From a74249c97d776a620f5792f9d77b1d35ce660b94 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sun, 31 Dec 2017 15:36:15 +0100 Subject: [PATCH 01/30] Add basic aws_acm_certificate resource --- aws/provider.go | 1 + aws/resource_aws_acm_certificate.go | 190 +++++++++++++++++++++++ aws/resource_aws_acm_certificate_test.go | 130 ++++++++++++++++ 3 files changed, 321 insertions(+) create mode 100644 aws/resource_aws_acm_certificate.go create mode 100644 aws/resource_aws_acm_certificate_test.go diff --git a/aws/provider.go b/aws/provider.go index e4c80bfccebf..28620f857175 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -237,6 +237,7 @@ func Provider() terraform.ResourceProvider { }, ResourcesMap: map[string]*schema.Resource{ + "aws_acm_certificate": resourceAwsAcmCertificate(), "aws_ami": resourceAwsAmi(), "aws_ami_copy": resourceAwsAmiCopy(), "aws_ami_from_instance": resourceAwsAmiFromInstance(), diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go new file mode 100644 index 000000000000..0afc0a058cef --- /dev/null +++ b/aws/resource_aws_acm_certificate.go @@ -0,0 +1,190 @@ +package aws + +import ( + "fmt" + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" + "log" + "time" +) + +func resourceAwsAcmCertificate() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsAcmCertificateCreate, + Read: resourceAwsAcmCertificateRead, + Delete: resourceAwsAcmCertificateDelete, + + Schema: map[string]*schema.Schema{ + "domain_name": &schema.Schema{ + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + + "subject_alternative_names": &schema.Schema{ + Type: schema.TypeList, + Optional: true, + ForceNew: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "validation_method": &schema.Schema{ + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "certificate_arn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + ForceNew: true, + }, + "domain_validation_options": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "domain_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + "resource_record_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + "resource_record_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + "resource_record_value": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + }, + }, + }, + }, + } +} + +func resourceAwsAcmCertificateCreate(d *schema.ResourceData, meta interface{}) error { + acmconn := meta.(*AWSClient).acmconn + params := &acm.RequestCertificateInput{ + DomainName: aws.String(d.Get("domain_name").(string)), + ValidationMethod: aws.String("DNS"), + } + + // TODO: check that validation method is DNS, nothing else supported at the moment + + sans, ok := d.GetOk("subject_alternative_names") + if ok { + sanStrings := sans.([]interface{}) + params.SubjectAlternativeNames = expandStringList(sanStrings) + } + + log.Printf("[DEBUG] ACM Certificate Request: %#v", params) + resp, err := acmconn.RequestCertificate(params) + + if err != nil { + return fmt.Errorf("Error requesting certificate: %s", err) + } + + d.SetId(*resp.CertificateArn) + d.Set("certificate_arn", *resp.CertificateArn) + + return resourceAwsAcmCertificateRead(d, meta) +} + +func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) error { + acmconn := meta.(*AWSClient).acmconn + + params := &acm.DescribeCertificateInput{ + CertificateArn: aws.String(d.Id()), + } + + return resource.Retry(time.Duration(1)*time.Minute, func() *resource.RetryError { + resp, err := acmconn.DescribeCertificate(params) + + if err != nil { + return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) + } + + if err := d.Set("domain_name", resp.Certificate.DomainName); err != nil { + return resource.NonRetryableError(err) + } + if err := d.Set("subject_alternative_names", cleanUpSubjectAlternativeNames(resp.Certificate)); err != nil { + return resource.NonRetryableError(err) + } + + domainValidationOptions, err := convertDomainValidationOptions(resp.Certificate.DomainValidationOptions) + + if err != nil { + return resource.RetryableError(err) + } + + if err := d.Set("domain_validation_options", domainValidationOptions); err != nil { + return resource.NonRetryableError(err) + } + + return nil + }) + +} + +func cleanUpSubjectAlternativeNames(cert *acm.CertificateDetail) []string { + sans := cert.SubjectAlternativeNames + vs := make([]string, 0, len(sans)-1) + for _, v := range sans { + if *v != *cert.DomainName { + vs = append(vs, *v) + } + } + return vs + +} + +func convertDomainValidationOptions(validations []*acm.DomainValidation) ([]map[string]interface{}, error) { + result := make([]map[string]interface{}, 0, len(validations)) + + for _, o := range validations { + validationOption := make(map[string]interface{}) + validationOption["domain_name"] = *o.DomainName + if o.ResourceRecord != nil { + validationOption["resource_record_name"] = *o.ResourceRecord.Name + validationOption["resource_record_type"] = *o.ResourceRecord.Type + validationOption["resource_record_value"] = *o.ResourceRecord.Value + } else { + log.Printf("[DEBUG] No resource record found in validation options, need to retry: %#v", o) + return nil, fmt.Errorf("No resource record found in DNS DomainValidationOptions: %v", o) + } + + result = append(result, validationOption) + } + + return result, nil +} + +func resourceAwsAcmCertificateDelete(d *schema.ResourceData, meta interface{}) error { + acmconn := meta.(*AWSClient).acmconn + + if err := resourceAwsAcmCertificateRead(d, meta); err != nil { + return err + } + if d.Id() == "" { + // This might happen from the read + return nil + } + + params := &acm.DeleteCertificateInput{ + CertificateArn: aws.String(d.Id()), + } + + _, err := acmconn.DeleteCertificate(params) + + if err != nil { + return fmt.Errorf("Error deleting certificate: %s", err) + } + + d.SetId("") + return nil +} diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go new file mode 100644 index 000000000000..888b0af44eb6 --- /dev/null +++ b/aws/resource_aws_acm_certificate_test.go @@ -0,0 +1,130 @@ +package aws + +import ( + "fmt" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" +) + +func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { + var conf acm.DescribeCertificateOutput + + domain := "certtest.sandbox.sellmayr.net" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAcmCertificateDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccAcmCertificateConfig(domain), + Check: resource.ComposeTestCheckFunc( + testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf), + testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, "PENDING_VALIDATION"), + ), + }, + }, + }) +} + +func testAccAcmCertificateConfig(domain string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "cert" { + domain_name = "%s" + validation_method = "DNS" +} +`, domain) +} + +func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutput) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No id is set") + } + + if rs.Primary.Attributes["certificate_arn"] == "" { + return fmt.Errorf("No certificate_arn is set") + } + + if rs.Primary.Attributes["certificate_arn"] != rs.Primary.ID { + return fmt.Errorf("No certificate_arn and ID are different: %s %s", rs.Primary.Attributes["certificate_arn"], rs.Primary.ID) + } + + acmconn := testAccProvider.Meta().(*AWSClient).acmconn + + resp, err := acmconn.DescribeCertificate(&acm.DescribeCertificateInput{ + CertificateArn: aws.String(rs.Primary.Attributes["certificate_arn"]), + }) + + if err != nil { + return err + } + + *res = *resp + + return nil + } +} + +func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificateOutput, domain string, status string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + attrs := rs.Primary.Attributes + + if *cert.Certificate.DomainName != domain { + return fmt.Errorf("Domain name is %s but expected %s", *cert.Certificate.DomainName, domain) + } + if *cert.Certificate.Status != status { + return fmt.Errorf("Status is %s but expected %s", *cert.Certificate.Status, status) + } + if attrs["domain_name"] != domain { + return fmt.Errorf("Domain name in state is %s but expected %s", attrs["domain_name"], domain) + } + + // TODO: check other attributes? + + return nil + } +} + +func testAccCheckAcmCertificateDestroy(s *terraform.State) error { + acmconn := testAccProvider.Meta().(*AWSClient).acmconn + + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_acm_certificate" { + continue + } + _, err := acmconn.DescribeCertificate(&acm.DescribeCertificateInput{ + CertificateArn: aws.String(rs.Primary.ID), + }) + + if err == nil { + return fmt.Errorf("Certificate still exists.") + } + + // Verify the error is what we want + acmerr, ok := err.(awserr.Error) + + if !ok { + return err + } + if acmerr.Code() != "ResourceNotFoundException" { + return err + } + } + + return nil +} From 4e49e55dd7fdff91e720e7391bc7e46bd900d25a Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sun, 31 Dec 2017 16:13:13 +0100 Subject: [PATCH 02/30] Add basic aws_acm_certificate_validation resource that waits until a certificate can be validated and is issued --- aws/provider.go | 1 + aws/resource_aws_acm_certificate_test.go | 75 ++++++++++++++ ...resource_aws_acm_certificate_validation.go | 98 +++++++++++++++++++ 3 files changed, 174 insertions(+) create mode 100644 aws/resource_aws_acm_certificate_validation.go diff --git a/aws/provider.go b/aws/provider.go index 28620f857175..37b60fef3075 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -238,6 +238,7 @@ func Provider() terraform.ResourceProvider { ResourcesMap: map[string]*schema.Resource{ "aws_acm_certificate": resourceAwsAcmCertificate(), + "aws_acm_certificate_validation": resourceAwsAcmCertificateValidation(), "aws_ami": resourceAwsAmi(), "aws_ami_copy": resourceAwsAmiCopy(), "aws_ami_from_instance": resourceAwsAmiFromInstance(), diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index 888b0af44eb6..cb340b3ef602 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -9,11 +9,14 @@ import ( "github.com/aws/aws-sdk-go/service/acm" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" + "regexp" ) func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { var conf acm.DescribeCertificateOutput + var confAfterValidation acm.DescribeCertificateOutput + root_zone_domain := "sandbox.sellmayr.net" domain := "certtest.sandbox.sellmayr.net" resource.Test(t, resource.TestCase{ @@ -21,6 +24,7 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { Providers: testAccProviders, CheckDestroy: testAccCheckAcmCertificateDestroy, Steps: []resource.TestStep{ + // Test that we can request a certificate resource.TestStep{ Config: testAccAcmCertificateConfig(domain), Check: resource.ComposeTestCheckFunc( @@ -28,6 +32,20 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, "PENDING_VALIDATION"), ), }, + // Test that validation times out if certificate can't be validated + resource.TestStep{ + Config: testAccAcmCertificateWithValidationConfig(domain), + ExpectError: regexp.MustCompile("Expected certificate to be issued but was in state PENDING_VALIDATION"), + }, + // Test that validation succeeds once we provide the right DNS validation records + resource.TestStep{ + Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain), + Check: resource.ComposeTestCheckFunc( + testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &confAfterValidation), + testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &confAfterValidation, domain, "ISSUED"), + testAccCheckAcmCertificateValidationAttributes("aws_acm_certificate_validation.cert", &confAfterValidation), + ), + }, }, }) } @@ -41,6 +59,47 @@ resource "aws_acm_certificate" "cert" { `, domain) } +func testAccAcmCertificateWithValidationConfig(domain string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "cert" { + domain_name = "%s" + validation_method = "DNS" +} + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + timeout = "20s" +} +`, domain) +} + +func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "cert" { + domain_name = "%s" + validation_method = "DNS" +} + +data "aws_route53_zone" "zone" { + name = "%s." + private_zone = false +} + +resource "aws_route53_record" "cert_validation" { + name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" + type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" + zone_id = "${data.aws_route53_zone.zone.id}" + records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] + ttl = 60 +} + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + validation_record_fqdn = "${aws_route53_record.cert_validation.fqdn}" # This wouldn't strictly be necessary but it can enforce a dependency +} +`, domain, rootZoneDomain) +} + func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutput) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -100,6 +159,22 @@ func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificat } } +func testAccCheckAcmCertificateValidationAttributes(n string, cert *acm.DescribeCertificateOutput) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s.", n) + } + attrs := rs.Primary.Attributes + + if attrs["certificate_arn"] != *cert.Certificate.CertificateArn { + return fmt.Errorf("Certificate ARN in state is %s but expected %s", attrs["arn"], *cert.Certificate.CertificateArn) + } + + return nil + } +} + func testAccCheckAcmCertificateDestroy(s *terraform.State) error { acmconn := testAccProvider.Meta().(*AWSClient).acmconn diff --git a/aws/resource_aws_acm_certificate_validation.go b/aws/resource_aws_acm_certificate_validation.go new file mode 100644 index 000000000000..c85a4a80fbbb --- /dev/null +++ b/aws/resource_aws_acm_certificate_validation.go @@ -0,0 +1,98 @@ +package aws + +import ( + "fmt" + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" + "log" + "time" +) + +func resourceAwsAcmCertificateValidation() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsAcmCertificateValidationCreate, + Read: resourceAwsAcmCertificateValidationRead, + Delete: resourceAwsAcmCertificateValidationDelete, + + Schema: map[string]*schema.Schema{ + "certificate_arn": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "validation_record_fqdn": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + }, + "timeout": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Default: "45m", + }, + }, + } +} + +func resourceAwsAcmCertificateValidationCreate(d *schema.ResourceData, meta interface{}) error { + // TODO: check that validation_record_fqdn (if set) matches the domain validation information for cert + // TODO: check that certificate is AMAZON_ISSUED and has Domain Validation enabled (should we also allow to wait for E-Mail validation?) + + timeout, err := time.ParseDuration(d.Get("timeout").