-
Notifications
You must be signed in to change notification settings - Fork 647
/
data_source_ibm_sm_private_certificate_configuration_template.go
434 lines (391 loc) · 19.7 KB
/
data_source_ibm_sm_private_certificate_configuration_template.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
// Copyright IBM Corp. 2023 All Rights Reserved.
// Licensed under the Mozilla Public License v2.0
package secretsmanager
import (
"context"
"fmt"
"log"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns"
"github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex"
"github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
)
func DataSourceIbmSmPrivateCertificateConfigurationTemplate() *schema.Resource {
return &schema.Resource{
ReadContext: dataSourceIbmSmPrivateCertificateConfigurationTemplateRead,
Schema: map[string]*schema.Schema{
"name": &schema.Schema{
Type: schema.TypeString,
Required: true,
Description: "The name of the configuration.",
},
"config_type": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "Th configuration type.",
},
"secret_type": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.",
},
"created_by": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The unique identifier that is associated with the entity that created the secret.",
},
"created_at": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The date when a resource was created. The date format follows RFC 3339.",
},
"updated_at": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The date when a resource was recently modified. The date format follows RFC 3339.",
},
"certificate_authority": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The name of the intermediate certificate authority.",
},
"allowed_secret_groups": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "Scopes the creation of private certificates to only the secret groups that you specify.This field can be supplied as a comma-delimited list of secret group IDs.",
},
"max_ttl_seconds": &schema.Schema{
Type: schema.TypeInt,
Computed: true,
Description: "The maximum time-to-live (TTL) for certificates that are created by this CA in seconds.",
},
"ttl_seconds": &schema.Schema{
Type: schema.TypeInt,
Computed: true,
Description: "The requested Time To Live, after which the certificate will be expired.",
},
"allow_localhost": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow `localhost` to be included as one of the requested common names.",
},
"allowed_domains": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The domains to define for the certificate template. This property is used along with the `allow_bare_domains` and `allow_subdomains` options.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"allowed_domains_template": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow the domains that are supplied in the `allowed_domains` field to contain access control list (ACL) templates.",
},
"allow_bare_domains": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow clients to request private certificates that match the value of the actual domains on the final certificate.For example, if you specify `example.com` in the `allowed_domains` field, you grant clients the ability to request a certificate that contains the name `example.com` as one of the DNS values on the final certificate.**Important:** In some scenarios, allowing bare domains can be considered a security risk.",
},
"allow_subdomains": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow clients to request private certificates with common names (CN) that are subdomains of the CNs that are allowed by the other certificate template options. This includes wildcard subdomains.For example, if `allowed_domains` has a value of `example.com` and `allow_subdomains`is set to `true`, then the following subdomains are allowed: `foo.example.com`, `bar.example.com`, `*.example.com`.**Note:** This field is redundant if you use the `allow_any_name` option.",
},
"allow_glob_domains": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow glob patterns, for example, `ftp*.example.com`, in the names that are specified in the `allowed_domains` field.If set to `true`, clients are allowed to request private certificates with names that match the glob patterns.",
},
"allow_any_name": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow clients to request a private certificate that matches any common name.",
},
"enforce_hostnames": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to enforce only valid host names for common names, DNS Subject Alternative Names, and the host section of email addresses.",
},
"allow_ip_sans": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to allow clients to request a private certificate with IP Subject Alternative Names.",
},
"allowed_uri_sans": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The URI Subject Alternative Names to allow for private certificates.Values can contain glob patterns, for example `spiffe://hostname/_*`.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"allowed_other_sans": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to allow for private certificates.The format for each element in the list is the same as OpenSSL: `<oid>:<type>:<value>` where the current valid type is `UTF8`. To allow any value for an OID, use `*` as its value. Alternatively, specify a single `*` to allow any `other_sans` input.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"server_flag": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether private certificates are flagged for server use.",
