From 7af8ebb26f49c9354c2ee26c5ad7a49d7f08ce71 Mon Sep 17 00:00:00 2001 From: Shizhao Liu Date: Fri, 10 Nov 2023 22:39:48 +0000 Subject: [PATCH] Impelemnt policy_lb_client_ssl_profile resource Signed-off-by: Shizhao Liu --- nsxt/provider.go | 1 + ...ource_nsxt_policy_lb_client_ssl_profile.go | 210 ++++++++++++++++++ ..._nsxt_policy_lb_client_ssl_profile_test.go | 203 +++++++++++++++++ ...policy_lb_client_ssl_profile.html.markdown | 67 ++++++ 4 files changed, 481 insertions(+) create mode 100644 nsxt/resource_nsxt_policy_lb_client_ssl_profile.go create mode 100644 nsxt/resource_nsxt_policy_lb_client_ssl_profile_test.go create mode 100644 website/docs/r/policy_lb_client_ssl_profile.html.markdown diff --git a/nsxt/provider.go b/nsxt/provider.go index d740a2050..53b8bdff4 100644 --- a/nsxt/provider.go +++ b/nsxt/provider.go @@ -432,6 +432,7 @@ func Provider() *schema.Provider { "nsxt_policy_host_transport_node": resourceNsxtPolicyHostTransportNode(), "nsxt_edge_high_availability_profile": resourceNsxtEdgeHighAvailabilityProfile(), "nsxt_policy_host_transport_node_collection": resourceNsxtPolicyHostTransportNodeCollection(), + "nsxt_policy_lb_client_ssl_profile": resourceNsxtPolicyLBClientSslProfile(), }, ConfigureFunc: providerConfigure, diff --git a/nsxt/resource_nsxt_policy_lb_client_ssl_profile.go b/nsxt/resource_nsxt_policy_lb_client_ssl_profile.go new file mode 100644 index 000000000..64bf40e85 --- /dev/null +++ b/nsxt/resource_nsxt_policy_lb_client_ssl_profile.go @@ -0,0 +1,210 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "log" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client" + "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra" + "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model" +) + +var lBClientSslProfileCipherGroupLabelValues = []string{ + model.LBClientSslProfile_CIPHER_GROUP_LABEL_HIGH_COMPATIBILITY, + model.LBClientSslProfile_CIPHER_GROUP_LABEL_HIGH_SECURITY, + model.LBClientSslProfile_CIPHER_GROUP_LABEL_CUSTOM, + model.LBClientSslProfile_CIPHER_GROUP_LABEL_BALANCED, +} + +func resourceNsxtPolicyLBClientSslProfile() *schema.Resource { + return &schema.Resource{ + Create: resourceNsxtPolicyLBClientSslProfileCreate, + Read: resourceNsxtPolicyLBClientSslProfileRead, + Update: resourceNsxtPolicyLBClientSslProfileUpdate, + Delete: resourceNsxtPolicyLBClientSslProfileDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Schema: map[string]*schema.Schema{ + "nsx_id": getNsxIDSchema(), + "path": getPathSchema(), + "display_name": getDisplayNameSchema(), + "description": getDescriptionSchema(), + "revision": getRevisionSchema(), + "tag": getTagsSchema(), + "cipher_group_label": { + Type: schema.TypeString, + ValidateFunc: validation.StringInSlice(lBClientSslProfileCipherGroupLabelValues, false), + Optional: true, + Default: model.LBClientSslProfile_CIPHER_GROUP_LABEL_BALANCED, + Description: "A label of cipher group which is mostly consumed by GUI. Default value is BALANCED.", + }, + "ciphers": getSSLCiphersSchema(), + "is_fips": { + Type: schema.TypeBool, + Computed: true, + Description: "This flag is set to true when all the ciphers and protocols are FIPS compliant. It is set to false when one of the ciphers or protocols are not FIPS compliant.", + }, + "is_secure": getIsSecureSchema(), + "prefer_server_ciphers": { + Type: schema.TypeBool, + Optional: true, + Default: true, + Description: "During SSL handshake as part of the SSL client Hello client sends an ordered list of ciphers that it can support (or prefers) and typically server selects the first one from the top of that list it can also support. For Perfect Forward Secrecy(PFS), server could override the client's preference.", + }, + "protocols": getSSLProtocolsSchema(), + "session_cache_enabled": { + Type: schema.TypeBool, + Optional: true, + Default: true, + Description: "If set to true, SSL session caching allows SSL client and server to reuse previously negotiated security parameters avoiding the expensive public key operation during handshake.", + }, + "session_cache_timeout": { + Type: schema.TypeInt, + Optional: true, + Default: 300, + Description: "Session cache timeout specifies how long the SSL session parameters are held on to and can be reused. Default value is 300.", + }, + }, + } +} + +func resourceNsxtPolicyLBClientSslProfileExists(id string, connector client.Connector, isGlobalManager bool) (bool, error) { + var err error + client := infra.NewLbClientSslProfilesClient(connector) + _, err = client.Get(id) + if err == nil { + return true, nil + } + + if isNotFoundError(err) { + return false, nil + } + + return false, logAPIError("Error retrieving resource", err) +} + +func resourceNsxtPolicyLBClientSslProfilePatch(d *schema.ResourceData, m interface{}, id string) error { + connector := getPolicyConnector(m) + + displayName := d.Get("display_name").