added support for cos retention

updated based on comment

updated based on comment

Set the attribute level based on comment

Revert "Set the attribute level based on comment"

This reverts commit e189b957e76fc1cbc79a3cad5f0f84e5a6804e19.

Set the attribute level based on comment

Author: testpod-source-p

examples/ibm-cos-bucket/README.md

@@ -121,3 +121,7 @@ data "ibm_cos_bucket" "standard-ams03" {
 | expire_ruleid | Unique identifier for the rule. | `string` | no
 | expire_days | Specifies the number of days when the specific expire rule action takes effect. | `int` | yes
 | expire_prefix | Specifies a prefix filter to apply to only a subset of objects with names that match the prefix. | `string` | no
+| default | Specifies a default retention period to apply in all objects in the bucket. | `int` | yes
+| maximum | Specifies maximum duration of time an object can be kept unmodified in the bucket. | `int` | yes
+| minimum | Specifies minimum duration of time an object must be kept unmodified in the bucket. | `int` | yes
+| permanent | Specifies a permanent retention status either enable or disable for a bucket. | `bool` | no

examples/ibm-cos-bucket/main.tf

@@ -56,4 +56,10 @@ resource "ibm_cos_bucket" "lifecycle_rule_cos" {
     days    = var.expire_days
     prefix  = var.expire_prefix
   }
-}
+  retention_rule {
+    default = var.default_retention
+    maximum = var.maximum_retention
+    minimum = var.minimum_retention
+    permanent = false
+  }
+}

examples/ibm-cos-bucket/variables.tf

@@ -40,4 +40,16 @@ variable "expire_days" {
 
 variable "expire_prefix" {
   default = ""
+}
+
+variable "default_retention" {
+  default = "0"
+}
+
+variable "minimum_retention" {
+  default = "0"
+}
+
+variable "maximum_retention" {
+  default = "1"
 }

ibm/data_source_ibm_cos_bucket.go

@@ -186,6 +186,44 @@ func dataSourceIBMCosBucket() *schema.Resource {
 					},
 				},
 			},
+			"retention_rule": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				MaxItems:    1000,
+				Description: "A retention policy is enabled at the IBM Cloud Object Storage bucket level. Minimum, maximum and default retention period are defined by this policy and apply to all objects in the bucket.",
+				ForceNew:    true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"default": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							ValidateFunc: validateAllowedRangeInt(0, 365243),
+							Description:  "If an object is stored in the bucket without specifying a custom retention period.",
+							ForceNew:     false,
+						},
+						"maximum": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							ValidateFunc: validateAllowedRangeInt(0, 365243),
+							Description:  "Maximum duration of time an object can be kept unmodified in the bucket.",
+							ForceNew:     false,
+						},
+						"minimum": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							ValidateFunc: validateAllowedRangeInt(0, 365243),
+							Description:  "Minimum duration of time an object must be kept unmodified in the bucket",
+							ForceNew:     false,
+						},
+						"permanent": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Default:     false,
+							Description: "Enable or disable the permanent retention policy on the bucket",
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -347,6 +385,20 @@ func dataSourceIBMCosBucketRead(d *schema.ResourceData, meta interface{}) error
 		}
 	}
 
+	// Read the retention policy
+	retentionInput := &s3.GetBucketProtectionConfigurationInput{
+		Bucket: aws.String(bucketName),
+	}
+	retentionptr, err := s3Client.GetBucketProtectionConfiguration(retentionInput)
+
+	if err != nil && bucketPtr != nil && bucketPtr.Firewall != nil && !strings.Contains(err.Error(), "AccessDenied: Access Denied") {
+		return err
+	}
+
+	if retentionptr != nil {
+		d.Set("retention_rule", retentionRuleGet(retentionptr.ProtectionConfiguration))
+	}
+
 	return nil
 }
 

