Add pubkey generation support

[FrenchBen]

Although this may not be very common, I often find myself having to feed a private key to Terraform, but then needing its public key for provider specific deployments.

This adds an equivalent public key RSA generator to the current private key, and moves the publicKey function to the public key file.

The input is a private key string, or file.

Checking acceptance tests:

$ make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v  -timeout 120m
?   	github.com/terraform-providers/terraform-provider-tls	[no test files]
=== RUN   TestProvider
--- PASS: TestProvider (0.00s)
=== RUN   TestCertRequest
--- PASS: TestCertRequest (0.04s)
=== RUN   TestLocallySignedCert
--- PASS: TestLocallySignedCert (0.02s)
=== RUN   TestPrivateKeyRSA
--- PASS: TestPrivateKeyRSA (3.21s)
=== RUN   TestPrivateKeyECDSA
--- PASS: TestPrivateKeyECDSA (0.05s)
=== RUN   TestPublicKeyRSA
--- PASS: TestPublicKeyRSA (4.69s)
=== RUN   TestSelfSignedCert
--- PASS: TestSelfSignedCert (0.04s)
PASS
ok  	github.com/terraform-providers/terraform-provider-tls/tls	8.077s

[FrenchBen]

There's a good amount of duplicate code with the tls_private_key module, perhaps we can simply add support to the generation to have a private key string submitted, in which case it's not generated?

[vancluever]

Hey @FrenchBen, this might also answer your second question as well, but I think this would be better as a data source. Main reason being is that a private key already needs to exist to extract the public key from, so nothing is actually being created by the resource.

More specifically answering your question about reuse - you could probably take the extraction code starting here and throw it into a helper that both tls_private_key (the resource) and tls_public_key (the data source) could use. The code may need a bit of re-arrangement so that the resulting helper is only exporting the public fields, leaving the private fields to the resource only.

[FrenchBen]

Updated to use a data_source instead, as recommended:

$ make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v  -timeout 120m
?   	github.com/terraform-providers/terraform-provider-tls	[no test files]
=== RUN   TestAccPublicKey_dataSource
--- PASS: TestAccPublicKey_dataSource (0.02s)
=== RUN   TestProvider
--- PASS: TestProvider (0.00s)
=== RUN   TestCertRequest
--- PASS: TestCertRequest (0.04s)
=== RUN   TestLocallySignedCert
--- PASS: TestLocallySignedCert (0.03s)
=== RUN   TestPrivateKeyRSA
--- PASS: TestPrivateKeyRSA (4.10s)
=== RUN   TestPrivateKeyECDSA
--- PASS: TestPrivateKeyECDSA (0.05s)
=== RUN   TestSelfSignedCert
--- PASS: TestSelfSignedCert (0.04s)
PASS
ok  	github.com/terraform-providers/terraform-provider-tls/tls	4.300s

[vancluever]

@FrenchBen great job so far! Just got some review comments that I'd like to see changed before we merge, and also the resource is lacking documentation. Can you make sure you add that as well?

You can see some examples on existing documentation for this provider in the website directory, and if you want to preview it you can clone the terraform-website repository and follow the instructions there to get set up.

Thanks!

[vancluever]

Can this be changed to private_key_pem to bring it in line with the other resources in this provider?

[vancluever]

ForceNew is not needed in data sources. This generally controls deletion/creation workflows, both of which data sources lack.

[vancluever]

I'm actually wondering if maybe this key should just be removed - this removes a bit of complexity from the resource, and if someone needs to load a file from a local path, they can just use the file interpolation function.

[FrenchBen]

Great point! It'll make things a lot easier.

[vancluever]

You could also use GetOk or GetOkExists here, which are specifically the exact ways you check for a value defined in Terraform.

[vancluever]

The error message seems to indicate that you are only attempting to decode an RSA private key even though the key can be that or an EC private key.

[vancluever]

Looks like you have the field here named private_key_pem even though the field is just private_key in the schema. I'm recommending the schema be fixed, of course. :)

[vancluever]

Minor can we change this to readPublicKey to imply that it's doing a bit more than just parsing the public key?

[vancluever]

PS: You could probably make this test self-hosting but using the tls_private_key resource to generate a key. Then you could use TestCheckResourceAttrPair to just compare the two values.

[FrenchBen]

I'll add it as another test. I like the fact that we're taking a private key without it's matching Public Key and confirming that its output is what we expected.
The TestCheckResourceAttrPair seems redundant, as they both use the same function, thus if there's a mistake, it'll come be a consistent one.

[vancluever]

@FrenchBen fair enough, and I actually didn't notice the testPrivateKey fixture being used in other tests. Will wait for the second test!

[FrenchBen]

@vancluever PTAL at the latest changes :)

[vancluever]

@FrenchBen sorry for leaving this so long - I'll have a look sometime within the next couple of days for sure. Were you going to work on adding the second test as mentioned?

[FrenchBen]

@vancluever already did:
https://github.com/terraform-providers/terraform-provider-tls/pull/11/files#diff-db53aa662810ae9abc7cf890db96dc69R50

The 2 tests are:

• Given a known private key, verify that the public key matches expected result.
• Generate a private key, verify that the public key matches that of the generated public key (they use the same function, so it's a bit of an odd test).

Anything else you think I should test for?

[vancluever]

Great - I didn't see that!

Barring anything serious, I think this can be merged tomorrow when I give it another once over 🙂

[FrenchBen]

I think it's my fault - Looks like spacing is a little off, I'll get this fixed.

[vancluever]

Hey @FrenchBen, one more comment about the tests, in addition to the following smoke test that failed:

This config:

resource "tls_private_key" "key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

data "tls_public_key" "pub" {
  private_key_pem = "${tls_private_key.key.private_key_pem}"
}

output "data_public_key_pem" {
  value = "${data.tls_public_key.pub.public_key_pem}"
}

output "data_public_key_openssh" {
  value = "${data.tls_public_key.pub.public_key_openssh}"
}

Gives this error:

Error: Error applying plan:

1 error(s) occurred:

* data.tls_public_key.pub: data.tls_public_key.pub: error converting key to rsa asn1: structure error: tags don't match (2 vs {class:0 tag:4 length:48 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false}  @5

This works with RSA, so not too sure what's happening here, but the P384 test is what is in our examples for tls_private_key, and the public keys dump in that resource just fine.

If you can fix that it would be great (might be good to add another test with that config specifically), also you will need to pull as I just fixed up some test naming and docs, and was about to approve this before the smoke test failed.

Thanks!

[vancluever]

Are these outputs actually being tested anywhere? I don't see any checks for them...

Can this test also be broken out into another test? As it's pretty much a completely different test case (manually supplied key versus generated one).

[FrenchBen]

The output can be removed indeed.
Since the test was for all Public Key, I thought they belonged within the same function, but as separate steps. Is that not the right approach?

[FrenchBen]

Added the extra test - Different algo = different parser (of course 🤦‍♂️ ) - Moved to using the default private key parser in the certs to make things cleaner.

[vancluever]

@FrenchBen this looks good! I've just split out the tests so that it's more clear what exactly we are testing in each step.

Otherwise, this fixed everything - smoke test works now, so I think we are good to merge!

Thank you very much for you contribution and your patience through the process!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.