Merge pull request #139 from katrinpolit/custom_certificate

Customer certificate fix

Author: katrinpolit

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.3.4 (Not Released)
+
+* Fix bug in Custom Certificate resource
+
 ## 3.3.3 (Released)
 
 * Fix pagination bug in sub-account resource

GNUmakefile

@@ -6,7 +6,8 @@ NAMESPACE=terraform-providers
 PKG_NAME=incapsula
 BINARY=terraform-provider-${PKG_NAME}
 # Whenever bumping provider version, please update the version in incapsula/client.go (line 27) as well.
-VERSION=3.3.3
+VERSION=3.3.4
+
 
 OS_ARCH=darwin_amd64
 # OS_ARCH=linux_amd64

incapsula/client.go

@@ -25,7 +25,7 @@ type Client struct {
 func NewClient(config *Config) *Client {
 	client := &http.Client{}
 
-	return &Client{config: config, httpClient: client, providerVersion: "3.3.3"}
+	return &Client{config: config, httpClient: client, providerVersion: "3.3.4"}
 }
 
 // Verify checks the API credentials

incapsula/client_certificate.go

@@ -23,22 +23,33 @@ type CertificateAddResponse struct {
 // CertificateListResponse contains site object with details of custom certificate
 type CertificateListResponse struct {
 	Res int `json:"res"`
+	SSL SSL `json:"ssl"`
 }
 
 // CertificateEditResponse contains confirmation of successful upload of certificate
 type CertificateEditResponse struct {
 	Res        int    `json:"res"`
 	ResMessage string `json:"res_message"`
+	SSL        SSL    `json:"ssl"`
+}
+
+type SSL struct {
+	CustomCertificate CustomCertificate `json:"custom_certificate"`
+}
+
+type CustomCertificate struct {
+	InputHash string `json:"inputHash"`
 }
 
 // AddCertificate adds a custom SSL certificate to a site in Incapsula
-func (c *Client) AddCertificate(siteID, certificate, privateKey, passphrase string) (*CertificateAddResponse, error) {
+func (c *Client) AddCertificate(siteID, certificate, privateKey, passphrase, inputHash string) (*CertificateAddResponse, error) {
 
 	log.Printf("[INFO] Adding custom certificate for site_id: %s", siteID)
 
 	values := url.Values{
 		"site_id":     {siteID},
 		"certificate": {certificate},
+		"input_hash":  {inputHash},
 	}
 
 	if privateKey != "" {
@@ -112,13 +123,14 @@ func (c *Client) ListCertificates(siteID string) (*CertificateListResponse, erro
 }
 
 // EditCertificate updates the custom certifiacte on an Incapsula site
-func (c *Client) EditCertificate(siteID, certificate, privateKey, passphrase string) (*CertificateEditResponse, error) {
+func (c *Client) EditCertificate(siteID, certificate, privateKey, passphrase, inputHash string) (*CertificateEditResponse, error) {
 
 	log.Printf("[INFO] Editing custom certificate for Incapsula site_id: %s\n", siteID)
 
 	values := url.Values{
 		"site_id":     {siteID},
 		"certificate": {certificate},
+		"input_hash":  {inputHash},
 	}
 
 	if privateKey != "" {

incapsula/resource_certificate.go

@@ -1,9 +1,10 @@
 package incapsula
 
 import (
-	"log"
-
+	"crypto/sha1"
+	"encoding/hex"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"log"
 )
 
 func resourceCertificate() *schema.Resource {
@@ -45,18 +46,31 @@ func resourceCertificate() *schema.Resource {
 				Optional:    true,
 				Sensitive:   true,
 			},
+			"input_hash": {
+				Description: "inputHash",
+				Type:        schema.TypeString,
+				Optional:    true,
+				DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+					newHash := createHash(d)
+					if newHash == old {
+						return true
+					}
+					return false
+				},
+			},
 		},
 	}
 }
 
 func resourceCertificateCreate(d *schema.ResourceData, m interface{}) error {
 	client := m.(*Client)
-
+	inputHash := createHash(d)
 	_, err := client.AddCertificate(
 		d.Get("site_id").(string),
 		d.Get("certificate").(string),
 		d.Get("private_key").(string),
 		d.Get("passphrase").(string),
+		inputHash,
 	)
 
 	if err != nil {
@@ -89,6 +103,7 @@ func resourceCertificateRead(d *schema.ResourceData, m interface{}) error {
 		return err
 	}
 
+	d.Set("input_hash", listCertificatesResponse.SSL.CustomCertificate.InputHash)
 	d.SetId("12345")
 
 	return nil
@@ -97,20 +112,22 @@ func resourceCertificateRead(d *schema.ResourceData, m interface{}) error {
 func resourceCertificateUpdate(d *schema.ResourceData, m interface{}) error {
 	client := m.(*Client)
 
+	inputHash := createHash(d)
+
 	_, err := client.EditCertificate(
 		d.Get("site_id").(string),
 		d.Get("certificate").(string),
 		d.Get("private_key").(string),
 		d.Get("passphrase").(string),
+		inputHash,
 	)
 
 	if err != nil {
 		return err
 	}
 
 	d.SetId("12345")
-
-	return nil
+	return resourceCertificateRead(d, m)
 }
 
 func resourceCertificateDelete(d *schema.ResourceData, m interface{}) error {
@@ -128,3 +145,16 @@ func resourceCertificateDelete(d *schema.ResourceData, m interface{}) error {
 
 	return nil
 }
+
+func createHash(d *schema.ResourceData) string {
+	h := sha1.New()
+
+	certificate := d.Get("certificate").(string)
+	passphrase := d.Get("passphrase").(string)
+	privateKey := d.Get("private_key").(string)
+	stringForHash := certificate + privateKey + passphrase
+	h.Write([]byte(stringForHash))
+	byteString := h.Sum(nil)
+	result := hex.EncodeToString(byteString)
+	return result
+}

website/docs/r/custom_certificate.html.markdown

@@ -30,6 +30,7 @@ The following arguments are supported:
 * `certificate` - (Required) The certificate file in base64 format. You can use the Terraform HCL `file` directive to pull in the contents from a file. You can also inline the certificate in the configuration.
 * `private_key` - (Optional) The private key of the certificate in base64 format. Optional in case of PFX certificate file format.
 * `passphrase` - (Optional) The passphrase used to protect your SSL certificate.
+* `input_hash` - (Optional) Currently ignored. If terraform plan flags this field as changed, it means that any of: `certificate`, `private_key`, or `passphrase` has changed.
 
 ## Attributes Reference