Cloudstack security group (#9103)
* Add cloudstack_security_group resource * Update github.com/xanzy/go-cloudstack/cloudstack * Add support for security_group * Add documentation for cloudstack_security_group
This commit is contained in:
parent
aaff62242d
commit
d030b62b0b
|
@ -54,6 +54,7 @@ func Provider() terraform.ResourceProvider {
|
||||||
"cloudstack_nic": resourceCloudStackNIC(),
|
"cloudstack_nic": resourceCloudStackNIC(),
|
||||||
"cloudstack_port_forward": resourceCloudStackPortForward(),
|
"cloudstack_port_forward": resourceCloudStackPortForward(),
|
||||||
"cloudstack_secondary_ipaddress": resourceCloudStackSecondaryIPAddress(),
|
"cloudstack_secondary_ipaddress": resourceCloudStackSecondaryIPAddress(),
|
||||||
|
"cloudstack_security_group": resourceCloudStackSecurityGroup(),
|
||||||
"cloudstack_ssh_keypair": resourceCloudStackSSHKeyPair(),
|
"cloudstack_ssh_keypair": resourceCloudStackSSHKeyPair(),
|
||||||
"cloudstack_static_nat": resourceCloudStackStaticNAT(),
|
"cloudstack_static_nat": resourceCloudStackStaticNAT(),
|
||||||
"cloudstack_template": resourceCloudStackTemplate(),
|
"cloudstack_template": resourceCloudStackTemplate(),
|
||||||
|
|
|
@ -0,0 +1,310 @@
|
||||||
|
package cloudstack
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
|
"github.com/xanzy/go-cloudstack/cloudstack"
|
||||||
|
)
|
||||||
|
|
||||||
|
func resourceCloudStackSecurityGroup() *schema.Resource {
|
||||||
|
return &schema.Resource{
|
||||||
|
Create: resourceCloudStackSecurityGroupCreate,
|
||||||
|
Read: resourceCloudStackSecurityGroupRead,
|
||||||
|
Delete: resourceCloudStackSecurityGroupDelete,
|
||||||
|
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"name": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"description": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
Computed: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"project": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"rules": &schema.Schema{
|
||||||
|
Type: schema.TypeList,
|
||||||
|
ForceNew: true,
|
||||||
|
Optional: true,
|
||||||
|
Elem: &schema.Resource{
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"cidr_list": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"security_group": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"protocol": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"ports": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"traffic_type": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
Default: "ingress",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceCloudStackSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
cs := meta.(*cloudstack.CloudStackClient)
|
||||||
|
|
||||||
|
name := d.Get("name").(string)
|
||||||
|
|
||||||
|
// Create a new parameter struct
|
||||||
|
p := cs.SecurityGroup.NewCreateSecurityGroupParams(name)
|
||||||
|
|
||||||
|
// Set the description
|
||||||
|
if description, ok := d.GetOk("description"); ok {
|
||||||
|
p.SetDescription(description.(string))
|
||||||
|
} else {
|
||||||
|
p.SetDescription(name)
|
||||||
|
}
|
||||||
|
|
||||||
|
// If there is a project supplied, we retrieve and set the project id
|
||||||
|
if err := setProjectid(p, cs, d); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Creating security group %s", name)
|
||||||
|
r, err := cs.SecurityGroup.CreateSecurityGroup(p)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Security group %s successfully created with ID: %s", name, r.Id)
|
||||||
|
d.SetId(r.Id)
|
||||||
|
|
||||||
|
// Create Rules
|
||||||
|
rules := d.Get("rules").([]interface{})
|
||||||
|
for _, r := range rules {
|
||||||
|
|
||||||
|
rule := r.(map[string]interface{})
|
||||||
|
|
||||||
|
m := splitPorts.FindStringSubmatch(rule["ports"].(string))
|
||||||
|
startPort, err := strconv.Atoi(m[1])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
