Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

netapp_account_resource add missing Active Directory properties #25340

Merged
merged 15 commits into from
Mar 21, 2024
78 changes: 68 additions & 10 deletions internal/services/netapp/netapp_account_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -86,8 +86,8 @@ func resourceNetAppAccount() *pluginsdk.Resource {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringMatch(
regexp.MustCompile(`^[\da-zA-Z]{1,10}$`),
`The smb server name can not be longer than 10 characters in length.`,
regexp.MustCompile(`^[\da-zA-Z\-]{1,10}$`),
`smb_server_name can contain a mix of numbers, upper/lowercase letters, dashes, and be no longer than 10 characters.`,
),
},
"username": {
Expand All @@ -102,8 +102,58 @@ func resourceNetAppAccount() *pluginsdk.Resource {
ValidateFunc: validation.StringIsNotEmpty,
},
"organizational_unit": {
Type: pluginsdk.TypeString,
Optional: true,
Type: pluginsdk.TypeString,
Optional: true,
Default: "CN=Computers",
katbyte marked this conversation as resolved.
Show resolved Hide resolved
Description: "The Organizational Unit (OU) within the Windows Active Directory where machines will be created. If blank, defaults to 'CN=Computers'",
},
"site_name": {
Type: pluginsdk.TypeString,
Optional: true,
Default: "Default-First-Site-Name",
katbyte marked this conversation as resolved.
Show resolved Hide resolved
Description: "The Active Directory site the service will limit Domain Controller discovery to. If blank, defaults to 'Default-First-Site-Name'",
},
"ad_name": {
bruceharrison1984 marked this conversation as resolved.
Show resolved Hide resolved
Type: pluginsdk.TypeString,
Optional: true,
Description: "Name of the active directory machine. This optional parameter is used only while creating kerberos volume.",
},
"kdc_ip": {
bruceharrison1984 marked this conversation as resolved.
Show resolved Hide resolved
Type: pluginsdk.TypeString,
Optional: true,
ValidateFunc: validation.IsIPv4Address,
Description: "IP address of the KDC server (usually same the DC). This optional parameter is used only while creating kerberos volume.",
},
"enable_aes_encryption": {
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Description: "If enabled, AES encryption will be enabled for SMB communication.",
},
"allow_local_nfs_users_with_ldap": {
bruceharrison1984 marked this conversation as resolved.
Show resolved Hide resolved
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Description: "If enabled, NFS client local users can also (in addition to LDAP users) access the NFS volumes.",
},
"enable_ldap_over_tls": {
bruceharrison1984 marked this conversation as resolved.
Show resolved Hide resolved
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Description: "Specifies whether or not the LDAP traffic needs to be secured via TLS.",
},
"server_root_ca_certificate": {
Type: pluginsdk.TypeString,
Sensitive: true,
Optional: true,
RequiredWith: []string{"active_directory.0.enable_ldap_over_tls"},
Description: "When LDAP over SSL/TLS is enabled, the LDAP client is required to have base64 encoded Active Directory Certificate Service's self-signed root CA certificate, this optional parameter is used only for dual protocol with LDAP user-mapping volumes.",
},
"enable_ldap_signing": {
bruceharrison1984 marked this conversation as resolved.
Show resolved Hide resolved
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Description: "Specifies whether or not the LDAP traffic needs to be signed.",
},
},
},
Expand Down Expand Up @@ -300,12 +350,20 @@ func expandNetAppActiveDirectories(input []interface{}) *[]netappaccounts.Active
dns := strings.Join(*utils.ExpandStringSlice(v["dns_servers"].([]interface{})), ",")

