[IAM]: identitiy_acl_v3 resource (#2617)

[IAM]: identitiy_acl_v3 resource

Summary of the Pull Request
New resource to manage domain acl.
PR Checklist

 Refers to: #2613, #2614
 Tests added/passed.
 Documentation updated.
 Schema updated.
 Release notes added.

Acceptance Steps Performed
=== RUN   TestAccIdentitACL_basic
=== PAUSE TestAccIdentitACL_basic
=== CONT  TestAccIdentitACL_basic
--- PASS: TestAccIdentitACL_basic (40.08s)
=== RUN   TestAccIdentitACL_apiAccess
=== PAUSE TestAccIdentitACL_apiAccess
=== CONT  TestAccIdentitACL_apiAccess
--- PASS: TestAccIdentitACL_apiAccess (39.76s)
PASS

Process finished with the exit code 0

Reviewed-by: Anton Sidelnikov

docs/resources/identity_acl_v3.md

@@ -0,0 +1,71 @@
+---
+subcategory: "Identity and Access Management (IAM)"
+layout: "opentelekomcloud"
+page_title: "OpenTelekomCloud: opentelekomcloud_identity_acl_v3"
+sidebar_current: "docs-opentelekomcloud-resource-identity-acl-v3"
+description: |-
+  Manages a IAM ACL resource within OpenTelekomCloud.
+---
+
+Up-to-date reference of API arguments for IAM agency you can get at
+[documentation portal](https://docs.otc.t-systems.com/identity-access-management/api-ref/apis/security_settings/index.html)
+
+
+# opentelekomcloud_identity_acl_v3
+
+Manages an ACL resource within OpenTelekomCloud IAM service. The ACL allows user access only from specified IP address
+ranges and IPv4 CIDR blocks. The ACL takes effect for IAM users under the Domain account rather than the account itself.
+
+-> **NOTE:** You *must* have admin privileges to use this resource.
+
+## Example Usage
+
+```hcl
+resource "opentelekomcloud_identity_acl_v3" "acl" {
+  type = "console"
+
+  ip_cidrs {
+    cidr        = "159.138.39.192/32"
+    description = "This is a test ip address"
+  }
+  ip_ranges {
+    range       = "0.0.0.0-255.255.255.0"
+    description = "This is a test ip range"
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `type` - (Required, String, ForceNew) Specifies the ACL is created through the Console or API.
+  Valid values are **console** and **api**. Changing this parameter will create a new ACL.
+
+* `ip_cidrs` - (Optional, List) Specifies the IPv4 CIDR blocks from which console access or api access is allowed.
+  The `ip_cidrs` cannot repeat. The [object](#ip_cidrs_object) structure is documented below.
+
+* `ip_ranges` - (Optional, List) Specifies the IP address ranges from which console access or api access is allowed.
+  The `ip_ranges` cannot repeat. The [object](#ip_ranges_object) structure is documented below.
+
+-> **NOTE:** Up to 200 `ip_cidrs` and `ip_ranges` can be created in total for each access method.
+
+<a name="ip_cidrs_object"></a>
+The `ip_cidrs` block supports:
+
+* `cidr` - (Required, String) Specifies the IPv4 CIDR block, for example, **192.168.0.0/24**.
+
+* `description` - (Optional, String) Specifies a description about an IPv4 CIDR block.
+
+<a name="ip_ranges_object"></a>
+The `ip_ranges` block supports:
+
+* `range` - (Required, String) Specifies the Ip address range, for example, **0.0.0.0-255.255.255.0**.
+
+* `description` - (Optional, String) Specifies a description about an IP address range.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The ID of identity ACL.

docs/resources/identity_agency_v3.md

@@ -4,7 +4,7 @@ layout: "opentelekomcloud"
 page_title: "OpenTelekomCloud: opentelekomcloud_identity_agency_v3"
 sidebar_current: "docs-opentelekomcloud-resource-identity-agency-v3"
 description: |-
-  Manages a IAM Cgency resource within OpenTelekomCloud.
+  Manages a IAM Agency resource within OpenTelekomCloud.
 ---
 
