From 50a11ff81caabcb76b74d810d5668682eefc110b Mon Sep 17 00:00:00 2001
From: pizzaniels
Date: Fri, 21 Apr 2023 21:23:01 +0200
Subject: [PATCH] improve ssh host cert validation
---
 files/get_cert.sh | 7 -------
 main.tf | 5 +++++
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/files/get_cert.sh b/files/get_cert.sh
index 7ff86ad..b290c8f 100755
--- a/files/get_cert.sh
+++ b/files/get_cert.sh
@@ -5,13 +5,6 @@ IFS=$'\n\t'
 eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost)"')"
 # TODO: Can this be done more eye-pleasingly?
-set +e
 CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '/root/ca.sh host "'"$PUBKEY"'" "'"$HOST"'".dmz')
-retval=$?
-set -e
-
-if [ retval -neq 0 ]; then
- CERT="error"
-fi
 jq -n --arg cert "$CERT" '{"cert":$cert}'
diff --git a/main.tf b/main.tf
index 25f9f57..3df7c0a 100644
--- a/main.tf
+++ b/main.tf
@@ -50,6 +50,11 @@ resource "null_resource" "cert" {
 ignore_changes = [ triggers ]
+
+ postcondition {
+ condition = self.triggers["cert"] != "" || !var.use_host_cert
+ error_message = "Error retrieving host certificate."
+ }
 }
 }
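Review bot: The retained `CERT=$(ssh ... '/root/ca.sh host "'"$PUBKEY"'" "'"$HOST"'".dmz')` line splices `$PUBKEY` and `$HOST` into a command string that the CA host's root shell re-parses, so a value containing `"`, `$`, a backtick or `;` becomes command execution as root on the CA — the `@sh`-quoted `eval` above only protects the local side. Whether those inputs are attacker-influenced depends on the Terraform caller, which is not visible here, but the script already uses jq for exactly this kind of quoting: `REMOTE_CMD=$(jq -rn --arg pk "$PUBKEY" --arg h "$HOST.dmz" '@sh "/root/ca.sh host \($pk) \($h)"')` followed by `CERT=$(ssh -o BatchMode=yes -o ConnectTimeout=3 -o ConnectionAttempts=1 "root@$CAHOST" "$REMOTE_CMD")`. `BatchMode=yes` also stops an unexpected host-key or passphrase prompt from hanging a non-interactive terraform run, which `ConnectTimeout` alone does not cover. With the `set +e`/`retval` handling deleted, what happens when ssh fails now depends entirely on the `set` options at the top of the script (outside this hunk): under errexit the script aborts and the data source errors out, under plain mode `CERT` is silently empty — worth stating in the TODO comment which of the two the caller relies on.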
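Review bot: The new `postcondition` only checks that `self.triggers["cert"]` is non-empty, so any non-empty stdout from `get_cert.sh` — an error message, a truncated line, anything that is not an OpenSSH certificate — still passes, which is weaker than the "cert validation" the commit title promises. A shape check costs one expression: `condition = !var.use_host_cert || can(regex("^[a-z0-9-]+-cert-v01@openssh\\.com ", self.triggers["cert"]))`. Two caveats to confirm, since the enclosing `resource "null_resource" "cert"` and its `lifecycle` block start outside the hunk: with `ignore_changes = [ triggers ]` the condition evaluates whatever `cert` was captured when the resource was created, so a later signing failure is not caught on subsequent applies; and if `get_cert.sh` runs with errexit, a failed ssh makes the external data source error before this condition is ever evaluated, so the empty-string branch is only reachable when the script swallows the failure. A one-line comment above the block naming the failure it is meant to catch would help the next reader, e.g. `# Fail the apply if the CA returned no usable host certificate (only meaningful when use_host_cert is true).`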