Merge pull request #905 from F5Networks/ltm_profile_http

Fixed issue #834, #836
F5Networks · Nov 20, 2023 · 28e382b · 28e382b
2 parents bffe3a8 + 1cc25e1
commit 28e382b
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 27 deletions.
diff --git a/bigip/resource_bigip_ltm_profile_http.go b/bigip/resource_bigip_ltm_profile_http.go
@@ -200,30 +200,31 @@ func resourceBigipLtmProfileHttp() *schema.Resource {
 			"http_strict_transport_security": {
 				Type:     schema.TypeSet,
 				Optional: true,
+				Computed: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"include_subdomains": {
 							Type:        schema.TypeString,
 							Optional:    true,
-							Default:     "enabled",
+							Computed:    true,
 							Description: "Specifies whether to include the includeSubdomains directive in the HSTS header.",
 						},
 						"maximum_age": {
 							Type:        schema.TypeInt,
 							Optional:    true,
-							Default:     16070400,
+							Computed:    true,
 							Description: "Specifies the maximum age to assume the connection should remain secure.",
 						},
 						"mode": {
 							Type:        schema.TypeString,
 							Optional:    true,
-							Default:     "disabled",
+							Computed:    true,
 							Description: "Specifies whether to include the HSTS response header.",
 						},
 						"preload": {
 							Type:        schema.TypeString,
 							Optional:    true,
-							Default:     "disabled",
+							Computed:    true,
 							Description: "Specifies whether to include the preload directive in the HSTS header.",
 						},
 					},
@@ -243,21 +244,21 @@ func resourceBigipLtmProfileHttp() *schema.Resource {
 							Description: "Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list will cause the HTTP filter to not recognize them.",
 						},
 						"max_header_count": {
-							Type:        schema.TypeInt,
-							Optional:    true,
-							Default:     64,
+							Type:     schema.TypeInt,
+							Optional: true,
+							Computed: true,
 							Description: "Specifies the maximum number of headers allowed in HTTP request/response.",
 						},
 						"max_header_size": {
-							Type:        schema.TypeInt,
-							Optional:    true,
-							Default:     32768,
+							Type:     schema.TypeInt,
+							Optional: true,
+							Computed: true,
 							Description: "Specifies the maximum header size.",
 						},
 						"unknown_method": {
-							Type:        schema.TypeString,
-							Optional:    true,
-							Default:     "allow",
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
 							Description: "Specifies whether to allow, reject or switch to pass-through mode when an unknown HTTP method is parsed.",
 						},
 					},
@@ -490,8 +491,8 @@ func getHttpProfileConfig(d *schema.ResourceData, config *bigip.HttpProfile) *bi
 
 	for _, r := range p.(*schema.Set).List() {
 		config.Hsts.IncludeSubdomains = r.(map[string]interface{})["include_subdomains"].(string)
-		config.Hsts.Mode = r.(map[string]interface{})["preload"].(string)
-		config.Hsts.Preload = r.(map[string]interface{})["mode"].(string)
+		config.Hsts.Mode = r.(map[string]interface{})["mode"].(string)
+		config.Hsts.Preload = r.(map[string]interface{})["preload"].(string)
 		config.Hsts.MaximumAge = r.(map[string]interface{})["maximum_age"].(int)
 	}
 

diff --git a/bigip/resource_bigip_ltm_profile_http_test.go b/bigip/resource_bigip_ltm_profile_http_test.go
@@ -7,12 +7,12 @@ package bigip
 
 import (
 	"fmt"
-	"regexp"
-	"testing"
-
 	bigip "github.com/f5devcentral/go-bigip"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"regexp"
+	"strings"
+	"testing"
 )
 
 var TestHttpName = fmt.Sprintf("/%s/test-http", TestPartition)
@@ -107,6 +107,15 @@ func TestAccBigipLtmProfileHttpUpdateServerAgent(t *testing.T) {
 					resource.TestCheckResourceAttr(resFullName, "server_agent_name", "myBIG-IP"),
 				),
 			},
+			{
+				Config: testaccbigipltmprofilehttpDefaultConfig(TestPartition, TestHttpName, "http-profile-test"),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(TestHttpName),
+					resource.TestCheckResourceAttr(resFullName, "name", TestHttpName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+					resource.TestCheckResourceAttr(resFullName, "server_agent_name", "myBIG-IP"),
+				),
+			},
 		},
 	})
 }
@@ -383,6 +392,27 @@ func TestAccBigipLtmProfileHttpUpdateEnforcement(t *testing.T) {
 					resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_size", "80"),
 				),
 			},
+			{
+				Config: testaccbigipltmprofilehttpUpdateParam(instName, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(instFullName),
+					resource.TestCheckResourceAttr(resFullName, "name", instFullName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "CONNECT"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "DELETE"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "GET"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "HEAD"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "LOCK"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "POST"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "PROPFIND"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "PUT"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "TRACE"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "UNLOCK"),
+					resource.TestCheckResourceAttr(resFullName, "enforcement.0.unknown_method", "allow"),
+					resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_count", "40"),
+					resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_size", "80"),
+				),
+			},
 		},
 	})
 }
@@ -419,6 +449,18 @@ func TestAccBigipLtmProfileHttpUpdateHSTS(t *testing.T) {
 					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.maximum_age", "80"),
 				),
 			},
+			{
+				Config: testaccbigipltmprofilehttpUpdateParam(instName, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(instFullName),
+					resource.TestCheckResourceAttr(resFullName, "name", instFullName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.include_subdomains", "disabled"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.preload", "enabled"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.mode", "enabled"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.maximum_age", "80"),
+				),
+			},
 		},
 	})
 }
@@ -470,6 +512,9 @@ func testCheckHttpsDestroyed(s *terraform.State) error {
 		name := rs.Primary.ID
 		http, err := client.GetHttpProfile(name)
 		if err != nil {
+			if strings.Contains(err.Error(), "not found") {
+				return nil
+			}
 			return err
 		}
 		if http != nil {

