From c86ed1f2029f631473818802975bff027e4e7b9c Mon Sep 17 00:00:00 2001
From: chinthalapalli
Date: Wed, 14 Feb 2024 14:51:29 +0530
Subject: [PATCH] adding devel changes

---
 docs/index.md | 4 ++
 go.mod | 2 +-
 go.sum | 4 +-
 internal/provider/config_backup_resource.go | 1 -
 internal/provider/interface_resource.go | 1 +
 internal/provider/lag_resource_test.go | 3 +-
 internal/provider/provider.go | 47 +++++++++++---
 internal/provider/tenant_image_data_source.go | 1 +
 internal/provider/tenant_resource.go | 14 +++-
 internal/provider/vlan_resource.go | 3 +-
 internal/provider/vlan_resource_test.go | 2 +-
 .../terraform-providers/f5osclient/f5os.go | 64 ++++++++++++++++---
 vendor/modules.txt | 2 +-
 13 files changed, 117 insertions(+), 31 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index ac40319..b5ba73b 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -29,6 +29,10 @@ provider "f5os" {
 ### Optional
+- `disable_tls_verify` (Boolean) `disable_tls_verify` controls whether a client verifies the server's certificate chain and host name. default it is set to `true`. If `disable_tls_verify` is true, crypto/tls accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used.
+can be provided by `DISABLE_TLS_VERIFY` environment variable.
+
+~> **NOTE** If it is set to `false`, certificate/ca certificates should be added to `trusted store` of host where we are running this provider.
 - `host` (String) URI/Host details for F5os Device,can be provided via `F5OS_HOST` environment variable.
 - `password` (String, Sensitive) Password for F5os Device,can be provided via `F5OS_PASSWORD` environment variable.
 - `port` (Number) Port Number to be used to make API calls to HOST
diff --git a/go.mod b/go.mod
index 74a2046..61eb36a 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/hashicorp/terraform-plugin-log v0.8.0
 github.com/hashicorp/terraform-plugin-testing v1.2.0
 github.com/stretchr/testify v1.8.4
- gitswarm.f5net.com/terraform-providers/f5osclient v1.0.3
+ gitswarm.f5net.com/terraform-providers/f5osclient v1.0.4
 )
 require (
diff --git a/go.sum b/go.sum
index e00575b..c7e7a0f 100644
--- a/go.sum
+++ b/go.sum
@@ -218,8 +218,8 @@ github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6e
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zclconf/go-cty v1.13.1 h1:0a6bRwuiSHtAmqCqNOE+c2oHgepv0ctoxU4FUe43kwc=
 github.com/zclconf/go-cty v1.13.1/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0=
-gitswarm.f5net.com/terraform-providers/f5osclient v1.0.3 h1:YbDdA8oViX9PDsHHBL8EcmHVq0f3f8cM2vyJ0/GunHI=
-gitswarm.f5net.com/terraform-providers/f5osclient v1.0.3/go.mod h1:k+4tg9l6yO3FlFh3dkXGc+Wl+LOB/AXu302hAX6nhDU=
+gitswarm.f5net.com/terraform-providers/f5osclient v1.0.4 h1:/jNPf+40m3o+zlWdA1xPEwfWsODDVlQ6YaRLR57h9x4=
+gitswarm.f5net.com/terraform-providers/f5osclient v1.0.4/go.mod h1:k+4tg9l6yO3FlFh3dkXGc+Wl+LOB/AXu302hAX6nhDU=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
diff --git a/internal/provider/config_backup_resource.go b/internal/provider/config_backup_resource.go
index 0989c2b..c3e5403 100644
--- a/internal/provider/config_backup_resource.go
+++ b/internal/provider/config_backup_resource.go
@@ -16,7 +16,6 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/schema/validator"
 "github.com/hashicorp/terraform-plugin-framework/types"
 "github.com/hashicorp/terraform-plugin-log/tflog"
- f5ossdk "gitswarm.f5net.com/terraform-providers/f5osclient"
 )
diff --git a/internal/provider/interface_resource.go b/internal/provider/interface_resource.go
index af822de..c6aa2ad 100644
--- a/internal/provider/interface_resource.go
+++ b/internal/provider/interface_resource.go
@@ -3,6 +3,7 @@ package provider
 import (
 "context"
 "fmt"
+
 "github.com/hashicorp/terraform-plugin-framework/path"
 "github.com/hashicorp/terraform-plugin-framework/resource"
 "github.com/hashicorp/terraform-plugin-framework/resource/schema"
diff --git a/internal/provider/lag_resource_test.go b/internal/provider/lag_resource_test.go
index 8153b24..1e21d08 100644
--- a/internal/provider/lag_resource_test.go
+++ b/internal/provider/lag_resource_test.go
@@ -5,9 +5,8 @@ import (
 "net/http"
 "testing"
- "github.com/stretchr/testify/assert"
-
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/stretchr/testify/assert"
 )
 func TestAccLagInterfaceCreateTC1Resource(t *testing.T) {
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index e43dcb2..8d23ba2 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -28,11 +28,13 @@ type F5osProvider struct {
 // F5osProviderModel describes the provider data model.
 type F5osProviderModel struct {
- Host types.String `tfsdk:"host"`
- Username types.String `tfsdk:"username"`
- Password types.String `tfsdk:"password"`
- Port types.Int64 `tfsdk:"port"`
- TeemDisable types.Bool `tfsdk:"teem_disable"`
+ Host types.String `tfsdk:"host"`
+ Username types.String `tfsdk:"username"`
+ Password types.String `tfsdk:"password"`
+ Port types.Int64 `tfsdk:"port"`
+ TeemDisable types.Bool `tfsdk:"teem_disable"`
+ DisableSslVerify types.Bool `tfsdk:"disable_tls_verify"`
+ // TrustedCertpath types.String `tfsdk:"trusted_cert_path"`
 }
 type TeemData struct {
 ResourceName string
@@ -72,6 +74,14 @@ func (p *F5osProvider) Schema(ctx context.Context, req provider.SchemaRequest, r
 MarkdownDescription: "Port Number to be used to make API calls to HOST",
 Optional: true,
 },
+ // "trusted_cert_path": schema.StringAttribute{
+ // MarkdownDescription: "Valid Trusted CA Certificate path",
+ // Optional: true,
+ // },
+ "disable_tls_verify": schema.BoolAttribute{
+ MarkdownDescription: "`disable_tls_verify` controls whether a client verifies the server's certificate chain and host name. default it is set to `true`. If `disable_tls_verify` is true, crypto/tls accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used.\ncan be provided by `DISABLE_TLS_VERIFY` environment variable.\n\n~> **NOTE** If it is set to `false`, certificate/ca certificates should be added to `trusted store` of host where we are running this provider.",
+ Optional: true,
+ },
 "teem_disable": schema.BoolAttribute{
 MarkdownDescription: "If this flag set to true,sending telemetry data to TEEM will be disabled,can be provided via `TEEM_DISABLE` environment variable.",
 Optional: true,
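Review bot: The schema description added in the -72 hunk documents that `disable_tls_verify` defaults to `true`, so a provider block that omits the attribute runs with certificate verification switched off; the secure default is verification on, and if the insecure default is kept for compatibility the Configure hunk should at least emit `resp.Diagnostics.AddWarning` whenever it is in effect. The model field `DisableSslVerify` does not match the attribute `disable_tls_verify`, the `DISABLE_TLS_VERIFY` variable or the client field `DisableSSLVerify`; `DisableTLSVerify` keeps the initialism consistent across all four. The commented-out `TrustedCertpath` field and `trusted_cert_path` attribute should be finished or dropped rather than committed as comments. The description text also reads awkwardly: `default it is set to \`true\`` would be clearer as `By default it is set to \`true\``.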
@@ -101,6 +111,12 @@ func (p *F5osProvider) Configure(ctx context.Context, req provider.ConfigureRequ
 if teemTmp == "true" {
 teemDisable = true
 }
+ disableSSL := true
+ if disableSSLtemp, ok := os.LookupEnv("DISABLE_TLS_VERIFY"); ok {
+ if disableSSLtemp == "false" {
+ disableSSL = false
+ }
+ }
 if !config.Host.IsNull() {
 host = config.Host.ValueString()
 }
@@ -118,6 +134,17 @@ func (p *F5osProvider) Configure(ctx context.Context, req provider.ConfigureRequ
 if !config.TeemDisable.IsNull() {
 teemDisable = config.TeemDisable.ValueBool()
 }
+ if !config.DisableSslVerify.IsNull() {
+ disableSSL = config.DisableSslVerify.ValueBool()
+ }
+ // if !disableSSL && config.TrustedCertpath.IsNull() {
+ // resp.Diagnostics.AddError("trusted_cert_path is required when disable_tls_verify is set to false", "trusted_cert_path is required when disable_tls_verify is set to false")
+ // return
+ // }
+ // trustedCAPath := ""
+ // if !config.TrustedCertpath.IsNull() {
+ // trustedCAPath = config.TrustedCertpath.ValueString()
+ // }
 if host == "" {
 resp.Diagnostics.AddError(
 "Missing 'host' in provider configuration",
@@ -145,10 +172,12 @@ func (p *F5osProvider) Configure(ctx context.Context, req provider.ConfigureRequ
 // Example client configuration for data sources and resources
 f5osConfig := &f5ossdk.F5osConfig{
- Host: host,
- User: username,
- Password: password,
- Port: hostPort,
+ Host: host,
+ User: username,
+ Password: password,
+ Port: hostPort,
+ DisableSSLVerify: disableSSL,
+ // TrustedCACertificate: trustedCAPath,
 }
 client, err := f5ossdk.NewSession(f5osConfig)
 if err != nil {
diff --git a/internal/provider/tenant_image_data_source.go b/internal/provider/tenant_image_data_source.go
index 3f4eab8..e5c3442 100644
--- a/internal/provider/tenant_image_data_source.go
+++ b/internal/provider/tenant_image_data_source.go
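Review bot: The `DISABLE_TLS_VERIFY` parse in the -101 hunk recognises only the exact string `false`, so `0`, `False` or a typo leaves verification disabled with no feedback to the operator. Parse it with `strconv.ParseBool` and reject anything else: `v, err := strconv.ParseBool(disableSSLtemp); if err != nil { resp.Diagnostics.AddError("Invalid DISABLE_TLS_VERIFY value", err.Error()); return }; disableSSL = v` (adding the `strconv` import if provider.go does not already have it). The commented-out `trusted_cert_path` validation in the -118 hunk and the `TrustedCACertificate` line in the -145 hunk are dead text and should be removed until the option exists. Configure begins before and continues after these hunks.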
@@ -3,6 +3,7 @@ package provider
 import (
 "context"
 "fmt"
+
 "github.com/hashicorp/terraform-plugin-framework/datasource"
 "github.com/hashicorp/terraform-plugin-framework/datasource/schema"
 "github.com/hashicorp/terraform-plugin-framework/types"
diff --git a/internal/provider/tenant_resource.go b/internal/provider/tenant_resource.go
index 750943c..7815d3d 100644
--- a/internal/provider/tenant_resource.go
+++ b/internal/provider/tenant_resource.go
@@ -3,6 +3,8 @@ package provider
 import (
 "context"
 "fmt"
+ "strconv"
+
 "github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
 "github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 "github.com/hashicorp/terraform-plugin-framework/attr"
@@ -18,7 +20,6 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/types"
 "github.com/hashicorp/terraform-plugin-log/tflog"
 f5ossdk "gitswarm.f5net.com/terraform-providers/f5osclient"
- "strconv"
 )
 // var (
@@ -108,7 +109,7 @@ func (r *TenantResource) Schema(ctx context.Context, req resource.SchemaRequest,
 Validators: []validator.String{
 stringvalidator.OneOf([]string{"one", "small", "medium", "large"}...),
 },
- Default: stringdefault.StaticString("one"),
+ // Default: stringdefault.StaticString("one"),
 },
 "dag_ipv6_prefix_length": schema.Int64Attribute{
 MarkdownDescription: "Configuring DAG Global IPv6 Prefix Length,value Range from `1` to `128`.Default is `128`.",
@@ -409,7 +410,14 @@ func getTenantCreateConfig(ctx context.Context, req resource.CreateRequest, resp
 tenantSubbj.Config.PrefixLength = int(data.MgmtPrefix.ValueInt64())
 tenantSubbj.Config.VcpuCoresPerNode = int(data.CpuCores.ValueInt64())
 tenantSubbj.Config.DagIpv6PrefixLength = int(data.DagIpv6prefixLength.ValueInt64())
- tenantSubbj.Config.MacData.F5TenantL2InlineMacBlockSize = data.MacBlockSize.ValueString()
+ if !data.MacBlockSize.IsNull() && !data.MacBlockSize.IsUnknown() {
+ tenantSubbj.Config.MacData.F5TenantL2InlineMacBlockSize = data.MacBlockSize.ValueString()
+ // tenantSubbj.Config.MacData.F5TenantL2InlineMacBlockSize = "one"
+ }
+ // else {
+ // tenantSubbj.Config.MacData.F5TenantL2InlineMacBlockSize = data.MacBlockSize.ValueString()
+ // }
+ // tenantSubbj.Config.MacData.F5TenantL2InlineMacBlockSize = data.MacBlockSize.ValueString()
 if data.Memory.IsNull() {
 tenantSubbj.Config.Memory = 3.5*1024*int(data.CpuCores.ValueInt64()) + (512)
 } else {
diff --git a/internal/provider/vlan_resource.go b/internal/provider/vlan_resource.go
index 943cf76..afa3cb5 100644
--- a/internal/provider/vlan_resource.go
+++ b/internal/provider/vlan_resource.go
@@ -3,6 +3,8 @@ package provider
 import (
 "context"
 "fmt"
+ "strconv"
+
 "github.com/hashicorp/terraform-plugin-framework/path"
 "github.com/hashicorp/terraform-plugin-framework/resource"
 "github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -11,7 +13,6 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/types"
 "github.com/hashicorp/terraform-plugin-log/tflog"
 f5ossdk "gitswarm.f5net.com/terraform-providers/f5osclient"
- "strconv"
 )
 // Ensure provider defined types fully satisfy framework interfaces.
diff --git a/internal/provider/vlan_resource_test.go b/internal/provider/vlan_resource_test.go
index a4272a8..1dc10a1 100644
--- a/internal/provider/vlan_resource_test.go
+++ b/internal/provider/vlan_resource_test.go
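Review bot: The new guard in getTenantCreateConfig leaves `F5TenantL2InlineMacBlockSize` unset when `mac_block_size` is null or unknown, which together with the schema `Default` commented out in the -108 hunk of the same file means the device-side default now applies; that intent deserves a comment, e.g. `// mac_block_size has no schema default: leave it unset so the device applies its own`. The three commented-out alternatives after the `if` block, and the commented `Default:` line in the schema, are dead code and should be deleted. If the attribute is also `Computed`, removing the default makes its value unknown until apply — worth confirming against the schema, which lies outside this hunk. getTenantCreateConfig starts before and ends after the hunk.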
@@ -2,11 +2,11 @@ package provider
 import (
 "fmt"
- "github.com/stretchr/testify/assert"
 "net/http"
 "testing"
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/stretchr/testify/assert"
 )
 func TestAccVlanCreateTC1Resource(t *testing.T) {
diff --git a/vendor/gitswarm.f5net.com/terraform-providers/f5osclient/f5os.go b/vendor/gitswarm.f5net.com/terraform-providers/f5osclient/f5os.go
index 6a0e4e1..fb5a86f 100644
--- a/vendor/gitswarm.f5net.com/terraform-providers/f5osclient/f5os.go
+++ b/vendor/gitswarm.f5net.com/terraform-providers/f5osclient/f5os.go
@@ -9,6 +9,7 @@ package f5os
 import (
 "bytes"
 "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "errors"
 "fmt"
@@ -56,8 +57,10 @@ type F5osConfig struct {
 Port int
 Transport *http.Transport
 // UserAgent is an optional field that specifies the caller of this request.
- UserAgent string
- Teem bool
+ UserAgent string
+ Teem bool
+ DisableSSLVerify bool
+ // TrustedCACertificate string
 ConfigOptions *ConfigOptions
 }
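Review bot: `DisableSSLVerify` is a new exported field of `F5osConfig` with no doc comment, while its neighbour `UserAgent` has one; suggest `// DisableSSLVerify sets tls.Config.InsecureSkipVerify on the session transport, disabling verification of the server certificate chain and host name; leave it false unless the device certificate cannot be trusted through the host store.` The commented-out `TrustedCACertificate` line should be removed until that option is implemented.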
@@ -163,11 +166,33 @@ func NewSession(f5osObj *F5osConfig) (*F5os, error) {
 if f5osObj.ConfigOptions == nil {
 f5osObj.ConfigOptions = defaultConfigOptions
 }
- tr := &http.Transport{
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- }
+ tr := &http.Transport{}
+ f5osLogger.Info("[NewSession]", "DisableSSLVerify", hclog.Fmt("%+v", f5osObj.DisableSSLVerify))
+ tr.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: f5osObj.DisableSSLVerify,
+ }
+
+ // if f5osObj.DisableSSLVerify {
+ // f5osLogger.Info("[NewSession]", "DisableSSLVerify", hclog.Fmt("%+v", f5osObj.DisableSSLVerify))
+ // tr.TLSClientConfig = &tls.Config{
+ // InsecureSkipVerify: true,
+ // }
+ // } else {
+ // f5osLogger.Info("[NewSession]", "DisableSSLVerify", hclog.Fmt("%+v", f5osObj.DisableSSLVerify))
+ // tr.TLSClientConfig = &tls.Config{
+ // InsecureSkipVerify: false,
+ // }
+ // rootCA, err := GetRootCA(f5osObj.TrustedCACertificate)
+ // if err != nil {
+ // return nil, err
+ // }
+ // tr.TLSClientConfig.RootCAs = rootCA
+ // }
+ // tr := &http.Transport{
+ // TLSClientConfig: &tls.Config{
+ // InsecureSkipVerify: true,
+ // },
+ // }
 f5osSession.Host = urlString
 f5osSession.Transport = tr
 f5osSession.ConfigOptions = f5osObj.ConfigOptions
@@ -179,6 +204,9 @@ func NewSession(f5osObj *F5osConfig) (*F5os, error) {
 f5osLogger.Debug("[NewSession]", "URL", hclog.Fmt("%+v", urlString))
 req, err := http.NewRequest(method, urlString, nil)
+ if err != nil {
+ return nil, err
+ }
 req.Header.Set("Content-Type", contentTypeHeader)
 req.SetBasicAuth(f5osObj.User, f5osObj.Password)
 res, err := client.Do(req)
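Review bot: The new `tls.Config` in NewSession sets only `InsecureSkipVerify` and relies on the toolchain default for the minimum protocol version; pinning it makes the policy explicit and independent of the Go release: `tr.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: f5osObj.DisableSSLVerify}`. Because skipping verification is a security-relevant choice, it is better logged at warning level only when enabled than unconditionally at Info, e.g. `if f5osObj.DisableSSLVerify { f5osLogger.Warn("[NewSession]", "TLS certificate verification disabled") }` (assuming f5osLogger is an hclog.Logger, as the `hclog.Fmt` calls suggest). The 21 commented-out lines that follow, the earlier if/else and the old transport, should be removed; the `GetRootCA` path they reference is not wired up, so with `DisableSSLVerify` false the session trusts the system store alone. NewSession starts before and continues after this hunk.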
@@ -194,8 +222,8 @@ func NewSession(f5osObj *F5osConfig) (*F5os, error) {
 if err != nil {
 return nil, err
 }
- if strings.Contains(fmt.Sprintf("%s", string(respData)), "enable JavaScript to run this app") {
- return nil, fmt.Errorf("Failed with %s", string(respData))
+ if strings.Contains(string(respData), "enable JavaScript to run this app") {
+ return nil, fmt.Errorf("failed with %s", string(respData))
 }
 f5osSession.Token = res.Header.Get("X-Auth-Token")
 f5osSession.setPlatformType()
@@ -203,6 +231,22 @@ func NewSession(f5osObj *F5osConfig) (*F5os, error) {
 return f5osSession, nil
 }
+func GetRootCA(path string) (*x509.CertPool, error) {
+ rootCAs, _ := x509.SystemCertPool()
+ if rootCAs == nil {
+ rootCAs = x509.NewCertPool()
+ }
+ certPEM, err := os.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ // Append our certs to the system pool
+ if ok := rootCAs.AppendCertsFromPEM(certPEM); !ok {
+ log.Printf("[DEBUG] No certs appended, using only system certs")
+ }
+ return rootCAs, nil
+}
+
 func (p *F5os) doRequest(op, path string, body []byte) ([]byte, error) {
 f5osLogger.Debug("[doRequest]", "Request path", hclog.Fmt("%+v", path))
 if len(body) > 0 {
@@ -929,7 +973,7 @@ func (p *F5os) setPlatformVersion(uriPlatformVersion string) ([]byte, error) {
 }
 defer resp.Body.Close()
 if resp.StatusCode == 404 {
- return nil, fmt.Errorf("Platform version not supported")
+ return nil, fmt.Errorf("platform version not supported")
 }
 if resp.StatusCode == 200 || resp.StatusCode == 304 {
 bytes, _ := io.ReadAll(resp.Body)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 657ed45..d5941c7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
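Review bot: `GetRootCA` in the -203 hunk discards the error from `x509.SystemCertPool()` and, when `AppendCertsFromPEM` parses nothing from the file, logs at debug and returns the pool anyway, so a caller passing an empty or malformed CA file silently gets a pool that does not contain its certificate. Return an error in that case, and prefer the package's `f5osLogger` over `log.Printf`, which is inconsistent with the logging used elsewhere in NewSession. Within this diff the function is referenced only from commented-out code, so it is currently unused exported API; either wire it to a `TrustedCACertificate` option or hold it back until that lands. A doc comment is also missing: `// GetRootCA returns the system root pool extended with the PEM certificates read from path.`
```go
func GetRootCA(path string) (*x509.CertPool, error) {
	rootCAs, err := x509.SystemCertPool()
	if err != nil || rootCAs == nil {
		// No usable system pool: the certificates in path become the only trust anchors.
		rootCAs = x509.NewCertPool()
	}
	// … unchanged: os.ReadFile(path) and its error check …
	if !rootCAs.AppendCertsFromPEM(certPEM) {
		return nil, fmt.Errorf("no PEM certificates found in %q", path)
	}
	return rootCAs, nil
}
```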
@@ -307,7 +307,7 @@ github.com/zclconf/go-cty/cty/function/stdlib
 github.com/zclconf/go-cty/cty/gocty
 github.com/zclconf/go-cty/cty/json
 github.com/zclconf/go-cty/cty/set
-# gitswarm.f5net.com/terraform-providers/f5osclient v1.0.3
+# gitswarm.f5net.com/terraform-providers/f5osclient v1.0.4
 ## explicit; go 1.21.3
 gitswarm.f5net.com/terraform-providers/f5osclient
 # golang.org/x/crypto v0.7.0