banyansecurity · nareshkakubal · Aug 16, 2023 · Aug 15, 2023
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,5 @@
 # This GitHub action can publish assets for release when a tag is created.
-# Currently its setup to run on any tag that matches the pattern "v*" (ie. v0.1.0).
+# Currently its setup to run on any tag that matches the pattern "v*" (i.e. v0.1.0).
 #
 # This uses an action (paultyng/ghaction-import-gpg) that assumes you set your 
 # private key in the `GPG_PRIVATE_KEY` secret and passphrase in the `GPG_PASSPHRASE`

diff --git a/banyan/resource_accesstier.go b/banyan/resource_accesstier.go
@@ -9,14 +9,14 @@ import (
 	"github.com/banyansecurity/terraform-banyan-provider/client"
 	"github.com/banyansecurity/terraform-banyan-provider/client/accesstier"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
 func resourceAccessTier() *schema.Resource {
 	return &schema.Resource{
-		Description:   "The access tier resource allows for configuration of the access tier API object. We recommend utilizing the banyansecurity/banyan-accesstier2 terraform registry module specific to your cloud provider. For more information about the access tier see the [documentation](https://docs.banyansecurity.io/docs/banyan-components/accesstier/)",
+		Description:   "The access tier resource allows for configuration of the access tier API object. We recommend utilizing the [banyan-accesstier2](https://registry.terraform.io/modules/banyansecurity/banyan-accesstier2) Terraform registry module specific to your cloud provider. For more information about the access tier see the [documentation](https://docs.banyansecurity.io/docs/banyan-components/accesstier/)",
 		CreateContext: resourceAccessTierCreate,
 		ReadContext:   resourceAccessTierRead,
 		UpdateContext: resourceAccessTierUpdate,
@@ -429,13 +429,13 @@ func resourceAccessTierUpdate(ctx context.Context, d *schema.ResourceData, m int
 
 func resourceAccessTierDelete(ctx context.Context, d *schema.ResourceData, m interface{}) (diagnostics diag.Diagnostics) {
 	c := m.(*client.Holder)
-	err := resource.RetryContext(ctx, 180*time.Second, func() *resource.RetryError {
+	err := retry.RetryContext(ctx, 180*time.Second, func() *retry.RetryError {
 		err := c.AccessTier.Delete(d.Id())
 		if err != nil {
 			if err.Error() == "access_tier not found" {
 				return nil
 			}
-			return resource.RetryableError(err)
+			return retry.RetryableError(err)
 		}
 		return nil
 	})

diff --git a/banyan/resource_connector.go b/banyan/resource_connector.go
@@ -7,7 +7,7 @@ import (
 	"github.com/banyansecurity/terraform-banyan-provider/client"
 	"github.com/banyansecurity/terraform-banyan-provider/client/satellite"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/pkg/errors"
 )
@@ -73,7 +73,7 @@ func resourceConnector() *schema.Resource {
 }
 
 func connectorFromState(d *schema.ResourceData) (info satellite.Info) {
-	// if access_tiers not set, use ["*"]
+	// if access_tiers not set, use \["*"\]
 	ats := convertSchemaSetToStringSlice(d.Get("access_tiers").(*schema.Set))
 	if ats == nil {
 		ats = []string{"*"}
@@ -155,13 +155,13 @@ func resourceConnectorUpdate(ctx context.Context, d *schema.ResourceData, m inte
 
 func resourceConnectorDelete(ctx context.Context, d *schema.ResourceData, m interface{}) (diagnostics diag.Diagnostics) {
 	c := m.(*client.Holder)
-	err := resource.RetryContext(ctx, 180*time.Second, func() *resource.RetryError {
+	err := retry.RetryContext(ctx, 180*time.Second, func() *retry.RetryError {
 		err := c.Satellite.Delete(d.Id())
 		if err != nil {
 			if err.Error() == "connector not found" {
 				return nil
 			}
-			return resource.RetryableError(err)
+			return retry.RetryableError(err)
 		}
 		return nil
 	})

