feat: tcr - support multiple security policy

Author: Kagashino

tencentcloud/resource_tc_tcr_instance.go

@@ -27,18 +27,19 @@ package tencentcloud
 import (
 	"context"
 	"fmt"
-
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	tcr "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tcr/v20190924"
 	"github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+	"log"
 )
 
 func resourceTencentCloudTcrInstance() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceTencentCloudTcrInstanceCreate,
 		Read:   resourceTencentCloudTcrInstanceRead,
 		Update: resourceTencentCloudTcrInstanceUpdate,
-		Delete: resourceTencentCLoudTcrInstanceDelete,
+		Delete: resourceTencentCloudTcrInstanceDelete,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
@@ -67,6 +68,35 @@ func resourceTencentCloudTcrInstance() *schema.Resource {
 				Default:     false,
 				Description: "Control public network access.",
 			},
+			"security_policy": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: "Public network access allowlist policies of the TCR instance.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cidr_block": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "The public network IP address of the access source.",
+						},
+						"description": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Remarks of policy.",
+						},
+						"index": {
+							Type:        schema.TypeInt,
+							Computed:    true,
+							Description: "Index of policy.",
+						},
+						"version": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Version of policy.",
+						},
+					},
+				},
+			},
 			//Computed values
 			"status": {
 				Type:        schema.TypeString,
@@ -104,17 +134,23 @@ func resourceTencentCloudTcrInstanceCreate(d *schema.ResourceData, meta interfac
 	logId := getLogId(contextNil)
 	ctx := context.WithValue(context.TODO(), logIdKey, logId)
 
-	tcrService := TCRService{client: meta.(*TencentCloudClient).apiV3Conn}
+	client := meta.(*TencentCloudClient).apiV3Conn
+	tcrService := TCRService{client: client}
 
 	var (
 		name           = d.Get("name").(string)
 		insType        = d.Get("instance_type").(string)
 		outErr, inErr  error
 		instanceId     string
 		instanceStatus string
-		operation      bool
+		operation      = d.Get("open_public_operation").(bool)
 	)
 
+	// Check if security_policy but open_public_operation is false
+	if _, ok := d.GetOk("security_policy"); ok && !operation {
+		return fmt.Errorf("`open_public_operation` must be `true` if `security_policy` set")
+	}
+
 	outErr = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
 		instanceId, inErr = tcrService.CreateTCRInstance(ctx, name, insType, map[string]string{})
 		if inErr != nil {
@@ -147,9 +183,11 @@ func resourceTencentCloudTcrInstanceCreate(d *schema.ResourceData, meta interfac
 		return err
 	}
 	if instanceStatus == "Running" {
+		openPublicOperation, ok := d.GetOk("open_public_operation")
+		operation = openPublicOperation.(bool)
+
 		outErr = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-			if v, ok := d.GetOk("open_public_operation"); ok {
-				operation = v.(bool)
+			if ok {
 				if operation {
 					inErr = tcrService.ManageTCRExternalEndpoint(ctx, instanceId, "Create")
 				} else {
@@ -164,6 +202,38 @@ func resourceTencentCloudTcrInstanceCreate(d *schema.ResourceData, meta interfac
 		if outErr != nil {
 			return outErr
 		}
+
+		if raw, ok := d.GetOk("security_policy"); ok && operation {
+			// Waiting for External EndPoint opened
+			err = resource.Retry(5*readRetryTimeout, func() *resource.RetryError {
+				var (
+					status string
+				)
+				status, _, err =  tcrService.DescribeExternalEndpointStatus(ctx, instanceId)
+				if err != nil {
+					return resource.NonRetryableError(fmt.Errorf("an error occured during DescribeExternalEndpointStatus: %s", err.Error()))
+				}
+
+				if status == "Opened" {
+					return nil
+				}
+
+				if status == "Opening" {
+					return resource.RetryableError(fmt.Errorf("external endpoint status is `%s`, retrying", status))
+				}
+
+				return resource.NonRetryableError(fmt.Errorf("unexpected external endpoint status: `%s`", status))
+			})
+
+			if err != nil {
+				return err
+			}
+			if err := resourceTencentCloudTcrSecurityPolicyAdd(d, meta, raw.(*schema.Set).List()); err != nil {
+				return err
+			}
+		} else if !operation {
+			log.Printf("[WARN] `open_public_operation` was not opened, skip `security_policy` set.")
+		}
 	}
 
 	if tags := helper.GetTags(d, "tags"); len(tags) > 0 {
@@ -185,7 +255,8 @@ func resourceTencentCloudTcrInstanceRead(d *schema.ResourceData, meta interface{
 	ctx := context.WithValue(context.TODO(), logIdKey, logId)
 
 	var outErr, inErr error
-	tcrService := TCRService{client: meta.(*TencentCloudClient).apiV3Conn}
+	client := meta.(*TencentCloudClient).apiV3Conn
+	tcrService := TCRService{client: client}
 	instance, has, outErr := tcrService.DescribeTCRInstanceById(ctx, d.Id())
 	if outErr != nil {
 		outErr = resource.Retry(readRetryTimeout, func() *resource.RetryError {
@@ -234,6 +305,31 @@ func resourceTencentCloudTcrInstanceRead(d *schema.ResourceData, meta interface{
 	_ = d.Set("internal_end_point", instance.InternalEndpoint)
 	_ = d.Set("public_status", publicStatus)
 
