From eb49f9ca30868a1b4d17f9eb7d6d7c1edb199624 Mon Sep 17 00:00:00 2001 From: William Guilherme Date: Wed, 31 Aug 2022 01:29:40 +0200 Subject: [PATCH] Updated tcp/udp ports app_segment_inspection (#177) * Updated zpa_application_segment_pra * Updated Changelog * Updated tcp/udp ports app_segment_inspection * Updated appsegment inspection * Updated application_segment --- zpa/resource_zpa_application_segment.go | 57 +++++-------- ...urce_zpa_application_segment_inspection.go | 79 ++++++++++++++----- ...zpa_application_segment_inspection_test.go | 2 +- ...source_zpa_application_segment_pra_test.go | 12 +-- 4 files changed, 83 insertions(+), 67 deletions(-) diff --git a/zpa/resource_zpa_application_segment.go b/zpa/resource_zpa_application_segment.go index efbb2d09..62abfde7 100644 --- a/zpa/resource_zpa_application_segment.go +++ b/zpa/resource_zpa_application_segment.go @@ -134,11 +134,6 @@ func resourceApplicationSegment() *schema.Resource { "CONTINUOUS", }, false), }, - "select_connector_close_to_app": { - Type: schema.TypeBool, - Optional: true, - Computed: true, - }, "icmp_access_type": { Type: schema.TypeString, Optional: true, @@ -195,14 +190,6 @@ func resourceApplicationSegment() *schema.Resource { } } -func applicationSegmentValidation(appSegment applicationsegment.ApplicationSegmentResource) error { - - if appSegment.SelectConnectorCloseToApp && appSegment.UDPAppPortRange != nil { - return fmt.Errorf("selecting app connector closer to app can be only enabled for tcp applications") - } - return nil -} - func resourceApplicationSegmentCreate(d *schema.ResourceData, m interface{}) error { zClient := m.(*Client) 
@@ -212,9 +199,6 @@ func resourceApplicationSegmentCreate(d *schema.ResourceData, m interface{}) err log.Println("[ERROR] Please provde a valid segment group for the application segment") return fmt.Errorf("please provde a valid segment group for the application segment") } - if err := applicationSegmentValidation(req); err != nil { - return err - } resp, _, err := zClient.applicationsegment.Create(req) if err != nil { return err @@ -253,7 +237,6 @@ func resourceApplicationSegmentRead(d *schema.ResourceData, m interface{}) error _ = d.Set("enabled", resp.Enabled) _ = d.Set("health_check_type", resp.HealthCheckType) _ = d.Set("health_reporting", resp.HealthReporting) - _ = d.Set("select_connector_close_to_app", resp.SelectConnectorCloseToApp) _ = d.Set("icmp_access_type", resp.IcmpAccessType) _ = d.Set("ip_anchored", resp.IpAnchored) _ = d.Set("is_cname_enabled", resp.IsCnameEnabled) @@ -297,9 +280,6 @@ func resourceApplicationSegmentUpdate(d *schema.ResourceData, m interface{}) err log.Println("[ERROR] Please provde a valid segment group for the application segment") return fmt.Errorf("please provde a valid segment group for the application segment") } - if err := applicationSegmentValidation(req); err != nil { - return err - } if _, err := zClient.applicationsegment.Update(id, req); err != nil { return err } 
@@ -359,25 +339,24 @@ func expandStringInSlice(d *schema.ResourceData, key string) []string { func expandApplicationSegmentRequest(d *schema.ResourceData, zClient *Client, id string) applicationsegment.ApplicationSegmentResource { details := applicationsegment.ApplicationSegmentResource{ - SegmentGroupID: d.Get("segment_group_id").(string), - SegmentGroupName: d.Get("segment_group_name").(string), - BypassType: d.Get("bypass_type").(string), - ConfigSpace: d.Get("config_space").(string), - PassiveHealthEnabled: d.Get("passive_health_enabled").(bool), - IcmpAccessType: d.Get("icmp_access_type").(string), - Description: d.Get("description").(string), - DomainNames: SetToStringList(d, "domain_names"), - DoubleEncrypt: d.Get("double_encrypt").(bool), - Enabled: d.Get("enabled").(bool), - HealthCheckType: d.Get("health_check_type").(string), - HealthReporting: d.Get("health_reporting").(string), - SelectConnectorCloseToApp: d.Get("select_connector_close_to_app").(bool), - IpAnchored: d.Get("ip_anchored").(bool), - IsCnameEnabled: d.Get("is_cname_enabled").(bool), - Name: d.Get("name").(string), - ServerGroups: expandAppServerGroups(d), - TCPAppPortRange: []common.NetworkPorts{}, - UDPAppPortRange: []common.NetworkPorts{}, + SegmentGroupID: d.Get("segment_group_id").(string), + SegmentGroupName: d.Get("segment_group_name").(string), + BypassType: d.Get("bypass_type").(string), + ConfigSpace: d.Get("config_space").(string), + PassiveHealthEnabled: d.Get("passive_health_enabled").(bool), + IcmpAccessType: d.Get("icmp_access_type").(string), + Description: d.Get("description").(string), + DomainNames: SetToStringList(d, "domain_names"), + DoubleEncrypt: d.Get("double_encrypt").(bool), + Enabled: d.Get("enabled").(bool), + HealthCheckType: d.Get("health_check_type").(string), + HealthReporting: d.Get("health_reporting").(string), + IpAnchored: d.Get("ip_anchored").(bool), + IsCnameEnabled: d.Get("is_cname_enabled").(bool), + Name: d.Get("name").(string), + ServerGroups: 
expandAppServerGroups(d), + TCPAppPortRange: []common.NetworkPorts{}, + UDPAppPortRange: []common.NetworkPorts{}, } remoteTCPAppPortRanges := []string{} remoteUDPAppPortRanges := []string{} diff --git a/zpa/resource_zpa_application_segment_inspection.go b/zpa/resource_zpa_application_segment_inspection.go index 0896abed..d101d57b 100644 --- a/zpa/resource_zpa_application_segment_inspection.go +++ b/zpa/resource_zpa_application_segment_inspection.go @@ -82,6 +82,15 @@ func resourceApplicationSegmentInspection() *schema.Resource { Description: "UDP port ranges used to access the app.", Elem: &schema.Schema{Type: schema.TypeString}, }, + "config_space": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + "DEFAULT", + "SIEM", + }, false), + Default: "DEFAULT", + }, "description": { Type: schema.TypeString, Optional: true, @@ -294,12 +303,11 @@ func resourceApplicationSegmentInspection() *schema.Resource { func resourceApplicationSegmentInspectionCreate(d *schema.ResourceData, m interface{}) error { zClient := m.(*Client) - req := expandInspectionApplicationSegment(d) - log.Printf("[INFO] Creating inspection application segment request\n%+v\n", req) - + req := expandInspectionApplicationSegment(d, zClient, "") + log.Printf("[INFO] Creating application segment request\n%+v\n", req) if req.SegmentGroupID == "" { - log.Println("[ERROR] Please provde a valid segment group for the inspection application segment") - return fmt.Errorf("please provde a valid segment group for the inspection application segment") + log.Println("[ERROR] Please provde a valid segment group for the application segment") + return fmt.Errorf("please provde a valid segment group for the application segment") } resp, _, err := zClient.applicationsegmentinspection.Create(req) 
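Review bot: The rewritten log and error lines in resourceApplicationSegmentInspectionCreate drop the word "inspection", so the message is now identical to the one emitted by the generic application segment resource and provider logs can no longer tell the two apart; the Update path in this same file still says "inspection application segment". The new lines also carry the existing `provde` typo into fresh code. Suggest `log.Println("[ERROR] Please provide a valid segment group for the inspection application segment")` and `return fmt.Errorf("please provide a valid segment group for the inspection application segment")`. The function body continues past the end of this hunk.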
@@ -331,6 +339,7 @@ func resourceApplicationSegmentInspectionRead(d *schema.ResourceData, m interfac _ = d.Set("segment_group_id", resp.SegmentGroupID) _ = d.Set("segment_group_name", resp.SegmentGroupName) _ = d.Set("bypass_type", resp.BypassType) + _ = d.Set("config_space", resp.ConfigSpace) _ = d.Set("domain_names", resp.DomainNames) _ = d.Set("name", resp.Name) _ = d.Set("description", resp.Description) @@ -344,15 +353,12 @@ func resourceApplicationSegmentInspectionRead(d *schema.ResourceData, m interfac _ = d.Set("health_reporting", resp.HealthReporting) _ = d.Set("tcp_port_ranges", resp.TCPPortRanges) _ = d.Set("udp_port_ranges", resp.UDPPortRanges) + _ = d.Set("server_groups", flattenInspectionAppServerGroupsSimple(resp)) if err := d.Set("common_apps_dto", flattenInspectionCommonAppsDto(resp.InspectionAppDto)); err != nil { return fmt.Errorf("failed to read common application in application segment %s", err) } - if err := d.Set("server_groups", flattenInspectionAppServerGroups(resp.AppServerGroups)); err != nil { - return fmt.Errorf("failed to read app server groups %s", err) - } - if err := d.Set("tcp_port_range", flattenNetworkPorts(resp.TCPAppPortRange)); err != nil { return err } 
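Review bot: The new `_ = d.Set("server_groups", flattenInspectionAppServerGroupsSimple(resp))` discards the Set error that the removed block used to return, while the `common_apps_dto` Set two lines below still checks its error, so the two now disagree and a schema mismatch on server_groups would go unreported. Suggest keeping the check: `if err := d.Set("server_groups", flattenInspectionAppServerGroupsSimple(resp)); err != nil { return fmt.Errorf("failed to read app server groups %s", err) }`. Note also that the helper always returns a one-element list, so when the API returns no server groups the state will hold a single block with an empty id list; whether that yields a perpetual plan diff against a config with no server_groups block depends on the schema, which is outside this hunk. resourceApplicationSegmentInspectionRead continues past the end of the hunk.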
@@ -365,12 +371,24 @@ func resourceApplicationSegmentInspectionRead(d *schema.ResourceData, m interfac } +func flattenInspectionAppServerGroupsSimple(serverGroup *applicationsegmentinspection.AppSegmentInspection) []interface{} { + result := make([]interface{}, 1) + mapIds := make(map[string]interface{}) + ids := make([]string, len(serverGroup.AppServerGroups)) + for i, group := range serverGroup.AppServerGroups { + ids[i] = group.ID + } + mapIds["id"] = ids + result[0] = mapIds + return result +} + func resourceApplicationSegmentInspectionUpdate(d *schema.ResourceData, m interface{}) error { zClient := m.(*Client) id := d.Id() log.Printf("[INFO] Updating inspection application segment ID: %v\n", id) - req := expandInspectionApplicationSegment(d) + req := expandInspectionApplicationSegment(d, zClient, id) if d.HasChange("segment_group_id") && req.SegmentGroupID == "" { log.Println("[ERROR] Please provde a valid segment group for the inspection application segment") @@ -424,10 +442,11 @@ func detachInspectionPortalsFromGroup(client *Client, segmentID, segmentGroupID } -func expandInspectionApplicationSegment(d *schema.ResourceData) applicationsegmentinspection.AppSegmentInspection { +func expandInspectionApplicationSegment(d *schema.ResourceData, zClient *Client, id string) applicationsegmentinspection.AppSegmentInspection { details := applicationsegmentinspection.AppSegmentInspection{ SegmentGroupID: d.Get("segment_group_id").(string), BypassType: d.Get("bypass_type").(string), + ConfigSpace: d.Get("config_space").(string), PassiveHealthEnabled: d.Get("passive_health_enabled").(bool), ICMPAccessType: d.Get("icmp_access_type").(string), Description: d.Get("description").(string), 
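Review bot: flattenInspectionAppServerGroupsSimple has no doc comment and dereferences its argument unconditionally, so a nil *AppSegmentInspection would panic the provider rather than surface an error; the parameter name `serverGroup` is also misleading since the whole segment is passed in. Suggest `if serverGroup == nil { return nil }` as the first line, renaming the parameter to `segment`, and a comment such as `// flattenInspectionAppServerGroupsSimple returns a one-element list whose "id" entry holds the IDs of the segment's AppServerGroups.` The same hunk changes the Update call to `expandInspectionApplicationSegment(d, zClient, id)` and the next hunk changes that signature; the body of resourceApplicationSegmentInspectionUpdate continues past the hunk.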
@@ -452,20 +471,38 @@ func expandInspectionApplicationSegment(d *schema.ResourceData) applicationsegme if d.HasChange("server_groups") { details.AppServerGroups = expandInspectionAppServerGroups(d) } - TCPAppPortRange := expandNetwokPorts(d, "tcp_port_range") - if TCPAppPortRange != nil { - details.TCPAppPortRange = TCPAppPortRange + remoteTCPAppPortRanges := []string{} + remoteUDPAppPortRanges := []string{} + if zClient != nil && id != "" { + resource, _, err := zClient.applicationsegment.Get(id) + if err == nil { + remoteTCPAppPortRanges = resource.TCPPortRanges + remoteUDPAppPortRanges = resource.UDPPortRanges + } } - UDPAppPortRange := expandNetwokPorts(d, "udp_port_range") - if UDPAppPortRange != nil { - details.UDPAppPortRange = UDPAppPortRange + TCPAppPortRange := expandAppSegmentNetwokPorts(d, "tcp_port_range") + TCPAppPortRanges := convertToPortRange(d.Get("tcp_port_ranges").([]interface{})) + if isSameSlice(TCPAppPortRange, TCPAppPortRanges) || isSameSlice(TCPAppPortRange, remoteTCPAppPortRanges) { + details.TCPPortRanges = TCPAppPortRanges + } else { + details.TCPPortRanges = TCPAppPortRange } - if d.HasChange("udp_port_ranges") { - details.UDPPortRanges = convertToListString(d.Get("udp_port_ranges")) + + UDPAppPortRange := expandAppSegmentNetwokPorts(d, "udp_port_range") + UDPAppPortRanges := convertToPortRange(d.Get("udp_port_ranges").([]interface{})) + if isSameSlice(UDPAppPortRange, UDPAppPortRanges) || isSameSlice(UDPAppPortRange, remoteUDPAppPortRanges) { + details.UDPPortRanges = UDPAppPortRanges + } else { + details.UDPPortRanges = UDPAppPortRange } - if d.HasChange("tcp_port_ranges") { - details.TCPPortRanges = convertToListString(d.Get("tcp_port_ranges")) + + if details.TCPPortRanges == nil { + details.TCPPortRanges = []string{} } + if details.UDPPortRanges == nil { + details.UDPPortRanges = []string{} + } + return details } 
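Review bot: In expandInspectionApplicationSegment the remote lookup `resource, _, err := zClient.applicationsegment.Get(id)` goes through the generic application segment service rather than the inspection one, even though this same commit switches the inspection test to `client.applicationsegmentinspection.GetByName`; if the two services are not interchangeable for this ID the remote ranges are simply left empty, and because the result is only tested with `if err == nil`, any API or authentication failure is swallowed the same way. Suggest at least making the failure visible: `if err != nil { log.Printf("[WARN] unable to read current port ranges for application segment %s: %v", id, err) }`. The choice between the block-form and list-form ranges then rests on isSameSlice, which is not visible here — please confirm that a config using only `tcp_port_ranges` on update does not fall into the `else` branch and send the empty block-form list, since that would silently change the ports the segment exposes. Note also that `details.TCPAppPortRange`/`UDPAppPortRange`, which the removed lines populated, are no longer assigned anywhere in this hunk, while Read still flattens `resp.TCPAppPortRange` into `tcp_port_range`.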
diff --git a/zpa/resource_zpa_application_segment_inspection_test.go b/zpa/resource_zpa_application_segment_inspection_test.go index 2b8cf0aa..c6ecfcfa 100644 --- a/zpa/resource_zpa_application_segment_inspection_test.go +++ b/zpa/resource_zpa_application_segment_inspection_test.go @@ -74,7 +74,7 @@ func testAccCheckApplicationSegmentInspectionDestroy(s *terraform.State) error { continue } - _, _, err := client.applicationsegment.GetByName(rs.Primary.Attributes["name"]) + _, _, err := client.applicationsegmentinspection.GetByName(rs.Primary.Attributes["name"]) if err == nil { return fmt.Errorf("Inspection Application Segment still exists") } diff --git a/zpa/resource_zpa_application_segment_pra_test.go b/zpa/resource_zpa_application_segment_pra_test.go index 956a66ea..f00201d7 100644 --- a/zpa/resource_zpa_application_segment_pra_test.go +++ b/zpa/resource_zpa_application_segment_pra_test.go @@ -70,13 +70,13 @@ func testAccCheckApplicationSegmentPRADestroy(s *terraform.State) error { client := testAccProvider.Meta().(*Client) for _, rs := range s.RootModule().Resources { - if rs.Type != resourcetype.ZPAApplicationSegment { + if rs.Type != resourcetype.ZPAApplicationSegmentPRA { continue } - _, _, err := client.applicationsegment.GetByName(rs.Primary.Attributes["name"]) + _, _, err := client.applicationsegmentpra.GetByName(rs.Primary.Attributes["name"]) if err == nil { - return fmt.Errorf("Application Segment still exists") + return fmt.Errorf("Application Segment PRA still exists") } return nil 
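Review bot: In testAccCheckApplicationSegmentPRADestroy the new `_, _, err := client.applicationsegmentpra.GetByName(rs.Primary.Attributes["name"])` is followed by `if err == nil { ... }` and then `return nil`, so any error at all — a network failure or an expired session, not only "not found" — is accepted as proof that the resource was destroyed, and the `return nil` appears to sit inside the loop so only the first matching resource is checked; both are inherited from the old code, but the changed lines keep them. If the client exposes a not-found sentinel or status code, checking for it explicitly here would make the destroy check meaningful. The new error strings such as `"Application Segment PRA still exists"` are capitalised, which staticcheck's ST1005 flags; `fmt.Errorf("application segment PRA still exists")` keeps the convention.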
@@ -88,10 +88,10 @@ func testAccCheckApplicationSegmentPRAExists(resource string, segment *applicati return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[resource] if !ok { - return fmt.Errorf("Application Segment Not found: %s", resource) + return fmt.Errorf("Application Segment PRA Not found: %s", resource) } if rs.Primary.ID == "" { - return fmt.Errorf("no Application Segment ID is set") + return fmt.Errorf("no Application Segment PRA ID is set") } client := testAccProvider.Meta().(*Client) resp, _, err := client.applicationsegmentpra.GetByName(rs.Primary.Attributes["name"]) @@ -114,7 +114,7 @@ func testAccCheckApplicationSegmentPRAConfigure(resourceTypeAndName, generatedNa // segment group resource %s -// application segment resource +// application segment pra resource %s data "%s" "%s" {