Skip to content

Commit

Permalink
Deprecate private key fields in IAM Service
Browse files Browse the repository at this point in the history
Signed-off-by: Andy Lo-A-Foe <[email protected]>
  • Loading branch information
loafoe committed Oct 8, 2024
1 parent d077593 commit fd0bee0
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 4 deletions.
4 changes: 2 additions & 2 deletions docs/resources/iam_service.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,9 +75,9 @@ The following arguments are supported:
* `validity` - (Optional) Integer. Validity of service (in months). Minimum: 1, Maximum: 600 (5 years), Default: 12
* `token_validity` - (Optional) Integer. Access Token Lifetime (in seconds). Default: 1800 (30 minutes), Maximum: 2592000 (30 days)
* `default_scopes` - (Required) Array. Default scopes. You do not have to specify these explicitly when requesting a token. Minimum: ["openid"]
* `self_managed_private_key` - (Optional) RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
* `self_managed_private_key` - (Deprecated, Optional) RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM
* `self_managed_expires_on` - (Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
* `self_managed_expires_on` - (Deprecated, Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
* `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service.
This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`

Expand Down
6 changes: 4 additions & 2 deletions internal/services/iam/service/resource_iam_service.go
Original file line number Diff line number Diff line change
Expand Up @@ -86,11 +86,13 @@ func ResourceIAMService() *schema.Resource {
Optional: true,
Description: "RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
"Mutually exclusive with `self_managed_certificate`",
Deprecated: "Use 'self_managed_certificate' instead. This will be removed in a future version",
},
"self_managed_expires_on": {
Type: schema.TypeString,
Optional: true,
Description: "Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.\nOnly applicable when `self_managed_private_key` is used",
Deprecated: "Use 'self_managed_certificate' instead. This will be removed in a future version",
},
"self_managed_certificate": {
Type: schema.TypeString,
Expand Down Expand Up @@ -189,7 +191,7 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
}
_ = d.Set("private_key", iam.FixPEM(createdService.PrivateKey))

// Set certificate if set from the get go
// Set certificate if set from the get-go
if selfPrivateKey != "" {
diags = setSelfManagedPrivateKey(client, *createdService, d)
if len(diags) > 0 {
Expand Down Expand Up @@ -320,7 +322,7 @@ func resourceIAMServiceUpdate(ctx context.Context, d *schema.ResourceData, m int
privateKey := d.Get("private_key").(string)

if newPrivateKey.(string) == "" && newCertificate.(string) == "" && privateKey == "" {
return diag.FromErr(fmt.Errorf("you cannot revert to a server side managed private key once you set a self managed private key or certificate"))
return resourceIAMServiceRead(ctx, d, m) // Don't update anything
}
if newCertificate.(string) != "" && newPrivateKey.(string) != "" {
return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))
Expand Down

0 comments on commit fd0bee0

Please sign in to comment.