Merge pull request #3 from gordonbondon/cacert_support

Add support for custom CA cert

README.md

@@ -24,6 +24,8 @@ provider "elasticsearch" {
     aws_access_key = ""
     aws_secret_key = ""
     aws_token = "" # if necessary
+    insecure = true # to bypass certificate check
+    cacert_file = "/path/to/ca.crt" # when connecting to elastic with self-signed certificate
 }
 
 resource "elasticsearch_index_template" "test" {

provider.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"log"
 	"net/http"
 	"net/url"
@@ -9,6 +11,7 @@ import (
 	awscredentials "github.com/aws/aws-sdk-go/aws/credentials"
 	awssigv4 "github.com/aws/aws-sdk-go/aws/signer/v4"
 	"github.com/deoxxa/aws_signing_client"
+	"github.com/hashicorp/terraform/helper/pathorcontents"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
 	elastic "gopkg.in/olivere/elastic.v5"
@@ -46,12 +49,26 @@ func Provider() terraform.ResourceProvider {
 				Default:     "",
 				Description: "The session token for use with AWS Elasticsearch Service domains",
 			},
+
+			"cacert_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "",
+				Description: "A Custom CA certificate",
+			},
+
+			"insecure": &schema.Schema{
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Disable SSL verification of API calls",
+			},
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
 			"elasticsearch_index_template":      resourceElasticsearchIndexTemplate(),
 			"elasticsearch_snapshot_repository": resourceElasticsearchSnapshotRepository(),
-			"elasticsearch_kibana_object": resourceElasticsearchKibanaObject(),
+			"elasticsearch_kibana_object":       resourceElasticsearchKibanaObject(),
 		},
 
 		ConfigureFunc: providerConfigure,
@@ -60,6 +77,8 @@ func Provider() terraform.ResourceProvider {
 
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	rawUrl := d.Get("url").(string)
+	insecure := d.Get("insecure").(bool)
+	cacertFile := d.Get("cacert_file").(string)
 	parsedUrl, err := url.Parse(rawUrl)
 	if err != nil {
 		return nil, err
@@ -72,6 +91,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	if m := awsUrlRegexp.FindStringSubmatch(parsedUrl.Hostname()); m != nil {
 		log.Printf("[INFO] Using AWS: %+v", m[1])
 		opts = append(opts, elastic.SetHttpClient(awsHttpClient(m[1], d)), elastic.SetSniff(false))
+	} else if insecure || cacertFile != "" {
+		opts = append(opts, elastic.SetHttpClient(tlsHttpClient(d)), elastic.SetSniff(false))
 	}
 
 	return elastic.NewClient(opts...)
@@ -93,3 +114,31 @@ func awsHttpClient(region string, d *schema.ResourceData) *http.Client {
 
 	return client
 }
+
+func tlsHttpClient(d *schema.ResourceData) *http.Client {
+	insecure := d.Get("insecure").(bool)
+	cacertFile := d.Get("cacert_file").(string)
+
+	// Configure TLS/SSL
+	tlsConfig := &tls.Config{}
+
+	// If a cacertFile has been specified, use that for cert validation
+	if cacertFile != "" {
+		caCert, _, _ := pathorcontents.Read(cacertFile)
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(caCert))
+		tlsConfig.RootCAs = caCertPool
+	}
+
+	// If configured as insecure, turn off SSL verification
+	if insecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
+	transport := &http.Transport{TLSClientConfig: tlsConfig}
+
+	client := &http.Client{Transport: transport}
+
+	return client
+}

website/source/docs/providers/elasticsearch/index.html.markdown

@@ -62,3 +62,5 @@ The following arguments are supported:
 * `aws_access_key` - (Optional) The access key for use with AWS Elasticsearch Service domains. It can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable.
 * `aws_secret_key` - (Optional) The secret key for use with AWS Elasticsearch Service domains. It can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable.
 * `aws_token` - (Optional) The session token for use with AWS Elasticsearch Service domains. It can also be sourced from the `AWS_SESSION_TOKEN` environment variable.
+* `cacert_file` - (Optional) Specify a custom CA certificate when communicating over SSL. You can specify either a path to the file or the contents of the certificate.
+* `insecure` - (Optional) Trust self-signed certificates.