Merge pull request #33 from iwarapter/feature/csr_chains

Feature/csr chains
iwarapter · Nov 6, 2020 · a4932a1 · a4932a1
2 parents 644cacc + 6cb7841
commit a4932a1
Show file tree

Hide file tree

Showing 5 changed files with 202 additions and 9 deletions.
diff --git a/docs/data-sources/pingaccess_keypair_csr.md b/docs/data-sources/pingaccess_keypair_csr.md
@@ -0,0 +1,20 @@
+# Data Source: pingaccess_keypair_csr
+
+Use this data source to get the CSR of a keypair in Ping Access.
+
+## Example Usage
+```hcl
+data "pingaccess_keypair_csr" "csr" {
+  id = pingaccess_keypair.demo_generate.id
+}
+```
+## Argument Attributes
+The following arguments are supported:
+
+- [`id`](#id) - (required) The ID for the keypair.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- [`cert_request_pem`](#cert_request_pem) - The keypairs's Certificate Signing Response.
diff --git a/docs/resources/pingaccess_keypair_csr.md b/docs/resources/pingaccess_keypair_csr.md
@@ -0,0 +1,83 @@
+# Resource: pingaccess_keypair_csr
+
+Provides a keypair csr response.
+
+## Example Usage
+
+### Signing a CSR with an example tls signer
+```hcl
+resource "pingaccess_keypair" "demo_generate" {
+  alias             = "demo2"
+  city              = "London"
+  common_name       = "Example"
+  country           = "GB"
+  key_algorithm     = "RSA"
+  key_size          = 2048
+  organization      = "Test"
+  organization_unit = "Development"
+  state             = "London"
+  valid_days        = 365
+}
+
+
+data "pingaccess_keypair_csr" "csr" {
+  id = pingaccess_keypair.demo_generate.id
+}
+
+resource "pingaccess_keypair_csr" "test" {
+  keypair_id                   = pingaccess_keypair.demo_generate.id
+  file_data                    = base64encode(tls_locally_signed_cert.example.cert_pem)
+  chain_certificates           = [base64encode(tls_self_signed_cert.example.cert_pem)]
+  trusted_certificate_group_id = data.pingaccess_trusted_certificate_group.trust_any.id
+}
+
+resource "tls_private_key" "example" {
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "tls_locally_signed_cert" "example" {
+  cert_request_pem   = data.pingaccess_keypair_csr.csr.cert_request_pem
+  ca_key_algorithm   = "RSA"
+  ca_private_key_pem = tls_private_key.example.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.example.cert_pem
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "tls_self_signed_cert" "example" {
+  key_algorithm   = "RSA"
+  private_key_pem = tls_private_key.example.private_key_pem
+
+  subject {
+    common_name  = "example.com"
+    organization = "ACME Examples, Inc"
+  }
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+```
+
+## Argument Attributes
+The following arguments are supported:
+
+- [`keypair_id`](#keypair_id) - (required) The Id for the key pair.
+- [`file_data`](#file_data) - (required) The base64-encoded data of the keypair.
+- [`chain_certificates`](#chain_certificates) - A list of base64-encoded certificates to add to the key pair certificate chain.
+- [`trusted_certificate_group_id`](#trusted_certificate_group_id) - The ID of the trusted certificate group associated with the CSR response.
+
+## Attributes Reference
+
+None
diff --git a/func-tests/keypair_csr.tf b/func-tests/keypair_csr.tf
@@ -0,0 +1,49 @@
+
+data "pingaccess_keypair_csr" "csr" {
+  id = pingaccess_keypair.demo_generate.id
+}
+
+resource "pingaccess_keypair_csr" "test" {
+  keypair_id                   = pingaccess_keypair.demo_generate.id
+  file_data                    = base64encode(tls_locally_signed_cert.example.cert_pem)
+  chain_certificates           = [base64encode(tls_self_signed_cert.example.cert_pem)]
+  trusted_certificate_group_id = data.pingaccess_trusted_certificate_group.trust_any.id
+}
+
+resource "tls_private_key" "example" {
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "tls_locally_signed_cert" "example" {
+  cert_request_pem   = data.pingaccess_keypair_csr.csr.cert_request_pem
+  ca_key_algorithm   = "RSA"
+  ca_private_key_pem = tls_private_key.example.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.example.cert_pem
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "tls_self_signed_cert" "example" {
+  key_algorithm   = "RSA"
+  private_key_pem = tls_private_key.example.private_key_pem
+
+  subject {
+    common_name  = "example.com"
+    organization = "ACME Examples, Inc"
+  }
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
diff --git a/pingaccess/resource_pingaccess_keypair_csr.go b/pingaccess/resource_pingaccess_keypair_csr.go
@@ -15,6 +15,7 @@ func resourcePingAccessKeyPairCsr() *schema.Resource {
 	return &schema.Resource{
 		CreateContext: resourcePingAccessKeyPairCsrCreate,
 		ReadContext:   resourcePingAccessKeyPairCsrRead,
+		UpdateContext: resourcePingAccessKeyPairCsrUpdate,
 		DeleteContext: resourcePingAccessKeyPairCsrDelete,
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
@@ -34,18 +35,27 @@ func resourcePingAccessKeyPairCsrSchema() map[string]*schema.Schema {
 		"file_data": {
 			Type:     schema.TypeString,
 			Required: true,
-			ForceNew: true,
+		},
+		"trusted_certificate_group_id": {
+			Type:     schema.TypeInt,
+			Optional: true,
+			Default:  0,
+		},
+		"chain_certificates": {
+			Type:     schema.TypeList,
+			Optional: true,
+			Elem: &schema.Schema{
+				Type: schema.TypeString,
+			},
 		},
 	}
 }
 
