Adding Advanced configuration support for service

banyan/data_source_oidc_settings.go

@@ -57,14 +57,38 @@ func dataSourceOidcSettingsRead(ctx context.Context, d *schema.ResourceData, m i
 		diagnostics = diag.FromErr(err)
 		return
 	}
-	d.Set("issuer_url", oidcSettings.IssuerUrl)
-	d.Set("authorization_endpoint", oidcSettings.AuthorizationEndpoint)
-	d.Set("token_endpoint", oidcSettings.TokenEndpoint)
-	d.Set("jwks_endpoint", oidcSettings.JwksEndpoint)
-	d.Set("redirect_url", oidcSettings.IssuerUrl+"/callback")
-	d.Set("scope", oidcSettings.Scope)
-	d.Set("userinfo _endpoint", oidcSettings.UserinfoEndpoint)
-	d.Set("openid_configuration_endpoint", oidcSettings.OpenidConfigurationEndpoint)
+	err = d.Set("issuer_url", oidcSettings.IssuerUrl)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("authorization_endpoint", oidcSettings.AuthorizationEndpoint)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("token_endpoint", oidcSettings.TokenEndpoint)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("jwks_endpoint", oidcSettings.JwksEndpoint)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("redirect_url", oidcSettings.IssuerUrl+"/callback")
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("scope", oidcSettings.Scope)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("userinfo _endpoint", oidcSettings.UserinfoEndpoint)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("openid_configuration_endpoint", oidcSettings.OpenidConfigurationEndpoint)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	d.SetId("singleton")
 	return
 }

banyan/resource_policy_tunnel.go

@@ -75,7 +75,6 @@ func PolicyTunnelSchema() (s map[string]*schema.Schema) {
 								"allow": {
 									Type:        schema.TypeList,
 									Description: "Role names to include ",
-									MaxItems:    1,
 									Optional:    true,
 									Elem: &schema.Resource{
 										Schema: map[string]*schema.Schema{
@@ -118,7 +117,6 @@ func PolicyTunnelSchema() (s map[string]*schema.Schema) {
 								"deny": {
 									Type:        schema.TypeList,
 									Description: "Role names to include ",
-									MaxItems:    1,
 									Optional:    true,
 									Elem: &schema.Resource{
 										Schema: map[string]*schema.Schema{
@@ -242,19 +240,19 @@ func resourcePolicyTunnelDelete(ctx context.Context, d *schema.ResourceData, m i
 }
 
 func invalidL4AccessRules(d *schema.ResourceData) error {
-	allow_all := []policy.L4Rule{{CIDRs: []string{"*"}, Protocols: []string{"ALL"}, Ports: []string{"*"}}}
+	allowAll := []policy.L4Rule{{CIDRs: []string{"*"}, Protocols: []string{"ALL"}, Ports: []string{"*"}}}
 
 	m := d.Get("access").([]interface{})
 	for _, raw := range m {
 		data := raw.(map[string]interface{})
-		l4_access := data["l4_access"].([]interface{})
-		if len(l4_access) == 0 || l4_access[0] == nil {
+		l4Access := data["l4_access"].([]interface{})
+		if len(l4Access) == 0 || l4Access[0] == nil {
 			continue
 		}
-		l4_rules := l4_access[0].(map[string]interface{})
-		allow_rule := expandL4Rules(l4_rules["allow"].([]interface{}))
-		deny_rule := expandL4Rules(l4_rules["deny"].([]interface{}))
-		if reflect.DeepEqual(allow_rule, allow_all) && deny_rule == nil {
+		l4Rules := l4Access[0].(map[string]interface{})
+		allowRule := expandL4Rules(l4Rules["allow"].([]interface{}))
+		denyRule := expandL4Rules(l4Rules["deny"].([]interface{}))
+		if reflect.DeepEqual(allowRule, allowAll) && denyRule == nil {
 			return errors.New("redundant l4_access block with allow_all rules; remove l4_access block entirely")
 		}
 	}

banyan/resource_policy_web.go

@@ -181,20 +181,20 @@ func resourcePolicyWebDelete(ctx context.Context, d *schema.ResourceData, m inte
 }
 
 func invalidL7AccessRules(d *schema.ResourceData) error {
-	allow_all := policy.L7Access{Resources: []string{"*"}, Actions: []string{"*"}}
+	allowAll := policy.L7Access{Resources: []string{"*"}, Actions: []string{"*"}}
 
