F5Networks · RavinderReddyF5 · Oct 11, 2023 · Oct 3, 2023 · Oct 4, 2023 · Oct 4, 2023
diff --git a/bigip/provider.go b/bigip/provider.go
@@ -139,6 +139,7 @@ func Provider() *schema.Provider {
 			"bigip_sys_dns":                         resourceBigipSysDns(),
 			"bigip_sys_iapp":                        resourceBigipSysIapp(),
 			"bigip_sys_ntp":                         resourceBigipSysNtp(),
+			"bigip_sys_ocsp":                        resourceBigipSysOcsp(),
 			"bigip_sys_provision":                   resourceBigipSysProvision(),
 			"bigip_sys_snmp":                        resourceBigipSysSnmp(),
 			"bigip_sys_snmp_traps":                  resourceBigipSysSnmpTraps(),

diff --git a/bigip/resource_bigip_ltm_cipher_group.go b/bigip/resource_bigip_ltm_cipher_group.go
@@ -113,7 +113,18 @@ func resourceBigipLtmCipherGroupRead(ctx context.Context, d *schema.ResourceData
 	}
 	_ = d.Set("name", cipherGroup.FullPath)
 	_ = d.Set("ordering", cipherGroup.Ordering)
-	log.Printf("[INFO] Cipher group response :%+v", cipherGroup)
+	var allowList []interface{}
+	for _, val := range cipherGroup.Allow {
+		tmpCipher := fmt.Sprintf("/%s/%s", val.(map[string]interface{})["partition"].(string), val.(map[string]interface{})["name"].(string))
+		allowList = append(allowList, tmpCipher)
+	}
+	_ = d.Set("allow", allowList)
+	var requireList []interface{}
+	for _, val := range cipherGroup.Require {
+		tmpCipher := fmt.Sprintf("/%s/%s", val.(map[string]interface{})["partition"].(string), val.(map[string]interface{})["name"].(string))
+		requireList = append(requireList, tmpCipher)
+	}
+	_ = d.Set("require", requireList)
 	return nil
 }
 

diff --git a/bigip/resource_bigip_ltm_cipher_rule.go b/bigip/resource_bigip_ltm_cipher_rule.go
@@ -48,11 +48,13 @@ func resourceBigipLtmCipherRule() *schema.Resource {
 			"dh_groups": {
 				Type:        schema.TypeString,
 				Optional:    true,
+				Computed:    true,
 				Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
 			},
 			"signature_algorithms": {
 				Type:        schema.TypeString,
 				Optional:    true,
+				Computed:    true,
 				Description: "Specifies the Signature Algorithms, separated by colons (:), that you want to include in the cipher rule. You can also type a special keyword, DEFAULT, which represents the recommended set of signature algorithms",
 			},
 		},
@@ -108,9 +110,8 @@ func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 	log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
-	_ = d.Set("name", cipherRule.Name)
-	_ = d.Set("partition", cipherRule.Partition)
-	_ = d.Set("cipher_suites", cipherRule.Cipher)
+	_ = d.Set("name", cipherRule.FullPath)
+	_ = d.Set("cipher", cipherRule.Cipher)
 	_ = d.Set("dh_groups", cipherRule.DhGroups)
 	_ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms)
 	return nil

