dnsimple / terraform-provider-dnsimple

Terraform DNSimple provider.
https://www.terraform.io/docs/providers/dnsimple/
Mozilla Public License 2.0

Adds a certificate data source #4

Closed JamesBelchamber closed 2 years ago

JamesBelchamber commented 6 years ago

This allows SSL Certificates created in DNSimple to be applied to other terraform resources. Fixes #3

JamesBelchamber commented 6 years ago

Hey @radeksimko - thanks for the review :)

DNSimple is an old-school certificate provider - "creating" (ordering) a certificate is a manual process that cannot be done through the API, and costs a significant amount. This is similar in process to the AWS ACM certificates, which can be referenced as data sources in the AWS provider but cannot be created.

nbering commented 6 years ago

Do you think DNSimple might have a testing endpoint they'd be willing to share for acceptance tests? Since they make a commission on certificates it might be in their interest financially to support this feature.

JamesBelchamber commented 6 years ago

Actually, there is an endpoint in their sandbox environment: https://developer.dnsimple.com/sandbox/

Unfortunately, testing SSL certificates is not supported:

Testing working with certificates is at the moment not supported within the sandbox because certificate validation requires actual DNS service.

weppos commented 6 years ago

DNSimple is an old-school certificate provider - "creating" (ordering) a certificate is a manual process that cannot be done through the API, and costs a significant amount.

@JamesBelchamber actually we are releasing this endpoint these days. It means the order process could be automated as well.

The flow will be:

  1. you create the order
  2. you submit the order
  3. you'll either poll or subscribe to webhook when the cert is ready

Do you think DNSimple might have a testing endpoint they'd be willing to share for acceptance tests? Since they make a commission on certificates it might be in their interest financially to support this feature.

Acceptance tests will have to run on production, as we won't be able to support it for sandbox for quite a while. Also, we'll only support automatic certificate creation for Let's Encrypt, and LE certificates are free.

We won't support it for standard certificates. It's also quite hard for us to support it via a test account, due to potential abuses.

There are also limitations on sandbox that you pointed out. Unfortunately it's quite hard even for us to provide a full testing environment for certificates, as CAs don't always have a sandbox env or the requirements don't fully match our sandbox definition.
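The create/submit/poll flow weppos outlines above, as an added example that is not part of this PR, of the provider, or of the dnsimple-go client. The endpoint paths, the JSON envelope, the state names ("new", "requesting", "issued") and the account and certificate identifiers are all assumptions made for the example; the server it talks to is a constructed stand-in so the code runs offline. What it is meant to show is the shape a provider would need: the API token travels in the Authorization header and never in a URL, every non-2xx response is an error rather than being decoded, and polling is bounded by a deadline so a stuck order cannot hang an apply forever.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Certificate is the subset of a certificate record this example needs.
// The JSON shape is an assumption for the example, not copied from DNSimple docs.
type Certificate struct {
	ID    int    `json:"id"`
	State string `json:"state"`
}

type envelope struct {
	Data Certificate `json:"data"`
}

// Client talks to a DNSimple-style v2 API; the path layout below is assumed.
type Client struct {
	BaseURL, Token, Account, Domain string
	HTTP                           *http.Client
}

func (c *Client) call(method, path string) (Certificate, error) {
	req, err := http.NewRequest(method, c.BaseURL+path, nil)
	if err != nil {
		return Certificate{}, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token) // token in a header, never in the URL
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return Certificate{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // do not decode error bodies as if they were certificates
		return Certificate{}, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	var env envelope
	if err := json.NewDecoder(resp.Body).Decode(&env); err != nil {
		return Certificate{}, err
	}
	return env.Data, nil
}

func (c *Client) certPath(suffix string) string {
	return fmt.Sprintf("/v2/%s/domains/%s/certificates%s", c.Account, c.Domain, suffix)
}

// OrderAndWait runs the three steps: create the order, submit it, poll until issued.
// Polling stops on a terminal state or when timeout elapses.
func (c *Client) OrderAndWait(timeout, interval time.Duration) (Certificate, error) {
	cert, err := c.call(http.MethodPost, c.certPath("/letsencrypt"))
	if err != nil {
		return Certificate{}, fmt.Errorf("create order: %w", err)
	}
	if _, err := c.call(http.MethodPost, c.certPath(fmt.Sprintf("/letsencrypt/%d/issue", cert.ID))); err != nil {
		return Certificate{}, fmt.Errorf("submit order: %w", err)
	}
	deadline := time.Now().Add(timeout)
	for {
		if cert, err = c.call(http.MethodGet, c.certPath(fmt.Sprintf("/%d", cert.ID))); err != nil {
			return Certificate{}, fmt.Errorf("poll: %w", err)
		}
		switch cert.State {
		case "issued":
			return cert, nil
		case "failed", "cancelled":
			return cert, fmt.Errorf("order %d ended in state %q", cert.ID, cert.State)
		}
		if time.Now().After(deadline) {
			return cert, errors.New("timed out waiting for certificate")
		}
		time.Sleep(interval)
	}
}

// NewFakeDNSimple is a constructed stand-in for the sandbox: it demands the bearer
// token and reports the order as "issued" on the pollsUntilIssued-th status GET.
func NewFakeDNSimple(token string, pollsUntilIssued int) *httptest.Server {
	var mu sync.Mutex
	polls, state := 0, "new"
	write := func(w http.ResponseWriter, st string) {
		_ = json.NewEncoder(w).Encode(envelope{Data: Certificate{ID: 101, State: st}})
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		mu.Lock()
		defer mu.Unlock()
		switch {
		case r.Method == http.MethodPost && strings.HasSuffix(r.URL.Path, "/issue"):
			state = "requesting"
		case r.Method == http.MethodPost:
			state = "new"
		default:
			if polls++; polls >= pollsUntilIssued && state == "requesting" {
				state = "issued"
			}
		}
		write(w, state)
	}))
}

func main() {
	srv := NewFakeDNSimple("secret-token", 2)
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Token: "secret-token", Account: "1010", Domain: "example.com", HTTP: srv.Client()}
	fmt.Println(c.OrderAndWait(2*time.Second, 10*time.Millisecond))
}
```

A real data source would also have to decide what to do with the private key the API returns once the order is issued: it lands in Terraform state, so the state backend needs the same protection as the key itself.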

JamesBelchamber commented 6 years ago

Hmm, this is interesting. Is that completely automated @weppos or are there manual steps? I used aws_acm_certificate as the precedent for creating this data source, because on AWS there are manual steps.

For testing this PR in particular, all we would need is an existing certificate (instead of creating a new one). Could DNSimple provide an SSL Certificate in the sandbox environment which we can fetch? That would satisfy the tests, the cert doesn't have to be valid (or even make any sense).

Edit: I just noticed you're only supporting this for LE certs, which is nice but won't work for our use-case. So maybe we need this to be a dnsimple_standard_certificate, and separately we can create dnsimple_letsencrypt_certificate as a resource.

weppos commented 6 years ago

FYI the difference between standard and letsencrypt is mostly at purchase or renewal. Once issued, the resource is the same.

I can create a "fake" certificate for retrieval in sandbox, if you want. Actually, I think you may be able to create it on your own from the UI.

Would the test credentials be public?

JamesBelchamber commented 6 years ago

Terraform tests work by creating a resource and then checking it exists as expected. Since we cannot create standard certificates via the API we would need a cert to exist that we can test against - I think that Hashicorp would have to own the cert themselves (this looks like it's how it works on the AWS ACM Certs). We wouldn't have shared credentials exposed.

Are we able to create LE certs via the API? I couldn't find any documentation on it. I still think we would need a separate resource, since a standard certificate cannot be created/updated/destroyed by Terraform (instead being a simple data source).

JamesBelchamber commented 6 years ago

Can you create a "fake" certificate that's available to everyone in the Sandbox API? This would be the best solution, though I completely understand if you cannot :)

weppos commented 6 years ago

@JamesBelchamber can you create an account at https://sandbox.dnsimple.com/dashboard? Subscribe to a plan and use the test card: https://developer.dnsimple.com/sandbox/#testing-subscriptions. Once done, you should be able to request a test certificate via the UI, and then you can hook into that from the API.

JamesBelchamber commented 6 years ago

~When we request a cert in the sandbox account, where does the validation email go @weppos?~

Ah, the email really comes from Comodo and really issues a certificate, huh. @radeksimko I don't know how you want to play this now, we can create test certs manually and test them against the sandbox API, does hashicorp want to set this up internally so that tests pass? These certs aren't shared between accounts so whatever certificate is being fetched from the API would only work with one account.

weppos commented 6 years ago

What @JamesBelchamber said. We can't currently expose Let's Encrypt in sandbox due to some limitation of our sandbox vs their staging. But requesting a standard cert should work in sandbox. And as mentioned, once it's ready the certs are all the same (hence the resource is mostly the same).

JamesBelchamber commented 6 years ago

Sorry chaps, fat fingers. I'd like to get this merged in but I'm also happy to be told it's not fit as it currently exists, and what is needed to be done to get it working.

martinisoft commented 5 years ago

Hi @JamesBelchamber we have actually released a full certificates endpoint which now allows you to request certificates via Let's Encrypt if the domain is delegated to us.

mattgodbolt commented 4 years ago

I'd love to have this merged into the mainline: is there anything useful I can do to help?

ecomba commented 2 years ago

Hey @JamesBelchamber !

Now, I am aware how old this PR is and I am sorry for the long wait. I recently took over this repo here at DNSimple and I am working (as you might have noticed) my way through it.

I am planning on making this PR part of the 0.11.0 milestone. There are a few things that need to happen before I do so though:

I'm hoping to finish this before the end of next week (time of me writing this comment), but I will keep you updated.

Again, thank you so much for doing this work so long ago, and sorry on behalf of the team for having made you (and everyone interested in this functionality) wait for this long. In the future this process will take less time to evaluate and be incorporated into the mainstream!

Enrique