implement custom ssl resource #418
Conversation
|
Thanks for this @jterzis! Appreciate the effort. Few questions from me (other specific notes inline):
|
| }, | ||
| "bundle_method": { | ||
| Type: schema.TypeString, | ||
| Computed: true, |
There was a problem hiding this comment.
As the API has restrictions on what values can be used here, it's helpful to provide validation before the HTTP interactions are made.
| Computed: true, | |
| Computed: true, | |
| ValidateFunc: validation.StringInSlice([]string{"ubiquitous", "optimal", "force"}, false), |
There was a problem hiding this comment.
We have bundle_method here as well as nested under custom_ssl_options. Is there a difference for these two?
There was a problem hiding this comment.
The one under custom_ssl_options is passed in during creation. The other is returned by the /zones/:zone_id/custom_certificates/:cert_id which the Read method calls. Added it to top level as a convenience since on Read, the custom_ssl_options map is not set.
There was a problem hiding this comment.
🤔 Generally, we've followed what the public API has returned to ensure we had something consistent to map it off. This feels like it will cause some confusion if the value is present in two spots but not matching.
There was a problem hiding this comment.
I've strived to follow the public API however, the return body from the public api for the POST method on this resource differs from the request body passed into POST in fields and nesting of fields. I've tried to account for both by mapping the POST request body field custom_ssl_options as a nested map and then mapping the return body separately where bundle_method is non-nested (see below return body POST zones/:zone_identifier/custom_certificates from public api).
{
"success": true,
"errors": [],
"messages": [],
"result": {
"id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60",
"hosts": [
"example.com"
],
"issuer": "GlobalSign",
"signature": "SHA256WithRSA",
"status": "active",
"bundle_method": "ubiquitous",
"geo_restrictions": {
"label": "us"
},
"zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
"uploaded_on": "2014-01-01T05:20:00Z",
"modified_on": "2014-01-01T05:20:00Z",
"expires_on": "2016-01-01T05:20:00Z",
"priority": 1
}
}
I think I can set the bundle_method on READ within the nested map, custom_ssl_options and then remove bundle_method from the top level in the schema so we don't have it specified in two places as you've pointed out. But then the return body won't match 1-1 with our public api. I don't have a strong preference here and want to go with our convention so let me if you are okay with a missing bundle_method field in top level of return body.
There was a problem hiding this comment.
@jacobbednarz Thanks for adding some clarity to the request. cloudflare-go separates the req/resp payloads into 2 different structs for an underlying POST and returns the same response payload on GETS as it does on the POST (https://github.com/cloudflare/cloudflare-go/blob/master/ssl.go#L65-L92) so Im not sure there is much more to do there.
What I am doing in the schema amounts to merging the 2 structs from cloudflare-go (ZoneCustomSSLOptions, ZoneCustomSSL). In fact, there shouldn't be much confusion in the schema as to which bundle_method is needed for CREATING the resource (at time apply or plan) versus which is READ in since the latter is a Computed attribute in the schema. Maybe it would help if you describe the specific case you are trying to mitigate ?
There was a problem hiding this comment.
Now that I think about it more, I could probably remove the computed bundle_method from the schema since it's not required to be set in READ only on CREATE.
There was a problem hiding this comment.
Maybe it would help if you describe the specific case you are trying to mitigate ?
Good idea, let's start with the issue first and work backwards from there 😄 My main concern is that we're duplicating schema fields for the purposes of making the internals happy. That tells me that something isn't encapsulated or structured correctly.
There was a problem hiding this comment.
Let's abstract away from internals and present the struct that makes sense. And please with no Request/Response fields 🙏
There was a problem hiding this comment.
Sounds good. I've normalized the schema struct and removed bundle_method from the top level struct which was duplicative as @jacobbednarz indicated.
| State: resourceCloudflareCustomSslImport, | ||
| }, | ||
|
|
||
| Schema: map[string]*schema.Schema{ |
There was a problem hiding this comment.
We're missing some fields from the schema, is this intentional? The API shows the following also available:
- type
- geo_restrictions
There was a problem hiding this comment.