diff --git a/bigip/resource_bigip_ltm_profile_http.go b/bigip/resource_bigip_ltm_profile_http.go
@@ -166,9 +166,10 @@ func resourceBigipLtmProfileHttp() *schema.Resource {
 				Description: "Specifies how the system handles HTTP content that is chunked by a server. The default is Selective",
 			},
 			"server_agent_name": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
+				Type:     schema.TypeString,
+				Optional: true,
+				// Computed:    true,
+				Default:     "BigIP",
 				Description: "Specifies the value of the Server header in responses that the BIG-IP itself generates. The default is BigIP. If no string is specified, then no Server header will be added to such responses",
 			},
 			"via_host_name": {
@@ -197,6 +198,72 @@ func resourceBigipLtmProfileHttp() *schema.Resource {
 				Computed:    true,
 				Description: "Specifies alternative XFF headers instead of the default X-forwarded-for header",
 			},
+			"http_strict_transport_security": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"include_subdomains": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Default:     "enabled",
+							Description: "Specifies whether to include the includeSubdomains directive in the HSTS header.",
+						},
+						"maximum_age": {
+							Type:        schema.TypeInt,
+							Optional:    true,
+							Default:     16070400,
+							Description: "Specifies the maximum age to assume the connection should remain secure.",
+						},
+						"mode": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Default:     "disabled",
+							Description: "Specifies whether to include the HSTS response header.",
+						},
+						"preload": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Default:     "disabled",
+							Description: "Specifies whether to include the preload directive in the HSTS header.",
+						},
+					},
+				},
+			},
+			"enforcement": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"known_methods": {
+							Type:        schema.TypeList,
+							Computed:    true,
+							Elem:        &schema.Schema{Type: schema.TypeString},
+							Optional:    true,
+							Description: "Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list will cause the HTTP filter to not recognize them.",
+						},
+						"max_header_count": {
+							Type:        schema.TypeInt,
+							Optional:    true,
+							Default:     64,
+							Description: "Specifies the maximum number of headers allowed in HTTP request/response.",
+						},
+						"max_header_size": {
+							Type:        schema.TypeInt,
+							Optional:    true,
+							Default:     32768,
+							Description: "Specifies the maximum header size.",
+						},
+						"unknown_method": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Default:     "allow",
+							Description: "Specifies whether to allow, reject or switch to pass-through mode when an unknown HTTP method is parsed.",
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -325,6 +392,37 @@ func resourceBigipLtmProfileHttpRead(ctx context.Context, d *schema.ResourceData
 	}
 	_ = d.Set("xff_alternative_names", pp.XffAlternativeNames)
 
+	var enforcementList []interface{}
+	enforcement := make(map[string]interface{})
+	enforcement["max_header_count"] = pp.Enforcement.MaxHeaderCount
+	enforcement["max_header_size"] = pp.Enforcement.MaxHeaderSize
+	enforcement["unknown_method"] = pp.Enforcement.UnknownMethod
+
+	if p, ok := d.GetOk("enforcement"); ok {
+		for _, r := range p.(*schema.Set).List() {
+			if len(r.(map[string]interface{})["known_methods"].([]interface{})) != 0 {
+				enforcement["known_methods"] = pp.Enforcement.KnownMethods
+			}
+		}
+	}
+
+	enforcementList = append(enforcementList, enforcement)
+
+	if _, ok := d.GetOk("enforcement"); ok {
+		_ = d.Set("enforcement", enforcementList)
+	}
+
+	var hstsList []interface{}
+	hsts := make(map[string]interface{})
+	hsts["include_subdomains"] = pp.Hsts.IncludeSubdomains
+	hsts["maximum_age"] = pp.Hsts.MaximumAge
+	hsts["mode"] = pp.Hsts.Mode
+	hsts["preload"] = pp.Hsts.Preload
+
+	hstsList = append(hstsList, hsts)
+	if _, ok := d.GetOk("http_strict_transport_security"); ok {
+		_ = d.Set("http_strict_transport_security", hstsList)
+	}
 	return nil
 }
 
@@ -337,6 +435,7 @@ func resourceBigipLtmProfileHttpUpdate(ctx context.Context, d *schema.ResourceDa
 		Name: name,
 	}
 	config := getHttpProfileConfig(d, pss)
+
 	err := client.ModifyHttpProfile(name, config)
 
