Add TLSCLientCert and TLSClientKey options for splunk logging

[kellymclaughlin]

Add support for the TLSClientCert and TLSClientKey options.

Follows from this go-fastly PR.

Testing

I ran the splunk tests to verify the change and I will defer the full suite run until after code review.

13:55:02:terraform-provider-fastly(splunk-tls-options) $ env TF_ACC=1 make testacc TESTARGS='-v -run=[Ss]plunk'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -v -run=[Ss]plunk -timeout 360m -ldflags="-X=github.com/fastly/terraform-provider-fastly/version.ProviderVersion=acc"
?   	github.com/fastly/terraform-provider-fastly	[no test files]
=== RUN   TestResourceFastlyFlattenSplunk
--- PASS: TestResourceFastlyFlattenSplunk (0.14s)
=== RUN   TestAccFastlyServiceV1_splunk_basic
--- PASS: TestAccFastlyServiceV1_splunk_basic (88.55s)
=== RUN   TestAccFastlyServiceV1_splunk_basic_compute
--- PASS: TestAccFastlyServiceV1_splunk_basic_compute (41.56s)
=== RUN   TestAccFastlyServiceV1_splunk_default
--- PASS: TestAccFastlyServiceV1_splunk_default (42.82s)
=== RUN   TestAccFastlyServiceV1_splunk_complete
--- PASS: TestAccFastlyServiceV1_splunk_complete (87.56s)
=== RUN   TestAccFastlyServiceV1_splunk_env
--- PASS: TestAccFastlyServiceV1_splunk_env (42.17s)
PASS
ok  	github.com/fastly/terraform-provider-fastly/fastly	302.819s
?   	github.com/fastly/terraform-provider-fastly/scripts/website	[no test files]
?   	github.com/fastly/terraform-provider-fastly/version	[no test files]

[Integralist]

@kellymclaughlin Left one comment but other LGTM.

[Integralist]

Have approved, but before merging I'll await clarification to my question re: using the same cert value for both tls_ca_cert and tls_client_cert.

[Integralist]

Thanks @kellymclaughlin this LGTM 👍🏻

NOTE: I applied a bunch of typo suggestions.

So yes, please if you could run a full test suite, and then I can get this merged.

[Integralist]

@kellymclaughlin maybe run make website-test locally to see if it's erroring there https://github.com/fastly/terraform-provider-fastly/pull/353/checks?check_run_id=1741107919

[kellymclaughlin]

@kellymclaughlin maybe run make website-test locally to see if it's erroring there https://github.com/fastly/terraform-provider-fastly/pull/353/checks?check_run_id=1741107919

@Integralist I see the same errors locally as reported in the CI output:

make[1]: *** No rule to make target 'website-provider-test'.  Stop.
make[1]: Entering directory '/home/runner/work/terraform-provider-fastly/terraform-provider-fastly/go/src/github.com/hashicorp/terraform-website'
make: *** [website-test] Error 2
make[1]: Leaving directory '/home/runner/work/terraform-provider-fastly/terraform-provider-fastly/go/src/github.com/hashicorp/terraform-website'
GNUmakefile:68: recipe for target 'website-test' failed

I pulled the latest master branch changes and rebased my local copy of the branch and still seems to be an issue with that Makefile target.

Edit: I tried the website-test Makefile target on the master branch and I see the same errors there.

[Integralist]

@kellymclaughlin OK so just started to look into this and I discovered the makefile target we try to call no longer exists in the terraform repo: hashicorp/terraform-website#1592 << this PR 5 days ago deleted it 🤷🏻 maybe @phamann knows off the top of his head of differences between website-provider and website-provider-test, otherwise I'll dig into the PR and see if I can figure out why it was deemed no longer needed.

[freeformz]

hashicorp/terraform-website#1592 moved most of the logic to a script (content/scripts/check-incoming-links.sh)

[Integralist]

@kellymclaughlin can you rebase master please. I've removed the website CI job for now (next week I'll be looking at adding it back but with a different implementation: see this PR for some context).

[Integralist]

@kellymclaughlin also once you've pulled latest master you should find Go-Fastly has been bumped to 3.0.0

One last request, could you run make generate-docs as well to see if there's any documentation changes that are generated.

Thanks!

