feat: support checkly_client_certificate resources [sc-23397] (#307)

sorccu · web-flow · commit 0b0447b11494 · 2025-03-04T23:59:40.000+09:00
* feat: support checkly_client_certificate resources

* chore: bump SDK to latest version with client certificate support
diff --git a/checkly/provider.go b/checkly/provider.go
@@ -43,6 +43,7 @@ func Provider() *schema.Provider {
 			"checkly_trigger_group":        resourceTriggerGroup(),
 			"checkly_environment_variable": resourceEnvironmentVariable(),
 			"checkly_private_location":     resourcePrivateLocation(),
+			"checkly_client_certificate":   resourceClientCertificate(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{
 			"checkly_static_ips": dataSourceStaticIPs(),
diff --git a/checkly/resource_client_certificate.go b/checkly/resource_client_certificate.go
@@ -0,0 +1,128 @@
+package checkly
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	checkly "github.com/checkly/checkly-go-sdk"
+)
+
+func resourceClientCertificate() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceClientCertificateCreate,
+		Read:   resourceClientCertificateRead,
+		Delete: resourceClientCertificateDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Description: "Use client certificates to authenticate your API " +
+			"checks to APIs that require mutual TLS (mTLS) authentication, " +
+			"or any other authentication scheme where the requester needs to " +
+			"provide a certificate." +
+			"\n\n" +
+			"Each client certificate is specific to a domain name, e.g. " +
+			"`acme.com` and will be used automatically by any API checks " +
+			"targeting that domain." +
+			"\n\n" +
+			"Changing the value of any attribute forces a new resource to " +
+			"be created.",
+		Schema: map[string]*schema.Schema{
+			"host": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The host domain that the certificate should be used for.",
+			},
+			"certificate": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The client certificate in PEM format.",
+			},
+			"private_key": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The private key for the certificate in PEM format.",
+			},
+			"passphrase": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				Sensitive:   true,
+				Description: "Passphrase for the private key.",
+			},
+			"trusted_ca": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "PEM formatted bundle of CA certificates that the client should trust. The bundle may contain many CA certificates.",
+			},
+		},
+	}
+}
+
+func resourceClientCertificateCreate(d *schema.ResourceData, client interface{}) error {
+	clientCertificate, err := clientCertificateFromResourceData(d)
+	if err != nil {
+		return fmt.Errorf("resourceClientCertificateCreate: translation error: %w", err)
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), apiCallTimeout())
+	defer cancel()
+	result, err := client.(checkly.Client).CreateClientCertificate(ctx, clientCertificate)
+	if err != nil {
+		return fmt.Errorf("CreateClientCertificate: API error: %w", err)
+	}
+	d.SetId(result.ID)
+	return resourceClientCertificateRead(d, client)
+}
+
+func clientCertificateFromResourceData(d *schema.ResourceData) (checkly.ClientCertificate, error) {
+	return checkly.ClientCertificate{
+		ID:          d.Id(),
+		Host:        d.Get("host").(string),
+		Certificate: d.Get("certificate").(string),
+		PrivateKey:  d.Get("private_key").(string),
+		Passphrase:  d.Get("passphrase").(string),
+		TrustedCA:   d.Get("trusted_ca").(string),
+	}, nil
+}
+
+func resourceDataFromClientCertificate(c *checkly.ClientCertificate, d *schema.ResourceData) error {
+	d.Set("host", c.Host)
+	d.Set("certificate", c.Certificate)
+	d.Set("private_key", c.PrivateKey)
+	d.Set("trusted_ca", c.TrustedCA)
+	// The backend does not return a value for Passphrase and even it did, the
+	// value would be encrypted. Thus, the value should never be modified.
