ading cipher rules and cipher groups

F5Networks · Sep 25, 2023 · 8538a1d · 8538a1d
1 parent f56ac29
commit 8538a1d
Show file tree

Hide file tree

Showing 7 changed files with 507 additions and 1 deletion.
diff --git a/bigip/provider.go b/bigip/provider.go
@@ -165,6 +165,8 @@ func Provider() *schema.Provider {
 			"bigip_ipsec_profile":                   resourceBigipIpsecProfile(),
 			"bigip_waf_policy":                      resourceBigipAwafPolicy(),
 			"bigip_vcmp_guest":                      resourceBigipVcmpGuest(),
+			"bigip_ltm_cipher_rule":                 resourceBigipLtmCipherRule(),
+			"bigip_ltm_cipher_group":                resourceBigipLtmCipherGroup(),
 		},
 	}
 	p.ConfigureContextFunc = func(ctx context.Context, d *schema.ResourceData) (interface{}, diag.Diagnostics) {

diff --git a/bigip/resource_bigip_awaf_policy.go b/bigip/resource_bigip_awaf_policy.go
@@ -540,7 +540,7 @@ func getpolicyConfig(d *schema.ResourceData) (string, error) {
 		fullPath = fmt.Sprintf("/%s/%s", partition, name)
 	}
 	var appLang1 string
-	appLang1 = "auto-detect"
+	appLang1 = "utf-8"
 	if val, ok := d.GetOk("application_language"); ok {
 		appLang1 = val.(string)
 	}

