Merge pull request #31073 from DrFaust92/lustre-root

r/fsx_lustre_file_system - add `root_squash_configuration`
hashicorp · May 3, 2023 · 4c6403e · 4c6403e
2 parents 686eb1c + f517e92
commit 4c6403e
Show file tree

Hide file tree

Showing 4 changed files with 133 additions and 0 deletions.
diff --git a/.changelog/31073.txt b/.changelog/31073.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_fsx_lustre_file_system: Add `root_squash_configuration` argument
+```
diff --git a/internal/service/fsx/lustre_file_system.go b/internal/service/fsx/lustre_file_system.go
@@ -245,6 +245,28 @@ func ResourceLustreFileSystem() *schema.Resource {
 					},
 				},
 			},
+			"root_squash_configuration": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"no_squash_nids": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validation.StringMatch(regexp.MustCompile(`^([0-9\[\]\-]*\.){3}([0-9\[\]\-]*)@tcp$`), "must be in the standard Lustre NID foramt"),
+							},
+						},
+						"root_squash": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validation.StringMatch(regexp.MustCompile(`^([0-9]{1,10}):([0-9]{1,10})$`), "must be in the format UID:GID"),
+						},
+					},
+				},
+			},
 		},
 
 		CustomizeDiff: customdiff.Sequence(
@@ -370,6 +392,11 @@ func resourceLustreFileSystemCreate(ctx context.Context, d *schema.ResourceData,
 		backupInput.LustreConfiguration.LogConfiguration = expandLustreLogCreateConfiguration(v.([]interface{}))
 	}
 
+	if v, ok := d.GetOk("root_squash_configuration"); ok && len(v.([]interface{})) > 0 {
+		input.LustreConfiguration.RootSquashConfiguration = expandLustreRootSquashConfiguration(v.([]interface{}))
+		backupInput.LustreConfiguration.RootSquashConfiguration = expandLustreRootSquashConfiguration(v.([]interface{}))
+	}
+
 	if v, ok := d.GetOk("backup_id"); ok {
 		backupInput.BackupId = aws.String(v.(string))
 
@@ -440,6 +467,11 @@ func resourceLustreFileSystemUpdate(ctx context.Context, d *schema.ResourceData,
 			waitAdminAction = true
 		}
 
+		if d.HasChange("root_squash_configuration") {
+			input.LustreConfiguration.RootSquashConfiguration = expandLustreRootSquashConfiguration(d.Get("root_squash_configuration").([]interface{}))
+			waitAdminAction = true
+		}
+
 		_, err := conn.UpdateFileSystemWithContext(ctx, input)
 		if err != nil {
 			return sdkdiag.AppendErrorf(diags, "updating FSX Lustre File System (%s): %s", d.Id(), err)
@@ -517,6 +549,10 @@ func resourceLustreFileSystemRead(ctx context.Context, d *schema.ResourceData, m
 		return sdkdiag.AppendErrorf(diags, "setting log_configuration: %s", err)
 	}
 
+	if err := d.Set("root_squash_configuration", flattenLustreRootSquashConfiguration(lustreConfig.RootSquashConfiguration)); err != nil {
+		return sdkdiag.AppendErrorf(diags, "setting root_squash_configuration: %s", err)
+	}
+
 	SetTagsOut(ctx, filesystem.Tags)
 
 	d.Set("vpc_id", filesystem.VpcId)
@@ -556,6 +592,43 @@ func resourceLustreFileSystemDelete(ctx context.Context, d *schema.ResourceData,
 	return diags
 }
 
+func expandLustreRootSquashConfiguration(l []interface{}) *fsx.LustreRootSquashConfiguration {
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	data := l[0].(map[string]interface{})
+	req := &fsx.LustreRootSquashConfiguration{}
+
+	if v, ok := data["root_squash"].(string); ok && v != "" {
+		req.RootSquash = aws.String(v)
+	}
+
+	if v, ok := data["no_squash_nids"].(*schema.Set); ok && v.Len() > 0 {
+		req.NoSquashNids = flex.ExpandStringSet(v)
+	}
+
+	return req
+}
+
+func flattenLustreRootSquashConfiguration(adopts *fsx.LustreRootSquashConfiguration) []map[string]interface{} {
+	if adopts == nil {
+		return []map[string]interface{}{}
+	}
+
+	m := map[string]interface{}{}
+
+	if adopts.RootSquash != nil {
+		m["root_squash"] = aws.StringValue(adopts.RootSquash)
+	}
+
+	if adopts.NoSquashNids != nil {
+		m["no_squash_nids"] = flex.FlattenStringSet(adopts.NoSquashNids)
+	}
+
+	return []map[string]interface{}{m}
+}
+
 func expandLustreLogCreateConfiguration(l []interface{}) *fsx.LustreLogCreateConfiguration {
 	if len(l) == 0 || l[0] == nil {
 		return nil

diff --git a/internal/service/fsx/lustre_file_system_test.go b/internal/service/fsx/lustre_file_system_test.go
@@ -674,6 +674,43 @@ func TestAccFSxLustreFileSystem_logConfig(t *testing.T) {
 	})
 }
 
