Merge pull request #430 from koendelaat/fix/cn_check

Fix CommonName check for IAM Service Certificate
philips-software · Sep 19, 2024 · 47af62f · 47af62f
2 parents 85836df + b82c726
commit 47af62f
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/docs/resources/iam_service.md b/docs/resources/iam_service.md
@@ -28,6 +28,42 @@ resource "hsdp_iam_service" "testservice" {
 }
 ```
 
+The followin example creates a service with an external managed certificate
+
+```hcl
+resource "tls_private_key" "testservice" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "tls_self_signed_cert" "testservice" {
+  private_key_pem = tls_private_key.testservice.private_key_pem
+
+  subject {
+    common_name  = "testservice." # Should match `service.name` + "." (dot)
+  }
+
+  validity_period_hours = 24
+
+  allowed_uses = [  ]
+}
+
+resource "hsdp_iam_service" "testservice" {
+  name                = "testservice"
+  description         = "Test service"
+  application_id      = var.app_id
+
+  validity            = 12   # Months
+  
+  token_validity      = 3600 # Seconds
+
+  scopes              = ["openid"]
+  default_scopes      = ["openid"]
+  
+  self_managed_certificate = tls_self_signed_cert.testservice.cert_pem
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -42,6 +78,8 @@ The following arguments are supported:
 * `self_managed_private_key` - (Optional)  RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
   IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM
 * `self_managed_expires_on` - (Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
+* `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service.
+  This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`
 
 ## Attributes Reference
 

diff --git a/internal/services/iam/service/resource_iam_service.go b/internal/services/iam/service/resource_iam_service.go
@@ -416,8 +416,8 @@ func setSelfManagedCertificate(client *iam.Client, service iam.Service, d *schem
 		return diag.FromErr(fmt.Errorf("parsing certificate: %w", err))
 	}
 	commonName := cert.Subject.CommonName
-	if commonName != service.ServiceID {
-		return diag.FromErr(fmt.Errorf("certificate subject CommonName should match `service_id`: %s != %s", commonName, service.ServiceID))
+	if commonName != fmt.Sprintf("%s.", service.Name) {
+		return diag.FromErr(fmt.Errorf("certificate subject CommonName should match `service_name + \".\"`: %s != %s", commonName, fmt.Sprintf("%s.", service.Name)))
 	}
 	_, _, err = client.Services.UpdateServiceCertificateDER(service, block.Bytes)
 	if err != nil {