},
"client_flag": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether private certificates are flagged for client use.",
},
"code_signing_flag": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether private certificates are flagged for code signing use.",
},
"email_protection_flag": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether private certificates are flagged for email protection use.",
},
"key_type": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The type of private key to generate.",
},
"key_bits": &schema.Schema{
Type: schema.TypeInt,
Computed: true,
Description: "The number of bits to use to generate the private key.Allowable values for RSA keys are: `2048` and `4096`. Allowable values for EC keys are: `224`, `256`, `384`, and `521`. The default for RSA keys is `2048`. The default for EC keys is `256`.",
},
"key_usage": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The allowed key usage constraint to define for private certificates.You can find valid values in the [Go x509 package documentation](https://pkg.go.dev/crypto/x509#KeyUsage). Omit the `KeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"ext_key_usage": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The allowed extended key usage constraint on private certificates.You can find valid values in the [Go x509 package documentation](https://golang.org/pkg/crypto/x509/#ExtKeyUsage). Omit the `ExtKeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"ext_key_usage_oids": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "A list of extended key usage Object Identifiers (OIDs).",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"use_csr_common_name": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property.",
},
"use_csr_sans": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property.",
},
"ou": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The Organizational Unit (OU) values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"organization": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The Organization (O) values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"country": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The Country (C) values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"locality": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The Locality (L) values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"province": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The Province (ST) values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"street_address": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The street address values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"postal_code": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "The postal code values to define in the subject field of the resulting certificate.",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"serial_number": &schema.Schema{
Type: schema.TypeString,
Computed: true,
Description: "The serial number to assign to the generated certificate. To assign a random serial number, you can omit this field.",
},
"require_cn": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to require a common name to create a private certificate.By default, a common name is required to generate a certificate. To make the `common_name` field optional, set the `require_cn` option to `false`.",
},
"policy_identifiers": &schema.Schema{
Type: schema.TypeList,
Computed: true,
Description: "A list of policy Object Identifiers (OIDs).",
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"basic_constraints_valid_for_non_ca": &schema.Schema{
Type: schema.TypeBool,
Computed: true,
Description: "Determines whether to mark the Basic Constraints extension of an issued private certificate as valid for non-CA certificates.",
},
"not_before_duration_seconds": &schema.Schema{
Type: schema.TypeInt,
Computed: true,
Description: "The duration in seconds by which to backdate the `not_before` property of an issued private certificate.",
},
},
}
}
func dataSourceIbmSmPrivateCertificateConfigurationTemplateRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2()
if err != nil {
return diag.FromErr(err)
}
region := getRegion(secretsManagerClient, d)
instanceId := d.Get("instance_id").(string)
secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d))
getConfigurationOptions := &secretsmanagerv2.GetConfigurationOptions{}
getConfigurationOptions.SetName(d.Get("name").(string))
privateCertificateConfigurationTemplateIntf, response, err := secretsManagerClient.GetConfigurationWithContext(context, getConfigurationOptions)
if err != nil {
log.Printf("[DEBUG] GetConfigurationWithContext failed %s\n%s", err, response)
return diag.FromErr(fmt.Errorf("GetConfigurationWithContext failed %s\n%s", err, response))
}
privateCertificateConfigurationTemplate := privateCertificateConfigurationTemplateIntf.(*secretsmanagerv2.PrivateCertificateConfigurationTemplate)
d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *getConfigurationOptions.Name))
if err = d.Set("region", region); err != nil {