result := netappaccounts.ActiveDirectory{
Dns: utils.String(dns),
Domain: utils.String(v["domain"].(string)),
OrganizationalUnit: utils.String(v["organizational_unit"].(string)),
Password: utils.String(v["password"].(string)),
SmbServerName: utils.String(v["smb_server_name"].(string)),
Username: utils.String(v["username"].(string)),
Dns: utils.String(dns),
Domain: utils.String(v["domain"].(string)),
OrganizationalUnit: utils.String(v["organizational_unit"].(string)),
Password: utils.String(v["password"].(string)),
SmbServerName: utils.String(v["smb_server_name"].(string)),
Username: utils.String(v["username"].(string)),
Site: utils.String(v["site_name"].(string)),
AdName: utils.String(v["ad_name"].(string)),
KdcIP: utils.String(v["kdc_ip"].(string)),
AesEncryption: utils.Bool(v["enable_aes_encryption"].(bool)),
AllowLocalNfsUsersWithLdap: utils.Bool(v["allow_local_nfs_users_with_ldap"].(bool)),
LdapOverTLS: utils.Bool(v["enable_ldap_over_tls"].(bool)),
ServerRootCACertificate: utils.String(v["server_root_ca_certificate"].(string)),
LdapSigning: utils.Bool(v["enable_ldap_signing"].(bool)),
}

results = append(results, result)
Expand Down
35 changes: 28 additions & 7 deletions internal/services/netapp/netapp_account_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ import (

type NetAppAccountResource struct{}

func TestAccNetAppAccount(t *testing.T) {
func TestAccNetAppAccountResource(t *testing.T) {
// NOTE: this is a combined test rather than separate split out tests since
// Azure allows only one active directory can be joined to a single subscription at a time for NetApp Account.
// The CI system runs all tests in parallel, so the tests need to be changed to run one at a time.
Expand Down Expand Up @@ -85,6 +85,19 @@ func testAccNetAppAccount_complete(t *testing.T) {
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("active_directory.#").HasValue("1"),
check.That(data.ResourceName).Key("active_directory.0.username").HasValue("aduser"),
check.That(data.ResourceName).Key("active_directory.0.password").HasValue("aduserpwd"),
check.That(data.ResourceName).Key("active_directory.0.smb_server_name").HasValue("SMB-SERVER"),
check.That(data.ResourceName).Key("active_directory.0.dns_servers.#").HasValue("2"),
check.That(data.ResourceName).Key("active_directory.0.domain").HasValue("westcentralus.com"),
check.That(data.ResourceName).Key("active_directory.0.organizational_unit").HasValue("OU=FirstLevel"),
check.That(data.ResourceName).Key("active_directory.0.site_name").HasValue("My-Site-Name"),
check.That(data.ResourceName).Key("active_directory.0.ad_name").HasValue("My-AD-Server"),
check.That(data.ResourceName).Key("active_directory.0.enable_aes_encryption").HasValue("true"),
check.That(data.ResourceName).Key("active_directory.0.allow_local_nfs_users_with_ldap").HasValue("true"),
check.That(data.ResourceName).Key("active_directory.0.enable_ldap_over_tls").HasValue("true"),
check.That(data.ResourceName).Key("active_directory.0.server_root_ca_certificate").HasValue("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNZekNDQWN5Z0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREF1TVFzd0NRWURWUVFHRXdKVlV6RU0gCk1Bb0dBMVVFQ2hNRFNVSk5NUkV3RHdZRFZRUUxFd2hNYjJOaGJDQkRRVEFlRncwNU9URXlNakl3TlRBd01EQmEgCkZ3MHdNREV5TWpNd05EVTVOVGxhTUM0eEN6QUpCZ05WQkFZVEFsVlRNUXd3Q2dZRFZRUUtFd05KUWsweEVUQVAgCkJnTlZCQXNUQ0V4dlkyRnNJRU5CTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEMmJaRW8gCjd4R2FYMi8wR0hrck5GWnZseEJvdTl2MUptdC9QRGlUTVB2ZThyOUZlSkFRMFFkdkZTVC8wSlBRWUQyMHJIMGIgCmltZERMZ05kTnlubXlSb1MyUy9JSW5mcG1mNjlpeWMyRzBUUHlSdm1ISWlPWmJkQ2QrWUJIUWkxYWRrajE3TkQgCmNXajZTMTR0VnVyRlg3M3p4MHNOb01TNzlxM3R1WEtyRHN4ZXV3SURBUUFCbzRHUU1JR05NRXNHQ1ZVZER3R0cgCitFSUJEUVErRXp4SFpXNWxjbUYwWldRZ1lua2dkR2hsSUZObFkzVnlaVmRoZVNCVFpXTjFjbWwwZVNCVFpYSjIgClpYSWdabTl5SUU5VEx6TTVNQ0FvVWtGRFJpa3dEZ1lEVlIwUEFRSC9CQVFEQWdBR01BOEdBMVVkRXdFQi93UUYgCk1BTUJBZjh3SFFZRFZSME9CQllFRkozK29jUnlDVEp3MDY3ZExTd3IvbmFseDZZTU1BMEdDU3FHU0liM0RRRUIgCkJRVUFBNEdCQU1hUXp0K3phajFHVTc3eXpscjhpaU1CWGdkUXJ3c1paV0pvNWV4bkF1Y0pBRVlRWm1PZnlMaU0gCkQ2b1lxK1puZnZNMG44Ry9ZNzlxOG5od3Z1eHBZT25SU0FYRnA2eFNrcklPZVp0Sk1ZMWgwMExLcC9KWDNOZzEgCnN2WjJhZ0UxMjZKSHNRMGJoek41VEtzWWZid2ZUd2ZqZFdBR3k2VmYxbllpL3JPK3J5TU8KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLSA="),
check.That(data.ResourceName).Key("active_directory.0.enable_ldap_signing").HasValue("true"),
check.That(data.ResourceName).Key("tags.%").HasValue("2"),
check.That(data.ResourceName).Key("tags.FoO").HasValue("BaR"),
),
Expand Down Expand Up @@ -228,12 +241,20 @@ resource "azurerm_netapp_account" "test" {
resource_group_name = azurerm_resource_group.test.name

