Merge pull request #874 from F5Networks/devel_29092023

adding cipher group/rules documentations
F5Networks · Sep 29, 2023 · e7b2f81 · e7b2f81
2 parents 644d868 + 7cec485
commit e7b2f81
Show file tree

Hide file tree

Showing 15 changed files with 206 additions and 71 deletions.
diff --git a/bigip/resource_bigip_ltm_cipher_group.go b/bigip/resource_bigip_ltm_cipher_group.go
@@ -7,10 +7,15 @@ package bigip
 import (
 	"context"
 	"fmt"
+	"log"
+	"os"
+	"strings"
+
 	bigip "github.com/f5devcentral/go-bigip"
+	"github.com/f5devcentral/go-bigip/f5teem"
+	"github.com/google/uuid"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"log"
 )
 
 func resourceBigipLtmCipherGroup() *schema.Resource {
@@ -26,7 +31,7 @@ func resourceBigipLtmCipherGroup() *schema.Resource {
 			"name": {
 				Type:         schema.TypeString,
 				Required:     true,
-				Description:  "Name of the cipher rule,name should be in pattern ``partition` + `cipher rule name``",
+				Description:  "Name of the cipher group,name should be in pattern ``partition` + `cipher group name``",
 				ForceNew:     true,
 				ValidateFunc: validateF5Name,
 			},
@@ -36,22 +41,24 @@ func resourceBigipLtmCipherGroup() *schema.Resource {
 				Description: "Specifies descriptive text that identifies the cipher rule",
 			},
 			"ordering": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Description: "Specifies one or more Cipher Suites used.Note: For SM2, type the following cipher suite string: ECC-SM4-SM3.",
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				//Default:     "default",
+				Description: "Controls the order of the Cipher String list in the Cipher Audit section. Options are Default, Speed, Strength, FIPS, and Hardware. The rules are processed in the order listed",
 			},
 			"allow": {
 				Type:        schema.TypeSet,
 				Optional:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
-				Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
+				Description: "Specifies the configuration of the allowed groups of ciphers. You can select a cipher rule from the Available Cipher Rules list",
 			},
 			"require": {
 				Type:        schema.TypeSet,
 				Optional:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
-				Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
-			},
+				Description: "Specifies the configuration of the restrict groups of ciphers. You can select a cipher rule from the Available Cipher Rules list",
+      },
 		},
 	}
 }
@@ -65,15 +72,32 @@ func resourceBigipLtmCipherGroupCreate(ctx context.Context, d *schema.ResourceDa
 
 	cipherGrouptmp := &bigip.CipherGroupReq{}
 	cipherGrouptmp.Name = name
-	cipherGroup, err := getCipherGroupConfig(d, cipherGrouptmp)
-	if err != nil {
-		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
-	}
+	cipherGroup := getCipherGroupConfig(d, cipherGrouptmp)
+
 	log.Printf("[INFO] cipherGroup config :%+v", cipherGroup)
-	err = client.AddLtmCipherGroup(cipherGroup)
+	err := client.AddLtmCipherGroup(cipherGroup)
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err))
 	}
+	if !client.Teem {
+		id := uuid.New()
+		uniqueID := id.String()
+		assetInfo := f5teem.AssetInfo{
+			Name:    "Terraform-provider-bigip",
+			Version: client.UserAgent,
+			Id:      uniqueID,
+		}
+		apiKey := os.Getenv("TEEM_API_KEY")
+		teemDevice := f5teem.AnonymousClient(assetInfo, apiKey)
+		f := map[string]interface{}{
+			"Terraform Version": client.UserAgent,
+		}
+		tsVer := strings.Split(client.UserAgent, "/")
+		err = teemDevice.Report(f, "bigip_ltm_cipher_group", tsVer[3])
+		if err != nil {
+			log.Printf("[ERROR]Sending Telemetry data failed:%v", err)
+		}
+	}
 	d.SetId(name)
 	return resourceBigipLtmCipherGroupRead(ctx, d, meta)
 }
@@ -82,13 +106,14 @@ func resourceBigipLtmCipherGroupRead(ctx context.Context, d *schema.ResourceData
 	client := meta.(*bigip.BigIP)
 	name := d.Id()
 	log.Printf("[INFO] Fetching Cipher group :%+v", name)
-
-	cipherRule, err := client.GetLtmCipherGroup(name)
+	cipherGroup, err := client.GetLtmCipherGroup(name)
 	if err != nil {
-		log.Printf("[ERROR] Unable to retrieve cipher rule %s  %v :", name, err)
+		log.Printf("[ERROR] Unable to retrieve cipher group %s  %v :", name, err)
 		return diag.FromErr(err)
 	}
-	log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
+	_ = d.Set("name", cipherGroup.FullPath)
+	_ = d.Set("ordering", cipherGroup.Ordering)
+	log.Printf("[INFO] Cipher group response :%+v", cipherGroup)
 	return nil
 }
 
