CIS: TLS Settings development (#1954)

IBM-Cloud · Oct 14, 2020 · 85a8f35 · 85a8f35
1 parent e46ddc2
commit 85a8f35
Show file tree

Hide file tree

Showing 8 changed files with 394 additions and 0 deletions.
diff --git a/examples/ibm-cis/README.md b/examples/ibm-cis/README.md
@@ -15,6 +15,7 @@ These types of resources are supported:
 * [ CIS Rate Limit ](https://cloud.ibm.com/docs/terraform?topic=terraform-cis-resources#cis-rate-limit)
 * [ CIS Edge Functions Action ](https://cloud.ibm.com/docs/terraform?topic=terraform-cis-resources#cis-edge-functions-action)
 * [ CIS Edge Functions Trigger ](https://cloud.ibm.com/docs/terraform?topic=terraform-cis-resources#cis-edge-functions-trigger)
+* [ CIS TLS Settings](https://cloud.ibm.com/docs/terraform?topic=terraform-cis-resources#cis-tls-settings)
 
 ## Terraform versions
 
@@ -206,6 +207,17 @@ resource "ibm_cis_edge_functions_trigger" "test_trigger" {
 }
 ```
 
+`CIS TLS Settings`
+```hcl
+resource "ibm_cis_tls_settings" "tls_settings" {
+  cis_id          = data.ibm_cis.cis.id
+  domain_id       = data.ibm_cis_domain.cis_domain.domain_id
+  tls_1_3         = "off"
+  min_tls_version = "1.2"
+  universal_ssl   = true
+}
+```
+
 ## CIS Data Sources
 `CIS Instance`
 ```hcl
@@ -262,6 +274,7 @@ data "ibm_cis_edge_functions_triggers" "test_triggers" {
 - [Rate Limiting Cloud Docs](https://cloud.ibm.com/docs/cis?topic=cis-cis-rate-limiting#rate-limiting-configure-response)
 - [Rate Limiting CLI](https://cloud.ibm.com/docs/cis?topic=cis-cli-plugin-cis-cli#ratelimit)
 - [Edge Functions CLI](https://cloud.ibm.com/docs/cis?topic=cis-cli-plugin-cis-cli#edge-functions)
+- [TLS Settings CLI](https://cloud.ibm.com/docs/cis-cli-plugin?topic=cis-cli-plugin-cis-cli#show-tls-setting)
 
 ## Notes
 
@@ -334,6 +347,9 @@ Customise the variables in `variables.tf` to your local environment and chosen D
 | action_name | The Edge Functions action name | `string` | yes |
 | script | script content | `string` | yes |
 | pattern_url | domain name pattern url| `string` | yes |
+| tls_1_3 | The TLS Version 1.3 `on`, `off`, `zrt` setting | `string` | no |
+| min_tls_version | The Minimum TLS Version setting | `string` | no |
+| universal_ssl | The Universal SSL enable/disable setting | `boolean` | no |
 
 ## Outputs
 

diff --git a/examples/ibm-cis/main.tf b/examples/ibm-cis/main.tf
@@ -189,3 +189,12 @@ data "ibm_cis_edge_functions_triggers" "test_triggers" {
   cis_id    = ibm_cis_edge_functions_trigger.test_trigger.cis_id
   domain_id = ibm_cis_edge_functions_trigger.test_trigger.domain_id
 }
+
+# CIS TLS Settings
+resource "ibm_cis_tls_settings" "tls_settings" {
+  cis_id          = data.ibm_cis.cis.id
+  domain_id       = data.ibm_cis_domain.cis_domain.domain_id
+  tls_1_3         = "off"
+  min_tls_version = "1.2"
+  universal_ssl   = true
+}
diff --git a/examples/ibm-cis/outputs.tf b/examples/ibm-cis/outputs.tf
@@ -24,3 +24,7 @@ output "ibm_cis_edge_function_trigger_output" {
 output "domain_setting" {
   value = ibm_cis_domain_settings.test_domain_settings
 }
+
+output "ibm_cis_tls_settings_output" {
+  value = ibm_cis_tls_settings.tls_settings
+}
diff --git a/ibm/provider.go b/ibm/provider.go
@@ -323,6 +323,7 @@ func Provider() terraform.ResourceProvider {
 			"ibm_cis_rate_limit":                                 resourceIBMCISRateLimit(),
 			"ibm_cis_edge_functions_action":                      resourceIBMCISEdgeFunctionsAction(),
 			"ibm_cis_edge_functions_trigger":                     resourceIBMCISEdgeFunctionsTrigger(),
+			"ibm_cis_tls_settings":                               resourceIBMCISTLSSettings(),
 			"ibm_compute_autoscale_group":                        resourceIBMComputeAutoScaleGroup(),
 			"ibm_compute_autoscale_policy":                       resourceIBMComputeAutoScalePolicy(),
 			"ibm_compute_bare_metal":                             resourceIBMComputeBareMetal(),
@@ -480,6 +481,7 @@ func Validator() ValidatorDict {
 				"ibm_cis_healthcheck":                  resourceIBMCISHealthCheckValidator(),
 				"ibm_cis_rate_limit":                   resourceIBMCISRateLimitValidator(),
 				"ibm_cis_domain_settings":              resourceIBMCISDomainSettingValidator(),
+				"ibm_cis_tls_settings":                 resourceIBMCISTLSSettingsValidator(),
 				"ibm_tg_gateway":                       resourceIBMTGValidator(),
 				"ibm_tg_connection":                    resourceIBMTransitGatewayConnectionValidator(),
 				"ibm_dl_virtual_connection":            resourceIBMdlGatewayVCValidator(),

