feat(lb): add lb acl (#1948)

* feat(lb): add lb acl

* tests & doc

* fix frontend resource

* update cassette

* update cassettes

* add description

---------

Co-authored-by: jaime Bernabe <[email protected]>

Author: yfodil

docs/resources/lb_acl.md

@@ -0,0 +1,84 @@
+---
+subcategory: "Load Balancers"
+page_title: "Scaleway: scaleway_lb_acl"
+---
+
+# scaleway_lb_acl
+
+Creates and manages Scaleway Load-Balancer ACLs. For more information, see [the documentation](https://www.scaleway.com/en/developers/api/load-balancer/zoned-api/#path-acls).
+
+## Examples Usage
+
+### Basic
+
+```hcl
+resource "scaleway_lb_acl" "acl01" {
+  frontend_id  = scaleway_lb_frontend.frt01.id
+  name         = "acl01"
+  description  = "Exclude well-known IPs"
+  index        = 0
+  # Allow downstream requests from: 192.168.0.1, 192.168.0.2 or 192.168.10.0/24
+  action {
+    type = "allow"
+  }
+  match {
+    ip_subnet = ["192.168.0.1", "192.168.0.2", "192.168.10.0/24"]
+  }
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+- `frontend_id` - (Required) The load-balancer Frontend ID to attach the ACL to.
+
+- `name` - (Optional) The ACL name. If not provided it will be randomly generated.
+
+- `description` - (Optional) The ACL description.
+
+- `index` - (Required) The Priority of this ACL (ACLs are applied in ascending order, 0 is the first ACL executed).
+
+- `action` - (Required) Action to undertake when an ACL filter matches.
+
+    - `type` - (Required) The action type. Possible values are: `allow` or `deny` or `redirect`.
+
+    - `redirect` - (Optional) Redirect parameters when using an ACL with `redirect` action.
+
+        - `type`  - (Optional) The redirect type. Possible values are: `location` or `scheme`.
+
+        - `target`  - (Optional) An URL can be used in case of a location redirect (e.g. `https://scaleway.com` will redirect to this same URL). A scheme name (e.g. `https`, `http`, `ftp`, `git`) will replace the request's original scheme.
+
+        - `code`  - (Optional) The HTTP redirect code to use. Valid values are `301`, `302`, `303`, `307` and `308`.
+
+- `match` - (Required) The ACL match rule. At least `ip_subnet` or `http_filter` and `http_filter_value` are required.
+
+    - `ip_subnet` - (Optional) A list of IPs or CIDR v4/v6 addresses of the client of the session to match.
+
+    - `http_filter` - (Optional) The HTTP filter to match. This filter is supported only if your backend protocol has an HTTP forward protocol.
+      It extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).
+      Possible values are: `acl_http_filter_none`, `path_begin`, `path_end`, `http_header_match` or `regex`.
+
+    - `http_filter_value` - (Optional) A list of possible values to match for the given HTTP filter.
+      Keep in mind that in the case of `http_header_match` the HTTP header field name is case-insensitive.
+
+    - `http_value_option` - (Optional) If you have `http_filter` at `http_header_match`, you can use this field to filter on the HTTP header's value.
+
+    - `invert` - (Optional) If set to `true`, the condition will be of type "unless".
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `id` - The ID of the load-balancer ACL.
+
+~> **Important:** Load-Balancers ACLs' IDs are [zoned](../guides/regions_and_zones.md#resource-ids), which means they are of the form `{zone}/{id}`, e.g. `fr-par-1/11111111-1111-1111-1111-111111111111`
+
+
+## Import
+
+Load-Balancer ACL can be imported using the `{zone}/{id}`, e.g.
+
+```bash
+$ terraform import scaleway_lb_acl.acl01 fr-par-1/11111111-1111-1111-1111-111111111111
+```

docs/resources/lb_frontend.md

@@ -201,6 +201,9 @@ The following arguments are supported:
     - `http_value_option` - (Optional) If you have `http_filter` at `http_header_match`, you can use this field to filter on the HTTP header's value.
 
     - `invert` - (Optional) If set to `true`, the condition will be of type "unless".
+  
+- `external_acls` - (Defaults to `false`) A boolean to specify whether to use [lb_acl](../resources/lb_acl.md).
+  If `external_acls` is set to `true`, `acl` can not be set directly in the lb frontend.
 