ibm/resource_ibm_cos_bucket.go

@@ -250,6 +250,44 @@ func resourceIBMCOS() *schema.Resource {
 					},
 				},
 			},
+			"retention_rule": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				MaxItems:    1000,
+				Description: "A retention policy is enabled at the IBM Cloud Object Storage bucket level. Minimum, maximum and default retention period are defined by this policy and apply to all objects in the bucket.",
+				ForceNew:    true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"default": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							ValidateFunc: validateAllowedRangeInt(0, 365243),
+							Description:  "If an object is stored in the bucket without specifying a custom retention period.",
+							ForceNew:     false,
+						},
+						"maximum": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							ValidateFunc: validateAllowedRangeInt(0, 365243),
+							Description:  "Maximum duration of time an object can be kept unmodified in the bucket.",
+							ForceNew:     false,
+						},
+						"minimum": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							ValidateFunc: validateAllowedRangeInt(0, 365243),
+							Description:  "Minimum duration of time an object must be kept unmodified in the bucket",
+							ForceNew:     false,
+						},
+						"permanent": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Default:     false,
+							Description: "Enable or disable the permanent retention policy on the bucket",
+						},
+					},
+				},
+			},
 			"force_delete": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -359,46 +397,45 @@ func expireRuleList(expireList []interface{}) []*s3.LifecycleRule {
 }
 
 func resourceIBMCOSUpdate(d *schema.ResourceData, meta interface{}) error {
+	var s3Conf *aws.Config
+	rsConClient, err := meta.(ClientSession).BluemixSession()
+	if err != nil {
+		return err
+	}
+	bucketName := parseBucketId(d.Id(), "bucketName")
+	serviceID := parseBucketId(d.Id(), "serviceID")
+	endpointType := parseBucketId(d.Id(), "endpointType")
+	apiEndpoint, apiEndpointPrivate := selectCosApi(parseBucketId(d.Id(), "apiType"), parseBucketId(d.Id(), "bLocation"))
+	if endpointType == "private" {
+		apiEndpoint = apiEndpointPrivate
+	}
+	authEndpoint, err := rsConClient.Config.EndpointLocator.IAMEndpoint()
+	if err != nil {
+		return err
+	}
+	authEndpointPath := fmt.Sprintf("%s%s", authEndpoint, "/identity/token")
+	apiKey := rsConClient.Config.BluemixAPIKey
+	if apiKey != "" {
+		s3Conf = aws.NewConfig().WithEndpoint(envFallBack([]string{"IBMCLOUD_COS_ENDPOINT"}, apiEndpoint)).WithCredentials(ibmiam.NewStaticCredentials(aws.NewConfig(), authEndpointPath, apiKey, serviceID)).WithS3ForcePathStyle(true)
+	}
+	iamAccessToken := rsConClient.Config.IAMAccessToken
+	if iamAccessToken != "" {
+		initFunc := func() (*token.Token, error) {
+			return &token.Token{
+				AccessToken:  rsConClient.Config.IAMAccessToken,
+				RefreshToken: rsConClient.Config.IAMRefreshToken,
+				TokenType:    "Bearer",
+				ExpiresIn:    int64((time.Hour * 248).Seconds()) * -1,
+				Expiration:   time.Now().Add(-1 * time.Hour).Unix(),
+			}, nil
+		}
+		s3Conf = aws.NewConfig().WithEndpoint(envFallBack([]string{"IBMCLOUD_COS_ENDPOINT"}, apiEndpoint)).WithCredentials(ibmiam.NewCustomInitFuncCredentials(aws.NewConfig(), initFunc, authEndpointPath, serviceID)).WithS3ForcePathStyle(true)
+	}
+	s3Sess := session.Must(session.NewSession())
+	s3Client := s3.New(s3Sess, s3Conf)
 