@@ -97,10 +122,7 @@ func resourceBigipLtmCipherGroupUpdate(ctx context.Context, d *schema.ResourceDa
 	name := d.Id()
 	cipherGrouptmp := &bigip.CipherGroupReq{}
 	cipherGrouptmp.Name = name
-	cipherGroupconfig, err := getCipherGroupConfig(d, cipherGrouptmp)
-	if err != nil {
-		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
-	}
+	cipherGroupconfig := getCipherGroupConfig(d, cipherGrouptmp)
 	if err := client.ModifyLtmCipherGroup(name, cipherGroupconfig); err != nil {
 		return diag.FromErr(fmt.Errorf("error modifying cipher group %s: %v", name, err))
 	}
@@ -123,7 +145,8 @@ func resourceBigipLtmCipherGroupDelete(ctx context.Context, d *schema.ResourceDa
 	return nil
 }
 
-func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroupReq) (*bigip.CipherGroupReq, error) {
+
+func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroupReq) *bigip.CipherGroupReq {
 	cipherGroup.Ordering = d.Get("ordering").(string)
 	if p, ok := d.GetOk("allow"); ok {
 		for _, r := range p.(*schema.Set).List() {
@@ -134,6 +157,6 @@ func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroup
 		for _, r := range p.(*schema.Set).List() {
 			cipherGroup.Require = append(cipherGroup.Require, r.(string))
 		}
-	}
-	return cipherGroup, nil
+	}	
+  return cipherGroup
 }
diff --git a/bigip/resource_bigip_ltm_cipher_group_test.go b/bigip/resource_bigip_ltm_cipher_group_test.go
@@ -17,8 +17,10 @@ import (
 
 const testCipherGroupConfigTC1 = `
 resource "bigip_ltm_cipher_group" "test-cipher-group" {
-	name = "/Common/test-cipher-group-01"
-	//cipher = "aes"
+  name     = "/Common/test-cipher-group-01"
+  allow    = ["/Common/f5-aes"]
+  require  = ["/Common/f5-quic"]
+  ordering = "speed"
 }
 `
 

diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go
@@ -7,10 +7,15 @@ package bigip
 import (
 	"context"
 	"fmt"
+	"log"
+	"os"
+	"strings"
+
 	bigip "github.com/f5devcentral/go-bigip"
+	"github.com/f5devcentral/go-bigip/f5teem"
+	"github.com/google/uuid"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"log"
 )
 
 func resourceBigipLtmCipherRule() *schema.Resource {
@@ -37,7 +42,7 @@ func resourceBigipLtmCipherRule() *schema.Resource {
 			},
 			"cipher": {
 				Type:        schema.TypeString,
-				Optional:    true,
+				Required:    true,
 				Description: "Specifies one or more Cipher Suites used.Note: For SM2, type the following cipher suite string: ECC-SM4-SM3.",
 			},
 			"dh_groups": {
@@ -56,37 +61,58 @@ func resourceBigipLtmCipherRule() *schema.Resource {
 
 func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*bigip.BigIP)
-
 	name := d.Get("name").(string)
 
 	log.Printf("[INFO] Creating Cipher rule:%+v", name)
 