These are not supported by v4api https://github.com/cloudflare/cloudflare-go/blob/master/ssl.go#L40-L44. Ill cut a PR against that repo and then update this one likely in a separate PR.
There was a problem hiding this comment.
🙇 thanks for getting that updated! PR is at cloudflare/cloudflare-go#327
| }, | ||
| "bundle_method": { | ||
| Type: schema.TypeString, | ||
| Optional: true, |
There was a problem hiding this comment.
As the API has restrictions on what values can be used here, it's helpful to provide validation before the HTTP interactions are made.
| Optional: true, | |
| Optional: true, | |
| ValidateFunc: validation.StringInSlice([]string{"ubiquitous", "optimal", "force"}, false), |
There was a problem hiding this comment.
I was planning on adding validations as a separate ticket. This one establishes minimal functionality for creating, updating, deleting custom_ssl resource. I can add validation for requisite parameters on POST , PUT encapsulating functions though no problem.
There was a problem hiding this comment.
Understandable. If we can, I prefer to have as much validation up front as (even with MVP style PRs) to speed up the feedback loop that users get. For example, our Terraform configuration is across ~40 domains and if we apply changes we can wait up to a couple of minutes for the payload to hit the Cloudflare API only to inform us that we've incorrectly formatted a field or gave it an unexpected value. Compared to schema based validation, we get that almost instantly. It does make the user UX quite a bit nicer and doesn't waste as much time on larger installs 🙂
There was a problem hiding this comment.
Forgot to update this after I added Validation for post fields that take on a set of string values, namely bundle_method, geo_restrictions, type.
| } | ||
|
|
||
| func resourceCloudflareCustomSslRead(d *schema.ResourceData, meta interface{}) error { | ||
|
|
| log.Printf("[DEBUG] Custom SSL priority found in config: %#v", data) | ||
| //type mt map[string]interface{} | ||
| var mtSlice []cloudflare.ZoneCustomSSLPriority | ||
| if dataOk { |
There was a problem hiding this comment.
Personal preference here (so take it or leave it 😛) but I'd look to return early here and instead of nesting another level as while it's not too big of a deal now, Go is pretty good at getting gnarly nested if expressions. I.e.
data, dataOk := d.GetOk("custom_ssl_priority")
// ..
if !dataOk {
// Perhaps a better exception than `nil` but 🤷♂
return mtSlice, nil
}
for _, innerData := range data.([]interface{}) {
newData := make(map[string]interface{})
// .. continue on
}There was a problem hiding this comment.
This appears to be more idiomatic so Ill take your suggestion, thanks!
| switch idName := id; idName { | ||
| case "id": | ||
| newValue := value.(string) | ||
| //newData[id] = newValue |
There was a problem hiding this comment.
| //newData[id] = newValue |
| } | ||
| // map -> json -> struct | ||
| json.Unmarshal(zcspJson, &zcsp) | ||
| //return mtSlice, fmt.Errorf("FAILURE: %#v %#v", newData, zcsp) |
There was a problem hiding this comment.
If this isn't needed, let's get rid of it.
| //return mtSlice, fmt.Errorf("FAILURE: %#v %#v", newData, zcsp) |
| func expandToZoneCustomSSLPriority(d *schema.ResourceData) ([]cloudflare.ZoneCustomSSLPriority, error) { | ||
| data, dataOk := d.GetOk("custom_ssl_priority") | ||
| log.Printf("[DEBUG] Custom SSL priority found in config: %#v", data) | ||
| //type mt map[string]interface{} |
There was a problem hiding this comment.
| //type mt map[string]interface{} |
| // split the id so we can lookup | ||
| idAttr := strings.SplitN(d.Id(), "/", 2) | ||
|
|
||
| var zoneName string |
There was a problem hiding this comment.
Let's keep it at zoneID as we're in the process of deprecating zoneName from this provider due to the non-unique nature of it in Cloudflare.
| func TestAccCloudflareCustomSSL_Basic(t *testing.T) { | ||
| t.Parallel() | ||
| var customSSL cloudflare.ZoneCustomSSL | ||
| domain := os.Getenv("CLOUDFLARE_DOMAIN") |
There was a problem hiding this comment.