 Up-to-date reference of API arguments for IAM agency you can get at

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240801130950-23309befdfdf
+	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240814110433-fcf1ec13262f
 	github.com/unknwon/com v1.0.1
 	golang.org/x/crypto v0.21.0
 	golang.org/x/sync v0.1.0

go.sum

@@ -156,8 +156,8 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLA
 github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce h1:RPclfga2SEJmgMmz2k+Mg7cowZ8yv4Trqw9UsJby758=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240801130950-23309befdfdf h1:KTZjJ8tU4jxZQfQ+iy87ZMdtWIiWgrjGwL6IgHunF7k=
-github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240801130950-23309befdfdf/go.mod h1:M1F6OfSRZRzAmAFKQqSLClX952at5hx5rHe4UTEykgg=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240814110433-fcf1ec13262f h1:b/9yMTUDUybpkcsFKFVGZlOhsFB+JSnXshZmtCMFBbQ=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240814110433-fcf1ec13262f/go.mod h1:M1F6OfSRZRzAmAFKQqSLClX952at5hx5rHe4UTEykgg=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

opentelekomcloud/acceptance/iam/resource_opentelekomcloud_identity_acl_v3_test.go

@@ -0,0 +1,160 @@
+package acceptance
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/opentelekomcloud/gophertelekomcloud/openstack/identity/v3.0/acl"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/acceptance/common"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/cfg"
+)
+
+func getIdentitACLResourceFunc(c *cfg.Config, state *terraform.ResourceState) (interface{}, error) {
+	client, err := c.IdentityV30Client()
+	if err != nil {
+		return nil, fmt.Errorf("error creating IAM client: %s", err)
+	}
+
+	switch state.Primary.Attributes["type"] {
+	case "console":
+		v, err := acl.ConsoleACLPolicyGet(client, state.Primary.ID)
+		if err != nil {
+			return nil, err
+		}
+		if len(v.AllowAddressNetmasks) == 0 && len(v.AllowIPRanges) == 1 &&
+			v.AllowIPRanges[0].IPRange == "0.0.0.0-255.255.255.255" {
+			return nil, fmt.Errorf("identity ACL for console access <%s> not exists", state.Primary.ID)
+		}
+		return v, nil
+	case "api":
+		v, err := acl.APIACLPolicyGet(client, state.Primary.ID)
+		if err != nil {
+			return nil, err
+		}
+		if len(v.AllowAddressNetmasks) == 0 && len(v.AllowIPRanges) == 1 &&
+			v.AllowIPRanges[0].IPRange == "0.0.0.0-255.255.255.255" {
+			return nil, fmt.Errorf("identity ACL for console access <%s> not exists", state.Primary.ID)
+		}
+		return v, nil
+	}
+	return nil, nil
+}
+
+func TestAccIdentitACL_basic(t *testing.T) {
+	var object acl.ACLPolicy
+	resourceName := "opentelekomcloud_identity_acl_v3.test"
+
+	rc := common.InitResourceCheck(
+		resourceName,
+		&object,
+		getIdentitACLResourceFunc,
+	)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			common.TestAccPreCheck(t)
+			common.TestAccPreCheckAdminOnly(t)
+		},
+		ProviderFactories: common.TestAccProviderFactories,
+		CheckDestroy:      rc.CheckResourceDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityACL_basic("console"),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceName, "type", "console"),
+					resource.TestCheckResourceAttr(resourceName, "ip_ranges.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "ip_cidrs.#", "1"),
+				),
+			},
+			{
+				Config: testAccIdentityACL_update("console"),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceName, "type", "console"),
+					resource.TestCheckResourceAttr(resourceName, "ip_ranges.#", "2"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccIdentitACL_apiAccess(t *testing.T) {
+	var object acl.ACLPolicy
+	resourceName := "opentelekomcloud_identity_acl_v3.test"
+
+	rc := common.InitResourceCheck(
+		resourceName,
+		&object,
+		getIdentitACLResourceFunc,
+	)
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			common.TestAccPreCheck(t)
+			common.TestAccPreCheckAdminOnly(t)
+		},
+		ProviderFactories: common.TestAccProviderFactories,
+		CheckDestroy:      rc.CheckResourceDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityACL_basic("api"),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceName, "type", "api"),
+					resource.TestCheckResourceAttr(resourceName, "ip_ranges.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "ip_cidrs.#", "1"),
+				),
+			},
+			{
+				Config: testAccIdentityACL_update("api"),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceName, "type", "api"),
+					resource.TestCheckResourceAttr(resourceName, "ip_ranges.#", "2"),
+				),
+			},
+		},
+	})
+}
+
+func testAccIdentityACL_basic(aclType string) string {
+	return fmt.Sprintf(`
+resource "opentelekomcloud_identity_acl_v3" "test" {
+  type = "%[1]s"
+
+  ip_ranges {
+    range       = "172.16.0.0-172.16.255.255"
+    description = "This is a basic ip range for %[1]s access"
+  }
+
+  ip_cidrs {
+    cidr        = "192.168.0.1/32"
+    description = "This is a basic ip address for %[1]s access"
+  }
+}
+`, aclType)
+}
+
+func testAccIdentityACL_update(aclType string) string {
+	return fmt.Sprintf(`
+resource "opentelekomcloud_identity_acl_v3" "test" {
+  type = "%[1]s"
+
+  ip_ranges {
+    range       = "172.16.0.0-172.16.255.255"
+    description = "This is a update ip range 1 for %[1]s access"
+  }
+  ip_ranges {
+    range       = "192.168.0.0-192.168.255.255"
+    description = "This is a update ip range 2 for %[1]s access"
+  }
+
+  ip_cidrs {
+    cidr        = "192.168.0.1/32"
+    description = "This is a update ip address for %[1]s access"
+  }
+}
+`, aclType)
+}