 	cipherRuletmp := &bigip.CipherRuleReq{}
 	cipherRuletmp.Name = name
-	cipherRule, err := getCipherRuleConfig(d, cipherRuletmp)
-	if err != nil {
-		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
-	}
+
+	cipherRule := getCipherRuleConfig(d, cipherRuletmp)
+
 	log.Printf("[INFO] cipherRule config :%+v", cipherRule)
-	err = client.AddLtmCipherRule(cipherRule)
+	err := client.AddLtmCipherRule(cipherRule)
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err))
 	}
 	d.SetId(name)
+	if !client.Teem {
+		id := uuid.New()
+		uniqueID := id.String()
+		assetInfo := f5teem.AssetInfo{
+			Name:    "Terraform-provider-bigip",
+			Version: client.UserAgent,
+			Id:      uniqueID,
+		}
+		apiKey := os.Getenv("TEEM_API_KEY")
+		teemDevice := f5teem.AnonymousClient(assetInfo, apiKey)
+		f := map[string]interface{}{
+			"Terraform Version": client.UserAgent,
+		}
+		tsVer := strings.Split(client.UserAgent, "/")
+		err = teemDevice.Report(f, "bigip_ltm_cipher_rule", tsVer[3])
+		if err != nil {
+			log.Printf("[ERROR]Sending Telemetry data failed:%v", err)
+		}
+	}
 	return resourceBigipLtmCipherRuleRead(ctx, d, meta)
 }
 
 func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*bigip.BigIP)
 	name := d.Id()
 	log.Printf("[INFO] Fetching Cipher rule :%+v", name)
-
 	cipherRule, err := client.GetLtmCipherRule(name)
 	if err != nil {
 		log.Printf("[ERROR] Unable to retrieve cipher rule %s  %v :", name, err)
 		return diag.FromErr(err)
 	}
 	log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
+	_ = d.Set("name", cipherRule.Name)
+	_ = d.Set("partition", cipherRule.Partition)
+	_ = d.Set("cipher_suites", cipherRule.Cipher)
+	_ = d.Set("dh_groups", cipherRule.DhGroups)
+	_ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms)
 	return nil
 }
 
@@ -95,24 +121,18 @@ func resourceBigipLtmCipherRuleUpdate(ctx context.Context, d *schema.ResourceDat
 	name := d.Id()
 	cipherRuletmp := &bigip.CipherRuleReq{}
 	cipherRuletmp.Name = name
-	cipheRuleconfig, err := getCipherRuleConfig(d, cipherRuletmp)
-	if err != nil {
-		return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
-	}
+	cipheRuleconfig := getCipherRuleConfig(d, cipherRuletmp)
 	if err := client.ModifyLtmCipherRule(name, cipheRuleconfig); err != nil {
 		return diag.FromErr(fmt.Errorf("error modifying cipher rule %s: %v", name, err))
-	}
-
+	}  
 	return resourceBigipLtmCipherRuleRead(ctx, d, meta)
 }
 
 func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*bigip.BigIP)
-
 	name := d.Id()
 	log.Printf("[INFO] Deleting cipher rule :%+v", name)
 	err := client.DeleteLtmCipherRule(name)
-
 	if err != nil {
 		log.Printf("[ERROR] Unable to Delete cipher rule %s  %v : ", name, err)
 		return diag.FromErr(err)
@@ -121,10 +141,10 @@ func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceDat
 	return nil
 }
 
-func getCipherRuleConfig(d *schema.ResourceData, cipherRule *bigip.CipherRuleReq) (*bigip.CipherRuleReq, error) {
+func getCipherRuleConfig(d *schema.ResourceData, cipherRule *bigip.CipherRuleReq) *bigip.CipherRuleReq {
 	cipherRule.Cipher = d.Get("cipher").(string)
 	cipherRule.DhGroups = d.Get("dh_groups").(string)
 	cipherRule.SignatureAlgorithms = d.Get("signature_algorithms").(string)
 	cipherRule.Description = d.Get("description").(string)
-	return cipherRule, nil
+	return cipherRule
 }
diff --git a/bigip/resource_bigip_ltm_cipher_rule_test.go b/bigip/resource_bigip_ltm_cipher_rule_test.go
@@ -1,9 +1,3 @@
-/*
-Original work from https://github.com/DealerDotCom/terraform-provider-bigip
-Modifications Copyright 2019 F5 Networks Inc.
-This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
-If a copy of the MPL was not distributed with this file,You can obtain one at https://mozilla.org/MPL/2.0/.
-*/
 package bigip
 