CLOUDFLARE_ZONE_ID is preferred to CLOUDFLARE_DOMAIN for the uniqueness of it.
There was a problem hiding this comment.
Ok i was applying the pattern we currently have elsewhere. I agree zone id a unique identifier is preferable esp. since the tests create actual resources and cost $ potentially.
There was a problem hiding this comment.
Yeah, sorry about that. We've put the deprecation in place as of the next minor release and I'll be swapping everything over internally once that lands.
There was a problem hiding this comment.
no problem, updated!
| t.Parallel() | ||
| var customSSL cloudflare.ZoneCustomSSL | ||
| zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") | ||
| resourceName := fmt.Sprintf("cloudflare_custom_ssl.foossl") |
There was a problem hiding this comment.
Let's use the generateRandomResourceName() method here to build a resource name for the entropy to denote this isn't a static resource (only used for testing) and in the future when we swap all resource names to begin with tf-acc, this will be one less place we need to manually update.
| resourceName := fmt.Sprintf("cloudflare_custom_ssl.foossl") | |
| rnd := generateRandomResourceName() | |
| resourceName := "cloudflare_custom_ssl." + rnd |
There was a problem hiding this comment.
This will require a couple of flow on updates in this test but ends up being quite a bit more flexible.
There was a problem hiding this comment.
Sounds good. Updated in commit: 8fa7bea
| fmt.Printf("Failed to update custom ssl cert: %s", err) | ||
| } | ||
|
|
||
| resList, reErr := client.ReprioritizeSSL(zoneID, zcsp) |
There was a problem hiding this comment.
Should use partial state mode here: https://www.terraform.io/docs/plugins/provider.html#resource-data
ghost
added
the
kind/documentation
| return fmt.Sprintf(` | ||
| resource "cloudflare_custom_ssl" "%[2]s" { | ||
| zone_id = "%[1]s" | ||
| options = { |
There was a problem hiding this comment.
This is causing a failure for the integration tests
------- Stdout: -------
=== RUN TestAccCloudflareCustomSSL_Basic
=== PAUSE TestAccCloudflareCustomSSL_Basic
=== CONT TestAccCloudflareCustomSSL_Basic
--- FAIL: TestAccCloudflareCustomSSL_Basic (0.02s)
testing.go:568: Step 0 error: config is invalid: Unsupported argument: An argument named "options" is not expected here.
FAIL
| options = { | |
| custom_ssl_options = { |
There was a problem hiding this comment.
Odd that this was not picked up by CI. Good catch! I fixed it.
There was a problem hiding this comment.
We have two types of CI running here and only one hooked up to GitHub 🙁 The unit tests passed but these were making the integration tests fail which run on a different system.
We're looking to see if we can have them both hooked into GitHub but it's a chat with Hashicorp as they own the repositories.
