Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: change mTLS associated hostnames to a set #3498

Merged
merged 3 commits into from
Aug 28, 2024
Merged

fix: change mTLS associated hostnames to a set #3498

merged 3 commits into from
Aug 28, 2024

Conversation

BSFishy
Copy link
Contributor

@BSFishy BSFishy commented Jul 24, 2024
edited
Loading

The API doesn't order mTLS associated hostnames in any meaningful way. This can cause drift as seen in #3436. We can mitigate this by ignoring associated hostname changes, when the only thing that has changed is the ordering.

I tried a number of other approaches including sorting the list that is returned from the API and sorting the incoming associated hostname list, but none of that type of stuff worked.

fixes #3436

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 24, 2024
edited
Loading

changelog detected ✅

@BSFishy BSFishy force-pushed the sort_hostnames branch 2 times, most recently from 24ba41d to 393e8ef Compare July 25, 2024 21:58
@BSFishy BSFishy changed the title fix: sort associated hostnames alphabetically fix: ignore associated hostnames reordering Jul 25, 2024
@BSFishy BSFishy marked this pull request as ready for review July 25, 2024 22:01
@ajholland
Copy link
Contributor

Looks good to me!

bporter816
bporter816 reviewed Jul 26, 2024
View reviewed changes
.changelog/3498.txt Outdated Show resolved Hide resolved
jacobbednarz
jacobbednarz requested changes Jul 29, 2024
View reviewed changes
Copy link
Member

@jacobbednarz jacobbednarz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the changes you're making here are basically what TypeSet is built for. i'd suggest we swap to that instead and remove the additional schema functions here.

@BSFishy
fix: ignore associated hostnames reordering
0b218d0 
Signed-off-by: Matt Provost <mprovost@cloudflare.com>
@BSFishy BSFishy changed the title fix: ignore associated hostnames reordering fix: change mTLS associated hostnames to a set Jul 29, 2024
@BSFishy
Copy link
Contributor Author

BSFishy commented Jul 29, 2024

the changes you're making here are basically what TypeSet is built for. i'd suggest we swap to that instead and remove the additional schema functions here.

I thought what I was doing felt wrong! Thanks for pointing me in the right direction. Updated and ready for re-review :)

@bporter816
Copy link

Hi @jacobbednarz, can we get this reviewed for the next release?

@jacobbednarz
Copy link
Member

the acceptance tests are failing here (and on master) so we'll need to work out what needs to change to support it.

TF_ACC=1 go test ./internal/sdkv2provider -v -run "^TestAccCloudflareAccessMutualTLS" -count 1 -timeout 120m -parallel 1
=== RUN   TestAccCloudflareAccessMutualTLSBasic
    resource_cloudflare_access_mutual_tls_certificate_test.go:75: Step 1/2 error: Error running apply: exit status 1
        
        Error: error creating Access Mutual TLS Certificate for accounts "f037e56e89293a057740de681ac9abbe": error from makeRequest: access.api.error.certificate_required (12032)
        
          with cloudflare_access_mutual_tls_certificate.jndisxqick,
          on terraform_plugin_test.tf line 12, in resource "cloudflare_access_mutual_tls_certificate" "jndisxqick":
          12: resource "cloudflare_access_mutual_tls_certificate" "jndisxqick" {
        
--- FAIL: TestAccCloudflareAccessMutualTLSBasic (0.86s)
=== RUN   TestAccCloudflareAccessMutualTLSBasicWithZoneID
    resource_cloudflare_access_mutual_tls_certificate_test.go:118: Step 1/2 error: Error running apply: exit status 1
        
        Error: error creating Access Mutual TLS Certificate for zones "0da42c8d2132a9ddaf714f9e7c920711": error from makeRequest: access.api.error.certificate_required (12032)
        
          with cloudflare_access_mutual_tls_certificate.sjkcssabds,
          on terraform_plugin_test.tf line 12, in resource "cloudflare_access_mutual_tls_certificate" "sjkcssabds":
          12: resource "cloudflare_access_mutual_tls_certificate" "sjkcssabds" {
        
--- FAIL: TestAccCloudflareAccessMutualTLSBasicWithZoneID (0.72s)
FAIL
FAIL	github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider	2.365s
FAIL
make: *** [testacc] Error 1

@bporter816
Copy link

bporter816 commented Aug 27, 2024
edited
Loading

From the error message, is it possible that CLOUDFLARE_MUTUAL_TLS_CERTIFICATE isn't being set? In terms of the changes needed for this PR, seems like there needs to be several changes in this file, like using TestCheckResourceAddrSet instead of TestCheckResourceAttr, toset([]) instead of [], etc.

@BSFishy
Copy link
Contributor Author

BSFishy commented Aug 27, 2024

I think I agree with @bporter816 that it looks like the CLOUDFLARE_MUTUAL_TLS_CERTIFICATE variable isn't being set. Apart from that, the file mentioned seems to be fine to me. To my understanding, TestCheckResourceAttrSet checks if an attribute is set, rather than if it contains a specific value (which for the certificate is fine I think), and lists should automatically be coerced to sets where necissary, according to these docs. Let me know if any of this sounds wrong and I can take another look

@bporter816
Copy link

Ah yes, I think I misread the docs on that function. Another thing I wasn't sure about is if things like this indexing still work:

terraform-provider-cloudflare/internal/sdkv2provider/resource_cloudflare_access_mutual_tls_certificate_test.go

Line 131 in 4708b62

resource.TestCheckResourceAttr(name, "associated_hostnames.0", domain),

@jacobbednarz
Copy link
Member

nice find. after fixing that (and adding a check in the tests for future runners), this is all now passing

TF_ACC=1 go test ./internal/sdkv2provider -v -run "^TestAccCloudflareAccessMutualTLS" -count 1 -timeout 120m -parallel 1
=== RUN   TestAccCloudflareAccessMutualTLSBasic
--- PASS: TestAccCloudflareAccessMutualTLSBasic (9.57s)
=== RUN   TestAccCloudflareAccessMutualTLSBasicWithZoneID
--- PASS: TestAccCloudflareAccessMutualTLSBasicWithZoneID (9.22s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider	19.298s

@jacobbednarz jacobbednarz merged commit c44a0f0 into cloudflare:master Aug 28, 2024
9 checks passed
@github-actions github-actions bot added this to the v4.41.0 milestone Aug 28, 2024
@BSFishy BSFishy deleted the sort_hostnames branch August 28, 2024 14:36
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 4, 2024

This functionality has been released in v4.41.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bporter816 bporter816 bporter816 left review comments

@jacobbednarz jacobbednarz Awaiting requested review from jacobbednarz jacobbednarz is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v4.41.0
Development

Successfully merging this pull request may close these issues.

Perpetual drift from Access mTLS cert associated hostname reordering
4 participants
@BSFishy @ajholland @bporter816 @jacobbednarz