(string)) + if err != nil { + return err + } + + return resource.Retry(timeout, func() *resource.RetryError { + acmconn := meta.(*AWSClient).acmconn + + certificate_arn := d.Get("certificate_arn").(string) + params := &acm.DescribeCertificateInput{ + CertificateArn: aws.String(certificate_arn), + } + + resp, err := acmconn.DescribeCertificate(params) + + if err != nil { + return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) + } + + if *resp.Certificate.Status != "ISSUED" { + return resource.RetryableError(fmt.Errorf("Expected certificate to be issued but was in state %s", *resp.Certificate.Status)) + } + + log.Printf("[INFO] ACM Certificate validation for %s done, certificate was issued", certificate_arn) + return resource.NonRetryableError(resourceAwsAcmCertificateValidationRead(d, meta)) + }) +} + +func resourceAwsAcmCertificateValidationRead(d *schema.ResourceData, meta interface{}) error { + acmconn := meta.(*AWSClient).acmconn + + params := &acm.DescribeCertificateInput{ + CertificateArn: aws.String(d.Get("certificate_arn").(string)), + } + + resp, err := acmconn.DescribeCertificate(params) + + if err != nil { + return fmt.Errorf("Error describing certificate: %s", err) + } + + if *resp.Certificate.Status != "ISSUED" { + log.Printf("[INFO] Certificate status not issued, was %s, tainting validation", *resp.Certificate.Status) + d.SetId("") + } else { + d.SetId((*resp.Certificate.IssuedAt).String()) + } + return nil +} + +func resourceAwsAcmCertificateValidationDelete(d *schema.ResourceData, meta interface{}) error { + // No need to do anything, certificate will be deleted when acm_certificate is deleted + d.SetId("") + return nil +} From d4ef13aa323d2a895cde6f7e5ce358bbf958ccb4 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 13 Jan 2018 18:57:50 +0100 Subject: [PATCH 03/30] Add documentation for aws_acm_certificate and aws_acm_certificate_validation --- website/aws.erb | 12 +++ website/docs/r/acm_certificate.html.markdown | 77 +++++++++++++++++++ .../acm_certificate_validation.html.markdown | 65 ++++++++++++++++ 3 files changed, 154 insertions(+) create mode 100644 website/docs/r/acm_certificate.html.markdown create mode 100644 website/docs/r/acm_certificate_validation.html.markdown diff --git a/website/aws.erb b/website/aws.erb index 5bf9ba7af53f..6c086b8cc134 100644 --- a/website/aws.erb +++ b/website/aws.erb @@ -233,6 +233,18 @@ + > + ACM Resources + + + > API Gateway Resources
    diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown new file mode 100644 index 000000000000..2a0aca149fc4 --- /dev/null +++ b/website/docs/r/acm_certificate.html.markdown @@ -0,0 +1,77 @@ +--- +layout: "aws" +page_title: "AWS: aws_acm_certificate" +sidebar_current: "docs-aws-resource-acm-certificate" +description: |- + Requests and manages a certificate from Amazon Certificate Manager (ACM). +--- + +# aws_acm_certificate + +The ACM certificate resource allows requesting and management of certificates +from the Amazon Certificate Manager. + +It deals with requesting certificates and managing their attributes and life-cycle. +This resource does not deal with validation of a certificate but can provide inputs +for other resources implementing the validation. It does not wait for a certificate to be issued. +Use a [`aws_acm_certificate_validation`](acm_certificate_validation.html) resource for this. + +Most commonly, this resource is used to together with [`aws_route53_record`](route53_record.html) and +[`aws_acm_certificate_validation`](acm_certificate_validation.html) to request a DNS validated certificate, +deploy the required validation records and wait for validation to complete. + +## Example Usage + +```hcl +resource "aws_acm_certificate" "cert" { + domain_name = "example.com" + validation_method = "DNS" +} + +data "aws_route53_zone" "zone" { + name = "example.com." + private_zone = false +} + +resource "aws_route53_record" "cert_validation" { + name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" + type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" + zone_id = "${data.aws_route53_zone.zone.id}" + records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] + ttl = 60 +} + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + validation_record_fqdn = "${aws_route53_record.cert_validation.fqdn}" +} + +resource "aws_lb_listener" "front_end" { + # [...] + certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `domain_name` - (Required) A domain name for which the certificate should be issued +* `subject_alternative_names` - (Optional) A list of domains that should be SANs in the issued certificate +* `validation_method` - (Required) Which method to use for validation (only `DNS` is supported at the moment) + +## Attributes Reference + +The following attributes are exported: + +* `certificate_arn` - The ARN of the certificate +* `domain_validation_options` - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined + +Domain validation objects export the following attributes: + +* `domain_name` - The domain to be validated +* `resource_record_name` - The name of the DNS record to create to validate the certificate +* `resource_record_type` - The type of DNS record to create +* `resource_record_value` - The value the DNS record needs to have + + diff --git a/website/docs/r/acm_certificate_validation.html.markdown b/website/docs/r/acm_certificate_validation.html.markdown new file mode 100644 index 000000000000..43ac4c47f68a --- /dev/null +++ b/website/docs/r/acm_certificate_validation.html.markdown @@ -0,0 +1,65 @@ +--- +layout: "aws" +page_title: "AWS: aws_acm_certificate_validation" +sidebar_current: "docs-aws-resource-acm-certificate-validation" +description: |- + Waits for and checks successful validation of an ACM certificate. +--- + +# aws_acm_certificate_validation + +This resource represents a successful validation of an ACM certificate in concert +with other resources. + +Most commonly, this resource is used to together with [`aws_route53_record`](route53_record.html) and +[`aws_acm_certificate_validation`](acm_certificate_validation.html) to request a DNS validated certificate, +deploy the required validation records and wait for validation to complete. + +~> **WARNING:** This resource implements a part of the validation workflow. It does not represent a real-world entity in AWS, therefore changing or deleting this resource on its own has no immediate effect. + + +## Example Usage + +```hcl +resource "aws_acm_certificate" "cert" { + domain_name = "example.com" + validation_method = "DNS" +} + +data "aws_route53_zone" "zone" { + name = "example.com." + private_zone = false +} + +resource "aws_route53_record" "cert_validation" { + name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" + type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" + zone_id = "${data.aws_route53_zone.zone.id}" + records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] + ttl = 60 +} + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + validation_record_fqdn = "${aws_route53_record.cert_validation.fqdn}" +} + +resource "aws_lb_listener" "front_end" { + # [...] + certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `certificate_arn` - (Required) The ARN of the certificate that is being validated. +* `validation_record_fqdn` - (Optional) The FQDN of the record that implements the validation. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation +* `timeout` - (Optional) How long to wait for a certificate to be issued. Defaults to `"45m"` but ACM usually validates certificates much faster. + +## Attributes Reference + +The following attributes are exported: + +* `certificate_arn` - The ARN of the certificate that was validated. The same as the input but once this resouce completes, consumers can assume the certificate was issued successfully From fc359ece0cc13a1a1fc634148db8c2832bdf3a06 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sun, 14 Jan 2018 14:40:46 +0100 Subject: [PATCH 04/30] r/aws_acm_certificate_validation: Add sanity checks --- aws/resource_aws_acm_certificate_test.go | 22 +++++- ...resource_aws_acm_certificate_validation.go | 67 ++++++++++++++++--- .../acm_certificate_validation.html.markdown | 4 +- 3 files changed, 80 insertions(+), 13 deletions(-) diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index cb340b3ef602..94e5bd8db3b8 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -37,6 +37,11 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { Config: testAccAcmCertificateWithValidationConfig(domain), ExpectError: regexp.MustCompile("Expected certificate to be issued but was in state PENDING_VALIDATION"), }, + // Test that validation fails if given validation_fqdns don't match + resource.TestStep{ + Config: testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain), + ExpectError: regexp.MustCompile("Certificate needs .* to be set but only .* was passed to validation_record_fqdns"), + }, // Test that validation succeeds once we provide the right DNS validation records resource.TestStep{ Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain), @@ -73,6 +78,21 @@ resource "aws_acm_certificate_validation" "cert" { `, domain) } +func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "cert" { + domain_name = "%s" + validation_method = "DNS" +} + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + validation_record_fqdns = ["some-wrong-fqdn.example.com"] + timeout = "20s" +} +`, domain) +} + func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { @@ -95,7 +115,7 @@ resource "aws_route53_record" "cert_validation" { resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" - validation_record_fqdn = "${aws_route53_record.cert_validation.fqdn}" # This wouldn't strictly be necessary but it can enforce a dependency + validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] } `, domain, rootZoneDomain) } diff --git a/aws/resource_aws_acm_certificate_validation.go b/aws/resource_aws_acm_certificate_validation.go index c85a4a80fbbb..bf6244087dc9 100644 --- a/aws/resource_aws_acm_certificate_validation.go +++ b/aws/resource_aws_acm_certificate_validation.go @@ -7,6 +7,8 @@ import ( "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/schema" "log" + "reflect" + "sort" "time" ) @@ -22,10 +24,12 @@ func resourceAwsAcmCertificateValidation() *schema.Resource { Required: true, ForceNew: true, }, - "validation_record_fqdn": { - Type: schema.TypeString, + "validation_record_fqdns": { + Type: schema.TypeSet, Optional: true, ForceNew: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, }, "timeout": { Type: schema.TypeString, @@ -38,22 +42,38 @@ func resourceAwsAcmCertificateValidation() *schema.Resource { } func resourceAwsAcmCertificateValidationCreate(d *schema.ResourceData, meta interface{}) error { - // TODO: check that validation_record_fqdn (if set) matches the domain validation information for cert - // TODO: check that certificate is AMAZON_ISSUED and has Domain Validation enabled (should we also allow to wait for E-Mail validation?) - timeout, err := time.ParseDuration(d.Get("timeout").(string)) if err != nil { return err } - return resource.Retry(timeout, func() *resource.RetryError { - acmconn := meta.(*AWSClient).acmconn + certificate_arn := d.Get("certificate_arn").(string) + + acmconn := meta.(*AWSClient).acmconn + params := &acm.DescribeCertificateInput{ + CertificateArn: aws.String(certificate_arn), + } + + resp, err := acmconn.DescribeCertificate(params) + + if err != nil { + return fmt.Errorf("Error describing certificate: %s", err) + } + + if *resp.Certificate.Type != "AMAZON_ISSUED" { + return fmt.Errorf("Certificate %s has type %s, no validation necessary", *resp.Certificate.CertificateArn, *resp.Certificate.Type) + } - certificate_arn := d.Get("certificate_arn").(string) - params := &acm.DescribeCertificateInput{ - CertificateArn: aws.String(certificate_arn), + if validation_record_fqdns, ok := d.GetOk("validation_record_fqdns"); ok { + err := resourceAwsAcmCertificateCheckValidationRecords(validation_record_fqdns.(*schema.Set).List(), resp.Certificate) + if err != nil { + return err } + } else { + log.Printf("[INFO] No validation_record_fqdns set, skipping check") + } + return resource.Retry(timeout, func() *resource.RetryError { resp, err := acmconn.DescribeCertificate(params) if err != nil { @@ -69,6 +89,33 @@ func resourceAwsAcmCertificateValidationCreate(d *schema.ResourceData, meta inte }) } +func resourceAwsAcmCertificateCheckValidationRecords(validation_record_fqdns []interface{}, cert *acm.CertificateDetail) error { + expected_fqdns := make([]string, len(cert.DomainValidationOptions)) + for i, v := range cert.DomainValidationOptions { + if *v.ValidationMethod == "DNS" { + expected_fqdns[i] = *v.ResourceRecord.Name + } + } + + actual_validation_record_fqdns := make([]string, 0, len(validation_record_fqdns)) + + for _, v := range validation_record_fqdns { + val := v.(string) + actual_validation_record_fqdns = append(actual_validation_record_fqdns, val) + } + + sort.Strings(expected_fqdns) + sort.Strings(actual_validation_record_fqdns) + + log.Printf("[DEBUG] Checking validation_record_fqdns. Expected: %v, Actual: %v", expected_fqdns, actual_validation_record_fqdns) + + if !reflect.DeepEqual(expected_fqdns, actual_validation_record_fqdns) { + return fmt.Errorf("Certificate needs %v to be set but only %v was passed to validation_record_fqdns", expected_fqdns, actual_validation_record_fqdns) + } + + return nil +} + func resourceAwsAcmCertificateValidationRead(d *schema.ResourceData, meta interface{}) error { acmconn := meta.(*AWSClient).acmconn diff --git a/website/docs/r/acm_certificate_validation.html.markdown b/website/docs/r/acm_certificate_validation.html.markdown index 43ac4c47f68a..a378c870e7f1 100644 --- a/website/docs/r/acm_certificate_validation.html.markdown +++ b/website/docs/r/acm_certificate_validation.html.markdown @@ -41,7 +41,7 @@ resource "aws_route53_record" "cert_validation" { resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" - validation_record_fqdn = "${aws_route53_record.cert_validation.fqdn}" + validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] } resource "aws_lb_listener" "front_end" { @@ -55,7 +55,7 @@ resource "aws_lb_listener" "front_end" { The following arguments are supported: * `certificate_arn` - (Required) The ARN of the certificate that is being validated. -* `validation_record_fqdn` - (Optional) The FQDN of the record that implements the validation. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation +* `validation_record_fqdns` - (Optional) List of FQDNs that implement the validation. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation * `timeout` - (Optional) How long to wait for a certificate to be issued. Defaults to `"45m"` but ACM usually validates certificates much faster. ## Attributes Reference From b1bd46bda1f9da27e13d740730a4c14d3f4dbce4 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sun, 14 Jan 2018 17:19:28 +0100 Subject: [PATCH 05/30] r/aws_acm_certificate_validation: Test and clean up support for SANs --- aws/resource_aws_acm_certificate.go | 17 ++++---- aws/resource_aws_acm_certificate_test.go | 53 ++++++++++++++++-------- 2 files changed, 43 insertions(+), 27 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 0afc0a058cef..ff424e539e99 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -22,7 +22,6 @@ func resourceAwsAcmCertificate() *schema.Resource { Required: true, ForceNew: true, }, - "subject_alternative_names": &schema.Schema{ Type: schema.TypeList, Optional: true, @@ -144,21 +143,21 @@ func cleanUpSubjectAlternativeNames(cert *acm.CertificateDetail) []string { } func convertDomainValidationOptions(validations []*acm.DomainValidation) ([]map[string]interface{}, error) { - result := make([]map[string]interface{}, 0, len(validations)) + var result []map[string]interface{} for _, o := range validations { - validationOption := make(map[string]interface{}) - validationOption["domain_name"] = *o.DomainName if o.ResourceRecord != nil { - validationOption["resource_record_name"] = *o.ResourceRecord.Name - validationOption["resource_record_type"] = *o.ResourceRecord.Type - validationOption["resource_record_value"] = *o.ResourceRecord.Value + validationOption := map[string]interface{}{ + "domain_name": *o.DomainName, + "resource_record_name": *o.ResourceRecord.Name, + "resource_record_type": *o.ResourceRecord.Type, + "resource_record_value": *o.ResourceRecord.Value, + } + result = append(result, validationOption) } else { log.Printf("[DEBUG] No resource record found in validation options, need to retry: %#v", o) return nil, fmt.Errorf("No resource record found in DNS DomainValidationOptions: %v", o) } - - result = append(result, validationOption) } return result, nil diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index 94e5bd8db3b8..b75f5a02d479 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -18,6 +18,7 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { root_zone_domain := "sandbox.sellmayr.net" domain := "certtest.sandbox.sellmayr.net" + sanDomain := "certtest2.sandbox.sellmayr.net" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -26,28 +27,28 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { Steps: []resource.TestStep{ // Test that we can request a certificate resource.TestStep{ - Config: testAccAcmCertificateConfig(domain), + Config: testAccAcmCertificateConfig(domain, sanDomain), Check: resource.ComposeTestCheckFunc( testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf), - testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, "PENDING_VALIDATION"), + testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), ), }, // Test that validation times out if certificate can't be validated resource.TestStep{ - Config: testAccAcmCertificateWithValidationConfig(domain), + Config: testAccAcmCertificateWithValidationConfig(domain, sanDomain), ExpectError: regexp.MustCompile("Expected certificate to be issued but was in state PENDING_VALIDATION"), }, // Test that validation fails if given validation_fqdns don't match resource.TestStep{ - Config: testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain), + Config: testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain, sanDomain), ExpectError: regexp.MustCompile("Certificate needs .* to be set but only .* was passed to validation_record_fqdns"), }, // Test that validation succeeds once we provide the right DNS validation records resource.TestStep{ - Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain), + Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain, sanDomain), Check: resource.ComposeTestCheckFunc( testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &confAfterValidation), - testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &confAfterValidation, domain, "ISSUED"), + testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &confAfterValidation, domain, sanDomain, "ISSUED"), testAccCheckAcmCertificateValidationAttributes("aws_acm_certificate_validation.cert", &confAfterValidation), ), }, @@ -55,34 +56,37 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { }) } -func testAccAcmCertificateConfig(domain string) string { +func testAccAcmCertificateConfig(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { domain_name = "%s" validation_method = "DNS" + subject_alternative_names = ["%s"] } -`, domain) +`, domain, sanDomain) } -func testAccAcmCertificateWithValidationConfig(domain string) string { +func testAccAcmCertificateWithValidationConfig(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { domain_name = "%s" validation_method = "DNS" + subject_alternative_names = ["%s"] } resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" timeout = "20s" } -`, domain) +`, domain, sanDomain) } -func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string) string { +func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { domain_name = "%s" validation_method = "DNS" + subject_alternative_names = ["%s"] } resource "aws_acm_certificate_validation" "cert" { @@ -90,14 +94,15 @@ resource "aws_acm_certificate_validation" "cert" { validation_record_fqdns = ["some-wrong-fqdn.example.com"] timeout = "20s" } -`, domain) +`, domain, sanDomain) } -func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string) string { +func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { domain_name = "%s" validation_method = "DNS" + subject_alternative_names = ["%s"] } data "aws_route53_zone" "zone" { @@ -113,11 +118,22 @@ resource "aws_route53_record" "cert_validation" { ttl = 60 } +resource "aws_route53_record" "cert_validation_san" { + name = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_name}" + type = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_type}" + zone_id = "${data.aws_route53_zone.zone.id}" + records = ["${aws_acm_certificate.cert.domain_validation_options.1.resource_record_value}"] + ttl = 60 +} + resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" - validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] + validation_record_fqdns = [ + "${aws_route53_record.cert_validation.fqdn}", + "${aws_route53_record.cert_validation_san.fqdn}" + ] } -`, domain, rootZoneDomain) +`, domain, sanDomain, rootZoneDomain) } func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutput) resource.TestCheckFunc { @@ -155,7 +171,7 @@ func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutp } } -func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificateOutput, domain string, status string) resource.TestCheckFunc { +func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificateOutput, domain string, sanDomain string, status string) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] if !ok { @@ -166,6 +182,9 @@ func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificat if *cert.Certificate.DomainName != domain { return fmt.Errorf("Domain name is %s but expected %s", *cert.Certificate.DomainName, domain) } + if *cert.Certificate.SubjectAlternativeNames[1] != sanDomain { + return fmt.Errorf("SAN Domain name is %s but expected %s", *cert.Certificate.SubjectAlternativeNames[1], sanDomain) + } if *cert.Certificate.Status != status { return fmt.Errorf("Status is %s but expected %s", *cert.Certificate.Status, status) } @@ -173,8 +192,6 @@ func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificat return fmt.Errorf("Domain name in state is %s but expected %s", attrs["domain_name"], domain) } - // TODO: check other attributes? - return nil } } From fe230cb5a2136c105e322b2cf6164f14cc21949f Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 20 Jan 2018 13:31:46 +0100 Subject: [PATCH 06/30] r/aws_acm_certificate: Add ability to import certificates --- aws/resource_aws_acm_certificate.go | 13 +++++++++++++ aws/resource_aws_acm_certificate_test.go | 5 +++++ website/docs/r/acm_certificate.html.markdown | 6 ++++++ 3 files changed, 24 insertions(+) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index ff424e539e99..f5b8204c9c28 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -15,6 +15,9 @@ func resourceAwsAcmCertificate() *schema.Resource { Create: resourceAwsAcmCertificateCreate, Read: resourceAwsAcmCertificateRead, Delete: resourceAwsAcmCertificateDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, Schema: map[string]*schema.Schema{ "domain_name": &schema.Schema{ @@ -108,9 +111,19 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) } + if *resp.Certificate.Type != "AMAZON_ISSUED" { + return resource.NonRetryableError(fmt.Errorf("Certificate has type %s, only AMAZON_ISSUED is supported at the moment", *resp.Certificate.Type)) + } + if err := d.Set("domain_name", resp.Certificate.DomainName); err != nil { return resource.NonRetryableError(err) } + if err := d.Set("certificate_arn", resp.Certificate.CertificateArn); err != nil { + return resource.NonRetryableError(err) + } + if err := d.Set("validation_method", resp.Certificate.DomainValidationOptions[0].ValidationMethod); err != nil { + return resource.NonRetryableError(err) + } if err := d.Set("subject_alternative_names", cleanUpSubjectAlternativeNames(resp.Certificate)); err != nil { return resource.NonRetryableError(err) } diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index b75f5a02d479..c82341b8fab7 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -52,6 +52,11 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { testAccCheckAcmCertificateValidationAttributes("aws_acm_certificate_validation.cert", &confAfterValidation), ), }, + resource.TestStep{ + ResourceName: "aws_acm_certificate.cert", + ImportState: true, + ImportStateVerify: true, + }, }, }) } diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index 2a0aca149fc4..aebf1fcbb6bf 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -74,4 +74,10 @@ Domain validation objects export the following attributes: * `resource_record_type` - The type of DNS record to create * `resource_record_value` - The value the DNS record needs to have +## Import +Certificates can be imported using their ARN, e.g. + +``` +$ terraform import aws_acm_certificate.cert aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a +``` From bf646abafc12cc6caed8a4f62c8dc50123a83191 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 20 Jan 2018 13:33:51 +0100 Subject: [PATCH 07/30] r/aws_acm_certificate_validation: Ignore trailing . when validating FQDNs --- aws/resource_aws_acm_certificate_validation.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_acm_certificate_validation.go b/aws/resource_aws_acm_certificate_validation.go index bf6244087dc9..a31d6aad2191 100644 --- a/aws/resource_aws_acm_certificate_validation.go +++ b/aws/resource_aws_acm_certificate_validation.go @@ -9,6 +9,7 @@ import ( "log" "reflect" "sort" + "strings" "time" ) @@ -93,7 +94,7 @@ func resourceAwsAcmCertificateCheckValidationRecords(validation_record_fqdns []i expected_fqdns := make([]string, len(cert.DomainValidationOptions)) for i, v := range cert.DomainValidationOptions { if *v.ValidationMethod == "DNS" { - expected_fqdns[i] = *v.ResourceRecord.Name + expected_fqdns[i] = strings.TrimSuffix(*v.ResourceRecord.Name, ".") } } @@ -101,7 +102,7 @@ func resourceAwsAcmCertificateCheckValidationRecords(validation_record_fqdns []i for _, v := range validation_record_fqdns { val := v.(string) - actual_validation_record_fqdns = append(actual_validation_record_fqdns, val) + actual_validation_record_fqdns = append(actual_validation_record_fqdns, strings.TrimSuffix(val, ".")) } sort.Strings(expected_fqdns) From 32a9137bf20bfd5508b912a04215a2589658bc61 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 20 Jan 2018 13:45:24 +0100 Subject: [PATCH 08/30] r/aws_acm_certificate: Validate validation_method --- aws/resource_aws_acm_certificate.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index f5b8204c9c28..5f9c95982dfa 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -35,6 +35,12 @@ func resourceAwsAcmCertificate() *schema.Resource { Type: schema.TypeString, Required: true, ForceNew: true, + ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { + if v.(string) != "DNS" { + errors = append(errors, fmt.Errorf("only validation_method DNS is supported at the moment")) + } + return + }, }, "certificate_arn": &schema.Schema{ Type: schema.TypeString, @@ -76,8 +82,6 @@ func resourceAwsAcmCertificateCreate(d *schema.ResourceData, meta interface{}) e ValidationMethod: aws.String("DNS"), } - // TODO: check that validation method is DNS, nothing else supported at the moment - sans, ok := d.GetOk("subject_alternative_names") if ok { sanStrings := sans.