diff --git a/google/data_source_google_compute_ssl_policy.go b/google/data_source_google_compute_ssl_policy.go new file mode 100644 index 00000000000..020c852c2c9 --- /dev/null +++ b/google/data_source_google_compute_ssl_policy.go @@ -0,0 +1,29 @@ +package google + +import ( + "github.com/hashicorp/terraform/helper/schema" +) + +func dataSourceGoogleComputeSslPolicy() *schema.Resource { + // Generate datasource schema from resource + dsSchema := datasourceSchemaFromResourceSchema(resourceComputeSslPolicy().Schema) + + // Set 'Required' schema elements + addRequiredFieldsToSchema(dsSchema, "name") + + // Set 'Optional' schema elements + addOptionalFieldsToSchema(dsSchema, "project") + + return &schema.Resource{ + Read: datasourceComputeSslPolicyRead, + Schema: dsSchema, + } +} + +func datasourceComputeSslPolicyRead(d *schema.ResourceData, meta interface{}) error { + policyName := d.Get("name").(string) + + d.SetId(policyName) + + return resourceComputeSslPolicyRead(d, meta) +} diff --git a/google/data_source_google_compute_ssl_policy_test.go b/google/data_source_google_compute_ssl_policy_test.go new file mode 100644 index 00000000000..8b7462dba3e --- /dev/null +++ b/google/data_source_google_compute_ssl_policy_test.go @@ -0,0 +1,83 @@ +package google + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" +) + +func TestAccDataSourceGoogleSslPolicy(t *testing.T) { + t.Parallel() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccDataSourceGoogleSslPolicy(), + Check: resource.ComposeTestCheckFunc( + testAccDataSourceGoogleSslPolicyCheck("data.google_compute_ssl_policy.ssl_policy", "google_compute_ssl_policy.foobar"), + ), + }, + }, + }) +} + +func testAccDataSourceGoogleSslPolicyCheck(data_source_name string, resource_name string) resource.TestCheckFunc { + return func(s *terraform.State) error { + ds, ok := s.RootModule().Resources[data_source_name] + if !ok { + return fmt.Errorf("root module has no resource called %s", data_source_name) + } + + rs, ok := s.RootModule().Resources[resource_name] + if !ok { + return fmt.Errorf("can't find %s in state", resource_name) + } + + ds_attr := ds.Primary.Attributes + rs_attr := rs.Primary.Attributes + + ssl_policy_attrs_to_test := []string{ + "id", + "self_link", + "name", + "description", + "min_tls_version", + "profile", + "custom_features", + } + + for _, attr_to_check := range ssl_policy_attrs_to_test { + if ds_attr[attr_to_check] != rs_attr[attr_to_check] { + return fmt.Errorf( + "%s is %s; want %s", + attr_to_check, + ds_attr[attr_to_check], + rs_attr[attr_to_check], + ) + } + } + + return nil + } +} + +func testAccDataSourceGoogleSslPolicy() string { + return fmt.Sprintf(` + +resource "google_compute_ssl_policy" "foobar" { + name = "%s" + description = "my-description" + min_tls_version = "TLS_1_2" + profile = "MODERN" +} + +data "google_compute_ssl_policy" "ssl_policy" { + name = "${google_compute_ssl_policy.foobar.name}" +} +`, acctest.RandomWithPrefix("test-ssl-policy")) +} diff --git a/google/provider.go b/google/provider.go index 1100d1b1f3d..9db7c7bb44e 100644 --- a/google/provider.go +++ b/google/provider.go @@ -78,6 +78,7 @@ func Provider() terraform.ResourceProvider { "google_compute_region_instance_group": dataSourceGoogleComputeRegionInstanceGroup(), "google_compute_vpn_gateway": dataSourceGoogleComputeVpnGateway(), "google_compute_forwarding_rule": dataSourceGoogleComputeForwardingRule(), + "google_compute_ssl_policy": dataSourceGoogleComputeSslPolicy(), "google_container_cluster": dataSourceGoogleContainerCluster(), "google_container_engine_versions": dataSourceGoogleContainerEngineVersions(), "google_container_registry_repository": dataSourceGoogleContainerRepo(), @@ -130,6 +131,7 @@ func Provider() terraform.ResourceProvider { "google_compute_shared_vpc_host_project": resourceComputeSharedVpcHostProject(), "google_compute_shared_vpc_service_project": resourceComputeSharedVpcServiceProject(), "google_compute_ssl_certificate": resourceComputeSslCertificate(), + "google_compute_ssl_policy": resourceComputeSslPolicy(), "google_compute_subnetwork": resourceComputeSubnetwork(), "google_compute_target_http_proxy": resourceComputeTargetHttpProxy(), "google_compute_target_https_proxy": resourceComputeTargetHttpsProxy(), diff --git a/google/resource_compute_ssl_policy.go b/google/resource_compute_ssl_policy.go new file mode 100644 index 00000000000..a39f6e53987 --- /dev/null +++ b/google/resource_compute_ssl_policy.go @@ -0,0 +1,239 @@ +package google + +import ( + "fmt" + "time" + + "github.com/hashicorp/terraform/helper/schema" + "github.com/hashicorp/terraform/helper/validation" + computeBeta "google.golang.org/api/compute/v0.beta" +) + +func resourceComputeSslPolicy() *schema.Resource { + return &schema.Resource{ + Create: resourceComputeSslPolicyCreate, + Read: resourceComputeSslPolicyRead, + Update: resourceComputeSslPolicyUpdate, + Delete: resourceComputeSslPolicyDelete, + + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(2 * time.Minute), + Update: schema.DefaultTimeout(2 * time.Minute), + Delete: schema.DefaultTimeout(2 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + + "name": &schema.Schema{ + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + + "custom_features": &schema.Schema{ + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + + "description": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + ForceNew: true, // currently, the beta patch API call does not allow updating the description + }, + + "min_tls_version": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "TLS_1_0", + // Although compute-gen.go says that TLS_1_3 is a valid value, the API currently (26 Mar 2018) + // responds with an HTTP 200 but doesn't actually create/update the policy. Open bug for this: + // https://issuetracker.google.com/issues/76433946 + ValidateFunc: validation.StringInSlice([]string{"TLS_1_0", "TLS_1_1", "TLS_1_2"}, false), + }, + + "profile": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "COMPATIBLE", + ValidateFunc: validation.StringInSlice([]string{"COMPATIBLE", "MODERN", "RESTRICTED", "CUSTOM"}, false), + }, + + "project": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + }, + + "enabled_features": &schema.Schema{ + Type: schema.TypeSet, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + + "fingerprint": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + + "self_link": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + }, + + CustomizeDiff: func(diff *schema.ResourceDiff, v interface{}) error { + profile := diff.Get("profile") + customFeaturesCount := diff.Get("custom_features.#") + + // Validate that policy configs aren't incompatible during all phases + // CUSTOM profile demands non-zero custom_features, and other profiles (i.e., not CUSTOM) demand zero custom_features + if diff.HasChange("profile") || diff.HasChange("custom_features") { + if profile.(string) == "CUSTOM" { + if customFeaturesCount.(int) == 0 { + return fmt.Errorf("Error in SSL Policy %s: the profile is set to %s but no custom_features are set.", diff.Get("name"), profile.(string)) + } + } else { + if customFeaturesCount != 0 { + return fmt.Errorf("Error in SSL Policy %s: the profile is set to %s but using custom_features requires the profile to be CUSTOM.", diff.Get("name"), profile.(string)) + } + } + return nil + } + return nil + }, + } +} + +func resourceComputeSslPolicyCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + + project, err := getProject(d, config) + if err != nil { + return err + } + + sslPolicy := &computeBeta.SslPolicy{ + Name: d.Get("name").(string), + Description: d.Get("description").(string), + Profile: d.Get("profile").(string), + MinTlsVersion: d.Get("min_tls_version").(string), + CustomFeatures: convertStringSet(d.Get("custom_features").(*schema.Set)), + } + + op, err := config.clientComputeBeta.SslPolicies.Insert(project, sslPolicy).Do() + if err != nil { + return fmt.Errorf("Error creating SSL Policy: %s", err) + } + + d.SetId(sslPolicy.Name) + + err = computeSharedOperationWaitTime(config.clientCompute, op, project, int(d.Timeout(schema.TimeoutCreate).Minutes()), "Creating SSL Policy") + if err != nil { + d.SetId("") // if insert fails, remove from state + return err + } + + return resourceComputeSslPolicyRead(d, meta) +} + +func resourceComputeSslPolicyRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + + project, err := getProject(d, config) + if err != nil { + return err + } + + name := d.Id() + + sslPolicy, err := config.clientComputeBeta.SslPolicies.Get(project, name).Do() + if err != nil { + return handleNotFoundError(err, d, fmt.Sprintf("SSL Policy %q", name)) + } + + d.Set("name", sslPolicy.Name) + d.Set("description", sslPolicy.Description) + d.Set("min_tls_version", sslPolicy.MinTlsVersion) + d.Set("profile", sslPolicy.Profile) + d.Set("fingerprint", sslPolicy.Fingerprint) + d.Set("project", project) + d.Set("self_link", ConvertSelfLinkToV1(sslPolicy.SelfLink)) + d.Set("enabled_features", convertStringArrToInterface(sslPolicy.EnabledFeatures)) + d.Set("custom_features", convertStringArrToInterface(sslPolicy.CustomFeatures)) + + d.SetId(sslPolicy.Name) + + return nil +} + +func resourceComputeSslPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + + config := meta.