return diag.FromErr(fmt.Errorf("Error setting region: %s", err))
}
if err = d.Set("config_type", privateCertificateConfigurationTemplate.ConfigType); err != nil {
return diag.FromErr(fmt.Errorf("Error setting config_type: %s", err))
}
if err = d.Set("secret_type", privateCertificateConfigurationTemplate.SecretType); err != nil {
return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err))
}
if err = d.Set("created_by", privateCertificateConfigurationTemplate.CreatedBy); err != nil {
return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err))
}
if err = d.Set("created_at", DateTimeToRFC3339(privateCertificateConfigurationTemplate.CreatedAt)); err != nil {
return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err))
}
if err = d.Set("updated_at", DateTimeToRFC3339(privateCertificateConfigurationTemplate.UpdatedAt)); err != nil {
return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err))
}
if err = d.Set("certificate_authority", privateCertificateConfigurationTemplate.CertificateAuthority); err != nil {
return diag.FromErr(fmt.Errorf("Error setting certificate_authority: %s", err))
}
if err = d.Set("allowed_secret_groups", privateCertificateConfigurationTemplate.AllowedSecretGroups); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allowed_secret_groups: %s", err))
}
if err = d.Set("max_ttl_seconds", flex.IntValue(privateCertificateConfigurationTemplate.MaxTtlSeconds)); err != nil {
return diag.FromErr(fmt.Errorf("Error setting max_ttl_seconds: %s", err))
}
if err = d.Set("ttl_seconds", flex.IntValue(privateCertificateConfigurationTemplate.TtlSeconds)); err != nil {
return diag.FromErr(fmt.Errorf("Error setting ttl_seconds: %s", err))
}
if err = d.Set("allow_localhost", privateCertificateConfigurationTemplate.AllowLocalhost); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allow_localhost: %s", err))
}
if err = d.Set("allowed_domains_template", privateCertificateConfigurationTemplate.AllowedDomainsTemplate); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allowed_domains_template: %s", err))
}
if err = d.Set("allow_bare_domains", privateCertificateConfigurationTemplate.AllowBareDomains); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allow_bare_domains: %s", err))
}
if err = d.Set("allow_subdomains", privateCertificateConfigurationTemplate.AllowSubdomains); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allow_subdomains: %s", err))
}
if err = d.Set("allow_glob_domains", privateCertificateConfigurationTemplate.AllowGlobDomains); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allow_glob_domains: %s", err))
}
if err = d.Set("allow_any_name", privateCertificateConfigurationTemplate.AllowAnyName); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allow_any_name: %s", err))
}
if err = d.Set("enforce_hostnames", privateCertificateConfigurationTemplate.EnforceHostnames); err != nil {
return diag.FromErr(fmt.Errorf("Error setting enforce_hostnames: %s", err))
}
if err = d.Set("allow_ip_sans", privateCertificateConfigurationTemplate.AllowIpSans); err != nil {
return diag.FromErr(fmt.Errorf("Error setting allow_ip_sans: %s", err))
}
if err = d.Set("server_flag", privateCertificateConfigurationTemplate.ServerFlag); err != nil {
return diag.FromErr(fmt.Errorf("Error setting server_flag: %s", err))
}
if err = d.Set("client_flag", privateCertificateConfigurationTemplate.ClientFlag); err != nil {
return diag.FromErr(fmt.Errorf("Error setting client_flag: %s", err))
}
if err = d.Set("code_signing_flag", privateCertificateConfigurationTemplate.CodeSigningFlag); err != nil {
return diag.FromErr(fmt.Errorf("Error setting code_signing_flag: %s", err))
}
if err = d.Set("email_protection_flag", privateCertificateConfigurationTemplate.EmailProtectionFlag); err != nil {
return diag.FromErr(fmt.Errorf("Error setting email_protection_flag: %s", err))
}
if err = d.Set("key_type", privateCertificateConfigurationTemplate.KeyType); err != nil {
return diag.FromErr(fmt.Errorf("Error setting key_type: %s", err))
}
if err = d.Set("key_bits", flex.IntValue(privateCertificateConfigurationTemplate.KeyBits)); err != nil {
return diag.FromErr(fmt.Errorf("Error setting key_bits: %s", err))
}
if err = d.Set("use_csr_common_name", privateCertificateConfigurationTemplate.UseCsrCommonName); err != nil {
return diag.FromErr(fmt.Errorf("Error setting use_csr_common_name: %s", err))
}
if err = d.Set("use_csr_sans", privateCertificateConfigurationTemplate.UseCsrSans); err != nil {
return diag.FromErr(fmt.Errorf("Error setting use_csr_sans: %s", err))
}
if err = d.Set("serial_number", privateCertificateConfigurationTemplate.SerialNumber); err != nil {
return diag.FromErr(fmt.Errorf("Error setting serial_number: %s", err))
}
if err = d.Set("require_cn", privateCertificateConfigurationTemplate.RequireCn); err != nil {
return diag.FromErr(fmt.Errorf("Error setting require_cn: %s", err))
}
if err = d.Set("basic_constraints_valid_for_non_ca", privateCertificateConfigurationTemplate.BasicConstraintsValidForNonCa); err != nil {
return diag.FromErr(fmt.Errorf("Error setting basic_constraints_valid_for_non_ca: %s", err))
}
if err = d.Set("not_before_duration_seconds", flex.IntValue(privateCertificateConfigurationTemplate.NotBeforeDurationSeconds)); err != nil {
return diag.FromErr(fmt.Errorf("Error setting not_before_duration_seconds: %s", err))
}
return nil
}