 ## Attributes Reference
 

scaleway/helpers_lb.go

@@ -65,11 +65,17 @@ func flattenLbACL(acl *lbSDK.ACL) interface{} {
 func expandLbACL(i interface{}) *lbSDK.ACL {
 	rawRule := i.(map[string]interface{})
 	acl := &lbSDK.ACL{
-		Name:   rawRule["name"].(string),
-		Match:  expandLbACLMatch(rawRule["match"]),
-		Action: expandLbACLAction(rawRule["action"]),
+		Name:        rawRule["name"].(string),
+		Description: rawRule["description"].(string),
+		Match:       expandLbACLMatch(rawRule["match"]),
+		Action:      expandLbACLAction(rawRule["action"]),
+		CreatedAt:   expandTimePtr(rawRule["created_at"]),
+		UpdatedAt:   expandTimePtr(rawRule["updated_at"]),
 	}
 
+	if rawRule["index"] != nil {
+		acl.Index = int32(rawRule["index"].(int))
+	}
 	// remove http filter values if we do not pass any http filter
 	if acl.Match.HTTPFilter == "" || acl.Match.HTTPFilter == lbSDK.ACLHTTPFilterACLHTTPFilterNone {
 		acl.Match.HTTPFilter = lbSDK.ACLHTTPFilterACLHTTPFilterNone

scaleway/provider.go

@@ -126,6 +126,7 @@ func Provider(config *ProviderConfig) plugin.ProviderFunc {
 				"scaleway_k8s_cluster":                         resourceScalewayK8SCluster(),
 				"scaleway_k8s_pool":                            resourceScalewayK8SPool(),
 				"scaleway_lb":                                  resourceScalewayLb(),
+				"scaleway_lb_acl":                              resourceScalewayLbACL(),
 				"scaleway_lb_ip":                               resourceScalewayLbIP(),
 				"scaleway_lb_backend":                          resourceScalewayLbBackend(),
 				"scaleway_lb_certificate":                      resourceScalewayLbCertificate(),