([]interface{}) From fa7bc0a22db353c16b372832ef5b13e75c2f7e93 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 20 Jan 2018 13:54:08 +0100 Subject: [PATCH 09/30] r/aws_acm_certificate: Don't set certificate_arn twice --- aws/resource_aws_acm_certificate.go | 1 - 1 file changed, 1 deletion(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 5f9c95982dfa..0cd57e7e079e 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -96,7 +96,6 @@ func resourceAwsAcmCertificateCreate(d *schema.ResourceData, meta interface{}) e } d.SetId(*resp.CertificateArn) - d.Set("certificate_arn", *resp.CertificateArn) return resourceAwsAcmCertificateRead(d, meta) } From 259ced4b874d98050b161108809f0704d5b8448f Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 20 Jan 2018 14:45:55 +0100 Subject: [PATCH 10/30] r/aws_acm_certificate: Add support for tagging --- aws/resource_aws_acm_certificate.go | 32 ++++++ aws/resource_aws_acm_certificate_test.go | 90 +++++++++++++--- aws/tagsACM.go | 103 +++++++++++++++++++ aws/tagsACM_test.go | 103 +++++++++++++++++++ website/docs/r/acm_certificate.html.markdown | 8 +- 5 files changed, 319 insertions(+), 17 deletions(-) create mode 100644 aws/tagsACM.go create mode 100644 aws/tagsACM_test.go diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 0cd57e7e079e..a8135678d413 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -14,6 +14,7 @@ func resourceAwsAcmCertificate() *schema.Resource { return &schema.Resource{ Create: resourceAwsAcmCertificateCreate, Read: resourceAwsAcmCertificateRead, + Update: resourceAwsAcmCertificateUpdate, Delete: resourceAwsAcmCertificateDelete, Importer: &schema.ResourceImporter{ State: schema.ImportStatePassthrough, @@ -71,6 +72,7 @@ func resourceAwsAcmCertificate() *schema.Resource { }, }, }, + "tags": tagsSchema(), }, } } @@ -96,6 +98,17 @@ func resourceAwsAcmCertificateCreate(d *schema.ResourceData, meta interface{}) e } d.SetId(*resp.CertificateArn) + if v, ok := d.GetOk("tags"); ok { + params := &acm.AddTagsToCertificateInput{ + CertificateArn: resp.CertificateArn, + Tags: tagsFromMapACM(v.(map[string]interface{})), + } + _, err := acmconn.AddTagsToCertificate(params) + + if err != nil { + return fmt.Errorf("Error requesting certificate: %s", err) + } + } return resourceAwsAcmCertificateRead(d, meta) } @@ -141,9 +154,28 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.NonRetryableError(err) } + params := &acm.ListTagsForCertificateInput{ + CertificateArn: aws.String(d.Id()), + } + + tagResp, err := acmconn.ListTagsForCertificate(params) + if err := d.Set("tags", tagsToMapACM(tagResp.Tags)); err != nil { + return resource.NonRetryableError(err) + } + return nil }) +} +func resourceAwsAcmCertificateUpdate(d *schema.ResourceData, meta interface{}) error { + if d.HasChange("tags") { + acmconn := meta.(*AWSClient).acmconn + err := setTagsACM(acmconn, d) + if err != nil { + return err + } + } + return nil } func cleanUpSubjectAlternativeNames(cert *acm.CertificateDetail) []string { diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index c82341b8fab7..6079694df787 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -14,6 +14,7 @@ import ( func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { var conf acm.DescribeCertificateOutput + var tags acm.ListTagsForCertificateOutput var confAfterValidation acm.DescribeCertificateOutput root_zone_domain := "sandbox.sellmayr.net" @@ -29,8 +30,20 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { resource.TestStep{ Config: testAccAcmCertificateConfig(domain, sanDomain), Check: resource.ComposeTestCheckFunc( - testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf), + testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf, &tags), testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), + testAccCheckTagsACM(&tags.Tags, "Hello", "World"), + testAccCheckTagsACM(&tags.Tags, "Foo", "Bar"), + ), + }, + // Test that we can change the tags + resource.TestStep{ + Config: testAccAcmCertificateConfigWithChangedTags(domain, sanDomain), + Check: resource.ComposeTestCheckFunc( + testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf, &tags), + testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), + testAccCheckTagsACM(&tags.Tags, "Environment", "Test"), + testAccCheckTagsACM(&tags.Tags, "Foo", "Baz"), ), }, // Test that validation times out if certificate can't be validated @@ -47,7 +60,7 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { resource.TestStep{ Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain, sanDomain), Check: resource.ComposeTestCheckFunc( - testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &confAfterValidation), + testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &confAfterValidation, &tags), testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &confAfterValidation, domain, sanDomain, "ISSUED"), testAccCheckAcmCertificateValidationAttributes("aws_acm_certificate_validation.cert", &confAfterValidation), ), @@ -64,9 +77,29 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { func testAccAcmCertificateConfig(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] + domain_name = "%s" + validation_method = "DNS" + subject_alternative_names = ["%s"] + + tags { + "Hello" = "World" + "Foo" = "Bar" + } +} +`, domain, sanDomain) +} + +func testAccAcmCertificateConfigWithChangedTags(domain string, sanDomain string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "cert" { + domain_name = "%s" + validation_method = "DNS" + subject_alternative_names = ["%s"] + + tags { + "Environment" = "Test" + "Foo" = "Baz" + } } `, domain, sanDomain) } @@ -74,11 +107,17 @@ resource "aws_acm_certificate" "cert" { func testAccAcmCertificateWithValidationConfig(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] + domain_name = "%s" + validation_method = "DNS" + subject_alternative_names = ["%s"] + + tags { + "Environment" = "Test" + "Foo" = "Baz" + } } + resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" timeout = "20s" @@ -89,11 +128,17 @@ resource "aws_acm_certificate_validation" "cert" { func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] + domain_name = "%s" + validation_method = "DNS" + subject_alternative_names = ["%s"] + + tags { + "Environment" = "Test" + "Foo" = "Baz" + } } + resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" validation_record_fqdns = ["some-wrong-fqdn.example.com"] @@ -105,11 +150,17 @@ resource "aws_acm_certificate_validation" "cert" { func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] + domain_name = "%s" + validation_method = "DNS" + subject_alternative_names = ["%s"] + + tags { + "Environment" = "Test" + "Foo" = "Baz" + } } + data "aws_route53_zone" "zone" { name = "%s." private_zone = false @@ -141,7 +192,7 @@ resource "aws_acm_certificate_validation" "cert" { `, domain, sanDomain, rootZoneDomain) } -func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutput) resource.TestCheckFunc { +func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutput, tags *acm.ListTagsForCertificateOutput) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] if !ok { @@ -170,7 +221,16 @@ func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutp return err } + tagsResp, err := acmconn.ListTagsForCertificate(&acm.ListTagsForCertificateInput{ + CertificateArn: aws.String(rs.Primary.Attributes["certificate_arn"]), + }) + + if err != nil { + return err + } + *res = *resp + *tags = *tagsResp return nil } diff --git a/aws/tagsACM.go b/aws/tagsACM.go new file mode 100644 index 000000000000..56434f82a3c4 --- /dev/null +++ b/aws/tagsACM.go @@ -0,0 +1,103 @@ +package aws + +import ( + "log" + "regexp" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/schema" +) + +func setTagsACM(conn *acm.ACM, d *schema.ResourceData) error { + if d.HasChange("tags") { + oraw, nraw := d.GetChange("tags") + o := oraw.(map[string]interface{}) + n := nraw.(map[string]interface{}) + create, remove := diffTagsACM(tagsFromMapACM(o), tagsFromMapACM(n)) + + // Set tags + if len(remove) > 0 { + input := acm.RemoveTagsFromCertificateInput{ + CertificateArn: aws.String(d.Get("certificate_arn").(string)), + Tags: remove, + } + log.Printf("[DEBUG] Removing ACM tags: %s", input) + _, err := conn.RemoveTagsFromCertificate(&input) + if err != nil { + return err + } + } + if len(create) > 0 { + input := acm.AddTagsToCertificateInput{ + CertificateArn: aws.String(d.Get("certificate_arn").(string)), + Tags: create, + } + log.Printf("[DEBUG] Adding ACM tags: %s", input) + _, err := conn.AddTagsToCertificate(&input) + if err != nil { + return err + } + } + } + + return nil +} + +// diffTags takes our tags locally and the ones remotely and returns +// the set of tags that must be created, and the set of tags that must +// be destroyed. +func diffTagsACM(oldTags, newTags []*acm.Tag) ([]*acm.Tag, []*acm.Tag) { + // First, we're creating everything we have + create := make(map[string]interface{}) + for _, t := range newTags { + create[*t.Key] = *t.Value + } + + // Build the list of what to remove + var remove []*acm.Tag + for _, t := range oldTags { + old, ok := create[*t.Key] + if !ok || old != *t.Value { + // Delete it! + remove = append(remove, t) + } + } + + return tagsFromMapACM(create), remove +} + +func tagsFromMapACM(m map[string]interface{}) []*acm.Tag { + result := []*acm.Tag{} + for k, v := range m { + result = append(result, &acm.Tag{ + Key: aws.String(k), + Value: aws.String(v.(string)), + }) + } + + return result +} + +func tagsToMapACM(ts []*acm.Tag) map[string]string { + result := map[string]string{} + for _, t := range ts { + result[*t.Key] = *t.Value + } + + return result +} + +// compare a tag against a list of strings and checks if it should +// be ignored or not +func tagIgnoredACM(t *acm.Tag) bool { + filter := []string{"^aws:"} + for _, v := range filter { + log.Printf("[DEBUG] Matching %v with %v\n", v, *t.Key) + if r, _ := regexp.MatchString(v, *t.Key); r == true { + log.Printf("[DEBUG] Found AWS specific tag %s (val: %s), ignoring.\n", *t.Key, *t.Value) + return true + } + } + return false +} diff --git a/aws/tagsACM_test.go b/aws/tagsACM_test.go new file mode 100644 index 000000000000..c2764acfd226 --- /dev/null +++ b/aws/tagsACM_test.go @@ -0,0 +1,103 @@ +package aws + +import ( + "fmt" + "reflect" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" +) + +func TestDiffTagsACM(t *testing.T) { + cases := []struct { + Old, New map[string]interface{} + Create, Remove map[string]string + }{ + // Basic add/remove + { + Old: map[string]interface{}{ + "foo": "bar", + }, + New: map[string]interface{}{ + "bar": "baz", + }, + Create: map[string]string{ + "bar": "baz", + }, + Remove: map[string]string{ + "foo": "bar", + }, + }, + + // Modify + { + Old: map[string]interface{}{ + "foo": "bar", + }, + New: map[string]interface{}{ + "foo": "baz", + }, + Create: map[string]string{ + "foo": "baz", + }, + Remove: map[string]string{ + "foo": "bar", + }, + }, + } + + for i, tc := range cases { + c, r := diffTagsACM(tagsFromMapACM(tc.Old), tagsFromMapACM(tc.New)) + cm := tagsToMapACM(c) + rm := tagsToMapACM(r) + if !reflect.DeepEqual(cm, tc.Create) { + t.Fatalf("%d: bad create: %#v", i, cm) + } + if !reflect.DeepEqual(rm, tc.Remove) { + t.Fatalf("%d: bad remove: %#v", i, rm) + } + } +} + +func TestIgnoringTagsACM(t *testing.T) { + var ignoredTags []*acm.Tag + ignoredTags = append(ignoredTags, &acm.Tag{ + Key: aws.String("aws:cloudformation:logical-id"), + Value: aws.String("foo"), + }) + ignoredTags = append(ignoredTags, &acm.Tag{ + Key: aws.String("aws:foo:bar"), + Value: aws.String("baz"), + }) + for _, tag := range ignoredTags { + if !tagIgnoredACM(tag) { + t.Fatalf("Tag %v with value %v not ignored, but should be!", *tag.Key, *tag.Value) + } + } +} + +// testAccCheckTags can be used to check the tags on a resource. +func testAccCheckTagsACM( + ts *[]*acm.Tag, key string, value string) resource.TestCheckFunc { + return func(s *terraform.State) error { + m := tagsToMapACM(*ts) + v, ok := m[key] + if value != "" && !ok { + return fmt.Errorf("Missing tag: %s", key) + } else if value == "" && ok { + return fmt.Errorf("Extra tag: %s", key) + } + if value == "" { + return nil + } + + if v != value { + return fmt.Errorf("%s: bad value: %s", key, v) + } + + return nil + } +} diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index aebf1fcbb6bf..b20c7e3d96d0 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -24,8 +24,11 @@ deploy the required validation records and wait for validation to complete. ```hcl resource "aws_acm_certificate" "cert" { - domain_name = "example.com" - validation_method = "DNS" + domain_name = "example.com" + validation_method = "DNS" + tags { + Environment = "test" + } } data "aws_route53_zone" "zone" { @@ -59,6 +62,7 @@ The following arguments are supported: * `domain_name` - (Required) A domain name for which the certificate should be issued * `subject_alternative_names` - (Optional) A list of domains that should be SANs in the issued certificate * `validation_method` - (Required) Which method to use for validation (only `DNS` is supported at the moment) +* `tags` - (Optional) A mapping of tags to assign to the resource. ## Attributes Reference From d81ab237930ebceaaac07e9fc076b196cd69bf13 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Sat, 20 Jan 2018 15:13:44 +0100 Subject: [PATCH 11/30] r/aws_acm_certificate: Make domain name used in acceptance tests configurable --- aws/resource_aws_acm_certificate_test.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index 6079694df787..b6af672b85b5 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -9,6 +9,7 @@ import ( "github.com/aws/aws-sdk-go/service/acm" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" + "os" "regexp" ) @@ -16,10 +17,13 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { var conf acm.DescribeCertificateOutput var tags acm.ListTagsForCertificateOutput var confAfterValidation acm.DescribeCertificateOutput + if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { + t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") + } - root_zone_domain := "sandbox.sellmayr.net" - domain := "certtest.sandbox.sellmayr.net" - sanDomain := "certtest2.sandbox.sellmayr.net" + root_zone_domain := os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") + domain := fmt.Sprintf("certtest.%s", root_zone_domain) + sanDomain := fmt.Sprintf("certtest2.%s", root_zone_domain) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, From 3afd4fbfc7ea4af86748ce4e6469f86abfb63e85 Mon Sep 17 00:00:00 2001 From: Joel Handwell Date: Tue, 30 Jan 2018 00:10:01 -0500 Subject: [PATCH 12/30] Adjust code in documentation to the spec --- website/docs/r/acm_certificate.