endPort := startPort
|
||||||
|
if m[2] != "" {
|
||||||
|
endPort, err = strconv.Atoi(m[2])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
traffic := rule["traffic_type"].(string)
|
||||||
|
if traffic == "ingress" {
|
||||||
|
param := cs.SecurityGroup.NewAuthorizeSecurityGroupIngressParams()
|
||||||
|
|
||||||
|
param.SetSecuritygroupid(d.Id())
|
||||||
|
if cidrlist := rule["cidr_list"]; cidrlist != "" {
|
||||||
|
param.SetCidrlist([]string{cidrlist.(string)})
|
||||||
|
log.Printf("[DEBUG] cidr = %v", cidrlist)
|
||||||
|
}
|
||||||
|
if securitygroup := rule["security_group"]; securitygroup != "" {
|
||||||
|
// Get the security group details
|
||||||
|
ag, count, err := cs.SecurityGroup.GetSecurityGroupByName(
|
||||||
|
securitygroup.(string),
|
||||||
|
cloudstack.WithProject(d.Get("project").(string)),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
if count == 0 {
|
||||||
|
log.Printf("[DEBUG] Security group %s does not longer exist", d.Get("name").(string))
|
||||||
|
d.SetId("")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Found %v groups matching", count)
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
log.Printf("[DEBUG] ag = %v", ag)
|
||||||
|
m := make(map[string]string)
|
||||||
|
m[ag.Account] = ag.Name
|
||||||
|
log.Printf("[DEBUG] m = %v", m)
|
||||||
|
param.SetUsersecuritygrouplist(m)
|
||||||
|
}
|
||||||
|
param.SetStartport(startPort)
|
||||||
|
param.SetEndport(endPort)
|
||||||
|
param.SetProtocol(rule["protocol"].(string))
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Authorizing Ingress Rule %#v", param)
|
||||||
|
_, err := cs.SecurityGroup.AuthorizeSecurityGroupIngress(param)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
} else if traffic == "egress" {
|
||||||
|
param := cs.SecurityGroup.NewAuthorizeSecurityGroupEgressParams()
|
||||||
|
|
||||||
|
param.SetSecuritygroupid(d.Id())
|
||||||
|
if cidrlist := rule["cidr_list"]; cidrlist != "" {
|
||||||
|
param.SetCidrlist([]string{cidrlist.(string)})
|
||||||
|
log.Printf("[DEBUG] cidr = %v", cidrlist)
|
||||||
|
}
|
||||||
|
if securitygroup := rule["security_group"]; securitygroup != "" {
|
||||||
|
// Get the security group details
|
||||||
|
ag, count, err := cs.SecurityGroup.GetSecurityGroupByName(
|
||||||
|
securitygroup.(string),
|
||||||
|
cloudstack.WithProject(d.Get("project").(string)),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
if count == 0 {
|
||||||
|
log.Printf("[DEBUG] Security group %s does not longer exist", d.Get("name").(string))
|
||||||
|
d.SetId("")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Found %v groups matching", count)
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
log.Printf("[DEBUG] ag = %v", ag)
|
||||||
|
m := make(map[string]string)
|
||||||
|
m[ag.Account] = ag.Name
|
||||||
|
log.Printf("[DEBUG] m = %v", m)
|
||||||
|
param.SetUsersecuritygrouplist(m)
|
||||||
|
}
|
||||||
|
param.SetStartport(startPort)
|
||||||
|
param.SetEndport(endPort)
|
||||||
|
param.SetProtocol(rule["protocol"].(string))
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Authorizing Egress Rule %#v", param)
|
||||||
|
_, err := cs.SecurityGroup.AuthorizeSecurityGroupEgress(param)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return fmt.Errorf(
|
||||||
|
"Parameter traffic_type only accepts 'ingress' or 'egress' as values")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return resourceCloudStackSecurityGroupRead(d, meta)
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceCloudStackSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
cs := meta.(*cloudstack.CloudStackClient)
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Retrieving security group %s (ID=%s)", d.Get("name").(string), d.Id())
|
||||||
|
|
||||||
|
// Get the security group details
|
||||||
|
ag, count, err := cs.SecurityGroup.GetSecurityGroupByID(
