add proxy_protocol feature for load_balancer

IBM-Cloud · Mar 11, 2021 · 0ad1291 · 0ad1291
1 parent 2bbdc33
commit 0ad1291
Show file tree

Hide file tree

Showing 6 changed files with 132 additions and 12 deletions.
diff --git a/ibm/resource_ibm_is_lb_listener.go b/ibm/resource_ibm_is_lb_listener.go
@@ -26,6 +26,7 @@ const (
 	isLBListenerDeleting            = "deleting"
 	isLBListenerDeleted             = "done"
 	isLBListenerProvisioning        = "provisioning"
+	isLBListenerAcceptProxyProtocol = "accept_proxy_protocol"
 	isLBListenerProvisioningDone    = "done"
 	isLBListenerID                  = "listener_id"
 )
@@ -74,6 +75,13 @@ func resourceIBMISLBListener() *schema.Resource {
 				Description: "certificate instance for the Loadbalancer",
 			},
 
+			isLBListenerAcceptProxyProtocol: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Listener will forward proxy protocol",
+			},
+
 			isLBListenerConnectionLimit: {
 				Type:         schema.TypeInt,
 				Optional:     true,
@@ -152,7 +160,7 @@ func resourceIBMISLBListenerCreate(d *schema.ResourceData, meta interface{}) err
 	lbID := d.Get(isLBListenerLBID).(string)
 	port := int64(d.Get(isLBListenerPort).(int))
 	protocol := d.Get(isLBListenerProtocol).(string)
-
+	acceptProxyProtocol := d.Get(isLBListenerAcceptProxyProtocol).(bool)
 	var defPool, certificateCRN string
 	if pool, ok := d.GetOk(isLBListenerDefaultPool); ok {
 		lbPool, err := getPoolId(pool.(string))
@@ -182,7 +190,7 @@ func resourceIBMISLBListenerCreate(d *schema.ResourceData, meta interface{}) err
 			return err
 		}
 	} else {
-		err := lbListenerCreate(d, meta, lbID, protocol, defPool, certificateCRN, port, connLimit)
+		err := lbListenerCreate(d, meta, lbID, protocol, defPool, certificateCRN, port, connLimit, acceptProxyProtocol)
 		if err != nil {
 			return err
 		}
@@ -239,15 +247,16 @@ func classicLBListenerCreate(d *schema.ResourceData, meta interface{}, lbID, pro
 	return nil
 }
 
-func lbListenerCreate(d *schema.ResourceData, meta interface{}, lbID, protocol, defPool, certificateCRN string, port, connLimit int64) error {
+func lbListenerCreate(d *schema.ResourceData, meta interface{}, lbID, protocol, defPool, certificateCRN string, port, connLimit int64, acceptProxyProtocol bool) error {
 	sess, err := vpcClient(meta)
 	if err != nil {
 		return err
 	}
 	options := &vpcv1.CreateLoadBalancerListenerOptions{
-		LoadBalancerID: &lbID,
-		Port:           &port,
-		Protocol:       &protocol,
+		LoadBalancerID:      &lbID,
+		Port:                &port,
+		Protocol:            &protocol,
+		AcceptProxyProtocol: &acceptProxyProtocol,
 	}
 	if defPool != "" {
 		options.DefaultPool = &vpcv1.LoadBalancerPoolIdentity{
@@ -449,6 +458,7 @@ func lbListenerGet(d *schema.ResourceData, meta interface{}, lbID, lbListenerID
 	d.Set(isLBListenerLBID, lbID)
 	d.Set(isLBListenerPort, *lbListener.Port)
 	d.Set(isLBListenerProtocol, *lbListener.Protocol)
+	d.Set(isLBListenerAcceptProxyProtocol, *lbListener.AcceptProxyProtocol)
 	d.Set(isLBListenerID, lbListenerID)
 	if lbListener.DefaultPool != nil {
 		d.Set(isLBListenerDefaultPool, *lbListener.DefaultPool.ID)
@@ -633,6 +643,12 @@ func lbListenerUpdate(d *schema.ResourceData, meta interface{}, lbID, lbListener
 		hasChanged = true
 	}
 
+	if d.HasChange(isLBListenerAcceptProxyProtocol) {
+		acceptProxyProtocol := d.Get(isLBListenerAcceptProxyProtocol).(bool)
+		loadBalancerListenerPatchModel.AcceptProxyProtocol = &acceptProxyProtocol
+		hasChanged = true
+	}
+
 	if d.HasChange(isLBListenerConnectionLimit) {
 		connLimit = int64(d.Get(isLBListenerConnectionLimit).(int))
 		loadBalancerListenerPatchModel.ConnectionLimit = &connLimit

diff --git a/ibm/resource_ibm_is_lb_listener_test.go b/ibm/resource_ibm_is_lb_listener_test.go
@@ -44,6 +44,8 @@ func TestAccIBMISLBListener_basic(t *testing.T) {
 						"ibm_is_lb_listener.testacc_lb_listener", "port", port1),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_listener.testacc_lb_listener", "protocol", protocol1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_listener.testacc_lb_listener", "accept_proxy_protocol", "true"),
 				),
 			},
 