(string) + description := d.Get("description").(string) + tags := getPolicyTagsFromSchema(d) + cipherGroupLabel := d.Get("cipher_group_label").(string) + ciphers := getStringListFromSchemaSet(d, "ciphers") + preferServerCiphers := d.Get("prefer_server_ciphers").(bool) + protocols := getStringListFromSchemaSet(d, "protocols") + sessionCacheEnabled := d.Get("session_cache_enabled").(bool) + sessionCacheTimeout := int64(d.Get("session_cache_timeout").(int)) + + obj := model.LBClientSslProfile{ + DisplayName: &displayName, + Description: &description, + Tags: tags, + CipherGroupLabel: &cipherGroupLabel, + Ciphers: ciphers, + PreferServerCiphers: &preferServerCiphers, + Protocols: protocols, + SessionCacheEnabled: &sessionCacheEnabled, + SessionCacheTimeout: &sessionCacheTimeout, + } + + log.Printf("[INFO] Patching LBClientSslProfile with ID %s", id) + + client := infra.NewLbClientSslProfilesClient(connector) + return client.Patch(id, obj) +} + +func resourceNsxtPolicyLBClientSslProfileCreate(d *schema.ResourceData, m interface{}) error { + + // Initialize resource Id and verify this ID is not yet used + id, err := getOrGenerateID(d, m, resourceNsxtPolicyLBClientSslProfileExists) + if err != nil { + return err + } + + err = resourceNsxtPolicyLBClientSslProfilePatch(d, m, id) + if err != nil { + return handleCreateError("LBClientSslProfile", id, err) + } + + d.SetId(id) + d.Set("nsx_id", id) + + return resourceNsxtPolicyLBClientSslProfileRead(d, m) +} + +func resourceNsxtPolicyLBClientSslProfileRead(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + id := d.Id() + if id == "" { + return fmt.Errorf("Error obtaining LBClientSslProfile ID") + } + + var obj model.LBClientSslProfile + client := infra.NewLbClientSslProfilesClient(connector) + var err error + obj, err = client.Get(id) + if err != nil { + return handleReadError(d, "LBClientSslProfile", id, err) + } + + d.Set("display_name", obj.DisplayName) + d.Set("description", obj.Description) + setPolicyTagsInSchema(d, obj.Tags) + d.Set("nsx_id", id) + d.Set("path", obj.Path) + d.Set("revision", obj.Revision) + + d.Set("cipher_group_label", obj.CipherGroupLabel) + d.Set("ciphers", obj.Ciphers) + d.Set("is_fips", obj.IsFips) + d.Set("is_secure", obj.IsSecure) + d.Set("prefer_server_ciphers", obj.PreferServerCiphers) + d.Set("protocols", obj.Protocols) + d.Set("session_cache_enabled", obj.SessionCacheEnabled) + d.Set("session_cache_timeout", obj.SessionCacheTimeout) + + return nil +} + +func resourceNsxtPolicyLBClientSslProfileUpdate(d *schema.ResourceData, m interface{}) error { + + id := d.Id() + if id == "" { + return fmt.Errorf("Error obtaining LBClientSslProfile ID") + } + + err := resourceNsxtPolicyLBClientSslProfilePatch(d, m, id) + if err != nil { + return handleUpdateError("LBClientSslProfile", id, err) + } + + return resourceNsxtPolicyLBClientSslProfileRead(d, m) +} + +func resourceNsxtPolicyLBClientSslProfileDelete(d *schema.ResourceData, m interface{}) error { + id := d.Id() + if id == "" { + return fmt.Errorf("Error obtaining LBClientSslProfile ID") + } + + forceParam := true + connector := getPolicyConnector(m) + var err error + client := infra.NewLbClientSslProfilesClient(connector) + err = client.Delete(id, &forceParam) + + if err != nil { + return handleDeleteError("LBClientSslProfile", id, err) + } + + return nil +} diff --git a/nsxt/resource_nsxt_policy_lb_client_ssl_profile_test.go b/nsxt/resource_nsxt_policy_lb_client_ssl_profile_test.go new file mode 100644 index 000000000..91b3a3088 --- /dev/null +++ b/nsxt/resource_nsxt_policy_lb_client_ssl_profile_test.go @@ -0,0 +1,203 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +var accTestPolicyLBClientSslProfileCreateAttributes = map[string]string{ + "display_name": getAccTestResourceName(), + "description": "terraform created", + "cipher_group_label": "CUSTOM", + "ciphers": "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "prefer_server_ciphers": "true", + "protocols": "TLS_V1_2", + "session_cache_enabled": "true", + "session_cache_timeout": "2", +} + +var accTestPolicyLBClientSslProfileUpdateAttributes = map[string]string{ + "display_name": getAccTestResourceName(), + "description": "terraform updated", + "cipher_group_label": "CUSTOM", + "ciphers": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "prefer_server_ciphers": "false", + "protocols": "TLS_V1_1", + "session_cache_enabled": "false", + "session_cache_timeout": "5", +} + +func TestAccResourceNsxtPolicyLBClientSslProfile_basic(t *testing.T) { + testResourceName := "nsxt_policy_lb_client_ssl_profile.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t); testAccOnlyLocalManager(t) }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicyLBClientSslProfileCheckDestroy(state, accTestPolicyLBClientSslProfileUpdateAttributes["display_name"]) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicyLBClientSslProfileTemplate(true), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicyLBClientSslProfileExists(accTestPolicyLBClientSslProfileCreateAttributes["display_name"], testResourceName), + resource.TestCheckResourceAttr(testResourceName, "display_name", accTestPolicyLBClientSslProfileCreateAttributes["display_name"]), + resource.TestCheckResourceAttr(testResourceName, "description", accTestPolicyLBClientSslProfileCreateAttributes["description"]), + resource.TestCheckResourceAttr(testResourceName, "cipher_group_label", accTestPolicyLBClientSslProfileCreateAttributes["cipher_group_label"]), + resource.TestCheckResourceAttr(testResourceName, "ciphers.0", accTestPolicyLBClientSslProfileCreateAttributes["ciphers"]), + resource.TestCheckResourceAttrSet(testResourceName, "is_fips"), + resource.TestCheckResourceAttrSet(testResourceName, "is_secure"), + resource.TestCheckResourceAttr(testResourceName, "prefer_server_ciphers", accTestPolicyLBClientSslProfileCreateAttributes["prefer_server_ciphers"]), + resource.TestCheckResourceAttr(testResourceName, "protocols.0", accTestPolicyLBClientSslProfileCreateAttributes["protocols"]), + resource.TestCheckResourceAttr(testResourceName, "session_cache_enabled", accTestPolicyLBClientSslProfileCreateAttributes["session_cache_enabled"]), + resource.TestCheckResourceAttr(testResourceName, "session_cache_timeout", accTestPolicyLBClientSslProfileCreateAttributes["session_cache_timeout"]), + + resource.TestCheckResourceAttrSet(testResourceName, "nsx_id"), + resource.TestCheckResourceAttrSet(testResourceName, "path"), + resource.TestCheckResourceAttrSet(testResourceName, "revision"), + resource.TestCheckResourceAttr(testResourceName, "tag.#", "1"), + ), + }, + { + Config: testAccNsxtPolicyLBClientSslProfileTemplate(false), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicyLBClientSslProfileExists(accTestPolicyLBClientSslProfileUpdateAttributes["display_name"], testResourceName), + resource.TestCheckResourceAttr(testResourceName, "display_name", accTestPolicyLBClientSslProfileUpdateAttributes["display_name"]), + resource.TestCheckResourceAttr(testResourceName, "description", accTestPolicyLBClientSslProfileUpdateAttributes["description"]), + resource.TestCheckResourceAttr(testResourceName, "cipher_group_label", accTestPolicyLBClientSslProfileUpdateAttributes["cipher_group_label"]), + resource.TestCheckResourceAttr(testResourceName, "ciphers.0", accTestPolicyLBClientSslProfileUpdateAttributes["ciphers"]), + resource.TestCheckResourceAttrSet(testResourceName, "is_fips"), + resource.TestCheckResourceAttrSet(testResourceName, "is_secure"), + resource.TestCheckResourceAttr(testResourceName, "prefer_server_ciphers", accTestPolicyLBClientSslProfileUpdateAttributes["prefer_server_ciphers"]), + resource.TestCheckResourceAttr(testResourceName, "protocols.0", accTestPolicyLBClientSslProfileUpdateAttributes["protocols"]), + resource.TestCheckResourceAttr(testResourceName, "session_cache_enabled", accTestPolicyLBClientSslProfileUpdateAttributes["session_cache_enabled"]), + resource.TestCheckResourceAttr(testResourceName, "session_cache_timeout", accTestPolicyLBClientSslProfileUpdateAttributes["session_cache_timeout"]), + + resource.TestCheckResourceAttrSet(testResourceName, "nsx_id"), + resource.TestCheckResourceAttrSet(testResourceName, "path"), + resource.TestCheckResourceAttrSet(testResourceName, "revision"), + resource.TestCheckResourceAttr(testResourceName, "tag.