From aeda7c96cd4668fd13a9e37837eedf9131ec17c3 Mon Sep 17 00:00:00 2001 From: Rohit Upadhyay Date: Tue, 12 Sep 2023 19:26:07 +0530 Subject: [PATCH 1/8] Added new resource to create ltm cipher rules --- bigip/provider.go | 1 + bigip/resource_bigip_ltm_cipher_rule.go | 163 ++++++++++++++++++ bigip/resource_bigip_ltm_cipher_rule_test.go | 37 ++++ docs/resources/bigip_ltm_cipher_rule.md | 44 +++++ .../github.com/f5devcentral/go-bigip/ltm.go | 40 +++++ 5 files changed, 285 insertions(+) create mode 100644 bigip/resource_bigip_ltm_cipher_rule.go create mode 100644 bigip/resource_bigip_ltm_cipher_rule_test.go create mode 100644 docs/resources/bigip_ltm_cipher_rule.md
diff --git a/bigip/provider.go b/bigip/provider.go
index 8e5f21ee5..25e33bdc3 100644
--- a/bigip/provider.go
+++ b/bigip/provider.go
@@ -111,6 +111,7 @@ func Provider() *schema.Provider {
 "bigip_net_route": resourceBigipNetRoute(),
 "bigip_net_selfip": resourceBigipNetSelfIP(),
 "bigip_net_vlan": resourceBigipNetVlan(),
+ "bigip_ltm_cipher_rule": resourceBigipLtmCipherRule(),
 "bigip_ltm_irule": resourceBigipLtmIRule(),
 "bigip_ltm_datagroup": resourceBigipLtmDataGroup(),
 "bigip_ltm_monitor": resourceBigipLtmMonitor(),
diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go
new file mode 100644
index 000000000..7a72fab09
--- /dev/null
+++ b/bigip/resource_bigip_ltm_cipher_rule.go
@@ -0,0 +1,163 @@
+package bigip
+
+import (
+ "context"
+ "fmt"
+ "log"
+ "os"
+ "strings"
+
+ bigip "github.com/f5devcentral/go-bigip"
+ "github.com/f5devcentral/go-bigip/f5teem"
+ "github.com/google/uuid"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceBigipLtmCipherRule() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: resourceBigipLtmCipherRuleCreate,
+ ReadContext: resourceBigipLtmCipherRuleRead,
+ UpdateContext: resourceBigipLtmCipherRuleUpdate,
+ DeleteContext: resourceBigipLtmCipherRuleDelete,
+ Importer: &schema.ResourceImporter{
+ StateContext: schema.ImportStatePassthroughContext,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Description: "The cipher rule name.",
+ Required: true,
+ },
+ "partition": {
+ Type: schema.TypeString,
+ Description: "The partition name.",
+ Optional: true,
+ Default: "Common",
+ },
+ "cipher_suites": {
+ Type: schema.TypeString,
+ Description: "The cipher suites.",
+ Default: "DEFAULT",
+ Optional: true,
+ },
+ "dh_groups": {
+ Type: schema.TypeString,
+ Description: "The DH groups.",
+ Optional: true,
+ },
+ "signature_algorithms": {
+ Type: schema.TypeString,
+ Description: "The signature algorithms.",
+ Optional: true,
+ },
+ "full_path": {
+ Type: schema.TypeString,
+ Description: "The full path of the cipher rule.",
+ Computed: true,
+ },
+ },
+ }
+}
+
+func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+ name := d.Get("name").(string)
+ partition := d.Get("partition").(string)
+ log.Println("[INFO] Creating Cipher Rule: ", name, " in partition: ", partition)
+ cipherRule := &bigip.CipherRule{
+ Name: name,
+ Partition: partition,
+ Cipher: d.Get("cipher_suites").(string),
+ DHGroups: d.Get("dh_groups").(string),
+ SignatureAlgorithms: d.Get("signature_algorithms").(string),
+ }
+ err := client.CreateCipherRule(cipherRule)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ fullPath := fmt.Sprintf("/%s/%s", partition, name)
+ d.SetId(fullPath)
+ if !client.Teem {
+ id := uuid.New()
+ uniqueID := id.String()
+ assetInfo := f5teem.AssetInfo{
+ Name: "Terraform-provider-bigip",
+ Version: client.UserAgent,
+ Id: uniqueID,
+ }
+ apiKey := os.Getenv("TEEM_API_KEY")
+ teemDevice := f5teem.AnonymousClient(assetInfo, apiKey)
+ f := map[string]interface{}{
+ "Terraform Version": client.UserAgent,
+ }
+ tsVer := strings.Split(client.UserAgent, "/")
+ err = teemDevice.Report(f, "bigip_ltm_pool", tsVer[3])
+ if err != nil {
+ log.Printf("[ERROR]Sending Telemetry data failed:%v", err)
+ }
+ }
+ return resourceBigipLtmCipherRuleRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+
+ id := d.Id()
+ id = strings.Replace(id, "/", "", 1)
+ name_partition := strings.Split(id, "/")
+ name := name_partition[1]
+ partition := name_partition[0]
+
+ log.Printf("----------------name_partition: %v------------------", name_partition)
+
+ log.Println("[INFO] Reading Cipher Rule: ", name)
+ cipherRule, err := client.GetCipherRule(name, partition)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ if cipherRule == nil {
+ return diag.FromErr(fmt.Errorf("cipher Rule not found"))
+ }
+ fullPath := fmt.Sprintf("/%s/%s", partition, name)
+ _ = d.Set("name", cipherRule.Name)
+ _ = d.Set("partition", cipherRule.Partition)
+ _ = d.Set("cipher_suites", cipherRule.Cipher)
+ _ = d.Set("dh_groups", cipherRule.DHGroups)
+ _ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms)
+ _ = d.Set("full_path", fullPath)
+ return nil
+}
+
+func resourceBigipLtmCipherRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+ name := d.Get("name").(string)
+ partition := d.Get("partition").(string)
+ log.Println("[INFO] Updating Cipher Rule: ", name, " in partition: ", partition)
+ cipherRule := &bigip.CipherRule{
+ Name: name,
+ Partition: partition,
+ Cipher: d.Get("cipher_suites").(string),
+ DHGroups: d.Get("dh_groups").(string),
+ SignatureAlgorithms: d.Get("signature_algorithms").(string),
+ }
+ err := client.ModifyCipherRule(cipherRule)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ return resourceBigipLtmCipherRuleRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+ name := d.Get("name").(string)
+ partition := d.Get("partition").(string)
+ log.Println("[INFO] Deleting Cipher Rule: ", name, " in partition: ", partition)
+ err := client.DeleteCipherRule(name, partition)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ d.SetId("")
+ return nil
+}
diff --git a/bigip/resource_bigip_ltm_cipher_rule_test.go b/bigip/resource_bigip_ltm_cipher_rule_test.go
new file mode 100644
index 000000000..c2e9b28d9
--- /dev/null
+++ b/bigip/resource_bigip_ltm_cipher_rule_test.go
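Review bot: resourceBigipLtmCipherRuleRead indexes `name_partition[1]` without checking how many pieces `strings.Split` produced, so an import id without a slash (`terraform import bigip_ltm_cipher_rule.x testcipher`) panics the provider instead of returning a diagnostic; guard it with `if len(name_partition) != 2 { return diag.Errorf("invalid id %q, expected /partition/name", d.Id()) }`. The nil result from GetCipherRule, which is its not-found path, is turned into a hard error, so a rule deleted on the BIG-IP outside Terraform can never be reconciled; the usual provider behaviour is `d.SetId(""); return nil` so the next plan recreates it. The `----------------name_partition` Printf is a leftover debug line and should be removed. The telemetry block's `tsVer[3]` assumes the UserAgent has at least four slash-separated parts; that pattern is copied from sibling resources, so it is better fixed in a shared helper than here.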
@@ -0,0 +1,37 @@
+package bigip
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+const testResourceCipherRule = `
+resource "bigip_ltm_cipher_rule" "testcipher" {
+ name = "testcipher"
+ partition = "Common"
+ cipher_suites = "fips"
+ dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
+ signature_algorithms = "DEFAULT"
+}`
+
+func TestAccCipherRule(t *testing.T) {
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ testAcctPreCheck(t)
+ },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testResourceCipherRule,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "name", "testcipher"),
+ resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "partition", "Common"),
+ resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "cipher_suites", "fips"),
+ resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "dh_groups", "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"),
+ resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "signature_algorithms", "DEFAULT"),
+ ),
+ },
+ },
+ })
+}
diff --git a/docs/resources/bigip_ltm_cipher_rule.md b/docs/resources/bigip_ltm_cipher_rule.md
new file mode 100644
index 000000000..4b838fa60
--- /dev/null
+++ b/docs/resources/bigip_ltm_cipher_rule.md
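Review bot: TestAccCipherRule has no CheckDestroy and no existence check against the device, so it only proves the attributes round-trip through Terraform state; a create that the BIG-IP silently rejected, or a delete that left the rule behind, would still pass. Add `CheckDestroy: testCheckCipherRuleDestroyed,` and a `testCheckCipherRuleExists("/Common/testcipher")` check that calls client.GetCipherRule, the same shape the cipher-group test later in this series uses. A second step that changes `cipher_suites` would also confirm that Update actually PATCHes the device rather than only rewriting state.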
@@ -0,0 +1,44 @@
+---
+layout: "bigip"
+page_title: "BIG-IP: bigip_ltm_cipher_rule"
+subcategory: "Local Traffic Manager(LTM)"
+description: |-
+ Provides details about bigip_ltm_cipher_rule resource
+---
+
+# bigip\_ltm\_cipher\_rule
+
+`bigip_ltm_cipher_rule` Manages F5 BIG-IP LTM cipher rule via iControl REST API.
+
+## Example Usage
+
+```hcl
+resource "bigip_ltm_cipher_rule" "test_cipher_rule" {
+ name = "test_cipher_rule"
+ partition = "Uncommon"
+ cipher_suites = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"
+ dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
+ signature_algorithms = "DEFAULT"
+}
+```
+
+## Argument Reference
+
+* `name` - (Required,type `string`) Name of the Cipher Rule.
+
+* `partition` - (Optional,type `string`) The Partition in which the Cipher Rule will be created.
+
+* `cipher_suites` - (Required,type `string`) This is a colon (:) separated string of cipher suites. example, `TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384`. The default value for this attribute is `DEFAULT`.
+
+* `dh_groups` - (Optional,type `string`) Specifies the DH Groups algorithms, separated by colons (:).
+
+* `signature_algorithms` - (Optional,type `string`) Specifies the Signature Algorithms, separated by colons (:).
+
+
+## Importing
+An existing cipher rule can be imported into this resource by supplying the cipher rule's `full path` as `id`.
+An example is below:
+```sh
+$ terraform import bigip_ltm_cipher_rule.test_cipher_rule /Common/test_cipher_rule
+
+```
diff --git a/vendor/github.com/f5devcentral/go-bigip/ltm.go b/vendor/github.com/f5devcentral/go-bigip/ltm.go
index b0e626d57..8a664f0d1 100644
--- a/vendor/github.com/f5devcentral/go-bigip/ltm.go
+++ b/vendor/github.com/f5devcentral/go-bigip/ltm.go
@@ -1886,6 +1886,14 @@ type HttpCompressionProfile struct {
 VaryHeader string `json:"varyHeader,omitempty"`
 }
 
+type CipherRule struct {
+ Name string `json:"name,omitempty"`
+ Partition string `json:"partition,omitempty"`
+ Cipher string `json:"cipher,omitempty"`
+ DHGroups string `json:"dhGroups,omitempty"`
+ SignatureAlgorithms string `json:"signatureAlgorithms,omitempty"`
+}
+
 const (
 uriLtm = "ltm"
 uriNode = "node"
@@ -1928,6 +1936,8 @@ const (
 uriSSL = "ssl"
 uriUniversal = "universal"
 uriCreateDraft = "?options=create-draft"
+ uriCipher = "cipher"
+ uriRule = "rule"
 )
 
 var cidr = map[string]string{
@@ -3918,3 +3928,33 @@ func (b *BigIP) DeleteHttpCompressionProfile(name string) error {
 func (b *BigIP) ModifyHttpCompressionProfile(name string, config *HttpCompressionProfile) error {
 return b.put(config, uriLtm, uriProfile, uriHttpcompress, name)
 }
+
+func (b *BigIP) CreateCipherRule(cipherRule *CipherRule) error {
+ return b.post(cipherRule, uriLtm, uriCipher, uriRule)
+}
+
+func (b *BigIP) ModifyCipherRule(cipherRule *CipherRule) error {
+ modifyPath := fmt.Sprintf("~%s~%s", cipherRule.Partition, cipherRule.Name)
+ return b.patch(cipherRule, uriLtm, uriCipher, uriRule, modifyPath)
+}
+
+func (b *BigIP) DeleteCipherRule(name, partition string) error {
+ deletePath := fmt.Sprintf("~%s~%s", partition, name)
+ return b.delete(uriLtm, uriCipher, uriRule, deletePath)
+}
+
+func (b *BigIP) GetCipherRule(name, partition string) (*CipherRule, error) {
+ cipherRule := &CipherRule{}
+ fullPath := fmt.Sprintf("~%s~%s", partition, name)
+ log.Printf("-------------------fullPath: %s--------------------", fullPath)
+ err, ok := b.getForEntity(&cipherRule, uriLtm, uriCipher, uriRule, fullPath)
+ if err != nil {
+ return nil, err
+ }
+
+ if !ok {
+ return nil, nil
+ }
+
+ return cipherRule, nil
+}
From cb795bfb1c8d51721e567789cea1fb171aefad68 Mon Sep 17 00:00:00 2001
From: Rohit Upadhyay Date: Wed, 13 Sep 2023 11:33:55 +0530 Subject: [PATCH 2/8] fixed terrafmt lint issues --- docs/resources/bigip_ltm_cipher_rule.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/resources/bigip_ltm_cipher_rule.md b/docs/resources/bigip_ltm_cipher_rule.md
index 4b838fa60..97f8d4d40 100644
--- a/docs/resources/bigip_ltm_cipher_rule.md
+++ b/docs/resources/bigip_ltm_cipher_rule.md
@@ -14,10 +14,10 @@ description: |-
 
 ```hcl
 resource "bigip_ltm_cipher_rule" "test_cipher_rule" {
- name = "test_cipher_rule"
- partition = "Uncommon"
- cipher_suites = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"
- dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
+ name = "test_cipher_rule"
+ partition = "Uncommon"
+ cipher_suites = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"
+ dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
 signature_algorithms = "DEFAULT"
 }
 ```
From f3072b8abfdc38072f7b24896eb4db38d489de6f Mon Sep 17 00:00:00 2001 From: Rohit Upadhyay Date: Wed, 13 Sep 2023 12:21:22 +0530 Subject: [PATCH 3/8] fixed typo --- bigip/resource_bigip_ltm_cipher_rule.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go
index 7a72fab09..43d330d67 100644
--- a/bigip/resource_bigip_ltm_cipher_rule.go
+++ b/bigip/resource_bigip_ltm_cipher_rule.go
@@ -93,7 +93,7 @@ func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceDat
 "Terraform Version": client.UserAgent,
 }
 tsVer := strings.Split(client.UserAgent, "/")
- err = teemDevice.Report(f, "bigip_ltm_pool", tsVer[3])
+ err = teemDevice.Report(f, "bigip_ltm_cipher_rule", tsVer[3])
 if err != nil {
 log.Printf("[ERROR]Sending Telemetry data failed:%v", err)
 }
From b96694ba99f0ed1c4f50eca25e537a90dfaec3ea Mon Sep 17 00:00:00 2001
From: Rohit Upadhyay Date: Wed, 13 Sep 2023 16:15:19 +0530 Subject: [PATCH 4/8] Documentation correction --- bigip/resource_bigip_ltm_policy.go | 1 + bigip/resource_bigip_ltm_virtual_server.go | 9 +++++---- docs/resources/bigip_ltm_cipher_rule.md | 3 +++ docs/resources/bigip_ltm_policy.md | 2 +- docs/resources/bigip_ltm_virtual_server.md | 2 ++ 5 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/bigip/resource_bigip_ltm_policy.go b/bigip/resource_bigip_ltm_policy.go
index 99e34459c..fe5cd0162 100644
--- a/bigip/resource_bigip_ltm_policy.go
+++ b/bigip/resource_bigip_ltm_policy.go
@@ -56,6 +56,7 @@ func resourceBigipLtmPolicy() *schema.Resource {
 Optional: true,
 Description: "Publish the Policy",
 ForceNew: true,
+ Deprecated: "This attribute is not required anymore because the resource automatically publishes the policy, for that reason this field is deprecated and will be removed in a future release.",
 },
 "controls": {
 Type: schema.TypeSet,
diff --git a/bigip/resource_bigip_ltm_virtual_server.go b/bigip/resource_bigip_ltm_virtual_server.go
index 190af2ee2..26e43550d 100644
--- a/bigip/resource_bigip_ltm_virtual_server.go
+++ b/bigip/resource_bigip_ltm_virtual_server.go
@@ -211,10 +211,11 @@ func resourceBigipLtmVirtualServer() *schema.Resource {
 Description: "Specifies a network protocol name you want the system to use to direct traffic on this virtual server. The default is TCP. The Protocol setting is not available when you select Performance (HTTP) as the Type.",
 },
 "policies": {
- Type: schema.TypeSet,
- Elem: &schema.Schema{Type: schema.TypeString},
- Set: schema.HashString,
- Optional: true,
+ Type: schema.TypeSet,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Set: schema.HashString,
+ Optional: true,
+ Description: "Specifies the policies for the virtual server",
 },
 "vlans": {
 Type: schema.TypeSet,
diff --git a/docs/resources/bigip_ltm_cipher_rule.md b/docs/resources/bigip_ltm_cipher_rule.md
index 97f8d4d40..d400f52e5 100644
--- a/docs/resources/bigip_ltm_cipher_rule.md
+++ b/docs/resources/bigip_ltm_cipher_rule.md
@@ -34,6 +34,9 @@ resource "bigip_ltm_cipher_rule" "test_cipher_rule" {
 
 * `signature_algorithms` - (Optional,type `string`) Specifies the Signature Algorithms, separated by colons (:).
 
+## Read-Only
+
+* `full_path` - (String) The full path of the cipher rule, e.g. /Common/test_cipher_rule.
 
 ## Importing
 An existing cipher rule can be imported into this resource by supplying the cipher rule's `full path` as `id`.
diff --git a/docs/resources/bigip_ltm_policy.md b/docs/resources/bigip_ltm_policy.md
index 633466cc0..de22e7b50 100644
--- a/docs/resources/bigip_ltm_policy.md
+++ b/docs/resources/bigip_ltm_policy.md
@@ -37,7 +37,7 @@ resource "bigip_ltm_policy" "test-policy" {
 }
 depends_on = [bigip_ltm_pool.mypool]
 }
-```
+```
 
 ## Argument Reference
 
diff --git a/docs/resources/bigip_ltm_virtual_server.md b/docs/resources/bigip_ltm_virtual_server.md
index 04ffb2bae..9acb46fd7 100644
--- a/docs/resources/bigip_ltm_virtual_server.md
+++ b/docs/resources/bigip_ltm_virtual_server.md
@@ -90,6 +90,8 @@ resource "bigip_ltm_virtual_server" "https" {
 * `vlans` - (Optional) The virtual server is enabled/disabled on this set of VLANs,enable/disabled will be desided by attribute `vlan_enabled`
+* `policies` - (Optional) Specifies the policies for the virtual server.
+
 * `vlans_enabled` - (Optional Bool) Enables the virtual server on the VLANs specified by the `vlans` option. By default it is `false` i.e vlanDisabled on specified vlans, if we want enable virtual server on VLANs specified by `vlans`, mark this attribute to `true`.
From 826232c21a05cee50beacfa7a87009d54a5d4ff7 Mon Sep 17 00:00:00 2001 From: Rohit Upadhyay Date: Thu, 14 Sep 2023 11:43:43 +0530 Subject: [PATCH 5/8] Added deprection msg for published_policy in the docs --- docs/resources/bigip_ltm_policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/resources/bigip_ltm_policy.md b/docs/resources/bigip_ltm_policy.md
index de22e7b50..e123af305 100644
--- a/docs/resources/bigip_ltm_policy.md
+++ b/docs/resources/bigip_ltm_policy.md
@@ -49,7 +49,7 @@ resource "bigip_ltm_policy" "test-policy" {
 
 * `requires` - (Optional) Specifies the protocol
 
-* `published_copy` - (Optional) If you want to publish the policy else it will be deployed in Drafts mode.
+* `published_copy` - (Deprecated) If you want to publish the policy else it will be deployed in Drafts mode. This attribute is deprecated and will be removed in a future release.
 
 * `controls` - (Optional) Specifies the controls
 
From 9d0555839fc81ff3414399c00e0b3c814a53a19c Mon Sep 17 00:00:00 2001 From: Rohit Upadhyay Date: Thu, 14 Sep 2023 16:59:43 +0530 Subject: [PATCH 6/8] Added note in the docs for bigip_ltm_policy resource --- bigip/resource_bigip_ssl_key_cert.go | 2 +- docs/resources/bigip_ltm_policy.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/bigip/resource_bigip_ssl_key_cert.go b/bigip/resource_bigip_ssl_key_cert.go
index 282950647..c25a4f481 100644
--- a/bigip/resource_bigip_ssl_key_cert.go
+++ b/bigip/resource_bigip_ssl_key_cert.go
@@ -7,7 +7,7 @@ import (
 "log"
 "strings"
 
- "github.com/f5devcentral/go-bigip"
+ bigip "github.com/f5devcentral/go-bigip"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
diff --git a/docs/resources/bigip_ltm_policy.md b/docs/resources/bigip_ltm_policy.md
index e123af305..01923d8ab 100644
--- a/docs/resources/bigip_ltm_policy.md
+++ b/docs/resources/bigip_ltm_policy.md
@@ -41,6 +41,9 @@ resource "bigip_ltm_policy" "test-policy" {
 
 ## Argument Reference
 
+> [!NOTE]
+> The attribute `published_copy` is not required anymore as the resource automatically publishes the policy, hence it's deprecated and will be removed from future release.
+
 * `name`- (Required) Name of the Policy ( policy name should be in full path which is combination of partition and policy name )
 
 * `strategy` - (Optional) Specifies the match strategy
From be9ca2f3e9a9d0262edd1eae4ef52cbaa23bf78e Mon Sep 17 00:00:00 2001 From: chinthalapalli Date: Fri, 29 Sep 2023 15:21:44 +0530 Subject: [PATCH 7/8] adding cipher group/rule rebase --- bigip/provider.go | 3 +- bigip/resource_bigip_awaf_policy.go | 2 +- bigip/resource_bigip_ltm_cipher_group.go | 143 ++++++++++++++++++ bigip/resource_bigip_ltm_cipher_group_test.go | 76 ++++++++++ bigip/resource_bigip_ltm_cipher_rule.go | 117 +++++++------- bigip/resource_bigip_ltm_cipher_rule_test.go | 70 ++++++--- docs/resources/bigip_ltm_cipher_group.md | 40 +++++ docs/resources/bigip_ltm_cipher_rule.md | 23 +-- .../github.com/f5devcentral/go-bigip/ltm.go | 79 ++++++++-- 9 files changed, 440 insertions(+), 113 deletions(-) create mode 100644 bigip/resource_bigip_ltm_cipher_group.go create mode 100644 bigip/resource_bigip_ltm_cipher_group_test.go create mode 100644 docs/resources/bigip_ltm_cipher_group.md
diff --git a/bigip/provider.go b/bigip/provider.go
index 25e33bdc3..aa0312deb 100644
--- a/bigip/provider.go
+++ b/bigip/provider.go
@@ -111,7 +111,6 @@ func Provider() *schema.Provider {
 "bigip_net_route": resourceBigipNetRoute(),
 "bigip_net_selfip": resourceBigipNetSelfIP(),
 "bigip_net_vlan": resourceBigipNetVlan(),
- "bigip_ltm_cipher_rule": resourceBigipLtmCipherRule(),
 "bigip_ltm_irule": resourceBigipLtmIRule(),
 "bigip_ltm_datagroup": resourceBigipLtmDataGroup(),
 "bigip_ltm_monitor": resourceBigipLtmMonitor(),
@@ -166,6 +165,8 @@ func Provider() *schema.Provider {
 "bigip_ipsec_profile": resourceBigipIpsecProfile(),
 "bigip_waf_policy": resourceBigipAwafPolicy(),
 "bigip_vcmp_guest": resourceBigipVcmpGuest(),
+ "bigip_ltm_cipher_rule": resourceBigipLtmCipherRule(),
+ "bigip_ltm_cipher_group": resourceBigipLtmCipherGroup(),
 },
 }
 p.ConfigureContextFunc = func(ctx context.Context, d *schema.ResourceData) (interface{}, diag.Diagnostics) {
diff --git a/bigip/resource_bigip_awaf_policy.go b/bigip/resource_bigip_awaf_policy.go
index 063fbf6f7..f4604ad31 100644
--- a/bigip/resource_bigip_awaf_policy.go
+++ b/bigip/resource_bigip_awaf_policy.go
@@ -540,7 +540,7 @@ func getpolicyConfig(d *schema.ResourceData) (string, error) {
 fullPath = fmt.Sprintf("/%s/%s", partition, name)
 }
 var appLang1 string
- appLang1 = "auto-detect"
+ appLang1 = "utf-8"
 if val, ok := d.GetOk("application_language"); ok {
 appLang1 = val.(string)
 }
diff --git a/bigip/resource_bigip_ltm_cipher_group.go b/bigip/resource_bigip_ltm_cipher_group.go
new file mode 100644
index 000000000..e2de11a60
--- /dev/null
+++ b/bigip/resource_bigip_ltm_cipher_group.go
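Review bot: The fallback for `application_language` in getpolicyConfig changes from `auto-detect` to `utf-8` with no mention in the commit message ("adding cipher group/rule rebase"), the changelog or the bigip_waf_policy docs, so every existing configuration that omits the attribute will produce a different policy on its next apply without the operator being told why. If the change is intentional it deserves its own commit with a docs/CHANGELOG note, and the default would be more discoverable as `Default: "utf-8"` on the schema attribute than as a literal buried in the builder. getpolicyConfig starts and ends outside this hunk, so whether the schema already declares a default cannot be confirmed from here.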
@@ -0,0 +1,143 @@
+// Copyright 2023 F5 Networks Inc.
+// This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
+// If a copy of the MPL was not distributed with this file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package bigip
+
+import (
+ "context"
+ "fmt"
+ bigip "github.com/f5devcentral/go-bigip"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "log"
+)
+
+func resourceBigipLtmCipherGroup() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: resourceBigipLtmCipherGroupCreate,
+ ReadContext: resourceBigipLtmCipherGroupRead,
+ UpdateContext: resourceBigipLtmCipherGroupUpdate,
+ DeleteContext: resourceBigipLtmCipherGroupDelete,
+ Importer: &schema.ResourceImporter{
+ StateContext: schema.ImportStatePassthroughContext,
+ },
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Required: true,
+ Description: "Name of the cipher group,name should be in pattern ``partition` + `cipher group name``",
+ ForceNew: true,
+ ValidateFunc: validateF5Name,
+ },
+ "description": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Specifies descriptive text that identifies the cipher rule",
+ },
+ "ordering": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ //Default: "default",
+ Description: "Controls the order of the Cipher String list in the Cipher Audit section. Options are Default, Speed, Strength, FIPS, and Hardware. The rules are processed in the order listed",
+ },
+ "allow": {
+ Type: schema.TypeSet,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Description: "Specifies the configuration of the allowed groups of ciphers. You can select a cipher rule from the Available Cipher Rules list",
+ },
+ "require": {
+ Type: schema.TypeSet,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Description: "Specifies the configuration of the restrict groups of ciphers. You can select a cipher rule from the Available Cipher Rules list",
+ },
+ },
+ }
+}
+
+func resourceBigipLtmCipherGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+
+ name := d.Get("name").(string)
+
+ log.Printf("[INFO] Creating Cipher rule:%+v", name)
+
+ cipherGrouptmp := &bigip.CipherGroupReq{}
+ cipherGrouptmp.Name = name
+ cipherGroup, err := getCipherGroupConfig(d, cipherGrouptmp)
+ if err != nil {
+ return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
+ }
+ log.Printf("[INFO] cipherGroup config :%+v", cipherGroup)
+ err = client.AddLtmCipherGroup(cipherGroup)
+ if err != nil {
+ return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err))
+ }
+ d.SetId(name)
+ return resourceBigipLtmCipherGroupRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+ name := d.Id()
+ log.Printf("[INFO] Fetching Cipher group :%+v", name)
+
+ cipherGroup, err := client.GetLtmCipherGroup(name)
+ if err != nil {
+ log.Printf("[ERROR] Unable to retrieve cipher group %s %v :", name, err)
+ return diag.FromErr(err)
+ }
+ _ = d.Set("name", cipherGroup.FullPath)
+ _ = d.Set("ordering", cipherGroup.Ordering)
+ log.Printf("[INFO] Cipher group response :%+v", cipherGroup)
+ return nil
+}
+
+func resourceBigipLtmCipherGroupUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+ name := d.Id()
+ cipherGrouptmp := &bigip.CipherGroupReq{}
+ cipherGrouptmp.Name = name
+ cipherGroupconfig, err := getCipherGroupConfig(d, cipherGrouptmp)
+ if err != nil {
+ return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
+ }
+ if err := client.ModifyLtmCipherGroup(name, cipherGroupconfig); err != nil {
+ return diag.FromErr(fmt.Errorf("error modifying cipher group %s: %v", name, err))
+ }
+
+ return resourceBigipLtmCipherGroupRead(ctx, d, meta)
+}
+
+func resourceBigipLtmCipherGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ client := meta.(*bigip.BigIP)
+
+ name := d.Id()
+ log.Printf("[INFO] Deleting cipher group :%+v", name)
+ err := client.DeleteLtmCipherGroup(name)
+
+ if err != nil {
+ log.Printf("[ERROR] Unable to Delete cipher rule %s %v : ", name, err)
+ return diag.FromErr(err)
+ }
+ d.SetId("")
+ return nil
+}
+
+func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroupReq) (*bigip.CipherGroupReq, error) {
+ cipherGroup.Ordering = d.Get("ordering").(string)
+ if p, ok := d.GetOk("allow"); ok {
+ for _, r := range p.(*schema.Set).List() {
+ cipherGroup.Allow = append(cipherGroup.Allow, r.(string))
+ }
+ }
+ if p, ok := d.GetOk("require"); ok {
+ for _, r := range p.(*schema.Set).List() {
+ cipherGroup.Require = append(cipherGroup.Require, r.(string))
+ }
+ }
+ return cipherGroup, nil
+}
diff --git a/bigip/resource_bigip_ltm_cipher_group_test.go b/bigip/resource_bigip_ltm_cipher_group_test.go
new file mode 100644
index 000000000..094c0a0da
--- /dev/null
+++ b/bigip/resource_bigip_ltm_cipher_group_test.go
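Review bot: resourceBigipLtmCipherGroupRead writes only `name` and `ordering` back to state, so `allow` and `require` — the attributes that decide which cipher rules a client-ssl profile using this group may negotiate — are never refreshed: a group loosened by hand on the BIG-IP produces no diff in `terraform plan`, and an imported group lands in state with empty sets. `description` is declared in the schema but is neither copied into the request by getCipherGroupConfig nor read back, so it is currently a no-op attribute. Read also dereferences `cipherGroup.FullPath` with no nil check; if GetLtmCipherGroup returns `(nil, nil)` for a missing object, as the `if p == nil` branch in the accompanying test suggests, a group deleted outside Terraform panics the provider instead of being dropped from state via `if cipherGroup == nil { d.SetId(""); return nil }`. The log and error strings in Create and Delete say "cipher rule" where they mean cipher group, and the import block mixes stdlib and third-party paths rather than the goimports grouping the other files use.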
@@ -0,0 +1,76 @@
+/*
+Original work from https://github.com/DealerDotCom/terraform-provider-bigip
+Modifications Copyright 2019 F5 Networks Inc.
+This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
+If a copy of the MPL was not distributed with this file,You can obtain one at https://mozilla.org/MPL/2.0/.
+*/
+package bigip
+
+import (
+ "fmt"
+ "testing"
+
+ bigip "github.com/f5devcentral/go-bigip"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+const testCipherGroupConfigTC1 = `
+resource "bigip_ltm_cipher_group" "test-cipher-group" {
+ name = "/Common/test-cipher-group-01"
+ //cipher = "aes"
+}
+`
+
+func TestAccBigipLtmCipherGroupCreateTC1(t *testing.T) {
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ testAcctPreCheck(t)
+ },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckCipherGroupDestroyed,
+ Steps: []resource.TestStep{
+ {
+ Config: testCipherGroupConfigTC1,
+ Check: resource.ComposeTestCheckFunc(
+ testCheckCipherGroupExists("/Common/test-cipher-group-01"),
+ resource.TestCheckResourceAttr("bigip_ltm_cipher_group.test-cipher-group", "name", "/Common/test-cipher-group-01"),
+ ),
+ },
+ },
+ })
+}
+
+func testCheckCipherGroupExists(name string) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ client := testAccProvider.Meta().(*bigip.BigIP)
+
+ p, err := client.GetLtmCipherGroup(name)
+ if err != nil {
+ return err
+ }
+ if p == nil {
+ return fmt.Errorf("Pool %s does not exist ", name)
+ }
+
+ return nil
+ }
+}
+
+func testCheckCipherGroupDestroyed(s *terraform.State) error {
+ client := testAccProvider.Meta().(*bigip.BigIP)
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "bigip_ltm_cipher_group" {
+ continue
+ }
+ name := rs.Primary.ID
+ pool, err := client.GetLtmCipherGroup(name)
+ if err != nil {
+ return err
+ }
+ if pool != nil {
+ return fmt.Errorf("Cipher rule %s not destroyed ", name)
+ }
+ }
+ return nil
+}
diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go
index 43d330d67..796325a93 100644
--- a/bigip/resource_bigip_ltm_cipher_rule.go
+++ b/bigip/resource_bigip_ltm_cipher_rule.go
@@ -1,3 +1,7 @@
+// Copyright 2023 F5 Networks Inc.
+// This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
+// If a copy of the MPL was not distributed with this file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
 package bigip
 
 import (
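Review bot: The only test config creates an empty group, so the `allow`/`require`/`ordering` handling in getCipherGroupConfig is never exercised and nothing beyond the name is compared against the device. A second config that sets `allow` to an existing cipher rule, checked with `resource.TestCheckTypeSetElemAttr`, would cover the code path that actually shapes the TLS policy, and an update step would show whether Update and the subsequent Read agree. The helper messages are copy-pasted from the pool test (`"Pool %s does not exist "`, `"Cipher rule %s not destroyed "`) and the local `pool` variable should be renamed to match what it holds.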
@@ -23,39 +27,33 @@ func resourceBigipLtmCipherRule() *schema.Resource {
 Importer: &schema.ResourceImporter{
 StateContext: schema.ImportStatePassthroughContext,
 },
-
 Schema: map[string]*schema.Schema{
 "name": {
- Type: schema.TypeString,
- Description: "The cipher rule name.",
- Required: true,
+ Type: schema.TypeString,
+ Required: true,
+ Description: "Name of the cipher rule,name should be in pattern ``partition` + `cipher rule name``",
+ ForceNew: true,
+ ValidateFunc: validateF5Name,
 },
- "partition": {
+ "description": {
 Type: schema.TypeString,
- Description: "The partition name.",
 Optional: true,
- Default: "Common",
+ Description: "Specifies descriptive text that identifies the cipher rule",
 },
- "cipher_suites": {
+ "cipher": {
 Type: schema.TypeString,
- Description: "The cipher suites.",
- Default: "DEFAULT",
- Optional: true,
+ Required: true,
+ Description: "Specifies one or more Cipher Suites used.Note: For SM2, type the following cipher suite string: ECC-SM4-SM3.",
 },
 "dh_groups": {
 Type: schema.TypeString,
- Description: "The DH groups.",
 Optional: true,
+ Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
 },
 "signature_algorithms": {
 Type: schema.TypeString,
- Description: "The signature algorithms.",
 Optional: true,
- },
- "full_path": {
- Type: schema.TypeString,
- Description: "The full path of the cipher rule.",
- Computed: true,
+ Description: "Specifies the Signature Algorithms, separated by colons (:), that you want to include in the cipher rule. You can also type a special keyword, DEFAULT, which represents the recommended set of signature algorithms",
 },
 },
 }
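Review bot: `dh_groups` and `signature_algorithms` are Optional without Computed, while their own descriptions say an omitted value means DEFAULT on the device; if the BIG-IP reports that keyword back on read (the Read function sets both unconditionally), a configuration that leaves them unset will show a perpetual `"" -> "DEFAULT"` diff, so either add `Computed: true,` to both or verify against a device that the REST response leaves them empty. The new `description` attribute needs to be set back in Read as well, otherwise drift in it is never noticed. The description strings also have missing spaces (`used.Note:`, `(:).Note:`) and the nested backticks in the name description render oddly in generated docs.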
@@ -64,21 +62,21 @@ func resourceBigipLtmCipherRule() *schema.Resource {
 func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 client := meta.(*bigip.BigIP)
 name := d.Get("name").(string)
- partition := d.Get("partition").(string)
- log.Println("[INFO] Creating Cipher Rule: ", name, " in partition: ", partition)
- cipherRule := &bigip.CipherRule{
- Name: name,
- Partition: partition,
- Cipher: d.Get("cipher_suites").(string),
- DHGroups: d.Get("dh_groups").(string),
- SignatureAlgorithms: d.Get("signature_algorithms").(string),
+
+ log.Printf("[INFO] Creating Cipher rule:%+v", name)
+
+ cipherRuletmp := &bigip.CipherRuleReq{}
+ cipherRuletmp.Name = name
+ cipherRule, err := getCipherRuleConfig(d, cipherRuletmp)
+ if err != nil {
+ return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err))
 }
- err := client.CreateCipherRule(cipherRule)
+ log.Printf("[INFO] cipherRule config :%+v", cipherRule)
+ err = client.AddLtmCipherRule(cipherRule)
 if err != nil {
- return diag.FromErr(err)
+ return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err))
 }
- fullPath := fmt.Sprintf("/%s/%s", partition, name)
- d.SetId(fullPath)
+ d.SetId(name)
 if !client.Teem {
 id := uuid.New()
 uniqueID := id.String()
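Review bot: Both new wrapping sites use `%s` for the inner error, which flattens it to text and defeats `errors.Is`/`errors.As` for anything upstream; use `return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %w", name, err))` and the same `%w` in the getCipherRuleConfig branch. That branch is dead as written, since getCipherRuleConfig (added later in this file) always returns a nil error, so either make it validate something (rejecting an empty `cipher`, for instance) or drop the check. The function continues past the hunk into the telemetry block, whose `tsVer[3]` index is unchanged by this commit.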
@@ -103,61 +101,54 @@ func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceDat func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { client := meta.(*bigip.BigIP) - - id := d.Id() - id = strings.Replace(id, "/", "", 1) - name_partition := strings.Split(id, "/") - name := name_partition[1] - partition := name_partition[0] - - log.Printf("----------------name_partition: %v------------------", name_partition) - - log.Println("[INFO] Reading Cipher Rule: ", name) - cipherRule, err := client.GetCipherRule(name, partition) + name := d.Id() + log.Printf("[INFO] Fetching Cipher rule :%+v", name) + cipherRule, err := client.GetLtmCipherRule(name) if err != nil { + log.Printf("[ERROR] Unable to retrieve cipher rule %s %v :", name, err) return diag.FromErr(err) } - if cipherRule == nil { - return diag.FromErr(fmt.Errorf("cipher Rule not found")) - } - fullPath := fmt.Sprintf("/%s/%s", partition, name) + log.Printf("[INFO] Cipher rule response :%+v", cipherRule) _ = d.Set("name", cipherRule.Name) _ = d.Set("partition", cipherRule.Partition) _ = d.Set("cipher_suites", cipherRule.Cipher) - _ = d.Set("dh_groups", cipherRule.DHGroups) + _ = d.Set("dh_groups", cipherRule.DhGroups) _ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms) - _ = d.Set("full_path", fullPath) return nil } func resourceBigipLtmCipherRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { client := meta.(*bigip.BigIP) - name := d.Get("name").(string) - partition := d.Get("partition").(string) - log.Println("[INFO] Updating Cipher Rule: ", name, " in partition: ", partition) - cipherRule := &bigip.CipherRule{ - Name: name, - Partition: partition, - Cipher: d.Get("cipher_suites").(string), - DHGroups: d.Get("dh_groups").(string), - SignatureAlgorithms: d.Get("signature_algorithms").(string), - } - err := client.ModifyCipherRule(cipherRule) + + name := d.Id() + cipherRuletmp 
:= &bigip.CipherRuleReq{} + cipherRuletmp.Name = name + cipheRuleconfig, err := getCipherRuleConfig(d, cipherRuletmp) if err != nil { - return diag.FromErr(err) + return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err)) + } + if err := client.ModifyLtmCipherRule(name, cipheRuleconfig); err != nil { + return diag.FromErr(fmt.Errorf("error modifying cipher rule %s: %v", name, err)) } return resourceBigipLtmCipherRuleRead(ctx, d, meta) } func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { client := meta.(*bigip.BigIP) - name := d.Get("name").(string) - partition := d.Get("partition").(string) - log.Println("[INFO] Deleting Cipher Rule: ", name, " in partition: ", partition) - err := client.DeleteCipherRule(name, partition) + name := d.Id() + log.Printf("[INFO] Deleting cipher rule :%+v", name) + err := client.DeleteLtmCipherRule(name) if err != nil { + log.Printf("[ERROR] Unable to Delete cipher rule %s %v : ", name, err) return diag.FromErr(err) } d.SetId("") return nil } +func getCipherRuleConfig(d *schema.ResourceData, cipherRule *bigip.CipherRuleReq) (*bigip.CipherRuleReq, error) { + cipherRule.Cipher = d.Get("cipher").(string) + cipherRule.DhGroups = d.Get("dh_groups").(string) + cipherRule.SignatureAlgorithms = d.Get("signature_algorithms").(string) + cipherRule.Description = d.Get("description").(string) + return cipherRule, nil +} diff --git a/bigip/resource_bigip_ltm_cipher_rule_test.go b/bigip/resource_bigip_ltm_cipher_rule_test.go index c2e9b28d9..0382d4781 100644 --- a/bigip/resource_bigip_ltm_cipher_rule_test.go +++ b/bigip/resource_bigip_ltm_cipher_rule_test.go 
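Review bot: `resourceBigipLtmCipherRuleRead` still writes `partition` and `cipher_suites`, which the schema no longer declares (it now has `cipher` and `description`), and because every `d.Set` error is discarded with `_ =`, the cipher string is never refreshed into state — drift on the device goes unnoticed and an imported resource ends up with an empty Required `cipher`. The `if cipherRule == nil` guard was also removed, yet the vendored `GetLtmCipherRule` returns `nil, nil` when the object is not found, so a rule deleted out of band now panics on `cipherRule.Name` instead of being dropped from state. Setting `name` from `cipherRule.Name` presumably yields the short name while the config and ID carry `/partition/name`, which combined with `ForceNew` would force a replacement on every plan — `FullPath` looks like the right source, please confirm against the API response. Suggested body after the error check:
```go
	// … unchanged: client.GetLtmCipherRule call and error check …
	if cipherRule == nil {
		log.Printf("[WARN] cipher rule %s not found on device, removing from state", name)
		d.SetId("")
		return nil
	}
	log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
	_ = d.Set("name", cipherRule.FullPath) // TODO confirm: FullPath vs Name for the /partition/name ID
	_ = d.Set("cipher", cipherRule.Cipher)
	_ = d.Set("description", cipherRule.Description)
	_ = d.Set("dh_groups", cipherRule.DhGroups)
	_ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms)
	return nil
```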
@@ -1,37 +1,71 @@ package bigip import ( - "testing" - + "fmt" + bigip "github.com/f5devcentral/go-bigip" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "testing" ) -const testResourceCipherRule = ` -resource "bigip_ltm_cipher_rule" "testcipher" { - name = "testcipher" - partition = "Common" - cipher_suites = "fips" - dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096" - signature_algorithms = "DEFAULT" -}` +const testCipherRuleConfigTC1 = ` +resource "bigip_ltm_cipher_rule" "test-cipher-rule" { + name = "/Common/test-cipher-rule" + cipher = "aes" +} +` -func TestAccCipherRule(t *testing.T) { +func TestAccBigipLtmCipherRuleCreateTC1(t *testing.T) { resource.Test(t, resource.TestCase{ PreCheck: func() { testAcctPreCheck(t) }, - Providers: testAccProviders, + Providers: testAccProviders, + CheckDestroy: testCheckCipherRuleDestroyed, Steps: []resource.TestStep{ { - Config: testResourceCipherRule, + Config: testCipherRuleConfigTC1, Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "name", "testcipher"), - resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "partition", "Common"), - resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "cipher_suites", "fips"), - resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "dh_groups", "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"), - resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.testcipher", "signature_algorithms", "DEFAULT"), + testCheckCipherRuleExists("/Common/test-cipher-rule"), + resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.test-cipher-rule", "name", "/Common/test-cipher-rule"), ), }, }, }) } + +func testCheckCipherRuleExists(name string) resource.TestCheckFunc { + return func(s *terraform.State) error { + client := testAccProvider.Meta().(*bigip.BigIP) + + p, err := client.GetLtmCipherRule(name) + if err != nil { + return err + } + 
if p == nil { + return fmt.Errorf("Pool %s does not exist ", name) + } + + return nil + } +} + +func testCheckCipherRuleDestroyed(s *terraform.State) error { + client := testAccProvider.Meta().(*bigip.BigIP) + + for _, rs := range s.RootModule().Resources { + if rs.Type != "bigip_ltm_cipher_rule" { + continue + } + + name := rs.Primary.ID + pool, err := client.GetLtmCipherRule(name) + if err != nil { + return err + } + if pool != nil { + return fmt.Errorf("Cipher rule %s not destroyed ", name) + } + } + return nil +} diff --git a/docs/resources/bigip_ltm_cipher_group.md b/docs/resources/bigip_ltm_cipher_group.md new file mode 100644 index 000000000..4c157fb29 --- /dev/null +++ b/docs/resources/bigip_ltm_cipher_group.md 
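Review bot: The new acceptance test only asserts `name`, so it would not notice a Read that fails to refresh `cipher` into state; adding `resource.TestCheckResourceAttr("bigip_ltm_cipher_rule.test-cipher-rule", "cipher", "aes"),` beside the existing check makes the test exercise the attribute this resource exists to manage. The helpers also carry copy-paste residue from a pool test — `testCheckCipherRuleExists` reports `Pool %s does not exist ` and `testCheckCipherRuleDestroyed` names its result `pool`; `return fmt.Errorf("cipher rule %s does not exist", name)` and a `rule` local read correctly, and Go error strings are conventionally lowercase without trailing whitespace.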
@@ -0,0 +1,40 @@ +--- +layout: "bigip" +page_title: "BIG-IP: bigip_ltm_cipher_rule" +subcategory: "Local Traffic Manager(LTM)" +description: |- +Provides details about bigip_ltm_cipher_rule resource +--- + +# bigip\_ltm\_cipher\_group + +`bigip_ltm_cipher_group` Manages F5 BIG-IP LTM cipher group using iControl REST. + +## Example Usage + +```hcl +resource "bigip_ltm_cipher_group" "test-cipher-group" { + name = "/Common/test-cipher-group-01" + allow = ["/Common/f5-aes"] + require = ["/Common/f5-quic"] + ordering = "speed" +} +``` + +## Argument Reference + +* `name` - (Required,type `string`) Name of the Cipher group. Name should be in pattern `partition` + `cipher_group_name` + +* `allow` - (Optional,type `list` of `strings` ) Specifies the configuration of the allowed groups of ciphers. You can select a cipher rule from the Available Cipher Rules list. + +* `require` - (Optional,type `list` of `string`) Specifies the configuration of the restrict groups of ciphers. You can select a cipher rule from the Available Cipher Rules list. + +* `ordering` - (Optional,type `string`) Controls the order of the Cipher String list in the Cipher Audit section. Options are Default, Speed, Strength, FIPS, and Hardware. The rules are processed in the order listed. + +## Importing +An existing cipher group can be imported into this resource by supplying the cipher rule full path name ex : `/partition/name` +An example is below: +```sh +$ terraform import bigip_ltm_cipher_group.test_cipher_group /Common/test_cipher_group + +``` \ No newline at end of file diff --git a/docs/resources/bigip_ltm_cipher_rule.md b/docs/resources/bigip_ltm_cipher_rule.md index d400f52e5..78c5d2b1f 100644 --- a/docs/resources/bigip_ltm_cipher_rule.md +++ b/docs/resources/bigip_ltm_cipher_rule.md 
@@ -7,16 +7,14 @@ description: |- --- # bigip\_ltm\_cipher\_rule - -`bigip_ltm_cipher_rule` Manages F5 BIG-IP LTM cipher rule via iControl REST API. +`bigip_ltm_cipher_rule` Manages F5 BIG-IP LTM cipher rule using iControl REST. ## Example Usage ```hcl resource "bigip_ltm_cipher_rule" "test_cipher_rule" { - name = "test_cipher_rule" - partition = "Uncommon" - cipher_suites = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384" + name = "/Common/test_cipher_rule" + cipher = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384" dh_groups = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096" signature_algorithms = "DEFAULT" } 
@@ -24,24 +22,19 @@ resource "bigip_ltm_cipher_rule" "test_cipher_rule" { ## Argument Reference -* `name` - (Required,type `string`) Name of the Cipher Rule. +* `name` - (Required,type `string`) Name of the Cipher Rule. Name should be in pattern `partition` + `cipher_rule_name` -* `partition` - (Optional,type `string`) The Partition in which the Cipher Rule will be created. +* `description` - (Optional,type `string`) The Partition in which the Cipher Rule will be created. -* `cipher_suites` - (Required,type `string`) This is a colon (:) separated string of cipher suites. example, `TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384`. The default value for this attribute is `DEFAULT`. +* `cipher` - (Required,type `string`) Specifies one or more Cipher Suites used,this is a colon (:) separated string of cipher suites. example, `TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384`. * `dh_groups` - (Optional,type `string`) Specifies the DH Groups algorithms, separated by colons (:). * `signature_algorithms` - (Optional,type `string`) Specifies the Signature Algorithms, separated by colons (:). -## Read-Only - -* `full_path` - (String) The full path of the cipher rule, e.g. /Common/test_cipher_rule. - ## Importing -An existing cipher rule can be imported into this resource by supplying the cipher rule's `full path` as `id`. +An existing cipher rule can be imported into this resource by supplying the cipher rule full path name ex : `/partition/name` An example is below: ```sh $ terraform import bigip_ltm_cipher_rule.test_cipher_rule /Common/test_cipher_rule - -``` +``` \ No newline at end of file diff --git a/vendor/github.com/f5devcentral/go-bigip/ltm.go b/vendor/github.com/f5devcentral/go-bigip/ltm.go index 8a664f0d1..4e57c326f 100644 --- a/vendor/github.com/f5devcentral/go-bigip/ltm.go +++ b/vendor/github.com/f5devcentral/go-bigip/ltm.go 
@@ -1900,6 +1900,7 @@ const (
 uriPool = "pool"
 uriPoolMember = "members"
 uriProfile = "profile"
+ uriCipher = "cipher"
 uriServerSSL = "server-ssl"
 uriClientSSL = "client-ssl"
 uriVirtual = "virtual"
@@ -1936,7 +1937,6 @@ const (
 uriSSL = "ssl"
 uriUniversal = "universal"
 uriCreateDraft = "?options=create-draft"
- uriCipher = "cipher"
 uriRule = "rule"
 )
@@ -3929,25 +3929,31 @@ func (b *BigIP) ModifyHttpCompressionProfile(name string, config *HttpCompressio return b.put(config, uriLtm, uriProfile, uriHttpcompress, name) } -func (b *BigIP) CreateCipherRule(cipherRule *CipherRule) error { - return b.post(cipherRule, uriLtm, uriCipher, uriRule) +type CipherRuleReq struct { + Name string `json:"name,omitempty"` + Partition string `json:"partition,omitempty"` + FullPath string `json:"fullPath,omitempty"` + Cipher string `json:"cipher,omitempty"` + Description string `json:"description,omitempty"` + DhGroups string `json:"dhGroups,omitempty"` + SignatureAlgorithms string `json:"signatureAlgorithms,omitempty"` } -func (b *BigIP) ModifyCipherRule(cipherRule *CipherRule) error { - modifyPath := fmt.Sprintf("~%s~%s", cipherRule.Partition, cipherRule.Name) - return b.patch(cipherRule, uriLtm, uriCipher, uriRule, modifyPath) +func (b *BigIP) AddLtmCipherRule(config *CipherRuleReq) error { + return b.post(config, uriLtm, uriCipher, "rule") } -func (b *BigIP) DeleteCipherRule(name, partition string) error { - deletePath := fmt.Sprintf("~%s~%s", partition, name) - return b.delete(uriLtm, uriCipher, uriRule, deletePath) +func (b *BigIP) ModifyLtmCipherRule(name string, config *CipherRuleReq) error { + return b.put(config, uriLtm, uriCipher, "rule", name) } -func (b *BigIP) GetCipherRule(name, partition string) (*CipherRule, error) { - cipherRule := &CipherRule{} - fullPath := fmt.Sprintf("~%s~%s", partition, name) - log.Printf("-------------------fullPath: %s--------------------", fullPath) - err, ok := b.getForEntity(&cipherRule, uriLtm, uriCipher, uriRule, fullPath) +func (b *BigIP) DeleteLtmCipherRule(name string) error { + return b.delete(uriLtm, uriCipher, "rule", name) +} + +func (b *BigIP) GetLtmCipherRule(name string) (*CipherRuleReq, error) { + var cipherRule CipherRuleReq + err, ok := b.getForEntity(&cipherRule, uriLtm, uriCipher, "rule", name) if err != nil { return nil, err } 
@@ -3955,6 +3961,49 @@ func (b *BigIP) GetCipherRule(name, partition string) (*CipherRule, error) { if !ok { return nil, nil } + return &cipherRule, nil +} + +// +//type PolicyRule struct { +//Name string `json:"name,omitempty"` +//Partition string `json:"partition,omitempty"` +//NameReference struct { +//Link string `json:"link,omitempty"` +//} `json:"nameReference,omitempty"` +//} + +type CipherGroupReq struct { + Name string `json:"name,omitempty"` + Partition string `json:"partition,omitempty"` + FullPath string `json:"fullPath,omitempty"` + Ordering string `json:"ordering,omitempty"` + Allow []interface{} `json:"allow,omitempty"` + Require []interface{} `json:"require,omitempty"` +} - return cipherRule, nil +func (b *BigIP) AddLtmCipherGroup(config *CipherGroupReq) error { + return b.post(config, uriLtm, uriCipher, "group") } + +func (b *BigIP) ModifyLtmCipherGroup(name string, config *CipherGroupReq) error { + return b.put(config, uriLtm, uriCipher, "group", name) +} + +func (b *BigIP) DeleteLtmCipherGroup(name string) error { + return b.delete(uriLtm, uriCipher, "group", name) +} + +func (b *BigIP) GetLtmCipherGroup(name string) (*CipherGroupReq, error) { + var cipherGroup CipherGroupReq + err, ok := b.getForEntity(&cipherGroup, uriLtm, uriCipher, "group", name) + if err != nil { + return nil, err + } + + if !ok { + return nil, nil + } + + return &cipherGroup, nil +} \ No newline at end of file From 72c12b6073e26a10c90c5d849ef27f0c586a580a Mon Sep 17 00:00:00 2001 From: chinthalapalli Date: Fri, 29 Sep 2023 16:00:04 +0530 Subject: [PATCH 8/8] adding vendor sync changes --- bigip/resource_bigip_ltm_cipher_group.go | 44 ++++++++++++++----- bigip/resource_bigip_ltm_cipher_group_test.go | 6 ++- bigip/resource_bigip_ltm_cipher_rule.go | 17 +++---- bigip/resource_bigip_ltm_cipher_rule_test.go | 7 +-- go.mod | 4 +- go.sum | 9 ++-- vendor/modules.txt | 6 +-- 7 files changed, 56 insertions(+), 37 deletions(-) 
diff --git a/bigip/resource_bigip_ltm_cipher_group.go b/bigip/resource_bigip_ltm_cipher_group.go index e2de11a60..cba80377b 100644 --- a/bigip/resource_bigip_ltm_cipher_group.go +++ b/bigip/resource_bigip_ltm_cipher_group.go @@ -7,10 +7,15 @@ package bigip import ( "context" "fmt" + "log" + "os" + "strings" + bigip "github.com/f5devcentral/go-bigip" + "github.com/f5devcentral/go-bigip/f5teem" + "github.com/google/uuid" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "log" ) func resourceBigipLtmCipherGroup() *schema.Resource { @@ -67,15 +72,32 @@ func resourceBigipLtmCipherGroupCreate(ctx context.Context, d *schema.ResourceDa cipherGrouptmp := &bigip.CipherGroupReq{} cipherGrouptmp.Name = name - cipherGroup, err := getCipherGroupConfig(d, cipherGrouptmp) - if err != nil { - return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err)) - } + cipherGroup := getCipherGroupConfig(d, cipherGrouptmp) + log.Printf("[INFO] cipherGroup config :%+v", cipherGroup) - err = client.AddLtmCipherGroup(cipherGroup) + err := client.AddLtmCipherGroup(cipherGroup) if err != nil { return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err)) } + if !client.Teem { + id := uuid.New() + uniqueID := id.String() + assetInfo := f5teem.AssetInfo{ + Name: "Terraform-provider-bigip", + Version: client.UserAgent, + Id: uniqueID, + } + apiKey := os.Getenv("TEEM_API_KEY") + teemDevice := f5teem.AnonymousClient(assetInfo, apiKey) + f := map[string]interface{}{ + "Terraform Version": client.UserAgent, + } + tsVer := strings.Split(client.UserAgent, "/") + err = teemDevice.Report(f, "bigip_ltm_cipher_group", tsVer[3]) + if err != nil { + log.Printf("[ERROR]Sending Telemetry data failed:%v", err) + } + } d.SetId(name) return resourceBigipLtmCipherGroupRead(ctx, d, meta) } 
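Review bot: The error returned from `AddLtmCipherGroup` in `resourceBigipLtmCipherGroupCreate` still reads `error creating cipher rule (%s)`; this is the cipher group resource, so `return diag.FromErr(fmt.Errorf("error creating cipher group (%s): %w", name, err))`. In the new telemetry block, `tsVer[3]` indexes the result of `strings.Split(client.UserAgent, "/")` without a length check; unless `client.UserAgent` is guaranteed to carry at least four `/`-separated fields, a shorter user agent turns a best-effort telemetry report into an index-out-of-range panic in the middle of create, after the object already exists on the device — a `if len(tsVer) > 3` guard around the `Report` call keeps telemetry from ever breaking the apply. The cipher rule Create uses the same pattern outside this hunk.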
@@ -101,10 +123,8 @@ func resourceBigipLtmCipherGroupUpdate(ctx context.Context, d *schema.ResourceDa name := d.Id() cipherGrouptmp := &bigip.CipherGroupReq{} cipherGrouptmp.Name = name - cipherGroupconfig, err := getCipherGroupConfig(d, cipherGrouptmp) - if err != nil { - return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err)) - } + cipherGroupconfig := getCipherGroupConfig(d, cipherGrouptmp) + if err := client.ModifyLtmCipherGroup(name, cipherGroupconfig); err != nil { return diag.FromErr(fmt.Errorf("error modifying cipher group %s: %v", name, err)) } @@ -127,7 +147,7 @@ func resourceBigipLtmCipherGroupDelete(ctx context.Context, d *schema.ResourceDa return nil } -func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroupReq) (*bigip.CipherGroupReq, error) { +func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroupReq) *bigip.CipherGroupReq { cipherGroup.Ordering = d.Get("ordering").(string) if p, ok := d.GetOk("allow"); ok { for _, r := range p.(*schema.Set).List() { @@ -139,5 +159,5 @@ func getCipherGroupConfig(d *schema.ResourceData, cipherGroup *bigip.CipherGroup cipherGroup.Require = append(cipherGroup.Require, r.(string)) } } - return cipherGroup, nil + return cipherGroup } diff --git a/bigip/resource_bigip_ltm_cipher_group_test.go b/bigip/resource_bigip_ltm_cipher_group_test.go index 094c0a0da..29edbf4b0 100644 --- a/bigip/resource_bigip_ltm_cipher_group_test.go +++ b/bigip/resource_bigip_ltm_cipher_group_test.go @@ -17,8 +17,10 @@ import ( const testCipherGroupConfigTC1 = ` resource "bigip_ltm_cipher_group" "test-cipher-group" { - name = "/Common/test-cipher-group-01" - //cipher = "aes" + name = "/Common/test-cipher-group-01" + allow = ["/Common/f5-aes"] + require = ["/Common/f5-quic"] + ordering = "speed" } ` diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go index 796325a93..9bfbb24b3 100644 --- a/bigip/resource_bigip_ltm_cipher_rule.go 
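Review bot: `getCipherGroupConfig` fills `Require` (and, from the surrounding code, presumably `Allow`) with `append` on the struct it is handed rather than assigning fresh slices, so its output depends on what the caller passed in; both visible callers pass a brand-new `CipherGroupReq`, but a caller that reused one would send duplicated entries to the device. Now that the function cannot fail, handing back the same pointer it received is also redundant — either document the mutation, `// getCipherGroupConfig populates cipherGroup's Ordering, Allow and Require from d and returns the same pointer.`, or drop the return and let callers use `cipherGrouptmp` directly. The loop over `allow` lies between the two hunks and is not visible here.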
+++ b/bigip/resource_bigip_ltm_cipher_rule.go @@ -67,12 +67,10 @@ func resourceBigipLtmCipherRuleCreate(ctx context.Context, d *schema.ResourceDat cipherRuletmp := &bigip.CipherRuleReq{} cipherRuletmp.Name = name - cipherRule, err := getCipherRuleConfig(d, cipherRuletmp) - if err != nil { - return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err)) - } + cipherRule := getCipherRuleConfig(d, cipherRuletmp) + log.Printf("[INFO] cipherRule config :%+v", cipherRule) - err = client.AddLtmCipherRule(cipherRule) + err := client.AddLtmCipherRule(cipherRule) if err != nil { return diag.FromErr(fmt.Errorf("error creating cipher rule (%s): %s", name, err)) } @@ -123,10 +121,7 @@ func resourceBigipLtmCipherRuleUpdate(ctx context.Context, d *schema.ResourceDat name := d.Id() cipherRuletmp := &bigip.CipherRuleReq{} cipherRuletmp.Name = name - cipheRuleconfig, err := getCipherRuleConfig(d, cipherRuletmp) - if err != nil { - return diag.FromErr(fmt.Errorf("reading input config failed(%s): %s", name, err)) - } + cipheRuleconfig := getCipherRuleConfig(d, cipherRuletmp) if err := client.ModifyLtmCipherRule(name, cipheRuleconfig); err != nil { return diag.FromErr(fmt.Errorf("error modifying cipher rule %s: %v", name, err)) } @@ -145,10 +140,10 @@ func resourceBigipLtmCipherRuleDelete(ctx context.Context, d *schema.ResourceDat d.SetId("") return nil } -func getCipherRuleConfig(d *schema.ResourceData, cipherRule *bigip.CipherRuleReq) (*bigip.CipherRuleReq, error) { +func getCipherRuleConfig(d *schema.ResourceData, cipherRule *bigip.CipherRuleReq) *bigip.CipherRuleReq { cipherRule.Cipher = d.Get("cipher").(string) cipherRule.DhGroups = d.Get("dh_groups").(string) cipherRule.SignatureAlgorithms = d.Get("signature_algorithms").(string) cipherRule.Description = d.Get("description").(string) - return cipherRule, nil + return cipherRule } 
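Review bot: `getCipherRuleConfig` has no doc comment, and now that it cannot fail, returning the pointer it was given is redundant since both callers already hold `cipherRuletmp`. A one-liner such as `// getCipherRuleConfig copies cipher, dh_groups, signature_algorithms and description from d onto cipherRule and returns that same pointer.` tells a reader it mutates its argument. It is also worth stating there that Optional attributes left unset arrive as `""` and are dropped from the request body by the `omitempty` tags on `CipherRuleReq`, presumably leaving the device-side value in place — that is the only thing that makes omitting `dh_groups`/`signature_algorithms` behave sensibly.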
diff --git a/bigip/resource_bigip_ltm_cipher_rule_test.go b/bigip/resource_bigip_ltm_cipher_rule_test.go index 0382d4781..5e1bb1da0 100644 --- a/bigip/resource_bigip_ltm_cipher_rule_test.go +++ b/bigip/resource_bigip_ltm_cipher_rule_test.go @@ -2,16 +2,17 @@ package bigip import ( "fmt" + "testing" + bigip "github.com/f5devcentral/go-bigip" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - "testing" ) const testCipherRuleConfigTC1 = ` resource "bigip_ltm_cipher_rule" "test-cipher-rule" { - name = "/Common/test-cipher-rule" - cipher = "aes" + name = "/Common/test-cipher-rule" + cipher = "aes" } ` diff --git a/go.mod b/go.mod index 7072b3ca0..4bfe8550d 100644 --- a/go.mod +++ b/go.mod @@ -10,8 +10,8 @@ require ( github.com/Azure/azure-storage-blob-go v0.13.0 github.com/Azure/go-autorest/autorest v0.11.18 github.com/Azure/go-autorest/autorest/adal v0.9.13 - github.com/f5devcentral/go-bigip v0.0.0-20230825175646-ebe63e33298c - github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230825175646-ebe63e33298c + github.com/f5devcentral/go-bigip v0.0.0-20230929101300-4ca00e7ed5fc + github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230929101300-4ca00e7ed5fc github.com/google/uuid v1.3.0 github.com/hashicorp/terraform-plugin-sdk/v2 v2.25.0 github.com/stretchr/testify v1.8.4 diff --git a/go.sum b/go.sum index c068f41d0..fe532442b 100644 --- a/go.sum +++ b/go.sum 
@@ -480,10 +480,10 @@ github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= -github.com/f5devcentral/go-bigip v0.0.0-20230825175646-ebe63e33298c h1:T9+v2O4pFkDjASOoPhSOoBKU5BhqIDg1ndZg1sGjLxs= -github.com/f5devcentral/go-bigip v0.0.0-20230825175646-ebe63e33298c/go.mod h1:JZj/iVxDmEnGPyEwuNj7x0fuH2CtUBbD2J48MMp/SE8= -github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230825175646-ebe63e33298c h1:CxHMUixpOiK00IvO1ql2hEa5QPLfiV+/zy/izf98eGM= -github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230825175646-ebe63e33298c/go.mod h1:r7o5I22EvO+fps2u10bz4ZUlTlNHopQSWzVcW19hK3U= +github.com/f5devcentral/go-bigip v0.0.0-20230929101300-4ca00e7ed5fc h1:jWmvlICHswmQEL4qUc6CxIsQy2Guxwk4uE6jJWiE5/o= +github.com/f5devcentral/go-bigip v0.0.0-20230929101300-4ca00e7ed5fc/go.mod h1:0Lkr0fBU6O1yBxF2mt9JFwXpaFbIb/wAY7oM3dMJDdA= +github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230929101300-4ca00e7ed5fc h1:tlODenRp43vLPGE20j+fgrDPNNH2MJ6HyqDcLKjYOmo= +github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230929101300-4ca00e7ed5fc/go.mod h1:r7o5I22EvO+fps2u10bz4ZUlTlNHopQSWzVcW19hK3U= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 
@@ -749,6 +749,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= diff --git a/vendor/modules.txt b/vendor/modules.txt index 2a2336c5f..d98666a43 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -42,10 +42,10 @@ github.com/apparentlymart/go-textseg/v13/textseg # github.com/davecgh/go-spew v1.1.1 ## explicit github.com/davecgh/go-spew/spew -# github.com/f5devcentral/go-bigip v0.0.0-20230825175646-ebe63e33298c -## explicit +# github.com/f5devcentral/go-bigip v0.0.0-20230929101300-4ca00e7ed5fc +## explicit; go 1.20 github.com/f5devcentral/go-bigip -# github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230825175646-ebe63e33298c +# github.com/f5devcentral/go-bigip/f5teem v0.0.0-20230929101300-4ca00e7ed5fc ## explicit; go 1.13 github.com/f5devcentral/go-bigip/f5teem # github.com/fatih/color v1.13.0