[kellymclaughlin]

@Integralist I did the rebase. Here is the output I see from running make generate-docs and the subsequent git status output:

17:03:00:terraform-provider-fastly(splunk-tls-options) $ make generate-docs
go run scripts/generate-docs.go
2021/01/29 17:03:04 
exit status 1
make: *** [GNUmakefile:56: generate-docs] Error 1

17:03:04:terraform-provider-fastly(splunk-tls-options *) $ gs
On branch splunk-tls-options
Your branch is up to date with 'origin/splunk-tls-options'.

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   templates/data-sources/ip_ranges.md.tmpl
	modified:   templates/data-sources/waf_rules.md.tmpl
	deleted:    templates/resources/arguments/package.md.tmpl
	deleted:    templates/resources/components/footer.md.tmpl
	modified:   templates/resources/service_acl_entries_v1.md.tmpl
	modified:   templates/resources/service_compute.md.tmpl
	modified:   templates/resources/service_dictionary_items_v1.md.tmpl
	modified:   templates/resources/service_dynamic_snippet_content_v1.md.tmpl
	modified:   templates/resources/service_v1.md.tmpl
	modified:   templates/resources/service_waf_configuration.md.tmpl
	modified:   templates/resources/user_v1.md.tmpl

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	templates-backup/

[Integralist]

Thanks @kellymclaughlin I'm going to pull your branch today and run the make target to see if I get a similar error (and if so I'll try and identify the cause).

[Integralist]

@kellymclaughlin interesting. When running make generate-docs I didn't get the error output you did. What OS are you running?

Also, could you share the actual diff output so I can see what modifications were made to your local git 'staging area', as from the output you provided after running git status suggests a whole bunch of template files were modified!

When I run the generate-docs target I see:

$ make generate-docs
go run scripts/generate-docs.go

$ git status
On branch splunk-tls-options
Your branch is up to date with 'origin/splunk-tls-options'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   docs/resources/service_compute.md
        modified:   docs/resources/service_v1.md

no changes added to commit (use "git add" and/or "git commit -a")

$ git diff
diff --git a/docs/resources/service_compute.md b/docs/resources/service_compute.md
index 60f6b2c..a47fdc0 100644
--- a/docs/resources/service_compute.md
+++ b/docs/resources/service_compute.md
@@ -588,6 +588,8 @@ Required:
 Optional:

 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication

diff --git a/docs/resources/service_v1.md b/docs/resources/service_v1.md
index 528caa4..cbca37a 100644
--- a/docs/resources/service_v1.md
+++ b/docs/resources/service_v1.md
@@ -1044,6 +1044,8 @@ Optional:
 - **placement** (String) Where in the generated VCL the logging call should be placed
 - **response_condition** (String) The name of the condition to apply
 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication

[kellymclaughlin]

@Integralist Alrighty, I've figured out the issue with generate-docs. I didn't have a required binary called tfplugindocs installed and that was causing the error. Now with that installed here's what I get from running generate-docs:

10:54:47:terraform-provider-fastly(splunk-tls-options) $ make generate-docs
go run scripts/generate-docs.go
10:55:11:terraform-provider-fastly(splunk-tls-options *) $ echo $?
0
10:55:27:terraform-provider-fastly(splunk-tls-options *) $ git status
On branch splunk-tls-options
Your branch is up to date with 'origin/splunk-tls-options'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   docs/data-sources/ip_ranges.md
	modified:   docs/data-sources/waf_rules.md
	modified:   docs/resources/service_acl_entries_v1.md
	modified:   docs/resources/service_compute.md
	modified:   docs/resources/service_v1.md
	modified:   docs/resources/service_waf_configuration.md

no changes added to commit (use "git add" and/or "git commit -a")
10:55:29:terraform-provider-fastly(splunk-tls-options *) $ git diff docs/
diff --git a/docs/data-sources/ip_ranges.md b/docs/data-sources/ip_ranges.md
index d31926a..ef8b212 100644
--- a/docs/data-sources/ip_ranges.md
+++ b/docs/data-sources/ip_ranges.md
@@ -36,7 +36,7 @@ resource "aws_security_group" "from_fastly" {
 
 - **id** (String) The ID of this resource.
 
-### Read-only
+### Read-Only
 
 - **cidr_blocks** (List of String) The lexically ordered list of ipv4 CIDR blocks.
 - **ipv6_cidr_blocks** (List of String) The lexically ordered list of ipv6 CIDR blocks.
diff --git a/docs/data-sources/waf_rules.md b/docs/data-sources/waf_rules.md
index 2a8765c..2661647 100644
--- a/docs/data-sources/waf_rules.md
+++ b/docs/data-sources/waf_rules.md
@@ -159,14 +159,14 @@ The `rules` block supports:
 - **publishers** (List of String) A list of publishers to be used as filters for the data set.
 - **tags** (List of String) A list of tags to be used as filters for the data set.
 
