Merge branch 'release/v0.2.0' into main

TelkomIndonesia · Feb 21, 2022 · b7e1f99 · b7e1f99
2 parents 033547c + 325550d
commit b7e1f99
Show file tree

Hide file tree

Showing 7 changed files with 232 additions and 69 deletions.
diff --git a/docs/resources/ca.md b/docs/resources/ca.md
@@ -44,5 +44,7 @@ resource "nebula_ca" "awesome" {
 - **cert** (String) The certificate data in PEM format.
 - **fingerprint** (String) The fingerprint of the certificate.
 - **key** (String, Sensitive) The private key data in PEM format.
+- **not_after** (String) Certificate not valid after this date.
+- **not_before** (String) Certificate not valid after this date.
 
 
diff --git a/docs/resources/certificate.md b/docs/resources/certificate.md
@@ -66,5 +66,7 @@ resource "nebula_certificate" "node2" {
 - **cert** (String) The certificate data in PEM format.
 - **fingerprint** (String) The fingerprint of the certificate.
 - **key** (String, Sensitive) The private key data in PEM format. Empty if `public_key` is specified.
+- **not_after** (String) Certificate not valid after this date.
+- **not_before** (String) Certificate not valid after this date.
 
 
diff --git a/internal/provider/helper.go b/internal/provider/helper.go
@@ -101,3 +101,9 @@ func x25519Keypair() ([]byte, []byte, error) {
 
 	return pubkey, privkey, err
 }
+
+func shouldExpire(c *cert.NebulaCertificate, early time.Duration) bool {
+	tn := time.Now()
+	te := c.Details.NotAfter.Add(-early)
+	return te.Before(tn) || c.Expired(tn)
+}
diff --git a/internal/provider/resource_ca.go b/internal/provider/resource_ca.go
@@ -21,6 +21,7 @@ func resourceCA() *schema.Resource {
 		CreateContext: resourceCACreate,
 		UpdateContext: resourceCAUpdate,
 		DeleteContext: resourceCADelete,
+		CustomizeDiff: resourceCADiff,
 
 		Schema: map[string]*schema.Schema{
 			"name": {
@@ -91,6 +92,16 @@ func resourceCA() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 			},
+			"not_after": {
+				Description: "Certificate not valid after this date.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+			"not_before": {
+				Description: "Certificate not valid after this date.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
 		},
 	}
 }
@@ -101,9 +112,7 @@ func resourceCARead(ctx context.Context, d *schema.ResourceData, meta interface{
 		return diag.Errorf("error loading CA pair: %s", err)
 	}
 
-	tn := time.Now()
-	te := tn.Add(-cast.ToDuration(d.Get("early_renewal_duration")))
-	if te.After(caCert.Details.NotBefore) && caCert.Expired(te) || caCert.Expired(tn) {
+	if shouldExpire(caCert, cast.ToDuration(d.Get("early_renewal_duration"))) {
 		d.SetId("")
 	}
 	return
@@ -145,6 +154,8 @@ func resourceCACreate(ctx context.Context, d *schema.ResourceData, meta interfac
 	}
 	d.Set("cert", string(crt))
 	d.Set("key", string(cert.MarshalEd25519PrivateKey(rawPriv)))
+	d.Set("not_after", nc.Details.NotAfter.Format(time.RFC3339))
+	d.Set("not_before", nc.Details.NotBefore.Format(time.RFC3339))
 	fp, err := nc.Sha256Sum()
 	if err != nil {
 		return diag.Errorf("error while getting certificate fingerprint: %s", err)
@@ -162,3 +173,25 @@ func resourceCADelete(ctx context.Context, d *schema.ResourceData, meta interfac
 func resourceCAUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) (dg diag.Diagnostics) {
 	return
 }
+
+func resourceCADiff(ctx context.Context, rd *schema.ResourceDiff, meta interface{}) (err error) {
+	if rd.Id() == "" {
+		return // no state
+	}
+	for _, v := range []string{"name", "groups", "ips", "subnets", "duration"} {
+		if rd.HasChange(v) {
+			return
+		}
+	}
+	if !rd.HasChange("early_renewal_duration") {
+		return
+	}
+
+	_, n := rd.GetChange("early_renewal_duration")
+	exp := cast.ToTime(rd.Get("not_after")).Add(-cast.ToDuration(n))
+	if time.Now().Before(exp) {
+		return
+	}
+	rd.ForceNew("early_renewal_duration")
+	return
+}
diff --git a/internal/provider/resource_ca_test.go b/internal/provider/resource_ca_test.go
@@ -24,23 +24,63 @@ func TestAccResourceCA(t *testing.T) {
 }
 
 const testAccResourceCA = `
-resource "nebula_ca" "test" {
-  	name = "test"
-}
+	resource "nebula_ca" "test" {
+		name = "test"
+	}
 