diff --git a/banyan/resource_policy_infra.go b/banyan/resource_policy_infra.go
@@ -11,7 +11,7 @@ import (
 
 func resourcePolicyInfra() *schema.Resource {
 	return &schema.Resource{
-		Description:   "The infrastructure policy resource is used to manage the lifecycle of policies which will be attached to services of the type \"banyan_service_db\" \"banyan_service_k8s\" \"banyan_service_rdp\" and \"banyan_service_ssh\" . For more information on Banyan policies, see the [documentation.](https://docs.banyanops.com/docs/feature-guides/administer-security-policies/policies/manage-policies/)",
+		Description:   "The infrastructure policy resource is used to manage the lifecycle of policies which will be attached to services of the type `banyan_service_db` `banyan_service_k8s` `banyan_service_rdp` and `banyan_service_ssh` . For more information on Banyan policies, see the [documentation.](https://docs.banyanops.com/docs/feature-guides/administer-security-policies/policies/manage-policies/)",
 		CreateContext: resourcePolicyInfraCreate,
 		ReadContext:   resourcePolicyInfraRead,
 		UpdateContext: resourcePolicyInfraUpdate,

diff --git a/banyan/resource_policy_tunnel.go b/banyan/resource_policy_tunnel.go
@@ -14,7 +14,7 @@ import (
 
 func resourcePolicyTunnel() *schema.Resource {
 	return &schema.Resource{
-		Description:   "The tunnel policy resource is used to manage the lifecycle of policies which will be attached to services of the type \"banyan_service_tunnel\". For more information on Banyan policies, see the [documentation.](https://docs.banyanops.com/docs/feature-guides/administer-security-policies/policies/manage-policies/)",
+		Description:   "The tunnel policy resource is used to manage the lifecycle of policies which will be attached to services of the type `banyan_service_tunnel`. For more information on Banyan policies, see the [documentation.](https://docs.banyanops.com/docs/feature-guides/administer-security-policies/policies/manage-policies/)",
 		CreateContext: resourcePolicyTunnelCreate,
 		ReadContext:   resourcePolicyTunnelRead,
 		UpdateContext: resourcePolicyTunnelUpdate,

diff --git a/banyan/resource_policy_web.go b/banyan/resource_policy_web.go
@@ -14,7 +14,7 @@ import (
 
 func resourcePolicyWeb() *schema.Resource {
 	return &schema.Resource{
-		Description:   "The web policy resource is used to manage the lifecycle of policies which will be attached to services of the type \"banyan_service_web\". For more information on Banyan policies, see the [documentation.](https://docs.banyanops.com/docs/feature-guides/administer-security-policies/policies/manage-policies/)",
+		Description:   "The web policy resource is used to manage the lifecycle of policies which will be attached to services of the type `banyan_service_web`. For more information on Banyan policies, see the [documentation.](https://docs.banyanops.com/docs/feature-guides/administer-security-policies/policies/manage-policies/)",
 		CreateContext: resourcePolicyWebCreate,
 		ReadContext:   resourcePolicyWebRead,
 		UpdateContext: resourcePolicyWebUpdate,