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index b20c7e3d96d0..4470f0f9c0a3 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -46,7 +46,7 @@ resource "aws_route53_record" "cert_validation" { resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" - validation_record_fqdn = "${aws_route53_record.cert_validation.fqdn}" + validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] } resource "aws_lb_listener" "front_end" { From 65c85fe40e025d1d5a795f6f38b8468bce987376 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Thu, 1 Feb 2018 21:16:13 +0100 Subject: [PATCH 13/30] r/aws_acm_certificate: Improve code style by organising imports, using constants and utility methods, removing extraneous code --- aws/resource_aws_acm_certificate.go | 30 +++++++++---------- aws/resource_aws_acm_certificate_test.go | 13 +++----- ...resource_aws_acm_certificate_validation.go | 11 +++---- 3 files changed, 25 insertions(+), 29 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index a8135678d413..467305f32a3a 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -2,12 +2,13 @@ package aws import ( "fmt" + "log" + "time" + "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/acm" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/schema" - "log" - "time" ) func resourceAwsAcmCertificate() *schema.Resource { @@ -21,51 +22,50 @@ func resourceAwsAcmCertificate() *schema.Resource { }, Schema: map[string]*schema.Schema{ - "domain_name": &schema.Schema{ + "domain_name": { Type: schema.TypeString, Required: true, ForceNew: true, }, - "subject_alternative_names": &schema.Schema{ + "subject_alternative_names": { Type: schema.TypeList, Optional: true, ForceNew: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "validation_method": &schema.Schema{ + "validation_method": { Type: schema.TypeString, Required: true, ForceNew: true, ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { - if v.(string) != "DNS" { + if v.(string) != acm.ValidationMethodDns { errors = append(errors, fmt.Errorf("only validation_method DNS is supported at the moment")) } return }, }, - "certificate_arn": &schema.Schema{ + "certificate_arn": { Type: schema.TypeString, Computed: true, - ForceNew: true, }, - "domain_validation_options": &schema.Schema{ + "domain_validation_options": { Type: schema.TypeList, Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "domain_name": &schema.Schema{ + "domain_name": { Type: schema.TypeString, Computed: true, }, - "resource_record_name": &schema.Schema{ + "resource_record_name": { Type: schema.TypeString, Computed: true, }, - "resource_record_type": &schema.Schema{ + "resource_record_type": { Type: schema.TypeString, Computed: true, }, - "resource_record_value": &schema.Schema{ + "resource_record_value": { Type: schema.TypeString, Computed: true, }, @@ -81,7 +81,7 @@ func resourceAwsAcmCertificateCreate(d *schema.ResourceData, meta interface{}) e acmconn := meta.(*AWSClient).acmconn params := &acm.RequestCertificateInput{ DomainName: aws.String(d.Get("domain_name").(string)), - ValidationMethod: aws.String("DNS"), + ValidationMethod: aws.String(acm.ValidationMethodDns), } sans, ok := d.GetOk("subject_alternative_names") @@ -127,7 +127,7 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) } - if *resp.Certificate.Type != "AMAZON_ISSUED" { + if *resp.Certificate.Type != acm.CertificateTypeAmazonIssued { return resource.NonRetryableError(fmt.Errorf("Certificate has type %s, only AMAZON_ISSUED is supported at the moment", *resp.Certificate.Type)) } diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index b6af672b85b5..bacbf9509fef 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -4,13 +4,13 @@ import ( "fmt" "testing" + "os" + "regexp" + "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/service/acm" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" - "os" - "regexp" ) func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { @@ -297,12 +297,7 @@ func testAccCheckAcmCertificateDestroy(s *terraform.State) error { } // Verify the error is what we want - acmerr, ok := err.(awserr.Error) - - if !ok { - return err - } - if acmerr.Code() != "ResourceNotFoundException" { + if !isAWSErr(err, acm.ErrCodeResourceNotFoundException, "") { return err } } diff --git a/aws/resource_aws_acm_certificate_validation.go b/aws/resource_aws_acm_certificate_validation.go index a31d6aad2191..9c5a3fb00d52 100644 --- a/aws/resource_aws_acm_certificate_validation.go +++ b/aws/resource_aws_acm_certificate_validation.go @@ -2,15 +2,16 @@ package aws import ( "fmt" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acm" - "github.com/hashicorp/terraform/helper/resource" - "github.com/hashicorp/terraform/helper/schema" "log" "reflect" "sort" "strings" "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" ) func resourceAwsAcmCertificateValidation() *schema.Resource { @@ -93,7 +94,7 @@ func resourceAwsAcmCertificateValidationCreate(d *schema.ResourceData, meta inte func resourceAwsAcmCertificateCheckValidationRecords(validation_record_fqdns []interface{}, cert *acm.CertificateDetail) error { expected_fqdns := make([]string, len(cert.DomainValidationOptions)) for i, v := range cert.DomainValidationOptions { - if *v.ValidationMethod == "DNS" { + if *v.ValidationMethod == acm.ValidationMethodDns { expected_fqdns[i] = strings.TrimSuffix(*v.ResourceRecord.Name, ".") } } From f3b4d69904119ffeda73e5d430cefe6882253d3b Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Thu, 1 Feb 2018 22:37:41 +0100 Subject: [PATCH 14/30] r/aws_acm_certificate: Change certificate_arn attribute to arn --- aws/resource_aws_acm_certificate.go | 4 ++-- aws/resource_aws_acm_certificate_test.go | 18 +++++++++--------- aws/tagsACM.go | 4 ++-- website/docs/r/acm_certificate.html.markdown | 4 ++-- .../r/acm_certificate_validation.html.markdown | 2 +- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 467305f32a3a..d76806ccf3ab 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -44,7 +44,7 @@ func resourceAwsAcmCertificate() *schema.Resource { return }, }, - "certificate_arn": { + "arn": { Type: schema.TypeString, Computed: true, }, @@ -134,7 +134,7 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err if err := d.Set("domain_name", resp.Certificate.DomainName); err != nil { return resource.NonRetryableError(err) } - if err := d.Set("certificate_arn", resp.Certificate.CertificateArn); err != nil { + if err := d.Set("arn", resp.Certificate.CertificateArn); err != nil { return resource.NonRetryableError(err) } if err := d.Set("validation_method", resp.Certificate.DomainValidationOptions[0].ValidationMethod); err != nil { diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index bacbf9509fef..3be1297aa18c 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -123,7 +123,7 @@ resource "aws_acm_certificate" "cert" { resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + certificate_arn = "${aws_acm_certificate.cert.arn}" timeout = "20s" } `, domain, sanDomain) @@ -144,7 +144,7 @@ resource "aws_acm_certificate" "cert" { resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + certificate_arn = "${aws_acm_certificate.cert.arn}" validation_record_fqdns = ["some-wrong-fqdn.example.com"] timeout = "20s" } @@ -187,7 +187,7 @@ resource "aws_route53_record" "cert_validation_san" { } resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + certificate_arn = "${aws_acm_certificate.cert.arn}" validation_record_fqdns = [ "${aws_route53_record.cert_validation.fqdn}", "${aws_route53_record.cert_validation_san.fqdn}" @@ -207,18 +207,18 @@ func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutp return fmt.Errorf("No id is set") } - if rs.Primary.Attributes["certificate_arn"] == "" { - return fmt.Errorf("No certificate_arn is set") + if rs.Primary.Attributes["arn"] == "" { + return fmt.Errorf("No arn is set") } - if rs.Primary.Attributes["certificate_arn"] != rs.Primary.ID { - return fmt.Errorf("No certificate_arn and ID are different: %s %s", rs.Primary.Attributes["certificate_arn"], rs.Primary.ID) + if rs.Primary.Attributes["arn"] != rs.Primary.ID { + return fmt.Errorf("No arn and ID are different: %s %s", rs.Primary.Attributes["arn"], rs.Primary.ID) } acmconn := testAccProvider.Meta().(*AWSClient).acmconn resp, err := acmconn.DescribeCertificate(&acm.DescribeCertificateInput{ - CertificateArn: aws.String(rs.Primary.Attributes["certificate_arn"]), + CertificateArn: aws.String(rs.Primary.Attributes["arn"]), }) if err != nil { @@ -226,7 +226,7 @@ func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutp } tagsResp, err := acmconn.ListTagsForCertificate(&acm.ListTagsForCertificateInput{ - CertificateArn: aws.String(rs.Primary.Attributes["certificate_arn"]), + CertificateArn: aws.String(rs.Primary.Attributes["arn"]), }) if err != nil { diff --git a/aws/tagsACM.go b/aws/tagsACM.go index 56434f82a3c4..5f8a88fa90f4 100644 --- a/aws/tagsACM.go +++ b/aws/tagsACM.go @@ -19,7 +19,7 @@ func setTagsACM(conn *acm.ACM, d *schema.ResourceData) error { // Set tags if len(remove) > 0 { input := acm.RemoveTagsFromCertificateInput{ - CertificateArn: aws.String(d.Get("certificate_arn").(string)), + CertificateArn: aws.String(d.Get("arn").(string)), Tags: remove, } log.Printf("[DEBUG] Removing ACM tags: %s", input) @@ -30,7 +30,7 @@ func setTagsACM(conn *acm.ACM, d *schema.ResourceData) error { } if len(create) > 0 { input := acm.AddTagsToCertificateInput{ - CertificateArn: aws.String(d.Get("certificate_arn").(string)), + CertificateArn: aws.String(d.Get("arn").(string)), Tags: create, } log.Printf("[DEBUG] Adding ACM tags: %s", input) diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index 4470f0f9c0a3..7b6f0dd81a27 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -45,7 +45,7 @@ resource "aws_route53_record" "cert_validation" { } resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + certificate_arn = "${aws_acm_certificate.cert.arn}" validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] } @@ -68,7 +68,7 @@ The following arguments are supported: The following attributes are exported: -* `certificate_arn` - The ARN of the certificate +* `arn` - The ARN of the certificate * `domain_validation_options` - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined Domain validation objects export the following attributes: diff --git a/website/docs/r/acm_certificate_validation.html.markdown b/website/docs/r/acm_certificate_validation.html.markdown index a378c870e7f1..4699ae9fefd8 100644 --- a/website/docs/r/acm_certificate_validation.html.markdown +++ b/website/docs/r/acm_certificate_validation.html.markdown @@ -40,7 +40,7 @@ resource "aws_route53_record" "cert_validation" { } resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.certificate_arn}" + certificate_arn = "${aws_acm_certificate.cert.arn}" validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] } From 77fd92d49eae1ade510afe466c9c9bc0f1150b30 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Thu, 1 Feb 2018 22:50:38 +0100 Subject: [PATCH 15/30] r/aws_acm_certificate: Remove error checks for setting string attributes --- aws/resource_aws_acm_certificate.go | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index d76806ccf3ab..5c80d6325b39 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -131,15 +131,10 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.NonRetryableError(fmt.Errorf("Certificate has type %s, only AMAZON_ISSUED is supported at the moment", *resp.Certificate.Type)) } - if err := d.Set("domain_name", resp.Certificate.DomainName); err != nil { - return resource.NonRetryableError(err) - } - if err := d.Set("arn", resp.Certificate.CertificateArn); err != nil { - return resource.NonRetryableError(err) - } - if err := d.Set("validation_method", resp.Certificate.DomainValidationOptions[0].ValidationMethod); err != nil { - return resource.NonRetryableError(err) - } + d.Set("domain_name", resp.Certificate.DomainName) + d.Set("arn", resp.Certificate.CertificateArn) + d.Set("validation_method", resp.Certificate.DomainValidationOptions[0].ValidationMethod) + if err := d.Set("subject_alternative_names", cleanUpSubjectAlternativeNames(resp.Certificate)); err != nil { return resource.NonRetryableError(err) } From ee046e8ee08cd38ec86655a02ceae1201c0f2a0b Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Thu, 1 Feb 2018 23:08:16 +0100 Subject: [PATCH 16/30] r/aws_acm_certificate: Remove uselesss describe-call in delete operation --- aws/resource_aws_acm_certificate.go | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 5c80d6325b39..f86ace24c663 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -209,21 +209,13 @@ func convertDomainValidationOptions(validations []*acm.DomainValidation) ([]map[ func resourceAwsAcmCertificateDelete(d *schema.ResourceData, meta interface{}) error { acmconn := meta.(*AWSClient).acmconn - if err := resourceAwsAcmCertificateRead(d, meta); err != nil { - return err - } - if d.Id() == "" { - // This might happen from the read - return nil - } - params := &acm.DeleteCertificateInput{ CertificateArn: aws.String(d.Id()), } _, err := acmconn.DeleteCertificate(params) - if err != nil { + if err != nil && !isAWSErr(err, acm.ErrCodeResourceNotFoundException, "") { return fmt.Errorf("Error deleting certificate: %s", err) } From 010da87f1ef7b843989935e36801ad4ead830bc0 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Fri, 2 Feb 2018 16:31:42 +0100 Subject: [PATCH 17/30] r/aws_acm_certificate: Randomize domains used in acceptance test to be more robust against parallel tests or interactions with broken previous tests --- aws/resource_aws_acm_certificate_test.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index 3be1297aa18c..eddf6c43448b 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -9,6 +9,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/acm" + "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" ) @@ -22,8 +23,11 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { } root_zone_domain := os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") - domain := fmt.Sprintf("certtest.%s", root_zone_domain) - sanDomain := fmt.Sprintf("certtest2.%s", root_zone_domain) + + rInt1 := acctest.RandInt() + + domain := fmt.Sprintf("tf-acc-%d.%s", rInt1, root_zone_domain) + sanDomain := fmt.Sprintf("tf-acc-%d-san.%s", rInt1, root_zone_domain) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, From 263d9b1b98fcb60271eb5ec1bfe3b60dbe5e3f5e Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Fri, 2 Feb 2018 16:58:47 +0100 Subject: [PATCH 18/30] r/aws_acm_certificate: Add resource attribute checks to tests to make expectations more explicit --- aws/resource_aws_acm_certificate_test.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index eddf6c43448b..5c69ba19189b 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -40,8 +40,17 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf, &tags), testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), + testAccCheckTagsACM(&tags.Tags, "Hello", "World"), testAccCheckTagsACM(&tags.Tags, "Foo", "Bar"), + + resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", regexp.MustCompile(`^arn:aws:acm:[^:]+:[^:]+:certificate/.