 	m := d.Get("access").([]interface{})
 	for _, raw := range m {
 		data := raw.(map[string]interface{})
-		l7_access := data["l7_access"].([]interface{})
-		if len(l7_access) == 0 || l7_access[0] == nil || len(l7_access) != 1 {
+		l7Access := data["l7_access"].([]interface{})
+		if len(l7Access) == 0 || l7Access[0] == nil || len(l7Access) != 1 {
 			continue
 		}
-		l7_rules := l7_access[0].(map[string]interface{})
-		actions := convertSchemaSetToStringSlice(l7_rules["actions"].(*schema.Set))
-		resources := convertSchemaSetToStringSlice(l7_rules["resources"].(*schema.Set))
-		allow_l7 := policy.L7Access{Resources: resources, Actions: actions}
-		if reflect.DeepEqual(allow_l7, allow_all) {
+		l7Rules := l7Access[0].(map[string]interface{})
+		actions := convertSchemaSetToStringSlice(l7Rules["actions"].(*schema.Set))
+		resources := convertSchemaSetToStringSlice(l7Rules["resources"].(*schema.Set))
+		allowL7 := policy.L7Access{Resources: resources, Actions: actions}
+		if reflect.DeepEqual(allowL7, allowAll) {
 			return errors.New("redundant l7_access block with allow_all rules; remove l7_access block entirely")
 		}
 	}

banyan/resource_service_db.go

@@ -71,6 +71,12 @@ func DbSchema() map[string]*schema.Schema {
 			Required:    true,
 			Description: "The external-facing network address for this service; ex. website.example.com",
 		},
+		"suppress_device_trust_verification": {
+			Type:        schema.TypeBool,
+			Description: "suppress_device_trust_verification disables Device Trust Verification for a service if set to true",
+			Optional:    true,
+			Default:     false,
+		},
 		"port": {
 			Type:         schema.TypeInt,
 			Optional:     true,
@@ -101,6 +107,12 @@ func DbSchema() map[string]*schema.Schema {
 			Default:     "",
 			Description: "Name of the icon which will be displayed to the end user. The icon names can be found in the UI in the service config",
 		},
+		"disable_private_dns": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "By default, Private DNS Override will be set to true i.e disable_private_dns is false. On the device, the domain name will resolve over the service tunnel to the correct Access Tier's public IP address. If you turn off Private DNS Override i.e. disable_private_dns is set to true, you need to explicitly set a private DNS entry for the service domain name.",
+		},
 		"cluster": {
 			Type:        schema.TypeString,
 			Description: "(Depreciated) Sets the cluster / shield for the service",
@@ -196,7 +208,7 @@ func DbFromState(d *schema.ResourceData) (svc service.CreateService) {
 			Description: d.Get("description").(string),
 			ClusterName: d.Get("cluster").(string),
 			Tags:        expandDatabaseMetatdataTags(d),
-			Autorun:     extractAutorun(d),
+			Autorun:     expandAutorun(d),
 		},
 		Kind:       "BanyanService",
 		APIVersion: "rbac.banyanops.com/v1",

banyan/resource_service_k8s.go

@@ -71,6 +71,13 @@ func K8sSchema() map[string]*schema.Schema {
 			Required:    true,
 			Description: "The external-facing network address for this service; ex. website.example.com",
 		},
+		"suppress_device_trust_verification": {
+			Type:        schema.TypeBool,
+			Description: "suppress_device_trust_verification disables Device Trust Verification for a service if set to true",
+			Optional:    true,
+			Default:     false,
+		},
+
 		"port": {
 			Type:         schema.TypeInt,
 			Optional:     true,
@@ -90,6 +97,12 @@ func K8sSchema() map[string]*schema.Schema {
 			Default:     "",
 			Description: "Name of the icon which will be displayed to the end user. The icon names can be found in the UI in the service config",
 		},
+		"disable_private_dns": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "By default, Private DNS Override will be set to true i.e disable_private_dns is false. On the device, the domain name will resolve over the service tunnel to the correct Access Tier's public IP address. If you turn off Private DNS Override i.e. disable_private_dns is set to true, you need to explicitly set a private DNS entry for the service domain name.",
+		},
 		"cluster": {
 			Type:        schema.TypeString,
 			Description: "(Depreciated) Sets the cluster / shield for the service",
@@ -186,7 +199,7 @@ func K8sFromState(d *schema.ResourceData) (svc service.CreateService) {
 			Description: d.Get("description").(string),
 			ClusterName: d.Get("cluster").(string),
 			Tags:        expandK8sMetatdataTags(d),
-			Autorun:     extractAutorun(d),
+			Autorun:     expandAutorun(d),
 		},
 		Kind:       "BanyanService",
 		APIVersion: "rbac.banyanops.com/v1",