 	//// Update  the lifecycle (Archive or Expire)
 	if d.HasChange("archive_rule") || d.HasChange("expire_rule") {
-		var s3Conf *aws.Config
-		rsConClient, err := meta.(ClientSession).BluemixSession()
-		if err != nil {
-			return err
-		}
-		bucketName := parseBucketId(d.Id(), "bucketName")
-		serviceID := parseBucketId(d.Id(), "serviceID")
-		endpointType := parseBucketId(d.Id(), "endpointType")
-		apiEndpoint, apiEndpointPrivate := selectCosApi(parseBucketId(d.Id(), "apiType"), parseBucketId(d.Id(), "bLocation"))
-		if endpointType == "private" {
-			apiEndpoint = apiEndpointPrivate
-		}
-		authEndpoint, err := rsConClient.Config.EndpointLocator.IAMEndpoint()
-		if err != nil {
-			return err
-		}
-		authEndpointPath := fmt.Sprintf("%s%s", authEndpoint, "/identity/token")
-		apiKey := rsConClient.Config.BluemixAPIKey
-		if apiKey != "" {
-			s3Conf = aws.NewConfig().WithEndpoint(envFallBack([]string{"IBMCLOUD_COS_ENDPOINT"}, apiEndpoint)).WithCredentials(ibmiam.NewStaticCredentials(aws.NewConfig(), authEndpointPath, apiKey, serviceID)).WithS3ForcePathStyle(true)
-		}
-		iamAccessToken := rsConClient.Config.IAMAccessToken
-		if iamAccessToken != "" && apiKey == "" {
-			initFunc := func() (*token.Token, error) {
-				return &token.Token{
-					AccessToken:  rsConClient.Config.IAMAccessToken,
-					RefreshToken: rsConClient.Config.IAMRefreshToken,
-					TokenType:    "Bearer",
-					ExpiresIn:    int64((time.Hour * 248).Seconds()) * -1,
-					Expiration:   time.Now().Add(-1 * time.Hour).Unix(),
-				}, nil
-			}
-			s3Conf = aws.NewConfig().WithEndpoint(envFallBack([]string{"IBMCLOUD_COS_ENDPOINT"}, apiEndpoint)).WithCredentials(ibmiam.NewCustomInitFuncCredentials(aws.NewConfig(), initFunc, authEndpointPath, serviceID)).WithS3ForcePathStyle(true)
-		}
-		s3Sess := session.Must(session.NewSession())
-		s3Client := s3.New(s3Sess, s3Conf)
-
 		var archive, archive_ok = d.GetOk("archive_rule")
 		var expire, expire_ok = d.GetOk("expire_rule")
 		var rules []*s3.LifecycleRule
@@ -434,11 +471,65 @@ func resourceIBMCOSUpdate(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	//// Update  the Retention policy
+	if d.HasChange("retention_rule") {
+		var defaultretention, minretention, maxretention int64
+		var permanentretention bool
+		if retention, ok := d.GetOk("retention_rule"); ok {
+			retentionList := retention.([]interface{})
+			if len(retentionList) > 1 {
+				return fmt.Errorf("Can not more than 1 retention policy")
+			}
+			for _, l := range retentionList {
+				retentionMap, _ := l.(map[string]interface{})
+				//Default Days
+				if defaultretentionSet, exist := retentionMap["default"]; exist {
+					defaultdays := int64(defaultretentionSet.(int))
+					defaultretention = defaultdays
+				}
+				//Maximum Days
+				if maxretentionSet, exist := retentionMap["maximum"]; exist {
+					maxdays := int64(maxretentionSet.(int))
+					maxretention = maxdays
+				}
+				//Minimum Days
+				if minretentionSet, exist := retentionMap["minimum"]; exist {
+					mindays := int64(minretentionSet.(int))
+					minretention = mindays
+				}
+				//Permanent Retention Enable/Disable
+				if permanentretentionSet, exist := retentionMap["permanent"]; exist {
+					permanentretention = permanentretentionSet.(bool)
+				}
+			}
+			// PUT BUCKET PROTECTION CONFIGURATION
+			pInput := &s3.PutBucketProtectionConfigurationInput{
+				Bucket: aws.String(bucketName),
+				ProtectionConfiguration: &s3.ProtectionConfiguration{
+					DefaultRetention: &s3.BucketProtectionDefaultRetention{
+						Days: aws.Int64(defaultretention),
+					},
+					MaximumRetention: &s3.BucketProtectionMaximumRetention{
+						Days: aws.Int64(maxretention),
+					},
+					MinimumRetention: &s3.BucketProtectionMinimumRetention{
+						Days: aws.Int64(minretention),
+					},
+					Status:                   aws.String("Retention"),
+					EnablePermanentRetention: aws.Bool(permanentretention),
+				},
+			}
+			_, err := s3Client.PutBucketProtectionConfiguration(pInput)
+			if err != nil {
+				return fmt.Errorf("failed to update the retention rule on COS bucket %s, %v", bucketName, err)
+			}
+		}
+	}
+
 	sess, err := meta.(ClientSession).CosConfigV1API()
 	if err != nil {
 		return err
 	}
-	endpointType := parseBucketId(d.Id(), "endpointType")
 	if endpointType == "private" {
 		sess.SetServiceURL("https://config.private.cloud-object-storage.cloud.ibm.com/v1")
 	}
@@ -447,7 +538,7 @@ func resourceIBMCOSUpdate(d *schema.ResourceData, meta interface{}) error {
 	updateBucketConfigOptions := &resourceconfigurationv1.UpdateBucketConfigOptions{}
 
