2023-05-02 10:33:06 -05:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2018-03-16 20:53:21 -05:00
|
|
|
package http
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/tls"
|
2023-01-26 08:08:07 -06:00
|
|
|
"crypto/x509"
|
|
|
|
|
"errors"
|
2018-03-16 20:53:21 -05:00
|
|
|
"fmt"
|
2021-11-29 17:45:35 -06:00
|
|
|
"log"
|
2018-03-16 20:53:21 -05:00
|
|
|
"net/http"
|
|
|
|
|
"net/url"
|
2019-06-05 15:12:07 -05:00
|
|
|
"time"
|
2018-03-16 20:53:21 -05:00
|
|
|
|
2019-06-05 15:12:07 -05:00
|
|
|
"github.com/hashicorp/go-retryablehttp"
|
2023-01-26 08:08:07 -06:00
|
|
|
|
2023-09-20 06:35:35 -05:00
|
|
|
"github.com/opentofu/opentofu/internal/backend"
|
|
|
|
|
"github.com/opentofu/opentofu/internal/legacy/helper/schema"
|
|
|
|
|
"github.com/opentofu/opentofu/internal/logging"
|
|
|
|
|
"github.com/opentofu/opentofu/internal/states/remote"
|
|
|
|
|
"github.com/opentofu/opentofu/internal/states/statemgr"
|
2018-03-16 20:53:21 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func New() backend.Backend {
|
|
|
|
|
s := &schema.Backend{
|
|
|
|
|
Schema: map[string]*schema.Schema{
|
|
|
|
|
"address": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Required: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_ADDRESS", nil),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The address of the REST endpoint",
|
|
|
|
|
},
|
|
|
|
|
"update_method": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_UPDATE_METHOD", "POST"),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "HTTP method to use when updating state",
|
|
|
|
|
},
|
|
|
|
|
"lock_address": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_LOCK_ADDRESS", nil),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The address of the lock REST endpoint",
|
|
|
|
|
},
|
|
|
|
|
"unlock_address": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_UNLOCK_ADDRESS", nil),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The address of the unlock REST endpoint",
|
|
|
|
|
},
|
|
|
|
|
"lock_method": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_LOCK_METHOD", "LOCK"),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The HTTP method to use when locking",
|
|
|
|
|
},
|
|
|
|
|
"unlock_method": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_UNLOCK_METHOD", "UNLOCK"),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The HTTP method to use when unlocking",
|
|
|
|
|
},
|
|
|
|
|
"username": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_USERNAME", nil),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The username for HTTP basic authentication",
|
|
|
|
|
},
|
|
|
|
|
"password": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_PASSWORD", nil),
|
2018-03-16 20:53:21 -05:00
|
|
|
Description: "The password for HTTP basic authentication",
|
|
|
|
|
},
|
|
|
|
|
"skip_cert_verification": &schema.Schema{
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: "Whether to skip TLS verification.",
|
|
|
|
|
},
|
2019-06-05 15:12:07 -05:00
|
|
|
"retry_max": &schema.Schema{
|
|
|
|
|
Type: schema.TypeInt,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_RETRY_MAX", 2),
|
2019-06-05 15:12:07 -05:00
|
|
|
Description: "The number of HTTP request retries.",
|
|
|
|
|
},
|
|
|
|
|
"retry_wait_min": &schema.Schema{
|
|
|
|
|
Type: schema.TypeInt,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_RETRY_WAIT_MIN", 1),
|
2019-06-05 15:12:07 -05:00
|
|
|
Description: "The minimum time in seconds to wait between HTTP request attempts.",
|
|
|
|
|
},
|
|
|
|
|
"retry_wait_max": &schema.Schema{
|
|
|
|
|
Type: schema.TypeInt,
|
|
|
|
|
Optional: true,
|
2020-09-02 07:35:08 -05:00
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_RETRY_WAIT_MAX", 30),
|
2019-06-05 15:12:07 -05:00
|
|
|
Description: "The maximum time in seconds to wait between HTTP request attempts.",
|
|
|
|
|
},
|
2023-01-26 08:08:07 -06:00
|
|
|
"client_ca_certificate_pem": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
|
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_CLIENT_CA_CERTIFICATE_PEM", ""),
|
|
|
|
|
Description: "A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.",
|
|
|
|
|
},
|
|
|
|
|
"client_certificate_pem": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
|
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_CLIENT_CERTIFICATE_PEM", ""),
|
|
|
|
|
Description: "A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.",
|
|
|
|
|
},
|
|
|
|
|
"client_private_key_pem": &schema.Schema{
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
|
|
|
|
DefaultFunc: schema.EnvDefaultFunc("TF_HTTP_CLIENT_PRIVATE_KEY_PEM", ""),
|
|
|
|
|
Description: "A PEM-encoded private key, required if client_certificate_pem is specified.",
|
|
|
|
|
},
|
2018-03-16 20:53:21 -05:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b := &Backend{Backend: s}
|
|
|
|
|
b.Backend.ConfigureFunc = b.configure
|
|
|
|
|
return b
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Backend struct {
|
|
|
|
|
*schema.Backend
|
|
|
|
|
|
|
|
|
|
client *httpClient
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-26 08:08:07 -06:00
|
|
|
// configureTLS configures TLS when needed; if there are no conditions requiring TLS, no change is made.