diff --git a/banyan/resource_service_tunnel.go b/banyan/resource_service_tunnel.go
@@ -333,21 +333,25 @@ func flattenServiceTunnelSpec(d *schema.ResourceData, tun servicetunnel.ServiceT
 			return err
 		}
 	} else {
-		ats := p1.AccessTiers
+		var ats []string
 		err = d.Set("connectors", nil)
 		if err != nil {
 			return err
 		}
 		for _, eachPeer := range tun.Spec.PeerAccessTiers {
 			ats = append(ats, eachPeer.AccessTiers...)
 			if eachPeer.PublicCIDRs != nil {
-				err = d.Set("public_cidrs_include", eachPeer.PublicCIDRs.Include)
-				if err != nil {
-					return err
+				if len(eachPeer.PublicCIDRs.Include) > 0 {
+					err = d.Set("public_cidrs_include", eachPeer.PublicCIDRs.Include)
+					if err != nil {
+						return err
+					}
 				}
-				err = d.Set("public_cidrs_exclude", eachPeer.PublicCIDRs.Exclude)
-				if err != nil {
-					return err
+				if len(eachPeer.PublicCIDRs.Exclude) > 0 {
+					err = d.Set("public_cidrs_exclude", eachPeer.PublicCIDRs.Exclude)
+					if err != nil {
+						return err
+					}
 				}
 				if len(eachPeer.AccessTiers) > 0 {
 					err = d.Set("public_traffic_tunnel_via_access_tier", eachPeer.AccessTiers[0])
@@ -358,13 +362,17 @@ func flattenServiceTunnelSpec(d *schema.ResourceData, tun servicetunnel.ServiceT
 
 			}
 			if eachPeer.PublicDomains != nil {
-				err = d.Set("public_domains_include", eachPeer.PublicDomains.Include)
-				if err != nil {
-					return err
+				if len(eachPeer.PublicDomains.Include) > 0 {
+					err = d.Set("public_domains_include", eachPeer.PublicDomains.Include)
+					if err != nil {
+						return err
+					}
 				}
-				err = d.Set("public_domains_exclude", eachPeer.PublicDomains.Exclude)
-				if err != nil {
-					return err
+				if len(eachPeer.PublicDomains.Exclude) > 0 {
+					err = d.Set("public_domains_exclude", eachPeer.PublicDomains.Exclude)
+					if err != nil {
+						return err
+					}
 				}
 				if len(eachPeer.AccessTiers) > 0 {
 					err = d.Set("public_traffic_tunnel_via_access_tier", eachPeer.AccessTiers[0])

diff --git a/banyan/resource_service_tunnel_test.go b/banyan/resource_service_tunnel_test.go
@@ -91,7 +91,7 @@ func TestSchemaServiceTunnel_tunnel_public_select_at_from_multiple(t *testing.T)
 		"name":                                  "tunnel-domains",
 		"description":                           "describe tunnel-domains",
 		"cluster":                               "cluster1",
-		"access_tiers":                          []interface{}{"gcp-tdnovpn-v2", "gcp-tdnovpn-v1"},
+		"access_tiers":                          []interface{}{"gcp-tdnovpn-v1", "gcp-tdnovpn-v2"},
 		"public_cidrs_include":                  []interface{}{"8.8.8.8/32", "75.75.75.75/32", "75.75.76.76/32"},
 		"public_domains_include":                []interface{}{"cnn.com", "icanhazip.com", "fast.com", "yahoo.com", "banyansecurity.io"},
 		"public_traffic_tunnel_via_access_tier": "gcp-tdnovpn-v2",

