
Commit f8a4502

committed
Add support for ignoring invalid cert options in the x509 clients used for instance principal
Currently the option to ignore server cert errors is only applied to clients that Terraform has explicitly created. However, this misses clients that are implicitly created by the OCI SDK to handle requests to auth services.
1 parent 3e7531b commit f8a4502


1 file changed

+16
-1
lines changed

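--- a/oci/provider.go
+++ b/oci/provider.go
@@ -837,6 +837,7 @@ func getConfigProviders(d *schema.ResourceData, auth string) ([]oci_common.Confi
 
 switch auth {
 case strings.ToLower(authAPIKeySetting):
+// No additional config providers needed
 case strings.ToLower(authInstancePrincipalSetting):
 apiKeyConfigVariablesToUnset, ok := checkIncompatibleAttrsForApiKeyAuth(d)
 if !ok {
@@ -847,7 +848,21 @@ func getConfigProviders(d *schema.ResourceData, auth string) ([]oci_common.Confi
 if !ok {
 return nil, fmt.Errorf("can not get %s from Terraform configuration (InstancePrincipal)", regionAttrName)
 }
-cfg, err := oci_common_auth.InstancePrincipalConfigurationProviderForRegion(oci_common.StringToRegion(region.(string)))
+
+// Used to modify InstancePrincipal auth clients so that `accept_local_certs` is honored for auth clients as well
+// These clients are created implicitly by SDK, and are not modified by the buildConfigureClientFn that usually does this for the other SDK clients
+instancePrincipalAuthClientModifier := func(client oci_common.HTTPRequestDispatcher) (oci_common.HTTPRequestDispatcher, error) {
+if acceptLocalCerts := getEnvSettingWithBlankDefault(acceptLocalCerts); acceptLocalCerts != "" {
+if bool, err := strconv.ParseBool(acceptLocalCerts); err == nil {
+modifiedClient := buildHttpClient()
+modifiedClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = bool
+return modifiedClient, nil
+}
+}
+return client, nil
+}
+
+cfg, err := oci_common_auth.InstancePrincipalConfigurationForRegionWithCustomClient(oci_common.StringToRegion(region.(string)), instancePrincipalAuthClientModifier)
 if err != nil {
 return nil, err
 }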
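Review bot: The type assertion on new line 858 is unchecked and `TLSClientConfig` is dereferenced without a nil check, so if `buildHttpClient()` (defined outside this hunk) ever returns a transport that is not an `*http.Transport`, or one with no TLS config, the modifier panics inside the SDK's auth setup instead of returning an error the provider can report. The `strconv.ParseBool` failure on line 856 is also dropped silently, so a mistyped `accept_local_certs` value leaves verification enabled with no diagnostic, and naming the parsed flag `bool` shadows the predeclared type. Since the closure already returns an error, surfacing both conditions there and renaming the flag `skipVerify` addresses all three; a short comment saying that the modifier replaces the dispatcher the SDK passed in (the `client` argument is discarded on the success path) would also help the next reader, since any SDK-side settings on it are lost. If ignoring a malformed value is intentional, the proposed error return on parse failure should become a log line instead. The enclosing `getConfigProviders` starts and ends outside the hunk.
```go
instancePrincipalAuthClientModifier := func(client oci_common.HTTPRequestDispatcher) (oci_common.HTTPRequestDispatcher, error) {
	acceptLocalCertsValue := getEnvSettingWithBlankDefault(acceptLocalCerts)
	if acceptLocalCertsValue == "" {
		return client, nil
	}
	skipVerify, err := strconv.ParseBool(acceptLocalCertsValue)
	if err != nil {
		return nil, fmt.Errorf("invalid value %q for %s: %v", acceptLocalCertsValue, acceptLocalCerts, err)
	}
	// The SDK-supplied client is replaced by a freshly built one; any settings on it are not carried over.
	modifiedClient := buildHttpClient()
	transport, ok := modifiedClient.Transport.(*http.Transport)
	if !ok || transport.TLSClientConfig == nil {
		return nil, fmt.Errorf("cannot apply %s: auth client transport has no TLS config", acceptLocalCerts)
	}
	// Disables server certificate verification for the instance principal auth endpoints when the setting is true.
	transport.TLSClientConfig.InsecureSkipVerify = skipVerify
	return modifiedClient, nil
}
// … unchanged: InstancePrincipalConfigurationForRegionWithCustomClient call and error check …
```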