banyan/resource_service_rdp.go

@@ -71,6 +71,12 @@ func RdpSchema() map[string]*schema.Schema {
 			Required:    true,
 			Description: "The external-facing network address for this service; ex. website.example.com",
 		},
+		"suppress_device_trust_verification": {
+			Type:        schema.TypeBool,
+			Description: "suppress_device_trust_verification disables Device Trust Verification for a service if set to true",
+			Optional:    true,
+			Default:     false,
+		},
 		"backend_domain": {
 			Type:        schema.TypeString,
 			Required:    true,
@@ -101,6 +107,12 @@ func RdpSchema() map[string]*schema.Schema {
 			Default:     "",
 			Description: "Name of the icon which will be displayed to the end user. The icon names can be found in the UI in the service config",
 		},
+		"disable_private_dns": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "By default, Private DNS Override will be set to true i.e disable_private_dns is false. On the device, the domain name will resolve over the service tunnel to the correct Access Tier's public IP address. If you turn off Private DNS Override i.e. disable_private_dns is set to true, you need to explicitly set a private DNS entry for the service domain name.",
+		},
 		"policy": {
 			Type:        schema.TypeString,
 			Optional:    true,
@@ -183,7 +195,7 @@ func RdpFromState(d *schema.ResourceData) (svc service.CreateService) {
 			Description: d.Get("description").(string),
 			ClusterName: d.Get("cluster").(string),
 			Tags:        expandRDPMetatdataTags(d),
-			Autorun:     extractAutorun(d),
+			Autorun:     expandAutorun(d),
 		},
 		Kind:       "BanyanService",
 		APIVersion: "rbac.banyanops.com/v1",

banyan/resource_service_ssh.go

@@ -73,6 +73,12 @@ func SshSchema() map[string]*schema.Schema {
 			Required:    true,
 			Description: "The external-facing network address for this service; ex. website.example.com",
 		},
+		"suppress_device_trust_verification": {
+			Type:        schema.TypeBool,
+			Description: "suppress_device_trust_verification disables Device Trust Verification for a service if set to true",
+			Optional:    true,
+			Default:     false,
+		},
 		"backend_domain": {
 			Type:        schema.TypeString,
 			Required:    true,
@@ -103,6 +109,12 @@ func SshSchema() map[string]*schema.Schema {
 			Default:     "",
 			Description: "Name of the icon which will be displayed to the end user. The icon names can be found in the UI in the service config",
 		},
+		"disable_private_dns": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "By default, Private DNS Override will be set to true i.e disable_private_dns is false. On the device, the domain name will resolve over the service tunnel to the correct Access Tier's public IP address. If you turn off Private DNS Override i.e. disable_private_dns is set to true, you need to explicitly set a private DNS entry for the service domain name.",
+		},
 		"policy": {
 			Type:        schema.TypeString,
 			Optional:    true,
@@ -199,7 +211,7 @@ func SshFromState(d *schema.ResourceData) (svc service.CreateService) {
 			Description: d.Get("description").(string),
 			ClusterName: d.Get("cluster").(string),
 			Tags:        expandSSHMetatdataTags(d),
-			Autorun:     extractAutorun(d),
+			Autorun:     expandAutorun(d),
 		},
 		Kind:       "BanyanService",
 		APIVersion: "rbac.banyanops.com/v1",

banyan/resource_service_tcp.go

@@ -72,6 +72,12 @@ func TcpSchema() map[string]*schema.Schema {
 			Required:    true,
 			Description: "The external-facing network address for this service; ex. website.example.com",
 		},
+		"suppress_device_trust_verification": {
+			Type:        schema.TypeBool,
+			Description: "suppress_device_trust_verification disables Device Trust Verification for a service if set to true",
+			Optional:    true,
+			Default:     false,
+		},
 		"backend_domain": {
 			Type:        schema.TypeString,
 			Required:    true,
@@ -102,6 +108,12 @@ func TcpSchema() map[string]*schema.Schema {
 			Default:     "",
 			Description: "Name of the icon which will be displayed to the end user. The icon names can be found in the UI in the service config",
 		},
+		"disable_private_dns": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "By default, Private DNS Override will be set to true i.e disable_private_dns is false. On the device, the domain name will resolve over the service tunnel to the correct Access Tier's public IP address. If you turn off Private DNS Override i.e. disable_private_dns is set to true, you need to explicitly set a private DNS entry for the service domain name.",
+		},
 		"policy": {
 			Type:        schema.TypeString,
 			Optional:    true,
@@ -209,7 +221,7 @@ func TcpFromState(d *schema.ResourceData) (svc service.CreateService) {
 			Description: d.Get("description").(string),
 			ClusterName: d.Get("cluster").(string),
 			Tags:        expandTCPMetatdataTags(d),
-			Autorun:     extractAutorun(d),
+			Autorun:     expandAutorun(d),
 		},
 		Kind:       "BanyanService",
 		APIVersion: "rbac.banyanops.com/v1",