fastly · Integralist · Feb 5, 2021 · Jan 8, 2021 · Jan 20, 2021 · Jan 21, 2021
diff --git a/docs/resources/service_compute.md b/docs/resources/service_compute.md
@@ -588,6 +588,8 @@ Required:
 Optional:
 
 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication
 

diff --git a/docs/resources/service_v1.md b/docs/resources/service_v1.md
@@ -1044,6 +1044,8 @@ Optional:
 - **placement** (String) Where in the generated VCL the logging call should be placed
 - **response_condition** (String) The name of the condition to apply
 - **tls_ca_cert** (String) A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`
+- **tls_client_cert** (String) The client certificate used to make authenticated requests. Must be in PEM format.
+- **tls_client_key** (String, Sensitive) The client private key used to make authenticated requests. Must be in PEM format.
 - **tls_hostname** (String) The hostname used to verify the server's certificate. It can either be the Common Name or a Subject Alternative Name (SAN)
 - **token** (String, Sensitive) The Splunk token to be used for authentication
 

diff --git a/fastly/block_fastly_service_v1_splunk.go b/fastly/block_fastly_service_v1_splunk.go
@@ -83,6 +83,8 @@ func (h *SplunkServiceAttributeHandler) Process(d *schema.ResourceData, latestVe
 			Token:             sf["token"].(string),
 			TLSHostname:       sf["tls_hostname"].(string),
 			TLSCACert:         sf["tls_ca_cert"].(string),
+			TLSClientCert:     sf["tls_client_cert"].(string),
+			TLSClientKey:      sf["tls_client_key"].(string),
 			Format:            vla.format,
 			FormatVersion:     uintOrDefault(vla.formatVersion),
 			ResponseCondition: vla.responseCondition,
@@ -149,6 +151,19 @@ func (h *SplunkServiceAttributeHandler) Register(s *schema.Resource) error {
 			DefaultFunc: schema.EnvDefaultFunc("FASTLY_SPLUNK_CA_CERT", ""),
 			Description: "A secure certificate to authenticate the server with. Must be in PEM format. You can provide this certificate via an environment variable, `FASTLY_SPLUNK_CA_CERT`",
 		},
+		"tls_client_cert": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			DefaultFunc: schema.EnvDefaultFunc("FASTLY_SPLUNK_CLIENT_CERT", ""),
+			Description: "The client certificate used to make authenticated requests. Must be in PEM format.",
+		},
+		"tls_client_key": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			DefaultFunc: schema.EnvDefaultFunc("FASTLY_SPLUNK_CLIENT_KEY", ""),
+			Description: "The client private key used to make authenticated requests. Must be in PEM format.",
+			Sensitive:   true,
+		},
 	}
 
 	if h.GetServiceMetadata().serviceType == ServiceTypeVCL {
@@ -202,6 +217,8 @@ func flattenSplunks(splunkList []*gofastly.Splunk) []map[string]interface{} {
 			"token":              s.Token,
 			"tls_hostname":       s.TLSHostname,
 			"tls_ca_cert":        s.TLSCACert,
+			"tls_client_cert":    s.TLSClientCert,
+			"tls_client_key":     s.TLSClientKey,
 		}
 
 		// prune any empty values that come from the default string value in structs

diff --git a/fastly/block_fastly_service_v1_splunk_test.go b/fastly/block_fastly_service_v1_splunk_test.go
@@ -13,7 +13,7 @@ import (
 )
 
 func TestResourceFastlyFlattenSplunk(t *testing.T) {
-	_, cert, err := generateKeyAndCert()
+	key, cert, err := generateKeyAndCert()
 	if err != nil {
 		t.Errorf("Failed to generate key and cert: %s", err)
 	}
@@ -32,8 +32,15 @@ func TestResourceFastlyFlattenSplunk(t *testing.T) {
 					ResponseCondition: "error_response",
 					Placement:         "waf_debug",
 					Token:             "test-token",
-					TLSCACert:         cert,
-					TLSHostname:       "example.com",
+					// The same certificate is used here for
+					// TLSCACert and TLSClientCert, but this
+					// is strictly for testing. In practice
+					// the same value should not be used for
+					// these two fields.
+					TLSCACert:     cert,
+					TLSHostname:   "example.com",
+					TLSClientCert: cert,
+					TLSClientKey:  key,
 				},
 			},
 			local: []map[string]interface{}{
@@ -46,7 +53,14 @@ func TestResourceFastlyFlattenSplunk(t *testing.T) {
 					"placement":          "waf_debug",
 					"token":              "test-token",
 					"tls_hostname":       "example.com",
-					"tls_ca_cert":        cert,
+					// The same certificate is used here for
+					// TLSCACert and TLSClientCert, but this
+					// is strictly for testing. In practice
+					// the same value should not be used for
+					// these two fields.
+					"tls_ca_cert":     cert,
+					"tls_client_cert": cert,
+					"tls_client_key":  key,
 				},
 			},
 		},
@@ -192,7 +206,7 @@ func TestAccFastlyServiceV1_splunk_complete(t *testing.T) {
 	var service gofastly.ServiceDetail
 	serviceName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
 