+	return nil
+}
+
+func resourceClientCertificateRead(d *schema.ResourceData, client interface{}) error {
+	ctx, cancel := context.WithTimeout(context.Background(), apiCallTimeout())
+	defer cancel()
+	clientCertificate, err := client.(checkly.Client).GetClientCertificate(ctx, d.Id())
+	if err != nil {
+		if strings.Contains(err.Error(), "404") {
+			//if resource is deleted remotely, then mark it as
+			//successfully gone by unsetting it's ID
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("resourceClientCertificateRead: API error: %w", err)
+	}
+	return resourceDataFromClientCertificate(clientCertificate, d)
+}
+
+func resourceClientCertificateDelete(d *schema.ResourceData, client interface{}) error {
+	ctx, cancel := context.WithTimeout(context.Background(), apiCallTimeout())
+	defer cancel()
+	err := client.(checkly.Client).DeleteClientCertificate(ctx, d.Id())
+	if err != nil {
+		return fmt.Errorf("resourceClientCertificateDelete: API error: %w", err)
+	}
+	return nil
+}
diff --git a/checkly/resource_client_certificate_test.go b/checkly/resource_client_certificate_test.go
@@ -0,0 +1,143 @@
+package checkly
+
+import (
+	"regexp"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccClientCertificateCheckRequiredFields(t *testing.T) {
+	config := `resource "checkly_client_certificate" "test" {}`
+	accTestCase(t, []resource.TestStep{
+		{
+			Config:      config,
+			ExpectError: regexp.MustCompile(`The argument "host" is required`),
+		},
+		{
+			Config:      config,
+			ExpectError: regexp.MustCompile(`The argument "certificate" is required`),
+		},
+		{
+			Config:      config,
+			ExpectError: regexp.MustCompile(`The argument "private_key" is required`),
+		},
+	})
+}
+
+func TestAccClientCertificate(t *testing.T) {
+	config := `
+resource "checkly_client_certificate" "test" {
+  host = "*.acme.com"
+
+  certificate = <<-EOT
+			-----BEGIN CERTIFICATE-----
+			MIICDzCCAbagAwIBAgIUMTZlfGA7WcD8e4/zt2MqxvEgQPYwCgYIKoZIzj0EAwIw
+			VDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhUb29udG93bjES
+			MBAGA1UECgwJQWNtZSBJbmMuMREwDwYDVQQDDAhhY21lLmNvbTAeFw0yNTAzMDMw
+			NTQ2NTJaFw00OTEwMjMwNTQ2NTJaMHgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD
+			QTERMA8GA1UEBwwIVG9vbnRvd24xEjAQBgNVBAoMCUFjbWUgSW5jLjEXMBUGA1UE
+			AwwOV2lsZSBFLiBDb3lvdGUxHDAaBgkqhkiG9w0BCQEWDXdpbGVAYWNtZS5jb20w
+			WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATAjjDGsKFS1qgdNqziDZoD5hamTfdH
+			0P+Ukk1RIue57QYVXhQSyNzcEz15kQnwYezEqfN+FtjtTwdk/CgnAELlo0IwQDAd
+			BgNVHQ4EFgQU9C9CpZqM2WMrOs3vAYsc5GbjyzswHwYDVR0jBBgwFoAUnlOyzF/N
+			K7YmKQegLdbdyIOCT/UwCgYIKoZIzj0EAwIDRwAwRAIgGgSnBymlH4MkZCVk5DYH
+			PdnDo2Xf5uFi1Eyn2LTYP1MCIEtiGtsf0qYv6NzIPd5uTTZoB/8hPrAgM1QzWG4O
+			3C/I
+			-----END CERTIFICATE-----
+		EOT
+
+  private_key = <<-EOT
+			-----BEGIN ENCRYPTED PRIVATE KEY-----
+			MIH0MF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBA5yR3aqy8mZD2wQzp1
+			FH2JAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQA49YCnXvfJ2CsQsV
+			9C5JJwSBkNkWunSlqyeVW6OFa/+OjlLArgTGvW5ul08qu/145O9PO4Nr2CXeK5N2
+			uvHwkWGfD8IVke+sgZPUjLoHsJ4h4AnyxlNHpIxgOfm0CoXT7PTaFb//d5NC6XyB
+			K7ZpBzIThGlbuS/b9wp4MPmSaJn5Fci+84VG7KYK5RxU0fcU0rGSBynrZw803wnO
+			FjP7qaq5bw==
+			-----END ENCRYPTED PRIVATE KEY-----
+		EOT
+
+  passphrase = "secret password"
+
+  trusted_ca = <<-EOT
+			-----BEGIN CERTIFICATE-----
+			MIIB/jCCAaOgAwIBAgIUZzxdNpoDYXaNiIBsh0/s++I+ZOEwCgYIKoZIzj0EAwIw
+			VDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhUb29udG93bjES
+			MBAGA1UECgwJQWNtZSBJbmMuMREwDwYDVQQDDAhhY21lLmNvbTAeFw0yNTAzMDMw
+			NTQzMDZaFw0yNTA0MDIwNTQzMDZaMFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD
+			QTERMA8GA1UEBwwIVG9vbnRvd24xEjAQBgNVBAoMCUFjbWUgSW5jLjERMA8GA1UE
+			AwwIYWNtZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARDH3KGK6Vsk1A4
+			yGf9ItQIS3yuAOi0n0ihmPzIOOOEN0c758ETABeUdgH55bakdx6q5KYSxf4TuXsJ