diff --git a/ibm/resource_ibm_cis_tls_settings.go b/ibm/resource_ibm_cis_tls_settings.go
@@ -0,0 +1,199 @@
+package ibm
+
+import (
+	"log"
+
+	"github.com/IBM/go-sdk-core/v3/core"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+const (
+	ibmCISTLSSettings           = "ibm_cis_tls_settings"
+	cisTLSSettingsUniversalSSL  = "universal_ssl"
+	cisTLSSettingsTLS12Only     = "tls_1_2_only"
+	cisTLSSettingsTLS13         = "tls_1_3"
+	cisTLSSettingsMinTLSVersion = "min_tls_version"
+)
+
+func resourceIBMCISTLSSettings() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			cisID: {
+				Type:        schema.TypeString,
+				Description: "CIS instance crn",
+				Required:    true,
+			},
+			cisDomainID: {
+				Type:        schema.TypeString,
+				Description: "Associated CIS domain",
+				Required:    true,
+			},
+			cisTLSSettingsUniversalSSL: {
+				Type:        schema.TypeBool,
+				Description: "Universal SSL setting",
+				Optional:    true,
+				Computed:    true,
+			},
+			cisTLSSettingsTLS13: {
+				Type:             schema.TypeString,
+				Description:      "TLS 1.3 setting",
+				Optional:         true,
+				Computed:         true,
+				ValidateFunc:     InvokeValidator(ibmCISTLSSettings, cisTLSSettingsTLS13),
+				DiffSuppressFunc: suppressTLS13Diff,
+			},
+			cisTLSSettingsMinTLSVersion: {
+				Type:         schema.TypeString,
+				Description:  "Minimum version of TLS required",
+				Optional:     true,
+				ValidateFunc: InvokeValidator(ibmCISTLSSettings, cisTLSSettingsMinTLSVersion),
+				Default:      "1.1",
+			},
+		},
+		Create:   resourceCISTLSSettingsUpdate,
+		Read:     resourceCISTLSSettingsRead,
+		Update:   resourceCISTLSSettingsUpdate,
+		Delete:   resourceCISTLSSettingsDelete,
+		Importer: &schema.ResourceImporter{},
+	}
+}
+
+func resourceIBMCISTLSSettingsValidator() *ResourceValidator {
+	validateSchema := make([]ValidateSchema, 1)
+
+	validateSchema = append(validateSchema,
+		ValidateSchema{
+			Identifier:                 cisTLSSettingsTLS13,
+			ValidateFunctionIdentifier: ValidateAllowedStringValue,
+			Type:                       TypeString,
+			Required:                   true,
+			AllowedValues:              "on, off, zrt"})
+	validateSchema = append(validateSchema,
+		ValidateSchema{
+			Identifier:                 cisTLSSettingsMinTLSVersion,
+			ValidateFunctionIdentifier: ValidateAllowedStringValue,
+			Type:                       TypeString,
+			Required:                   true,
+			AllowedValues:              "1.1, 1.2, 1.3, 1.4"})
+	ibmCISTLSSettingsResourceValidator := ResourceValidator{
+		ResourceName: ibmCISTLSSettings,
+		Schema:       validateSchema}
+	return &ibmCISTLSSettingsResourceValidator
+}
+
+func resourceCISTLSSettingsUpdate(d *schema.ResourceData, meta interface{}) error {
+	cisClient, err := meta.(ClientSession).CisSSLClientSession()
+	if err != nil {
+		return err
+	}
+	crn := d.Get(cisID).(string)
+	zoneID := d.Get(cisDomainID).(string)
+	cisClient.Crn = core.StringPtr(crn)
+	cisClient.ZoneIdentifier = core.StringPtr(zoneID)
+
+	if d.HasChange(cisTLSSettingsTLS12Only) ||
+		d.HasChange(cisTLSSettingsTLS13) ||
+		d.HasChange(cisTLSSettingsUniversalSSL) ||
