feat: revert use of SystemCertPool() it doesn't seem like the right t…

…hing to do since the driver should use the system root cas by default anyway
petoju · Nov 21, 2024 · 5f4c2f8 · 5f4c2f8
1 parent aa51a73
commit 5f4c2f8
Showing 1 changed file with 27 additions and 26 deletions.
diff --git a/mysql/provider.go b/mysql/provider.go
@@ -137,23 +137,24 @@ func Provider() *schema.Provider {
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"config_key": {
-							Type:     schema.TypeString,
-							Default:  "custom",
-							Optional: true,
+							Type:        schema.TypeString,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CONFIG_KEY", "custom"),
 						},
 						"ca_cert": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:        schema.TypeString,
+							Required:    true,
+							DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CA_CERT", nil),
 						},
 						"client_cert": {
-							Type:     schema.TypeString,
-							Default:  "",
-							Optional: true,
+							Type:        schema.TypeString,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CLIENT_CERT", ""),
 						},
 						"client_key": {
-							Type:     schema.TypeString,
-							Default:  "",
-							Optional: true,
+							Type:        schema.TypeString,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CLIENT_KEY", ""),
 						},
 					},
 				},
@@ -331,11 +332,12 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 	var privateIp = d.Get("private_ip").(bool)
 	var tlsConfig = d.Get("tls").(string)
 	var tlsConfigStruct *tls.Config
+	configKey := "default"
 
 	customTLSMap := d.Get("custom_tls").([]interface{})
 	if len(customTLSMap) > 0 {
+		log.Printf("[DEBUG] Using custom TLS config")
 		var customTLS CustomTLS
-		var rootCertPool *x509.CertPool
 		customMap := customTLSMap[0].(map[string]interface{})
 		customTLSJson, err := json.Marshal(customMap)
 		if err != nil {
@@ -347,6 +349,13 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 			return nil, diag.Errorf("failed to unmarshal tls config %v with error %v", customTLSJson, err)
 		}
 
+		// Update the configKey if it is set
+		if customTLS.ConfigKey != "" {
+			configKey = customTLS.ConfigKey
+		}
+
+		tlsConfigStruct = &tls.Config{}
+
 		var pem []byte
 		if customTLS.CACert != "" {
 			log.Printf("[DEBUG] Using custom CA cert")
@@ -362,21 +371,12 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 			if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
 				return nil, diag.Errorf("failed to append pem: %v", pem)
 			}
-		} else {
-			// Use system cert pool as fallback
-			rootCertPool, err = x509.SystemCertPool()
-			if err != nil {
-				return nil, diag.Errorf("failed to get system cert pool: %v", err)
-			}
-		}
-
-		tlsConfigStruct = &tls.Config{
-			RootCAs: rootCertPool,
+			tlsConfigStruct.RootCAs = rootCertPool
 		}
 
-		var cert tls.Certificate
-
 		if customTLS.ClientCert != "" && customTLS.ClientKey != "" {
+			log.Printf("[DEBUG] Using custom ClientCert & ClientKey")
+			var cert tls.Certificate
 			if strings.HasPrefix(customTLS.ClientCert, "-----BEGIN") {
 				cert, err = tls.X509KeyPair([]byte(customTLS.ClientCert), []byte(customTLS.ClientKey))
 			} else {
@@ -388,11 +388,12 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 			tlsConfigStruct.Certificates = []tls.Certificate{cert}
 		}
 
-		err = mysql.RegisterTLSConfig(customTLS.ConfigKey, tlsConfigStruct)
+		// Register the config
+		err = mysql.RegisterTLSConfig(configKey, tlsConfigStruct)
 		if err != nil {
 			return nil, diag.Errorf("failed registering TLS config: %v", err)
 		}
-		tlsConfig = customTLS.ConfigKey
+		tlsConfig = configKey
 	}
 
 	proto := "tcp"