Cipher rule

bigip/provider.go

@@ -111,6 +111,7 @@ func Provider() *schema.Provider {
 			"bigip_net_route":                       resourceBigipNetRoute(),
 			"bigip_net_selfip":                      resourceBigipNetSelfIP(),
 			"bigip_net_vlan":                        resourceBigipNetVlan(),
+			"bigip_ltm_cipher_rule":                 resourceBigipLtmCipherRule(),
 			"bigip_ltm_irule":                       resourceBigipLtmIRule(),
 			"bigip_ltm_datagroup":                   resourceBigipLtmDataGroup(),
 			"bigip_ltm_monitor":                     resourceBigipLtmMonitor(),

bigip/resource_bigip_ltm_cipher_rule.go

@@ -0,0 +1,163 @@
+package bigip
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	bigip "github.com/f5devcentral/go-bigip"
+	"github.com/f5devcentral/go-bigip/f5teem"
+	"github.com/google/uuid"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceBigipLtmCipherRule() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceBigipLtmCipherRuleCreate,
+		ReadContext:   resourceBigipLtmCipherRuleRead,
+		UpdateContext: resourceBigipLtmCipherRuleUpdate,
+		DeleteContext: resourceBigipLtmCipherRuleDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Description: "The cipher rule name.",
+				Required:    true,
+			},
+			"partition": {
+				Type:        schema.TypeString,
+				Description: "The partition name.",
+				Optional:    true,
+				Default:     "Common",
+			},
+			"cipher_suites": {
+				Type:        schema.TypeString,
+				Description: "The cipher suites.",
+				Default:     "DEFAULT",
+				Optional:    true,
+			},
+			"dh_groups": {
+				Type:        schema.TypeString,
+				Description: "The DH groups.",
+				Optional:    true,
+			},
+			"signature_algorithms": {
+				Type:        schema.TypeString,
+				Description: "The signature algorithms.",
+				Optional:    true,
+			},
+			"full_path": {
+				Type:        schema.TypeString,
+				Description: "The full path of the cipher rule.",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Get("name").(string)
+	partition := d.Get("partition").(string)
+	log.Println("[INFO] Creating Cipher Rule: ", name, " in partition: ", partition)
+	cipherRule := &bigip.CipherRule{
+		Name:                name,
+		Partition:           partition,
+		Cipher:              d.Get("cipher_suites").(string),
+		DHGroups:            d.Get("dh_groups").(string),
+		SignatureAlgorithms: d.Get("signature_algorithms").(string),
+	}
+	err := client.CreateCipherRule(cipherRule)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	fullPath := fmt.Sprintf("/%s/%s", partition, name)
+	d.SetId(fullPath)
+	if !client.Teem {
+		id := uuid.New()
+		uniqueID := id.String()
+		assetInfo := f5teem.AssetInfo{
+			Name:    "Terraform-provider-bigip",
+			Version: client.UserAgent,
+			Id:      uniqueID,
+		}
+		apiKey := os.Getenv("TEEM_API_KEY")
+		teemDevice := f5teem.AnonymousClient(assetInfo, apiKey)
+		f := map[string]interface{}{
+			"Terraform Version": client.UserAgent,
+		}
+		tsVer := strings.Split(client.UserAgent, "/")
+		err = teemDevice.Report(f, "bigip_ltm_cipher_rule", tsVer[3])
+		if err != nil {
+			log.Printf("[ERROR]Sending Telemetry data failed:%v", err)
+		}
+	}
+	return resourceBigipLtmCipherRuleRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+
+	id := d.Id()
+	id = strings.Replace(id, "/", "", 1)
+	name_partition := strings.Split(id, "/")
+	name := name_partition[1]
+	partition := name_partition[0]
+
+	log.Printf("----------------name_partition: %v------------------", name_partition)
+
+	log.Println("[INFO] Reading Cipher Rule: ", name)
+	cipherRule, err := client.GetCipherRule(name, partition)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	if cipherRule == nil {
+		return diag.FromErr(fmt.Errorf("cipher Rule not found"))
+	}
+	fullPath := fmt.Sprintf("/%s/%s", partition, name)
+	_ = d.Set("name", cipherRule.Name)
+	_ = d.Set("partition", cipherRule.Partition)
+	_ = d.Set("cipher_suites", cipherRule.Cipher)
+	_ = d.Set("dh_groups", cipherRule.DHGroups)
+	_ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms)
+	_ = d.Set("full_path", fullPath)
+	return nil
+}
+
+func resourceBigipLtmCipherRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Get("name").(string)
+	partition := d.Get("partition").(string)
+	log.Println("[INFO] Updating Cipher Rule: ", name, " in partition: ", partition)
+	cipherRule := &bigip.CipherRule{
+		Name:                name,
+		Partition:           partition,
+		Cipher:              d.Get("cipher_suites").(string),
+		DHGroups:            d.Get("dh_groups").(string),
+		SignatureAlgorithms: d.Get("signature_algorithms").(string),
+	}
+	err := client.ModifyCipherRule(cipherRule)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	return resourceBigipLtmCipherRuleRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*bigip.BigIP)
+	name := d.Get("name").(string)
+	partition := d.Get("partition").(string)
+	log.Println("[INFO] Deleting Cipher Rule: ", name, " in partition: ", partition)
+	err := client.DeleteCipherRule(name, partition)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	d.SetId("")
+	return nil
+}