+	request := tcr.NewDescribeSecurityPoliciesRequest()
+	request.RegistryId = helper.String(d.Id())
+	response, err := client.UseTCRClient().DescribeSecurityPolicies(request)
+	if err == nil {
+		if response.Response.SecurityPolicySet != nil {
+			securityPolicySet := response.Response.SecurityPolicySet
+			policies := make([]interface{}, 0, len(securityPolicySet))
+			for i := range securityPolicySet {
+				item := securityPolicySet[i]
+				policy := make(map[string]interface{})
+				policy["cidr_block"] = *item.CidrBlock
+				policy["description"] = *item.Description
+				policy["index"] = *item.PolicyIndex
+				policy["version"] = *item.PolicyVersion
+				policies = append(policies, policy)
+			}
+			if err := d.Set("security_policy", policies); err != nil {
+				return err
+			}
+		}
+	} else {
+		_ = d.Set("security_policy", make([]interface{}, 0))
+		log.Printf("[WARN] %s error: %s", request.GetAction(), err.Error())
+	}
+
 	tags := make(map[string]string, len(instance.TagSpecification.Tags))
 	for _, tag := range instance.TagSpecification.Tags {
 		tags[*tag.Key] = *tag.Value
@@ -259,16 +355,13 @@ func resourceTencentCloudTcrInstanceUpdate(d *schema.ResourceData, meta interfac
 	if d.HasChange("open_public_operation") {
 		operation = d.Get("open_public_operation").(bool)
 		outErr = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-			if v, ok := d.GetOk("open_public_operation"); ok {
-				operation = v.(bool)
-				if operation {
-					inErr = tcrService.ManageTCRExternalEndpoint(ctx, instanceId, "Create")
-				} else {
-					inErr = tcrService.ManageTCRExternalEndpoint(ctx, instanceId, "Delete")
-				}
-				if inErr != nil {
-					return retryError(inErr)
-				}
+			if operation {
+				inErr = tcrService.ManageTCRExternalEndpoint(ctx, instanceId, "Create")
+			} else {
+				inErr = tcrService.ManageTCRExternalEndpoint(ctx, instanceId, "Delete")
+			}
+			if inErr != nil {
+				return retryError(inErr)
 			}
 			return nil
 		})
@@ -277,6 +370,53 @@ func resourceTencentCloudTcrInstanceUpdate(d *schema.ResourceData, meta interfac
 		}
 	}
 
+	if d.HasChange("security_policy") {
+		var err error
+		// Waiting for External EndPoint opened
+		err = resource.Retry(5*readRetryTimeout, func() *resource.RetryError {
+			var (
+				status string
+			)
+			status, _, err =  tcrService.DescribeExternalEndpointStatus(ctx, instanceId)
+			if err != nil {
+				return resource.NonRetryableError(fmt.Errorf("an error occured during DescribeExternalEndpointStatus: %s", err.Error()))
+			}
+
+			if status == "Opened" {
+				return nil
+			}
+
+			if status == "Opening" {
+				return resource.RetryableError(fmt.Errorf("external endpoint status is `%s`, retrying", status))
+			}
+
+			return resource.NonRetryableError(fmt.Errorf("unexpected external endpoint status: `%s`", status))
+		})
+
+		if err != nil {
+			return err
+		}
+
+		o, n := d.GetChange("security_policy")
+		os := o.(*schema.Set)
+		ns := n.(*schema.Set)
+		add := ns.Difference(os).List()
+		remove := os.Difference(ns).List()
+		if len(remove) > 0 {
+			err := resourceTencentCloudTcrSecurityPolicyRemove(d, meta, remove)
+			if err != nil {
+				return err
+			}
+		}
+		if len(add) > 0 {
+			err := resourceTencentCloudTcrSecurityPolicyAdd(d, meta, add)
+			if err != nil {
+				return err
+			}
+		}
+		d.SetPartial("security_policy")
+	}
+
 	if d.HasChange("tags") {
 		oldTags, newTags := d.GetChange("tags")
 		replaceTags, deleteTags := diffTags(oldTags.(map[string]interface{}), newTags.(map[string]interface{}))
@@ -292,7 +432,7 @@ func resourceTencentCloudTcrInstanceUpdate(d *schema.ResourceData, meta interfac
 	return resourceTencentCloudTcrInstanceRead(d, meta)
 }
 
