Update schema for r/netowrking_port_v2 (#1045)

Update schema for `r/netowrking_port_v2` Summary of the Pull Request Add possibility to enable/disable port_security_enabled Resolves: #1043 PR Checklist Refers to: #1043 Tests added/passed. Documentation updated. Schema updated. Acceptance Steps Performed === RUN TestAccNetworkingV2Port_basic --- PASS: TestAccNetworkingV2Port_basic (70.27s) === RUN TestAccNetworkingV2Port_noip --- PASS: TestAccNetworkingV2Port_noip (69.81s) === RUN TestAccNetworkingV2Port_allowedAddressPairs --- PASS: TestAccNetworkingV2Port_allowedAddressPairs (92.12s) === RUN TestAccNetworkingV2Port_portSecurity_enabled --- PASS: TestAccNetworkingV2Port_portSecurity_enabled (82.48s) === RUN TestAccNetworkingV2Port_timeout --- PASS: TestAccNetworkingV2Port_timeout (70.40s) PASS Process finished with the exit code 0 Reviewed-by: None <None> Reviewed-by: Anton Sidelnikov <None>
opentelekomcloud · May 6, 2021 · 4ea4f36 · 4ea4f36
1 parent c2e4e90
commit 4ea4f36
Show file tree

Hide file tree

Showing 3 changed files with 248 additions and 64 deletions.
diff --git a/docs/resources/networking_port_v2.md b/docs/resources/networking_port_v2.md
@@ -48,6 +48,11 @@ The following arguments are supported:
   port. The security groups must be specified by ID and not name (as opposed
   to how they are configured with the Compute Instance).
 
+* `no_security_groups` - (Optional) If set to `true`, then no security groups
+  are applied to the port. If set to `false` and no `security_group_ids` are specified,
+  then the port will yield to the default behavior of the Networking service,
+  which is to usually apply the `"default"` security group.
+
 * `device_id` - (Optional) The ID of the device attached to the port. Changing this
   creates a new port.
 
@@ -74,6 +79,13 @@ The `allowed_address_pairs` block supports:
 
 * `mac_address` - (Optional) The additional MAC address.
 
+* `port_security_enabled` - (Optional) Whether to explicitly enable or disable
+  port security on the port. Port Security is usually enabled by default, so
+  omitting argument will usually result in a value of `true`. Setting this
+  explicitly to `false` will disable port security. In order to disable port
+  security, the port must not have any security groups. Valid values are `true`
+  and `false`.
+
 ## Attributes Reference
 
 The following attributes are exported:
@@ -94,6 +106,8 @@ The following attributes are exported:
 
 * `all fixed_ips` - The collection of Fixed IP addresses on the port in the order returned by the Network v2 API.
 
+* `port_security_enabled` - See Argument Reference above.
+
 ## Import
 
 Ports can be imported using the `id`, e.g.

diff --git a/opentelekomcloud/acceptance/vpc/resource_opentelekomcloud_networking_port_v2_test.go b/opentelekomcloud/acceptance/vpc/resource_opentelekomcloud_networking_port_v2_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+	"github.com/opentelekomcloud/gophertelekomcloud/openstack/networking/v2/extensions/portsecurity"
 	"github.com/opentelekomcloud/gophertelekomcloud/openstack/networking/v2/networks"
 	"github.com/opentelekomcloud/gophertelekomcloud/openstack/networking/v2/ports"
 	"github.com/opentelekomcloud/gophertelekomcloud/openstack/networking/v2/subnets"
@@ -15,6 +16,11 @@ import (
 	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/cfg"
 )
 