-	_, cert, err := generateKeyAndCert()
+	key, cert, err := generateKeyAndCert()
 	if err != nil {
 		t.Errorf("Failed to generate key and cert: %s", err)
 	}
@@ -206,7 +220,14 @@ func TestAccFastlyServiceV1_splunk_complete(t *testing.T) {
 		Placement:         "waf_debug",
 		ResponseCondition: "error_response_5XX",
 		TLSHostname:       "example.com",
-		TLSCACert:         cert,
+		// The same certificate is used here for
+		// TLSCACert and TLSClientCert, but this
+		// is strictly for testing. In practice
+		// the same value should not be used for
+		// these two fields.
+		TLSCACert:     cert,
+		TLSClientCert: cert,
+		TLSClientKey:  key,
 	}
 
 	splunkLogOneUpdated := gofastly.Splunk{
@@ -218,7 +239,14 @@ func TestAccFastlyServiceV1_splunk_complete(t *testing.T) {
 		Placement:         "waf_debug",
 		ResponseCondition: "error_response_5XX",
 		TLSHostname:       "example.com",
-		TLSCACert:         cert,
+		// The same certificate is used here for
+		// TLSCACert and TLSClientCert, but this
+		// is strictly for testing. In practice
+		// the same value should not be used for
+		// these two fields.
+		TLSCACert:     cert,
+		TLSClientCert: cert,
+		TLSClientKey:  key,
 	}
 
 	splunkLogTwo := gofastly.Splunk{
@@ -230,7 +258,14 @@ func TestAccFastlyServiceV1_splunk_complete(t *testing.T) {
 		Placement:         "waf_debug",
 		ResponseCondition: "ok_response_2XX",
 		TLSHostname:       "example.com",
-		TLSCACert:         cert,
+		// The same certificate is used here for
+		// TLSCACert and TLSClientCert, but this
+		// is strictly for testing. In practice
+		// the same value should not be used for
+		// these two fields.
+		TLSCACert:     cert,
+		TLSClientCert: cert,
+		TLSClientKey:  key,
 	}
 
 	resource.Test(t, resource.TestCase{
@@ -239,7 +274,7 @@ func TestAccFastlyServiceV1_splunk_complete(t *testing.T) {
 		CheckDestroy: testAccCheckServiceV1Destroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccServiceV1SplunkConfig_useTLS(serviceName, cert),
+				Config: testAccServiceV1SplunkConfig_useTLS(serviceName, cert, key),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckServiceV1Exists("fastly_service_v1.foo", &service),
 					testAccCheckFastlyServiceV1SplunkAttributes(&service, []*gofastly.Splunk{&splunkLogOne}, ServiceTypeVCL),
@@ -251,7 +286,7 @@ func TestAccFastlyServiceV1_splunk_complete(t *testing.T) {
 			},
 
 			{
-				Config: testAccServiceV1SplunkConfig_updateUseTLS(serviceName, cert),
+				Config: testAccServiceV1SplunkConfig_updateUseTLS(serviceName, cert, key),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckServiceV1Exists("fastly_service_v1.foo", &service),
 					testAccCheckFastlyServiceV1SplunkAttributes(&service, []*gofastly.Splunk{&splunkLogOneUpdated, &splunkLogTwo}, ServiceTypeVCL),
@@ -433,11 +468,14 @@ resource "fastly_service_v1" "foo" {
 }`, serviceName, domainName, format)
 }
 
-func testAccServiceV1SplunkConfig_useTLS(serviceName string, cert string) string {
+func testAccServiceV1SplunkConfig_useTLS(serviceName, cert, key string) string {
 	domainName := fmt.Sprintf("fastly-test.tf-%s.com", acctest.RandString(10))
 
 	format := "%h %l %u %t \"%r\" %>s %b"
 
+	// The same certificate is used here for tls_ca_cert and tls_client_cert,
+	// but this is strictly for testing. In practice the same value should
+	// not be used for these two fields.
 	return fmt.Sprintf(`
 resource "fastly_service_v1" "foo" {
   name = %q
@@ -468,11 +506,13 @@ resource "fastly_service_v1" "foo" {
     placement          = "waf_debug"
     tls_hostname       = "example.com"
     tls_ca_cert        = %q
+    tls_client_cert    = %q
+    tls_client_key     = %q
     response_condition = "error_response_5XX"
   }
 
   force_destroy = true
-}`, serviceName, domainName, format, cert)
+}`, serviceName, domainName, format, cert, cert, key)
 }
 
 func testAccServiceV1SplunkConfig_update(serviceName string) string {
@@ -531,10 +571,13 @@ resource "fastly_service_v1" "foo" {
 }`, serviceName, domainName, format, format)
 }
 
-func testAccServiceV1SplunkConfig_updateUseTLS(serviceName string, cert string) string {
+func testAccServiceV1SplunkConfig_updateUseTLS(serviceName, cert, key string) string {
 	domainName := fmt.Sprintf("fastly-test.tf-%s.com", acctest.RandString(10))
 	format := "%h %l %u %%{now}V %%{req.method}V %%{req.url}V %>s %%{resp.http.Content-Length}V"
 
+	// The same certificate is used here for tls_ca_cert and tls_client_cert,
+	// but this is strictly for testing. In practice the same value should
+	// not be used for these two fields.
 	return fmt.Sprintf(`
 resource "fastly_service_v1" "foo" {
   name = %q
@@ -572,6 +615,8 @@ resource "fastly_service_v1" "foo" {
     placement          = "waf_debug"
     tls_hostname       = "example.com"
     tls_ca_cert        = %q
+    tls_client_cert    = %q
+    tls_client_key     = %q
     response_condition = "error_response_5XX"
   }
 
@@ -584,11 +629,13 @@ resource "fastly_service_v1" "foo" {
     placement          = "waf_debug"
     tls_hostname       = "example.com"
     tls_ca_cert        = %q
+    tls_client_cert    = %q
+    tls_client_key     = %q
     response_condition = "ok_response_2XX"
   }
 
   force_destroy = true
-}`, serviceName, domainName, format, cert, format, cert)
+}`, serviceName, domainName, format, cert, cert, key, format, cert, cert, key)
 }
 
 func testAccServiceV1SplunkConfig_default(serviceName string) string {