bigip/resource_bigip_ltm_cipher_rule_test.go

@@ -0,0 +1,37 @@
+package bigip
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+const testResourceCipherRule = `
+resource "bigip_ltm_cipher_rule" "testcipher" {
+  name = "testcipher"
+  partition = "Common"
+  cipher_suites = "fips"
+  dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
+  signature_algorithms = "DEFAULT"
+}`
+
+func TestAccCipherRule(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAcctPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testResourceCipherRule,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "name", "testcipher"),
+					resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "partition", "Common"),
+					resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "cipher_suites", "fips"),
+					resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "dh_groups", "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"),
+					resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "signature_algorithms", "DEFAULT"),
+				),
+			},
+		},
+	})
+}

bigip/resource_bigip_ltm_policy.go

@@ -56,6 +56,7 @@ func resourceBigipLtmPolicy() *schema.Resource {
 				Optional:    true,
 				Description: "Publish the Policy",
 				ForceNew:    true,
+				Deprecated:  "This attribute is not required anymore because the resource automatically publishes the policy, for that reason this field is deprecated and will be removed in a future release.",
 			},
 			"controls": {
 				Type:     schema.TypeSet,

bigip/resource_bigip_ltm_virtual_server.go

@@ -211,10 +211,11 @@ func resourceBigipLtmVirtualServer() *schema.Resource {
 				Description: "Specifies a network protocol name you want the system to use to direct traffic on this virtual server. The default is TCP. The Protocol setting is not available when you select Performance (HTTP) as the Type.",
 			},
 			"policies": {
-				Type:     schema.TypeSet,
-				Elem:     &schema.Schema{Type: schema.TypeString},
-				Set:      schema.HashString,
-				Optional: true,
+				Type:        schema.TypeSet,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Set:         schema.HashString,
+				Optional:    true,
+				Description: "Specifies the policies for the virtual server",
 			},
 			"vlans": {
 				Type:     schema.TypeSet,

bigip/resource_bigip_ssl_key_cert.go

@@ -97,6 +97,10 @@
 		Passphrase: passphrase,
 	}
 
+	t, err := client.StartTransaction()
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error while starting transaction: %v", err))
+	}
 	err = client.AddKey(&keyCfg)
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error while adding the ssl key: %v", err))
@@ -105,6 +109,10 @@
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error while uploading the ssl cert: %v", err))
 	}
+	err = client.CommitTransaction(t.TransID)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error while ending transaction: %d", err))
+	}
 