| certificate = "-----BEGIN CERTIFICATE-----\nMIIFWzCCBEOgAwIBAgISAw9GlDw8l9n12rmHAKjwRYtFMA0GCSqGSIb3DQEBCwUA\nMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\nExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA3MTUyMzI1MzZaFw0x\nOTEwMTMyMzI1MzZaMBwxGjAYBgNVBAMTEXRmLnRlc3QuY2ZhcGkubmV0MIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzRS91Cp5T/QmvxB5WoX/BFkf7KPU\noGZM5SpbmU/nKDSG+8H0yNOP2YycxJ1ZlWW6dNsgbBY1Y6XNvBYOUIDklNu56RZT\nGUfUMCQQHlqM04xCb1oZmnwcmqqEy3WxEHQHGNpfARmgD7prDP4XcFsxyLBCBO6U\n7/wbQ1SCP4LOlOi6EgpTYdFIBa8EU6ev0UbaAjXyF411fF4P9KgROonss6SjmSzs\nEro87JV80kMAarTaEenrJMYy+DkS55rEFtAshJ/ov3HvVBzgJl9tiVBxF/+xybM2\nulWR78mIi9byv5WozrdCFKUGxrUbPzrv4C/Zg9ptZMHr2P36thmgl1zAiwIDAQAB\no4ICZzCCAmMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr\nBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSxzSYXcr7fLqOKXxKdX+v4\nWPGuBzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB\nAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw\ndC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw\ndC5vcmcvMBwGA1UdEQQVMBOCEXRmLnRlc3QuY2ZhcGkubmV0MEwGA1UdIARFMEMw\nCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j\ncHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYA4mlL\nribo6UAJ6IYbtjuD1D7n/nSI+6SPKJMBnd3x2/4AAAFr+CucegAABAMARzBFAiEA\n9m+2odMVc4vungmCW10dFce5ot+bVxuRHkk28QoGh/gCIA8BNHm/6yGnUxjzn8J9\n1l3+QlrsZlYe+qS3qApK7EBKAHcAY/Lbzeg7zCzPC3KEJ1drM6SNYXePvXWmOLHH\naFRL2I0AAAFr+CuccgAABAMASDBGAiEAs79AHMEQs95IyfTyMGd2rnk46B/qQwYw\ntKxbFom3aC0CIQCXEXaHnKH21qa6SSFFd996BbY8ZNTAZNna23dIip8UxDANBgkq\nhkiG9w0BAQsFAAOCAQEAW+QluwC2Zxa6WM3bbMAUIAbdUe64nh9H5Ej/GC6niZKZ\nFVQt8nfNcoukmJbjl0YdxZi1QY5eenFg2eYkdy6Loj04Nf8GBEEciWODJaYKbieZ\nzSbVgKL75n7LUfBonavQAjoWIUdW88wL8790QVh0E3vloY3JVCApx0CuQKO0TeaR\nxIcP8QFh3A7EG3T0K5qdfxVTPnf9QLkiYeiXhfbz5EOwCfzA4xYsIDqc86rGFDuh\nFjR5aZV33sGQQFgYAXkHtT58z0sydbXgX4txRnGLQ6n0LlubeiAb0/RhiiHG+VFb\nAK5YZPYP+eod/41MtuKTBEHSrQmODefUZm5VUghJww==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow\nSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT\nGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF\nq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8\nSMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0\nZ8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA\na6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj\n/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T\nAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG\nCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv\nbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k\nc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw\nVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC\nARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz\nMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu\nY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF\nAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo\nuM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/\nwApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu\nX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG\nPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6\nKOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n-----END CERTIFICATE-----\n" | ||
