From 9ca466279339432728ab8b125ce9efa8c0df6fd5 Mon Sep 17 00:00:00 2001 From: Ioannis Simeonidis <36934072+simioa@users.noreply.github.com> Date: Thu, 14 Dec 2023 15:50:02 +0100 Subject: [PATCH 1/2] Add Kibana CA Certs optional parameter --- docs/index.md | 1 + internal/clients/config/kibana.go | 20 +++++++++++++++++++ internal/clients/config/kibana_test.go | 27 ++++++++++++++++++++++---- internal/clients/config/provider.go | 1 + internal/schema/connection.go | 13 +++++++++++++ 5 files changed, 58 insertions(+), 4 deletions(-) diff --git a/docs/index.md b/docs/index.md index 1c0e8c1c1..aacc7bb97 100644 --- a/docs/index.md +++ b/docs/index.md @@ -185,6 +185,7 @@ Optional: Optional: - `api_key` (String, Sensitive) API Key to use for authentication to Kibana +- `ca_certs` (List of String) A list of paths to CA certificates to validate the certificate presented by the Kibana server. - `endpoints` (List of String, Sensitive) A comma-separated list of endpoints where the terraform provider will point to, this must include the http(s) schema and port number. - `insecure` (Boolean) Disable TLS certificate validation - `password` (String, Sensitive) Password to use for API authentication to Kibana. diff --git a/internal/clients/config/kibana.go b/internal/clients/config/kibana.go index 526082dad..9fc532cd9 100644 --- a/internal/clients/config/kibana.go +++ b/internal/clients/config/kibana.go @@ -4,6 +4,7 @@ import ( "context" "os" "strconv" + "strings" "github.com/disaster37/go-kibana-rest/v8" fwdiags "github.com/hashicorp/terraform-plugin-framework/diag" @@ -45,6 +46,14 @@ func newKibanaConfigFromSDK(d *schema.ResourceData, base baseConfig) (kibanaConf } } + if caCerts, ok := kibConfig["ca_certs"].([]interface{}); ok && len(caCerts) > 0 { + for _, elem := range caCerts { + if vStr, elemOk := elem.(string); elemOk { + config.CAs = append(config.CAs, vStr) + } + } + } + if insecure, ok := kibConfig["insecure"]; ok && insecure.(bool) { config.DisableVerifySSL = true } 
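Review bot: In the new `ca_certs` loop in newKibanaConfigFromSDK, an element that fails the `elem.(string)` assertion is dropped without any diagnostic, so a malformed entry silently shrinks the trust list instead of failing the plan; and the `insecure` check immediately below sets `config.DisableVerifySSL = true` regardless of what was appended to `config.CAs`, so `ca_certs` combined with `insecure = true` leaves the CA list populated but, presumably, unused by the downstream client. I would at least state the precedence above the block, `// ca_certs only matters when insecure is false: DisableVerifySSL below takes precedence.`, and, if the function's diagnostics return value is in scope here (its return list is truncated in the hunk header), emit a warning diagnostic when both are set. The rest of newKibanaConfigFromSDK is outside the hunk.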
@@ -69,6 +78,9 @@ func newKibanaConfigFromFramework(ctx context.Context, cfg ProviderConfiguration } var endpoints []string diags := kibConfig.Endpoints.ElementsAs(ctx, &endpoints, true) + + var cas []string + diags.Append(kibConfig.CACerts.ElementsAs(ctx, &cas, true)...) if diags.HasError() { return kibanaConfig{}, diags } @@ -77,6 +89,10 @@ func newKibanaConfigFromFramework(ctx context.Context, cfg ProviderConfiguration config.Address = endpoints[0] } + if len(cas) > 0 { + config.CAs = cas + } + config.DisableVerifySSL = kibConfig.Insecure.ValueBool() } @@ -88,6 +104,9 @@ func (k kibanaConfig) withEnvironmentOverrides() kibanaConfig { k.Password = withEnvironmentOverride(k.Password, "KIBANA_PASSWORD") k.ApiKey = withEnvironmentOverride(k.ApiKey, "KIBANA_API_KEY") k.Address = withEnvironmentOverride(k.Address, "KIBANA_ENDPOINT") + if caCerts, ok := os.LookupEnv("KIBANA_CA_CERTS"); ok { + k.CAs = strings.Split(caCerts, ",") + } if insecure, ok := os.LookupEnv("KIBANA_INSECURE"); ok { if insecureValue, err := strconv.ParseBool(insecure); err == nil { @@ -104,6 +123,7 @@ func (k kibanaConfig) toFleetConfig() fleetConfig { Username: k.Username, Password: k.Password, APIKey: k.ApiKey, + CACerts: k.CAs, Insecure: k.DisableVerifySSL, } } diff --git a/internal/clients/config/kibana_test.go b/internal/clients/config/kibana_test.go index 5a5b68f99..c5dc22352 100644 --- a/internal/clients/config/kibana_test.go +++ b/internal/clients/config/kibana_test.go @@ -57,7 +57,8 @@ func Test_newKibanaConfigFromSDK(t *testing.T) { "endpoints": []interface{}{"example.com/kibana"}, "username": "kibana", "password": "baltic", - "insecure": true, + "ca_certs": []interface{}{"internal", "lets_decrypt"}, + "insecure": false, }, }, }, @@ -65,7 +66,8 @@ func Test_newKibanaConfigFromSDK(t *testing.T) { Address: "example.com/kibana", Username: "kibana", Password: "baltic", - DisableVerifySSL: true, + CAs: []string{"internal", "lets_decrypt"}, + DisableVerifySSL: false, }, } }, 
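Review bot: In withEnvironmentOverrides, `k.CAs = strings.Split(caCerts, ",")` turns an exported-but-empty or whitespace-only `KIBANA_CA_CERTS` into `[]string{""}` and keeps surrounding spaces in each path, so a blank variable replaces a valid `ca_certs` list with a single bogus path that the code loading these files (not visible here) will presumably fail on. Trim each element and drop empties before assigning; whether a fully empty variable should clear the configured list or be ignored should follow what `withEnvironmentOverride` does for the string fields, which is outside this hunk. The test added in this commit only covers a well-formed `black,sea` value.
```go
if caCerts, ok := os.LookupEnv("KIBANA_CA_CERTS"); ok {
	var cas []string
	for _, p := range strings.Split(caCerts, ",") {
		if p = strings.TrimSpace(p); p != "" {
			cas = append(cas, p)
		}
	}
	// An exported-but-empty KIBANA_CA_CERTS is treated as "not set" here;
	// use `k.CAs = cas` unconditionally if it should clear the configured list.
	if len(cas) > 0 {
		k.CAs = cas
	}
}
// … unchanged: KIBANA_INSECURE handling …
```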
@@ -86,6 +88,7 @@ func Test_newKibanaConfigFromSDK(t *testing.T) { "endpoints": []interface{}{"example.com/kibana"}, "username": "kibana", "password": "baltic", + "ca_certs": []interface{}{"internal", "lets_decrypt"}, "insecure": true, }, }, @@ -95,12 +98,14 @@ func Test_newKibanaConfigFromSDK(t *testing.T) { "KIBANA_USERNAME": "elastic", "KIBANA_PASSWORD": "thin-lines", "KIBANA_INSECURE": "false", + "KIBANA_CA_CERTS": "black,sea", }, expectedConfig: kibanaConfig{ Address: "example.com/cabana", Username: "elastic", Password: "thin-lines", DisableVerifySSL: false, + CAs: []string{"black", "sea"}, }, } }, @@ -114,6 +119,7 @@ func Test_newKibanaConfigFromSDK(t *testing.T) { os.Unsetenv("KIBANA_ENDPOINT") os.Unsetenv("KIBANA_INSECURE") os.Unsetenv("KIBANA_API_KEY") + os.Unsetenv("KIBANA_CA_CERTS") args := tt.args() rd := schema.TestResourceDataRaw(t, map[string]*schema.Schema{ @@ -177,7 +183,11 @@ func Test_newKibanaConfigFromFramework(t *testing.T) { Endpoints: types.ListValueMust(types.StringType, []attr.Value{ types.StringValue("example.com/kibana"), }), - Insecure: types.BoolValue(true), + CACerts: types.ListValueMust(types.StringType, []attr.Value{ + types.StringValue("internal"), + types.StringValue("lets_decrypt"), + }), + Insecure: types.BoolValue(false), }, }, }, @@ -185,7 +195,8 @@ func Test_newKibanaConfigFromFramework(t *testing.T) { Address: "example.com/kibana", Username: "kibana", Password: "baltic", - DisableVerifySSL: true, + CAs: []string{"internal", "lets_decrypt"}, + DisableVerifySSL: false, }, } }, @@ -206,6 +217,7 @@ func Test_newKibanaConfigFromFramework(t *testing.T) { Endpoints: types.ListValueMust(types.StringType, []attr.Value{ types.StringValue("example.com/kibana"), }), + CACerts: types.ListValueMust(types.StringType, []attr.Value{}), Insecure: types.BoolValue(true), }, }, 
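Review bot: The env-override case in `Test_newKibanaConfigFromSDK` (hunk `@@ -95,12 +98,14 @@`) pins only the well-formed `"KIBANA_CA_CERTS": "black,sea"` value, so the inputs that a bare `strings.Split` handles poorly — an empty string and entries with surrounding whitespace — have no coverage, and their behaviour is whatever the implementation happens to do today. Add at least one case with `"KIBANA_CA_CERTS": ""` and one with `"KIBANA_CA_CERTS": " black , sea "`, each with the expected `CAs` spelled out, so the intended precedence over a configured `ca_certs` list is locked in. The table's surrounding scaffolding is outside the hunk.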
@@ -236,6 +248,10 @@ func Test_newKibanaConfigFromFramework(t *testing.T) { Endpoints: types.ListValueMust(types.StringType, []attr.Value{ types.StringValue("example.com/kibana"), }), + CACerts: types.ListValueMust(types.StringType, []attr.Value{ + types.StringValue("internal"), + types.StringValue("lets_decrypt"), + }), Insecure: types.BoolValue(true), }, }, @@ -245,11 +261,13 @@ func Test_newKibanaConfigFromFramework(t *testing.T) { "KIBANA_USERNAME": "elastic", "KIBANA_PASSWORD": "thin-lines", "KIBANA_INSECURE": "false", + "KIBANA_CA_CERTS": "black,sea", }, expectedConfig: kibanaConfig{ Address: "example.com/cabana", Username: "elastic", Password: "thin-lines", + CAs: []string{"black", "sea"}, DisableVerifySSL: false, }, } @@ -263,6 +281,7 @@ func Test_newKibanaConfigFromFramework(t *testing.T) { os.Unsetenv("KIBANA_PASSWORD") os.Unsetenv("KIBANA_API_KEY") os.Unsetenv("KIBANA_ENDPOINT") + os.Unsetenv("KIBANA_CA_CERTS") os.Unsetenv("KIBANA_INSECURE") args := tt.args() diff --git a/internal/clients/config/provider.go b/internal/clients/config/provider.go index 1fc87aa14..f57dcff8d 100644 --- a/internal/clients/config/provider.go +++ b/internal/clients/config/provider.go @@ -30,6 +30,7 @@ type KibanaConnection struct { ApiKey types.String `tfsdk:"api_key"` Endpoints types.List `tfsdk:"endpoints"` Insecure types.Bool `tfsdk:"insecure"` + CACerts types.List `tfsdk:"ca_certs"` } type FleetConnection struct { diff --git a/internal/schema/connection.go b/internal/schema/connection.go index 432666058..6eac05e28 100644 --- a/internal/schema/connection.go +++ b/internal/schema/connection.go 
@@ -163,6 +163,11 @@ func GetKbFWConnectionBlock() fwschema.Block { Sensitive: true, ElementType: types.StringType, }, + "ca_certs": fwschema.ListAttribute{ + MarkdownDescription: "A list of paths to CA certificates to validate the certificate presented by the Kibana server.", + Optional: true, + ElementType: types.StringType, + }, "insecure": fwschema.BoolAttribute{ MarkdownDescription: "Disable TLS certificate validation", Optional: true, @@ -397,6 +402,14 @@ func GetKibanaConnectionSchema() *schema.Schema { Type: schema.TypeString, }, }, + "ca_certs": { + Description: "A list of paths to CA certificates to validate the certificate presented by the Kibana server.", + Type: schema.TypeList, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, "insecure": { Description: "Disable TLS certificate validation", Type: schema.TypeBool, From 0cc565fc606745c1079c481bff7f2b0cbbb0c23f Mon Sep 17 00:00:00 2001 From: Toby Brain Date: Tue, 16 Jan 2024 13:00:11 +1100 Subject: [PATCH 2/2] Changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a0d97758..6a64f47b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## [Unreleased] +### Added +- Add new optional `ca_certs` attribute for Kibana ([#507](https://github.com/elastic/terraform-provider-elasticstack/pull/507)) + ### Fixed - Handle nil LastExecutionDate's in Kibana alerting rules. ([#508](https://github.com/elastic/terraform-provider-elasticstack/pull/508)) - Import all relevant attributes during `elasticstack_fleet_output` import ([#522](https://github.com/elastic/terraform-provider-elasticstack/pull/522))
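Review bot: The `ca_certs` description in both `GetKbFWConnectionBlock` and `GetKibanaConnectionSchema` says only that the paths validate the Kibana certificate; it mentions neither the `KIBANA_CA_CERTS` environment override (comma-separated, per `withEnvironmentOverrides`) nor its interaction with `insecure`, which is exactly the precedence a user deploying a private CA needs to know. Suggested text for both: `"A list of paths to CA certificates to validate the certificate presented by the Kibana server. Can also be set as a comma-separated list in the KIBANA_CA_CERTS environment variable. Has no effect when insecure is true."` — the last sentence assumes the client skips CA loading when verification is disabled, which should be confirmed against the client. Neither schema constrains the list elements, so a validator rejecting empty strings would also be worthwhile. Both functions extend outside the hunks.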