 import (
@@ -17,8 +11,8 @@ import (
 
 const testCipherRuleConfigTC1 = `
 resource "bigip_ltm_cipher_rule" "test-cipher-rule" {
-	name = "/Common/test-cipher-rule"
-	cipher = "aes"
+  name   = "/Common/test-cipher-rule"
+  cipher = "aes"
 }
 `
 

diff --git a/bigip/resource_bigip_ltm_policy.go b/bigip/resource_bigip_ltm_policy.go
@@ -56,6 +56,7 @@ func resourceBigipLtmPolicy() *schema.Resource {
 				Optional:    true,
 				Description: "Publish the Policy",
 				ForceNew:    true,
+				Deprecated:  "This attribute is not required anymore because the resource automatically publishes the policy, for that reason this field is deprecated and will be removed in a future release.",
 			},
 			"controls": {
 				Type:     schema.TypeSet,

diff --git a/bigip/resource_bigip_ltm_virtual_server.go b/bigip/resource_bigip_ltm_virtual_server.go
@@ -211,10 +211,11 @@ func resourceBigipLtmVirtualServer() *schema.Resource {
 				Description: "Specifies a network protocol name you want the system to use to direct traffic on this virtual server. The default is TCP. The Protocol setting is not available when you select Performance (HTTP) as the Type.",
 			},
 			"policies": {
-				Type:     schema.TypeSet,
-				Elem:     &schema.Schema{Type: schema.TypeString},
-				Set:      schema.HashString,
-				Optional: true,
+				Type:        schema.TypeSet,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Set:         schema.HashString,
+				Optional:    true,
+				Description: "Specifies the policies for the virtual server",
 			},
 			"vlans": {
 				Type:     schema.TypeSet,

diff --git a/bigip/resource_bigip_ssl_key_cert.go b/bigip/resource_bigip_ssl_key_cert.go
@@ -7,7 +7,7 @@ import (
 	"log"
 	"strings"
 
-	"github.com/f5devcentral/go-bigip"
+	bigip "github.com/f5devcentral/go-bigip"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )

diff --git a/docs/resources/bigip_ltm_cipher_group.md b/docs/resources/bigip_ltm_cipher_group.md
@@ -0,0 +1,40 @@
+---
+layout: "bigip"
+page_title: "BIG-IP: bigip_ltm_cipher_rule"
+subcategory: "Local Traffic Manager(LTM)"
+description: |-
+Provides details about bigip_ltm_cipher_rule resource
+---
+
+# bigip\_ltm\_cipher\_group
+
+`bigip_ltm_cipher_group` Manages F5 BIG-IP LTM cipher group using iControl REST.
+
+## Example Usage
+
+```hcl
+resource "bigip_ltm_cipher_group" "test-cipher-group" {
+  name = "/Common/test-cipher-group-01"
+  allow = ["/Common/f5-aes"]
+  require = ["/Common/f5-quic"]
+  ordering = "speed"
+}
+```
+
+## Argument Reference
+
+* `name` - (Required,type `string`) Name of the Cipher group. Name should be in pattern `partition` + `cipher_group_name`
+
+* `allow` - (Optional,type `list` of `strings` ) Specifies the configuration of the allowed groups of ciphers. You can select a cipher rule from the Available Cipher Rules list.
+
+* `require` - (Optional,type `list` of `string`) Specifies the configuration of the restrict groups of ciphers. You can select a cipher rule from the Available Cipher Rules list.
+
+* `ordering` - (Optional,type `string`) Controls the order of the Cipher String list in the Cipher Audit section. Options are Default, Speed, Strength, FIPS, and Hardware. The rules are processed in the order listed.
+
+## Importing
+An existing cipher group can be imported into this resource by supplying the cipher rule full path name ex : `/partition/name`
+An example is below:
+```sh
+$ terraform import bigip_ltm_cipher_group.test_cipher_group /Common/test_cipher_group
+
+```