 	if err != nil {
@@ -387,5 +486,28 @@ func getHttpProfileConfig(d *schema.ResourceData, config *bigip.HttpProfile) *bi
 	config.ViaRequest = d.Get("via_request").(string)
 	config.ViaResponse = d.Get("via_response").(string)
 	config.XffAlternativeNames = setToInterfaceSlice(d.Get("xff_alternative_names").(*schema.Set))
+	config.LwsWidth = d.Get("lws_width").(int)
+	p := d.Get("http_strict_transport_security")
+
+	for _, r := range p.(*schema.Set).List() {
+		config.Hsts.IncludeSubdomains = r.(map[string]interface{})["include_subdomains"].(string)
+		config.Hsts.Mode = r.(map[string]interface{})["preload"].(string)
+		config.Hsts.Preload = r.(map[string]interface{})["mode"].(string)
+		config.Hsts.MaximumAge = r.(map[string]interface{})["maximum_age"].(int)
+	}
+
+	v := d.Get("enforcement")
+
+	for _, r := range v.(*schema.Set).List() {
+		var knownMethods []string
+		for _, val := range r.(map[string]interface{})["known_methods"].([]interface{}) {
+			knownMethods = append(knownMethods, val.(string))
+		}
+		config.Enforcement.KnownMethods = knownMethods
+		config.Enforcement.UnknownMethod = r.(map[string]interface{})["unknown_method"].(string)
+		config.Enforcement.MaxHeaderCount = r.(map[string]interface{})["max_header_count"].(int)
+		config.Enforcement.MaxHeaderSize = r.(map[string]interface{})["max_header_size"].(int)
+	}
+
 	return config
 }
diff --git a/bigip/resource_bigip_ltm_profile_http_test.go b/bigip/resource_bigip_ltm_profile_http_test.go
@@ -342,6 +342,87 @@ func TestAccBigipLtmProfileHttpUpdateEncryptCookies(t *testing.T) {
 	})
 }
 
+func TestAccBigipLtmProfileHttpUpdateEnforcement(t *testing.T) {
+	t.Parallel()
+	var instName = "test-http-Update-enforcement"
+	var instFullName = fmt.Sprintf("/%s/%s", TestPartition, instName)
+	resFullName := fmt.Sprintf("%s.%s", resHttpName, instName)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAcctPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckHttpsDestroyed,
+		Steps: []resource.TestStep{
+			{
+				Config: testaccbigipltmprofilehttpUpdateParam(instName, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(instFullName),
+					resource.TestCheckResourceAttr(resFullName, "name", instFullName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+				),
+			},
+			{
+				Config: testaccbigipltmprofilehttpUpdateParam(instName, "enforcement"),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(instFullName),
+					resource.TestCheckResourceAttr(resFullName, "name", instFullName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "CONNECT"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "DELETE"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "GET"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "HEAD"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "LOCK"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "POST"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "PROPFIND"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "PUT"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "TRACE"),
+					resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "UNLOCK"),
+					resource.TestCheckResourceAttr(resFullName, "enforcement.0.unknown_method", "allow"),
+					resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_count", "40"),
+					resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_size", "80"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccBigipLtmProfileHttpUpdateHSTS(t *testing.T) {
+	t.Parallel()
+	var instName = "test-http-Update-hsts"
+	var instFullName = fmt.Sprintf("/%s/%s", TestPartition, instName)
+	resFullName := fmt.Sprintf("%s.%s", resHttpName, instName)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAcctPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckHttpsDestroyed,
+		Steps: []resource.TestStep{
+			{
+				Config: testaccbigipltmprofilehttpUpdateParam(instName, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(instFullName),
+					resource.TestCheckResourceAttr(resFullName, "name", instFullName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+				),
+			},
+			{
+				Config: testaccbigipltmprofilehttpUpdateParam(instName, "hsts"),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckhttpExists(instFullName),
+					resource.TestCheckResourceAttr(resFullName, "name", instFullName),
+					resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.include_subdomains", "disabled"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.preload", "enabled"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.mode", "enabled"),
+					resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.maximum_age", "80"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccBigipLtmProfileHttpImport(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -469,6 +550,22 @@ func testaccbigipltmprofilehttpUpdateParam(instName, updateParam string) string
 	case "basic_auth_realm":
 		resPrefix = fmt.Sprintf(`%s
 			  basic_auth_realm = "titanic"`, resPrefix)
+	case "enforcement":
+		resPrefix = fmt.Sprintf(`%s
+			enforcement {
+				known_methods = ["CONNECT","DELETE","GET","HEAD","LOCK","OPTIONS","POST","PROPFIND","PUT","TRACE","UNLOCK"]
+				unknown_method = "allow"
+				max_header_count = 40
+				max_header_size = 80
+			}`, resPrefix)
+	case "hsts":
+		resPrefix = fmt.Sprintf(`%s
+				http_strict_transport_security {
+					include_subdomains = "disabled"
+					preload = "enabled"
+					mode = "enabled"
+					maximum_age = 80
+				}`, resPrefix)
 	default:
 	}
 	return fmt.Sprintf(`%s

diff --git a/bigip/resource_bigip_ltm_profile_ssl_client.go b/bigip/resource_bigip_ltm_profile_ssl_client.go
@@ -328,6 +328,13 @@ func resourceBigipLtmProfileClientSsl() *schema.Resource {
 				Description: "ModSSL Methods enabled / disabled.  Default is disabled.",
 			},
 