#", "1"), + ), + }, + { + Config: testAccNsxtPolicyLBClientSslProfileMinimalistic(), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicyLBClientSslProfileExists(accTestPolicyLBClientSslProfileCreateAttributes["display_name"], testResourceName), + resource.TestCheckResourceAttr(testResourceName, "description", ""), + resource.TestCheckResourceAttrSet(testResourceName, "nsx_id"), + resource.TestCheckResourceAttrSet(testResourceName, "path"), + resource.TestCheckResourceAttrSet(testResourceName, "revision"), + resource.TestCheckResourceAttr(testResourceName, "tag.#", "0"), + ), + }, + }, + }) +} + +func TestAccResourceNsxtPolicyLBClientSslProfile_importBasic(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_lb_client_ssl_profile.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t); testAccOnlyLocalManager(t) }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicyLBClientSslProfileCheckDestroy(state, name) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicyLBClientSslProfileMinimalistic(), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccNsxtPolicyLBClientSslProfileExists(displayName string, resourceName string) resource.TestCheckFunc { + return func(state *terraform.State) error { + + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + + rs, ok := state.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Policy LBClientSslProfile resource %s not found in resources", resourceName) + } + + resourceID := rs.Primary.ID + if resourceID == "" { + return fmt.Errorf("Policy LBClientSslProfile resource ID not set in resources") + } + + exists, err := resourceNsxtPolicyLBClientSslProfileExists(resourceID, connector, testAccIsGlobalManager()) + if err != nil { + return err + } + if !exists { + return fmt.Errorf("Policy LBClientSslProfile %s does not exist", resourceID) + } + + return nil + } +} + +func testAccNsxtPolicyLBClientSslProfileCheckDestroy(state *terraform.State, displayName string) error { + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + for _, rs := range state.RootModule().Resources { + + if rs.Type != "nsxt_policy_lb_client_ssl_profile" { + continue + } + + resourceID := rs.Primary.Attributes["id"] + exists, err := resourceNsxtPolicyLBClientSslProfileExists(resourceID, connector, testAccIsGlobalManager()) + if err == nil { + return err + } + + if exists { + return fmt.Errorf("Policy LBClientSslProfile %s still exists", displayName) + } + } + return nil +} + +func testAccNsxtPolicyLBClientSslProfileTemplate(createFlow bool) string { + var attrMap map[string]string + if createFlow { + attrMap = accTestPolicyLBClientSslProfileCreateAttributes + } else { + attrMap = accTestPolicyLBClientSslProfileUpdateAttributes + } + return fmt.Sprintf(` + resource "nsxt_policy_lb_client_ssl_profile" "test" { + display_name = "%s" + description = "%s" + cipher_group_label = "%s" + ciphers = ["%s"] + prefer_server_ciphers = %s + protocols = ["%s"] + session_cache_enabled = %s + session_cache_timeout = %s + tag { + scope = "scope1" + tag = "tag1" + } + }`, attrMap["display_name"], attrMap["description"], attrMap["cipher_group_label"], attrMap["ciphers"], attrMap["prefer_server_ciphers"], attrMap["protocols"], attrMap["session_cache_enabled"], attrMap["session_cache_timeout"]) +} + +func testAccNsxtPolicyLBClientSslProfileMinimalistic() string { + return fmt.Sprintf(` + resource "nsxt_policy_lb_client_ssl_profile" "test" { + display_name = "%s" + }`, accTestPolicyLBClientSslProfileUpdateAttributes["display_name"]) +} diff --git a/website/docs/r/policy_lb_client_ssl_profile.html.markdown b/website/docs/r/policy_lb_client_ssl_profile.html.markdown new file mode 100644 index 000000000..3839a48cc --- /dev/null +++ b/website/docs/r/policy_lb_client_ssl_profile.html.markdown @@ -0,0 +1,67 @@ +--- +subcategory: "Load