[VPCEP]: whitelisting for opentelekomcloud_vpcep_service_v1 #2221

merged 2 commits into from Jul 11, 2023
6 changes: 6 additions & 0 deletions docs/resources/vpcep_service_v1.md
Expand Up @@ -14,6 +14,8 @@ Manages a VPC Endpoint Service v1 resource within OpenTelekomCloud.
```hcl
variable os_subnet_id {}
variable vpc_id {}
variable domain_id_1 {}
variable domain_id_2 {}

resource "opentelekomcloud_lb_loadbalancer_v2" "lb_1" {
vip_subnet_id = var.os_subnet_id
Expand All @@ -30,6 +32,8 @@ resource "opentelekomcloud_vpcep_service_v1" "service" {
server_port = 8080
}

whitelist = [var.domain_id_1, var.domain_id_2]

tags = {
"key" : "value",
}
Expand Down Expand Up @@ -84,6 +88,8 @@ The following arguments are supported:

* `port` - (Required) Lists the port mappings opened to the VPC endpoint service. See below for the details.

* `whitelist` - (Optional) Lists of domain IDs of target users.

* `tcp_proxy` - (Optional) Specifies whether the client IP address and port number or `marker_id` information is
transmitted to the server.
This parameter is available only when the server can parse fields tcp option and tcp payload.
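--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/jinzhu/copier v0.3.5
 github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
 github.com/mitchellh/go-homedir v1.1.0
-github.com/opentelekomcloud/gophertelekomcloud v0.7.1-0.20230707114449-73da2e88df88
+github.com/opentelekomcloud/gophertelekomcloud v0.7.1-0.20230710130340-2dec0fbc8985
 github.com/unknwon/com v1.0.1
 golang.org/x/crypto v0.1.0
 golang.org/x/sync v0.1.0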
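--- a/go.sum
+++ b/go.sum
@@ -156,6 +156,8 @@ github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/opentelekomcloud/gophertelekomcloud v0.7.1-0.20230707114449-73da2e88df88 h1:B8GT9dvLWl7M/AdbPGfFX4d5FGt7xHW2BtulbViqLfY=
 github.com/opentelekomcloud/gophertelekomcloud v0.7.1-0.20230707114449-73da2e88df88/go.mod h1:9Deb3q2gJvq5dExV+aX+iO+G+mD9Zr9uFt+YY9ONmq0=
+github.com/opentelekomcloud/gophertelekomcloud v0.7.1-0.20230710130340-2dec0fbc8985 h1:4TMIinHCDVu1tG551zTCSUG0JwiZwvh/pxuQYBUQlK0=
+github.com/opentelekomcloud/gophertelekomcloud v0.7.1-0.20230710130340-2dec0fbc8985/go.mod h1:9Deb3q2gJvq5dExV+aX+iO+G+mD9Zr9uFt+YY9ONmq0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=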
Expand Up @@ -156,6 +156,7 @@ resource "opentelekomcloud_vpcep_service_v1" "service" {
tags = {
"key" : "value",
}
whitelist = ["698f9bf85ca9437a9b2f41132ab3aa0e"]
}
`, common.DataSourceSubnet, name)
}
Expand Down Expand Up @@ -184,12 +185,13 @@ resource "opentelekomcloud_vpcep_service_v1" "service" {
port {
client_port = 81
server_port = 8081
protocol = "UDP"
protocol = "TCP"
}

tags = {
"key" : "value",
}
whitelist = ["698f9bf85ca9437a9b2f41132ab3aa0e", "e8df38eb4e4f4f148e06d8db527059c7"]
}
`, common.DataSourceSubnet, name)
}
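Review bot: The new fixture lines `whitelist = ["698f9bf85ca9437a9b2f41132ab3aa0e"]` and `whitelist = ["698f9bf85ca9437a9b2f41132ab3aa0e", "e8df38eb4e4f4f148e06d8db527059c7"]` hard-code what appear to be concrete IAM domain IDs, which ties the acceptance test to one tenant and, run elsewhere, would either fail or grant endpoint access to a domain the tester does not own. Feeding them through the format string like the existing `%s` arguments, from an environment variable the harness already provides (placeholder: `<WHITELIST_DOMAIN_ID_ENV>`), keeps the test portable; if these IDs are deliberately synthetic, a `// constructed IDs, not real tenants` comment above the template would say so. The second hunk also changes `protocol = "UDP"` to `protocol = "TCP"` in the update fixture, which alters what the update step exercises; if the whitelist flow requires TCP that deserves a one-line comment. Both enclosing test-config functions start outside the hunks shown.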
Expand Up @@ -3,13 +3,15 @@ package vpcep
import (
"context"
"regexp"
"strings"
"time"

"github.com/hashicorp/go-multierror"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
golangsdk "github.com/opentelekomcloud/gophertelekomcloud"
"github.com/opentelekomcloud/gophertelekomcloud/openstack/vpcep/v1/endpoints"
"github.com/opentelekomcloud/gophertelekomcloud/openstack/vpcep/v1/services"
"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common"
"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/cfg"
Expand Down Expand Up @@ -124,6 +126,14 @@ func ResourceVPCEPServiceV1() *schema.Resource {
),
DiffSuppressFunc: common.SuppressCaseInsensitive,
},
"whitelist": {
Type: schema.TypeSet,
Optional: true,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"tags": {
Type: schema.TypeMap,
Optional: true,
Expand Down Expand Up @@ -175,6 +185,14 @@ func resourceVPCEPServiceCreate(ctx context.Context, d *schema.ResourceData, met
return fmterr.Errorf("error waiting for VPC EP service to become available: %w", err)
}

endpointList := getEndpointDomains(d)
if endpointList != nil {
_, err = endpoints.BatchUpdateWhitelist(client, d.Id(), *endpointList)
if err != nil {
return fmterr.Errorf("error updating VPC EP whitelist domains: %w", err)
}
}

clientCtx := common.CtxWithClient(ctx, client, keyClient)
return resourceVPCEPServiceRead(clientCtx, d, meta)
}
Expand All @@ -198,6 +216,11 @@ func resourceVPCEPServiceRead(ctx context.Context, d *schema.ResourceData, meta
return fmterr.Errorf("error reading VPC EP service: %w", err)
}

whitelist, err := endpoints.GetWhitelist(client, d.Id())
if err != nil {
fmterr.Errorf("error querying VPC EP whitelist: %w", err)
}

mErr := multierror.Append(
d.Set("port_id", svc.PortID),
d.Set("pool_id", svc.PoolID),
Expand All @@ -209,6 +232,7 @@ func resourceVPCEPServiceRead(ctx context.Context, d *schema.ResourceData, meta
d.Set("server_type", svc.ServerType),
d.Set("port", portsSlice(svc.Ports)),
d.Set("tags", common.TagsToMap(svc.Tags)),
d.Set("whitelist", whitelistSlice(*whitelist)),
)

if err := mErr.ErrorOrNil(); err != nil {
Expand Down Expand Up @@ -246,7 +270,7 @@ func resourceVPCEPServiceUpdate(ctx context.Context, d *schema.ResourceData, met

_, err = services.Update(client, d.Id(), opts).Extract()
if err != nil {
return fmterr.Errorf("error creating VPC EP service: %w", err)
return fmterr.Errorf("error updating VPC EP service: %w", err)
}

err = services.WaitForServiceStatus(
Expand All @@ -257,6 +281,42 @@ func resourceVPCEPServiceUpdate(ctx context.Context, d *schema.ResourceData, met
return fmterr.Errorf("error waiting for VPC EP service to become available: %w", err)
}

if d.HasChange("whitelist") {
o, n := d.GetChange("whitelist")
oldr := o.(*schema.Set)
newr := n.(*schema.Set)
var whitelistRemove []string
var whitelistAdd []string

for _, r := range oldr.Difference(newr).List() {
whitelistRemove = append(whitelistRemove, "iam:domain::"+r.(string))
}

if len(whitelistRemove) > 0 {
_, err = endpoints.BatchUpdateWhitelist(client, d.Id(), endpoints.BatchUpdateReq{
Permissions: whitelistRemove,
Action: "remove",
})
if err != nil {
return fmterr.Errorf("error updating VPC EP whitelist domains: %w", err)
}
}

for _, r := range newr.Difference(oldr).List() {
whitelistAdd = append(whitelistAdd, "iam:domain::"+r.(string))
}

if len(whitelistAdd) > 0 {
_, err = endpoints.BatchUpdateWhitelist(client, d.Id(), endpoints.BatchUpdateReq{
Permissions: whitelistAdd,
Action: "add",
})
if err != nil {
return fmterr.Errorf("error updating VPC EP whitelist domains: %w", err)
}
}
}

clientCtx := common.CtxWithClient(ctx, client, keyClient)
return resourceVPCEPServiceRead(clientCtx, d, meta)
}
Expand Down Expand Up @@ -318,6 +378,21 @@ func getPorts(d *schema.ResourceData) []services.PortMapping {
return pMapping
}

func getEndpointDomains(d *schema.ResourceData) *endpoints.BatchUpdateReq {
whitelistSet := d.Get("whitelist").(*schema.Set).List()
if len(whitelistSet) == 0 {
return nil
}
var whitelistMapping endpoints.BatchUpdateReq
var whiteList []string
for _, w := range whitelistSet {
whiteList = append(whiteList, "iam:domain::"+w.(string))
}
whitelistMapping.Permissions = whiteList
whitelistMapping.Action = "add"
return &whitelistMapping
}

func portsSlice(pts []services.PortMapping) []interface{} {
ports := make([]interface{}, len(pts))
for i, p := range pts {
Expand All @@ -329,3 +404,11 @@ func portsSlice(pts []services.PortMapping) []interface{} {
}
return ports
}

func whitelistSlice(whitelist endpoints.GetWhitelistResponse) []string {
var domains []string
for _, perm := range whitelist.Permissions {
domains = append(domains, strings.TrimPrefix(perm.Permission, "iam:domain::"))
}
return domains
}
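Review bot: In resourceVPCEPServiceRead the result of `fmterr.Errorf("error querying VPC EP whitelist: %w", err)` is discarded — the diagnostic is built but never returned — so when `endpoints.GetWhitelist` fails the function continues and `whitelistSlice(*whitelist)` in the d.Set block dereferences a nil pointer and panics the provider. The line should read `return fmterr.Errorf("error querying VPC EP whitelist: %w", err)`, matching how the other read errors in this function are handled. Separately, `whitelist` is declared with both `Optional: true` and `Computed: true`; if I read the SDK semantics right, that means deleting `whitelist` from the configuration produces no diff and previously granted domains are never removed, which is worth confirming and stating on the `whitelist` argument in the resource doc. The `"iam:domain::"` prefix is now spelled out in getEndpointDomains, resourceVPCEPServiceUpdate and whitelistSlice; a single package-level constant would keep the encode and decode sides in step. resourceVPCEPServiceCreate, resourceVPCEPServiceRead and resourceVPCEPServiceUpdate all begin outside the hunks shown.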
4 changes: 4 additions & 0 deletions releasenotes/notes/vpcep_whitelist-9772f71895469582.yaml
@@ -0,0 +1,4 @@
---
enhancements:
- |
**[VPCEP]** Domain whitelist implementation for ``opentelekomcloud_vpcep_service_v1`` (`#2221 <https://github.com/opentelekomcloud/terraform-provider-opentelekomcloud/pull/2221>`_)