-### Read-only
+### Read-Only
 
 - **rules** (List of Object) The list of rules that results from any given combination of filters. (see [below for nested schema](#nestedatt--rules))
 
 <a id="nestedatt--rules"></a>
 ### Nested Schema for `rules`
 
-Read-only:
+Read-Only:
 
 - **latest_revision_number** (Number)
 - **modsec_rule_id** (Number)
diff --git a/docs/resources/service_acl_entries_v1.md b/docs/resources/service_acl_entries_v1.md
index 5327679..8d461c7 100644
--- a/docs/resources/service_acl_entries_v1.md
+++ b/docs/resources/service_acl_entries_v1.md
@@ -246,6 +246,6 @@ Optional:
 - **negated** (Boolean) A boolean that will negate the match if true
 - **subnet** (String) An optional subnet mask applied to the IP address
 
-Read-only:
+Read-Only:
 
 - **id** (String) The ID of this resource.
diff --git a/docs/resources/service_compute.md b/docs/resources/service_compute.md
index 60f6b2c..43dbb46 100644
--- a/docs/resources/service_compute.md
+++ b/docs/resources/service_compute.md
@@ -110,7 +110,7 @@ $ terraform import fastly_service_compute.demo xxxxxxxxxxxxxxxxxxxx
 - **syslog** (Block Set) (see [below for nested schema](#nestedblock--syslog))
 - **version_comment** (String) Description field for the version
 
-### Read-only
+### Read-Only
 
 - **active_version** (Number) The currently active version of your Fastly Service
 - **cloned_version** (Number) The latest cloned version by the provider. The value gets only set after running `terraform apply`
@@ -588,6 +588,8 @@ Required:
 Optional:
 
 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication
 
diff --git a/docs/resources/service_v1.md b/docs/resources/service_v1.md
index 528caa4..72c13b7 100644
--- a/docs/resources/service_v1.md
+++ b/docs/resources/service_v1.md
@@ -282,7 +282,7 @@ $ terraform import fastly_service_v1.demo xxxxxxxxxxxxxxxxxxxx
 - **version_comment** (String) Description field for the version
 - **waf** (Block List, Max: 1) (see [below for nested schema](#nestedblock--waf))
 
-### Read-only
+### Read-Only
 
 - **active_version** (Number) The currently active version of your Fastly Service
 - **cloned_version** (Number) The latest cloned version by the provider. The value gets only set after running `terraform apply`
@@ -306,7 +306,7 @@ Required:
 
 - **name** (String) A unique name to identify this ACL
 
-Read-only:
+Read-Only:
 
 - **acl_id** (String) The ID of the ACL
 
@@ -430,7 +430,7 @@ Optional:
 
 - **write_only** (Boolean) If `true`, the dictionary is a private dictionary, and items are not readable in the UI or via API. Default is `false`. It is important to note that changing this attribute will delete and recreate the dictionary, discard the current items in the dictionary. Using a write-only/private dictionary should only be done if the items are managed outside of Terraform
 
-Read-only:
+Read-Only:
 
 - **dictionary_id** (String) The ID of the dictionary
 
@@ -465,7 +465,7 @@ Optional:
 
 - **priority** (Number) Priority determines the ordering for multiple snippets. Lower numbers execute first. Defaults to `100`
 
-Read-only:
+Read-Only:
 
 - **snippet_id** (String) The ID of the dynamic snippet
 
@@ -1044,6 +1044,8 @@ Optional:
 - **placement** (String) Where in the generated VCL the logging call should be placed
 - **response_condition** (String) The name of the condition to apply
 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication
 
@@ -1114,6 +1116,6 @@ Optional:
 - **disabled** (Boolean) A flag used to completely disable a Web Application Firewall. This is intended to only be used in an emergency
 - **prefetch_condition** (String) The `condition` to determine which requests will be run past your Fastly WAF. This `condition` must be of type `PREFETCH`. For detailed information about Conditionals, see [Fastly's Documentation on Conditionals](https://docs.fastly.com/en/guides/using-conditions)
 
-Read-only:
+Read-Only:
 
 - **waf_id** (String) The ID of the WAF
diff --git a/docs/resources/service_waf_configuration.md b/docs/resources/service_waf_configuration.md
index f8eba9f..77ef7d0 100644
--- a/docs/resources/service_waf_configuration.md
+++ b/docs/resources/service_waf_configuration.md
@@ -638,6 +638,6 @@ Optional:
 