Balancer" +layout: "nsxt" +page_title: "NSXT: nsxt_policy_lb_client_ssl_profile" +description: A resource to configure a LB Client SSL Profile. +--- + +# nsxt_policy_lb_client_ssl_profile + +This resource provides a method for the management of a LBClientSslProfile. + +This resource is applicable to NSX Global Manager, NSX Policy Manager and VMC. + +## Example Usage + +```hcl +resource "nsxt_policy_lb_client_ssl_profile" "test" { + display_name = "test" + description = "Terraform provisioned LBClientSslProfile" + cipher_group_label = "HIGH_COMPATIBILITY" + ciphers = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" + is_fips = true + is_secure = true + prefer_server_ciphers = true + protocols = "TLS_V1_2" + session_cache_enabled = true + session_cache_timeout = 2 +} +``` + +## Argument Reference + +The following arguments are supported: + +* `display_name` - (Required) Display name of the resource. +* `description` - (Optional) Description of the resource. +* `tag` - (Optional) A list of scope + tag pairs to associate with this resource. +* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource. +* `cipher_group_label` - (Optional) A label of cipher group which is mostly consumed by GUI. The server will populate this field when returing the resource. Ignored on PUT and POST. Possible values are: `BALANCED`, `HIGH_SECURITY`, `HIGH_COMPATIBILITY` and `CUSTOM`. +* `ciphers` - (Optional) Supported SSL cipher list to client side. Possible values are: `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDH_RSA_WITH_AES_256_CBC_SHA `, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`,`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`,`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256`,`TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDH_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256`,`TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384` +* `is_fips` - (Optional) This flag is set to true when all the ciphers and protocols are FIPS compliant. It is set to false when one of the ciphers or protocols are not FIPS compliant. Read-only property, its value will be decided automatically based on the result of applying this configuration. +* `is_secure` - (Optional) This flag is set to true when all the ciphers and protocols are secure. It is set to false when one of the ciphers or protocols is insecure. Read-only property, its value will be decided automatically based on the result of applying this configuration. +* `prefer_server_ciphers` - (Optional) During SSL handshake as part of the SSL client Hello client sends an ordered list of ciphers that it can support (or prefers) and typically server selects the first one from the top of that list it can also support. For Perfect Forward Secrecy(PFS), server could override the client's preference. Default is `true`. +* `protocols` - (Optional) Protocols used by the LB Client SSL profile. SSL versions TLS1.1 and TLS1.2 are supported and enabled by default. SSLv2, SSLv3, and TLS1.0 are supported, but disabled by default. Possible values are:`SSL_V2`, `SSL_V3`, `TLS_V1`, `TLS_V1_1`, `TLS_V1_2`, SSL versions TLS1.1 and TLS1.2 are supported and enabled by default. SSLv2, SSLv3, and TLS1.0 are supported, but disabled by default. +* `session_cache_enabled` - (Optional) SSL session caching allows SSL client and server to reuse previously negotiated security parameters avoiding the expensive public key operation during handshake. Default is `true`. +* `session_cache_timeout` - (Optional) Session cache timeout specifies how long the SSL session parameters are held on to and can be reused. format: int64, default is `300`. + + +## Attributes Reference + +In addition to arguments listed above, the following attributes are exported: + +* `id` - ID of the resource. +* `revision` - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging. +* `path` - The NSX path of the policy resource. + +## Importing + +An existing object can be [imported][docs-import] into this resource, via the following command: + +[docs-import]: https://www.terraform.io/cli/import + +``` +terraform import nsxt_policy_lb_client_ssl_profile.test UUID +``` + +The above command imports LBClientSslProfile named `test` with the NSX ID `UUID`.