+$`)), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "domain_name", domain), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.#", "1"), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.0", sanDomain), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.%", "2"), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Hello", "World"), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Foo", "Bar"), ), }, // Test that we can change the tags @@ -50,8 +59,13 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf, &tags), testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), + testAccCheckTagsACM(&tags.Tags, "Environment", "Test"), testAccCheckTagsACM(&tags.Tags, "Foo", "Baz"), + + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.%", "2"), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Environment", "Test"), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Foo", "Baz"), ), }, // Test that validation times out if certificate can't be validated From 2f6219be708979c018aad906a37b4cf7be1bec5a Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Fri, 2 Feb 2018 17:40:53 +0100 Subject: [PATCH 19/30] r/aws_acm_certificate and r/aws_acm_certificate_validation: Clean up documentation: removed duplicate examples, clean up formatting, add missing parameters and fix wording --- website/docs/r/acm_certificate.html.markdown | 26 ++----------------- .../acm_certificate_validation.html.markdown | 4 +-- 2 files changed, 4 insertions(+), 26 deletions(-) diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index 7b6f0dd81a27..43254741a40c 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -30,29 +30,6 @@ resource "aws_acm_certificate" "cert" { Environment = "test" } } - -data "aws_route53_zone" "zone" { - name = "example.com." - private_zone = false -} - -resource "aws_route53_record" "cert_validation" { - name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" - type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" - zone_id = "${data.aws_route53_zone.zone.id}" - records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] - ttl = 60 -} - -resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.arn}" - validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] -} - -resource "aws_lb_listener" "front_end" { - # [...] - certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}" -} ``` ## Argument Reference @@ -66,8 +43,9 @@ The following arguments are supported: ## Attributes Reference -The following attributes are exported: +The following additional attributes are exported: +* `id` - The ARN of the certificate * `arn` - The ARN of the certificate * `domain_validation_options` - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined diff --git a/website/docs/r/acm_certificate_validation.html.markdown b/website/docs/r/acm_certificate_validation.html.markdown index 4699ae9fefd8..a43b7ea4aebd 100644 --- a/website/docs/r/acm_certificate_validation.html.markdown +++ b/website/docs/r/acm_certificate_validation.html.markdown @@ -22,8 +22,8 @@ deploy the required validation records and wait for validation to complete. ```hcl resource "aws_acm_certificate" "cert" { - domain_name = "example.com" - validation_method = "DNS" + domain_name = "example.com" + validation_method = "DNS" } data "aws_route53_zone" "zone" { From 0a4b196943d367d35687066219f480357cd2910a Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Fri, 2 Feb 2018 17:43:48 +0100 Subject: [PATCH 20/30] r/aws_acm_certificate_validation: Remove attribute reference since it's a duplicate. No additional attributes are exported --- website/docs/r/acm_certificate_validation.html.markdown | 6 ------ 1 file changed, 6 deletions(-) diff --git a/website/docs/r/acm_certificate_validation.html.markdown b/website/docs/r/acm_certificate_validation.html.markdown index a43b7ea4aebd..27144d985067 100644 --- a/website/docs/r/acm_certificate_validation.html.markdown +++ b/website/docs/r/acm_certificate_validation.html.markdown @@ -57,9 +57,3 @@ The following arguments are supported: * `certificate_arn` - (Required) The ARN of the certificate that is being validated. * `validation_record_fqdns` - (Optional) List of FQDNs that implement the validation. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation * `timeout` - (Optional) How long to wait for a certificate to be issued. Defaults to `"45m"` but ACM usually validates certificates much faster. - -## Attributes Reference - -The following attributes are exported: - -* `certificate_arn` - The ARN of the certificate that was validated. The same as the input but once this resouce completes, consumers can assume the certificate was issued successfully From 026193a937da2a5cdb75d520dbc57a58be3ccf18 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Fri, 2 Feb 2018 18:17:56 +0100 Subject: [PATCH 21/30] r/aws_acm_certificate: Be more tolerant of certificates deleted outside of terraform --- aws/resource_aws_acm_certificate.go | 5 ++++- aws/resource_aws_acm_certificate_validation.go | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index f86ace24c663..9f69e7bada75 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -123,7 +123,10 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.Retry(time.Duration(1)*time.Minute, func() *resource.RetryError { resp, err := acmconn.DescribeCertificate(params) - if err != nil { + if err != nil && isAWSErr(err, acm.ErrCodeResourceNotFoundException, "") { + d.SetId("") + return nil + } else if err != nil { return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) } diff --git a/aws/resource_aws_acm_certificate_validation.go b/aws/resource_aws_acm_certificate_validation.go index 9c5a3fb00d52..9c37b50735f6 100644 --- a/aws/resource_aws_acm_certificate_validation.go +++ b/aws/resource_aws_acm_certificate_validation.go @@ -127,7 +127,10 @@ func resourceAwsAcmCertificateValidationRead(d *schema.ResourceData, meta interf resp, err := acmconn.DescribeCertificate(params) - if err != nil { + if err != nil && isAWSErr(err, acm.ErrCodeResourceNotFoundException, "") { + d.SetId("") + return nil + } else if err != nil { return fmt.Errorf("Error describing certificate: %s", err) } From b37bf16456bc361757781728df64fae9c0000c2a Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 21:20:14 +0100 Subject: [PATCH 22/30] r/aws_acm_certificate: Add support for EMAIL validation --- aws/resource_aws_acm_certificate.go | 48 ++++++++++++++------ aws/resource_aws_acm_certificate_test.go | 45 ++++++++++++++++++ website/docs/r/acm_certificate.html.markdown | 8 +++- 3 files changed, 84 insertions(+), 17 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 9f69e7bada75..dff88b78f432 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -37,12 +37,6 @@ func resourceAwsAcmCertificate() *schema.Resource { Type: schema.TypeString, Required: true, ForceNew: true, - ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { - if v.(string) != acm.ValidationMethodDns { - errors = append(errors, fmt.Errorf("only validation_method DNS is supported at the moment")) - } - return - }, }, "arn": { Type: schema.TypeString, @@ -72,6 +66,11 @@ func resourceAwsAcmCertificate() *schema.Resource { }, }, }, + "validation_emails": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, "tags": tagsSchema(), }, } @@ -81,7 +80,7 @@ func resourceAwsAcmCertificateCreate(d *schema.ResourceData, meta interface{}) e acmconn := meta.(*AWSClient).acmconn params := &acm.RequestCertificateInput{ DomainName: aws.String(d.Get("domain_name").(string)), - ValidationMethod: aws.String(acm.ValidationMethodDns), + ValidationMethod: aws.String(d.Get("validation_method").(string)), } sans, ok := d.GetOk("subject_alternative_names") @@ -136,13 +135,12 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err d.Set("domain_name", resp.Certificate.DomainName) d.Set("arn", resp.Certificate.CertificateArn) - d.Set("validation_method", resp.Certificate.DomainValidationOptions[0].ValidationMethod) if err := d.Set("subject_alternative_names", cleanUpSubjectAlternativeNames(resp.Certificate)); err != nil { return resource.NonRetryableError(err) } - domainValidationOptions, err := convertDomainValidationOptions(resp.Certificate.DomainValidationOptions) + domainValidationOptions, emailValidationOptions, err := convertValidationOptions(resp.Certificate.DomainValidationOptions) if err != nil { return resource.RetryableError(err) @@ -151,6 +149,10 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err if err := d.Set("domain_validation_options", domainValidationOptions); err != nil { return resource.NonRetryableError(err) } + if err := d.Set("validation_emails", emailValidationOptions); err != nil { + return resource.NonRetryableError(err) + } + d.Set("validation_method", resourceAwsAcmCertificateGuessValidationMethod(domainValidationOptions, emailValidationOptions)) params := &acm.ListTagsForCertificateInput{ CertificateArn: aws.String(d.Id()), @@ -164,6 +166,17 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return nil }) } +func resourceAwsAcmCertificateGuessValidationMethod(domainValidationOptions []map[string]interface{}, emailValidationOptions []string) string { + // The DescribeCertificate Response doesn't have information on what validation method was used + // so we need to guess from the validation options we see... + if len(domainValidationOptions) > 0 { + return acm.ValidationMethodDns + } else if len(emailValidationOptions) > 0 { + return acm.ValidationMethodEmail + } else { + return "NONE" + } +} func resourceAwsAcmCertificateUpdate(d *schema.ResourceData, meta interface{}) error { if d.HasChange("tags") { @@ -188,8 +201,9 @@ func cleanUpSubjectAlternativeNames(cert *acm.CertificateDetail) []string { } -func convertDomainValidationOptions(validations []*acm.DomainValidation) ([]map[string]interface{}, error) { - var result []map[string]interface{} +func convertValidationOptions(validations []*acm.DomainValidation) ([]map[string]interface{}, []string, error) { + var domainValidationResult []map[string]interface{} + var emailValidationResult []string for _, o := range validations { if o.ResourceRecord != nil { @@ -199,14 +213,18 @@ func convertDomainValidationOptions(validations []*acm.DomainValidation) ([]map[ "resource_record_type": *o.ResourceRecord.Type, "resource_record_value": *o.ResourceRecord.Value, } - result = append(result, validationOption) + domainValidationResult = append(domainValidationResult, validationOption) + } else if o.ValidationEmails != nil && len(o.ValidationEmails) > 0 { + for _, validationEmail := range o.ValidationEmails { + emailValidationResult = append(emailValidationResult, *validationEmail) + } } else { - log.Printf("[DEBUG] No resource record found in validation options, need to retry: %#v", o) - return nil, fmt.Errorf("No resource record found in DNS DomainValidationOptions: %v", o) + log.Printf("[DEBUG] No validation options need to retry: %#v", o) + return nil, nil, fmt.Errorf("No validation options need to retry: %#v", o) } } - return result, nil + return domainValidationResult, emailValidationResult, nil } func resourceAwsAcmCertificateDelete(d *schema.ResourceData, meta interface{}) error { diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index 5c69ba19189b..c1e7336b3053 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -14,6 +14,41 @@ import ( "github.com/hashicorp/terraform/terraform" ) +func TestAccAwsAcmResource_emailValidation(t *testing.T) { + if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { + t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") + } + + root_zone_domain := os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") + + rInt1 := acctest.RandInt() + + domain := fmt.Sprintf("tf-acc-%d.%s", rInt1, root_zone_domain) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAcmCertificateDestroy, + Steps: []resource.TestStep{ + // Test that we can request a certificate + resource.TestStep{ + Config: testAccAcmCertificateConfigWithEMailValidation(domain), + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", regexp.MustCompile(`^arn:aws:acm:[^:]+:[^:]+:certificate/.+$`)), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "domain_name", domain), + resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.#", "0"), + resource.TestMatchResourceAttr("aws_acm_certificate.cert", "validation_emails.0", regexp.MustCompile(`^[^@]+@.+$`)), + ), + }, + resource.TestStep{ + ResourceName: "aws_acm_certificate.cert", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) + +} func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { var conf acm.DescribeCertificateOutput var tags acm.ListTagsForCertificateOutput @@ -96,6 +131,16 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { }) } +func testAccAcmCertificateConfigWithEMailValidation(domain string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "cert" { + domain_name = "%s" + validation_method = "EMAIL" +} +`, domain) + +} + func testAccAcmCertificateConfig(domain string, sanDomain string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index 43254741a40c..eb81fa51086b 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -20,6 +20,9 @@ Most commonly, this resource is used to together with [`aws_route53_record`](rou [`aws_acm_certificate_validation`](acm_certificate_validation.html) to request a DNS validated certificate, deploy the required validation records and wait for validation to complete. +Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside +of Terraform. + ## Example Usage ```hcl @@ -38,7 +41,7 @@ The following arguments are supported: * `domain_name` - (Required) A domain name for which the certificate should be issued * `subject_alternative_names` - (Optional) A list of domains that should be SANs in the issued certificate -* `validation_method` - (Required) Which method to use for validation (only `DNS` is supported at the moment) +* `validation_method` - (Required) Which method to use for validation (`DNS` or `EMAIL`) * `tags` - (Optional) A mapping of tags to assign to the resource. ## Attributes Reference @@ -47,7 +50,8 @@ The following additional attributes are exported: * `id` - The ARN of the certificate * `arn` - The ARN of the certificate -* `domain_validation_options` - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined +* `domain_validation_options` - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if `DNS`-validation was used. +* `validation_emails` - A list of addresses that received a validation E-Mail. Only set if `EMAIL`-validation was used. Domain validation objects export the following attributes: From 88a85953883d2dede98c0e75e31327ca4042815e Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 21:28:19 +0100 Subject: [PATCH 23/30] r/aws_acm_certificate: Refactor if-statement for readability --- aws/resource_aws_acm_certificate.