+			2nCihqVVo1MwUTAdBgNVHQ4EFgQUnlOyzF/NK7YmKQegLdbdyIOCT/UwHwYDVR0j
+			BBgwFoAUnlOyzF/NK7YmKQegLdbdyIOCT/UwDwYDVR0TAQH/BAUwAwEB/zAKBggq
+			hkjOPQQDAgNJADBGAiEA/cJ9jV8MQz4ypQsFvUatrnbxyHO0f+pJhf09pAk6Kj8C
+			IQCkSbope5r0KlVdqBeFF8wCfE3plwpelve3jqVIz6MedQ==
+			-----END CERTIFICATE-----
+		EOT
+}`
+	accTestCase(t, []resource.TestStep{
+		{
+			Config: config,
+			Check: resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"checkly_client_certificate.test",
+					"host",
+					"*.acme.com",
+				),
+				resource.TestCheckResourceAttr(
+					"checkly_client_certificate.test",
+					"certificate",
+					"-----BEGIN CERTIFICATE-----\n"+
+						"MIICDzCCAbagAwIBAgIUMTZlfGA7WcD8e4/zt2MqxvEgQPYwCgYIKoZIzj0EAwIw\n"+
+						"VDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhUb29udG93bjES\n"+
+						"MBAGA1UECgwJQWNtZSBJbmMuMREwDwYDVQQDDAhhY21lLmNvbTAeFw0yNTAzMDMw\n"+
+						"NTQ2NTJaFw00OTEwMjMwNTQ2NTJaMHgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD\n"+
+						"QTERMA8GA1UEBwwIVG9vbnRvd24xEjAQBgNVBAoMCUFjbWUgSW5jLjEXMBUGA1UE\n"+
+						"AwwOV2lsZSBFLiBDb3lvdGUxHDAaBgkqhkiG9w0BCQEWDXdpbGVAYWNtZS5jb20w\n"+
+						"WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATAjjDGsKFS1qgdNqziDZoD5hamTfdH\n"+
+						"0P+Ukk1RIue57QYVXhQSyNzcEz15kQnwYezEqfN+FtjtTwdk/CgnAELlo0IwQDAd\n"+
+						"BgNVHQ4EFgQU9C9CpZqM2WMrOs3vAYsc5GbjyzswHwYDVR0jBBgwFoAUnlOyzF/N\n"+
+						"K7YmKQegLdbdyIOCT/UwCgYIKoZIzj0EAwIDRwAwRAIgGgSnBymlH4MkZCVk5DYH\n"+
+						"PdnDo2Xf5uFi1Eyn2LTYP1MCIEtiGtsf0qYv6NzIPd5uTTZoB/8hPrAgM1QzWG4O\n"+
+						"3C/I\n"+
+						"-----END CERTIFICATE-----\n",
+				),
+				resource.TestCheckResourceAttr(
+					"checkly_client_certificate.test",
+					"private_key",
+					"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"+
+						"MIH0MF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBA5yR3aqy8mZD2wQzp1\n"+
+						"FH2JAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQA49YCnXvfJ2CsQsV\n"+
+						"9C5JJwSBkNkWunSlqyeVW6OFa/+OjlLArgTGvW5ul08qu/145O9PO4Nr2CXeK5N2\n"+
+						"uvHwkWGfD8IVke+sgZPUjLoHsJ4h4AnyxlNHpIxgOfm0CoXT7PTaFb//d5NC6XyB\n"+
+						"K7ZpBzIThGlbuS/b9wp4MPmSaJn5Fci+84VG7KYK5RxU0fcU0rGSBynrZw803wnO\n"+
+						"FjP7qaq5bw==\n"+
+						"-----END ENCRYPTED PRIVATE KEY-----\n",
+				),
+				resource.TestCheckResourceAttr(
+					"checkly_client_certificate.test",
+					"passphrase",
+					"secret password",
+				),
+				resource.TestCheckResourceAttr(
+					"checkly_client_certificate.test",
+					"trusted_ca",
+					"-----BEGIN CERTIFICATE-----\n"+
+						"MIIB/jCCAaOgAwIBAgIUZzxdNpoDYXaNiIBsh0/s++I+ZOEwCgYIKoZIzj0EAwIw\n"+
+						"VDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhUb29udG93bjES\n"+
+						"MBAGA1UECgwJQWNtZSBJbmMuMREwDwYDVQQDDAhhY21lLmNvbTAeFw0yNTAzMDMw\n"+
+						"NTQzMDZaFw0yNTA0MDIwNTQzMDZaMFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD\n"+
+						"QTERMA8GA1UEBwwIVG9vbnRvd24xEjAQBgNVBAoMCUFjbWUgSW5jLjERMA8GA1UE\n"+
+						"AwwIYWNtZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARDH3KGK6Vsk1A4\n"+
+						"yGf9ItQIS3yuAOi0n0ihmPzIOOOEN0c758ETABeUdgH55bakdx6q5KYSxf4TuXsJ\n"+
+						"2nCihqVVo1MwUTAdBgNVHQ4EFgQUnlOyzF/NK7YmKQegLdbdyIOCT/UwHwYDVR0j\n"+
+						"BBgwFoAUnlOyzF/NK7YmKQegLdbdyIOCT/UwDwYDVR0TAQH/BAUwAwEB/zAKBggq\n"+
+						"hkjOPQQDAgNJADBGAiEA/cJ9jV8MQz4ypQsFvUatrnbxyHO0f+pJhf09pAk6Kj8C\n"+
+						"IQCkSbope5r0KlVdqBeFF8wCfE3plwpelve3jqVIz6MedQ==\n"+
+						"-----END CERTIFICATE-----\n",
+				),
+			),
+		},
+	})
+}
diff --git a/docs/resources/client_certificate.md b/docs/resources/client_certificate.md
@@ -0,0 +1,52 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "checkly_client_certificate Resource - terraform-provider-checkly"
+subcategory: ""
+description: |-
+  Use client certificates to authenticate your API checks to APIs that require mutual TLS (mTLS) authentication, or any other authentication scheme where the requester needs to provide a certificate.