-resource "nebula_ca" "test1" {
-	name = "test1"
-	groups = ["test12"]
-	ips = ["192.168.0.1/24"]
-	subnets = ["192.168.0.1/26"]
-	duration = "24h"
-	early_renewal_duration = "1h"
-}
+	resource "nebula_ca" "test1" {
+		name = "test1"
+		groups = ["test12"]
+		ips = ["192.168.0.1/24"]
+		subnets = ["192.168.0.1/26"]
+		duration = "24h"
+		early_renewal_duration = "1h"
+	}
 `
 
 const testAccResourceCAExpired = `
-resource "nebula_ca" "test" {
-	name = "test"
-	duration="0.000000001s"
+	resource "nebula_ca" "testexp" {
+		name = "test"
+		duration="0.000000001s"
+	}
+
+	resource "nebula_ca" "testexp1" {
+		name = "test"
+		duration = "24h"
+		early_renewal_duration = "24h"
+	}
+`
+
+// WARN: Possible flaky test
+func TestAccResourceCAUpdateEarlyRenewal(t *testing.T) {
+	resource.UnitTest(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceCAUpdateEarlyRenewal,
+			},
+			{
+				Config: testAccResourceCAUpdateEarlyRenewalUpdate,
+			},
+		},
+	})
 }
+
+const testAccResourceCAUpdateEarlyRenewal = `
+	resource "nebula_ca" "test" {
+		name = "test"
+		duration = "24h"
+		provisioner "local-exec" {
+			interpreter = ["bash", "-c"]
+			command = "sleep 5"
+		}
+	}
+`
+const testAccResourceCAUpdateEarlyRenewalUpdate = `
+	resource "nebula_ca" "test" {
+		name = "test"
+		duration = "24h"
+		early_renewal_duration = "23h59m55s"
+	}
 `
diff --git a/internal/provider/resource_cert.go b/internal/provider/resource_cert.go
@@ -20,6 +20,7 @@ func resourceCertificate() *schema.Resource {
 		CreateContext: resourceCertificateCreate,
 		UpdateContext: resourceCertificateUpdate,
 		DeleteContext: resourceCertificateDelete,
+		CustomizeDiff: resourceCertificateDiff,
 
 		Schema: map[string]*schema.Schema{
 			"name": {
@@ -73,17 +74,20 @@ func resourceCertificate() *schema.Resource {
 				Description: "The signing CA certificate data in PEM format.",
 				Type:        schema.TypeString,
 				Required:    true,
+				ForceNew:    true,
 			},
 			"ca_key": {
 				Description: "The signing CA private key data in PEM format.",
 				Type:        schema.TypeString,
 				Required:    true,
 				Sensitive:   true,
+				ForceNew:    true,
 			},
 			"public_key": {
 				Description: "The previously generated public key data in PEM format.",
 				Type:        schema.TypeString,
 				Optional:    true,
+				ForceNew:    true,
 			},
 
 			"cert": {
@@ -102,6 +106,16 @@ func resourceCertificate() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 			},
+			"not_after": {
+				Description: "Certificate not valid after this date.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+			"not_before": {
+				Description: "Certificate not valid after this date.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
 		},
 	}
 }
@@ -117,9 +131,7 @@ func resourceCertificateRead(ctx context.Context, d *schema.ResourceData, meta i
 	if err != nil {
 		return diag.Errorf("error loading certificate pair: %s", err)
 	}
-	tn := time.Now()
-	te := tn.Add(-cast.ToDuration(d.Get("early_renewal_duration")))
-	if te.After(nCert.Details.NotBefore) && nCert.Expired(te) || nCert.Expired(tn) {
+	if shouldExpire(nCert, cast.ToDuration(d.Get("early_renewal_duration"))) {
 		d.SetId("")
 		return
 	}
@@ -205,6 +217,8 @@ func resourceCertificateCreate(ctx context.Context, d *schema.ResourceData, meta
 	if rawPriv != nil {
 		d.Set("key", string(cert.MarshalX25519PrivateKey(rawPriv)))
 	}
+	d.Set("not_after", nc.Details.NotAfter.Format(time.RFC3339))
+	d.Set("not_before", nc.Details.NotBefore.Format(time.RFC3339))
 	fp, err := nc.Sha256Sum()
 	if err != nil {
 		return diag.Errorf("error while getting certificate fingerprint: %s", err)
@@ -220,3 +234,25 @@ func resourceCertificateDelete(ctx context.Context, d *schema.ResourceData, meta
 func resourceCertificateUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) (dg diag.Diagnostics) {
 	return
 }
+
+func resourceCertificateDiff(ctx context.Context, rd *schema.ResourceDiff, meta interface{}) (err error) {
+	if rd.Id() == "" {
+		return // no state
+	}
+	for _, v := range []string{"name", "groups", "ip", "subnets", "duration", "ca_cert", "ca_key", "public_key"} {
+		if rd.HasChange(v) {
+			return
+		}
+	}
+	if !rd.HasChange("early_renewal_duration") {
+		return
+	}
+
+	_, n := rd.GetChange("early_renewal_duration")
+	exp := cast.ToTime(rd.Get("not_after")).Add(-cast.ToDuration(n))
+	if time.Now().Before(exp) {
+		return
+	}
+	rd.ForceNew("early_renewal_duration")
+	return
+}