Add insecure option as requested in GH-6

consul/config.go

@@ -1,6 +1,7 @@
 package consul
 
 import (
+	"fmt"
 	"log"
 	"net/http"
 	"strings"
@@ -9,14 +10,15 @@ import (
 )
 
 type Config struct {
-	Datacenter string `mapstructure:"datacenter"`
-	Address    string `mapstructure:"address"`
-	Scheme     string `mapstructure:"scheme"`
-	HttpAuth   string `mapstructure:"http_auth"`
-	Token      string `mapstructure:"token"`
-	CAFile     string `mapstructure:"ca_file"`
-	CertFile   string `mapstructure:"cert_file"`
-	KeyFile    string `mapstructure:"key_file"`
+	Datacenter    string `mapstructure:"datacenter"`
+	Address       string `mapstructure:"address"`
+	Scheme        string `mapstructure:"scheme"`
+	HttpAuth      string `mapstructure:"http_auth"`
+	Token         string `mapstructure:"token"`
+	CAFile        string `mapstructure:"ca_file"`
+	CertFile      string `mapstructure:"cert_file"`
+	KeyFile       string `mapstructure:"key_file"`
+	InsecureHttps bool   `mapstructure:"insecure_https"`
 }
 
 // Client() returns a new client for accessing consul.
@@ -37,6 +39,12 @@ func (c *Config) Client() (*consulapi.Client, error) {
 	tlsConfig.CAFile = c.CAFile
 	tlsConfig.CertFile = c.CertFile
 	tlsConfig.KeyFile = c.KeyFile
+	if c.InsecureHttps {
+		if config.Scheme != "https" {
+			return nil, fmt.Errorf("insecure_https is meant to be used when scheme is https")
+		}
+		tlsConfig.InsecureSkipVerify = c.InsecureHttps
+	}
 	cc, err := consulapi.SetupTLSConfig(tlsConfig)
 	if err != nil {
 		return nil, err
@@ -61,8 +69,8 @@ func (c *Config) Client() (*consulapi.Client, error) {
 
 	client, err := consulapi.NewClient(config)
 
-	log.Printf("[INFO] Consul Client configured with address: '%s', scheme: '%s', datacenter: '%s'",
-		config.Address, config.Scheme, config.Datacenter)
+	log.Printf("[INFO] Consul Client configured with address: '%s', scheme: '%s', datacenter: '%s'"+
+		", insecure_https: '%t'", config.Address, config.Scheme, config.Datacenter, tlsConfig.InsecureSkipVerify)
 	if err != nil {
 		return nil, err
 	}

consul/resource_provider.go

@@ -59,6 +59,12 @@ func Provider() terraform.ResourceProvider {
 				DefaultFunc: schema.EnvDefaultFunc("CONSUL_KEY_FILE", ""),
 			},
 
+			"insecure_https": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
 			"token": &schema.Schema{
 				Type:     schema.TypeString,
 				Optional: true,

consul/resource_provider_test.go

@@ -72,6 +72,48 @@ func TestResourceProvider_ConfigureTLS(t *testing.T) {
 	}
 }
 
+func TestResourceProvider_ConfigureTLSInsecureHttps(t *testing.T) {
+	rp := Provider()
+
+	raw := map[string]interface{}{
+		"address":        "demo.consul.io:80",
+		"datacenter":     "nyc3",
+		"scheme":         "https",
+		"insecure_https": true,
+	}
+
+	rawConfig, err := config.NewRawConfig(raw)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	err = rp.Configure(terraform.NewResourceConfig(rawConfig))
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}
+
+func TestResourceProvider_ConfigureTLSInsecureHttpsMismatch(t *testing.T) {
+	rp := Provider()
+
+	raw := map[string]interface{}{
+		"address":        "demo.consul.io:80",
+		"datacenter":     "nyc3",
+		"scheme":         "http",
+		"insecure_https": true,
+	}
+
+	rawConfig, err := config.NewRawConfig(raw)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	err = rp.Configure(terraform.NewResourceConfig(rawConfig))
+	if err == nil {
+		t.Fatal("Provider should error if insecure_https is set but scheme is not https")
+	}
+}
+
 func testAccPreCheck(t *testing.T) {
 	if v := os.Getenv("CONSUL_HTTP_ADDR"); v != "" {
 		return

website/docs/index.html.markdown

@@ -51,3 +51,4 @@ The following arguments are supported:
 * `ca_file` - (Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.
 * `cert_file` - (Optional) A path to a PEM-encoded certificate provided to the remote agent; requires use of `key_file`.
 * `key_file`- (Optional) A path to a PEM-encoded private key, required if `cert_file` is specified.
+* `insecure_https`- (Optional) Boolean value to disable SSL certificate verification; setting this value to true is not recommended for production use. Only use this with scheme set to "https".