diff --git a/banyan/resource_service_web.go b/banyan/resource_service_web.go
@@ -7,6 +7,7 @@ import (
 	"github.com/banyansecurity/terraform-banyan-provider/client/service"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"log"
 	"strconv"
 )
@@ -161,6 +162,24 @@ func WebSchema() (s map[string]*schema.Schema) {
 				Type: schema.TypeString,
 			},
 		},
+		"custom_trust_cookie": {
+			Type:     schema.TypeSet,
+			MaxItems: 1,
+			Optional: true,
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"same_site_policy": {
+						Type:         schema.TypeString,
+						Optional:     true,
+						ValidateFunc: validation.StringInSlice([]string{"lax", "none", "strict"}, false),
+					},
+					"trust_cookie_path": {
+						Type:     schema.TypeString,
+						Optional: true,
+					},
+				},
+			},
+		},
 		"service_account_access": {
 			Type:     schema.TypeSet,
 			MaxItems: 1,
@@ -296,40 +315,60 @@ func resourceServiceWebRead(ctx context.Context, d *schema.ResourceData, m inter
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	err = d.Set("custom_http_headers", svc.CreateServiceSpec.Spec.Headers)
-	if err != nil {
-		return diag.FromErr(err)
+	if len(svc.CreateServiceSpec.Spec.Headers) > 0 {
+		err = d.Set("custom_http_headers", svc.CreateServiceSpec.Spec.Headers)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
-	err = d.Set("dns_overrides", svc.CreateServiceSpec.Spec.BackendDNSOverrides)
-	if err != nil {
-		return diag.FromErr(err)
+	if len(svc.CreateServiceSpec.Spec.BackendDNSOverrides) > 0 {
+		err = d.Set("dns_overrides", svc.CreateServiceSpec.Spec.BackendDNSOverrides)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
-	err = d.Set("whitelist", svc.CreateServiceSpec.Spec.Backend.BackendWhitelist)
-	if err != nil {
-		return diag.FromErr(err)
+	if len(svc.CreateServiceSpec.Spec.Backend.BackendWhitelist) > 0 {
+		err = d.Set("whitelist", svc.CreateServiceSpec.Spec.Backend.BackendWhitelist)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 	exemptions, err := flattenExemptions(svc.CreateServiceSpec.Spec.HTTPSettings.ExemptedPaths)
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	err = d.Set("exemptions", exemptions)
-	if err != nil {
-		return diag.FromErr(err)
+	if len(exemptions) > 0 {
+		err = d.Set("exemptions", exemptions)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 	if len(svc.CreateServiceSpec.Spec.ClientCIDRs) > 0 {
 		return diag.Errorf("Client CIDRs are deprecated cannot import if it is set.")
 	}
+	if svc.CreateServiceSpec.Spec.CertSettings.Letsencrypt {
+		err = d.Set("letsencrypt", svc.CreateServiceSpec.Spec.CertSettings.Letsencrypt)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
 	customTlsCert := flattenCustomTLSCert(svc.CreateServiceSpec.Spec.CustomTLSCert)
 	if len(customTlsCert) != 0 {
 		err = d.Set("custom_tls_cert", customTlsCert)
 		if err != nil {
 			return diag.FromErr(err)
 		}
 	}
-	err = d.Set("service_account_access", flattenServiceAccountAccess(svc.CreateServiceSpec.Spec.TokenLoc))
+	err = d.Set("custom_trust_cookie", flattenCustomTrustCookie(svc.CreateServiceSpec.Spec.CustomTrustCookie))
 	if err != nil {
 		return diag.FromErr(err)
 	}
+	if svc.CreateServiceSpec.Spec.TokenLoc != nil && svc.CreateServiceSpec.Spec.TokenLoc.AuthorizationHeader {
+		err = d.Set("service_account_access", flattenServiceAccountAccess(svc.CreateServiceSpec.Spec.TokenLoc))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
 	return
 }
 
@@ -499,16 +538,30 @@ func expandCustomTLSCert(d *schema.ResourceData) service.CustomTLSCert {
 
 func expandWebHTTPSettings(d *schema.ResourceData) (httpSettings service.HTTPSettings) {
 	httpSettings = service.HTTPSettings{
-		Enabled:         true,
-		OIDCSettings:    expandWebOIDCSettings(d),
-		ExemptedPaths:   expandWebExemptedPaths(d),
-		Headers:         expandCustomHttpHeaders(d),
-		HTTPHealthCheck: expandWebHTTPHealthCheck(),
-		TokenLoc:        expandWebTokenLoc(d),
+		Enabled:           true,
+		CustomTrustCookie: expandCustomTrustCookie(d),
+		OIDCSettings:      expandWebOIDCSettings(d),
+		ExemptedPaths:     expandWebExemptedPaths(d),
+		Headers:           expandCustomHttpHeaders(d),
+		HTTPHealthCheck:   expandWebHTTPHealthCheck(),
+		TokenLoc:          expandWebTokenLoc(d),
 	}
 	return
 }
+func expandCustomTrustCookie(d *schema.ResourceData) *service.CustomTrustCookie {
+	v, ok := d.GetOk("custom_trust_cookie")
+	if !ok {
+		return nil
+	}
+	tc := v.(*schema.Set).List()
+	sameSitePolicy := tc[0].(map[string]interface{})["same_site_policy"].(string)
+	trustCookiePath := tc[0].(map[string]interface{})["trust_cookie_path"].(string)
 
+	return &service.CustomTrustCookie{
+		SameSite: sameSitePolicy,
+		Path:     trustCookiePath,
+	}
+}
 func expandWebTokenLoc(d *schema.ResourceData) *service.TokenLocation {
 	v, ok := d.GetOk("service_account_access")
 	if !ok {
@@ -561,7 +614,6 @@ func expandWebExemptedPaths(d *schema.ResourceData) service.ExemptedPaths {
 	paths, err := getStringListFromPatternsPath(exemptedPaths.(*schema.Set), "legacy_paths")
 	if err != nil {
 		diag.Errorf("Unable to read paths from exempted_paths")
-
 	}
 
 	patterns, err := expandExemptedPathPatterns(exemptedPaths.(*schema.Set))
@@ -628,3 +680,19 @@ func expandWebHTTPHealthCheck() (httpHealthCheck service.HTTPHealthCheck) {
 	}
 	return
 }
+func flattenCustomTrustCookie(customTrustCookie *service.CustomTrustCookie) (flattened []interface{}) {
+	if customTrustCookie == nil {
+		return
+	}
+	tl := make(map[string]interface{})
+	if customTrustCookie.SameSite != "" {
+		tl["same_site_policy"] = customTrustCookie.SameSite
+	}
+	if customTrustCookie.Path != "" {
+		tl["trust_cookie_path"] = customTrustCookie.Path
+	}
+	if len(tl) != 0 {
+		flattened = append(flattened, tl)
+	}
+	return
+}
diff --git a/banyan/service_infra_helpers.go b/banyan/service_infra_helpers.go
@@ -52,9 +52,11 @@ func resourceServiceInfraCommonRead(svc service.GetServiceSpec, d *schema.Resour
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	err = d.Set("connector", svc.CreateServiceSpec.Spec.Backend.ConnectorName)
-	if err != nil {
-		return diag.FromErr(err)
+	if len(strings.TrimSpace(svc.CreateServiceSpec.Spec.Backend.ConnectorName)) > 0 {
+		err = d.Set("connector", svc.CreateServiceSpec.Spec.Backend.ConnectorName)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 	err = d.Set("domain", svc.CreateServiceSpec.Metadata.Tags.Domain)
 	if err != nil {
@@ -94,10 +96,12 @@ func resourceServiceInfraCommonRead(svc service.GetServiceSpec, d *schema.Resour
 	if err != nil {
 		return diag.FromErr(err)
 	}
+
 	err = d.Set("suppress_device_trust_verification", svc.CreateServiceSpec.Spec.SuppressDeviceTrustVerification)
 	if err != nil {
 		return diag.FromErr(err)
 	}
+
 	availableInApp, err := strconv.ParseBool(*svc.CreateServiceSpec.Metadata.Tags.UserFacing)
 	if err != nil {
 		diag.FromErr(err)
@@ -132,12 +136,11 @@ func flattenExemptions(paths service.ExemptedPaths) (flattened []interface{}, er
 		return
 	}
 
-	if len(paths.Patterns) > 1 {
+	if len(paths.Patterns) != 1 {
 		err = fmt.Errorf("more than one pattern not supported to import in terraform")
 		return
 	}
 	exemptions["paths"] = paths.Patterns[0].Paths
-
 	exemptions["source_cidrs"] = paths.Patterns[0].SourceCIDRs
 	exemptions["mandatory_headers"] = paths.Patterns[0].MandatoryHeaders
 	exemptions["http_methods"] = paths.Patterns[0].Methods