+  Each client certificate is specific to a domain name, e.g. acme.com and will be used automatically by any API checks targeting that domain.
+  Changing the value of any attribute forces a new resource to be created.
+---
+
+# checkly_client_certificate (Resource)
+
+Use client certificates to authenticate your API checks to APIs that require mutual TLS (mTLS) authentication, or any other authentication scheme where the requester needs to provide a certificate.
+
+Each client certificate is specific to a domain name, e.g. `acme.com` and will be used automatically by any API checks targeting that domain.
+
+Changing the value of any attribute forces a new resource to be created.
+
+## Example Usage
+
+```terraform
+variable "acme_client_certificate_passphrase" {
+  type      = string
+  sensitive = true
+}
+
+resource "checkly_client_certificate" "test" {
+  host        = "*.acme.com"
+  certificate = file("${path.module}/cert.pem")
+  private_key = file("${path.module}/key.pem")
+  trusted_ca  = file("${path.module}/ca.pem")
+  passphrase  = var.acme_client_certificate_passphrase
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `certificate` (String) The client certificate in PEM format.
+- `host` (String) The host domain that the certificate should be used for.
+- `private_key` (String) The private key for the certificate in PEM format.
+
+### Optional
+
+- `passphrase` (String, Sensitive) Passphrase for the private key.
+- `trusted_ca` (String) PEM formatted bundle of CA certificates that the client should trust. The bundle may contain many CA certificates.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/examples/resources/checkly_client_certificate/resource.tf b/examples/resources/checkly_client_certificate/resource.tf
@@ -0,0 +1,12 @@
+variable "acme_client_certificate_passphrase" {
+  type      = string
+  sensitive = true
+}
+
+resource "checkly_client_certificate" "test" {
+  host        = "*.acme.com"
+  certificate = file("${path.module}/cert.pem")
+  private_key = file("${path.module}/key.pem")
+  trusted_ca  = file("${path.module}/ca.pem")
+  passphrase  = var.acme_client_certificate_passphrase
+}
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.22
 
 require (
 	github.com/aws/aws-sdk-go v1.44.122 // indirect
-	github.com/checkly/checkly-go-sdk v1.9.1
+	github.com/checkly/checkly-go-sdk v1.10.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-cmp v0.6.0
 	github.com/gruntwork-io/terratest v0.41.16
diff --git a/go.sum b/go.sum
@@ -240,8 +240,8 @@ github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTS
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/checkly/checkly-go-sdk v1.9.1 h1:eXDdrDJsp/xDd3mdEIJOlZvwtCW6VXBEYQmeDzlCWic=
-github.com/checkly/checkly-go-sdk v1.9.1/go.mod h1:Pd6tBOggAe41NnCU5KwqA8JvD6J20/IctszT2E0AvHo=
+github.com/checkly/checkly-go-sdk v1.10.0 h1:8TtVf0nwKzDRKHhZmb+8bFYLcgzE1K4vxgVy/XOgOyg=
+github.com/checkly/checkly-go-sdk v1.10.0/go.mod h1:Pd6tBOggAe41NnCU5KwqA8JvD6J20/IctszT2E0AvHo=
 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=

-Original file line number
+Diff line change
 require (
 	github.com/aws/aws-sdk-go v1.44.122 // indirect
 -	github.com/checkly/checkly-go-sdk v1.9.1
 +	github.com/checkly/checkly-go-sdk v1.10.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-cmp v0.6.0
 	github.com/gruntwork-io/terratest v0.41.16