(*Config) + + project, err := getProject(d, config) + if err != nil { + return err + } + + name := d.Get("name").(string) + + sslPolicy := &computeBeta.SslPolicy{ + Fingerprint: d.Get("fingerprint").(string), + Profile: d.Get("profile").(string), + MinTlsVersion: d.Get("min_tls_version").(string), + } + + if v, ok := d.Get("custom_features").(*schema.Set); ok { + if v.Len() > 0 { + sslPolicy.CustomFeatures = convertStringSet(v) + } else { + sslPolicy.NullFields = append(sslPolicy.NullFields, "CustomFeatures") + } + } + + op, err := config.clientComputeBeta.SslPolicies.Patch(project, name, sslPolicy).Do() + if err != nil { + return fmt.Errorf("Error updating SSL Policy: %s", err) + } + + err = computeSharedOperationWaitTime(config.clientCompute, op, project, int(d.Timeout(schema.TimeoutUpdate).Minutes()), "Updating SSL Policy") + if err != nil { + return err + } + + return resourceComputeSslPolicyRead(d, meta) +} + +func resourceComputeSslPolicyDelete(d *schema.ResourceData, meta interface{}) error { + + config := meta.(*Config) + + project, err := getProject(d, config) + if err != nil { + return err + } + + name := d.Get("name").(string) + + op, err := config.clientComputeBeta.SslPolicies.Delete(project, name).Do() + if err != nil { + return fmt.Errorf("Error deleting SSL Policy: %s", err) + } + + err = computeSharedOperationWaitTime(config.clientCompute, op, project, int(d.Timeout(schema.TimeoutDelete).Minutes()), "Deleting Subnetwork") + if err != nil { + return err + } + + d.SetId("") + + return nil +} diff --git a/google/resource_compute_ssl_policy_test.go b/google/resource_compute_ssl_policy_test.go new file mode 100644 index 00000000000..28461ffcf56 --- /dev/null +++ b/google/resource_compute_ssl_policy_test.go @@ -0,0 +1,402 @@ +package google + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" + computeBeta "google.golang.org/api/compute/v0.beta" +) + +func TestAccComputeSslPolicy_basic(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslPolicyBasic(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.basic", &sslPolicy), + // test attribute default values + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.basic", "profile", "COMPATIBLE"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.basic", "min_tls_version", "TLS_1_0"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.basic", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeSslPolicy_profile(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslPolicyProfile(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.profile", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.profile", "profile", "MODERN"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.profile", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeSslPolicy_update(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslUpdate1(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "profile", "MODERN"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_0"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, + resource.TestStep{ + Config: testAccComputeSslUpdate2(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "profile", "RESTRICTED"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_2"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeSslPolicy_tls_version(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslPolicyTlsVersion(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.tlsversion", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.tlsversion", "min_tls_version", "TLS_1_2"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.tlsversion", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeSslPolicy_custom(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslPolicyCustom(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.custom", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.custom", "min_tls_version", "TLS_1_2"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.custom", "profile", "CUSTOM"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.custom", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeSslPolicy_update_to_custom(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslUpdate1(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "profile", "MODERN"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_0"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, + resource.TestStep{ + Config: testAccComputeSslUpdate3(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "profile", "CUSTOM"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_1"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeSslPolicy_update_from_custom(t *testing.T) { + t.Parallel() + + var sslPolicy computeBeta.SslPolicy + sslPolicyName := fmt.Sprintf("test-ssl-policy-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeSslPolicyDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccComputeSslUpdate3(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "profile", "CUSTOM"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_1"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, + resource.TestStep{ + Config: testAccComputeSslUpdate1(sslPolicyName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeSslPolicyExists( + "google_compute_ssl_policy.update", &sslPolicy), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "profile", "MODERN"), + resource.TestCheckResourceAttr( + "google_compute_ssl_policy.update", "min_tls_version", "TLS_1_0"), + ), + }, + resource.TestStep{ + ResourceName: "google_compute_ssl_policy.update", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccCheckComputeSslPolicyExists(n string, sslPolicy *computeBeta.SslPolicy) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + config := testAccProvider.Meta().(*Config) + + project, err := getTestProject(rs.Primary, config) + if err != nil { + return err + } + + name := rs.Primary.Attributes["name"] + + found, err := config.clientComputeBeta.SslPolicies.Get( + project, name).Do() + if err != nil { + return fmt.Errorf("Error Reading SSL Policy %s: %s", name, err) + } + + if found.Name != rs.Primary.ID { + return fmt.Errorf("SSL Policy not found") + } + + *sslPolicy = *found + + return nil + } +} + +func testAccCheckComputeSslPolicyDestroy(s *terraform.State) error { + config := testAccProvider.Meta().(*Config) + + for _, rs := range s.RootModule().Resources { + if rs.Type != "google_compute_ssl_policy" { + continue + } + + _, err := config.clientComputeBeta.SslPolicies.Get( + config.Project, rs.Primary.ID).Do() + if err == nil { + return fmt.Errorf("SSL Policy still exists") + } + } + + return nil +} + +func testAccComputeSslPolicyBasic(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "basic" { + name = "%s" + description = "Generated by TF provider acceptance test" +} +`, resourceName) +} + +func testAccComputeSslPolicyProfile(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "profile" { + name = "%s" + description = "Generated by TF provider acceptance test" + profile = "MODERN" +} +`, resourceName) +} + +func testAccComputeSslUpdate1(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "update" { + name = "%s" + description = "Generated by TF provider acceptance test" + min_tls_version = "TLS_1_0" + profile = "MODERN" +} +`, resourceName) +} + +func testAccComputeSslUpdate2(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "update" { + name = "%s" + description = "Generated by TF provider acceptance test" + min_tls_version = "TLS_1_2" + profile = "RESTRICTED" +} +`, resourceName) +} + +func testAccComputeSslUpdate3(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "update" { + name = "%s" + description = "Generated by TF provider acceptance test" + min_tls_version = "TLS_1_1" + profile = "CUSTOM" + custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] +} +`, resourceName) +} + +func testAccComputeSslPolicyTlsVersion(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "tlsversion" { + name = "%s" + description = "Generated by TF provider acceptance test" + min_tls_version = "TLS_1_2" +} +`, resourceName) +} + +func testAccComputeSslPolicyCustom(resourceName string) string { + return fmt.Sprintf(` +resource "google_compute_ssl_policy" "custom" { + name = "%s" + description = "Generated by TF provider acceptance test" + min_tls_version = "TLS_1_2" + profile = "CUSTOM" + custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] +} +`, resourceName) +} diff --git a/website/docs/d/datasource_compute_ssl_policy.html.markdown b/website/docs/d/datasource_compute_ssl_policy.html.markdown new file mode 100644 index 00000000000..d7c7e5a2467 --- /dev/null +++ b/website/docs/d/datasource_compute_ssl_policy.html.markdown @@ -0,0 +1,51 @@ +--- +layout: "google" +page_title: "Google: google_compute_ssl_policy" +sidebar_current: "docs-google-datasource-compute-ssl-policy" +description: |- + Gets an SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. +--- + +# google\_compute\_ssl\_policy + +Gets an SSL Policy within GCE from its name, for use with Target HTTPS and Target SSL Proxies. + For more information see [the official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies). + +## Example Usage + +```tf +data "google_compute_ssl_policy" "my-ssl-policy" { + name = "production-ssl-policy" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Required) The name of the SSL Policy. + +- - - + +* `project` - (Optional) The ID of the project in which the resource belongs. If it + is not provided, the provider project is used. + +## Attributes Reference + +In addition to the arguments listed above, the following attributes are exported: + +* `enabled_features` - The set of enabled encryption ciphers as a result of the policy config + +* `description` - Description of this SSL Policy. + +* `min_tls_version` - The minimum supported TLS version of this policy. + +* `profile` - The Google-curated or custom profile used by this policy. + +* `custom_features` - If the `profile` is `CUSTOM`, these are the custom encryption + ciphers supported by the profile. If the `profile` is *not* `CUSTOM`, this + attribute will be empty. + +* `fingerprint` - Fingerprint of this resource. + +* `self_link` - The URI of the created resource. \ No newline at end of file diff --git a/website/docs/r/compute_ssl_policy.html.markdown b/website/docs/r/compute_ssl_policy.html.markdown new file mode 100644 index 00000000000..9fcb53ff014 --- /dev/null +++ b/website/docs/r/compute_ssl_policy.html.markdown @@ -0,0 +1,84 @@ +--- +layout: "google" +page_title: "Google: google_compute_ssl_policy" +sidebar_current: "docs-google-compute-ssl-policy" +description: |- + Manages an SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. +--- + +# google\_compute\_ssl\_policy + +Manages an SSL Policy within GCE, for use with Target HTTPS and Target SSL Proxies. For more information see +[the official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies) +and +[API](https://cloud.google.com/compute/docs/reference/rest/beta/sslPolicies). + +## Example Usage + +```hcl +resource "google_compute_ssl_policy" "prod-ssl-policy" { + name = "production-ssl-policy" + profile = "MODERN" +} + +resource "google_compute_ssl_policy" "nonprod-ssl-policy" { + name = "nonprod-ssl-policy" + profile = "MODERN" + min_tls_version = "TLS_1_2" +} + +resource "google_compute_ssl_policy" "custom-ssl-policy" { + name = "custom-ssl-policy" + min_tls_version = "TLS_1_2" + profile = "CUSTOM" + custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Required) A unique name for the resource, required by GCE. + Changing this forces a new resource to be created. + +- - - + +* `description` - (Optional) Description of this subnetwork. Changing this forces a new resource to be created. + +* `project` - (Optional) The ID of the project in which the resource belongs. If it + is not provided, the provider project is used. + +* `min_tls_version` - (Optional) The minimum TLS version to support. Must be one of `TLS_1_0`, `TLS_1_1`, or `TLS_1_2`. + Default is `TLS_1_0`. + +* `profile` - (Optional) The Google-curated SSL profile to use. Must be one of `COMPATIBLE`, `MODERN`, + `RESTRICTED`, or `CUSTOM`. See the + [official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies#profilefeaturesupport) + for information on what cipher suites each profile provides. If `CUSTOM` is used, the `custom_features` attribute + **must be set**. Default is `COMPATIBLE`. + +* `custom_features` - (Required with `CUSTOM` profile) The specific encryption ciphers to use. See the + [official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies#profilefeaturesupport) + for which ciphers are available to use. **Note**: this argument *must* be present when using the `CUSTOM` profile. + This argument *must not* be present when using any other profile. + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are +exported: + +* `enabled_features` - The set of enabled encryption ciphers as a result of the policy config + +* `fingerprint` - Fingerprint of this resource. + +* `self_link` - The URI of the created resource. + +## Import + +SSL Policies can be imported using the GCP canonical `name` of the Policy. For example, an SSL Policy named `production-ssl-policy` + would be imported by running: + +```bash +$ terraform import google_compute_ssl_policy.my-policy production-ssl-policy +``` diff --git a/website/google.erb b/website/google.erb index f5807d93187..d86bd3a1401 100644 --- a/website/google.erb +++ b/website/google.erb @@ -44,6 +44,9 @@