 - **modsec_rule_ids** (Set of Number) Set of modsecurity IDs to be excluded. No rules should be provided when `exclusion_type` is `waf`. The rules need to be configured on the Web Application Firewall to be excluded
 
-Read-only:
+Read-Only:
 
 - **number** (Number) The numeric ID assigned to the WAF Rule Exclusion
(END)
-Read-only:
+Read-Only:
 
 - **acl_id** (String) The ID of the ACL
 
@@ -430,7 +430,7 @@ Optional:
 
 - **write_only** (Boolean) If `true`, the dictionary is a private dictionary, and items are not readable in the UI or via API. Default is `false`. It is important to note that changing this attribute will delete and recreate the dictionary, discard the current items in the dictionary. Using a write-only/private dictionary should only be done if the items are managed outside of Terraform
 
-Read-only:
+Read-Only:
 
 - **dictionary_id** (String) The ID of the dictionary
 
@@ -465,7 +465,7 @@ Optional:
 
 - **priority** (Number) Priority determines the ordering for multiple snippets. Lower numbers execute first. Defaults to `100`
 
-Read-only:
+Read-Only:
 
 - **snippet_id** (String) The ID of the dynamic snippet
 
@@ -1044,6 +1044,8 @@ Optional:
 - **placement** (String) Where in the generated VCL the logging call should be placed
 - **response_condition** (String) The name of the condition to apply
 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication
 
@@ -1114,6 +1116,6 @@ Optional:
 - **disabled** (Boolean) A flag used to completely disable a Web Application Firewall. This is intended to only be used in an emergency
 - **prefetch_condition** (String) The `condition` to determine which requests will be run past your Fastly WAF. This `condition` must be of type `PREFETCH`. For detailed information about Conditionals, see [Fastly's Documentation on Conditionals](https://docs.fastly.com/en/guides/using-conditions)
 
-Read-only:
+Read-Only:
 
 - **waf_id** (String) The ID of the WAF
diff --git a/docs/resources/service_waf_configuration.md b/docs/resources/service_waf_configuration.md
index f8eba9f..77ef7d0 100644
--- a/docs/resources/service_waf_configuration.md
+++ b/docs/resources/service_waf_configuration.md
@@ -638,6 +638,6 @@ Optional:
 
 - **modsec_rule_ids** (Set of Number) Set of modsecurity IDs to be excluded. No rules should be provided when `exclusion_type` is `waf`. The rules need to be configured on the Web Application Firewall to be excluded
 
-Read-only:
+Read-Only:
 
 - **number** (Number) The numeric ID assigned to the WAF Rule Exclusion

[Integralist]

Nice! Thanks @kellymclaughlin -- interesting you got a case sensitivity change 🤔 wonder if that's a newer version to the tfplugindocs tool I was using to generate the docs?

We should get those documentation changes committed because when we cut a new terraform release, there is a webhook on this repo that will attempt to publish the updated documentation to the terraform registry.

Ps, I'm trying to add a new CI workflow for checking if docs need to be regenerated (rather than devs having to remember to run make generate-docs every time they open a PR). #362 (it's failing at the moment 🙂 but just wanted to make you aware that I was working on it).

[kellymclaughlin]

I did grab the latest version of tfplugindocs which looks to be just released a few days hours ago so you're probably right about the case changes.

tfplugindocs Version 0.4.0 from commit b7abf704f51e7356251d59bceb27d4973d78bee4

[Integralist]

@kellymclaughlin can you rebase master one more time please as we have updated the code for generating the documentation (such that we should hopefully ensure we're all using the same version -- you'll need to manually uninstall tfplugindocs and then run make generate-docs which will install tfplugindocs for you before generating the docs). We also created a new CI workflow which should then show up in this PR and will hopefully not error if the latest committed documentation is up-to-date with the code when CI runs.

[kellymclaughlin]

@kellymclaughlin can you rebase master one more time please as we have updated the code for generating the documentation (such that we should hopefully ensure we're all using the same version -- you'll need to manually uninstall tfplugindocs and then run make generate-docs which will install tfplugindocs for you before generating the docs). We also created a new CI workflow which should then show up in this PR and will hopefully not error if the latest committed documentation is up-to-date with the code when CI runs.

All done and looks like the CI checks are all happy.

[Integralist]

All done and looks like the CI checks are all happy.

🎉 🎉 🎉