From 587582f55311e732c9cc39627bea7e9ea8ff308f Mon Sep 17 00:00:00 2001 From: Nate Faerber Date: Tue, 26 Dec 2017 21:47:51 -0800 Subject: [PATCH 1/3] Add insecure option as requested in terraform-providers/terraform-provider-consul#6 --- consul/config.go | 8 ++++++-- consul/resource_provider.go | 6 ++++++ consul/resource_provider_test.go | 21 +++++++++++++++++++++ website/docs/index.html.markdown | 1 + 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/consul/config.go b/consul/config.go index 99897505..e3d0cf4b 100644 --- a/consul/config.go +++ b/consul/config.go @@ -17,6 +17,7 @@ type Config struct { CAFile string `mapstructure:"ca_file"` CertFile string `mapstructure:"cert_file"` KeyFile string `mapstructure:"key_file"` + Insecure bool `mapstructure:"insecure"` } // Client() returns a new client for accessing consul. @@ -37,6 +38,9 @@ func (c *Config) Client() (*consulapi.Client, error) { tlsConfig.CAFile = c.CAFile tlsConfig.CertFile = c.CertFile tlsConfig.KeyFile = c.KeyFile + if c.Insecure { + tlsConfig.InsecureSkipVerify = c.Insecure + } cc, err := consulapi.SetupTLSConfig(tlsConfig) if err != nil { return nil, err @@ -61,8 +65,8 @@ func (c *Config) Client() (*consulapi.Client, error) { client, err := consulapi.NewClient(config) - log.Printf("[INFO] Consul Client configured with address: '%s', scheme: '%s', datacenter: '%s'", - config.Address, config.Scheme, config.Datacenter) + log.Printf("[INFO] Consul Client configured with address: '%s', scheme: '%s', datacenter: '%s'"+ + ", insecure: '%t'", config.Address, config.Scheme, config.Datacenter, tlsConfig.InsecureSkipVerify) if err != nil { return nil, err } diff --git a/consul/resource_provider.go b/consul/resource_provider.go index dc800e36..b3383af8 100644 --- a/consul/resource_provider.go +++ b/consul/resource_provider.go @@ -59,6 +59,12 @@ func Provider() terraform.ResourceProvider { DefaultFunc: schema.EnvDefaultFunc("CONSUL_KEY_FILE", ""), }, + "insecure": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + "token": &schema.Schema{ Type: schema.TypeString, Optional: true, diff --git a/consul/resource_provider_test.go b/consul/resource_provider_test.go index df8fe1b8..177bea72 100644 --- a/consul/resource_provider_test.go +++ b/consul/resource_provider_test.go @@ -72,6 +72,27 @@ func TestResourceProvider_ConfigureTLS(t *testing.T) { } } +func TestResourceProvider_ConfigureTLSInsecure(t *testing.T) { + rp := Provider() + + raw := map[string]interface{}{ + "address": "demo.consul.io:80", + "datacenter": "nyc3", + "scheme": "https", + "insecure": true, + } + + rawConfig, err := config.NewRawConfig(raw) + if err != nil { + t.Fatalf("err: %s", err) + } + + err = rp.Configure(terraform.NewResourceConfig(rawConfig)) + if err != nil { + t.Fatalf("err: %s", err) + } +} + func testAccPreCheck(t *testing.T) { if v := os.Getenv("CONSUL_HTTP_ADDR"); v != "" { return diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index a03a927c..82be701a 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -51,3 +51,4 @@ The following arguments are supported: * `ca_file` - (Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate. * `cert_file` - (Optional) A path to a PEM-encoded certificate provided to the remote agent; requires use of `key_file`. * `key_file`- (Optional) A path to a PEM-encoded private key, required if `cert_file` is specified. +* `insecure`- (Optional) Boolean value to disable SSL certificate verification; setting this value to true is not recommended for production use. From aeaa811a3552275aa11b1ae1a43ac1a5cdd41966 Mon Sep 17 00:00:00 2001 From: Nate Faerber Date: Sat, 6 Jan 2018 11:04:50 -0800 Subject: [PATCH 2/3] Change to insecure_https to be more clear about usage --- consul/config.go | 28 ++++++++++++++++------------ consul/resource_provider.go | 2 +- consul/resource_provider_test.go | 31 ++++++++++++++++++++++++++----- website/docs/index.html.markdown | 2 +- 4 files changed, 44 insertions(+), 19 deletions(-) diff --git a/consul/config.go b/consul/config.go index e3d0cf4b..4eeb7760 100644 --- a/consul/config.go +++ b/consul/config.go @@ -1,6 +1,7 @@ package consul import ( + "fmt" "log" "net/http" "strings" @@ -9,15 +10,15 @@ import ( ) type Config struct { - Datacenter string `mapstructure:"datacenter"` - Address string `mapstructure:"address"` - Scheme string `mapstructure:"scheme"` - HttpAuth string `mapstructure:"http_auth"` - Token string `mapstructure:"token"` - CAFile string `mapstructure:"ca_file"` - CertFile string `mapstructure:"cert_file"` - KeyFile string `mapstructure:"key_file"` - Insecure bool `mapstructure:"insecure"` + Datacenter string `mapstructure:"datacenter"` + Address string `mapstructure:"address"` + Scheme string `mapstructure:"scheme"` + HttpAuth string `mapstructure:"http_auth"` + Token string `mapstructure:"token"` + CAFile