From 1f3ccfcb953e2ac253ffd90361969601779eaaff Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Wed, 26 Oct 2022 22:52:49 +0200 Subject: [PATCH 01/19] Add `usage_mode` to support short lived private certificates --- .../service/acmpca/certificate_authority.go | 11 ++++ .../acmpca/certificate_authority_test.go | 54 +++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go index 3a1696a0e02..56539693faf 100644 --- a/internal/service/acmpca/certificate_authority.go +++ b/internal/service/acmpca/certificate_authority.go @@ -191,6 +191,12 @@ func ResourceCertificateAuthority() *schema.Resource { Optional: true, Default: true, }, + "usage_mode": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ValidateFunc: validation.StringInSlice(acmpca.CertificateAuthorityUsageMode_Values(), false), + }, "not_after": { Type: schema.TypeString, Computed: true, @@ -332,6 +338,10 @@ func resourceCertificateAuthorityCreate(d *schema.ResourceData, meta interface{} RevocationConfiguration: expandRevocationConfiguration(d.Get("revocation_configuration").([]interface{})), } + if v, ok := d.Get("usage_mode").(string); ok && v != "" { + input.UsageMode = aws.String(v) + } + if len(tags) > 0 { input.Tags = Tags(tags.IgnoreAWS()) } @@ -402,6 +412,7 @@ func resourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{}) } d.Set("enabled", (aws.StringValue(certificateAuthority.Status) != acmpca.CertificateAuthorityStatusDisabled)) + d.Set("usage_mode", aws.StringValue(certificateAuthority.UsageMode)) d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) diff --git a/internal/service/acmpca/certificate_authority_test.go b/internal/service/acmpca/certificate_authority_test.go index 21ef86d5d08..0fb77f9e492 100644 
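Review bot: The new `usage_mode` schema entry in the first hunk carries no `ForceNew: true`, yet the value is only ever sent in `CreateCertificateAuthorityInput` (second hunk) and nothing else in this commit applies it on update, so editing the value in configuration would yield a plan the provider cannot carry out — a perpetual diff at best, or a CA that stays in its original mode while state claims otherwise, which matters because the mode decides whether revocation is expected for the certificates it issues. Unless the update path (outside the hunk) handles it, add `ForceNew: true,` beside `Optional: true,` so a change replaces the CA, with a short comment such as `// usage_mode is fixed at creation; changing it replaces the CA.` The same block is carried forward unchanged when it is moved in PATCH 12, so the fix applies there too. `ResourceCertificateAuthority` begins and ends outside the hunk.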
--- a/internal/service/acmpca/certificate_authority_test.go +++ b/internal/service/acmpca/certificate_authority_test.go @@ -42,6 +42,7 @@ func TestAccACMPCACertificateAuthority_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "certificate_chain", ""), resource.TestCheckResourceAttrSet(resourceName, "certificate_signing_request"), resource.TestCheckResourceAttr(resourceName, "enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "usage_mode", "GENERAL_PURPOSE"), acctest.CheckResourceAttrRFC3339(resourceName, "not_after"), acctest.CheckResourceAttrRFC3339(resourceName, "not_before"), resource.TestCheckResourceAttr(resourceName, "permanent_deletion_time_in_days", "30"), 
@@ -138,6 +139,38 @@ func TestAccACMPCACertificateAuthority_enabledDeprecated(t *testing.T) { }) } +func TestAccACMPCACertificateAuthority_usageMode(t *testing.T) { + var certificateAuthority acmpca.CertificateAuthority + resourceName := "aws_acmpca_certificate_authority.test" + + commonName := acctest.RandomDomainName() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ErrorCheck: acctest.ErrorCheck(t, acmpca.EndpointsID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckCertificateAuthorityDestroy, + Steps: []resource.TestStep{ + { + Config: testAccCertificateAuthorityConfig_usageMode(commonName, acmpca.CertificateAuthorityTypeRoot, "SHORT_LIVED_CERTIFICATE"), + Check: resource.ComposeTestCheckFunc( + acctest.CheckACMPCACertificateAuthorityExists(resourceName, &certificateAuthority), + acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "acm-pca", regexp.MustCompile(`certificate-authority/.+`)), + resource.TestCheckResourceAttr(resourceName, "usage_mode", "SHORT_LIVED_CERTIFICATE"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "permanent_deletion_time_in_days", + }, + }, + }, + }) +} + func TestAccACMPCACertificateAuthority_deleteFromActiveState(t *testing.T) { var certificateAuthority acmpca.CertificateAuthority resourceName := "aws_acmpca_certificate_authority.test" 
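Review bot: The new acceptance test hard-codes `"SHORT_LIVED_CERTIFICATE"` while the neighbouring argument uses the SDK constant `acmpca.CertificateAuthorityTypeRoot`; the generated constant for this value, `acmpca.CertificateAuthorityUsageModeShortLivedCertificate` (same enum family as `CertificateAuthorityUsageMode_Values()`), keeps the test in step with the SDK. The test also exercises only the short-lived value on a root CA; a second step or case that sets `GENERAL_PURPOSE` explicitly would pin the default that the basic test relies on rather than leaving it implicit. Style: `resource.ComposeAggregateTestCheckFunc` is what PATCH 17 switches the data-source tests to, and using it here too keeps the new test consistent.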
@@ -191,6 +224,7 @@ func TestAccACMPCACertificateAuthority_RevocationConfiguration_empty(t *testing. resource.TestCheckResourceAttr(resourceName, "certificate_chain", ""), resource.TestCheckResourceAttrSet(resourceName, "certificate_signing_request"), resource.TestCheckResourceAttr(resourceName, "enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "usage_mode", "GENERAL_PURPOSE"), acctest.CheckResourceAttrRFC3339(resourceName, "not_after"), acctest.CheckResourceAttrRFC3339(resourceName, "not_before"), resource.TestCheckResourceAttr(resourceName, "permanent_deletion_time_in_days", "30"), @@ -743,6 +777,26 @@ resource "aws_acmpca_certificate_authority" "test" { `, enabled, certificateAuthorityType, commonName) } +func testAccCertificateAuthorityConfig_usageMode(commonName, certificateAuthorityType string, usageMode string) string { + return fmt.Sprintf(` +resource "aws_acmpca_certificate_authority" "test" { + enabled = true + usage_mode = %[1]q + permanent_deletion_time_in_days = 7 + type = %[2]q + + certificate_authority_configuration { + key_algorithm = "RSA_4096" + signing_algorithm = "SHA512WITHRSA" + + subject { + common_name = %[3]q + } + } +} +`, usageMode, certificateAuthorityType, commonName) +} + func testAccCertificateAuthorityConfig_root(commonName string) string { return fmt.Sprintf(` resource "aws_acmpca_certificate_authority" "test" { From e4cc74dac6430a7f1085b3ad866ff644abda538e Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Wed, 26 Oct 2022 22:55:07 +0200 Subject: [PATCH 02/19] Create 27496.txt --- .changelog/27496.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/27496.txt diff --git a/.changelog/27496.txt b/.changelog/27496.txt new file mode 100644 index 00000000000..16427e6c95f --- /dev/null +++ b/.changelog/27496.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_acmpca_certificate_authority: Add `usage_mode` to support short-lived certificates +``` 
From 6096e99cf609f3f369369c352d222f94f2593a8a Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Wed, 26 Oct 2022 23:01:21 +0200 Subject: [PATCH 03/19] apply suggested fix from semgrep --- internal/service/acmpca/certificate_authority.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go index 56539693faf..a510a7a23d5 100644 --- a/internal/service/acmpca/certificate_authority.go +++ b/internal/service/acmpca/certificate_authority.go @@ -412,7 +412,7 @@ func resourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{}) } d.Set("enabled", (aws.StringValue(certificateAuthority.Status) != acmpca.CertificateAuthorityStatusDisabled)) - d.Set("usage_mode", aws.StringValue(certificateAuthority.UsageMode)) + d.Set("usage_mode", certificateAuthority.UsageMode) d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) From cfa416fcf9c336dc98a5456491c77c5c9eb3e4ac Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Wed, 26 Oct 2022 23:01:33 +0200 Subject: [PATCH 04/19] add Basic short-lived certificate example to docs --- .../acmpca_certificate_authority.html.markdown | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/website/docs/r/acmpca_certificate_authority.html.markdown b/website/docs/r/acmpca_certificate_authority.html.markdown index f00d92cae6f..48ff1771028 100644 --- a/website/docs/r/acmpca_certificate_authority.html.markdown +++ b/website/docs/r/acmpca_certificate_authority.html.markdown 
@@ -31,6 +31,24 @@ resource "aws_acmpca_certificate_authority" "example" { } ``` +### Basic short-lived certificate + +```terraform +resource "aws_acmpca_certificate_authority" "example" { + usage_mode = "SHORT_LIVED_CERTIFICATE" + certificate_authority_configuration { + key_algorithm = "RSA_4096" + signing_algorithm = "SHA512WITHRSA" + + subject { + common_name = "example.com" + } + } + + permanent_deletion_time_in_days = 7 +} +``` + ### Enable Certificate Revocation List ```terraform From c1a0953f60218e5efb1bc967bed3fe2a6f216ba7 Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Wed, 26 Oct 2022 23:02:02 +0200 Subject: [PATCH 05/19] tabs to spaces --- internal/service/acmpca/certificate_authority_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/acmpca/certificate_authority_test.go b/internal/service/acmpca/certificate_authority_test.go index 0fb77f9e492..f1832d16552 100644 --- a/internal/service/acmpca/certificate_authority_test.go +++ b/internal/service/acmpca/certificate_authority_test.go @@ -781,7 +781,7 @@ func testAccCertificateAuthorityConfig_usageMode(commonName, certificateAuthorit return fmt.Sprintf(` resource "aws_acmpca_certificate_authority" "test" { enabled = true - usage_mode = %[1]q + usage_mode = %[1]q permanent_deletion_time_in_days = 7 type = %[2]q From 9a873ff056ea420613e1a291f8f3f3f958ccde45 Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Wed, 26 Oct 2022 23:02:46 +0200 Subject: [PATCH 06/19] Add `usage_mode` attribute documentation --- website/docs/r/acmpca_certificate_authority.html.markdown | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/website/docs/r/acmpca_certificate_authority.html.markdown b/website/docs/r/acmpca_certificate_authority.html.markdown index 48ff1771028..796416df591 100644 --- a/website/docs/r/acmpca_certificate_authority.html.markdown +++ b/website/docs/r/acmpca_certificate_authority.html.markdown 
@@ -31,7 +31,7 @@ resource "aws_acmpca_certificate_authority" "example" { } ``` -### Basic short-lived certificate +### Short-lived certificate ```terraform resource "aws_acmpca_certificate_authority" "example" { @@ -44,8 +44,6 @@ resource "aws_acmpca_certificate_authority" "example" { common_name = "example.com" } } - - permanent_deletion_time_in_days = 7 } ``` @@ -112,6 +110,7 @@ The following arguments are supported: * `certificate_authority_configuration` - (Required) Nested argument containing algorithms and certificate subject information. Defined below. * `enabled` - (Optional) Whether the certificate authority is enabled or disabled. Defaults to `true`. * `revocation_configuration` - (Optional) Nested argument containing revocation configuration. Defined below. +* `usage_mode` - (Optional) Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to `GENERAL_PURPOSE`. Valid values: `GENERAL_PURPOSE` and `SHORT_LIVED_CERTIFICATE`. * `tags` - (Optional) Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. * `type` - (Optional) Type of the certificate authority. Defaults to `SUBORDINATE`. Valid values: `ROOT` and `SUBORDINATE`. * `permanent_deletion_time_in_days` - (Optional) Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days. From dcecb1b883bc5f44bc846fe6072705fc20147cdb Mon Sep 17 00:00:00 2001 
From: Bruno Schaatsbergen Date: Thu, 27 Oct 2022 01:18:25 +0200 Subject: [PATCH 07/19] add `usage_mode` to data source --- internal/service/acmpca/certificate_authority_data_source.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/internal/service/acmpca/certificate_authority_data_source.go b/internal/service/acmpca/certificate_authority_data_source.go index df30ac83ba1..29c4665c785 100644 --- a/internal/service/acmpca/certificate_authority_data_source.go +++ b/internal/service/acmpca/certificate_authority_data_source.go @@ -34,6 +34,10 @@ func DataSourceCertificateAuthority() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "usage_mode": { + Type: schema.TypeString, + Computed: true, + }, "not_after": { Type: schema.TypeString, Computed: true, @@ -139,6 +143,7 @@ func dataSourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{} certificateAuthority := describeCertificateAuthorityOutput.CertificateAuthority d.Set("arn", certificateAuthority.Arn) + d.Set("usage_mode", certificateAuthority.UsageMode) d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) From 32d752031104e1e3c5698767a525d462dc960771 Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Thu, 27 Oct 2022 01:20:12 +0200 Subject: [PATCH 08/19] Update certificate authority data source tests to include `usage_mode` --- .../service/acmpca/certificate_authority_data_source_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internal/service/acmpca/certificate_authority_data_source_test.go b/internal/service/acmpca/certificate_authority_data_source_test.go index 6190862c75c..bb941bd652a 100644 --- a/internal/service/acmpca/certificate_authority_data_source_test.go +++ b/internal/service/acmpca/certificate_authority_data_source_test.go 
@@ -32,6 +32,7 @@ func TestAccACMPCACertificateAuthorityDataSource_basic(t *testing.T) { resource.TestCheckResourceAttrPair(datasourceName, "certificate", resourceName, "certificate"), resource.TestCheckResourceAttrPair(datasourceName, "certificate_chain", resourceName, "certificate_chain"), resource.TestCheckResourceAttrPair(datasourceName, "certificate_signing_request", resourceName, "certificate_signing_request"), + resource.TestCheckResourceAttrPair(datasourceName, "usage_mode", resourceName, "usage_mode"), resource.TestCheckResourceAttrPair(datasourceName, "not_after", resourceName, "not_after"), resource.TestCheckResourceAttrPair(datasourceName, "not_before", resourceName, "not_before"), resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.#", resourceName, "revocation_configuration.#"), @@ -69,6 +70,7 @@ func TestAccACMPCACertificateAuthorityDataSource_s3ObjectACL(t *testing.T) { resource.TestCheckResourceAttrPair(datasourceName, "certificate", resourceName, "certificate"), resource.TestCheckResourceAttrPair(datasourceName, "certificate_chain", resourceName, "certificate_chain"), resource.TestCheckResourceAttrPair(datasourceName, "certificate_signing_request", resourceName, "certificate_signing_request"), + resource.TestCheckResourceAttrPair(datasourceName, "usage_mode", resourceName, "usage_mode"), resource.TestCheckResourceAttrPair(datasourceName, "not_after", resourceName, "not_after"), resource.TestCheckResourceAttrPair(datasourceName, "not_before", resourceName, "not_before"), resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.#", resourceName, "revocation_configuration.#"), From 581c1e7b8e002a226c423c2490b05cd501dbba62 Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Thu, 27 Oct 2022 01:21:44 +0200 Subject: [PATCH 09/19] Add `usage_mode` to acmpca_certificate_authority data source docs --- website/docs/d/acmpca_certificate_authority.html.markdown | 1 + 1 file changed, 1 insertion(+) 
diff --git a/website/docs/d/acmpca_certificate_authority.html.markdown b/website/docs/d/acmpca_certificate_authority.html.markdown index ab4f244ca21..b58b46873ad 100644 --- a/website/docs/d/acmpca_certificate_authority.html.markdown +++ b/website/docs/d/acmpca_certificate_authority.html.markdown @@ -32,6 +32,7 @@ In addition to all arguments above, the following attributes are exported: * `certificate` - Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported. * `certificate_chain` - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported. * `certificate_signing_request` - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate. +* `usage_mode` - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. * `not_after` - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported. * `not_before` - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported. * `revocation_configuration` - Nested attribute containing revocation configuration. From 91e5f258f7c090aa739e3e9e29caae2431b5b4a5 Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Thu, 27 Oct 2022 01:22:26 +0200 Subject: [PATCH 10/19] Update 27496.txt --- .changelog/27496.txt | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.changelog/27496.txt b/.changelog/27496.txt index 16427e6c95f..268672b667a 100644 
--- a/.changelog/27496.txt +++ b/.changelog/27496.txt @@ -1,3 +1,7 @@ ```release-note:enhancement -resource/aws_acmpca_certificate_authority: Add `usage_mode` to support short-lived certificates +resource/aws_acmpca_certificate_authority: Add `usage_mode` argument to support short-lived certificates +``` + +```release-note:enhancement +data-source/aws_acmpca_certificate_authority: Add `usage_mode` attribute to support short-lived certificates ``` From c2d6883d13eadb7e09df3c55c4a5bd59d8a33131 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 27 Oct 2022 16:17:00 -0400 Subject: [PATCH 11/19] Tweak CHANGELOG entry. --- .changelog/27496.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.changelog/27496.txt b/.changelog/27496.txt index 268672b667a..2fbbfbeb811 100644 --- a/.changelog/27496.txt +++ b/.changelog/27496.txt @@ -1,7 +1,7 @@ ```release-note:enhancement -resource/aws_acmpca_certificate_authority: Add `usage_mode` argument to support short-lived certificates +resource/aws_acmpca_certificate_authority: Add `usage_mode` argument to support [short-lived certificates](https://docs.aws.amazon.com/privateca/latest/userguide/short-lived-certificates.html) ``` ```release-note:enhancement -data-source/aws_acmpca_certificate_authority: Add `usage_mode` attribute to support short-lived certificates +data-source/aws_acmpca_certificate_authority: Add `usage_mode` attribute ``` From 0601c6c644d139e5c03b5141de4c7a0792318fe3 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 27 Oct 2022 16:21:14 -0400 Subject: [PATCH 12/19] r/aws_acmpca_certificate_authority: Alphabetize attributes. --- .../service/acmpca/certificate_authority.go | 33 ++++++++++--------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go index a510a7a23d5..9b5e3159344 100644 --- a/internal/service/acmpca/certificate_authority.go 
+++ b/internal/service/acmpca/certificate_authority.go @@ -30,6 +30,7 @@ func ResourceCertificateAuthority() *schema.Resource { Read: resourceCertificateAuthorityRead, Update: resourceCertificateAuthorityUpdate, Delete: resourceCertificateAuthorityDelete, + Importer: &schema.ResourceImporter{ State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { d.Set( @@ -40,9 +41,11 @@ func ResourceCertificateAuthority() *schema.Resource { return []*schema.ResourceData{d}, nil }, }, + Timeouts: &schema.ResourceTimeout{ Create: schema.DefaultTimeout(1 * time.Minute), }, + MigrateState: resourceCertificateAuthorityMigrateState, SchemaVersion: 1, @@ -191,12 +194,6 @@ func ResourceCertificateAuthority() *schema.Resource { Optional: true, Default: true, }, - "usage_mode": { - Type: schema.TypeString, - Computed: true, - Optional: true, - ValidateFunc: validation.StringInSlice(acmpca.CertificateAuthorityUsageMode_Values(), false), - }, "not_after": { Type: schema.TypeString, Computed: true, @@ -205,6 +202,15 @@ func ResourceCertificateAuthority() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "permanent_deletion_time_in_days": { + Type: schema.TypeInt, + Optional: true, + Default: certificateAuthorityPermanentDeletionTimeInDaysDefault, + ValidateFunc: validation.IntBetween( + certificateAuthorityPermanentDeletionTimeInDaysMin, + certificateAuthorityPermanentDeletionTimeInDaysMax, + ), + }, // https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevocationConfiguration.html "revocation_configuration": { Type: schema.TypeList, 
@@ -299,15 +305,6 @@ func ResourceCertificateAuthority() *schema.Resource { Computed: true, Deprecated: "The reported value of the \"status\" attribute is often inaccurate. Use the resource's \"enabled\" attribute to explicitly set status.", }, - "permanent_deletion_time_in_days": { - Type: schema.TypeInt, - Optional: true, - Default: certificateAuthorityPermanentDeletionTimeInDaysDefault, - ValidateFunc: validation.IntBetween( - certificateAuthorityPermanentDeletionTimeInDaysMin, - certificateAuthorityPermanentDeletionTimeInDaysMax, - ), - }, "tags": tftags.TagsSchema(), "tags_all": tftags.TagsSchemaComputed(), "type": { @@ -320,6 +317,12 @@ func ResourceCertificateAuthority() *schema.Resource { acmpca.CertificateAuthorityTypeSubordinate, }, false), }, + "usage_mode": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ValidateFunc: validation.StringInSlice(acmpca.CertificateAuthorityUsageMode_Values(), false), + }, }, CustomizeDiff: verify.SetTagsDiff, From e890ab90bd44511d36770a5fba81c63d8cf66349 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 27 Oct 2022 16:27:41 -0400 Subject: [PATCH 13/19] r/aws_acmpca_certificate_authority: Use '_Values()' function (#14601). --- .../service/acmpca/certificate_authority.go | 41 ++++++------------- 1 file changed, 13 insertions(+), 28 deletions(-) diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go index 9b5e3159344..ec420963dee 100644 --- a/internal/service/acmpca/certificate_authority.go +++ b/internal/service/acmpca/certificate_authority.go 
@@ -66,28 +66,16 @@ func ResourceCertificateAuthority() *schema.Resource { Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "key_algorithm": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice([]string{ - acmpca.KeyAlgorithmEcPrime256v1, - acmpca.KeyAlgorithmEcSecp384r1, - acmpca.KeyAlgorithmRsa2048, - acmpca.KeyAlgorithmRsa4096, - }, false), + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice(acmpca.KeyAlgorithm_Values(), false), }, "signing_algorithm": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice([]string{ - acmpca.SigningAlgorithmSha256withecdsa, - acmpca.SigningAlgorithmSha256withrsa, - acmpca.SigningAlgorithmSha384withecdsa, - acmpca.SigningAlgorithmSha384withrsa, - acmpca.SigningAlgorithmSha512withecdsa, - acmpca.SigningAlgorithmSha512withrsa, - }, false), + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice(acmpca.SigningAlgorithm_Values(), false), }, // https://docs.aws.amazon.com/privateca/latest/APIReference/API_ASN1Subject.html "subject": { @@ -308,14 +296,11 @@ func ResourceCertificateAuthority() *schema.Resource { "tags": tftags.TagsSchema(), "tags_all": tftags.TagsSchemaComputed(), "type": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Default: acmpca.CertificateAuthorityTypeSubordinate, - ValidateFunc: validation.StringInSlice([]string{ - acmpca.CertificateAuthorityTypeRoot, - acmpca.CertificateAuthorityTypeSubordinate, - }, false), + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Default: acmpca.CertificateAuthorityTypeSubordinate, + ValidateFunc: validation.StringInSlice(acmpca.CertificateAuthorityType_Values(), false), }, "usage_mode": { Type: schema.TypeString, From adc6a9327f146a97a82715dfcb75c9890d50e210 Mon Sep 17 00:00:00 2001 
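Review bot: Replacing the explicit algorithm lists with `acmpca.KeyAlgorithm_Values()` and `acmpca.SigningAlgorithm_Values()` delegates the allow-list to the vendored SDK, so any value a later SDK bump adds — including a weaker or region-specific algorithm — is accepted by the provider without a decision being made here. That is consistent with #14601 and the removed lists appear to match the enum today, but a one-line comment on each `ValidateFunc`, e.g. `// Accepts every algorithm the SDK enumerates; re-check on SDK upgrades.`, records that the delegation is deliberate for the next maintainer. `ResourceCertificateAuthority` begins and ends outside the hunk.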
From: Kit Ewbank Date: Thu, 27 Oct 2022 16:30:30 -0400 Subject: [PATCH 14/19] r/aws_acmpca_certificate_authority: Correct some error messages. --- internal/service/acmpca/certificate_authority.go | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go index ec420963dee..6dcc70ff73b 100644 --- a/internal/service/acmpca/certificate_authority.go +++ b/internal/service/acmpca/certificate_authority.go @@ -326,7 +326,7 @@ func resourceCertificateAuthorityCreate(d *schema.ResourceData, meta interface{} RevocationConfiguration: expandRevocationConfiguration(d.Get("revocation_configuration").([]interface{})), } - if v, ok := d.Get("usage_mode").(string); ok && v != "" { + if v, ok := d.Get("usage_mode").(string); ok { input.UsageMode = aws.String(v) } 
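Review bot: Dropping `v != ""` makes the guard unconditional — `d.Get` on a `TypeString` attribute always yields a string, so `ok` is always true and an unconfigured `usage_mode` now sends `UsageMode: ""` instead of omitting the field; the service would presumably reject the empty enum value, and at minimum the `Computed` default is no longer left to the service. Use the SDK's presence check instead: `if v, ok := d.GetOk("usage_mode"); ok {` followed by `input.UsageMode = aws.String(v.(string))`. `resourceCertificateAuthorityCreate` continues outside the hunk.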
@@ -394,23 +394,19 @@ func resourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{}) } d.Set("arn", certificateAuthority.Arn) - if err := d.Set("certificate_authority_configuration", flattenCertificateAuthorityConfiguration(certificateAuthority.CertificateAuthorityConfiguration)); err != nil { - return fmt.Errorf("setting tags: %s", err) + return fmt.Errorf("setting certificate_authority_configuration: %w", err) } - d.Set("enabled", (aws.StringValue(certificateAuthority.Status) != acmpca.CertificateAuthorityStatusDisabled)) - d.Set("usage_mode", certificateAuthority.UsageMode) d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) - if err := d.Set("revocation_configuration", flattenRevocationConfiguration(certificateAuthority.RevocationConfiguration)); err != nil { - return fmt.Errorf("setting tags: %s", err) + return fmt.Errorf("setting revocation_configuration: %w", err) } - d.Set("serial", certificateAuthority.Serial) d.Set("status", certificateAuthority.Status) d.Set("type", certificateAuthority.Type) + d.Set("usage_mode", certificateAuthority.UsageMode) getCertificateAuthorityCertificateInput := &acmpca.GetCertificateAuthorityCertificateInput{ CertificateAuthorityArn: aws.String(d.Id()), From 73909c3a025eac0c3297b9300eb77a54d3f8841f Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 27 Oct 2022 16:31:34 -0400 Subject: [PATCH 15/19] d/aws_acmpca_certificate_authority: Alphabetize attributes. --- .../service/acmpca/certificate_authority_data_source.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/service/acmpca/certificate_authority_data_source.go b/internal/service/acmpca/certificate_authority_data_source.go index 29c4665c785..70a1839d026 100644 --- a/internal/service/acmpca/certificate_authority_data_source.go +++ b/internal/service/acmpca/certificate_authority_data_source.go 
@@ -34,10 +34,6 @@ func DataSourceCertificateAuthority() *schema.Resource { Type: schema.TypeString, Computed: true, }, - "usage_mode": { - Type: schema.TypeString, - Computed: true, - }, "not_after": { Type: schema.TypeString, Computed: true, @@ -117,6 +113,10 @@ func DataSourceCertificateAuthority() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "usage_mode": { + Type: schema.TypeString, + Computed: true, + }, }, } } From 0dba5e5aaca102d305829f79a113f76e8bc1aa5b Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 27 Oct 2022 16:34:56 -0400 Subject: [PATCH 16/19] d/aws_acmpca_certificate_authority: Correct some error messages. --- .../certificate_authority_data_source.go | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/internal/service/acmpca/certificate_authority_data_source.go b/internal/service/acmpca/certificate_authority_data_source.go index 70a1839d026..4f9eca6b5ae 100644 --- a/internal/service/acmpca/certificate_authority_data_source.go +++ b/internal/service/acmpca/certificate_authority_data_source.go 
@@ -134,26 +134,24 @@ func dataSourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{} describeCertificateAuthorityOutput, err := conn.DescribeCertificateAuthority(describeCertificateAuthorityInput) if err != nil { - return fmt.Errorf("error reading ACM PCA Certificate Authority: %w", err) + return fmt.Errorf("reading ACM PCA Certificate Authority (%s): %w", certificateAuthorityARN, err) } if describeCertificateAuthorityOutput.CertificateAuthority == nil { - return fmt.Errorf("error reading ACM PCA Certificate Authority: not found") + return fmt.Errorf("reading ACM PCA Certificate Authority: not found") } certificateAuthority := describeCertificateAuthorityOutput.CertificateAuthority d.Set("arn", certificateAuthority.Arn) - d.Set("usage_mode", certificateAuthority.UsageMode) d.Set("not_after", aws.TimeValue(certificateAuthority.NotAfter).Format(time.RFC3339)) d.Set("not_before", aws.TimeValue(certificateAuthority.NotBefore).Format(time.RFC3339)) - if err := d.Set("revocation_configuration", flattenRevocationConfiguration(certificateAuthority.RevocationConfiguration)); err != nil { - return fmt.Errorf("error setting tags: %w", err) + return fmt.Errorf("setting revocation_configuration: %w", err) } - d.Set("serial", certificateAuthority.Serial) d.Set("status", certificateAuthority.Status) d.Set("type", certificateAuthority.Type) + d.Set("usage_mode", certificateAuthority.UsageMode) getCertificateAuthorityCertificateInput := &acmpca.GetCertificateAuthorityCertificateInput{ CertificateAuthorityArn: aws.String(certificateAuthorityARN), 
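Review bot: The not-found branch now reads `reading ACM PCA Certificate Authority: not found` while the error branch just above was given the ARN, so a not-found failure in a configuration with several of these data sources cannot be attributed to a specific CA; make it `return fmt.Errorf("reading ACM PCA Certificate Authority (%s): not found", certificateAuthorityARN)` for consistency. `dataSourceCertificateAuthorityRead` begins and ends outside the hunk.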
@@ -166,7 +164,7 @@ func dataSourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{}
 // Returned when in PENDING_CERTIFICATE status
 // InvalidStateException: The certificate authority XXXXX is not in the correct state to have a certificate signing request.
 if !tfawserr.ErrCodeEquals(err, acmpca.ErrCodeInvalidStateException) {
- return fmt.Errorf("error reading ACM PCA Certificate Authority Certificate: %w", err)
+ return fmt.Errorf("reading ACM PCA Certificate Authority Certificate: %w", err)
 }
 }
@@ -185,7 +183,7 @@ func dataSourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{}
 getCertificateAuthorityCsrOutput, err := conn.GetCertificateAuthorityCsr(getCertificateAuthorityCsrInput)
 if err != nil {
- return fmt.Errorf("error reading ACM PCA Certificate Authority Certificate Signing Request: %w", err)
+ return fmt.Errorf("reading ACM PCA Certificate Authority Certificate Signing Request: %w", err)
 }
 d.Set("certificate_signing_request", "")
@@ -196,11 +194,11 @@ func dataSourceCertificateAuthorityRead(d *schema.ResourceData, meta interface{}
 tags, err := ListTags(conn, certificateAuthorityARN)
 if err != nil {
- return fmt.Errorf("error listing tags for ACM PCA Certificate Authority (%s): %w", certificateAuthorityARN, err)
+ return fmt.Errorf("listing tags for ACM PCA Certificate Authority (%s): %w", certificateAuthorityARN, err)
 }
 if err := d.Set("tags", tags.IgnoreAWS().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
- return fmt.Errorf("error setting tags: %w", err)
+ return fmt.Errorf("setting tags: %w", err)
 }
 d.SetId(certificateAuthorityARN)
From 5f4de2167990059353abafeb035e0a6a2a51b57a Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Thu, 27 Oct 2022 16:36:13 -0400
Subject: [PATCH 17/19] d/aws_acmpca_certificate_authority: Use 'ComposeAggregateTestCheckFunc' in acceptance tests.
---
 .../acmpca/certificate_authority_data_source_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/internal/service/acmpca/certificate_authority_data_source_test.go b/internal/service/acmpca/certificate_authority_data_source_test.go
index bb941bd652a..d3a111c79db 100644
--- a/internal/service/acmpca/certificate_authority_data_source_test.go
+++ b/internal/service/acmpca/certificate_authority_data_source_test.go
@@ -27,12 +27,11 @@ func TestAccACMPCACertificateAuthorityDataSource_basic(t *testing.T) {
 },
 {
 Config: testAccCertificateAuthorityDataSourceConfig_arn(commonName),
- Check: resource.ComposeTestCheckFunc(
+ Check: resource.ComposeAggregateTestCheckFunc(
 resource.TestCheckResourceAttrPair(datasourceName, "arn", resourceName, "arn"),
 resource.TestCheckResourceAttrPair(datasourceName, "certificate", resourceName, "certificate"),
 resource.TestCheckResourceAttrPair(datasourceName, "certificate_chain", resourceName, "certificate_chain"),
 resource.TestCheckResourceAttrPair(datasourceName, "certificate_signing_request", resourceName, "certificate_signing_request"),
- resource.TestCheckResourceAttrPair(datasourceName, "usage_mode", resourceName, "usage_mode"),
 resource.TestCheckResourceAttrPair(datasourceName, "not_after", resourceName, "not_after"),
 resource.TestCheckResourceAttrPair(datasourceName, "not_before", resourceName, "not_before"),
 resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.#", resourceName, "revocation_configuration.#"),
@@ -42,6 +41,7 @@ func TestAccACMPCACertificateAuthorityDataSource_basic(t *testing.T) {
 resource.TestCheckResourceAttrPair(datasourceName, "status", resourceName, "status"),
 resource.TestCheckResourceAttrPair(datasourceName, "tags.%", resourceName, "tags.%"),
 resource.TestCheckResourceAttrPair(datasourceName, "type", resourceName, "type"),
+ resource.TestCheckResourceAttrPair(datasourceName, "usage_mode", resourceName, "usage_mode"),
 ),
 },
 },
@@ -65,12 +65,11 @@ func TestAccACMPCACertificateAuthorityDataSource_s3ObjectACL(t *testing.T) {
 },
 {
 Config: testAccCertificateAuthorityDataSourceConfig_s3ObjectACLARN(commonName),
- Check: resource.ComposeTestCheckFunc(
+ Check: resource.ComposeAggregateTestCheckFunc(
 resource.TestCheckResourceAttrPair(datasourceName, "arn", resourceName, "arn"),
 resource.TestCheckResourceAttrPair(datasourceName, "certificate", resourceName, "certificate"),
 resource.TestCheckResourceAttrPair(datasourceName, "certificate_chain", resourceName, "certificate_chain"),
 resource.TestCheckResourceAttrPair(datasourceName, "certificate_signing_request", resourceName, "certificate_signing_request"),
- resource.TestCheckResourceAttrPair(datasourceName, "usage_mode", resourceName, "usage_mode"),
 resource.TestCheckResourceAttrPair(datasourceName, "not_after", resourceName, "not_after"),
 resource.TestCheckResourceAttrPair(datasourceName, "not_before", resourceName, "not_before"),
 resource.TestCheckResourceAttrPair(datasourceName, "revocation_configuration.#", resourceName, "revocation_configuration.#"),
@@ -84,6 +83,7 @@ func TestAccACMPCACertificateAuthorityDataSource_s3ObjectACL(t *testing.T) {
 resource.TestCheckResourceAttrPair(datasourceName, "status", resourceName, "status"),
 resource.TestCheckResourceAttrPair(datasourceName, "tags.%", resourceName, "tags.%"),
 resource.TestCheckResourceAttrPair(datasourceName, "type", resourceName, "type"),
+ resource.TestCheckResourceAttrPair(datasourceName, "usage_mode", resourceName, "usage_mode"),
 ),
 },
 },
From 09b03180424a69bd4dfb9102e34bc37611c3025e Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Thu, 27 Oct 2022 16:38:16 -0400
Subject: [PATCH 18/19] r/aws_acmpca_certificate_authority: Tidy up acceptance tests.
---
 internal/service/acmpca/certificate_authority_test.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/internal/service/acmpca/certificate_authority_test.go b/internal/service/acmpca/certificate_authority_test.go
index f1832d16552..150f234955d 100644
--- a/internal/service/acmpca/certificate_authority_test.go
+++ b/internal/service/acmpca/certificate_authority_test.go
@@ -42,7 +42,6 @@ func TestAccACMPCACertificateAuthority_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "certificate_chain", ""),
 resource.TestCheckResourceAttrSet(resourceName, "certificate_signing_request"),
 resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
- resource.TestCheckResourceAttr(resourceName, "usage_mode", "GENERAL_PURPOSE"),
 acctest.CheckResourceAttrRFC3339(resourceName, "not_after"),
 acctest.CheckResourceAttrRFC3339(resourceName, "not_before"),
 resource.TestCheckResourceAttr(resourceName, "permanent_deletion_time_in_days", "30"),
@@ -53,6 +52,7 @@ func TestAccACMPCACertificateAuthority_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "status", "PENDING_CERTIFICATE"),
 resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
 resource.TestCheckResourceAttr(resourceName, "type", "SUBORDINATE"),
+ resource.TestCheckResourceAttr(resourceName, "usage_mode", "GENERAL_PURPOSE"),
 ),
 },
 {
@@ -155,7 +155,6 @@ func TestAccACMPCACertificateAuthority_usageMode(t *testing.T) {
 Config: testAccCertificateAuthorityConfig_usageMode(commonName, acmpca.CertificateAuthorityTypeRoot, "SHORT_LIVED_CERTIFICATE"),
 Check: resource.ComposeTestCheckFunc(
 acctest.CheckACMPCACertificateAuthorityExists(resourceName, &certificateAuthority),
- acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "acm-pca", regexp.MustCompile(`certificate-authority/.+`)),
 resource.TestCheckResourceAttr(resourceName, "usage_mode", "SHORT_LIVED_CERTIFICATE"),
 ),
 },
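Review bot: The `_usageMode` step in the third hunk still composes its checks with `resource.ComposeTestCheckFunc`, while the data-source tests were moved to `resource.ComposeAggregateTestCheckFunc` in the previous patch of this series; switching this one as well, `Check: resource.ComposeAggregateTestCheckFunc(`, keeps the two files consistent and reports every failing attribute in a single run rather than stopping at the first. With the ARN assertion removed, that step now verifies only existence and `usage_mode`, which reads as a deliberate narrowing but does leave `arn` unasserted for a SHORT_LIVED_CERTIFICATE root CA, so a one-line comment stating the intent would help the next reader. The enclosing test functions start and end outside these hunks.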
@@ -224,7 +223,6 @@ func TestAccACMPCACertificateAuthority_RevocationConfiguration_empty(t *testing.
 resource.TestCheckResourceAttr(resourceName, "certificate_chain", ""),
 resource.TestCheckResourceAttrSet(resourceName, "certificate_signing_request"),
 resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
- resource.TestCheckResourceAttr(resourceName, "usage_mode", "GENERAL_PURPOSE"),
 acctest.CheckResourceAttrRFC3339(resourceName, "not_after"),
 acctest.CheckResourceAttrRFC3339(resourceName, "not_before"),
 resource.TestCheckResourceAttr(resourceName, "permanent_deletion_time_in_days", "30"),
@@ -235,6 +233,7 @@ func TestAccACMPCACertificateAuthority_RevocationConfiguration_empty(t *testing.
 resource.TestCheckResourceAttr(resourceName, "status", "PENDING_CERTIFICATE"),
 resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
 resource.TestCheckResourceAttr(resourceName, "type", "SUBORDINATE"),
+ resource.TestCheckResourceAttr(resourceName, "usage_mode", "GENERAL_PURPOSE"),
 ),
 },
 {
From 6412e245f996a403118c12ffbc27b54a257d3fbf Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Thu, 27 Oct 2022 16:44:16 -0400
Subject: [PATCH 19/19] Fix typo.
---
 internal/service/acmpca/certificate_authority.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/service/acmpca/certificate_authority.go b/internal/service/acmpca/certificate_authority.go
index 6dcc70ff73b..40eaf24b750 100644
--- a/internal/service/acmpca/certificate_authority.go
+++ b/internal/service/acmpca/certificate_authority.go
@@ -326,8 +326,8 @@ func resourceCertificateAuthorityCreate(d *schema.ResourceData, meta interface{}
 RevocationConfiguration: expandRevocationConfiguration(d.Get("revocation_configuration").([]interface{})),
 }
- if v, ok := d.Get("usage_mode").(string); ok {
- input.UsageMode = aws.String(v)
+ if v, ok := d.GetOk("usage_mode"); ok {
+ input.UsageMode = aws.String(v.(string))
 }
 if len(tags) > 0 {
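Review bot: The new `if v, ok := d.GetOk("usage_mode"); ok {` in the last hunk only ever sends the mode at creation, and as far as I recall the UpdateCertificateAuthority API accepts just the status and revocation configuration, so if the resource schema (outside this hunk) does not mark `usage_mode` as `ForceNew`, a later change to the configured value would produce a plan diff that the update path cannot apply; adding `ForceNew: true,` to that schema entry would make the replacement explicit. The subject `Fix typo.` also undersells the change: replacing the zero-value-tolerant `Get(...).(string)` assertion with `GetOk` is a behavioural fix, since it now omits `UsageMode` from the request when the attribute is unset and lets the service apply its default, which is worth a one-line comment above the `if`. resourceCertificateAuthorityCreate starts and ends outside this hunk.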