Added ACL Support to the Terraform Provider #64

Merged
merged 10 commits into from
Feb 8, 2024
110 changes: 110 additions & 0 deletions docs/data-sources/dns_acls.md
@@ -0,0 +1,110 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "bloxone_dns_acls Data Source - terraform-provider-bloxone"
subcategory: "DNS"
description: |-
Retrieves information about existing Authoritative DNS ACLs.
---

# bloxone_dns_acls (Data Source)

Retrieves information about existing Authoritative DNS ACLs.
Collaborator

Suggested change
Retrieves information about existing Authoritative DNS ACLs.
Retrieves information about existing named Access Control Lists.

Collaborator

Ahh, my comment vanished. @mathewab Please add the suggested change in the corresponding service file. Would make it easier for the addressee. Just a thought :)

Collaborator

Sure :) Will keep that in mind next time.

Collaborator Author

Addressed


## Example Usage

```terraform
# Get DNS ACLs filtered by an attribute
data "bloxone_dns_acls" "example_by_attribute" {
filters = {
"name" = "example_acl"
}
}

# Get DNS ACLs filtered by tag
data "bloxone_dns_acls" "example_by_tag" {
tag_filters = {
site = "Site A"
}
}

# Get all DNS ACLs
data "bloxone_dns_acls" "example_all" {
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Optional

- `filters` (Map of String) Filter are used to return a more specific list of results. Filters can be used to match resources by specific attributes, e.g. name. If you specify multiple filters, the results returned will have only resources that match all the specified filters.
- `tag_filters` (Map of String) Tag Filters are used to return a more specific list of results filtered by tags. If you specify multiple filters, the results returned will have only resources that match all the specified filters.

### Read-Only

- `results` (Attributes List) (see [below for nested schema](#nestedatt--results))

<a id="nestedatt--results"></a>
### Nested Schema for `results`

Required:

- `name` (String) ACL object name.

Optional:

- `comment` (String) Optional. Comment for ACL.
- `list` (Attributes List) Optional. Ordered list of access control elements. Elements are evaluated in order to determine access. If evaluation reaches the end of the list then access is denied. (see [below for nested schema](#nestedatt--results--list))
- `tags` (Map of String) Tagging specifics.

Read-Only:

- `id` (String) The resource identifier.

<a id="nestedatt--results--list"></a>
### Nested Schema for `results.list`

Required:

- `element` (String) Type of element.

Allowed values:
* _any_
* _ip_
* _acl_
* _tsig_key_

Optional:

- `access` (String) Access permission for _element_.

Allowed values:
* _allow_
* _deny_

Must be empty if _element_ is _acl_.
- `acl` (String) The resource identifier.
- `address` (String) Optional. Data for _ip_ _element_. Must be empty if _element_ is not _ip_.
- `tsig_key` (Attributes) (see [below for nested schema](#nestedatt--results--list--tsig_key))

<a id="nestedatt--results--list--tsig_key"></a>
### Nested Schema for `results.list.tsig_key`

Required:

- `key` (String) The resource identifier.

Read-Only:

- `algorithm` (String) TSIG key algorithm.

Possible values:
* _hmac_sha256_
* _hmac_sha1_
* _hmac_sha224_
* _hmac_sha384_
* _hmac_sha512_
- `comment` (String) Comment for TSIG key.
- `name` (String) TSIG key name, FQDN.
- `protocol_name` (String) TSIG key name in punycode.
- `secret` (String, Sensitive) TSIG key secret, base64 string.
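Review bot: `secret` in the `results.list.tsig_key` nested schema is marked Sensitive, which only redacts it from plan and apply output; every read of this data source still writes the TSIG secret in clear to the Terraform state, so the attribute description should say that state must be protected accordingly. Also, the `filters` description reads "Filter are used" (should be "Filters are used"); this file is generated by tfplugindocs, so correct the description in the provider's schema rather than in the markdown.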
120 changes: 120 additions & 0 deletions docs/resources/dns_acl.md
@@ -0,0 +1,120 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "bloxone_dns_acl Resource - terraform-provider-bloxone"
subcategory: "DNS"
description: |-
Manages an Access Control List (ACL).
---

# bloxone_dns_acl (Resource)

Manages an Access Control List (ACL).
Collaborator

Suggested change
Manages an Access Control List (ACL).
Manages a named Access Control List (ACL).

Collaborator Author

Addressed


## Example Usage

```terraform
resource "bloxone_keys_tsig" "test" {
name = "test-tsig."
}

resource "bloxone_dns_acl" "test_acl" {
name = "test-acl"
}

resource "bloxone_dns_acl" "example_acl" {
name = "example_dns_acl"

# Other Optional fields
comment = "An example acl"
tags = {
site = "Site A"
}
list = [
{
access = "allow"
element = "ip"
address = "192.168.1.1"
},
{
access = "deny"
element = "any"
},
{
element = "acl"
acl = bloxone_dns_acl.test_acl.id
},
{
element = "tsig_key"
access = "deny"
tsig_key = {
key = bloxone_keys_tsig.test.id
}
}
]
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) ACL object name.

### Optional

- `comment` (String) Optional. Comment for ACL.
- `list` (Attributes List) Optional. Ordered list of access control elements. Elements are evaluated in order to determine access. If evaluation reaches the end of the list then access is denied. (see [below for nested schema](#nestedatt--list))
- `tags` (Map of String) Tagging specifics.

### Read-Only

- `id` (String) The resource identifier.

<a id="nestedatt--list"></a>
### Nested Schema for `list`

Required:

- `element` (String) Type of element.

Allowed values:
* _any_
* _ip_
* _acl_
* _tsig_key_

Optional:

- `access` (String) Access permission for _element_.

Allowed values:
* _allow_
* _deny_

Must be empty if _element_ is _acl_.
- `acl` (String) The resource identifier.
- `address` (String) Optional. Data for _ip_ _element_. Must be empty if _element_ is not _ip_.
- `tsig_key` (Attributes) (see [below for nested schema](#nestedatt--list--tsig_key))

<a id="nestedatt--list--tsig_key"></a>
### Nested Schema for `list.tsig_key`

Required:

- `key` (String) The resource identifier.

Read-Only:

- `algorithm` (String) TSIG key algorithm.

Possible values:
* _hmac_sha256_
* _hmac_sha1_
* _hmac_sha224_
* _hmac_sha384_
* _hmac_sha512_
- `comment` (String) Comment for TSIG key.
- `name` (String) TSIG key name, FQDN.
- `protocol_name` (String) TSIG key name in punycode.
- `secret` (String, Sensitive) TSIG key secret, base64 string.
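Review bot: in the Example Usage, `list` places `access = "deny"` / `element = "any"` as the second entry; since the `list` description states that elements are evaluated in order, the `acl` and `tsig_key` entries that follow it can never match. Move the `deny any` entry to the end (ip, acl, tsig_key, any) so the example shows a policy that actually exercises every element type, and note that with the catch-all omitted the documented default of denying at end-of-list applies anyway.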
41 changes: 41 additions & 0 deletions docs/resources/dns_auth_zone.md
@@ -13,6 +13,14 @@ Manages an authoritative zone.
## Example Usage

```terraform
resource "bloxone_keys_tsig" "test" {
Collaborator

Don't use "test" as a name in the examples

Collaborator Author

Addressed

name = "test-tsig."
}

resource "bloxone_dns_acl" "test" {
name = "test-acl"
}
Collaborator

@mathewab mathewab Feb 6, 2024

Even though an empty ACL is possible, it is not useful. For our examples, it would be better to have an ACL with a basic list, where the transfer_acl can follow this order:

deny any
allow acl 192.168.1.0/24
deny ip 192.168.1.1
allow tsig test-tsig.

Collaborator Author

Addressed

Collaborator

I see that you have removed the nested acl altogether. Sorry if I was not clear in my comments. We do want the nested ACL as well, but not a nested ACL that is empty. So the whole resource should look something like this:

```terraform
resource "bloxone_dns_auth_zone" "example" {
  fqdn         = "domain.com."
  primary_type = "cloud"

  # Other optional fields
  comment = "Example of an Authoritative Zone"
  tags = {
    site = "Site A"
  }
  query_acl = [
    {
      access  = "deny"
      element = "ip"
      address = "192.168.1.1"
    },
    {
      element = "acl"
      acl     = bloxone_dns_acl.example_acl.id
    },
    {
      access   = "allow"
      element  = "tsig_key"
      tsig_key = {
        key = bloxone_keys_tsig.example_tsig.id
      }
    },
    {
      access  = "deny"
      element = "any"
    },
  ]
  update_acl = [
    {
      access  = "allow"
      element = "any"
    },
  ]
  transfer_acl = [
    {
      access  = "allow"
      element = "any"
    },
  ]
}

resource "bloxone_keys_tsig" "example_tsig" {
  name = "example_tsig.domain.com."
}

resource "bloxone_dns_acl" "example_acl" {
  name = "example_acl"
  # the attribute is named `list` in this PR's bloxone_dns_acl schema
  list = [
    {
      access  = "deny"
      element = "ip"
      address = "192.168.1.0/24"
    },
  ]
}
```


resource "bloxone_dns_auth_zone" "example" {
fqdn = "example.com."
Collaborator

Suggested change
fqdn = "example.com."
fqdn = "domain.com."

Collaborator

I believe we should set standards for naming in the tf files. Maybe we can talk about this offline and come up with a standard.

Collaborator Author

Fixed

primary_type = "cloud"
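Review bot: on the suggested change of `fqdn = "example.com."` to `"domain.com."` in this hunk: `example.com` is reserved by IANA for documentation (RFC 2606) and will never be delegated to an operator, whereas `domain.com` is a live registered domain, so keep `example.com.` here (and derive the TSIG key name from it, e.g. `example_tsig.example.com.`) and make that the naming standard the thread proposes to agree on.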
@@ -31,6 +39,17 @@ resource "bloxone_dns_auth_zone" "example" {
{
access = "deny"
element = "any"
},
{
element = "acl"
acl = bloxone_dns_acl.test.id
},
{
element = "tsig_key"
access = "deny"
tsig_key = {
key = bloxone_keys_tsig.test.id
}
}
]
update_acl = [
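Review bot: the `acl` and `tsig_key` elements added in this hunk are appended after the existing `access = "deny"` / `element = "any"` entry; because ACL elements are evaluated in order (per the `list` description in `docs/resources/dns_acl.md`), nothing after a `deny any` can ever be reached, so the new entries are dead. Insert them before the catch-all, as in the order proposed in the review thread (ip, acl, tsig_key, then `deny any`).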
@@ -42,6 +61,17 @@ resource "bloxone_dns_auth_zone" "example" {
{
access = "deny"
element = "any"
},
{
element = "acl"
acl = bloxone_dns_acl.test.id
},
{
element = "tsig_key"
access = "deny"
tsig_key = {
key = bloxone_keys_tsig.test.id
}
}
]
query_acl = [
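Review bot: the `acl` element here references `bloxone_dns_acl.test`, which is declared earlier in this file with only a `name` and no `list`; an ACL that contains no elements contributes nothing to the evaluation, which is the point already raised in the thread. Give the referenced ACL at least one element (for instance the `deny ip 192.168.1.0/24` entry suggested there) so the example shows what a nested ACL actually adds.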
@@ -53,6 +83,17 @@ resource "bloxone_dns_auth_zone" "example" {
{
access = "deny"
element = "any"
},
{
element = "acl"
acl = bloxone_dns_acl.test.id
},
{
element = "tsig_key"
access = "deny"
tsig_key = {
key = bloxone_keys_tsig.test.id
}
}
]

17 changes: 17 additions & 0 deletions examples/data-sources/bloxone_dns_acls/data-source.tf
@@ -0,0 +1,17 @@
# Get DNS ACLs filtered by an attribute
data "bloxone_dns_acls" "example_by_attribute" {
filters = {
"name" = "example_acl"
}
}

# Get DNS ACLs filtered by tag
data "bloxone_dns_acls" "example_by_tag" {
tag_filters = {
site = "Site A"
}
}

# Get all DNS ACLs
data "bloxone_dns_acls" "example_all" {
}
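Review bot: the two map keys are quoted inconsistently (`"name"` in `filters` versus bare `site` in `tag_filters`); both forms are valid HCL, but pick one so the generated Example Usage in `docs/data-sources/dns_acls.md` reads consistently, and consider showing a `tag_filters` example with two keys since the schema text says multiple filters are ANDed together.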
39 changes: 39 additions & 0 deletions examples/resources/bloxone_dns_acl/resource.tf
@@ -0,0 +1,39 @@
resource "bloxone_keys_tsig" "test" {
name = "test-tsig."
}

resource "bloxone_dns_acl" "test_acl" {
name = "test-acl"
}

resource "bloxone_dns_acl" "example_acl" {
name = "example_dns_acl"

# Other Optional fields
comment = "An example acl"
tags = {
site = "Site A"
}
list = [
{
access = "allow"
element = "ip"
address = "192.168.1.1"
},
{
access = "deny"
element = "any"
},
{
element = "acl"
acl = bloxone_dns_acl.test_acl.id
},
{
element = "tsig_key"
access = "deny"
tsig_key = {
key = bloxone_keys_tsig.test.id
}
}
]
}
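Review bot: this file is the source that `docs/resources/dns_acl.md` is generated from, so the fixes requested in the thread (drop the `test` / `test-tsig.` / `test-acl` names, give the nested `test_acl` a non-empty `list`) and the element order in `list`, where `deny any` currently precedes the `acl` and `tsig_key` entries and makes them unreachable, all need to be applied here; changes made only to the markdown will be overwritten on the next docs generation.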