diff --git a/bigip/resource_bigip_ltm_cipher_group.go b/bigip/resource_bigip_ltm_cipher_group.go
@@ -0,0 +1,139 @@
+// Copyright 2023 F5 Networks Inc.
+// This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
+// If a copy of the MPL was not distributed with this file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package bigip
+
+import (
+	"context"
+	"fmt"
+	bigip "github.com/f5devcentral/go-bigip"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"log"
+)
+
+func resourceBigipLtmCipherGroup() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceBigipLtmCipherGroupCreate,
+		ReadContext:   resourceBigipLtmCipherGroupRead,
+		UpdateContext: resourceBigipLtmCipherGroupUpdate,
+		DeleteContext: resourceBigipLtmCipherGroupDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				Description:  "Name of the cipher rule,name should be in pattern ``partition` + `cipher rule name``",
+				ForceNew:     true,
+				ValidateFunc: validateF5Name,
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies descriptive text that identifies the cipher rule",
+			},
+			"ordering": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies one or more Cipher Suites used.Note: For SM2, type the following cipher suite string: ECC-SM4-SM3.",
+			},
+			"allow": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
+			},
+			"require": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
+			},
+		},
+	}
+}
+
+func resourceBigipLtmCipherGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+
+	name := d.Get("name").(string)
+
+	log.Printf("[INFO] Creating Cipher rule:%+v", name)
+
+	cipherGrouptmp := &bigip.CipherGroupReq{}
+	cipherGrouptmp.Name = name
+	cipherGroup, err := getCipherGroupConfig(d, cipherGrouptmp)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
+	}
+	log.Printf("[INFO] cipherGroup config :%+v", cipherGroup)
+	err = client.AddLtmCipherGroup(cipherGroup)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err))
+	}
+	d.SetId(name)
+	return resourceBigipLtmCipherGroupRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Id()
+	log.Printf("[INFO] Fetching Cipher group :%+v", name)
+
+	cipherRule, err := client.GetLtmCipherGroup(name)
+	if err != nil {
+		log.Printf("[ERROR] Unable to retrieve cipher rule %s  %v :", name, err)
+		return diag.FromErr(err)
+	}
+	log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
+	return nil
+}
+
+func resourceBigipLtmCipherGroupUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Id()
+	cipherGrouptmp := &bigip.CipherGroupReq{}
+	cipherGrouptmp.Name = name
+	cipherGroupconfig, err := getCipherGroupConfig(d, cipherGrouptmp)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
+	}
+	if err := client.ModifyLtmCipherGroup(name, cipherGroupconfig); err != nil {
+		return diag.FromErr(fmt.Errorf("error modifying cipher group %s: %v", name, err))
+	}
+
+	return resourceBigipLtmCipherGroupRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+
+	name := d.Id()
+	log.Printf("[INFO] Deleting cipher group :%+v", name)
+	err := client.DeleteLtmCipherGroup(name)
+
+	if err != nil {
+		log.Printf("[ERROR] Unable to Delete cipher rule %s  %v : ", name, err)
+		return diag.FromErr(err)
+	}
+	d.SetId("")
+	return nil
+}
+
+func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroupReq) (*bigip.CipherGroupReq, error) {
+	cipherGroup.Ordering = d.Get("ordering").(string)
+	if p, ok := d.GetOk("allow"); ok {
+		for _, r := range p.(*schema.Set).List() {
+			cipherGroup.Allow = append(cipherGroup.Allow, r.(string))
+		}
+	}
+	if p, ok := d.GetOk("require"); ok {
+		for _, r := range p.(*schema.Set).List() {
+			cipherGroup.Require = append(cipherGroup.Require, r.(string))
+		}
+	}
+	return cipherGroup, nil
+}
diff --git a/bigip/resource_bigip_ltm_cipher_group_test.go b/bigip/resource_bigip_ltm_cipher_group_test.go
@@ -0,0 +1,76 @@
+/*
+Original work from https://github.com/DealerDotCom/terraform-provider-bigip
+Modifications Copyright 2019 F5 Networks Inc.
+This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
+If a copy of the MPL was not distributed with this file,You can obtain one at https://mozilla.org/MPL/2.0/.
+*/
+package bigip
+
+import (
+	"fmt"
+	"testing"
+
+	bigip "github.com/f5devcentral/go-bigip"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+const testCipherGroupConfigTC1 = `
+resource "bigip_ltm_cipher_group" "test-cipher-group" {
+	name = "/Common/test-cipher-group-01"
+	//cipher = "aes"
+}
+`
+
+func TestAccBigipLtmCipherGroupCreateTC1(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAcctPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckCipherGroupDestroyed,
+		Steps: []resource.TestStep{
+			{
+				Config: testCipherGroupConfigTC1,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckCipherGroupExists("/Common/test-cipher-group-01"),
+					resource.TestCheckResourceAttr("bigip_ltm_cipher_group.test-cipher-group", "name", "/Common/test-cipher-group-01"),
+				),
+			},
+		},
+	})
+}
+
+func testCheckCipherGroupExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client := testAccProvider.Meta().(*bigip.BigIP)
+
+		p, err := client.GetLtmCipherGroup(name)
+		if err != nil {
+			return err
+		}
+		if p == nil {
+			return fmt.Errorf("Pool %s does not exist ", name)
+		}
+
+		return nil
+	}
+}
+
+func testCheckCipherGroupDestroyed(s *terraform.State) error {
+	client := testAccProvider.Meta().(*bigip.BigIP)
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "bigip_ltm_cipher_group" {
+			continue
+		}
+		name := rs.Primary.ID
+		pool, err := client.GetLtmCipherGroup(name)
+		if err != nil {
+			return err
+		}
+		if pool != nil {
+			return fmt.Errorf("Cipher rule %s not destroyed ", name)
+		}
+	}
+	return nil
+}
diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go
@@ -0,0 +1,130 @@
+// Copyright 2023 F5 Networks Inc.
+// This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
+// If a copy of the MPL was not distributed with this file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package bigip
+
+import (
+	"context"
+	"fmt"
+	bigip "github.com/f5devcentral/go-bigip"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"log"
+)
+
+func resourceBigipLtmCipherRule() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceBigipLtmCipherRuleCreate,
+		ReadContext:   resourceBigipLtmCipherRuleRead,
+		UpdateContext: resourceBigipLtmCipherRuleUpdate,
+		DeleteContext: resourceBigipLtmCipherRuleDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				Description:  "Name of the cipher rule,name should be in pattern ``partition` + `cipher rule name``",
+				ForceNew:     true,
+				ValidateFunc: validateF5Name,
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies descriptive text that identifies the cipher rule",
+			},
+			"cipher": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies one or more Cipher Suites used.Note: For SM2, type the following cipher suite string: ECC-SM4-SM3.",
+			},
+			"dh_groups": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
+			},
+			"signature_algorithms": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies the Signature Algorithms, separated by colons (:), that you want to include in the cipher rule. You can also type a special keyword, DEFAULT, which represents the recommended set of signature algorithms",
+			},
+		},
+	}
+}
+
+func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+
+	name := d.Get("name").(string)
+
+	log.Printf("[INFO] Creating Cipher rule:%+v", name)
+
+	cipherRuletmp := &bigip.CipherRuleReq{}
+	cipherRuletmp.Name = name
+	cipherRule, err := getCipherRuleConfig(d, cipherRuletmp)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
+	}
+	log.Printf("[INFO] cipherRule config :%+v", cipherRule)
+	err = client.AddLtmCipherRule(cipherRule)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err))
+	}
+	d.SetId(name)
+	return resourceBigipLtmCipherRuleRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Id()
+	log.Printf("[INFO] Fetching Cipher rule :%+v", name)
+
+	cipherRule, err := client.GetLtmCipherRule(name)
+	if err != nil {
+		log.Printf("[ERROR] Unable to retrieve cipher rule %s  %v :", name, err)
+		return diag.FromErr(err)
+	}
+	log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
+	return nil
+}
+
+func resourceBigipLtmCipherRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Id()
+	cipherRuletmp := &bigip.CipherRuleReq{}
+	cipherRuletmp.Name = name
+	cipheRuleconfig, err := getCipherRuleConfig(d, cipherRuletmp)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
+	}
+	if err := client.ModifyLtmCipherRule(name, cipheRuleconfig); err != nil {
+		return diag.FromErr(fmt.Errorf("error modifying cipher rule %s: %v", name, err))
+	}
+
+	return resourceBigipLtmCipherRuleRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+
+	name := d.Id()
+	log.Printf("[INFO] Deleting cipher rule :%+v", name)
+	err := client.DeleteLtmCipherRule(name)
+
+	if err != nil {
+		log.Printf("[ERROR] Unable to Delete cipher rule %s  %v : ", name, err)
+		return diag.FromErr(err)
+	}
+	d.SetId("")
+	return nil
+}
+
+func getCipherRuleConfig(d *schema.ResourceData, cipherRule *bigip.CipherRuleReq) (*bigip.CipherRuleReq, error) {
+	cipherRule.Cipher = d.Get("cipher").(string)
+	cipherRule.DhGroups = d.Get("dh_groups").(string)
+	cipherRule.SignatureAlgorithms = d.Get("signature_algorithms").(string)
+	cipherRule.Description = d.Get("description").(string)
+	return cipherRule, nil
+}