+type testPortWithExtensions struct {
+	ports.Port
+	portsecurity.PortSecurityExt
+}
+
 func TestAccNetworkingV2Port_basic(t *testing.T) {
 	var network networks.Network
 	var port ports.Port
@@ -63,7 +69,7 @@ func TestAccNetworkingV2Port_noip(t *testing.T) {
 func TestAccNetworkingV2Port_allowedAddressPairs(t *testing.T) {
 	var network networks.Network
 	var subnet subnets.Subnet
-	var vrrp_port_1, vrrp_port_2, instance_port ports.Port
+	var vrrpPort1, vrrpPort2, instancePort ports.Port
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { common.TestAccPreCheck(t) },
@@ -75,9 +81,38 @@ func TestAccNetworkingV2Port_allowedAddressPairs(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					TestAccCheckNetworkingV2SubnetExists("opentelekomcloud_networking_subnet_v2.vrrp_subnet", &subnet),
 					TestAccCheckNetworkingV2NetworkExists("opentelekomcloud_networking_network_v2.vrrp_network", &network),
-					testAccCheckNetworkingV2PortExists("opentelekomcloud_networking_port_v2.vrrp_port_1", &vrrp_port_1),
-					testAccCheckNetworkingV2PortExists("opentelekomcloud_networking_port_v2.vrrp_port_2", &vrrp_port_2),
-					testAccCheckNetworkingV2PortExists("opentelekomcloud_networking_port_v2.instance_port", &instance_port),
+					testAccCheckNetworkingV2PortExists("opentelekomcloud_networking_port_v2.vrrp_port_1", &vrrpPort1),
+					testAccCheckNetworkingV2PortExists("opentelekomcloud_networking_port_v2.vrrp_port_2", &vrrpPort2),
+					testAccCheckNetworkingV2PortExists("opentelekomcloud_networking_port_v2.instance_port", &instancePort),
+				),
+			},
+		},
+	})
+}
+
+func TestAccNetworkingV2Port_portSecurity_enabled(t *testing.T) {
+	var port testPortWithExtensions
+	resourceName := "opentelekomcloud_networking_port_v2.port_1"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { common.TestAccPreCheck(t) },
+		Providers:    common.TestAccProviders,
+		CheckDestroy: testAccCheckNetworkingV2PortDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNetworkingV2PortSecurityEnabled,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNetworkingV2PortWithExtensionsExists(resourceName, &port),
+					resource.TestCheckResourceAttr(resourceName, "port_security_enabled", "true"),
+					testAccCheckNetworkingV2PortPortSecurity(&port, true),
+				),
+			},
+			{
+				Config: testAccNetworkingV2PortSecurityDisabled,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNetworkingV2PortWithExtensionsExists(resourceName, &port),
+					resource.TestCheckResourceAttr(resourceName, "port_security_enabled", "false"),
+					testAccCheckNetworkingV2PortPortSecurity(&port, false),
 				),
 			},
 		},
@@ -108,19 +143,19 @@ func TestAccNetworkingV2Port_timeout(t *testing.T) {
 
 func testAccCheckNetworkingV2PortDestroy(s *terraform.State) error {
 	config := common.TestAccProvider.Meta().(*cfg.Config)
-	networkingClient, err := config.NetworkingV2Client(env.OS_REGION_NAME)
+	client, err := config.NetworkingV2Client(env.OS_REGION_NAME)
 	if err != nil {
-		return fmt.Errorf("Error creating OpenTelekomCloud networking client: %s", err)
+		return fmt.Errorf("error creating OpenTelekomCloud NetworkingV2 client: %w", err)
 	}
 
 	for _, rs := range s.RootModule().Resources {
 		if rs.Type != "opentelekomcloud_networking_port_v2" {
 			continue
 		}
 
-		_, err := ports.Get(networkingClient, rs.Primary.ID).Extract()
+		_, err := ports.Get(client, rs.Primary.ID).Extract()
 		if err == nil {
-			return fmt.Errorf("Port still exists")
+			return fmt.Errorf("port still exists")
 		}
 	}
 
@@ -131,26 +166,26 @@ func testAccCheckNetworkingV2PortExists(n string, port *ports.Port) resource.Tes
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
 		if !ok {
-			return fmt.Errorf("Not found: %s", n)
+			return fmt.Errorf("not found: %s", n)
 		}
 
 		if rs.Primary.ID == "" {
-			return fmt.Errorf("No ID is set")
+			return fmt.Errorf("no ID is set")
 		}
 
 		config := common.TestAccProvider.Meta().(*cfg.Config)
-		networkingClient, err := config.NetworkingV2Client(env.OS_REGION_NAME)
+		client, err := config.NetworkingV2Client(env.OS_REGION_NAME)
 		if err != nil {
-			return fmt.Errorf("Error creating OpenTelekomCloud networking client: %s", err)
+			return fmt.Errorf("error creating OpenTelekomCloud NetworkingV2 client: %w", err)
 		}
 
