certificate": schema.StringAttribute{
|
||||
Description: certificateSchemaDescriptions["certificate"],
|
||||
Optional: true,
|
||||
Sensitive: true,
|
||||
},
|
||||
"private_key": schema.StringAttribute{
|
||||
Description: certificateSchemaDescriptions["private_key"],
|
||||
Optional: true,
|
||||
Sensitive: true,
|
||||
},
|
||||
"version": schema.Int64Attribute{
|
||||
Description: certificateSchemaDescriptions["version"],
|
||||
Computed: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
"status": schema.StringAttribute{
|
||||
Computed: true,
|
||||
Description: customDomainSchemaDescriptions["status"],
|
||||
|
|
@ -146,21 +192,33 @@ func (r *customDomainResource) Create(ctx context.Context, req resource.CreateRe
|
|||
ctx = tflog.SetField(ctx, "distribution_id", distributionId)
|
||||
name := model.Name.ValueString()
|
||||
ctx = tflog.SetField(ctx, "name", name)
|
||||
certificate, err := toCertificatePayload(ctx, &model)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Creating API payload: %v", err))
|
||||
return
|
||||
}
|
||||
|
||||
payload := cdn.PutCustomDomainPayload{IntentId: cdn.PtrString(uuid.NewString())}
|
||||
|
||||
_, err := r.client.PutCustomDomain(ctx, projectId, distributionId, name).PutCustomDomainPayload(payload).Execute()
|
||||
payload := cdn.PutCustomDomainPayload{
|
||||
IntentId: cdn.PtrString(uuid.NewString()),
|
||||
Certificate: certificate,
|
||||
}
|
||||
_, err = r.client.PutCustomDomain(ctx, projectId, distributionId, name).PutCustomDomainPayload(payload).Execute()
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Calling API: %v", err))
|
||||
return
|
||||
}
|
||||
waitResp, err := wait.CreateCDNCustomDomainWaitHandler(ctx, r.client, projectId, distributionId, name).SetTimeout(5 * time.Minute).WaitWithContext(ctx)
|
||||
_, err = wait.CreateCDNCustomDomainWaitHandler(ctx, r.client, projectId, distributionId, name).SetTimeout(5 * time.Minute).WaitWithContext(ctx)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Waiting for create: %v", err))
|
||||
return
|
||||
}
|
||||
|
||||
err = mapCustomDomainFields(waitResp, &model)
|
||||
respCustomDomain, err := r.client.GetCustomDomainExecute(ctx, projectId, distributionId, name)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Calling API: %v", err))
|
||||
return
|
||||
}
|
||||
err = mapCustomDomainResourceFields(respCustomDomain, &model)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Processing API payload: %v", err))
|
||||
return
|
||||
|
|
@ -190,6 +248,7 @@ func (r *customDomainResource) Read(ctx context.Context, req resource.ReadReques
|
|||
ctx = tflog.SetField(ctx, "name", name)
|
||||
|
||||
customDomainResp, err := r.client.GetCustomDomain(ctx, projectId, distributionId, name).Execute()
|
||||
|
||||
if err != nil {
|
||||
var oapiErr *oapierror.GenericOpenAPIError
|
||||
// n.b. err is caught here if of type *oapierror.GenericOpenAPIError, which the stackit SDK client returns
|
||||
|
|
@ -202,7 +261,7 @@ func (r *customDomainResource) Read(ctx context.Context, req resource.ReadReques
|
|||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading CDN custom domain", fmt.Sprintf("Calling API: %v", err))
|
||||
return
|
||||
}
|
||||
err = mapCustomDomainFields(customDomainResp.CustomDomain, &model)
|
||||
err = mapCustomDomainResourceFields(customDomainResp, &model)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading CDN custom domain", fmt.Sprintf("Processing API payload: %v", err))
|
||||
return
|
||||
|
|
@ -216,9 +275,59 @@ func (r *customDomainResource) Read(ctx context.Context, req resource.ReadReques
|
|||
tflog.Info(ctx, "CDN custom domain read")
|
||||
}
|
||||
|
||||
func (r *customDomainResource) Update(ctx context.Context, _ resource.UpdateRequest, resp *resource.UpdateResponse) { // nolint:gocritic // function signature required by Terraform
|
||||
// Update shouldn't be called; custom domains have only computed fields and fields that require replacement when changed
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain", "Custom domain cannot be updated")
|
||||
func (r *customDomainResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) { // nolint:gocritic // function signature required by Terraform
|
||||
var model CustomDomainModel
|
||||
diags := req.Plan.Get(ctx, &model)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
projectId := model.ProjectId.ValueString()
|
||||
ctx = tflog.SetField(ctx, "project_id", projectId)
|
||||
distributionId := model.DistributionId.ValueString()
|
||||
ctx = tflog.SetField(ctx, "distribution_id", distributionId)
|
||||
name := model.Name.ValueString()
|
||||
ctx = tflog.SetField(ctx, "name", name)
|
||||
|
||||
certificate, err := toCertificatePayload(ctx, &model)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating CDN custom domain", fmt.Sprintf("Creating API payload: %v", err))
|
||||
return
|
||||
}
|
||||
|
||||
payload := cdn.PutCustomDomainPayload{
|
||||
IntentId: cdn.PtrString(uuid.NewString()),
|
||||
Certificate: certificate,
|
||||
}
|
||||
_, err = r.client.PutCustomDomain(ctx, projectId, distributionId, name).PutCustomDomainPayload(payload).Execute()
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Calling API: %v", err))
|
||||
return
|
||||
}
|
||||
|
||||
_, err = wait.CreateCDNCustomDomainWaitHandler(ctx, r.client, projectId, distributionId, name).SetTimeout(5 * time.Minute).WaitWithContext(ctx)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Waiting for update: %v", err))
|
||||
return
|
||||
}
|
||||
|
||||
respCustomDomain, err := r.client.GetCustomDomainExecute(ctx, projectId, distributionId, name)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Calling API to read final state: %v", err))
|
||||
return
|
||||
}
|
||||
err = mapCustomDomainResourceFields(respCustomDomain, &model)
|
||||
if err != nil {
|
||||
core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating CDN custom domain certificate", fmt.Sprintf("Processing API payload: %v", err))
|
||||
return
|
||||
}
|
||||
diags = resp.State.Set(ctx, model)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
tflog.Info(ctx, "CDN custom domain certificate updated")
|
||||
}
|
||||
|
||||
func (r *customDomainResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { // nolint:gocritic // function signature required by Terraform
|
||||
|
|
@ -260,30 +369,138 @@ func (r *customDomainResource) ImportState(ctx context.Context, req resource.Imp
|
|||
tflog.Info(ctx, "CDN custom domain state imported")
|
||||
}
|
||||
|
||||
func mapCustomDomainFields(customDomain *cdn.CustomDomain, model *CustomDomainModel) error {
|
||||
if customDomain == nil {
|
||||
func normalizeCertificate(certInput cdn.GetCustomDomainResponseGetCertificateAttributeType) (Certificate, error) {
|
||||
var customCert *cdn.GetCustomDomainCustomCertificate
|
||||
var managedCert *cdn.GetCustomDomainManagedCertificate
|
||||
|
||||
if certInput == nil {
|
||||
return Certificate{}, errors.New("input of type GetCustomDomainResponseCertificate is nil")
|
||||
}
|
||||
customCert = certInput.GetCustomDomainCustomCertificate
|
||||
managedCert = certInput.GetCustomDomainManagedCertificate
|
||||
|
||||
// Now we process the extracted certificates
|
||||
if customCert != nil && customCert.Type != nil && customCert.Version != nil {
|
||||
return Certificate{
|
||||
Type: *customCert.Type,
|
||||
Version: customCert.Version, // Converts from *int64 to int
|
||||
}, nil
|
||||
}
|
||||
|
||||
if managedCert != nil && managedCert.Type != nil {
|
||||
// The version will be the zero value for int (0), as requested
|
||||
return Certificate{
|
||||
Type: *managedCert.Type,
|
||||
}, nil
|
||||
}
|
||||
|
||||
return Certificate{}, errors.New("certificate structure is empty, neither custom nor managed is set")
|
||||
}
|
||||
|
||||
// toCertificatePayload constructs the certificate part of the payload for the API request.
|
||||
// It defaults to a managed certificate if the certificate block is omitted, otherwise it creates a custom certificate.
|
||||
func toCertificatePayload(ctx context.Context, model *CustomDomainModel) (*cdn.PutCustomDomainPayloadCertificate, error) {
|
||||
// If the certificate block is not specified, default to a managed certificate.
|
||||
if model.Certificate.IsNull() {
|
||||
managedCert := cdn.NewPutCustomDomainManagedCertificate("managed")
|
||||
certPayload := cdn.PutCustomDomainManagedCertificateAsPutCustomDomainPayloadCertificate(managedCert)
|
||||
return &certPayload, nil
|
||||
}
|
||||
|
||||
var certModel CertificateModel
|
||||
// Unpack the Terraform object into the temporary struct.