active_directory {
username = "aduser"
password = "aduserpwd"
smb_server_name = "SMBSERVER"
dns_servers = ["1.2.3.4"]
domain = "westcentralus.com"
organizational_unit = "OU=FirstLevel"
username = "aduser"
password = "aduserpwd"
smb_server_name = "SMB-SERVER"
dns_servers = ["1.2.3.4", "1.2.3.5"]
domain = "westcentralus.com"
organizational_unit = "OU=FirstLevel"
site_name = "My-Site-Name"
ad_name = "My-AD-Server"
kdc_ip = "192.168.1.1"
enable_aes_encryption = true
allow_local_nfs_users_with_ldap = true
enable_ldap_over_tls = true
server_root_ca_certificate = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNZekNDQWN5Z0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREF1TVFzd0NRWURWUVFHRXdKVlV6RU0gCk1Bb0dBMVVFQ2hNRFNVSk5NUkV3RHdZRFZRUUxFd2hNYjJOaGJDQkRRVEFlRncwNU9URXlNakl3TlRBd01EQmEgCkZ3MHdNREV5TWpNd05EVTVOVGxhTUM0eEN6QUpCZ05WQkFZVEFsVlRNUXd3Q2dZRFZRUUtFd05KUWsweEVUQVAgCkJnTlZCQXNUQ0V4dlkyRnNJRU5CTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEMmJaRW8gCjd4R2FYMi8wR0hrck5GWnZseEJvdTl2MUptdC9QRGlUTVB2ZThyOUZlSkFRMFFkdkZTVC8wSlBRWUQyMHJIMGIgCmltZERMZ05kTnlubXlSb1MyUy9JSW5mcG1mNjlpeWMyRzBUUHlSdm1ISWlPWmJkQ2QrWUJIUWkxYWRrajE3TkQgCmNXajZTMTR0VnVyRlg3M3p4MHNOb01TNzlxM3R1WEtyRHN4ZXV3SURBUUFCbzRHUU1JR05NRXNHQ1ZVZER3R0cgCitFSUJEUVErRXp4SFpXNWxjbUYwWldRZ1lua2dkR2hsSUZObFkzVnlaVmRoZVNCVFpXTjFjbWwwZVNCVFpYSjIgClpYSWdabTl5SUU5VEx6TTVNQ0FvVWtGRFJpa3dEZ1lEVlIwUEFRSC9CQVFEQWdBR01BOEdBMVVkRXdFQi93UUYgCk1BTUJBZjh3SFFZRFZSME9CQllFRkozK29jUnlDVEp3MDY3ZExTd3IvbmFseDZZTU1BMEdDU3FHU0liM0RRRUIgCkJRVUFBNEdCQU1hUXp0K3phajFHVTc3eXpscjhpaU1CWGdkUXJ3c1paV0pvNWV4bkF1Y0pBRVlRWm1PZnlMaU0gCkQ2b1lxK1puZnZNMG44Ry9ZNzlxOG5od3Z1eHBZT25SU0FYRnA2eFNrcklPZVp0Sk1ZMWgwMExLcC9KWDNOZzEgCnN2WjJhZ0UxMjZKSHNRMGJoek41VEtzWWZid2ZUd2ZqZFdBR3k2VmYxbllpL3JPK3J5TU8KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLSA="
enable_ldap_signing = true
}

tags = {
Expand Down
23 changes: 20 additions & 3 deletions website/docs/r/netapp_account.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -83,18 +83,35 @@ The `active_directory` block supports the following:

* `password` - (Required) The password associated with the `username`.

* `organizational_unit` - (Optional) The Organizational Unit (OU) within the Active Directory Domain.
* `organizational_unit` - (Optional) The Organizational Unit (OU) within Active Directory where machines will be created. If blank, defaults to `CN=Computers`.

---
* `site_name` - (Optional) The Active Directory site the service will limit Domain Controller discovery to. If blank, defaults to `Default-First-Site-Name`.

* `ad_name` - (Optional) Name of the active directory machine. *This optional parameter is used only while creating a Kerberos volume.*

* `kdc_ip` - (Optional) kdc server IP addresses for the active directory machine. *This optional parameter is used only while creating a Kerberos volume.*

~> **IMPORTANT:** If you plan on using **Kerberos** volumes, both `ad_name` and `kdc_ip` are required in order to create the volume.

* `enable_aes_encryption` - (Optional) If enabled, AES encryption will be enabled for SMB communication. Defaults to `false`.

* `allow_local_nfs_users_with_ldap` - (Optional) If enabled, NFS client local users can also (in addition to LDAP users) access the NFS volumes. Defaults to `false`.

* `enable_ldap_over_tls` - (Optional) Specifies whether or not the LDAP traffic needs to be secured via TLS. Defaults to `false`.

* `server_root_ca_certificate` - (Optional) When LDAP over SSL/TLS is enabled, the LDAP client is required to have a *base64 encoded Active Directory Certificate Service's self-signed root CA certificate*, this optional parameter is used only for dual protocol with LDAP user-mapping volumes. Required if `enable_ldap_over_tls` is set to `true`.

* `enable_ldap_signing` - (Optional) Specifies whether or not the LDAP traffic needs to be signed. Defaults to `false`.

---
The `identity` block supports the following:

* `type` - (Required) The identity type, which can be `SystemAssigned` or `UserAssigned`. Only one type at a time is supported by Azure NetApp Files.
* `identity_ids` - (Optional) The identity id of the user assigned identity to use when type is `UserAssigned`

---

~> **IMPORTANT:** Changing identity type from `SystemAssigned` to `UserAssigned` is a supported operation but the reverse is not supported from within Terraform Azure NetApp Files module.
~> **IMPORTANT:** Changing identity type from `SystemAssigned` to `UserAssigned` is a supported operation but the reverse is not supported from within Terraform Azure NetApp Files module.

## Attributes Reference

Expand Down
Loading