-func resourceTencentCLoudTcrInstanceDelete(d *schema.ResourceData, meta interface{}) error {
+func resourceTencentCloudTcrInstanceDelete(d *schema.ResourceData, meta interface{}) error {
 	defer logElapsed("resource.tencentcloud_tcr_instance.delete")()
 
 	logId := getLogId(contextNil)
@@ -338,3 +478,63 @@ func resourceTencentCLoudTcrInstanceDelete(d *schema.ResourceData, meta interfac
 
 	return nil
 }
+
+func resourceTencentCloudTcrSecurityPolicyAdd(d *schema.ResourceData, meta interface{}, add []interface{}) error {
+	client := meta.(*TencentCloudClient).apiV3Conn
+	request := tcr.NewCreateMultipleSecurityPolicyRequest()
+	request.RegistryId = helper.String(d.Id())
+
+	for _, i := range add {
+		dMap := i.(map[string]interface{})
+		policy := &tcr.SecurityPolicy{}
+		if cidr, ok := dMap["cidr_block"]; ok {
+			policy.CidrBlock = helper.String(cidr.(string))
+		}
+		if desc, ok := dMap["description"]; ok {
+			policy.Description = helper.String(desc.(string))
+		}
+		if index, ok := dMap["index"]; ok {
+			policy.PolicyIndex = helper.IntInt64(index.(int))
+		}
+		if version, ok := dMap["version"]; ok {
+			policy.PolicyVersion = helper.String(version.(string))
+		}
+		request.SecurityGroupPolicySet = append(request.SecurityGroupPolicySet, policy)
+	}
+
+	_, err := client.UseTCRClient().CreateMultipleSecurityPolicy(request)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func resourceTencentCloudTcrSecurityPolicyRemove(d *schema.ResourceData, meta interface{}, remove []interface{}) error {
+	client := meta.(*TencentCloudClient).apiV3Conn
+	request := tcr.NewDeleteMultipleSecurityPolicyRequest()
+	request.RegistryId = helper.String(d.Id())
+
+	for _, i := range remove {
+		dMap := i.(map[string]interface{})
+		policy := &tcr.SecurityPolicy{}
+		if cidr, ok := dMap["cidr_block"]; ok {
+			policy.CidrBlock = helper.String(cidr.(string))
+		}
+		if desc, ok := dMap["description"]; ok {
+			policy.Description = helper.String(desc.(string))
+		}
+		if index, ok := dMap["index"]; ok {
+			policy.PolicyIndex = helper.IntInt64(index.(int))
+		}
+		if version, ok := dMap["version"]; ok {
+			policy.PolicyVersion = helper.String(version.(string))
+		}
+		request.SecurityGroupPolicySet = append(request.SecurityGroupPolicySet, policy)
+	}
+
+	_, err := client.UseTCRClient().DeleteMultipleSecurityPolicy(request)
+	if err != nil {
+		return err
+	}
+	return nil
+}

tencentcloud/resource_tc_tcr_instance_test.go

@@ -41,6 +41,19 @@ func TestAccTencentCloudTCRInstance_basic_and_update(t *testing.T) {
 					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "tags.test", "test"),
 					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "delete_bucket", "true"),
 					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "open_public_operation", "true"),
+					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "security_policy.#", "2"),
+					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "security_policy.0.cidr_block", "192.168.1.1/24"),
+					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "security_policy.1.cidr_block", "10.0.0.1/16"),
+				),
+				Destroy: false,
+			},
+			{
+				Config: testAccTCRInstance_basic_update_security,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckTCRInstanceExists("tencentcloud_tcr_instance.mytcr_instance"),
+					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "open_public_operation", "true"),
+					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "security_policy.#", "1"),
+					resource.TestCheckResourceAttr("tencentcloud_tcr_instance.mytcr_instance", "security_policy.0.cidr_block", "192.168.1.1/24"),
 				),
 			},
 		},
@@ -109,7 +122,32 @@ resource "tencentcloud_tcr_instance" "mytcr_instance" {
   instance_type = "basic"
   delete_bucket = true
   open_public_operation = true
+  security_policy {
+    cidr_block = "192.168.1.1/24"
+  }
+  security_policy {
+    cidr_block = "10.0.0.1/16"
+  }
+
   tags ={
 	test = "test"
   }
 }`
+
+
+const testAccTCRInstance_basic_update_security = `
+resource "tencentcloud_tcr_instance" "mytcr_instance" {
+  name        = "testacctcrinstance1"
+  instance_type = "basic"
+  delete_bucket = true
+  open_public_operation = true
+
+  security_policy {
+    cidr_block = "192.168.1.1/24"
+  }
+
+  tags ={
+	test = "test"
+  }
+}
+`

website/docs/r/tcr_instance.html.markdown

@@ -32,8 +32,14 @@ The following arguments are supported:
 * `name` - (Required, ForceNew) Name of the TCR instance.
 * `delete_bucket` - (Optional) Indicate to delete the COS bucket which is auto-created with the instance or not.
 * `open_public_operation` - (Optional) Control public network access.
+* `security_policy` - (Optional) Public network access allowlist policies of the TCR instance.
 * `tags` - (Optional) The available tags within this TCR instance.
 
+The `security_policy` object supports the following:
+
+* `cidr_block` - (Optional) The public network IP address of the access source.
+* `description` - (Optional) Remarks of policy.
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported: