ENG-14351: Fix invalid TLS option check (#561)

* Fix invalid TLS options

* Fix docs

* Change conf_auth test to validate all repo_tls options

* Address PR review comment

cyral/internal/repository/confauth/constants.go

@@ -1,11 +1,45 @@
 package confauth
 
-const (
-	resourceName = "cyral_repository_conf_auth"
+import "github.com/cyralinc/terraform-provider-cyral/cyral/utils"
 
-	DefaultClientTLS    = "disable"
-	DefaultRepoTLS      = "disable"
+const (
+	resourceName        = "cyral_repository_conf_auth"
 	AccessTokenAuthType = "ACCESS_TOKEN"
 	AwsIAMAuthType      = "AWS_IAM"
 	DefaultAuthType     = AccessTokenAuthType
 )
+
+const (
+	TLSEnable              = TLSType("enable")
+	TLSEnableAndVerifyCert = TLSType("enableAndVerifyCert")
+	TLSDisable             = TLSType("disable")
+)
+
+type TLSType string
+
+func ClientTLSTypes() []TLSType {
+	return []TLSType{
+		TLSEnable,
+		TLSDisable,
+	}
+}
+
+func ClientTLSTypesAsString() []string {
+	return utils.ToSliceOfString[TLSType](ClientTLSTypes(), func(t TLSType) string {
+		return string(t)
+	})
+}
+
+func RepoTLSTypes() []TLSType {
+	return []TLSType{
+		TLSEnable,
+		TLSEnableAndVerifyCert,
+		TLSDisable,
+	}
+}
+
+func RepoTLSTypesAsString() []string {
+	return utils.ToSliceOfString[TLSType](RepoTLSTypes(), func(t TLSType) string {
+		return string(t)
+	})
+}

cyral/internal/repository/confauth/model.go

@@ -1,8 +1,6 @@
 package confauth
 
 import (
-	"errors"
-
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -26,21 +24,9 @@ func (data RepositoryConfAuthData) WriteToSchema(d *schema.ResourceData) error {
 	}
 
 	d.Set("allow_native_auth", data.AllowNativeAuth)
-
-	if err := data.isClientTLSValid(); err != nil {
-		panic(err)
-	}
-
 	d.Set("client_tls", data.ClientTLS)
-
 	d.Set("identity_provider", data.IdentityProvider)
-
-	if err := data.isRepoTLSValid(); err != nil {
-		panic(err)
-	}
-
 	d.Set("repo_tls", data.RepoTLS)
-
 	d.Set("auth_type", data.AuthType)
 
 	return nil
@@ -61,20 +47,6 @@ func (data *RepositoryConfAuthData) ReadFromSchema(d *schema.ResourceData) error
 	return nil
 }
 
-func (data RepositoryConfAuthData) isClientTLSValid() error {
-	if !(data.ClientTLS == "enable" || data.ClientTLS == "disable" || data.ClientTLS == "enabledAndVerifyCertificate") {
-		return errors.New("invalid option to client_tls")
-	}
-	return nil
-}
-
-func (data RepositoryConfAuthData) isRepoTLSValid() error {
-	if !(data.RepoTLS == "enable" || data.RepoTLS == "disable" || data.RepoTLS == "enabledAndVerifyCertificate") {
-		return errors.New("invalid option to repo_tls")
-	}
-	return nil
-}
-
 type CreateRepositoryConfAuthResponse struct{}
 
 func (data CreateRepositoryConfAuthResponse) WriteToSchema(d *schema.ResourceData) error {

cyral/internal/repository/confauth/resource.go

@@ -104,10 +104,13 @@ func repositoryConfAuthResourceSchemaV0() *schema.Resource {
 				Optional:    true,
 			},
 			"client_tls": {
-				Description: fmt.Sprintf("Is the repo Client using TLS? Default is %q.", DefaultClientTLS),
-				Type:        schema.TypeString,
-				Optional:    true,
-				Default:     DefaultClientTLS,
+				Description: fmt.Sprintf(
+					"Specifies whether the sidecar will require TLS communication with clients."+
+						" Defaults to `%s`. List of supported values: %s", TLSDisable, utils.SupportedValuesAsMarkdown(ClientTLSTypesAsString())),
+				Type:         schema.TypeString,
+				Optional:     true,
+				Default:      TLSDisable,
+				ValidateFunc: validation.StringInSlice(append(ClientTLSTypesAsString(), ""), false),
 			},
 			"identity_provider": {
 				Description: fmt.Sprintf(
@@ -127,10 +130,13 @@ func repositoryConfAuthResourceSchemaV0() *schema.Resource {
 				Optional: true,
 			},
 			"repo_tls": {
-				Description: fmt.Sprintf("Is TLS enabled for the repository? Default is %q.", DefaultRepoTLS),
-				Type:        schema.TypeString,
-				Optional:    true,
-				Default:     DefaultRepoTLS,
+				Description: fmt.Sprintf(
+					"Specifies whether the sidecar will communicate with the repository using TLS."+
+						" Defaults to `%s`. List of supported values: %s", TLSDisable, utils.SupportedValuesAsMarkdown(RepoTLSTypesAsString())),
+				Type:         schema.TypeString,
+				Optional:     true,
+				Default:      TLSDisable,
+				ValidateFunc: validation.StringInSlice(append(RepoTLSTypesAsString(), ""), false),
 			},
 			"auth_type": {
 				Description: fmt.Sprintf("Authentication type for this repository. **Note**: `%s` is currently "+