+		d.HasChange(cisTLSSettingsMinTLSVersion) {
+
+		// TLS 1.3 setting
+		if tls13, ok := d.GetOk(cisTLSSettingsTLS13); ok {
+			opt := cisClient.NewChangeTls13SettingOptions()
+			opt.SetValue(tls13.(string))
+			_, resp, err := cisClient.ChangeTls13Setting(opt)
+			if err != nil {
+				log.Printf("Update TLS 1.3 setting Failed : %v\n", resp)
+				return err
+			}
+		}
+
+		// Universal SSL setting
+		if universalSSL, ok := d.GetOkExists(cisTLSSettingsUniversalSSL); ok {
+			opt := cisClient.NewChangeUniversalCertificateSettingOptions()
+			opt.SetEnabled(universalSSL.(bool))
+			resp, err := cisClient.ChangeUniversalCertificateSetting(opt)
+			if err != nil {
+				log.Printf("Update universal ssl setting Failed : %v\n", resp)
+				return err
+			}
+		}
+
+		// Minimum TLS version
+		if minTLSVer, ok := d.GetOk(cisTLSSettingsMinTLSVersion); ok {
+			cisClient, err := meta.(ClientSession).CisDomainSettingsClientSession()
+			if err != nil {
+				return err
+			}
+			cisClient.Crn = core.StringPtr(crn)
+			cisClient.ZoneIdentifier = core.StringPtr(zoneID)
+			opt := cisClient.NewUpdateMinTlsVersionOptions()
+			opt.SetValue(minTLSVer.(string))
+			_, resp, err := cisClient.UpdateMinTlsVersion(opt)
+			if err != nil {
+				log.Printf("Update minimum TLS version setting Failed : %v\n", resp)
+				return err
+			}
+		}
+	}
+	d.SetId(convertCisToTfTwoVar(zoneID, crn))
+	return resourceCISTLSSettingsRead(d, meta)
+}
+
+func resourceCISTLSSettingsRead(d *schema.ResourceData, meta interface{}) error {
+	cisClient, err := meta.(ClientSession).CisSSLClientSession()
+	if err != nil {
+		return err
+	}
+	zoneID, crn, _ := convertTftoCisTwoVar(d.Id())
+	cisClient.Crn = core.StringPtr(crn)
+	cisClient.ZoneIdentifier = core.StringPtr(zoneID)
+
+	// TLS 1.3 setting
+	tls13Result, resp, err := cisClient.GetTls13Setting(cisClient.NewGetTls13SettingOptions())
+	if err != nil {
+		log.Printf("Get TLS 1.3 setting failed : %v\n", resp)
+		return err
+	}
+
+	// Universal SSL setting
+	universalSSLResult, resp, err := cisClient.GetUniversalCertificateSetting(
+		cisClient.NewGetUniversalCertificateSettingOptions())
+	if err != nil {
+		log.Printf("Update TLS 1.3 setting failed : %v\n", resp)
+		return err
+	}
+
+	// Minumum TLS version setting
+	minTLSClient, err := meta.(ClientSession).CisDomainSettingsClientSession()
+	if err != nil {
+		return err
+	}
+	minTLSClient.Crn = core.StringPtr(crn)
+	minTLSClient.ZoneIdentifier = core.StringPtr(zoneID)
+	minTLSVerResult, resp, err := minTLSClient.GetMinTlsVersion(
+		minTLSClient.NewGetMinTlsVersionOptions())
+	if err != nil {
+		log.Printf("Min TLS Version setting get request failed : %v", resp)
+		return err
+	}
+	d.Set(cisID, crn)
+	d.Set(cisDomainID, zoneID)
+	d.Set(cisTLSSettingsTLS13, tls13Result.Result.Value)
+	d.Set(cisTLSSettingsUniversalSSL, universalSSLResult.Result.Enabled)
+	d.Set(cisTLSSettingsMinTLSVersion, minTLSVerResult.Result.Value)
+	return nil
+}
+
+func resourceCISTLSSettingsDelete(d *schema.ResourceData, meta interface{}) error {
+	// Nothing to delete on CIS resource
+	d.SetId("")
+	return nil
+}
+
+func suppressTLS13Diff(k, old, new string, d *schema.ResourceData) bool {