@@ -57,6 +59,8 @@ func TestAccIBMISLBListener_basic(t *testing.T) {
 						"ibm_is_lb_listener.testacc_lb_listener", "protocol", protocol2),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_listener.testacc_lb_listener", "connection_limit", connLimit),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_listener.testacc_lb_listener", "accept_proxy_protocol", "false"),
 				),
 			},
 		},
@@ -186,6 +190,7 @@ func testAccCheckIBMISLBListenerConfig(vpcname, subnetname, zone, cidr, lbname,
 		lb = "${ibm_is_lb.testacc_LB.id}"
 		port = %s
 		protocol = "%s"
+		accept_proxy_protocol = true
 }`, vpcname, subnetname, zone, cidr, lbname, port, protocol)
 
 }
@@ -212,6 +217,7 @@ func testAccCheckIBMISLBListenerConfigUpdate(vpcname, subnetname, zone, cidr, lb
 		port = %s
 		protocol = "%s"
 		connection_limit = %s
+		accept_proxy_protocol = false
 }`, vpcname, subnetname, zone, cidr, lbname, port, protocol, connLimit)
 
 }
diff --git a/ibm/resource_ibm_is_lb_pool.go b/ibm/resource_ibm_is_lb_pool.go
@@ -28,6 +28,7 @@ const (
 	isLBPoolSessPersistenceType       = "session_persistence_type"
 	isLBPoolSessPersistenceCookieName = "session_persistence_cookie_name"
 	isLBPoolProvisioningStatus        = "provisioning_status"
+	isLBPoolProxyProtocol             = "proxy_protocol"
 	isLBPoolActive                    = "active"
 	isLBPoolCreatePending             = "create_pending"
 	isLBPoolUpdatePending             = "update_pending"
@@ -140,6 +141,14 @@ func resourceIBMISLBPool() *schema.Resource {
 				Description: "Status of the LB Pool",
 			},
 
+			isLBPoolProxyProtocol: {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: InvokeValidator("ibm_is_lb_pool", isLBPoolProxyProtocol),
+				Description:  "PROXY protocol setting for this pool",
+			},
+
 			isLBPool: {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -161,6 +170,7 @@ func resourceIBMISLBPoolValidator() *ResourceValidator {
 	algorithm := "round_robin, weighted_round_robin, least_connections"
 	protocol := "http, tcp, https"
 	persistanceType := "source_ip"
+	proxyProtocol := "disabled, v1, v2"
 	validateSchema = append(validateSchema,
 		ValidateSchema{
 			Identifier:                 isLBPoolName,
@@ -191,6 +201,13 @@ func resourceIBMISLBPoolValidator() *ResourceValidator {
 			Type:                       TypeString,
 			Required:                   true,
 			AllowedValues:              protocol})
+	validateSchema = append(validateSchema,
+		ValidateSchema{
+			Identifier:                 isLBPoolProxyProtocol,
+			ValidateFunctionIdentifier: ValidateAllowedStringValue,
+			Type:                       TypeString,
+			Required:                   true,
+			AllowedValues:              proxyProtocol})
 	validateSchema = append(validateSchema,
 		ValidateSchema{
 			Identifier:                 isLBPoolSessPersistenceType,
@@ -219,7 +236,7 @@ func resourceIBMISLBPoolCreate(d *schema.ResourceData, meta interface{}) error {
 	healthTimeOut := int64(d.Get(isLBPoolHealthTimeout).(int))
 	healthType := d.Get(isLBPoolHealthType).(string)
 
-	var spType, cName, healthMonitorURL string
+	var spType, cName, healthMonitorURL, pProtocol string
 	var healthMonitorPort int64
 	if pt, ok := d.GetOk(isLBPoolSessPersistenceType); ok {
 		spType = pt.(string)
@@ -228,6 +245,9 @@ func resourceIBMISLBPoolCreate(d *schema.ResourceData, meta interface{}) error {
 	if cn, ok := d.GetOk(isLBPoolSessPersistenceCookieName); ok {
 		cName = cn.(string)
 	}
+	if pp, ok := d.GetOk(isLBPoolProxyProtocol); ok {
+		pProtocol = pp.(string)
+	}
 
 	if hmu, ok := d.GetOk(isLBPoolHealthMonitorURL); ok {
 		healthMonitorURL = hmu.(string)
@@ -246,7 +266,7 @@ func resourceIBMISLBPoolCreate(d *schema.ResourceData, meta interface{}) error {
 			return err
 		}
 	} else {
-		err := lbPoolCreate(d, meta, name, lbID, algorithm, protocol, healthType, spType, cName, healthMonitorURL, healthDelay, maxRetries, healthTimeOut, healthMonitorPort)
+		err := lbPoolCreate(d, meta, name, lbID, algorithm, protocol, healthType, spType, cName, healthMonitorURL, pProtocol, healthDelay, maxRetries, healthTimeOut, healthMonitorPort)
 		if err != nil {
 			return err
 		}
@@ -312,7 +332,7 @@ func classicLBPoolCreate(d *schema.ResourceData, meta interface{}, name, lbID, a
 	return nil
 }
 
-func lbPoolCreate(d *schema.ResourceData, meta interface{}, name, lbID, algorithm, protocol, healthType, spType, cName, healthMonitorURL string, healthDelay, maxRetries, healthTimeOut, healthMonitorPort int64) error {
+func lbPoolCreate(d *schema.ResourceData, meta interface{}, name, lbID, algorithm, protocol, healthType, spType, cName, healthMonitorURL, pProtocol string, healthDelay, maxRetries, healthTimeOut, healthMonitorPort int64) error {
 	sess, err := vpcClient(meta)
 	if err != nil {
 		return err
@@ -347,6 +367,9 @@ func lbPoolCreate(d *schema.ResourceData, meta interface{}, name, lbID, algorith
 			Type: &spType,
 		}
 	}
+	if pProtocol != "" {
+		options.ProxyProtocol = &pProtocol
+	}
 	lbPool, response, err := sess.CreateLoadBalancerPool(options)
 	if err != nil {
 		return fmt.Errorf("[DEBUG] lbpool create err: %s\n%s", err, response)
@@ -489,6 +512,7 @@ func lbPoolGet(d *schema.ResourceData, meta interface{}, lbID, lbPoolID string)
 		// d.Set(isLBPoolSessPersistenceCookieName, *lbPool.SessionPersistence.CookieName)
 	}
 	d.Set(isLBPoolProvisioningStatus, *lbPool.ProvisioningStatus)
+	d.Set(isLBPoolProxyProtocol, *lbPool.ProxyProtocol)
 	getLoadBalancerOptions := &vpcv1.GetLoadBalancerOptions{
 		ID: &lbID,
 	}
@@ -674,6 +698,12 @@ func lbPoolUpdate(d *schema.ResourceData, meta interface{}, lbID, lbPoolID strin
 		hasChanged = true
 	}
 
+	if d.HasChange(isLBPoolProxyProtocol) {
+		proxyProtocol := d.Get(isLBPoolProxyProtocol).(string)
+		loadBalancerPoolPatchModel.ProxyProtocol = &proxyProtocol
+		hasChanged = true
+	}
+
 	if d.HasChange(isLBPoolName) || d.HasChange(isLBPoolAlgorithm) || d.HasChange(isLBPoolProtocol) || hasChanged {
 		name := d.Get(isLBPoolName).(string)
 		algorithm := d.Get(isLBPoolAlgorithm).(string)

diff --git a/ibm/resource_ibm_is_lb_pool_test.go b/ibm/resource_ibm_is_lb_pool_test.go
@@ -24,13 +24,15 @@ func TestAccIBMISLBPool_basic(t *testing.T) {
 	poolName1 := fmt.Sprintf("tflbpoolu%d", acctest.RandIntRange(10, 100))
 	alg1 := "round_robin"
 	protocol1 := "http"
+	proxyProtocol1 := "disabled"
 	delay1 := "45"
 	retries1 := "5"
 	timeout1 := "15"
 	healthType1 := "http"
 
 	alg2 := "least_connections"
 	protocol2 := "tcp"
+	proxyProtocol2 := "v2"
 	delay2 := "60"
 	retries2 := "3"
 	timeout2 := "30"
@@ -53,6 +55,8 @@ func TestAccIBMISLBPool_basic(t *testing.T) {
 						"ibm_is_lb_pool.testacc_lb_pool", "algorithm", alg1),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_pool.testacc_lb_pool", "protocol", protocol1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "proxy_protocol", proxyProtocol1),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_pool.testacc_lb_pool", "health_delay", delay1),
 					resource.TestCheckResourceAttr(
@@ -74,6 +78,8 @@ func TestAccIBMISLBPool_basic(t *testing.T) {
 						"ibm_is_lb_pool.testacc_lb_pool", "algorithm", alg2),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_pool.testacc_lb_pool", "protocol", protocol2),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "proxy_protocol", proxyProtocol1),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_pool.testacc_lb_pool", "health_delay", delay2),
 					resource.TestCheckResourceAttr(
@@ -84,6 +90,30 @@ func TestAccIBMISLBPool_basic(t *testing.T) {
 						"ibm_is_lb_pool.testacc_lb_pool", "health_type", healthType2),
 				),
 			},
+			resource.TestStep{
+				Config: testAccCheckIBMISLBPoolConfigWithProxy(vpcname, subnetname, ISZoneName, ISCIDR, name, poolName, alg1, protocol1, proxyProtocol2, delay1, retries1, timeout1, healthType1),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIBMISLBPoolExists("ibm_is_lb_pool.testacc_lb_pool", lb),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb.testacc_LB", "name", name),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "name", poolName),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "algorithm", alg1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "protocol", protocol1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "proxy_protocol", proxyProtocol2),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "health_delay", delay1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "health_retries", retries1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "health_timeout", timeout1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "health_type", healthType1),
+				),
+			},
 		},
 	})
 }
@@ -96,6 +126,7 @@ func TestAccIBMISLBPool_port(t *testing.T) {
 	poolName := fmt.Sprintf("tflbpoolc%d", acctest.RandIntRange(10, 100))
 	alg1 := "round_robin"
 	protocol1 := "http"
+	proxyProtocol1 := "disabled"
 	delay1 := "45"
 	retries1 := "5"
 	timeout1 := "15"
@@ -119,6 +150,8 @@ func TestAccIBMISLBPool_port(t *testing.T) {
 						"ibm_is_lb_pool.testacc_lb_pool", "algorithm", alg1),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_pool.testacc_lb_pool", "protocol", protocol1),
+					resource.TestCheckResourceAttr(
+						"ibm_is_lb_pool.testacc_lb_pool", "proxy_protocol", proxyProtocol1),
 					resource.TestCheckResourceAttr(
 						"ibm_is_lb_pool.testacc_lb_pool", "health_delay", delay1),
 					resource.TestCheckResourceAttr(
@@ -241,7 +274,7 @@ func testAccCheckIBMISLBPoolConfig(vpcname, subnetname, zone, cidr, name, poolNa
 	resource "ibm_is_vpc" "testacc_vpc" {
 		name = "%s"
 	}
-	
+
 	resource "ibm_is_subnet" "testacc_subnet" {
 		name = "%s"
 		vpc = "${ibm_is_vpc.testacc_vpc.id}"
@@ -271,7 +304,7 @@ func testAccCheckIBMISLBPoolPortConfig(vpcname, subnetname, zone, cidr, name, po
 	resource "ibm_is_vpc" "testacc_vpc" {
 		name = "%s"
 	}
-	
+
 	resource "ibm_is_subnet" "testacc_subnet" {
 		name = "%s"
 		vpc = "${ibm_is_vpc.testacc_vpc.id}"
@@ -295,3 +328,34 @@ func testAccCheckIBMISLBPoolPortConfig(vpcname, subnetname, zone, cidr, name, po
 }`, vpcname, subnetname, zone, cidr, name, poolName, algorithm, protocol, delay, retries, timeout, healthType, port)
 
 }
+
+func testAccCheckIBMISLBPoolConfigWithProxy(vpcname, subnetname, zone, cidr, name, poolName, algorithm, protocol, proxyProtocol, delay, retries, timeout, healthType string) string {
+	return fmt.Sprintf(`
+
+	resource "ibm_is_vpc" "testacc_vpc" {
+		name = "%s"
+	}
+
+	resource "ibm_is_subnet" "testacc_subnet" {
+		name = "%s"
+		vpc = "${ibm_is_vpc.testacc_vpc.id}"
+		zone = "%s"
+		ipv4_cidr_block = "%s"
+	}
+	resource "ibm_is_lb" "testacc_LB" {
+		name = "%s"
+		subnets = ["${ibm_is_subnet.testacc_subnet.id}"]
+	}
+	resource "ibm_is_lb_pool" "testacc_lb_pool" {
+		name = "%s"
+		lb = "${ibm_is_lb.testacc_LB.id}"
+		algorithm = "%s"
+		protocol = "%s"
+		proxy_protocol = "%s"
+		health_delay= %s
+		health_retries = %s
+		health_timeout = %s
+		health_type = "%s"
+}`, vpcname, subnetname, zone, cidr, name, poolName, algorithm, protocol, proxyProtocol, delay, retries, timeout, healthType)
+
+}
diff --git a/website/docs/r/is_lb_listener.html.markdown b/website/docs/r/is_lb_listener.html.markdown
@@ -65,6 +65,7 @@ The following arguments are supported:
 * `default_pool` - (Optional, string) The load balancer pool unique identifier.
 * `certificate_instance` - (Optional, string) CRN of the certificate instance.
 * `connection_limit` - (Optional, int) The connection limit of the listener. Valid range  1 to 15000. Network load balancer does not support `connection_limit` argument.
+* `accept_proxy_protocol` - (Optional, boolean) If true, listener will forward PROXY protocol information. Supported by load balancers in the application family otherwise false. Default: false.
 
 ## Attribute Reference