string `mapstructure:"ca_file"` + CertFile string `mapstructure:"cert_file"` + KeyFile string `mapstructure:"key_file"` + InsecureHttps bool `mapstructure:"insecure_https"` } // Client() returns a new client for accessing consul. @@ -38,8 +39,11 @@ func (c *Config) Client() (*consulapi.Client, error) { tlsConfig.CAFile = c.CAFile tlsConfig.CertFile = c.CertFile tlsConfig.KeyFile = c.KeyFile - if c.Insecure { - tlsConfig.InsecureSkipVerify = c.Insecure + if c.InsecureHttps { + if config.Scheme != "https" { + return nil, fmt.Errorf("insecure_https is meant to be used when scheme is https") + } + tlsConfig.InsecureSkipVerify = c.InsecureHttps } cc, err := consulapi.SetupTLSConfig(tlsConfig) if err != nil { @@ -66,7 +70,7 @@ func (c *Config) Client() (*consulapi.Client, error) { client, err := consulapi.NewClient(config) log.Printf("[INFO] Consul Client configured with address: '%s', scheme: '%s', datacenter: '%s'"+ - ", insecure: '%t'", config.Address, config.Scheme, config.Datacenter, tlsConfig.InsecureSkipVerify) + ", insecure_https: '%t'", config.Address, config.Scheme, config.Datacenter, tlsConfig.InsecureSkipVerify) if err != nil { return nil, err } diff --git a/consul/resource_provider.go b/consul/resource_provider.go index b3383af8..2af3a3ce 100644 --- a/consul/resource_provider.go +++ b/consul/resource_provider.go @@ -59,7 +59,7 @@ func Provider() terraform.ResourceProvider { DefaultFunc: schema.EnvDefaultFunc("CONSUL_KEY_FILE", ""), }, - "insecure": &schema.Schema{ + "insecure_https": &schema.Schema{ Type: schema.TypeBool, Optional: true, Default: false, diff --git a/consul/resource_provider_test.go b/consul/resource_provider_test.go index 177bea72..effde72a 100644 --- a/consul/resource_provider_test.go +++ b/consul/resource_provider_test.go @@ -72,14 +72,14 @@ func TestResourceProvider_ConfigureTLS(t *testing.T) { } } -func TestResourceProvider_ConfigureTLSInsecure(t *testing.T) { +func TestResourceProvider_ConfigureTLSInsecureHttps(t *testing.T) { rp := Provider() raw := map[string]interface{}{ - "address": "demo.consul.io:80", - "datacenter": "nyc3", - "scheme": "https", - "insecure": true, + "address": "demo.consul.io:80", + "datacenter": "nyc3", + "scheme": "https", + "insecure_https": true, } rawConfig, err := config.NewRawConfig(raw) @@ -93,6 +93,27 @@ func TestResourceProvider_ConfigureTLSInsecure(t *testing.T) { } } +func TestResourceProvider_ConfigureTLSInsecureHttpsMismatch(t *testing.T) { + rp := Provider() + + raw := map[string]interface{}{ + "address": "demo.consul.io:80", + "datacenter": "nyc3", + "scheme": "http", + "insecure_https": true, + } + + rawConfig, err := config.NewRawConfig(raw) + if err != nil { + t.Fatalf("err: %s", err) + } + + err = rp.Configure(terraform.NewResourceConfig(rawConfig)) + if err == nil { + t.Fatal("Provider should error if insecure_https is set but scheme is not https") + } +} + func testAccPreCheck(t *testing.T) { if v := os.Getenv("CONSUL_HTTP_ADDR"); v != "" { return diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index 82be701a..6f5b0ab9 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -51,4 +51,4 @@ The following arguments are supported: * `ca_file` - (Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate. * `cert_file` - (Optional) A path to a PEM-encoded certificate provided to the remote agent; requires use of `key_file`. * `key_file`- (Optional) A path to a PEM-encoded private key, required if `cert_file` is specified. -* `insecure`- (Optional) Boolean value to disable SSL certificate verification; setting this value to true is not recommended for production use. +* `insecure_https`- (Optional) Boolean value to disable SSL certificate verification; setting this value to true is not recommended for production use. From 440b2aa394de4c29702bdaaa4eaba6e32127f36a Mon Sep 17 00:00:00 2001 From: Nate Faerber Date: Sat, 6 Jan 2018 11:08:41 -0800 Subject: [PATCH 3/3] Add specifics about scheme to docs --- website/docs/index.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index 6f5b0ab9..2227d51c 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -51,4 +51,4 @@ The following arguments are supported: * `ca_file` - (Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate. * `cert_file` - (Optional) A path to a PEM-encoded certificate provided to the remote agent; requires use of `key_file`. * `key_file`- (Optional) A path to a PEM-encoded private key, required if `cert_file` is specified. -* `insecure_https`- (Optional) Boolean value to disable SSL certificate verification; setting this value to true is not recommended for production use. +* `insecure_https`- (Optional) Boolean value to disable SSL certificate verification; setting this value to true is not recommended for production use. Only use this with scheme set to "https".