 	id := keyName + "_" + certName
 	d.SetId(id)
@@ -166,6 +174,11 @@
 	}
 
 	keyFullPath := fmt.Sprintf("/%s/%s", partition, keyName)
+
+	t, err := client.StartTransaction()
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error while trying to start transaction: %s", err))
+	}
 	err = client.ModifyKey(keyFullPath, &keyCfg)
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error while trying to modify the ssl key (%s): %s", keyFullPath, err))
@@ -175,6 +188,10 @@
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error while updating the ssl certificate (%s): %s", certName, err))
 	}
+	err = client.CommitTransaction(t.TransID)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error while trying to end transaction: %s", err))
+	}
 
 	return resourceBigipSSLKeyCertRead(ctx, d, meta)
 }
@@ -191,7 +208,12 @@
 	keyFullPath := "/" + partition + "/" + keyName
 	certFullPath := "/" + partition + "/" + certName
 
-	err := client.DeleteKey(keyFullPath)
+	t, err := client.StartTransaction()
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error while starting transaction: %v", err))
+	}
+
+	err = client.DeleteKey(keyFullPath)
 	if err != nil {
 		log.Printf("[ERROR] unable to delete the ssl key (%s) (%v) ", keyFullPath, err)
 	}
@@ -201,6 +223,11 @@
 		log.Printf("[ERROR] unable to delete the ssl certificate (%s) (%v) ", certFullPath, err)
 	}
 
+	err = client.CommitTransaction(t.TransID)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error while ending transaction: %v", err))
+	}
+
 	d.SetId("")
 	return nil
 }

bigip/resource_bigip_ssl_key_cert_test.go

@@ -1,6 +1,9 @@
 package bigip
 
 import (
+	"fmt"
+	"log"
+	"os"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -16,6 +19,29 @@ resource "bigip_ssl_key_cert" "testkeycert" {
 }
 `
 
+var sslProfileCertKey = `
+resource "bigip_ssl_key_cert" "testkeycert" {
+  partition   = "Common"
+  key_name    = "ssl-test-key"
+  key_content = "${file("` + folder + `/../examples/%s")}"
+  cert_name    = "ssl-test-cert"
+  cert_content = "${file("` + folder + `/../examples/%s")}"
+}
+
+resource "bigip_ltm_profile_server_ssl" "test-ServerSsl" {
+  name          = "/Common/test-ServerSsl"
+  defaults_from = "/Common/serverssl"
+  authenticate  = "always"
+  ciphers       = "DEFAULT"
+  cert          = "/Common/ssl-test-cert"
+  key           = "/Common/ssl-test-key"
+
+  depends_on = [
+	bigip_ssl_key_cert.testkeycert
+  ]
+}
+`
+
 func TestAccBigipSSLCertKeyCreate(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -45,3 +71,44 @@ func TestAccBigipSSLCertKeyCreate(t *testing.T) {
 		},
 	})
 }
+
+func TestAccBigipSSLCertKeyCreateCertKeyProfile(t *testing.T) {
+	create := fmt.Sprintf(sslProfileCertKey, "serverkey.key", "servercert.crt")
+	modify := fmt.Sprintf(sslProfileCertKey, "serverkey2.key", "servercert2.crt")
+	crt1Content, _ := os.ReadFile(folder + `/../examples/` + "servercert.crt")
+	key1Content, _ := os.ReadFile(folder + `/../examples/` + "serverkey.key")
+	crt2Content, _ := os.ReadFile(folder + `/../examples/` + "servercert2.crt")
+	key2Content, _ := os.ReadFile(folder + `/../examples/` + "serverkey2.key")
+
+	log.Println(create)
+	log.Println(modify)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAcctPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: create,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "key_name", "ssl-test-key"),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "cert_name", "ssl-test-cert"),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "partition", "Common"),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "key_content", string(key1Content)),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "cert_content", string(crt1Content)),
+				),
+				Destroy: false,
+			},
+			{
+				Config: modify,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "key_name", "ssl-test-key"),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "cert_name", "ssl-test-cert"),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "partition", "Common"),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "key_content", string(key2Content)),
+					resource.TestCheckResourceAttr("bigip_ssl_key_cert.testkeycert", "cert_content", string(crt2Content)),
+				),
+			},
+		},
+	})
+}