[D] Network Security Group

[R] Add NSG [R] Add NSG Action [R] Add NSG Member [R] Add NSG Member test
powervs-ibm · Sep 3, 2024 · 85a94b1 · 85a94b1
1 parent a69ee03
commit 85a94b1
Show file tree

Hide file tree

Showing 20 changed files with 2,211 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ toolchain go1.22.5
 require (
 	github.com/IBM-Cloud/bluemix-go v0.0.0-20240719075425-078fcb3a55be
 	github.com/IBM-Cloud/container-services-go-sdk v0.0.0-20240725064144-454a2ae23113
-	github.com/IBM-Cloud/power-go-client v1.7.0
+	github.com/IBM-Cloud/power-go-client v1.8.0-beta12
 	github.com/IBM/apigateway-go-sdk v0.0.0-20210714141226-a5d5d49caaca
 	github.com/IBM/appconfiguration-go-admin-sdk v0.3.0
 	github.com/IBM/appid-management-go-sdk v0.0.0-20210908164609-dd0e0eaf732f

diff --git a/go.sum b/go.sum
@@ -118,8 +118,8 @@ github.com/IBM-Cloud/bluemix-go v0.0.0-20240719075425-078fcb3a55be/go.mod h1:/7h
 github.com/IBM-Cloud/container-services-go-sdk v0.0.0-20240725064144-454a2ae23113 h1:f2Erqfea1dKpaTFagTJM6W/wnD3JGq/Vn9URh8nuRwk=
 github.com/IBM-Cloud/container-services-go-sdk v0.0.0-20240725064144-454a2ae23113/go.mod h1:xUQL9SGAjoZFd4GNjrjjtEpjpkgU7RFXRyHesbKTjiY=
 github.com/IBM-Cloud/ibm-cloud-cli-sdk v0.5.3/go.mod h1:RiUvKuHKTBmBApDMUQzBL14pQUGKcx/IioKQPIcRQjs=
-github.com/IBM-Cloud/power-go-client v1.7.0 h1:/GuGwPMTKoCZACfnwt7b6wKr4v32q1VO1AMFGNETRN4=
-github.com/IBM-Cloud/power-go-client v1.7.0/go.mod h1:9izycYAmNQ+NAdVPXDC3fHYxqWLjlR2YiwqKYveMv5Y=
+github.com/IBM-Cloud/power-go-client v1.8.0-beta12 h1:4DXa4lUMGKlf7cWrBG+nWa9Gdiz20z1O9h1gSX4Q7JY=
+github.com/IBM-Cloud/power-go-client v1.8.0-beta12/go.mod h1:oAkZiHX25cmr2Yun5V0q6CpnUemegvSrpcEy/oQcjzU=
 github.com/IBM-Cloud/softlayer-go v1.0.5-tf h1:koUAyF9b6X78lLLruGYPSOmrfY2YcGYKOj/Ug9nbKNw=
 github.com/IBM-Cloud/softlayer-go v1.0.5-tf/go.mod h1:6HepcfAXROz0Rf63krk5hPZyHT6qyx2MNvYyHof7ik4=
 github.com/IBM/apigateway-go-sdk v0.0.0-20210714141226-a5d5d49caaca h1:crniVcf+YcmgF03NmmfonXwSQ73oJF+IohFYBwknMxs=

diff --git a/ibm/acctest/acctest.go b/ibm/acctest/acctest.go
@@ -217,6 +217,7 @@ var (
 	Pi_instance_name                string
 	Pi_key_name                     string
 	Pi_network_name                 string
+	Pi_network_security_group_id    string
 	Pi_placement_group_name         string
 	Pi_replication_volume_name      string
 	Pi_resource_group_id            string
@@ -1061,6 +1062,11 @@ func init() {
 		fmt.Println("[INFO] Set the environment variable PI_NETWORK_NAME for testing ibm_pi_network_name resource else it is set to default value 'terraform-test-power'")
 	}
 
+	Pi_network_security_group_id = os.Getenv("PI_NETWORK_SECURITY_GROUP_ID")
+	if Pi_network_security_group_id == "" {
+		Pi_network_security_group_id = "terraform-test-power"
+		fmt.Println("[INFO] Set the environment variable PI_NETWORK_SECURITY_GROUP_ID for testing ibm_pi_network_security_group resource else it is set to default value 'terraform-test-power'")
+	}
 	Pi_volume_name = os.Getenv("PI_VOLUME_NAME")
 	if Pi_volume_name == "" {
 		Pi_volume_name = "terraform-test-power"

diff --git a/ibm/provider/provider.go b/ibm/provider/provider.go
@@ -652,6 +652,8 @@ func Provider() *schema.Provider {
 			"ibm_pi_key":                                    power.DataSourceIBMPIKey(),
 			"ibm_pi_keys":                                   power.DataSourceIBMPIKeys(),
 			"ibm_pi_network_port":                           power.DataSourceIBMPINetworkPort(),
+			"ibm_pi_network_security_group":                 power.DataSourceIBMPINetworkSecurityGroup(),
+			"ibm_pi_network-security-groups":                power.DataSourceIBMPINetworkSecurityGroups(),
 			"ibm_pi_network":                                power.DataSourceIBMPINetwork(),
 			"ibm_pi_networks":                               power.DataSourceIBMPINetworks(),
 			"ibm_pi_placement_group":                        power.DataSourceIBMPIPlacementGroup(),
@@ -1297,6 +1299,9 @@ func Provider() *schema.Provider {
 			"ibm_pi_ipsec_policy":                    power.ResourceIBMPIIPSecPolicy(),
 			"ibm_pi_key":                             power.ResourceIBMPIKey(),
 			"ibm_pi_network_port_attach":             power.ResourceIBMPINetworkPortAttach(),
+			"ibm_pi_network_security_group_action":   power.ResourceIBMPINetworkSecurityGroupAction(),
+			"ibm_pi_network_security_group_member":   power.ResourceIBMPINetworkSecurityGroupMember(),
+			"ibm_pi_network_security_group":          power.ResourceIBMPINetworkSecurityGroup(),
 			"ibm_pi_network":                         power.ResourceIBMPINetwork(),
 			"ibm_pi_placement_group":                 power.ResourceIBMPIPlacementGroup(),
 			"ibm_pi_shared_processor_pool":           power.ResourceIBMPISharedProcessorPool(),

diff --git a/ibm/service/power/data_source_ibm_pi_network_security_group.go b/ibm/service/power/data_source_ibm_pi_network_security_group.go
@@ -0,0 +1,314 @@
+// Copyright IBM Corp. 2024 All Rights Reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package power
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/IBM-Cloud/power-go-client/clients/instance"
+	"github.com/IBM-Cloud/power-go-client/power/models"
+	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func DataSourceIBMPINetworkSecurityGroup() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceIBMPINetworkSecurityGroupRead,
+
+		Schema: map[string]*schema.Schema{
+			// Arguments
+			Arg_CloudInstanceID: {
+				Description:  "The GUID of the service instance associated with an account.",
+				Required:     true,
+				Type:         schema.TypeString,
+				ValidateFunc: validation.NoZeroValues,
+			},
+			Arg_NetworkSecurityGroupID: {
+				Description:  "network security group ID.",
+				Required:     true,
+				Type:         schema.TypeString,
+				ValidateFunc: validation.NoZeroValues,
+			},
+			// Attributes
+			Attr_CRN: {
+				Computed:    true,
+				Description: "The network security group's crn.",
+				Type:        schema.TypeString,
+			},
+			Attr_Members: {
+				Computed:    true,
+				Description: "The list of IPv4 addresses and, or network interfaces in the network security group.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						Attr_ID: {
+							Computed:    true,
+							Description: "The ID of the member in a network security group.",
+							Type:        schema.TypeString,
+						},
+						Attr_MacAddress: {
+							Computed:    true,
+							Description: "The mac address of a network interface included if the type is network-interface.",
+							Type:        schema.TypeString,
+						},
+						Attr_Target: {
+							Computed:    true,
+							Description: "If ipv4-address type, then IPv4 address or if network-interface type, then network interface ID.",
+							Type:        schema.TypeString,
+						},
+						Attr_Type: {
+							Computed:    true,
+							Description: "The type of member.",
+							Type:        schema.TypeString,
+						},
+					},
+				},
+				Type: schema.TypeList,
+			},
+			Attr_Name: {
+				Computed:    true,
+				Description: "The name of the network security group.",
+				Type:        schema.TypeString,
+			},
+			Attr_Rules: {
+				Computed:    true,
+				Description: "The list of rules in the network security group.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						Attr_Action: {
+							Computed:    true,
+							Description: "The action to take if the rule matches network traffic.",
+							Type:        schema.TypeString,
+						},
+						Attr_DestinationPort: {
+							Computed:    true,
+							Description: "The list of destination port.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									Attr_Maximum: {
+										Computed:    true,
+										Description: "The end of the port range, if applicable, If values are not present then all ports are in the range.",
+										Type:        schema.TypeInt,
+									},
+									Attr_Minimum: {
+										Computed:    true,
+										Description: "The start of the port range, if applicable. If values are not present then all ports are in the range.",
+										Type:        schema.TypeInt,
+									},
+								},
+							},
+							Type: schema.TypeList,
+						},
+						Attr_ID: {
+							Computed:    true,
+							Description: "The ID of the rule in a network security group.",
+							Type:        schema.TypeString,
+						},
+						Attr_Protocol: {
+							Computed:    true,
+							Description: "The list of protocol.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									Attr_ICMPTypes: {
+										Computed:    true,
+										Description: "If icmp type, the list of ICMP packet types (by numbers) affected by ICMP rules and if not present then all types are matched.",
+										Elem: &schema.Schema{
+											Type: schema.TypeInt,
+										},
+										Type: schema.TypeList,
+									},
+									Attr_TCPFlags: {
+										Computed:    true,
+										Description: "If tcp type, the list of TCP flags and if not present then all flags are matched.",
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												Attr_Flag: {
+													Computed:    true,
+													Description: "TCP flag.",
+													Type:        schema.TypeString,
+												},
+											},
+										},
+										Type: schema.TypeList,
+									},
+									Attr_Type: {
+										Computed:    true,
+										Description: "The protocol of the network traffic.",
+										Type:        schema.TypeString,
+									},
+								},
+							},
+							Type: schema.TypeList,
+						},
+						Attr_Remote: {
+							Computed:    true,
+							Description: "List of remote.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									Attr_ID: {
+										Computed:    true,
+										Description: "The ID of the remote Network Address Group or network security group the rules apply to. Not required for default-network-address-group.",
