Added ACL Support to the Terraform Provider #64
Conversation
|
|
||
| func (r *AclResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) { | ||
| resp.Schema = schema.Schema{ | ||
| MarkdownDescription: "", |
|
|
||
| func (d *AclDataSource) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) { | ||
| resp.Schema = schema.Schema{ | ||
| MarkdownDescription: "", |
There was a problem hiding this comment.
You also need to add examples/resources/bloxone_dns_acl.tf and examples/data-sources/bloxone_dns_acls.tf
There was a problem hiding this comment.
Both files are added
docs/data-sources/dns_acls.md
Outdated
|
|
||
| # bloxone_dns_acls (Data Source) | ||
|
|
||
| Retrieves information about existing Authoritative DNS ACLs. |
There was a problem hiding this comment.
| Retrieves information about existing Authoritative DNS ACLs. | |
| Retrieves information about existing named Access Control Lists. |
There was a problem hiding this comment.
Ahh, my comment vanished. @mathewab Please add the suggested change in the corresponding service file. Would make it easier for the addressee. Just a thought :)
There was a problem hiding this comment.
Sure :) Will keep that in mind next time .
docs/resources/dns_acl.md
Outdated
|
|
||
| # bloxone_dns_acl (Resource) | ||
|
|
||
| Manages an Access Control List (ACL). |
There was a problem hiding this comment.
| Manages an Access Control List (ACL). | |
| Manages a named Access Control List (ACL). |
docs/resources/dns_auth_zone.md
Outdated
| resource "bloxone_dns_acl" "test" { | ||
| name = "test-acl" | ||
| } |
There was a problem hiding this comment.
Even though an empty ACL is possible, it is not useful. For our examples, it would be better to have an ACL with basic list, where the transfer_acl can follow the following order
deny any
allow acl 192.168.1.0/24
deny ip 192.168.1.1
allow tsig test-tsig.
There was a problem hiding this comment.
I see that you have removed the nested acl altogether. Sorry if I was not clear in my comments. We do want the nested ACL as well, but not a nested ACL that is empty. So the whole resource should look something like this
resource "bloxone_dns_auth_zone" "example" {
fqdn = "domain.com."
primary_type = "cloud"
# Other optional fields
comment = "Example of an Authoritative Zone"
tags = {
site = "Site A"
}
query_acl = [
{
access = "deny"
element = "ip"
address = "192.168.1.1"
},
{
element = "acl"
acl = bloxone_dns_acl.example_acl.id
},
{
access = "allow"
element = "tsig_key"
tsig_key = {
key = bloxone_keys_tsig.example_tsig.id
}
},
{
access = "deny"
element = "any"
},
]
update_acl = [
{
access = "allow"
element = "any"
},
]
transfer_acl = [
{
access = "allow"
element = "any"
},
]
}
resource "bloxone_keys_tsig" "example_tsig" {
name = "example_tsig.domain.com."
}
resource "bloxone_dns_acl" "example_acl" {
name = "example_acl"
elements = [
{
access = "deny"
element = "ip"
address = "192.168.1.0/24"
},
]
}
docs/resources/dns_auth_zone.md
Outdated
| resource "bloxone_dns_acl" "test" { | ||
| name = "test-acl" | ||
| } | ||
|
|
||
| resource "bloxone_dns_auth_zone" "example" { | ||
| fqdn = "example.com." |
There was a problem hiding this comment.
| fqdn = "example.com." | |
| fqdn = "domain.com." |
There was a problem hiding this comment.
I believe we should set standards for naming in the tf files. Maybe we can talk about this offline and come up with a standard.
docs/resources/dns_auth_zone.md
Outdated
| @@ -13,6 +13,14 @@ Manages an authoritative zone. | |||
| ## Example Usage | |||
|
|
|||
| ```terraform | |||
| resource "bloxone_keys_tsig" "test" { | |||
There was a problem hiding this comment.
Don't use "test" as name in the examples
| Check: resource.ComposeTestCheckFunc( | ||
| testAccCheckAuthZoneExists(context.Background(), resourceName, &v), | ||
| resource.TestCheckResourceAttr(resourceName, "transfer_acl.0.access", "deny"), | ||
| resource.TestCheckResourceAttr(resourceName, "transfer_acl.0.element", "tsig_key"), |
There was a problem hiding this comment.
Please add check to verify Tsig key ID as well.
Applies to all UTs
| Check: resource.ComposeTestCheckFunc( | ||
| testAccCheckAuthZoneExists(context.Background(), resourceName, &v), | ||
| resource.TestCheckResourceAttr(resourceName, "transfer_acl.0.element", "acl"), | ||
| ), |
There was a problem hiding this comment.
Please add check to verify ACL ID as well.
Applies to all UTs
| @@ -1,5 +1,9 @@ | |||
| resource "bloxone_keys_tsig" "example_tsig" { | |||
| name = "test-tsig." | |||
There was a problem hiding this comment.
| name = "test-tsig." | |
| name = "example_tsig.domain.com." |
There was a problem hiding this comment.
Modified as instructed !
docs/resources/dns_auth_zone.md
Outdated
| resource "bloxone_dns_acl" "test" { | ||
| name = "test-acl" | ||
| } |
There was a problem hiding this comment.
I see that you have removed the nested acl altogether. Sorry if I was not clear in my comments. We do want the nested ACL as well, but not a nested ACL that is empty. So the whole resource should look something like this
resource "bloxone_dns_auth_zone" "example" {
fqdn = "domain.com."
primary_type = "cloud"
# Other optional fields
comment = "Example of an Authoritative Zone"
tags = {
site = "Site A"
}
query_acl = [
{
access = "deny"
element = "ip"
address = "192.168.1.1"
},
{
element = "acl"
acl = bloxone_dns_acl.example_acl.id
},
{
access = "allow"
element = "tsig_key"
tsig_key = {
key = bloxone_keys_tsig.example_tsig.id
}
},
{
access = "deny"
element = "any"
},
]
update_acl = [
{
access = "allow"
element = "any"
},
]
transfer_acl = [
{
access = "allow"
element = "any"
},
]
}
resource "bloxone_keys_tsig" "example_tsig" {
name = "example_tsig.domain.com."
}
resource "bloxone_dns_acl" "example_acl" {
name = "example_acl"
elements = [
{
access = "deny"
element = "ip"
address = "192.168.1.0/24"
},
]
}
…r-bloxone into update_acl_type
No description provided.