+			"ocsp_stapling": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "disabled",
+				Description: "Specifies whether the system uses OCSP stapling.",
+			},
+
 			"tm_options": {
 				Type:     schema.TypeSet,
 				Elem:     &schema.Schema{Type: schema.TypeString},
@@ -686,6 +693,10 @@ func resourceBigipLtmProfileClientSSLRead(ctx context.Context, d *schema.Resourc
 		_ = d.Set("tm_options", tmOptions)
 	}
 
+	if _, ok := d.GetOk("ocsp_stapling"); ok {
+		_ = d.Set("ocsp_stapling", obj.OcspStapling)
+	}
+
 	if _, ok := d.GetOk("proxy_ca_cert"); ok {
 		_ = d.Set("proxy_ca_cert", obj.ProxyCaCert)
 	}
@@ -856,6 +867,7 @@ func getClientSslConfig(d *schema.ResourceData, config *bigip.ClientSSLProfile)
 	config.CaFile = d.Get("ca_file").(string)
 	config.CacheSize = d.Get("cache_size").(int)
 	config.CacheTimeout = d.Get("cache_timeout").(int)
+	config.OcspStapling = d.Get("ocsp_stapling").(string)
 	log.Printf("[DEBUG] Length of certKeyChains :%+v", len(certKeyChains))
 	log.Printf("[DEBUG] certKeyChains :%+v", certKeyChains)
 	if len(certKeyChains) == 0 {
@@ -873,8 +885,8 @@ func getClientSslConfig(d *schema.ResourceData, config *bigip.ClientSSLProfile)
 		config.Ciphers = ciphers.(string)
 		config.CipherGroup = "none"
 	}
-	if cipher_grp, ok := d.GetOk("cipher_group"); ok && cipher_grp != "none" {
-		config.CipherGroup = cipher_grp.(string)
+	if cipherGrp, ok := d.GetOk("cipher_group"); ok && cipherGrp != "none" {
+		config.CipherGroup = cipherGrp.(string)
 		config.Ciphers = "none"
 	}
 	config.ClientCertCa = d.Get("client_cert_ca").(string)

diff --git a/bigip/resource_bigip_ltm_profile_ssl_server.go b/bigip/resource_bigip_ltm_profile_ssl_server.go
@@ -493,8 +493,12 @@ func resourceBigipLtmProfileServerSslRead(ctx context.Context, d *schema.Resourc
 	_ = d.Set("ca_file", obj.CaFile)
 	_ = d.Set("cert", obj.Cert)
 	_ = d.Set("chain", obj.Chain)
-	_ = d.Set("ciphers", obj.Ciphers)
-	_ = d.Set("cipher_group", obj.CipherGroup)
+	if _, ok := d.GetOk("ciphers"); ok {
+		_ = d.Set("ciphers", obj.Ciphers)
+	}
+	if _, ok := d.GetOk("cipher_group"); ok {
+		_ = d.Set("cipher_group", obj.CipherGroup)
+	}
 	_ = d.Set("expire_cert_response_control", obj.ExpireCertResponseControl)
 	_ = d.Set("cache_size", obj.CacheSize)
 	_ = d.Set("handshake_timeout", obj.HandshakeTimeout)
@@ -637,8 +641,8 @@ func getServerSslConfig(d *schema.ResourceData, config *bigip.ServerSSLProfile)
 		config.Ciphers = ciphers.(string)
 		config.CipherGroup = "none"
 	}
-	if cipher_grp, ok := d.GetOk("cipher_group"); ok && cipher_grp != "none" {
-		config.CipherGroup = cipher_grp.(string)
+	if cipherGrp, ok := d.GetOk("cipher_group"); ok && cipherGrp != "none" {
+		config.CipherGroup = cipherGrp.(string)
 		config.Ciphers = "none"
 	}
 	config.ExpireCertResponseControl = d.Get("expire_cert_response_control").(string)