|
||||||
|
d.Id(),
|
||||||
|
cloudstack.WithProject(d.Get("project").(string)),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
if count == 0 {
|
||||||
|
log.Printf("[DEBUG] Security group %s does not longer exist", d.Get("name").(string))
|
||||||
|
d.SetId("")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] Found %v groups matching", count)
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update the config
|
||||||
|
d.Set("name", ag.Name)
|
||||||
|
d.Set("description", ag.Description)
|
||||||
|
|
||||||
|
var rules []interface{}
|
||||||
|
for _, r := range ag.Ingressrule {
|
||||||
|
var ports string
|
||||||
|
if r.Startport == r.Endport {
|
||||||
|
ports = strconv.Itoa(r.Startport)
|
||||||
|
} else {
|
||||||
|
ports = fmt.Sprintf("%v-%v", r.Startport, r.Endport)
|
||||||
|
}
|
||||||
|
rule := map[string]interface{}{
|
||||||
|
"cidr_list": r.Cidr,
|
||||||
|
"ports": ports,
|
||||||
|
"protocol": r.Protocol,
|
||||||
|
"traffic_type": "ingress",
|
||||||
|
"security_group": r.Securitygroupname,
|
||||||
|
}
|
||||||
|
rules = append(rules, rule)
|
||||||
|
}
|
||||||
|
for _, r := range ag.Egressrule {
|
||||||
|
var ports string
|
||||||
|
if r.Startport == r.Endport {
|
||||||
|
ports = strconv.Itoa(r.Startport)
|
||||||
|
} else {
|
||||||
|
ports = fmt.Sprintf("%s-%s", r.Startport, r.Endport)
|
||||||
|
}
|
||||||
|
rule := map[string]interface{}{
|
||||||
|
"cidr_list": r.Cidr,
|
||||||
|
"ports": ports,
|
||||||
|
"protocol": r.Protocol,
|
||||||
|
"traffic_type": "egress",
|
||||||
|
"security_group": r.Securitygroupname,
|
||||||
|
}
|
||||||
|
rules = append(rules, rule)
|
||||||
|
}
|
||||||
|
d.Set("rules", rules)
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceCloudStackSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
cs := meta.(*cloudstack.CloudStackClient)
|
||||||
|
|
||||||
|
// Create a new parameter struct
|
||||||
|
p := cs.SecurityGroup.NewDeleteSecurityGroupParams()
|
||||||
|
p.SetId(d.Id())
|
||||||
|
|
||||||
|
// If there is a project supplied, we retrieve and set the project id
|
||||||
|
if err := setProjectid(p, cs, d); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete the security group
|
||||||
|
_, err := cs.SecurityGroup.DeleteSecurityGroup(p)
|
||||||
|
if err != nil {
|
||||||
|
// This is a very poor way to be told the ID does no longer exist :(
|
||||||
|
if strings.Contains(err.Error(), fmt.Sprintf(
|
||||||
|
"Invalid parameter id value=%s due to incorrect long value format, "+
|
||||||
|
"or entity does not exist", d.Id())) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Errorf("Error deleting security group: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
|
@ -107,6 +107,10 @@ func (s *SecurityGroupService) CreateSecurityGroup(p *CreateSecurityGroupParams)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if resp, err = getRawValue(resp); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
var r CreateSecurityGroupResponse
|
var r CreateSecurityGroupResponse
|
||||||
if err := json.Unmarshal(resp, &r); err != nil {
|
if err := json.Unmarshal(resp, &r); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -329,8 +333,8 @@ func (p *AuthorizeSecurityGroupIngressParams) toURLValues() url.Values {
|
||||||
if v, found := p.p["usersecuritygrouplist"]; found {
|
if v, found := p.p["usersecuritygrouplist"]; found {
|
||||||
i := 0
|
i := 0
|
||||||
for k, vv := range v.(map[string]string) {
|
for k, vv := range v.(map[string]string) {
|
||||||
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].key", i), k)
|
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].account", i), k)
|
||||||
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].value", i), vv)
|
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].group", i), vv)
|
||||||
i++
|
i++
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -617,8 +621,8 @@ func (p *AuthorizeSecurityGroupEgressParams) toURLValues() url.Values {
|
||||||
if v, found := p.p["usersecuritygrouplist"]; found {
|
if v, found := p.p["usersecuritygrouplist"]; found {
|
||||||
i := 0
|
i := 0
|
||||||
for k, vv := range v.(map[string]string) {
|
for k, vv := range v.(map[string]string) {
|
||||||
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].key", i), k)
|
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].account", i), k)
|
||||||
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].value", i), vv)
|
u.Set(fmt.Sprintf("usersecuritygrouplist[%d].group", i), vv)
|
||||||
i++
|
i++
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2137,11 +2137,11 @@
|
||||||
"revision": "9051bd6b44125d9472e0c148b5965692ab283d4a"
|
"revision": "9051bd6b44125d9472e0c148b5965692ab283d4a"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "CT9vuv0kaEnwEDcNywB/wD6eA54=",
|
"checksumSHA1": "s6bz9U3gi638R0Ln7v14h5+e2Wg=",
|
||||||
"comment": "v2.1.3",
|
"comment": "v2.1.3",
|
||||||
"path": "github.com/xanzy/go-cloudstack/cloudstack",
|
"path": "github.com/xanzy/go-cloudstack/cloudstack",
|
||||||
"revision": "b33e8849d135b99cb8236237524d10b41f597cb3",
|
"revision": "ff444b1afdd1961f8118bad30db9fa27cb989ced",
|
||||||
"revisionTime": "2016-08-31T14:38:59Z"
|
"revisionTime": "2016-10-24T10:36:39Z"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"path": "github.com/xanzy/ssh-agent",
|
"path": "github.com/xanzy/ssh-agent",
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
---
|
||||||
|
layout: "cloudstack"
|
||||||
|
page_title: "CloudStack: cloudstack_security_group"
|
||||||
|
sidebar_current: "docs-cloudstack-resource-security_group"
|
||||||
|
description: |-
|
||||||
|
Creates security group.
|
||||||
|
---
|
||||||
|
|
||||||
|
# cloudstack\_security\_group
|
||||||
|
|
||||||
|
Creates security group.
|
||||||
|
|
||||||
|
## Example Usage
|
||||||
|
|
||||||
|
```
|
||||||
|
resource "cloudstack_security_group" "default" {
|
||||||
|
name = "allow_web"
|
||||||
|
description = "Allow access to HTTP and HTTPS"
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
cidr_list = "0.0.0.0/0"
|
||||||
|
protocol = "tcp"
|
||||||
|
ports = "80"
|
||||||
|
traffic_type = "ingress"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
cidr_list = "0.0.0.0/0"
|
||||||
|
protocol = "tcp"
|
||||||
|
ports = "443"
|
||||||
|
traffic_type = "ingress"
|
||||||
|
},
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Argument Reference
|
||||||
|
|
||||||
|
The following arguments are supported:
|
||||||
|
|
||||||
|
* `name` - (Required) The Name of the Security Group to create. Changing this
|
||||||
|
forces a new resource to be created.
|
||||||
|
|
||||||
|
* `description` - (Optional) The description of the Security Group to create.
|
||||||
|
Changing this forces a new resource to be created.
|
||||||
|
|
||||||
|
* `rules` - (Optional) List of rule blocks, supported fields documented below.
|
||||||
|
|
||||||
|
The `rule` block supports:
|
||||||
|
|
||||||
|
* `cidr_list` - (Optional) A CIDR list to allow access to the given ports.
|
||||||
|
|
||||||
|
* `security_group` - (Optional) A Security Group to apply the rules to.
|
||||||
|
|
||||||
|
* `protocol` - (Required) The name of the protocol to allow. Valid options are:
|
||||||
|
`tcp`, `udp` and `icmp`.
|
||||||
|
|
||||||
|
* `ports` - (Optional) List of ports and/or port ranges to allow. This can only
|
||||||
|
be specified if the protocol is TCP or UDP.
|
||||||
|
|
||||||
|
* `traffic_type` - (Optional) Weither Ingress or Egress. (Default: Ingress).
|
||||||
|
|
||||||
|
## Attributes Reference
|
||||||
|
|
||||||
|
The following attributes are exported:
|
||||||
|
|
||||||
|
* `name` - The name of the Security Group.
|
||||||
|
|
Loading…
Reference in New Issue