From 706f94c8e100c9ba0ff4f7d7d95583c129ca9997 Mon Sep 17 00:00:00 2001
From: Gonzalo Infante <gonzalo.infante@noviscorp.com>
Date: Sat, 5 Oct 2019 18:18:05 -0300
Subject: [PATCH 1/4] add CA param

---
 mysql/provider.go | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/mysql/provider.go b/mysql/provider.go
index 810e49767..c56860f79 100644
--- a/mysql/provider.go
+++ b/mysql/provider.go
@@ -1,8 +1,11 @@
 package mysql
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"strings"
 	"time"
@@ -73,6 +76,11 @@ func Provider() terraform.ResourceProvider {
 				Type:     schema.TypeInt,
 				Optional: true,
 			},
+
+			"ssl_ca": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
@@ -96,12 +104,23 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		proto = "unix"
 	}
 
+	var tlsConfig = d.Get("tls").(string)
+	var sslCa = d.Get("ssl_ca").(string)
+	if sslCa != "" {
+		switch tlsConfig {
+		case "false", "":
+			tlsConfig = "false"
+		default:
+			tlsConfig = "custom"
+		}
+	}
+
 	conf := mysql.Config{
 		User:                 d.Get("username").(string),
 		Passwd:               d.Get("password").(string),
 		Net:                  proto,
 		Addr:                 endpoint,
-		TLSConfig:            d.Get("tls").(string),
+		TLSConfig:            tlsConfig,
 		AllowNativePasswords: true,
 	}
 
@@ -110,6 +129,22 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		return dialer.Dial("tcp", network)
 	})
 
+	if tlsConfig == "custom" {
+		rootCertPool := x509.NewCertPool()
+		pem, err := ioutil.ReadFile(sslCa)
+		if err != nil {
+			return nil, fmt.Errorf("Could not open CA file %s", sslCa)
+		}
+		if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+			return nil, fmt.Errorf("Could not read a valid PEM certificate")
+		}
+
+		mysql.RegisterTLSConfig("custom", &tls.Config{
+			RootCAs:            rootCertPool,
+			InsecureSkipVerify: d.Get("tls").(string) == "skip-verify",
+		})
+	}
+
 	return &MySQLConfiguration{
 		Config:          &conf,
 		MaxConnLifetime: time.Duration(d.Get("max_conn_lifetime_sec").(int)) * time.Second,
@@ -160,6 +195,9 @@ func connectToMySQL(conf *MySQLConfiguration) (*sql.DB, error) {
 		}
 
 		err = db.Ping()
+		if err, ok := err.(x509.UnknownAuthorityError); ok {
+			return resource.NonRetryableError(err)
+		}
 		if err != nil {
 			return resource.RetryableError(err)
 		}

From a9028d9aea1c7ac5e9266f4f62c8dcf35e8d0e9d Mon Sep 17 00:00:00 2001
From: Gonzalo Infante <gonzalo.infante@noviscorp.com>
Date: Mon, 7 Oct 2019 11:45:51 -0300
Subject: [PATCH 2/4] interpret the ssl_ca as the file contents of a PEM file

---
 mysql/provider.go | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/mysql/provider.go b/mysql/provider.go
index c56860f79..6a3c757f0 100644
--- a/mysql/provider.go
+++ b/mysql/provider.go
@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"database/sql"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"strings"
 	"time"
@@ -131,11 +130,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 
 	if tlsConfig == "custom" {
 		rootCertPool := x509.NewCertPool()
-		pem, err := ioutil.ReadFile(sslCa)
-		if err != nil {
-			return nil, fmt.Errorf("Could not open CA file %s", sslCa)
-		}
-		if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+		sslCaBytes := []byte(sslCa)
+		if ok := rootCertPool.AppendCertsFromPEM(sslCaBytes); !ok {
 			return nil, fmt.Errorf("Could not read a valid PEM certificate")
 		}
 

From 1a12c3d68d24642301451f4e40010644f62834da Mon Sep 17 00:00:00 2001
From: Gonzalo Infante <gonzalo.infante@noviscorp.com>
Date: Mon, 7 Oct 2019 12:08:41 -0300
Subject: [PATCH 3/4] set a CA certificate only when tls is set to true

---
 mysql/provider.go | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/mysql/provider.go b/mysql/provider.go
index 6a3c757f0..e3e10fe79 100644
--- a/mysql/provider.go
+++ b/mysql/provider.go
@@ -105,13 +105,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 
 	var tlsConfig = d.Get("tls").(string)
 	var sslCa = d.Get("ssl_ca").(string)
-	if sslCa != "" {
-		switch tlsConfig {
-		case "false", "":
-			tlsConfig = "false"
-		default:
-			tlsConfig = "custom"
-		}
+	if sslCa != "" && tlsConfig == "true" {
+		tlsConfig = "custom"
 	}
 
 	conf := mysql.Config{

From 673767960284040738642f96b756f0ace6dc8a12 Mon Sep 17 00:00:00 2001
From: Gonzalo Infante <gonzalo.infante@noviscorp.com>
Date: Mon, 7 Oct 2019 12:11:02 -0300
Subject: [PATCH 4/4] add documentation for the ssl_ca argument

---
 website/docs/index.html.markdown | 1 +
 1 file changed, 1 insertion(+)

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index e9232c044..2701206ad 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -82,3 +82,4 @@ The following arguments are supported:
 * `tls` - (Optional) The TLS configuration. One of `false`, `true`, or `skip-verify`. Defaults to `false`.
 * `max_conn_lifetime_sec` - (Optional) Sets the maximum amount of time a connection may be reused. If d <= 0, connections are reused forever.
 * `max_open_conns` - (Optional) Sets the maximum number of open connections to the database. If n <= 0, then there is no limit on the number of open connections.
+* `ssl_ca` - (Optional) The contents of the PEM file of a CA. Used when the `tls` argument is set to `true`.
\ No newline at end of file