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index dff88b78f432..957d580f0858 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -122,10 +122,11 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.Retry(time.Duration(1)*time.Minute, func() *resource.RetryError { resp, err := acmconn.DescribeCertificate(params) - if err != nil && isAWSErr(err, acm.ErrCodeResourceNotFoundException, "") { - d.SetId("") - return nil - } else if err != nil { + if err != nil { + if isAWSErr(err, acm.ErrCodeResourceNotFoundException, "") { + d.SetId("") + return nil + } return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) } From 533badcb95eaed9789e3b33d1c8aa7fbfdd1ba30 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 21:38:45 +0100 Subject: [PATCH 24/30] r/aws_acm_certificate: Simplify tests, rely on resource state instead of custom checks --- aws/resource_aws_acm_certificate_test.go | 110 ++--------------------- 1 file changed, 5 insertions(+), 105 deletions(-) diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index c1e7336b3053..bc4447e96739 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -14,6 +14,8 @@ import ( "github.com/hashicorp/terraform/terraform" ) +var certificateArnRegex = regexp.MustCompile(`^arn:aws:acm:[^:]+:[^:]+:certificate/.+$`) + func TestAccAwsAcmResource_emailValidation(t *testing.T) { if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") @@ -34,7 +36,7 @@ func TestAccAwsAcmResource_emailValidation(t *testing.T) { resource.TestStep{ Config: testAccAcmCertificateConfigWithEMailValidation(domain), Check: resource.ComposeTestCheckFunc( - resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", regexp.MustCompile(`^arn:aws:acm:[^:]+:[^:]+:certificate/.+$`)), + resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", certificateArnRegex), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "domain_name", domain), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.#", "0"), resource.TestMatchResourceAttr("aws_acm_certificate.cert", "validation_emails.0", regexp.MustCompile(`^[^@]+@.+$`)), @@ -50,9 +52,6 @@ func TestAccAwsAcmResource_emailValidation(t *testing.T) { } func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { - var conf acm.DescribeCertificateOutput - var tags acm.ListTagsForCertificateOutput - var confAfterValidation acm.DescribeCertificateOutput if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") } @@ -73,13 +72,7 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { resource.TestStep{ Config: testAccAcmCertificateConfig(domain, sanDomain), Check: resource.ComposeTestCheckFunc( - testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf, &tags), - testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), - - testAccCheckTagsACM(&tags.Tags, "Hello", "World"), - testAccCheckTagsACM(&tags.Tags, "Foo", "Bar"), - - resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", regexp.MustCompile(`^arn:aws:acm:[^:]+:[^:]+:certificate/.+$`)), + resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", certificateArnRegex), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "domain_name", domain), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.#", "1"), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.0", sanDomain), @@ -92,12 +85,6 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { resource.TestStep{ Config: testAccAcmCertificateConfigWithChangedTags(domain, sanDomain), Check: resource.ComposeTestCheckFunc( - testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &conf, &tags), - testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &conf, domain, sanDomain, "PENDING_VALIDATION"), - - testAccCheckTagsACM(&tags.Tags, "Environment", "Test"), - testAccCheckTagsACM(&tags.Tags, "Foo", "Baz"), - resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.%", "2"), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Environment", "Test"), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Foo", "Baz"), @@ -117,9 +104,7 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { resource.TestStep{ Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain, sanDomain), Check: resource.ComposeTestCheckFunc( - testAccCheckAcmCertificateExists("aws_acm_certificate.cert", &confAfterValidation, &tags), - testAccCheckAcmCertificateAttributes("aws_acm_certificate.cert", &confAfterValidation, domain, sanDomain, "ISSUED"), - testAccCheckAcmCertificateValidationAttributes("aws_acm_certificate_validation.cert", &confAfterValidation), + resource.TestMatchResourceAttr("aws_acm_certificate_validation.cert", "certificate_arn", certificateArnRegex), ), }, resource.TestStep{ @@ -259,91 +244,6 @@ resource "aws_acm_certificate_validation" "cert" { `, domain, sanDomain, rootZoneDomain) } -func testAccCheckAcmCertificateExists(n string, res *acm.DescribeCertificateOutput, tags *acm.ListTagsForCertificateOutput) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[n] - if !ok { - return fmt.Errorf("Not found: %s", n) - } - - if rs.Primary.ID == "" { - return fmt.Errorf("No id is set") - } - - if rs.Primary.Attributes["arn"] == "" { - return fmt.Errorf("No arn is set") - } - - if rs.Primary.Attributes["arn"] != rs.Primary.ID { - return fmt.Errorf("No arn and ID are different: %s %s", rs.Primary.Attributes["arn"], rs.Primary.ID) - } - - acmconn := testAccProvider.Meta().(*AWSClient).acmconn - - resp, err := acmconn.DescribeCertificate(&acm.DescribeCertificateInput{ - CertificateArn: aws.String(rs.Primary.Attributes["arn"]), - }) - - if err != nil { - return err - } - - tagsResp, err := acmconn.ListTagsForCertificate(&acm.ListTagsForCertificateInput{ - CertificateArn: aws.String(rs.Primary.Attributes["arn"]), - }) - - if err != nil { - return err - } - - *res = *resp - *tags = *tagsResp - - return nil - } -} - -func testAccCheckAcmCertificateAttributes(n string, cert *acm.DescribeCertificateOutput, domain string, sanDomain string, status string) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[n] - if !ok { - return fmt.Errorf("Not found: %s", n) - } - attrs := rs.Primary.Attributes - - if *cert.Certificate.DomainName != domain { - return fmt.Errorf("Domain name is %s but expected %s", *cert.Certificate.DomainName, domain) - } - if *cert.Certificate.SubjectAlternativeNames[1] != sanDomain { - return fmt.Errorf("SAN Domain name is %s but expected %s", *cert.Certificate.SubjectAlternativeNames[1], sanDomain) - } - if *cert.Certificate.Status != status { - return fmt.Errorf("Status is %s but expected %s", *cert.Certificate.Status, status) - } - if attrs["domain_name"] != domain { - return fmt.Errorf("Domain name in state is %s but expected %s", attrs["domain_name"], domain) - } - - return nil - } -} - -func testAccCheckAcmCertificateValidationAttributes(n string, cert *acm.DescribeCertificateOutput) resource.TestCheckFunc { - return func(s *terraform.State) error { - rs, ok := s.RootModule().Resources[n] - if !ok { - return fmt.Errorf("Not found: %s.", n) - } - attrs := rs.Primary.Attributes - - if attrs["certificate_arn"] != *cert.Certificate.CertificateArn { - return fmt.Errorf("Certificate ARN in state is %s but expected %s", attrs["arn"], *cert.Certificate.CertificateArn) - } - - return nil - } -} - func testAccCheckAcmCertificateDestroy(s *terraform.State) error { acmconn := testAccProvider.Meta().(*AWSClient).acmconn From d80b669fedce5e9cc45900b0d43cda740c74d35c Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 21:42:42 +0100 Subject: [PATCH 25/30] r/aws_acm_certificate: Remove unused function --- aws/tagsACM_test.go | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/aws/tagsACM_test.go b/aws/tagsACM_test.go index c2764acfd226..14213437d76d 100644 --- a/aws/tagsACM_test.go +++ b/aws/tagsACM_test.go @@ -1,14 +1,11 @@ package aws import ( - "fmt" "reflect" "testing" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/acm" - "github.com/hashicorp/terraform/helper/resource" - "github.com/hashicorp/terraform/terraform" ) func TestDiffTagsACM(t *testing.T) { @@ -78,26 +75,3 @@ func TestIgnoringTagsACM(t *testing.T) { } } } - -// testAccCheckTags can be used to check the tags on a resource. -func testAccCheckTagsACM( - ts *[]*acm.Tag, key string, value string) resource.TestCheckFunc { - return func(s *terraform.State) error { - m := tagsToMapACM(*ts) - v, ok := m[key] - if value != "" && !ok { - return fmt.Errorf("Missing tag: %s", key) - } else if value == "" && ok { - return fmt.Errorf("Extra tag: %s", key) - } - if value == "" { - return nil - } - - if v != value { - return fmt.Errorf("%s: bad value: %s", key, v) - } - - return nil - } -} From d4c01e187590e45ca2ba1df694bc19f59bbc8d8c Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 22:11:40 +0100 Subject: [PATCH 26/30] r/aws_acm_certificate: Simplify tests, parameterize instead of duplicate --- aws/resource_aws_acm_certificate_test.go | 33 +++++++++--------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index bc4447e96739..4d7cd7e4f88e 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -70,7 +70,10 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { Steps: []resource.TestStep{ // Test that we can request a certificate resource.TestStep{ - Config: testAccAcmCertificateConfig(domain, sanDomain), + Config: testAccAcmCertificateConfig( + domain, sanDomain, + "Hello", "World", + "Foo", "Bar"), Check: resource.ComposeTestCheckFunc( resource.TestMatchResourceAttr("aws_acm_certificate.cert", "arn", certificateArnRegex), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "domain_name", domain), @@ -83,7 +86,10 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { }, // Test that we can change the tags resource.TestStep{ - Config: testAccAcmCertificateConfigWithChangedTags(domain, sanDomain), + Config: testAccAcmCertificateConfig( + domain, sanDomain, + "Environment", "Test", + "Foo", "Baz"), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.%", "2"), resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Environment", "Test"), @@ -126,7 +132,7 @@ resource "aws_acm_certificate" "cert" { } -func testAccAcmCertificateConfig(domain string, sanDomain string) string { +func testAccAcmCertificateConfig(domain string, sanDomain string, tag1Key, tag1Value, tag2Key, tag2Value string) string { return fmt.Sprintf(` resource "aws_acm_certificate" "cert" { domain_name = "%s" @@ -134,26 +140,11 @@ resource "aws_acm_certificate" "cert" { subject_alternative_names = ["%s"] tags { - "Hello" = "World" - "Foo" = "Bar" + "%s" = "%s" + "%s" = "%s" } } -`, domain, sanDomain) -} - -func testAccAcmCertificateConfigWithChangedTags(domain string, sanDomain string) string { - return fmt.Sprintf(` -resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] - - tags { - "Environment" = "Test" - "Foo" = "Baz" - } -} -`, domain, sanDomain) +`, domain, sanDomain, tag1Key, tag1Value, tag2Key, tag2Value) } func testAccAcmCertificateWithValidationConfig(domain string, sanDomain string) string { From ff443c1ff0af3f31e76d81d23d4a091c28f92cc0 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 22:30:57 +0100 Subject: [PATCH 27/30] r/aws_acm_certificate and r/aws_acm_certificate_validation: Split test for the whole validation flow into per-resource tests --- aws/resource_aws_acm_certificate_test.go | 108 +-------------- ...rce_aws_acm_certificate_validation_test.go | 124 ++++++++++++++++++ 2 files changed, 126 insertions(+), 106 deletions(-) create mode 100644 aws/resource_aws_acm_certificate_validation_test.go diff --git a/aws/resource_aws_acm_certificate_test.go b/aws/resource_aws_acm_certificate_test.go index 4d7cd7e4f88e..d0b6fb561c74 100644 --- a/aws/resource_aws_acm_certificate_test.go +++ b/aws/resource_aws_acm_certificate_test.go @@ -51,7 +51,8 @@ func TestAccAwsAcmResource_emailValidation(t *testing.T) { }) } -func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { + +func TestAccAwsAcmResource_dnsValidationAndTagging(t *testing.T) { if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") } @@ -96,23 +97,6 @@ func TestAccAwsAcmResource_certificateIssuingFlow(t *testing.T) { resource.TestCheckResourceAttr("aws_acm_certificate.cert", "tags.Foo", "Baz"), ), }, - // Test that validation times out if certificate can't be validated - resource.TestStep{ - Config: testAccAcmCertificateWithValidationConfig(domain, sanDomain), - ExpectError: regexp.MustCompile("Expected certificate to be issued but was in state PENDING_VALIDATION"), - }, - // Test that validation fails if given validation_fqdns don't match - resource.TestStep{ - Config: testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain, sanDomain), - ExpectError: regexp.MustCompile("Certificate needs .* to be set but only .