-		found, err := ports.Get(networkingClient, rs.Primary.ID).Extract()
+		found, err := ports.Get(client, rs.Primary.ID).Extract()
 		if err != nil {
 			return err
 		}
 
 		if found.ID != rs.Primary.ID {
-			return fmt.Errorf("Port not found")
+			return fmt.Errorf("port not found")
 		}
 
 		*port = *found
@@ -159,10 +194,43 @@ func testAccCheckNetworkingV2PortExists(n string, port *ports.Port) resource.Tes
 	}
 }
 
+func testAccCheckNetworkingV2PortWithExtensionsExists(n string, port *testPortWithExtensions) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("no ID is set")
+		}
+
+		config := common.TestAccProvider.Meta().(*cfg.Config)
+		client, err := config.NetworkingV2Client(env.OS_REGION_NAME)
+		if err != nil {
+			return fmt.Errorf("error creating OpenTelekomCloud NetworkingV2 client: %s", err)
+		}
+
+		var found testPortWithExtensions
+		err = ports.Get(client, rs.Primary.ID).ExtractInto(&found)
+		if err != nil {
+			return err
+		}
+
+		if found.ID != rs.Primary.ID {
+			return fmt.Errorf("port not found")
+		}
+
+		*port = found
+
+		return nil
+	}
+}
+
 func testAccCheckNetworkingV2PortCountFixedIPs(port *ports.Port, expected int) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		if len(port.FixedIPs) != expected {
-			return fmt.Errorf("Expected %d Fixed IPs, got %d", expected, len(port.FixedIPs))
+			return fmt.Errorf("expected %d Fixed IPs, got %d", expected, len(port.FixedIPs))
 		}
 
 		return nil
@@ -172,7 +240,17 @@ func testAccCheckNetworkingV2PortCountFixedIPs(port *ports.Port, expected int) r
 func testAccCheckNetworkingV2PortCountSecurityGroups(port *ports.Port, expected int) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		if len(port.SecurityGroups) != expected {
-			return fmt.Errorf("Expected %d Security Groups, got %d", expected, len(port.SecurityGroups))
+			return fmt.Errorf("expected %d Security Groups, got %d", expected, len(port.SecurityGroups))
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckNetworkingV2PortPortSecurity(port *testPortWithExtensions, expected bool) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if port.PortSecurityEnabled != expected {
+			return fmt.Errorf("port has wrong port_security_enabled. Expected %t, got %t", expected, port.PortSecurityEnabled)
 		}
 
 		return nil
@@ -361,6 +439,52 @@ resource "opentelekomcloud_networking_port_v2" "port_1" {
 }
 `
 
+const testAccNetworkingV2PortSecurityDisabled = `
+resource "opentelekomcloud_networking_network_v2" "network_1" {
+  name = "network_1"
+}
+resource "opentelekomcloud_networking_subnet_v2" "subnet_1" {
+  name       = "subnet_1"
+  cidr       = "192.168.199.0/24"
+  ip_version = 4
+  network_id = opentelekomcloud_networking_network_v2.network_1.id
+}
+
+resource "opentelekomcloud_networking_port_v2" "port_1" {
+  name                  = "port_1"
+  network_id            = opentelekomcloud_networking_network_v2.network_1.id
+  port_security_enabled = false
+  no_security_groups    = true
+  fixed_ip {
+    subnet_id  = opentelekomcloud_networking_subnet_v2.subnet_1.id
+    ip_address = "192.168.199.23"
+  }
+}
+`
+
+const testAccNetworkingV2PortSecurityEnabled = `
+resource "opentelekomcloud_networking_network_v2" "network_1" {
+  name = "network_1"
+}
+resource "opentelekomcloud_networking_subnet_v2" "subnet_1" {
+  name       = "subnet_1"
+  cidr       = "192.168.199.0/24"
+  ip_version = 4
+  network_id = opentelekomcloud_networking_network_v2.network_1.id
+}
+
+resource "opentelekomcloud_networking_port_v2" "port_1" {
+  name                  = "port_1"
+  network_id            = opentelekomcloud_networking_network_v2.network_1.id
+  port_security_enabled = true
+  no_security_groups    = false
+  fixed_ip {
+    subnet_id  = opentelekomcloud_networking_subnet_v2.subnet_1.id
+    ip_address = "192.168.199.23"
+  }
+}
+`
+
 const testAccNetworkingV2Port_timeout = `
 resource "opentelekomcloud_networking_network_v2" "network_1" {
   name = "network_1"