scaleway/resource_lb_acl.go

@@ -0,0 +1,267 @@
+package scaleway
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	lbSDK "github.com/scaleway/scaleway-sdk-go/api/lb/v1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+)
+
+func resourceScalewayLbACL() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceScalewayLbACLCreate,
+		ReadContext:   resourceScalewayLbACLRead,
+		UpdateContext: resourceScalewayLbACLUpdate,
+		DeleteContext: resourceScalewayLbACLDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Timeouts: &schema.ResourceTimeout{
+			Default: schema.DefaultTimeout(defaultLbLbTimeout),
+		},
+		SchemaVersion: 1,
+		Schema: map[string]*schema.Schema{
+			"frontend_id": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validationUUIDorUUIDWithLocality(),
+				Description:  "The frontend ID on which the ACL is applied",
+			},
+			"name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "The ACL name",
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Description of the ACL",
+			},
+			"index": {
+				Type:         schema.TypeInt,
+				Description:  "The priority of the ACL. (ACLs are applied in ascending order, 0 is the first ACL executed)",
+				Required:     true,
+				ValidateFunc: validation.IntAtLeast(0),
+			},
+			"action": {
+				Type:        schema.TypeList,
+				Required:    true,
+				Description: "Action to undertake when an ACL filter matches",
+				MaxItems:    1,
+				MinItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"type": {
+							Type:     schema.TypeString,
+							Required: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								lbSDK.ACLActionTypeAllow.String(),
+								lbSDK.ACLActionTypeDeny.String(),
+								lbSDK.ACLActionTypeRedirect.String(),
+							}, false),
+							Description: "The action type",
+						},
+						"redirect": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: "Redirect parameters when using an ACL with `redirect` action",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"type": {
+										Type:     schema.TypeString,
+										Optional: true,
+										ValidateFunc: validation.StringInSlice([]string{
+											lbSDK.ACLActionRedirectRedirectTypeLocation.String(),
+											lbSDK.ACLActionRedirectRedirectTypeScheme.String(),
+										}, false),
+										Description: "The redirect type",
+									},
+									"target": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "An URL can be used in case of a location redirect ",
+									},
+									"code": {
+										Type:        schema.TypeInt,
+										Optional:    true,
+										Description: "The HTTP redirect code to use",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"match": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				MaxItems:    1,
+				MinItems:    1,
+				Description: "The ACL match rule",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"ip_subnet": {
+							Type: schema.TypeList,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							Optional:    true,
+							Description: "A list of IPs or CIDR v4/v6 addresses of the client of the session to match",
+						},
+						"http_filter": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  lbSDK.ACLHTTPFilterACLHTTPFilterNone.String(),
+							ValidateFunc: validation.StringInSlice([]string{
+								lbSDK.ACLHTTPFilterACLHTTPFilterNone.String(),
+								lbSDK.ACLHTTPFilterPathBegin.String(),
+								lbSDK.ACLHTTPFilterPathEnd.String(),
+								lbSDK.ACLHTTPFilterRegex.String(),
+								lbSDK.ACLHTTPFilterHTTPHeaderMatch.String(),
+							}, false),
+							Description: "The HTTP filter to match",
+						},
+						"http_filter_value": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: "A list of possible values to match for the given HTTP filter",
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"http_filter_option": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "You can use this field with http_header_match acl type to set the header name to filter",
+						},
+						"invert": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: `If set to true, the condition will be of type "unless"`,
+						},
+					},
+				},
+			},
+			"created_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date and time of ACL's creation (RFC 3339 format)",
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date and time of ACL's update (RFC 3339 format)",
+			},
+		},
+	}
+}
+
+func resourceScalewayLbACLCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	lbAPI, _, err := lbAPIWithZone(d, meta)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	frontZone, frontID, err := parseZonedID(d.Get("frontend_id").(string))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	req := &lbSDK.ZonedAPICreateACLRequest{
+		Zone:        frontZone,
+		FrontendID:  frontID,
+		Name:        d.Get("name").(string),
+		Action:      expandLbACLAction(d.Get("action")),
+		Match:       expandLbACLMatch(d.Get("match")),
+		Index:       int32(d.Get("index").(int)),
+		Description: d.Get("description").(string),
+	}
+
+	res, err := lbAPI.CreateACL(req, scw.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(newZonedIDString(frontZone, res.ID))
+
+	return resourceScalewayLbACLRead(ctx, d, meta)
+}
+
+func resourceScalewayLbACLRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	lbAPI, zone, ID, err := lbAPIWithZoneAndID(meta, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	acl, err := lbAPI.GetACL(&lbSDK.ZonedAPIGetACLRequest{
+		Zone:  zone,
+		ACLID: ID,
+	}, scw.WithContext(ctx))
+	if err != nil {
+		if is404Error(err) {
+			d.SetId("")
+			return nil
+		}
+		return diag.FromErr(err)
+	}
+
+	_ = d.Set("frontend_id", newZonedIDString(zone, acl.Frontend.ID))
+	_ = d.Set("name", acl.Name)
+	_ = d.Set("description", acl.Description)
+	_ = d.Set("index", int(acl.Index))
+	_ = d.Set("created_at", flattenTime(acl.CreatedAt))
+	_ = d.Set("updated_at", flattenTime(acl.UpdatedAt))
+	_ = d.Set("action", flattenLbACLAction(acl.Action))
+
+	if acl.Match != nil {
+		_ = d.Set("match", flattenLbACLMatch(acl.Match))
+	}
+
+	return nil
+}
+
+func resourceScalewayLbACLUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	lbAPI, zone, ID, err := lbAPIWithZoneAndID(meta, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	req := &lbSDK.ZonedAPIUpdateACLRequest{
+		Zone:        zone,
+		ACLID:       ID,
+		Name:        d.Get("name").(string),
+		Action:      expandLbACLAction(d.Get("action")),
+		Index:       int32(d.Get("index").(int)),
+		Match:       expandLbACLMatch(d.Get("match")),
+		Description: expandUpdatedStringPtr(d.Get("description")),
+	}
+
+	_, err = lbAPI.UpdateACL(req, scw.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return resourceScalewayLbACLRead(ctx, d, meta)
+}
+
+func resourceScalewayLbACLDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	lbAPI, zone, ID, err := lbAPIWithZoneAndID(meta, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = lbAPI.DeleteACL(&lbSDK.ZonedAPIDeleteACLRequest{
+		Zone:  zone,
+		ACLID: ID,
+	}, scw.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}