terraform-lxd · simondeziel · Aug 30, 2024 · Jul 20, 2024 · Aug 23, 2024 · Aug 23, 2024
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -33,10 +33,6 @@ jobs:
     env:
       TF_ACC: "1"
       GO111MODULE: "on"
-      LXD_REMOTE: localhost
-      LXD_SCHEME: https
-      LXD_ADDR: localhost
-      LXD_PORT: 8443
       LXD_GENERATE_CLIENT_CERTS: "true"
       LXD_ACCEPT_SERVER_CERTIFICATE: "true"
 
@@ -51,7 +47,7 @@ jobs:
         run: |
           sudo snap refresh lxd --channel=${{ matrix.channel }}
           sudo lxd waitready --timeout 60
-          sudo lxd init --auto --network-port="$LXD_PORT" --network-address="$LXD_ADDR"
+          sudo lxd init --auto --network-port=8443 --network-address=localhost
           sudo chmod 777 /var/snap/lxd/common/lxd/unix.socket
 
           # 5.0/* currently use core20 which ships with a buggy lvm2 package so
@@ -64,8 +60,8 @@ jobs:
             sudo snap restart --reload lxd
           fi
 
-          # Generate trust token.
-          echo "LXD_TOKEN=$(lxc config trust add --name lxd-terraform-provider --quiet)" >> $GITHUB_ENV
+          # Add HTTPS remote.
+          lxc remote add localhost "$(lxc config trust add --name lxd-terraform-provider --quiet)"
 
       - name: Configure OVN
         run: |

diff --git a/docs/index.md b/docs/index.md
@@ -39,16 +39,14 @@ provider "lxd" {
 
   remote {
     name     = "lxd-server-1"
-    scheme   = "https"
-    address  = "10.1.1.8"
+    address  = "https://10.1.1.8:8443"
     password = "password"
     default  = true
   }
 
   remote {
     name    = "lxd-server-2"
-    scheme  = "https"
-    address = "10.1.2.8"
+    address = "https://10.1.2.8"
     token   = "token"
   }
 }
@@ -77,7 +75,13 @@ The following arguments are supported:
 
 The `remote` block supports:
 
-* `address` - *Optional* - The address of the remote.
+* `name` - *Optional* - The name of the remote.
+
+* `protocol` - *Optional* - The protocol of remote server (`lxd` or `simplestreams`).
+
+* `address` - *Optional* - The remote address in format `[<scheme>://]<host>[:<port>]`.
+  Scheme can be set to either `unix` or `https`. If scheme is not set, it will default to `unix` if first character is `/`, otherwise to `https`.
+  Port can be set only for remote HTTPS servers. Port value defaults to `8443` for `lxd` protocol, and to `443` for `simplestreams` protocol.
 
 * `default` - *Optional* - Whether this should be the default remote.
 	This remote will then be used when one is not specified in a resource.
@@ -88,22 +92,13 @@ The `remote` block supports:
 	for more information.
 	The default can also be set with the `LXD_REMOTE` Environment variable.
 
-* `name` - *Optional* - The name of the remote.
-
 * `password` - *Optional* - The [trust password](https://documentation.ubuntu.com/lxd/en/latest/authentication/#adding-client-certificates-using-a-trust-password)
   used for initial authentication with the LXD remote. This method is **not recommended** and has
   been removed in LXD 6.1. Please, use `token` instead.
 
 * `token` - *Optional* - The one-time trust [token](https://documentation.ubuntu.com/lxd/en/latest/authentication/#adding-client-certificates-using-tokens)
   used for initial authentication with the LXD remote.
 
-* `port` - *Optional* - The port of the remote.
-
-* `protocol` - *Optional* - The protocol of remote server (`lxd` or `simplestreams`).
-
-* `scheme` - *Optional* Whether to connect to the remote via `https` or
-	`unix` (UNIX socket). Defaults to `unix` for LXD remote and `https` for simplestreams remote.
-
 ## Undefined Remote
 
 If you choose to _not_ define a `remote`, this provider will attempt
@@ -117,9 +112,8 @@ The required variables are:
 
 * `LXD_REMOTE` - The name of the remote.
 * `LXD_ADDR` - The address of the LXD remote.
-* `LXD_PORT` - The port of the LXD remote.
 * `LXD_PASSWORD` - The password of the LXD remote.
-* `LXD_SCHEME` - The scheme to use (`unix` or `https`).
+* `LXD_TOKEN` - The trust token of the LXD remote.
 
 ## PKI Support
 

diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/hashicorp/terraform-plugin-framework-timeouts v0.4.1
 	github.com/hashicorp/terraform-plugin-framework-validators v0.13.0
 	github.com/hashicorp/terraform-plugin-go v0.23.0
+	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
 	github.com/hashicorp/terraform-plugin-testing v1.10.0
 	github.com/mitchellh/go-homedir v1.1.0
@@ -46,7 +47,6 @@ require (
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/terraform-exec v0.21.0 // indirect
 	github.com/hashicorp/terraform-json v0.22.1 // indirect
-	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect

diff --git a/internal/acctest/checks.go b/internal/acctest/checks.go
@@ -2,10 +2,13 @@ package acctest
 
 import (
 	"fmt"
+	"net"
 	"os/exec"
 	"strings"
 	"testing"
+	"time"
 
+	"github.com/canonical/lxd/shared/api"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/terraform-lxd/terraform-provider-lxd/internal/utils"
@@ -37,7 +40,7 @@ func PreCheckLxdVersion(t *testing.T, versionConstraint string) {
 	serverVersion := apiServer.Environment.ServerVersion
 	ok, err := utils.CheckVersion(serverVersion, versionConstraint)
 	if err != nil {
-		t.Fatal(err)
+		t.Fatalf("Failed to check LXD server version: %v", err)
 	}
 
 	if !ok {
@@ -110,6 +113,74 @@ func PreCheckRoot(t *testing.T) {
 	}
 }
 
+// PreCheckServerExposed skips the test if the server is not exposed on the localhost
+// over port 8443. This is required for remote provider tests.
+func PreCheckLocalServerHTTPS(t *testing.T) {
+	conn, err := net.DialTimeout("tcp", "127.0.0.1:8443", 1*time.Second)
+	if err != nil {
+		t.Skip(`Skipping remote provider test. LXD is not available on "https://127.0.0.1:8443"`)
+	}
+
+	conn.Close()
+}
+
+// ConfigureTrustPassword sets and returns the trust password. If the server
+// does not support trust password, the test is skipped.
+func ConfigureTrustPassword(t *testing.T) string {
+	password := "test-pass"
+
+	// Only servers with LXD version < 6.0.0 support trust password.
+	PreCheckLxdVersion(t, "< 6.0.0")
+
+	server, err := testProvider().InstanceServer("", "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	apiServer, etag, err := server.GetServer()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	apiServer.Config["core.trust_password"] = password
+
+	err = server.UpdateServer(apiServer.Writable(), etag)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return password
+}
+
+// ConfigureTrustToken ensures the trust token is set to "test-pass". If the server
+// does not support trust password, the test is skipped.
+func ConfigureTrustToken(t *testing.T) string {
+	server, err := testProvider().InstanceServer("", "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create new token.
+	tokenPost := api.CertificatesPost{
+		Name:  "tf-test-token",
+		Type:  "client",
+		Token: true,
+	}
+
+	op, err := server.CreateCertificateToken(tokenPost)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	opAPI := op.Get()
+	token, err := opAPI.ToCertificateAddToken()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return token.String()
+}
+
 // PrintResourceState is a test check function that prints the entire state
 // of a resource with the given name. This check should be used only for
 // debuging purposes.

diff --git a/internal/acctest/provider_factory.go b/internal/acctest/provider_factory.go
@@ -1,10 +1,10 @@
 package acctest
 
 import (
+	"fmt"
 	"strings"
 	"sync"
 
-	lxd_config "github.com/canonical/lxd/lxc/config"
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
 	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
 	"github.com/terraform-lxd/terraform-provider-lxd/internal/provider"
@@ -35,9 +35,16 @@ func testProvider() *provider_config.LxdProviderConfig {
 	defer testProviderMutex.Unlock()
 
 	if testProviderConfig == nil {
-		config := lxd_config.DefaultConfig()
-		acceptClientCert := true
-		testProviderConfig = provider_config.NewLxdProvider(config, acceptClientCert)
+		var err error
+
+		options := provider_config.Options{
+			AcceptServerCertificate: true,
+		}
+
+		testProviderConfig, err = provider_config.NewLxdProviderConfig("test", nil, options)
+		if err != nil {
+			panic(fmt.Sprintf("Failed to initialize provider: %v", err))
+		}
 	}
 
 	return testProviderConfig