feat(iot): Add ability to set user device certificate (#859)

* feat(iot): add ability to set user device certificate

* test(iot): add test for user device certificate

* test(iot): use unique resource names in tests to prevent conflict between tests set

* test(iot): update cassettes for iot-device-minimal

* chore: add a SECURITY.md (#872)

* feat(domain): add record resource (#854)

Co-authored-by: Jeremy JACQUEMIN <[email protected]>

* doc: fix default runtime on k8s_pool (#873)

Co-authored-by: Jerome Malinge <[email protected]>
Co-authored-by: Rémy Léone <[email protected]>
Co-authored-by: jerjako <[email protected]>
Co-authored-by: Jeremy JACQUEMIN <[email protected]>
Co-authored-by: Jérémy THERIN <[email protected]>
Co-authored-by: jaime Bernabe <[email protected]>

Author: 6 people

docs/resources/iot_device.md

@@ -27,6 +27,27 @@ resource scaleway_iot_device main {
 }
 ```
 
+### With custom certificate
+
+```hcl
+resource scaleway_iot_hub main {
+    name         = "test-iot"
+    product_plan = "plan_shared"
+}
+
+data local_file device_cert {
+    filename = "device-certificate.pem"
+}
+
+resource scaleway_iot_device main {
+    hub_id = scaleway_iot_hub.main.id
+    name   = "test-iot"
+    certificate {
+        crt = data.local_file.device_cert.content
+    }
+}
+```
+
 ## Arguments Reference
 
 The following arguments are supported:
@@ -55,6 +76,9 @@ The following arguments are supported:
         - `policy` (Optional) Same as publish rules.
         - `topics` (Optional) Same as publish rules.
 
+- `certificate.crt` - (Optional) The certificate of the device, either generated by Scaleway or provided.
+
+~> **Important:** Updates to `certificate.crt` will disconnect connected devices and the previous certificate will be deleted and won't be recoverable.
 
 ## Attributes Reference
 
@@ -64,8 +88,7 @@ In addition to all arguments above, the following attributes are exported:
 - `created_at` - The date and time the device was created.
 - `updated_at` - The date and time the device resource was updated.
 - `certificate` - The certificate bundle of the device.
-    - `crt` - The certificate of the device.
-    - `key` - The private key of the device.
+    - `key` - The private key of the device, in case it is generated by Scaleway.
 - `status` - The current status of the device.
 - `last_activity_at` - The last MQTT activity of the device.
 - `is_connected` - The current connection status of the device.

scaleway/resource_iot_device.go

@@ -119,18 +119,7 @@ func resourceScalewayIotDevice() *schema.Resource {
 					},
 				},
 			},
-			// Computed elements
-			"region": regionSchema(),
-			"created_at": {
-				Type:        schema.TypeString,
-				Computed:    true,
-				Description: "The date and time of the creation of the device",
-			},
-			"updated_at": {
-				Type:        schema.TypeString,
-				Computed:    true,
-				Description: "The date and time of the last update of the device",
-			},
+			// Provided or computed elements
 			"certificate": {
 				Type:        schema.TypeList,
 				MaxItems:    1,
@@ -141,18 +130,32 @@ func resourceScalewayIotDevice() *schema.Resource {
 					Schema: map[string]*schema.Schema{
 						"crt": {
 							Type:        schema.TypeString,
+							Optional:    true,
 							Computed:    true,
+							Sensitive:   true,
 							Description: "X509 PEM encoded certificate of the device",
 						},
 						"key": {
 							Type:        schema.TypeString,
 							Computed:    true,
-							Description: "X509 PEM encoded key of the device",
 							Sensitive:   true,
+							Description: "X509 PEM encoded key of the device",
 						},
 					},
 				},
 			},
+			// Computed elements
+			"region": regionSchema(),
+			"created_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The date and time of the creation of the device",
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The date and time of the last update of the device",
+			},
 			"status": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -242,12 +245,26 @@ func resourceScalewayIotDeviceCreate(ctx context.Context, d *schema.ResourceData
 
 	d.SetId(newRegionalIDString(region, res.Device.ID))
 
-	// Certificate and Key cannot be retreived later
-	cert := map[string]interface{}{
-		"crt": res.Certificate.Crt,
-		"key": res.Certificate.Key,
+	// If user certifcate is provided.
+	if devCrt, ok := d.GetOk("certificate.0.crt"); ok {
+		// Set user certificate to device.
+		// It cannot currently be added in the create device request.
+		_, err := iotAPI.SetDeviceCertificate(&iot.SetDeviceCertificateRequest{
+			Region:         region,
+			DeviceID:       res.Device.ID,
+			CertificatePem: devCrt.(string),
+		}, scw.WithContext(ctx))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	} else {
+		// Update certificate and key as they cannot be retreived later.
+		cert := map[string]interface{}{
+			"crt": res.Certificate.Crt,
+			"key": res.Certificate.Key,
+		}
+		_ = d.Set("certificate", []map[string]interface{}{cert})
 	}
-	_ = d.Set("certificate", []map[string]interface{}{cert})
 
 	return resourceScalewayIotDeviceRead(ctx, d, meta)
 }
@@ -319,11 +336,32 @@ func resourceScalewayIotDeviceRead(ctx context.Context, d *schema.ResourceData,
 		_ = d.Set("message_filters", []map[string]interface{}{mf})
 	}
 
+	////
+	// Read Device certificate
+	////
+
+	// As we cannot read the key, we get back it from cache and do not change it.
+	if devCrtKey, ok := d.GetOk("certificate.0.key"); ok {
+		devCrt, err := iotAPI.GetDeviceCertificate(&iot.GetDeviceCertificateRequest{
+			Region:   region,
+			DeviceID: deviceID,
+		}, scw.WithContext(ctx))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		// Set device certificate.
+		cert := map[string]interface{}{
+			"crt": devCrt.CertificatePem,
+			"key": devCrtKey.(string),
+		}
+		_ = d.Set("certificate", []map[string]interface{}{cert})
+	}
+
 	return nil
 }
 
 func resourceScalewayIotDeviceUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	iotAPI, region, hubID, err := iotAPIWithRegionAndID(meta, d.Id())
+	iotAPI, region, deviceID, err := iotAPIWithRegionAndID(meta, d.Id())
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -333,7 +371,7 @@ func resourceScalewayIotDeviceUpdate(ctx context.Context, d *schema.ResourceData
 	////
 	updateRequest := &iot.UpdateDeviceRequest{
 		Region:   region,
-		DeviceID: hubID,
+		DeviceID: deviceID,
 	}
 
 	if d.HasChange("allow_insecure") {
@@ -387,6 +425,20 @@ func resourceScalewayIotDeviceUpdate(ctx context.Context, d *schema.ResourceData
 		return diag.FromErr(err)
 	}
 
+	////
+	// Set the device certificate if changed
+	////
+	if d.HasChange("certificate.0.crt") {
+		_, err := iotAPI.SetDeviceCertificate(&iot.SetDeviceCertificateRequest{
+			Region:         region,
+			DeviceID:       deviceID,
+			CertificatePem: d.Get("certificate.0.crt").(string),
+		}, scw.WithContext(ctx))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	return resourceScalewayIotDeviceRead(ctx, d, meta)
 }