feat: Allow setting a CA file in the provider (#765)

bodgit · fbreckle · web-flow · commit d885db18f99d · 2025-09-12T11:59:22.000+02:00
* feat: Allow setting a CA file in the provider

* chore: regenerate docs

---------

Co-authored-by: Fabian Breckle &lt;fabian.breckle@breuninger.de&gt;
diff --git a/docs/index.md b/docs/index.md
@@ -67,6 +67,7 @@ provider "netbox" {
 ### Optional
 
 - `allow_insecure_https` (Boolean) Flag to set whether to allow https with invalid certificates. Can be set via the `NETBOX_ALLOW_INSECURE_HTTPS` environment variable. Defaults to `false`.
+- `ca_cert_file` (String) Path to a PEM-encoded CA certificate for verifying the Netbox server certificate. Can be set via the `NETBOX_CA_CERT_FILE` environment variable.
 - `default_tags` (Set of String) Tags to add to every resource managed by this provider.
 - `headers` (Map of String) Set these header on all requests to Netbox. Can be set via the `NETBOX_HEADERS` environment variable.
 - `request_timeout` (Number) Netbox API HTTP request timeout in seconds. Can be set via the `NETBOX_REQUEST_TIMEOUT` environment variable.
diff --git a/netbox/client.go b/netbox/client.go
@@ -19,6 +19,7 @@ type Config struct {
 	Headers                     map[string]interface{}
 	RequestTimeout              int
 	StripTrailingSlashesFromURL bool
+	CACertFile                  string
 }
 
 // customHeaderTransport is a transport that adds the specified headers on
@@ -52,6 +53,7 @@ func (cfg *Config) Client() (*netboxclient.NetBoxAPI, error) {
 
 	// build http client
 	clientOpts := httptransport.TLSClientOptions{
+		CA:                 cfg.CACertFile,
 		InsecureSkipVerify: cfg.AllowInsecureHTTPS,
 	}
 
diff --git a/netbox/provider.go b/netbox/provider.go
@@ -263,6 +263,12 @@ func Provider() *schema.Provider {
 				Optional:    true,
 				Description: "Tags to add to every resource managed by this provider",
 			},
+			"ca_cert_file": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("NETBOX_CA_CERT_FILE", nil),
+				Description: "Path to a PEM-encoded CA certificate for verifying the Netbox server certificate. Can be set via the `NETBOX_CA_CERT_FILE` environment variable.",
+			},
 		},
 		ConfigureContextFunc: providerConfigure,
 	}
@@ -291,6 +297,7 @@ func providerConfigure(ctx context.Context, data *schema.ResourceData) (interfac
 		Headers:                     data.Get("headers").(map[string]interface{}),
 		RequestTimeout:              data.Get("request_timeout").(int),
 		StripTrailingSlashesFromURL: data.Get("strip_trailing_slashes_from_url").(bool),
+		CACertFile:                  data.Get("ca_cert_file").(string),
 	}
 
 	serverURL := data.Get("server_url").(string)

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ type Config struct {`
`19`	`19`	`Headers map[string]interface{}`
`20`	`20`	`RequestTimeout int`
`21`	`21`	`StripTrailingSlashesFromURL bool`
	`22`	`+ CACertFile string`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`// customHeaderTransport is a transport that adds the specified headers on`
`@@ -52,6 +53,7 @@ func (cfg Config) Client() (netboxclient.NetBoxAPI, error) {`
`52`	`53`
`53`	`54`	`// build http client`
`54`	`55`	`clientOpts := httptransport.TLSClientOptions{`
	`56`	`+ CA: cfg.CACertFile,`
`55`	`57`	`InsecureSkipVerify: cfg.AllowInsecureHTTPS,`
`56`	`58`	`}`
`57`	`59`