opentelekomcloud/common/validators.go

@@ -393,3 +393,37 @@ func ValidateEmail(v interface{}, k string) (ws []string, errors []error) {
 	}
 	return
 }
+
+func ValidateIPRange(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+	ipAddresses := strings.Split(value, "-")
+	if len(ipAddresses) != 2 {
+		errors = append(errors, fmt.Errorf(
+			"%q must be a valid network IP address range, such as 0.0.0.0-255.255.255.0, but got %q", k, value))
+		return
+	}
+	for _, address := range ipAddresses {
+		ipnet := net.ParseIP(address)
+		if ipnet == nil || address != ipnet.String() {
+			errors = append(errors, fmt.Errorf("%q must contains valid network IP address, got %q", k, address))
+		}
+	}
+	if len(errors) == 0 {
+		if ipAddresses[0] == ipAddresses[1] {
+			errors = append(errors, fmt.Errorf("Two network IP address of %q cannot equal, got %q", k, value))
+		}
+		startAddress := strings.Split(ipAddresses[0], ".")
+		endAddress := strings.Split(ipAddresses[1], ".")
+		for i := 0; i < len(startAddress); i++ {
+			if startAddress[i] > endAddress[i] {
+				errors = append(errors, fmt.Errorf(
+					"%q starting IP address cannot be greater than the ending IP address, got %q", k, value))
+				return
+			} else if startAddress[i] < endAddress[i] {
+				return
+			}
+		}
+	}
+
+	return
+}

opentelekomcloud/provider.go

@@ -438,6 +438,7 @@ func Provider() *schema.Provider {
 			"opentelekomcloud_fw_policy_v2":                              fw.ResourceFWPolicyV2(),
 			"opentelekomcloud_fw_rule_v2":                                fw.ResourceFWRuleV2(),
 			"opentelekomcloud_gaussdb_mysql_instance_v3":                 gaussdb.ResourceGaussDBInstanceV3(),
+			"opentelekomcloud_identity_acl_v3":                           iam.ResourceIdentityAclV3(),
 			"opentelekomcloud_identity_agency_v3":                        iam.ResourceIdentityAgencyV3(),
 			"opentelekomcloud_identity_credential_v3":                    iam.ResourceIdentityCredentialV3(),
 			"opentelekomcloud_identity_group_v3":                         iam.ResourceIdentityGroupV3(),