|
||||
respDiags := model.Certificate.As(ctx, &certModel, basetypes.ObjectAsOptions{})
|
||||
if respDiags.HasError() {
|
||||
return nil, fmt.Errorf("invalid certificate or private key: %w", core.DiagsToError(respDiags))
|
||||
}
|
||||
|
||||
if utils.IsUndefined(certModel.Certificate) || utils.IsUndefined(certModel.PrivateKey) {
|
||||
return nil, fmt.Errorf(`"certificate" and "private_key" must be set`)
|
||||
}
|
||||
|
||||
certStr := base64.StdEncoding.EncodeToString([]byte(certModel.Certificate.ValueString()))
|
||||
keyStr := base64.StdEncoding.EncodeToString([]byte(certModel.PrivateKey.ValueString()))
|
||||
|
||||
if certStr == "" || keyStr == "" {
|
||||
return nil, errors.New("invalid certificate or private key. Please check if the string of the public certificate and private key in PEM format")
|
||||
}
|
||||
|
||||
customCert := cdn.NewPutCustomDomainCustomCertificate(
|
||||
certStr,
|
||||
keyStr,
|
||||
"custom",
|
||||
)
|
||||
certPayload := cdn.PutCustomDomainCustomCertificateAsPutCustomDomainPayloadCertificate(customCert)
|
||||
|
||||
return &certPayload, nil
|
||||
}
|
||||
|
||||
func mapCustomDomainResourceFields(customDomainResponse *cdn.GetCustomDomainResponse, model *CustomDomainModel) error {
|
||||
if customDomainResponse == nil {
|
||||
return fmt.Errorf("response input is nil")
|
||||
}
|
||||
if model == nil {
|
||||
return fmt.Errorf("model input is nil")
|
||||
}
|
||||
|
||||
if customDomain.Name == nil {
|
||||
return fmt.Errorf("Name is missing in response")
|
||||
if customDomainResponse.CustomDomain == nil {
|
||||
return fmt.Errorf("CustomDomain is missing in response")
|
||||
}
|
||||
if customDomainResponse.CustomDomain.Name == nil {
|
||||
return fmt.Errorf("name is missing in response")
|
||||
}
|
||||
|
||||
if customDomain.Status == nil {
|
||||
return fmt.Errorf("Status missing in response")
|
||||
if customDomainResponse.CustomDomain.Status == nil {
|
||||
return fmt.Errorf("status missing in response")
|
||||
}
|
||||
normalizedCert, err := normalizeCertificate(customDomainResponse.Certificate)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Certificate error in normalizer: %w", err)
|
||||
}
|
||||
|
||||
model.ID = utils.BuildInternalTerraformId(model.ProjectId.ValueString(), model.DistributionId.ValueString(), *customDomain.Name)
|
||||
model.Status = types.StringValue(string(*customDomain.Status))
|
||||
// If the certificate is managed, the certificate block in the state should be null.
|
||||
if normalizedCert.Type == "managed" {
|
||||
model.Certificate = types.ObjectNull(certificateTypes)
|
||||
} else {
|
||||
// If the certificate is custom, we need to preserve the user-configured
|
||||
// certificate and private key from the plan/state, and only update the computed version.
|
||||
certAttributes := map[string]attr.Value{
|
||||
"certificate": types.StringNull(), // Default to null
|
||||
"private_key": types.StringNull(), // Default to null
|
||||
"version": types.Int64Null(),
|
||||
}
|
||||
|
||||
// Get existing values from the model's certificate object if it exists
|
||||
if !model.Certificate.IsNull() {
|
||||
existingAttrs := model.Certificate.Attributes()
|
||||
if val, ok := existingAttrs["certificate"]; ok {
|
||||
certAttributes["certificate"] = val
|
||||
}
|
||||
if val, ok := existingAttrs["private_key"]; ok {
|
||||
certAttributes["private_key"] = val
|
||||
}
|
||||
}
|
||||
|
||||
// Set the computed version from the API response
|
||||
if normalizedCert.Version != nil {
|
||||
certAttributes["version"] = types.Int64Value(*normalizedCert.Version)
|
||||
}
|
||||
|
||||
certificateObj, diags := types.ObjectValue(certificateTypes, certAttributes)
|
||||
if diags.HasError() {
|
||||
return fmt.Errorf("failed to map certificate: %w", core.DiagsToError(diags))
|
||||
}
|
||||
model.Certificate = certificateObj
|
||||
}
|
||||
|
||||
model.ID = utils.BuildInternalTerraformId(model.ProjectId.ValueString(), model.DistributionId.ValueString(), *customDomainResponse.CustomDomain.Name)
|
||||
model.Status = types.StringValue(string(*customDomainResponse.CustomDomain.Status))
|
||||
|
||||
customDomainErrors := []attr.Value{}
|
||||
if customDomain.Errors != nil {
|
||||
for _, e := range *customDomain.Errors {
|
||||
if customDomainResponse.CustomDomain.Errors != nil {
|
||||
for _, e := range *customDomainResponse.CustomDomain.Errors {
|
||||
if e.En == nil {
|
||||
return fmt.Errorf("Error description missing")
|
||||
return fmt.Errorf("error description missing")
|
||||
}
|
||||
customDomainErrors = append(customDomainErrors, types.StringValue(*e.En))
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue