diff --git a/docs/resources/iam_service.md b/docs/resources/iam_service.md index a1469b5c..18fbd794 100644 --- a/docs/resources/iam_service.md +++ b/docs/resources/iam_service.md @@ -28,6 +28,42 @@ resource "hsdp_iam_service" "testservice" { } ``` +The followin example creates a service with an external managed certificate + +```hcl +resource "tls_private_key" "testservice" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "tls_self_signed_cert" "testservice" { + private_key_pem = tls_private_key.testservice.private_key_pem + + subject { + common_name = "testservice." # Should match `service.name` + "." (dot) + } + + validity_period_hours = 24 + + allowed_uses = [ ] +} + +resource "hsdp_iam_service" "testservice" { + name = "testservice" + description = "Test service" + application_id = var.app_id + + validity = 12 # Months + + token_validity = 3600 # Seconds + + scopes = ["openid"] + default_scopes = ["openid"] + + self_managed_certificate = tls_self_signed_cert.testservice.cert_pem +} +``` + ## Argument Reference The following arguments are supported: @@ -42,6 +78,8 @@ The following arguments are supported: * `self_managed_private_key` - (Optional) RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM * `self_managed_expires_on` - (Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years. +* `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. + This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key` ## Attributes Reference 
diff --git a/internal/services/iam/service/resource_iam_service.go b/internal/services/iam/service/resource_iam_service.go
index 1e39541c..14c07827 100644
--- a/internal/services/iam/service/resource_iam_service.go
+++ b/internal/services/iam/service/resource_iam_service.go
@@ -416,8 +416,8 @@ func setSelfManagedCertificate(client *iam.Client, service iam.Service, d *schem
 return diag.FromErr(fmt.Errorf("parsing certificate: %w", err))
 }
 commonName := cert.Subject.CommonName
- if commonName != service.ServiceID {
- return diag.FromErr(fmt.Errorf("certificate subject CommonName should match `service_id`: %s != %s", commonName, service.ServiceID))
+ if commonName != fmt.Sprintf("%s.", service.Name) {
+ return diag.FromErr(fmt.Errorf("certificate subject CommonName should match `service_name + \".\"`: %s != %s", commonName, fmt.Sprintf("%s.", service.Name)))
 }
 _, _, err = client.Services.UpdateServiceCertificateDER(service, block.Bytes)
 if err != nil {
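Review bot: The expected CommonName is built twice with `fmt.Sprintf("%s.", service.Name)` in the new `if` and again in its error message, and both sides are printed with `%s`, so an empty or whitespace-padded CN taken from the user-supplied certificate yields a message that is hard to read and easy to misjudge. Hoist it once as `expected := service.Name + "."`, compare with `if commonName != expected {`, and format the mismatch as `%q != %q` with `commonName, expected` so the exact bytes of the rejected CN are visible. The hunk only shows this client-side CN comparison before `UpdateServiceCertificateDER`; whether IAM re-validates the binding server-side is not visible here, so if this check is the only one, a short comment stating that the CN is the binding between the certificate and the service (matching the `service.name` + "." rule in the docs hunk) would help the next maintainer. setSelfManagedCertificate starts and ends outside the hunk.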