* was passed to validation_record_fqdns"), - }, - // Test that validation succeeds once we provide the right DNS validation records - resource.TestStep{ - Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain, sanDomain), - Check: resource.ComposeTestCheckFunc( - resource.TestMatchResourceAttr("aws_acm_certificate_validation.cert", "certificate_arn", certificateArnRegex), - ), - }, resource.TestStep{ ResourceName: "aws_acm_certificate.cert", ImportState: true, @@ -147,94 +131,6 @@ resource "aws_acm_certificate" "cert" { `, domain, sanDomain, tag1Key, tag1Value, tag2Key, tag2Value) } -func testAccAcmCertificateWithValidationConfig(domain string, sanDomain string) string { - return fmt.Sprintf(` -resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] - - tags { - "Environment" = "Test" - "Foo" = "Baz" - } -} - - -resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.arn}" - timeout = "20s" -} -`, domain, sanDomain) -} - -func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string, sanDomain string) string { - return fmt.Sprintf(` -resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] - - tags { - "Environment" = "Test" - "Foo" = "Baz" - } -} - - -resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.arn}" - validation_record_fqdns = ["some-wrong-fqdn.example.com"] - timeout = "20s" -} -`, domain, sanDomain) -} - -func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string, sanDomain string) string { - return fmt.Sprintf(` -resource "aws_acm_certificate" "cert" { - domain_name = "%s" - validation_method = "DNS" - subject_alternative_names = ["%s"] - - tags { - "Environment" = "Test" - "Foo" = "Baz" - } -} - - -data "aws_route53_zone" "zone" { - name = "%s." - private_zone = false -} - -resource "aws_route53_record" "cert_validation" { - name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" - type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" - zone_id = "${data.aws_route53_zone.zone.id}" - records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] - ttl = 60 -} - -resource "aws_route53_record" "cert_validation_san" { - name = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_name}" - type = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_type}" - zone_id = "${data.aws_route53_zone.zone.id}" - records = ["${aws_acm_certificate.cert.domain_validation_options.1.resource_record_value}"] - ttl = 60 -} - -resource "aws_acm_certificate_validation" "cert" { - certificate_arn = "${aws_acm_certificate.cert.arn}" - validation_record_fqdns = [ - "${aws_route53_record.cert_validation.fqdn}", - "${aws_route53_record.cert_validation_san.fqdn}" - ] -} -`, domain, sanDomain, rootZoneDomain) -} - func testAccCheckAcmCertificateDestroy(s *terraform.State) error { acmconn := testAccProvider.Meta().(*AWSClient).acmconn diff --git a/aws/resource_aws_acm_certificate_validation_test.go b/aws/resource_aws_acm_certificate_validation_test.go new file mode 100644 index 000000000000..47750efaca11 --- /dev/null +++ b/aws/resource_aws_acm_certificate_validation_test.go @@ -0,0 +1,124 @@ +package aws + +import ( + "fmt" + "testing" + + "os" + "regexp" + + "github.com/hashicorp/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/resource" +) + +func TestAccAwsAcmResource_certificateIssuingAndValidationFlow(t *testing.T) { + if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { + t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") + } + + root_zone_domain := os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") + + rInt1 := acctest.RandInt() + + domain := fmt.Sprintf("tf-acc-%d.%s", rInt1, root_zone_domain) + sanDomain := fmt.Sprintf("tf-acc-%d-san.%s", rInt1, root_zone_domain) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAcmCertificateDestroy, + Steps: []resource.TestStep{ + // Test that validation times out if certificate can't be validated + resource.TestStep{ + Config: testAccAcmCertificateWithValidationConfig(domain, sanDomain), + ExpectError: regexp.MustCompile("Expected certificate to be issued but was in state PENDING_VALIDATION"), + }, + // Test that validation fails if given validation_fqdns don't match + resource.TestStep{ + Config: testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain, sanDomain), + ExpectError: regexp.MustCompile("Certificate needs .* to be set but only .* was passed to validation_record_fqdns"), + }, + // Test that validation succeeds once we provide the right DNS validation records + resource.TestStep{ + Config: testAccAcmCertificateWithValidationAndRecordsConfig(root_zone_domain, domain, sanDomain), + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr("aws_acm_certificate_validation.cert", "certificate_arn", certificateArnRegex), + ), + }, + // Test that we can import a validated certificate + resource.TestStep{ + ResourceName: "aws_acm_certificate.cert", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccAcmCertificateWithValidationConfig(domain string, sanDomain string) string { + return fmt.Sprintf(` +%s + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.arn}" + timeout = "20s" +} +`, testAccAcmCertificateConfig( + domain, sanDomain, + "Environment", "Test", + "Foo", "Baz")) +} + +func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string, sanDomain string) string { + return fmt.Sprintf(` +%s + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.arn}" + validation_record_fqdns = ["some-wrong-fqdn.example.com"] + timeout = "20s" +} +`, testAccAcmCertificateConfig( + domain, sanDomain, + "Environment", "Test", + "Foo", "Baz")) +} + +func testAccAcmCertificateWithValidationAndRecordsConfig(rootZoneDomain string, domain string, sanDomain string) string { + return fmt.Sprintf(` +%s + +data "aws_route53_zone" "zone" { + name = "%s." + private_zone = false +} + +resource "aws_route53_record" "cert_validation" { + name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" + type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" + zone_id = "${data.aws_route53_zone.zone.id}" + records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] + ttl = 60 +} + +resource "aws_route53_record" "cert_validation_san" { + name = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_name}" + type = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_type}" + zone_id = "${data.aws_route53_zone.zone.id}" + records = ["${aws_acm_certificate.cert.domain_validation_options.1.resource_record_value}"] + ttl = 60 +} + +resource "aws_acm_certificate_validation" "cert" { + certificate_arn = "${aws_acm_certificate.cert.arn}" + validation_record_fqdns = [ + "${aws_route53_record.cert_validation.fqdn}", + "${aws_route53_record.cert_validation_san.fqdn}" + ] +} +`, testAccAcmCertificateConfig( + domain, sanDomain, + "Environment", "Test", + "Foo", "Baz"), + rootZoneDomain) +} From e42421ac9cb6ddf792b1ae821a2791cd98bc5744 Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 22:46:20 +0100 Subject: [PATCH 28/30] r/aws_acm_certificate_validation: Use built-in timeout functionality instead of special attribute --- aws/resource_aws_acm_certificate_validation.go | 16 ++++------------ ...source_aws_acm_certificate_validation_test.go | 8 ++++++-- .../r/acm_certificate_validation.html.markdown | 8 +++++++- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/aws/resource_aws_acm_certificate_validation.go b/aws/resource_aws_acm_certificate_validation.go index 9c37b50735f6..f71367d61359 100644 --- a/aws/resource_aws_acm_certificate_validation.go +++ b/aws/resource_aws_acm_certificate_validation.go @@ -33,22 +33,14 @@ func resourceAwsAcmCertificateValidation() *schema.Resource { Elem: &schema.Schema{Type: schema.TypeString}, Set: schema.HashString, }, - "timeout": { - Type: schema.TypeString, - Optional: true, - ForceNew: true, - Default: "45m", - }, + }, + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(45 * time.Minute), }, } } func resourceAwsAcmCertificateValidationCreate(d *schema.ResourceData, meta interface{}) error { - timeout, err := time.ParseDuration(d.Get("timeout").(string)) - if err != nil { - return err - } - certificate_arn := d.Get("certificate_arn").(string) acmconn := meta.(*AWSClient).acmconn @@ -75,7 +67,7 @@ func resourceAwsAcmCertificateValidationCreate(d *schema.ResourceData, meta inte log.Printf("[INFO] No validation_record_fqdns set, skipping check") } - return resource.Retry(timeout, func() *resource.RetryError { + return resource.Retry(d.Timeout(schema.TimeoutCreate), func() *resource.RetryError { resp, err := acmconn.DescribeCertificate(params) if err != nil { diff --git a/aws/resource_aws_acm_certificate_validation_test.go b/aws/resource_aws_acm_certificate_validation_test.go index 47750efaca11..2a2f17113a7d 100644 --- a/aws/resource_aws_acm_certificate_validation_test.go +++ b/aws/resource_aws_acm_certificate_validation_test.go @@ -61,7 +61,9 @@ func testAccAcmCertificateWithValidationConfig(domain string, sanDomain string) resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.arn}" - timeout = "20s" + timeouts { + create = "20s" + } } `, testAccAcmCertificateConfig( domain, sanDomain, @@ -76,7 +78,9 @@ func testAccAcmCertificateWithValidationConfigAndWrongFQDN(domain string, sanDom resource "aws_acm_certificate_validation" "cert" { certificate_arn = "${aws_acm_certificate.cert.arn}" validation_record_fqdns = ["some-wrong-fqdn.example.com"] - timeout = "20s" + timeouts { + create = "20s" + } } `, testAccAcmCertificateConfig( domain, sanDomain, diff --git a/website/docs/r/acm_certificate_validation.html.markdown b/website/docs/r/acm_certificate_validation.html.markdown index 27144d985067..a729f62782d2 100644 --- a/website/docs/r/acm_certificate_validation.html.markdown +++ b/website/docs/r/acm_certificate_validation.html.markdown @@ -56,4 +56,10 @@ The following arguments are supported: * `certificate_arn` - (Required) The ARN of the certificate that is being validated. * `validation_record_fqdns` - (Optional) List of FQDNs that implement the validation. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation -* `timeout` - (Optional) How long to wait for a certificate to be issued. Defaults to `"45m"` but ACM usually validates certificates much faster. + +## Timeouts + +`acm_certificate_validation` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) +configuration options: + +- `create` - (Default `45m`) How long to wait for a certificate to be issued. From 75d784c0327d4624957c32f4184fad9730547e4f Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 23:03:09 +0100 Subject: [PATCH 29/30] r/aws_acm_certificate: Allow importing of certificates that aren't AMAZON_ISSUED --- aws/resource_aws_acm_certificate.go | 40 ++++++++++---------- website/docs/r/acm_certificate.html.markdown | 4 +- 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/aws/resource_aws_acm_certificate.go b/aws/resource_aws_acm_certificate.go index 957d580f0858..4b2c06b36240 100644 --- a/aws/resource_aws_acm_certificate.go +++ b/aws/resource_aws_acm_certificate.go @@ -130,10 +130,6 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.NonRetryableError(fmt.Errorf("Error describing certificate: %s", err)) } - if *resp.Certificate.Type != acm.CertificateTypeAmazonIssued { - return resource.NonRetryableError(fmt.Errorf("Certificate has type %s, only AMAZON_ISSUED is supported at the moment", *resp.Certificate.Type)) - } - d.Set("domain_name", resp.Certificate.DomainName) d.Set("arn", resp.Certificate.CertificateArn) @@ -141,7 +137,7 @@ func resourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) err return resource.NonRetryableError(err) } - domainValidationOptions, emailValidationOptions, err := convertValidationOptions(resp.Certificate.DomainValidationOptions) + domainValidationOptions, emailValidationOptions, err := convertValidationOptions(resp.Certificate) if err != nil { return resource.RetryableError(err) @@ -202,26 +198,28 @@ func cleanUpSubjectAlternativeNames(cert *acm.CertificateDetail) []string { } -func convertValidationOptions(validations []*acm.DomainValidation) ([]map[string]interface{}, []string, error) { +func convertValidationOptions(certificate *acm.CertificateDetail) ([]map[string]interface{}, []string, error) { var domainValidationResult []map[string]interface{} var emailValidationResult []string - for _, o := range validations { - if o.ResourceRecord != nil { - validationOption := map[string]interface{}{ - "domain_name": *o.DomainName, - "resource_record_name": *o.ResourceRecord.Name, - "resource_record_type": *o.ResourceRecord.Type, - "resource_record_value": *o.ResourceRecord.Value, - } - domainValidationResult = append(domainValidationResult, validationOption) - } else if o.ValidationEmails != nil && len(o.ValidationEmails) > 0 { - for _, validationEmail := range o.ValidationEmails { - emailValidationResult = append(emailValidationResult, *validationEmail) + if *certificate.Type == acm.CertificateTypeAmazonIssued { + for _, o := range certificate.DomainValidationOptions { + if o.ResourceRecord != nil { + validationOption := map[string]interface{}{ + "domain_name": *o.DomainName, + "resource_record_name": *o.ResourceRecord.Name, + "resource_record_type": *o.ResourceRecord.Type, + "resource_record_value": *o.ResourceRecord.Value, + } + domainValidationResult = append(domainValidationResult, validationOption) + } else if o.ValidationEmails != nil && len(o.ValidationEmails) > 0 { + for _, validationEmail := range o.ValidationEmails { + emailValidationResult = append(emailValidationResult, *validationEmail) + } + } else { + log.Printf("[DEBUG] No validation options need to retry: %#v", o) + return nil, nil, fmt.Errorf("No validation options need to retry: %#v", o) } - } else { - log.Printf("[DEBUG] No validation options need to retry: %#v", o) - return nil, nil, fmt.Errorf("No validation options need to retry: %#v", o) } } diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index eb81fa51086b..32b66bc1e1d6 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -41,7 +41,7 @@ The following arguments are supported: * `domain_name` - (Required) A domain name for which the certificate should be issued * `subject_alternative_names` - (Optional) A list of domains that should be SANs in the issued certificate -* `validation_method` - (Required) Which method to use for validation (`DNS` or `EMAIL`) +* `validation_method` - (Required) Which method to use for validation. `DNS` or `EMAIL` are valid, `NONE` can be used for certificates that were imported into ACM and then into Terraform. * `tags` - (Optional) A mapping of tags to assign to the resource. ## Attributes Reference @@ -65,5 +65,5 @@ Domain validation objects export the following attributes: Certificates can be imported using their ARN, e.g. ``` -$ terraform import aws_acm_certificate.cert aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a +$ terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a ``` From b2c070cdfd8a5a8892567072b7c12a363263ce6a Mon Sep 17 00:00:00 2001 From: Florian Sellmayr Date: Tue, 6 Feb 2018 23:15:23 +0100 Subject: [PATCH 30/30] r/aws_acm_certificate: Add warning about importing imported certificates to docs --- website/docs/r/acm_certificate.html.markdown | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/docs/r/acm_certificate.html.markdown b/website/docs/r/acm_certificate.html.markdown index 32b66bc1e1d6..4236a860f074 100644 --- a/website/docs/r/acm_certificate.html.markdown +++ b/website/docs/r/acm_certificate.html.markdown @@ -67,3 +67,5 @@ Certificates can be imported using their ARN, e.g. ``` $ terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a ``` + +~> **WARNING:** Importing certificates that are not `AMAZON_ISSUED` is supported but may lead to fragile terraform projects: Once such a resource is destroyed, it can't be recreated.