+func TestAccFSxLustreFileSystem_rootSquashConfig(t *testing.T) {
+	ctx := acctest.Context(t)
+	var filesystem fsx.FileSystem
+	resourceName := "aws_fsx_lustre_file_system.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); acctest.PreCheckPartitionHasService(t, fsx.EndpointsID) },
+		ErrorCheck:               acctest.ErrorCheck(t, fsx.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckLustreFileSystemDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLustreFileSystemConfig_rootSquash("365534:65534"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLustreFileSystemExists(ctx, resourceName, &filesystem),
+					resource.TestCheckResourceAttr(resourceName, "root_squash_configuration.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "root_squash_configuration.0.root_squash", "365534:65534"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"security_group_ids"},
+			},
+			{
+				Config: testAccLustreFileSystemConfig_rootSquash("355534:64534"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLustreFileSystemExists(ctx, resourceName, &filesystem),
+					resource.TestCheckResourceAttr(resourceName, "root_squash_configuration.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "root_squash_configuration.0.root_squash", "355534:64534"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccFSxLustreFileSystem_fromBackup(t *testing.T) {
 	ctx := acctest.Context(t)
 	var filesystem fsx.FileSystem
@@ -1390,3 +1427,17 @@ resource "aws_fsx_lustre_file_system" "test" {
 }
 `, rName, status))
 }
+
+func testAccLustreFileSystemConfig_rootSquash(uid string) string {
+	return acctest.ConfigCompose(testAccLustreFileSystemBaseConfig(), fmt.Sprintf(`
+resource "aws_fsx_lustre_file_system" "test" {
+  storage_capacity = 1200
+  subnet_ids       = [aws_subnet.test1.id]
+  deployment_type  = data.aws_partition.current.partition == "aws-us-gov" ? "SCRATCH_2" : null # GovCloud does not support SCRATCH_1
+
+  root_squash_configuration {
+    root_squash = %[1]q
+  }
+}
+`, uid))
+}
diff --git a/website/docs/r/fsx_lustre_file_system.html.markdown b/website/docs/r/fsx_lustre_file_system.html.markdown
@@ -47,12 +47,18 @@ The following arguments are supported:
 * `data_compression_type` - (Optional) Sets the data compression configuration for the file system. Valid values are `LZ4` and `NONE`. Default value is `NONE`. Unsetting this value reverts the compression type back to `NONE`.
 * `file_system_type_version` - (Optional) Sets the Lustre version for the file system that you're creating. Valid values are 2.10 for `SCRATCH_1`, `SCRATCH_2` and `PERSISTENT_1` deployment types. Valid values for 2.12 include all deployment types.
 * `log_configuration` - (Optional) The Lustre logging configuration used when creating an Amazon FSx for Lustre file system. When logging is enabled, Lustre logs error and warning events for data repositories associated with your file system to Amazon CloudWatch Logs.
+* `root_squash_configuration` - (Optional) The Lustre root squash configuration used when creating an Amazon FSx for Lustre file system. When enabled, root squash restricts root-level access from clients that try to access your file system as a root user.
 
 ### log_configuration
 
 * `destination` - (Optional) The Amazon Resource Name (ARN) that specifies the destination of the logs. The name of the Amazon CloudWatch Logs log group must begin with the `/aws/fsx` prefix. If you do not provide a destination, Amazon FSx will create and use a log stream in the CloudWatch Logs `/aws/fsx/lustre` log group.
 * `level` - (Optional) Sets which data repository events are logged by Amazon FSx. Valid values are `WARN_ONLY`, `FAILURE_ONLY`, `ERROR_ONLY`, `WARN_ERROR` and `DISABLED`. Default value is `DISABLED`.
 
+### root_squash_configuration
+
+* `no_squash_nids` - (Optional) When root squash is enabled, you can optionally specify an array of NIDs of clients for which root squash does not apply. A client NID is a Lustre Network Identifier used to uniquely identify a client. You can specify the NID as either a single address or a range of addresses: 1. A single address is described in standard Lustre NID format by specifying the client’s IP address followed by the Lustre network ID (for example, 10.0.1.6@tcp). 2. An address range is described using a dash to separate the range (for example, 10.0.[2-10].[1-255]@tcp).
+* `root_squash` - (Optional) You enable root squash by setting a user ID (UID) and group ID (GID) for the file system in the format UID:GID (for example, 365534:65534). The UID and GID values can range from 0 to 4294967294.
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported: