datasource/tls_certificate: Use local TLS server and certificate for verify failure testing #517
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…verify failure testing Reference: #516 Previously (likely due to external SSL certificate rotation): ``` === RUN TestAccDataSourceCertificate_BadSSL data_source_certificate_test.go:166: Step 2/2 error: Check failed: Check 14/14 error: data.tls_certificate.test: Attribute 'certificates.1.sha1_fingerprint' expected "6922cd864f3c6299f6e751a019e5ddcdbc415a71", got "eede8b066561000952c3e599d4873eed75512a3b" --- FAIL: TestAccDataSourceCertificate_BadSSL (0.64s) ``` The goal of this test is to ensure the data source returns an error if there is an invalid SSL certificate chain, which can be accomplished by running a local TLS server with expired or otherwise invalid SSL certificate. There still is one external, real-world URL test with `TestAccDataSourceCertificate_TerraformIO`. It seems important to ensure there is one valid URL test for complete coverage though. If that test becomes a regular problem, a local TLS server could potentially be spun up with a valid SSL certificate via Let's Encrypt or something, however that effort is not being prioritized at the moment.
SBGoods
approved these changes
May 17, 2024
| @@ -163,46 +163,33 @@ func TestAccDataSourceCertificate_TerraformIO(t *testing.T) { | |||
| // It can potentially break over time, and we will need to keep the | |||
There was a problem hiding this comment.
nit: Do we still need this note if we're no longer using an external certificate?
There was a problem hiding this comment.
Ha, nope, thank you will remove.
… for verify testing
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #516
Previously (likely due to external SSL certificate rotation):
The goal of this test is to ensure the data source returns an error if there is an invalid SSL certificate chain, which can be accomplished by running a local TLS server with expired or otherwise invalid SSL certificate.
There still is one external, real-world URL test with
TestAccDataSourceCertificate_TerraformIO. It seems important to ensure there is one valid URL test for complete coverage though. If that test becomes a regular problem, a local TLS server could potentially be spun up with a valid SSL certificate via Let's Encrypt or something, however that effort is not being prioritized at the moment.