+										Type:        schema.TypeString,
+									},
+									Attr_Type: {
+										Computed:    true,
+										Description: "The type of remote group the rules apply to.",
+										Type:        schema.TypeString,
+									},
+								},
+							},
+							Type: schema.TypeList,
+						},
+						Attr_SourcePort: {
+							Computed:    true,
+							Description: "ist of source port",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									Attr_Maximum: {
+										Computed:    true,
+										Description: "The end of the port range, if applicable, If values are not present then all ports are in the range.",
+										Type:        schema.TypeInt,
+									},
+									Attr_Minimum: {
+										Computed:    true,
+										Description: "The start of the port range, if applicable. If values are not present then all ports are in the range.",
+										Type:        schema.TypeInt,
+									},
+								},
+							},
+							Type: schema.TypeList,
+						},
+					},
+				},
+				Type: schema.TypeList,
+			},
+			Attr_UserTags: {
+				Computed:    true,
+				Description: "The user tags associated with this resource.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Type:        schema.TypeList,
+			},
+		},
+	}
+}
+
+func dataSourceIBMPINetworkSecurityGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	sess, err := meta.(conns.ClientSession).IBMPISession()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	cloudInstanceID := d.Get(Arg_CloudInstanceID).(string)
+	nsgClient := instance.NewIBMIPINetworkSecurityGroupClient(ctx, sess, cloudInstanceID)
+
+	networkSecurityGroup, err := nsgClient.Get(d.Get(Arg_NetworkSecurityGroupID).(string))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(*networkSecurityGroup.ID)
+	d.Set(Attr_CRN, networkSecurityGroup.Crn)
+
+	if len(networkSecurityGroup.Members) > 0 {
+		members := []map[string]interface{}{}
+		for _, mbr := range networkSecurityGroup.Members {
+			mbrMap := networkSecurityGroupMemberToMap(mbr)
+			members = append(members, mbrMap)
+		}
+		d.Set(Attr_Members, members)
+	}
+
+	d.Set(Attr_Name, networkSecurityGroup.Name)
+
+	if len(networkSecurityGroup.Rules) > 0 {
+		rules := []map[string]interface{}{}
+		for _, rule := range networkSecurityGroup.Rules {
+			ruleMap := networkSecurityGroupRuleToMap(rule)
+			rules = append(rules, ruleMap)
+		}
+		d.Set(Attr_Rules, rules)
+	}
+
+	if len(networkSecurityGroup.UserTags) > 0 {
+		d.Set(Attr_UserTags, networkSecurityGroup.UserTags)
+	}
+
+	return nil
+}
+
+func networkSecurityGroupMemberToMap(mbr *models.NetworkSecurityGroupMember) map[string]interface{} {
+	mbrMap := make(map[string]interface{})
+	mbrMap[Attr_ID] = mbr.ID
+	if mbr.MacAddress != "" {
+		mbrMap[Attr_MacAddress] = mbr.MacAddress
+	}
+	mbrMap[Attr_Target] = mbr.Target
+	mbrMap[Attr_Type] = mbr.Type
+	return mbrMap
+}
+
+func networkSecurityGroupRuleToMap(rule *models.NetworkSecurityGroupRule) map[string]interface{} {
+	ruleMap := make(map[string]interface{})
+	ruleMap[Attr_Action] = rule.Action
+	if rule.DestinationPort != nil {
+		destinationPortMap := networkSecurityGroupRulePortToMap(rule.DestinationPort)
+		ruleMap[Attr_DestinationPort] = []map[string]interface{}{destinationPortMap}
+	}
+
+	ruleMap[Attr_ID] = rule.ID
+
+	protocolMap := networkSecurityGroupRuleProtocolToMap(rule.Protocol)
+	ruleMap[Attr_Protocol] = []map[string]interface{}{protocolMap}
+
+	remoteMap := networkSecurityGroupRuleRemoteToMap(rule.Remote)
+
+	ruleMap[Attr_Remote] = []map[string]interface{}{remoteMap}
+
+	if rule.SourcePort != nil {
+		sourcePortMap := networkSecurityGroupRulePortToMap(rule.SourcePort)
+		ruleMap[Attr_SourcePort] = []map[string]interface{}{sourcePortMap}
+	}
+
+	return ruleMap
+}
+
+func networkSecurityGroupRulePortToMap(port *models.NetworkSecurityGroupRulePort) map[string]interface{} {
+	portMap := make(map[string]interface{})
+	portMap[Attr_Maximum] = port.Maximum
+	portMap[Attr_Minimum] = port.Minimum
+	return portMap
+}
+
+func networkSecurityGroupRuleProtocolToMap(protocol *models.NetworkSecurityGroupRuleProtocol) map[string]interface{} {
+	protocolMap := make(map[string]interface{})
+	if protocol.IcmpTypes != nil {
+		protocolMap[Attr_ICMPTypes] = protocol.IcmpTypes
+	}
+	if len(protocol.TCPFlags) > 0 {
+		tcpFlags := []map[string]interface{}{}
+		for _, tcpFlagsItem := range protocol.TCPFlags {
+			tcpFlagsItemMap := make(map[string]interface{})
+			tcpFlagsItemMap[Attr_Flag] = tcpFlagsItem.Flag
+			tcpFlags = append(tcpFlags, tcpFlagsItemMap)
+		}
+		protocolMap[Attr_TCPFlags] = tcpFlags
+	}
+	if protocol.Type != "" {
+		protocolMap[Attr_Type] = protocol.Type
+	}
+	return protocolMap
+}
+
+func networkSecurityGroupRuleRemoteToMap(remote *models.NetworkSecurityGroupRuleRemote) map[string]interface{} {
+	remoteMap := make(map[string]interface{})
+	if remote.ID != "" {
+		remoteMap[Attr_ID] = remote.ID
+	}
+	if remote.Type != "" {
+		remoteMap[Attr_Type] = remote.Type
+	}
+	return remoteMap
+}