|
|
|
|
|
func (b *Backend) configureTLS(client *retryablehttp.Client, data *schema.ResourceData) error {
|
|
|
|
|
// If there are no conditions needing to configure TLS, leave the client untouched
|
|
|
|
|
skipCertVerification := data.Get("skip_cert_verification").(bool)
|
|
|
|
|
clientCACertificatePem := data.Get("client_ca_certificate_pem").(string)
|
|
|
|
|
clientCertificatePem := data.Get("client_certificate_pem").(string)
|
|
|
|
|
clientPrivateKeyPem := data.Get("client_private_key_pem").(string)
|
|
|
|
|
if !skipCertVerification && clientCACertificatePem == "" && clientCertificatePem == "" && clientPrivateKeyPem == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
if clientCertificatePem != "" && clientPrivateKeyPem == "" {
|
|
|
|
|
return fmt.Errorf("client_certificate_pem is set but client_private_key_pem is not")
|
|
|
|
|
}
|
|
|
|
|
if clientPrivateKeyPem != "" && clientCertificatePem == "" {
|
|
|
|
|
return fmt.Errorf("client_private_key_pem is set but client_certificate_pem is not")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TLS configuration is needed; create an object and configure it
|
|
|
|
|
var tlsConfig tls.Config
|
|
|
|
|
client.HTTPClient.Transport.(*http.Transport).TLSClientConfig = &tlsConfig
|
|
|
|
|
|
|
|
|
|
if skipCertVerification {
|
|
|
|
|
// ignores TLS verification
|
|
|
|
|
tlsConfig.InsecureSkipVerify = true
|
|
|
|
|
}
|
|
|
|
|
if clientCACertificatePem != "" {
|
|
|
|
|
// trust servers based on a CA
|
|
|
|
|
tlsConfig.RootCAs = x509.NewCertPool()
|
|
|
|
|
if !tlsConfig.RootCAs.AppendCertsFromPEM([]byte(clientCACertificatePem)) {
|
|
|
|
|
return errors.New("failed to append certs")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if clientCertificatePem != "" && clientPrivateKeyPem != "" {
|
|
|
|
|
// attach a client certificate to the TLS handshake (aka mTLS)
|
|
|
|
|
certificate, err := tls.X509KeyPair([]byte(clientCertificatePem), []byte(clientPrivateKeyPem))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("cannot load client certificate: %w", err)
|
|
|
|
|
}
|
|
|
|
|
tlsConfig.Certificates = []tls.Certificate{certificate}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-16 20:53:21 -05:00
|
|
|
func (b *Backend) configure(ctx context.Context) error {
|
|
|
|
|
data := schema.FromContextBackendConfig(ctx)
|
|
|
|
|
|
|
|
|
|
address := data.Get("address").(string)
|
|
|
|
|
updateURL, err := url.Parse(address)
|
|
|
|
|
if err != nil {
|
2023-09-14 05:57:12 -05:00
|
|
|
return fmt.Errorf("failed to parse address URL: %w", err)
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
|
|
|
|
if updateURL.Scheme != "http" && updateURL.Scheme != "https" {
|
|
|
|
|
return fmt.Errorf("address must be HTTP or HTTPS")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
updateMethod := data.Get("update_method").(string)
|
|
|
|
|
|
|
|
|
|
var lockURL *url.URL
|
|
|
|
|
if v, ok := data.GetOk("lock_address"); ok && v.(string) != "" {
|
|
|
|
|
var err error
|
|
|
|
|
lockURL, err = url.Parse(v.(string))
|
|
|
|
|
if err != nil {
|
2023-09-14 05:57:12 -05:00
|
|
|
return fmt.Errorf("failed to parse lockAddress URL: %w", err)
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
|
|
|
|
if lockURL.Scheme != "http" && lockURL.Scheme != "https" {
|
|
|
|
|
return fmt.Errorf("lockAddress must be HTTP or HTTPS")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
lockMethod := data.Get("lock_method").(string)
|
|
|
|
|
|
|
|
|
|
var unlockURL *url.URL
|
|
|
|
|
if v, ok := data.GetOk("unlock_address"); ok && v.(string) != "" {
|
|
|
|
|
var err error
|
|
|
|
|
unlockURL, err = url.Parse(v.(string))
|
|
|
|
|
if err != nil {
|
2023-09-14 05:57:12 -05:00
|
|
|
return fmt.Errorf("failed to parse unlockAddress URL: %w", err)
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
|
|
|
|
if unlockURL.Scheme != "http" && unlockURL.Scheme != "https" {
|
|
|
|
|
return fmt.Errorf("unlockAddress must be HTTP or HTTPS")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unlockMethod := data.Get("unlock_method").(string)
|
|
|
|
|
|
2019-06-05 15:12:07 -05:00
|
|
|
rClient := retryablehttp.NewClient()
|
|
|
|
|
rClient.RetryMax = data.Get("retry_max").(int)
|
|
|
|
|
rClient.RetryWaitMin = time.Duration(data.Get("retry_wait_min").(int)) * time.Second
|
|
|
|
|
rClient.RetryWaitMax = time.Duration(data.Get("retry_wait_max").(int)) * time.Second
|
2021-11-29 17:45:35 -06:00
|
|
|
rClient.Logger = log.New(logging.LogOutput(), "", log.Flags())
|
2023-01-26 08:08:07 -06:00
|
|
|
if err = b.configureTLS(rClient, data); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-06-05 15:12:07 -05:00
|
|
|
|
2018-03-16 20:53:21 -05:00
|
|
|
b.client = &httpClient{
|
|
|
|
|
URL: updateURL,
|
|
|
|
|
UpdateMethod: updateMethod,
|
|
|
|
|
|
|
|
|
|
LockURL: lockURL,
|
|
|
|
|
LockMethod: lockMethod,
|
|
|
|
|
UnlockURL: unlockURL,
|
|
|
|
|
UnlockMethod: unlockMethod,
|
|
|
|
|
|
|
|
|
|
Username: data.Get("username").(string),
|
|
|
|
|
Password: data.Get("password").(string),
|
|
|
|
|
|
|
|
|
|
// accessible only for testing use
|
2019-06-05 15:12:07 -05:00
|
|
|
Client: rClient,
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-08 15:09:14 -06:00
|
|
|
func (b *Backend) StateMgr(name string) (statemgr.Full, error) {
|
2018-03-16 20:53:21 -05:00
|
|
|
if name != backend.DefaultStateName {
|
2018-10-31 10:45:03 -05:00
|
|
|
return nil, backend.ErrWorkspacesNotSupported
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &remote.State{Client: b.client}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-08 15:09:14 -06:00
|
|
|
func (b *Backend) Workspaces() ([]string, error) {
|
2018-10-31 10:45:03 -05:00
|
|
|
return nil, backend.ErrWorkspacesNotSupported
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
|
|
|
|
|
2023-11-08 15:09:14 -06:00
|
|
|
func (b *Backend) DeleteWorkspace(string, bool) error {
|
2018-10-31 10:45:03 -05:00
|
|
|
return backend.ErrWorkspacesNotSupported
|
2018-03-16 20:53:21 -05:00
|
|
|
}
|
