diff --git a/docs/resources/elb_security_policy.md b/docs/resources/elb_security_policy.md
new file mode 100644
index 000000000..c0449979d
--- /dev/null
+++ b/docs/resources/elb_security_policy.md
@@ -0,0 +1,75 @@
+---
+subcategory: "Dedicated Load Balance (Dedicated ELB)"
+---
+
+# flexibleengine_elb_security_policy
+
+Manages an ELB security policy resource within Flexibleengine.
+
+## Example Usage
+
+```hcl
+resource "flexibleengine_elb_security_policy" "test" {
+ name = "security_policy_test"
+ description = "this is a security policy"
+ protocols = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ ciphers = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `region` - (Optional, String, ForceNew) Specifies the region in which to create the resource.
+ If omitted, the provider-level region will be used. Changing this parameter will create a new resource.
+
+* `protocols` - (Required, List) Specifies the TSL protocol list which the security policy select.
+ Value options: **TLSv1**, **TLSv1.1**, **TLSv1.2**, and **TLSv1.3**.
+
+* `ciphers` - (Required, List) Specifies the cipher suite list of the security policy.
+ The protocol and cipher suite must match. That is to say, there must be at least one cipher suite in
+ ciphers that matches the protocol. The following cipher suites are supported:
+ **ECDHE-RSA-AES256-GCM-SHA384**, **ECDHE-RSA-AES128-GCM-SHA256**, **ECDHE-ECDSA-AES256-GCM-SHA384**,
+ **ECDHE-ECDSA-AES128-GCM-SHA256**, **AES128-GCM-SHA256**, **AES256-GCM-SHA384**, **ECDHE-ECDSA-AES128-SHA256**,
+ **ECDHE-RSA-AES128-SHA256**, **AES128-SHA256**, **AES256-SHA256**, **ECDHE-ECDSA-AES256-SHA384**,
+ **ECDHE-RSA-AES256-SHA384**, **ECDHE-ECDSA-AES128-SHA**, **ECDHE-RSA-AES128-SHA**, **ECDHE-RSA-AES256-SHA**,
+ **ECDHE-ECDSA-AES256-SHA**, **AES128-SHA**, **AES256-SHA**, **CAMELLIA128-SHA**, **DES-CBC3-SHA**,
+ **CAMELLIA256-SHA**, **ECDHE-RSA-CHACHA20-POLY1305**, **ECDHE-ECDSA-CHACHA20-POLY1305**, **TLS_AES_128_GCM_SHA256**,
+ **TLS_AES_256_GCM_SHA384**, **TLS_CHACHA20_POLY1305_SHA256**, **TLS_AES_128_CCM_SHA256**,
+ **TLS_AES_128_CCM_8_SHA256**.
+
+* `name` - (Optional, String) Specifies the ELB security policy name.
+ The name contains only Chinese characters, letters, digits, underscores (_), and hyphens (-),
+ and cannot exceed 255 characters.
+
+* `description` - (Optional, String) Specifies the description of the ELB security policy.
+ The value can contain 0 to 255 characters.
+
+* `enterprise_project_id` - (Optional, String, ForceNew) Specifies the enterprise project ID to which the Enterprise
+ router belongs.
+
+ Changing this parameter will create a new resource.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The resource ID.
+
+* `listeners` - The listener which the security policy associated with.
+ The [listeners](#elb_listeners) structure is documented below.
+
+
+The `listeners` block supports:
+
+* `id` - The listener id.
+
+## Import
+
+The elb security policies can be imported using the `id`, e.g.
+
+```bash
+$ terraform import flexibleengine_elb_security_policy.test
+0ce123456a00f2591fabc00385ff1234
+```
diff --git a/flexibleengine/acceptance/resource_flexibleengine_elb_security_policy_test.go b/flexibleengine/acceptance/resource_flexibleengine_elb_security_policy_test.go
new file mode 100644
index 000000000..60d4591cb
--- /dev/null
+++ b/flexibleengine/acceptance/resource_flexibleengine_elb_security_policy_test.go
@@ -0,0 +1,122 @@
+package acceptance
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+ "github.com/chnsz/golangsdk"
+
+ "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
+ "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
+ "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/utils"
+)
+
+func getSecurityPoliciesV3ResourceFunc(cfg *config.Config, state *terraform.ResourceState) (interface{}, error) {
+ region := OS_REGION_NAME
+ // getSecurityPolicy: Query the ELB security policy
+ var (
+ getSecurityPolicyHttpUrl = "v3/{project_id}/elb/security-policies/{security_policy_id}"
+ getSecurityPolicyProduct = "elb"
+ )
+ getSecurityPolicyClient, err := cfg.NewServiceClient(getSecurityPolicyProduct, region)
+ if err != nil {
+ return nil, fmt.Errorf("error creating SecurityPolicies Client: %s", err)
+ }
+
+ getSecurityPolicyPath := getSecurityPolicyClient.Endpoint + getSecurityPolicyHttpUrl
+ getSecurityPolicyPath = strings.ReplaceAll(getSecurityPolicyPath, "{project_id}", getSecurityPolicyClient.ProjectID)
+ getSecurityPolicyPath = strings.ReplaceAll(getSecurityPolicyPath, "{security_policy_id}", fmt.Sprintf("%v", state.Primary.ID))
+
+ getSecurityPolicyOpt := golangsdk.RequestOpts{
+ KeepResponseBody: true,
+ OkCodes: []int{
+ 200,
+ },
+ }
+ getSecurityPolicyResp, err := getSecurityPolicyClient.Request("GET", getSecurityPolicyPath, &getSecurityPolicyOpt)
+ if err != nil {
+ return nil, fmt.Errorf("error retrieving SecurityPolicies: %s", err)
+ }
+ return utils.FlattenResponse(getSecurityPolicyResp)
+}
+
+func TestAccSecurityPoliciesV3_basic(t *testing.T) {
+ var obj interface{}
+
+ name := acceptance.RandomAccResourceName()
+ rName := "flexibleengine_elb_security_policy.test"
+
+ rc := acceptance.InitResourceCheck(
+ rName,
+ &obj,
+ getSecurityPoliciesV3ResourceFunc,
+ )
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: TestAccProviderFactories,
+ CheckDestroy: rc.CheckResourceDestroy(),
+ Steps: []resource.TestStep{
+ {
+ Config: testSecurityPoliciesV3_basic(name),
+ Check: resource.ComposeTestCheckFunc(
+ rc.CheckResourceExists(),
+ resource.TestCheckResourceAttr(rName, "protocols.0", "TLSv1.1"),
+ resource.TestCheckResourceAttr(rName, "protocols.1", "TLSv1.2"),
+ resource.TestCheckResourceAttr(rName, "ciphers.0", "ECDHE-ECDSA-AES128-SHA"),
+ resource.TestCheckResourceAttr(rName, "ciphers.1", "ECDHE-RSA-AES256-SHA"),
+ ),
+ },
+ {
+ Config: testSecurityPoliciesV3_basic_update(name),
+ Check: resource.ComposeTestCheckFunc(
+ rc.CheckResourceExists(),
+ resource.TestCheckResourceAttr(rName, "protocols.0", "TLSv1.2"),
+ resource.TestCheckResourceAttr(rName, "ciphers.0", "ECDHE-ECDSA-AES128-SHA"),
+ resource.TestCheckResourceAttr(rName, "name", name),
+ ),
+ },
+ {
+ ResourceName: rName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testSecurityPoliciesV3_basic(name string) string {
+ return fmt.Sprintf(`
+resource "flexibleengine_elb_security_policy" "test" {
+ protocols = [
+ "TLSV1",
+ "TLSV1.1",
+ "TLSV1.2",
+ "TLSV1.3",
+ ]
+ ciphers = [
+ "ECDHE-ECDSA-AES128-SHA",
+ "ECDHE-RSA-AES256-SHA"
+ ]
+ name = "%s"
+}
+`, name)
+}
+
+func testSecurityPoliciesV3_basic_update(name string) string {
+ return fmt.Sprintf(`
+resource "flexibleengine_elb_security_policy" "test" {
+ protocols = [
+ "TLSv1.2"
+ ]
+ ciphers = [
+ "ECDHE-ECDSA-AES128-SHA"
+ ]
+ name = "%s"
+}
+`, name)
+}
diff --git a/flexibleengine/provider.go b/flexibleengine/provider.go
index 92d9261da..7fc4ca687 100644
--- a/flexibleengine/provider.go
+++ b/flexibleengine/provider.go
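Review bot: In resource_flexibleengine_elb_security_policy_test.go, the first step's assertions do not match the configuration that `testSecurityPoliciesV3_basic` renders: the config lists four protocols spelled `TLSV1`, `TLSV1.1`, `TLSV1.2`, `TLSV1.3`, while the checks expect `protocols.0` to be `TLSv1.1` and `protocols.1` to be `TLSv1.2`. The value options documented in this same commit use a lowercase `v`, so unless the resource normalises and filters the list (not visible here), step one should either fail or leave a permanent plan diff. Because this attribute decides which TLS versions a listener will accept, the test should pin exactly what was requested: set the config to `protocols = ["TLSv1.1", "TLSv1.2"]` and add `resource.TestCheckResourceAttr(rName, "protocols.#", "2")` so an unexpected extra protocol such as TLSv1 is caught rather than silently accepted.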
@@ -506,6 +506,7 @@ func Provider() *schema.Provider {
 "flexibleengine_dli_table": dli.ResourceDliTable(),
 "flexibleengine_dli_flinksql_job": dli.ResourceFlinkSqlJob(),
 "flexibleengine_drs_job": drs.ResourceDrsJob(),
+ "flexibleengine_elb_security_policy": elb.ResourceSecurityPolicy(),
 "flexibleengine_fgs_dependency": fgs.ResourceFgsDependency(),
 "flexibleengine_fgs_function": fgs.ResourceFgsFunctionV2(),
 "flexibleengine_fgs_trigger": fgs.ResourceFunctionGraphTrigger(),