Add TLS support to Temporal server connection #3

Author: psendyk

docs/index.md

@@ -35,3 +35,4 @@ provider "temporal" {
 
 - `address` (String) Address of the Temporal server. Of the form `host:port`.
 - `namespace` (String) Namespace to operate in.
+- `tls` (Bool) Whether to use TLS for the Temporal server connection. Defaults to `false`.

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/hashicorp/terraform-plugin-testing v1.9.0
 	go.temporal.io/api v1.34.0
 	go.temporal.io/sdk v1.27.0
+	google.golang.org/grpc v1.64.0
 	google.golang.org/protobuf v1.34.1
 )
 
@@ -94,7 +95,6 @@ require (
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect
-	google.golang.org/grpc v1.64.0 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

internal/provider/namespace_resource.go

@@ -164,9 +164,9 @@ func (r *namespaceResource) Schema(_ context.Context, _ resource.SchemaRequest,
 			},
 			"history_archival_state": schema.StringAttribute{
 				MarkdownDescription: "History archival state. Accepted values: `disabled`, `enabled`. History archival must be enabled at the cluster level first to be able to enable it for a namespace.",
-				Optional:    true,
-				Computed:    true,
-				Default:     stringdefault.StaticString("disabled"),
+				Optional:            true,
+				Computed:            true,
+				Default:             stringdefault.StaticString("disabled"),
 				Validators: []validator.String{
 					validators.StringInSliceValidator{
 						AllowedValues: []string{"enabled", "disabled"},
@@ -376,6 +376,7 @@ func (r *namespaceResource) Delete(ctx context.Context, req resource.DeleteReque
 
 	_, err := r.client.OperatorService().DeleteNamespace(ctx, &operatorservice.DeleteNamespaceRequest{
 		NamespaceId: data.ID.ValueString(),
+		Namespace:   data.Name.ValueString(),
 	})
 	if err != nil {
 		resp.Diagnostics.AddError("Error while deleting namespace "+data.Name.ValueString(), err.Error())

internal/provider/provider.go

@@ -2,9 +2,15 @@ package provider
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"os"
+	"strconv"
 
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/provider"
@@ -22,6 +28,7 @@ var (
 type temporalProviderModel struct {
 	Address   types.String `tfsdk:"address"`
 	Namespace types.String `tfsdk:"namespace"`
+	TLS       types.Bool   `tfsdk:"tls"`
 }
 
 type providerConfig struct {
@@ -55,13 +62,17 @@ func (p *temporalProvider) Schema(_ context.Context, _ provider.SchemaRequest, r
 		MarkdownDescription: "The Temporal Terraform Provider allows you to manage [Temporal](https://temporal.io/) resources using [Terraform](https://www.terraform.io/).",
 		Attributes: map[string]schema.Attribute{
 			"address": schema.StringAttribute{
-				Optional:    true,
+				Optional:            true,
 				MarkdownDescription: "Address of the Temporal server. Of the form `host:port`.",
 			},
 			"namespace": schema.StringAttribute{
 				Optional:    true,
 				Description: "Namespace to operate in.",
 			},
+			"tls": schema.BoolAttribute{
+				Optional:            true,
+				MarkdownDescription: "Whether to use TLS for the Temporal server connection. Defaults to `false`.",
+			},
 		},
 	}
 }
@@ -83,6 +94,22 @@ func (p *temporalProvider) Configure(ctx context.Context, req provider.Configure
 		address = config.Address.ValueString()
 	}
 
+	tlsEnabled := false
+	if !config.TLS.IsNull() {
+		tlsEnabled = config.TLS.ValueBool()
+	} else if os.Getenv("TLS") != "" {
+		var err error
+		tlsEnabled, err = strconv.ParseBool(os.Getenv("TLS"))
+		if err != nil {
+			resp.Diagnostics.AddAttributeError(
+				path.Root("tls"),
+				fmt.Sprintf("Invalid value for TLS parameter: %s", os.Getenv("TLS")),
+				"TLS parameter value must be one of: true, false",
+			)
+			return
+		}
+	}
+
 	namespace := "default"
 	if !config.Namespace.IsNull() {
 		namespace = config.Namespace.ValueString()
@@ -104,10 +131,27 @@ func (p *temporalProvider) Configure(ctx context.Context, req provider.Configure
 		return
 	}
 
-	temporalClient, err := client.Dial(client.Options{
+	clientOptions := client.Options{
 		HostPort:  address,
 		Namespace: namespace,
-	})
+	}
+	if tlsEnabled {
+		pool, err := x509.SystemCertPool()
+		if err != nil {
+			resp.Diagnostics.AddError("Couldn't load the system CA certificate pool", err.Error())
+			return
+		}
+		creds := credentials.NewTLS(&tls.Config{
+			RootCAs: pool,
+		})
+		dialOptions := []grpc.DialOption{
+			grpc.WithTransportCredentials(creds),
+		}
+		clientOptions.ConnectionOptions = client.ConnectionOptions{
+			DialOptions: dialOptions,
+		}
+	}
+	temporalClient, err := client.Dial(clientOptions)
 	if err != nil {
 		resp.Diagnostics.AddError("Failed to establish a connection with the Temporal server on "+address, err.Error())
 		return