cyral/internal/repository/confauth/resource_test.go

@@ -29,26 +29,26 @@ func repositoryConfAuthDependencyConfig() string {
 func initialRepositoryConfAuthConfig() auth.RepositoryConfAuthData {
 	return auth.RepositoryConfAuthData{
 		AllowNativeAuth: false,
-		ClientTLS:       "disable",
-		RepoTLS:         "enable",
+		ClientTLS:       string(auth.TLSDisable),
+		RepoTLS:         string(auth.TLSEnable),
 		AuthType:        "ACCESS_TOKEN",
 	}
 }
 
 func update1RepositoryConfAuthConfig() auth.RepositoryConfAuthData {
 	return auth.RepositoryConfAuthData{
 		AllowNativeAuth: true,
-		ClientTLS:       "enable",
-		RepoTLS:         "disable",
+		ClientTLS:       string(auth.TLSEnable),
+		RepoTLS:         string(auth.TLSDisable),
 		AuthType:        "AWS_IAM",
 	}
 }
 
 func update2RepositoryConfAuthConfig() auth.RepositoryConfAuthData {
 	return auth.RepositoryConfAuthData{
 		AllowNativeAuth: false,
-		ClientTLS:       "enable",
-		RepoTLS:         "disable",
+		ClientTLS:       string(auth.TLSEnable),
+		RepoTLS:         string(auth.TLSEnableAndVerifyCert),
 		AuthType:        "ACCESS_TOKEN",
 	}
 }
@@ -69,8 +69,8 @@ func repositoryConfAuthMinimalConfigTest(resName string) resource.TestStep {
 		Check: setupRepositoryConfAuthCheck(
 			resName,
 			auth.RepositoryConfAuthData{
-				ClientTLS: auth.DefaultClientTLS,
-				RepoTLS:   auth.DefaultRepoTLS,
+				ClientTLS: string(auth.TLSDisable),
+				RepoTLS:   string(auth.TLSDisable),
 				AuthType:  auth.DefaultAuthType,
 			},
 		),

docs/resources/repository_conf_auth.md

@@ -30,15 +30,20 @@ resource "cyral_repository_conf_auth" "some_resource_name" {
 -   `auth_type` (String) Authentication type for this repository. **Note**: `AWS_IAM` is currently only supported by `mongodb` repo type. List of supported values:
     -   `ACCESS_TOKEN`
     -   `AWS_IAM`
--   `client_tls` (String) Is the repo Client using TLS? Default is "disable".
+-   `client_tls` (String) Specifies whether the sidecar will require TLS communication with clients. Defaults to `disable`. List of supported values:
+    -   `enable`
+    -   `disable`
 -   `identity_provider` (String) The semantics of this field changed in control planes `v4.13` and later. See how it should be configured depending on your control plane version:
     -   `v4.12` and below:
         -   Provide the ID (Alias) of the identity provider integration to allow user authentication using an IdP.
     -   `v4.13` and later:
         -   If not supplied, then end-user authentication is disabled.
         -   If end-user authentication with Cyral Access Token is desired, then set to `ACCESS_TOKEN` or any other non-empty string.
         -   If end-user authentication with AWS IAM is desired, then this must be the ID of an AWS IAM integration, and the `auth_type` attribute must be set to `AWS_IAM`.
--   `repo_tls` (String) Is TLS enabled for the repository? Default is "disable".
+-   `repo_tls` (String) Specifies whether the sidecar will communicate with the repository using TLS. Defaults to `disable`. List of supported values:
+    -   `enable`
+    -   `enableAndVerifyCert`
+    -   `disable`
 
 ### Read-Only
 

docs/resources/repository_network_access_policy.md

@@ -4,8 +4,7 @@ page_title: "cyral_repository_network_access_policy Resource - terraform-provide
 subcategory: ""
 description: |-
     Manages the network access policy of a repository. Network access policies are also known as the Network Shield https://cyral.com/docs/manage-repositories/network-shield/. This feature is supported for the following repository types:
-      - sqlserver
-      - oracle
+    sqlserveroracle
     -> Note If you also use the resource cyral_repository_conf_auth for the same repository, create a depends_on relationship from this resource to the cyral_repository_conf_auth to avoid errors when running terraform destroy.
 ---