| private_key = "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDNFL3UKnlP9Ca/\nEHlahf8EWR/so9SgZkzlKluZT+coNIb7wfTI04/ZjJzEnVmVZbp02yBsFjVjpc28\nFg5QgOSU27npFlMZR9QwJBAeWozTjEJvWhmafByaqoTLdbEQdAcY2l8BGaAPumsM\n/hdwWzHIsEIE7pTv/BtDVII/gs6U6LoSClNh0UgFrwRTp6/RRtoCNfIXjXV8Xg/0\nqBE6ieyzpKOZLOwSujzslXzSQwBqtNoR6eskxjL4ORLnmsQW0CyEn+i/ce9UHOAm\nX22JUHEX/7HJsza6VZHvyYiL1vK/lajOt0IUpQbGtRs/Ou/gL9mD2m1kwevY/fq2\nGaCXXMCLAgMBAAECggEBAIvvvkQ6o0KiV5oCNLxHOKcP5Y/Ejr7Qb2HkEFLByfqO\nNRku1MgATGTm5MXolIszuhIov6vhT5bqOUNBTY0zFkZY1DevSw6yC6C5yuHbacKk\nL2Tp9xSJ4b7L4gcvDJ4sffdAcpk+khCJZKid7QJ2x7aoRrQ01B4ZScUcsi+CI1JJ\nbkp3LvH+pYfz2/NXGwqsvgxKAIbMTsSv271BWTm0Pr/cQ3AECnKCWnS0/3LNy1SP\nt1xXAuL8vVfkl84RqTYws3cXQBvwo9KobqZFdNvIsGbyIdV4Z8T4KG4QzS2DBFrh\nFzOKBw+uvkBMjJCeBAd1Daha7ylJio+zOvN9j5RGNFkCgYEA7x8FcO4yO6bfTGrd\n/ocbaovSsABHkxmEZb6Ki7EPlQgmrjwmUaNUf/pwoW/RC58d+gHrcBkw8Y9DnUvL\njy9sljKJS+ApS16uILelQ556A0GCYLla5vJ/oDAuJ8kAtxCkPvvdFlHP6GDuODsY\nl6pauLp2VuoOa9IeVs8xlQPiwt0CgYEA246bMyC/gQYIEQj4sIqClUd60mMhjupN\nkbQdMsOjM8sBjf9s3ZIONWXI5UFE/QrdDdMsZBP4xUvX/CgcoXjxsRoIyWFR/vHC\n++o9yKj9XfFP5g41U7eOJj36GiVZ2s/J1qglJ44cFmIBaReGoXopS/ccOTcScDbK\nPOIOArcdFocCgYEAsmhhxeVig1E476oYYaxqTy9tjbVXsa/rMYJdmmYL6zS+r2bf\nbC/Bfw7a9AgaX2JjmkHOaL/S3Zf3aafAg99tVA72ky73gG1u26hJXM8j18QLw6Dn\n6sHpaRophbOZnfyDnx6J0PpPdeDEPB4Tdi07LPKqEqTlB5so2boTE0xn5t0CgYEA\nn9WbSodGoskfSjd7xBmxorccxNiB76bGvZGfx/sAbo4VHaibOlo/mcP1kmAHtycX\nch8Pq/OWIRtrqxgQb8S6PrGzP9dnd+/MgNQwEkpj2OX5woMJc16nT1PDJRGX7mFi\nkLBsC/W6oNjMKhOEYT2rnq/Qjh53f9WDOPtgM73WoTUCgYAnYT8lyRyRVrgm925h\nrzE1uHcK7k6ZgSsIHTy3HLi7GQTzIbAMDmz0ZrTZgyEnrvTSuvHklxreUrBBt1+W\n5HbyCTwlUxkKQcj7QX5IlKe1IpvhSjvplG6bPHvHQWPmnFL4Q0WPRwISWPcoP/Ih\nqHXCFswfipntRh3ghFnACt55xg==\n-----END PRIVATE KEY-----\n" | ||
| bundle_method = "ubiquitous", | ||
| geo_restrictions = { |
There was a problem hiding this comment.
After fixing the issue above, this is now failing with the following error
=== RUN TestAccCloudflareCustomSSL_Basic
=== PAUSE TestAccCloudflareCustomSSL_Basic
=== CONT TestAccCloudflareCustomSSL_Basic
--- FAIL: TestAccCloudflareCustomSSL_Basic (0.02s)
testing.go:568: Step 0 error: config is invalid: Incorrect attribute value type: Inappropriate value for attribute "custom_ssl_options": element "geo_restrictions": string required.
FAIL
FAIL github.com/terraform-providers/terraform-provider-cloudflare/cloudflare 0.050s
We will need to look at getting these fixed before we merge this in.
There was a problem hiding this comment.
Also, the value usd is invalid here. The schema only allows "us", "eu", "highest_security"
There was a problem hiding this comment.
I (and integration tests) are still seeing failures here. It doesn't look like you've addressed the issue with geo_restrictions yet.
|
Are we including origin certificates as part of this PR, or will this need to be a separate resource? Edit: sorry, origin certificates are a discrete resource (API) - so this won't apply |
Implementation of custom ssl resource in terraform.
See v4 library https://github.com/cloudflare/cloudflare-go/blob/master/ssl.go.
Tested with terraform v0.11.0
Create a file
main.tfafter building the plugin withmake fmt && make buildand insert the following:Interpolate the desired variables in the file and run
terraform init && terraform plan. Thenterraform applyto build resource.