+	// if we enable TLS 1.3, it gives zrt in output.
+	if "zrt" == old && new == "on" {
+		return true
+	}
+	return false
+}
diff --git a/ibm/resource_ibm_cis_tls_settings_test.go b/ibm/resource_ibm_cis_tls_settings_test.go
@@ -0,0 +1,102 @@
+package ibm
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func TestAccIBMCisTLSSettings_Basic(t *testing.T) {
+	name := "ibm_cis_tls_settings." + "test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheckCis(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCisTLSSettingsConfigBasic1("test", cisDomainStatic),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "tls_1_3", "off"),
+					resource.TestCheckResourceAttr(name, "universal_ssl", "true"),
+					resource.TestCheckResourceAttr(name, "min_tls_version", "1.1"),
+				),
+			},
+			{
+				Config: testAccCheckCisTLSSettingsConfigBasic2("test", cisDomainStatic),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "tls_1_3", "zrt"),
+					resource.TestCheckResourceAttr(name, "universal_ssl", "false"),
+					resource.TestCheckResourceAttr(name, "min_tls_version", "1.2"),
+				),
+			},
+			{
+				Config: testAccCheckCisTLSSettingsConfigBasic3("test", cisDomainStatic),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "tls_1_3", "off"),
+					resource.TestCheckResourceAttr(name, "universal_ssl", "false"),
+					resource.TestCheckResourceAttr(name, "min_tls_version", "1.1"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccIBMCisTLSSettings_Import(t *testing.T) {
+	name := "ibm_cis_tls_settings." + "test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCisTLSSettingsConfigBasic3("test", cisDomainStatic),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "tls_1_3", "off"),
+					resource.TestCheckResourceAttr(name, "universal_ssl", "false"),
+					resource.TestCheckResourceAttr(name, "min_tls_version", "1.1"),
+				),
+			},
+			{
+				ResourceName:      name,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccCheckCisTLSSettingsConfigBasic1(id string, cisDomainStatic string) string {
+	return testAccCheckIBMCisDomainDataSourceConfigBasic1() + fmt.Sprintf(`
+	resource "ibm_cis_tls_settings" "%[1]s" {
+		cis_id          = data.ibm_cis.cis.id
+		domain_id       = data.ibm_cis_domain.cis_domain.domain_id
+		tls_1_3         = "off"
+		min_tls_version = "1.1"
+		universal_ssl   = true
+	  }
+`, id)
+}
+func testAccCheckCisTLSSettingsConfigBasic2(id string, cisDomainStatic string) string {
+	return testAccCheckIBMCisDomainDataSourceConfigBasic1() + fmt.Sprintf(`
+	resource "ibm_cis_tls_settings" "%[1]s" {
+		cis_id          = data.ibm_cis.cis.id
+		domain_id       = data.ibm_cis_domain.cis_domain.domain_id
+		tls_1_3         = "on"
+		min_tls_version = "1.2"
+		universal_ssl   = false
+	  }
+`, id)
+}
+
+func testAccCheckCisTLSSettingsConfigBasic3(id string, cisDomainStatic string) string {
+	return testAccCheckIBMCisDomainDataSourceConfigBasic1() + fmt.Sprintf(`
+	resource "ibm_cis_tls_settings" "%[1]s" {
+		cis_id          = data.ibm_cis.cis.id
+		domain_id       = data.ibm_cis_domain.cis_domain.domain_id
+		tls_1_3         = "off"
+		min_tls_version = "1.1"
+		universal_ssl   = false
+	  }
+`, id)
+}