diff --git a/docs/resources/bigip_ltm_profile_http.md b/docs/resources/bigip_ltm_profile_http.md
@@ -73,7 +73,7 @@ resource "bigip_ltm_profile_http" "sanjose-http" {
 
 * `xff_alternative_names` - (Optional) Specifies alternative XFF headers instead of the default X-forwarded-for header.
 
-* `server_agent_name` - (Optional) Specifies the value of the Server header in responses that the BIG-IP itself generates. The default is BigIP. If no string is specified, then default value will be added to such responses. In order to remove it, "none" string is to be passed.
+* `server_agent_name` - (Optional) Specifies the value of the Server header in responses that the BIG-IP itself generates. The default is BigIP. In order to remove it, "none" string is to be passed. If server_agent_name is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "BigIP" explicitly.
 
 * `enforcement` -See [Enforcement](#enforcement) below for more details.
 
@@ -83,26 +83,26 @@ resource "bigip_ltm_profile_http" "sanjose-http" {
 
 The `enforcement` block supports the following:
 
-* `known_methods` - (Optional , `list`) Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list will cause the HTTP filter to not recognize them. Default value is [CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK].If no value is specified while creating, then default value will be assigned. In order to remove it, [""]  list is to be passed.
+* `known_methods` - (Optional , `list`) Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list will cause the HTTP filter to not recognize them. Default value is [CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK].If no value is specified while creating, then default value will be assigned by BigIP. In order to remove it, [""] list is to be passed. If known_methods is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value , we need to pass [CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK] explicitly.
 
-* `unknown_method` - (Optional , `string`) Specifies whether to allow, reject or switch to pass-through mode when an unknown HTTP method is parsed. Default value is allow. If no string is specified, then default value will be assigned.
+* `unknown_method` - (Optional , `string`) Specifies whether to allow, reject or switch to pass-through mode when an unknown HTTP method is parsed. Default value is "allow". If no string is specified while creating, then default value will be assigned by BigIP. If unknown_method is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "allow" explicitly.
 
-* `max_header_count` - (Optional , `int`) Specifies the maximum number of headers allowed in HTTP request/response. The default is 64 headers.If no value is specified, then default value will be assigned.
+* `max_header_count` - (Optional , `int`) Specifies the maximum number of headers allowed in HTTP request/response. The default is 64 headers.If no value is specified while creating, then default value will be assigned by BigIP. If max_header_count is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "64" explicitly.
 
-* `max_header_size` - (Optional , `int`) Specifies the maximum header size.The default value is 32768.If no string is specified, then default value will be assigned.
+* `max_header_size` - (Optional , `int`) Specifies the maximum header size. The default value is 32768. If no string is specified while creating, then default value will be assigned by BigIP. If max_header_size is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "32768" explicitly.
 
 
 ### Http_Strict_Transport_Security
 
 The `http_strict_transport_security` block supports the following:
 
-* `include_subdomains` - (Optional , `string`) Specifies whether to include the includeSubdomains directive in the HSTS header. The default is enabled. If no string is specified, then default value will be assigned.
+* `include_subdomains` - (Optional , `string`) The Include Subdomains setting applies the HSTS policy to the HSTS host and its subdomains. The default is "enabled". If no string is specified during Create, then default value will be assigned by BigIp. If include_subdomains is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "enabled" explicitly.
 
-* `preload` - (Optional , `string`) Specifies whether to include the preload directive in the HSTS header. The default is disabled. If no string is specified, then default value will be assigned.
+* `preload` - (Optional , `string`) An HSTS preload list is a list of domains built into a web browser. When you enable the Preload setting, the domain for the web site that this HTTP profile is associated with is submitted for inclusion in the browser's preload list. The default is "disabled". If no string is specified during Create, then default value will be assigned by BigIp. If preload is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "disabled" explicitly.
 
-* `mode` - (Optional , `string`) Specifies whether to include the HSTS response header. The default is disabled.If no string is specified, then default value will be assigned.
+* `mode` - (Optional , `string`) The Mode setting enables and disables HSTS functionality within the HTTP profile. The default is "disabled". If no string is specified during Create, then default value will be assigned by BigIp. If mode is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value, we need to pass "disabled" explicitly.
 
-* `maximum_age` - (Optional , `int`) Specifies the maximum age to assume the connection should remain secure. The default is 16070400 seconds. If no value is specified, then default value will be assigned.
+* `maximum_age` - (Optional , `int`) The Maximum Age value specifies the length of time, in seconds, that HSTS functionality requests that clients only use HTTPS to connect to the current host and any subdomains of the current host's domain name.  The default is 16070400 seconds. If no value is specified during Create, then default value will be assigned by BigIp. If maximum_age is commented (or not passed) during the update call, then no changes would be applied and previous value will persist. In order to put default value , we need to pass 16070400 explicitly.
 
 
 ## Import