 func resourcePingAccessKeyPairCsrCreate(_ context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	svc := m.(paClient).KeyPairs
 	input := keyPairs.ImportCSRResponseCommandInput{
-		Body: models.CSRResponseImportDocView{
-			FileData: String(d.Get("file_data").(string)),
-		},
-		Id: d.Get("keypair_id").(string),
+		Body: *resourcePingAccessKeyPairCsrReadData(d),
+		Id:   d.Get("keypair_id").(string),
 	}
 
 	result, _, err := svc.ImportCSRResponseCommand(&input)
@@ -61,7 +71,37 @@ func resourcePingAccessKeyPairCsrRead(_ context.Context, d *schema.ResourceData,
 	return nil
 }
 
+func resourcePingAccessKeyPairCsrUpdate(_ context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	svc := m.(paClient).KeyPairs
+	input := keyPairs.ImportCSRResponseCommandInput{
+		Body: *resourcePingAccessKeyPairCsrReadData(d),
+		Id:   d.Get("keypair_id").(string),
+	}
+
+	_, _, err := svc.ImportCSRResponseCommand(&input)
+	if err != nil {
+		return diag.Errorf("unable to update KeyPairCsr: %s", err)
+	}
+	return nil
+}
+
 func resourcePingAccessKeyPairCsrDelete(_ context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	d.SetId("")
 	return nil
 }
+
+func resourcePingAccessKeyPairCsrReadData(d *schema.ResourceData) *models.CSRResponseImportDocView {
+	csr := models.CSRResponseImportDocView{
+		FileData: String(d.Get("file_data").(string)),
+	}
+
+	if v, ok := d.GetOk("chain_certificates"); ok {
+		certs := expandStringList(v.([]interface{}))
+		csr.ChainCertificates = &certs
+	}
+	if v, ok := d.GetOk("trusted_certificate_group_id"); ok {
+		csr.TrustedCertGroupId = Int(v.(int))
+	}
+
+	return &csr
+}
diff --git a/pingaccess/resource_pingaccess_keypair_csr_test.go b/pingaccess/resource_pingaccess_keypair_csr_test.go
@@ -28,7 +28,7 @@ func TestAccPingAccessKeyPairCsr(t *testing.T) {
 		Subject: pkix.Name{
 			Organization: []string{"Ping Identity"},
 			Country:      []string{"US"},
-			CommonName: "localhost",
+			CommonName:   "localhost",
 		},
 		NotBefore:             time.Now(),
 		NotAfter:              time.Now().AddDate(10, 0, 0),
@@ -87,7 +87,7 @@ func TestAccPingAccessKeyPairCsr(t *testing.T) {
 		CheckDestroy: testAccCheckPingAccessKeyPairCsrDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccPingAccessKeyPairCsrConfig(signedCert),
+				Config: testAccPingAccessKeyPairCsrConfig(signedCert, caBuf.String()),
 				//Check: resource.ComposeTestCheckFunc(),
 			},
 		},
@@ -98,11 +98,12 @@ func testAccCheckPingAccessKeyPairCsrDestroy(s *terraform.State) error {
 	return nil
 }
 
-func testAccPingAccessKeyPairCsrConfig(signedCert string) string {
+func testAccPingAccessKeyPairCsrConfig(signedCert, chain string) string {
 	return fmt.Sprintf(`
 resource "pingaccess_keypair_csr" "test" {
   keypair_id = "1"
   file_data = "%s"
+  chain_certificates = ["%s"]
 }
-`, base64.StdEncoding.EncodeToString([]byte(signedCert)))
+`, base64.StdEncoding.EncodeToString([]byte(signedCert)), base64.StdEncoding.EncodeToString([]byte(chain)))
 }