 	//BucketName
-	bucketName := d.Get("bucket_name").(string)
+	bucketName = d.Get("bucket_name").(string)
 	updateBucketConfigOptions.Bucket = &bucketName
 
 	if d.HasChange("allowed_ip") {
@@ -673,6 +764,19 @@ func resourceIBMCOSRead(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	retentionInput := &s3.GetBucketProtectionConfigurationInput{
+		Bucket: aws.String(bucketName),
+	}
+	retentionptr, err := s3Client.GetBucketProtectionConfiguration(retentionInput)
+
+	if err != nil && bucketPtr != nil && bucketPtr.Firewall != nil && !strings.Contains(err.Error(), "AccessDenied: Access Denied") {
+		return err
+	}
+
+	if retentionptr != nil {
+		d.Set("retention_rule", retentionRuleGet(retentionptr.ProtectionConfiguration))
+	}
+
 	return nil
 }
 

ibm/resource_ibm_cos_bucket_test.go

@@ -258,6 +258,35 @@ func TestAccIBMCosBucket_Expire(t *testing.T) {
 	})
 }
 
+func TestAccIBMCosBucket_Retention(t *testing.T) {
+
+	cosServiceName := fmt.Sprintf("cos_instance_%d", acctest.RandIntRange(10, 100))
+	bucketName := fmt.Sprintf("terraform%d", acctest.RandIntRange(10, 100))
+	bucketRegion := "jp-tok"
+	bucketClass := "standard"
+	bucketRegionType := "region_location"
+	default_retention := 0
+	maximum_retention := 1
+	minimum_retention := 0
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIBMCosBucketDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccCheckIBMCosBucket_retention(cosServiceName, bucketName, bucketRegionType, bucketRegion, bucketClass, default_retention, maximum_retention, minimum_retention),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMCosBucketExists("ibm_resource_instance.instance", "ibm_cos_bucket.bucket", bucketRegionType, bucketRegion, bucketName),
+					resource.TestCheckResourceAttr("ibm_cos_bucket.bucket", "bucket_name", bucketName),
+					resource.TestCheckResourceAttr("ibm_cos_bucket.bucket", "storage_class", bucketClass),
+					resource.TestCheckResourceAttr("ibm_cos_bucket.bucket", "region_location", bucketRegion),
+					resource.TestCheckResourceAttr("ibm_cos_bucket.bucket", "retention_rule.#", "1"),
+				),
+			},
+		},
+	})
+}
 func TestAccIBMCosBucket_Smart_Type(t *testing.T) {
 	serviceName := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
 	bucketName := fmt.Sprintf("terraform%d", acctest.RandIntRange(10, 100))
@@ -840,3 +869,33 @@ func testAccCheckIBMCosBucket_update_archive_expire(cosServiceName string, bucke
 	}
 	`, cosServiceName, bucketName, region, storageClass)
 }
+
+func testAccCheckIBMCosBucket_retention(cosServiceName string, bucketName string, regiontype string, region string, storageClass string, default_retention int, maximum_retention int, minimum_retention int) string {
+
+	return fmt.Sprintf(`
+	data "ibm_resource_group" "cos_group" {
+		name = "Default"
+	}
+
+	resource "ibm_resource_instance" "instance" {
+		name              = "%s"
+		service           = "cloud-object-storage"
+		plan              = "standard"
+		location          = "global"
+		resource_group_id = data.ibm_resource_group.cos_group.id
+	}
+
+	resource "ibm_cos_bucket" "bucket" {
+		bucket_name           = "%s"
+		resource_instance_id  = ibm_resource_instance.instance.id
+	    region_location       = "%s"
+		storage_class         = "%s"
+		retention_rule {
+			default = %d
+			maximum = %d
+			minimum = %d
+			permanent = false
+		}
+	}
+	`, cosServiceName, bucketName, region, storageClass, default_retention, maximum_retention, minimum_retention)
+}