feat(CIS): Add support for managed and custom lists (IBM-Cloud#6310)

* feat(CIS): Add support for managed and custom lists

* fix typo

* add custom list

* add custom list example

* add get custom list items

* add list items

* add acceptance test for data files

* add acceptance test for resource files

* sync go sdk version

* add example

* add documentation

* Update cis_custom_list_items.html.markdown

* Update cis_custom_list_items.html.markdown

* Update cis_custom_list_items.html.markdown

* Update cis_custom_lists.html.markdown

* Update cis_managed_lists.html.markdown

* Update cis_custom_list.html.markdown

* Update cis_custom_list_items.copy.markdown

* fix error toolchain issue

* fix name issue

---------

Co-authored-by: austinmama <[email protected]>

Author: arjunchauhanibm

examples/ibm-cis/main.tf

@@ -855,4 +855,42 @@ data ibm_cis_origin_certificates "test" {
   cis_id    = ibm_cis.instance.id
   domain_id = ibm_cis_domain.example.id
   certificate_id = "25392180178235735583993116186144990011711092749"
-}
+}
+
+# Get Managed lists
+data ibm_cis_managed_lists managed_lists {
+    cis_id    = ibm_cis.instance.id
+}
+
+# Get custom lists
+data ibm_cis_custom_lists custom_lists {
+    cis_id    = ibm_cis.instance.id
+    list_id   = ibm_cis.lists.list_id 
+}
+
+# create custom list
+resource ibm_cis_custom_list custom_list {
+    cis_id    = ibm_cis.instance.id
+    kind = var.list.kind
+    name = var.list.name
+    description = var.list.description
+}
+
+# Get custom list items
+data ibm_cis_custom_list_items custom_list_items {
+    cis_id    = ibm_cis.instance.id
+    list_id   = ibm_cis.lists.list_id 
+    item_id   = ibm_cis.lists.item.item_id
+}
+
+# Create custom list items
+resource ibm_cis_custom_list_items items {
+    cis_id    = ibm_cis.instance.id
+    list_id   = ibm_cis.lists.list_id 
+    items {
+        ip = var.ip1
+    }
+    items {
+        ip = var.ip2
+    }
+}

ibm/conns/config.go

@@ -52,6 +52,7 @@ import (
 	cisglbhealthcheckv1 "github.com/IBM/networking-go-sdk/globalloadbalancermonitorv1"
 	cisglbpoolv0 "github.com/IBM/networking-go-sdk/globalloadbalancerpoolsv0"
 	cisglbv1 "github.com/IBM/networking-go-sdk/globalloadbalancerv1"
+	cislistsapiv1 "github.com/IBM/networking-go-sdk/listsapiv1"
 	cislogpushjobsapiv1 "github.com/IBM/networking-go-sdk/logpushjobsapiv1"
 	cismtlsv1 "github.com/IBM/networking-go-sdk/mtlsv1"
 	cispagerulev1 "github.com/IBM/networking-go-sdk/pageruleapiv1"
@@ -296,6 +297,7 @@ type ClientSession interface {
 	CisLockdownClientSession() (*cislockdownv1.ZoneLockdownV1, error)
 	CisRangeAppClientSession() (*cisrangeappv1.RangeApplicationsV1, error)
 	CisWAFRuleClientSession() (*ciswafrulev1.WafRulesApiV1, error)
+	CisListsSession() (*cislistsapiv1.ListsApiV1, error)
 	IAMIdentityV1API() (*iamidentity.IamIdentityV1, error)
 	IBMCloudShellV1() (*ibmcloudshellv1.IBMCloudShellV1, error)
 	ResourceManagerV2API() (*resourcemanager.ResourceManagerV2, error)
@@ -550,6 +552,11 @@ type clientSession struct {
 	// CIS WAF rule service options
 	cisWAFRuleErr    error
 	cisWAFRuleClient *ciswafrulev1.WafRulesApiV1
+
+	// CIS LISTS
+	cisListsClient *cislistsapiv1.ListsApiV1
+	cisListsErr    error
+
 	// IAM Identity Option
 	iamIdentityErr error
 	iamIdentityAPI *iamidentity.IamIdentityV1
@@ -1149,6 +1156,14 @@ func (sess clientSession) CisOrigAuthSession() (*cisoriginpull.AuthenticatedOrig
 	return sess.cisOriginAuthClient.Clone(), nil
 }
 
+// CIS Lists
+func (sess clientSession) CisListsSession() (*cislistsapiv1.ListsApiV1, error) {
+	if sess.cisListsErr != nil {
+		return sess.cisListsClient, sess.cisListsErr
+	}
+	return sess.cisListsClient.Clone(), nil
+}
+
 // IAM Identity Session
 func (sess clientSession) IAMIdentityV1API() (*iamidentity.IamIdentityV1, error) {
 	return sess.iamIdentityAPI, sess.iamIdentityErr
@@ -3165,6 +3180,27 @@ func (c *Config) ClientSession() (interface{}, error) {
 		})
 	}
 
+	// IBM Network CIS Lists
+	cisListsOpt := &cislistsapiv1.ListsApiV1Options{
+		URL:           cisEndPoint,
+		Crn:           core.StringPtr(""),
+		Authenticator: authenticator,
+		ItemID:        core.StringPtr(""),
+		ListID:        core.StringPtr(""),
+		OperationID:   core.StringPtr(""),
+	}
+	session.cisListsClient, session.cisListsErr = cislistsapiv1.NewListsApiV1(cisListsOpt)
+	if session.cisListsErr != nil {
+		session.cisListsErr = fmt.Errorf("[ERROR] Error occured while configuring CIS Lists : %s",
+			session.cisListsErr)
+	}
+	if session.cisListsClient != nil && session.cisListsClient.Service != nil {
+		session.cisListsClient.Service.EnableRetries(c.RetryCount, c.RetryDelay)
+		session.cisListsClient.SetDefaultHeaders(gohttp.Header{
+			"X-Original-User-Agent": {fmt.Sprintf("terraform-provider-ibm/%s", version.Version)},
+		})
+	}
+
 	// IAM IDENTITY Service
 	// iamIdenityURL := fmt.Sprintf("https://%s.iam.cloud.ibm.com/v1", c.Region)
 	iamIdenityURL := iamidentity.DefaultServiceURL

ibm/provider/provider.go

@@ -343,6 +343,9 @@ func Provider() *schema.Provider {
 			"ibm_cis_filters":                               cis.DataSourceIBMCISFilters(),
 			"ibm_cis_firewall_rules":                        cis.DataSourceIBMCISFirewallRules(),
 			"ibm_cis_origin_certificates":                   cis.DataSourceIBMCISOriginCertificateOrder(),
+			"ibm_cis_managed_lists":                         cis.DataSourceIBMCISManagedLists(),
+			"ibm_cis_custom_lists":                          cis.DataSourceIBMCISCustomLists(),
+			"ibm_cis_custom_list_items":                     cis.DataSourceIBMCISCustomListItems(),
 			"ibm_cloudant":                                  cloudant.DataSourceIBMCloudant(),
 			"ibm_cloudant_database":                         cloudant.DataSourceIBMCloudantDatabase(),
 			"ibm_database":                                  database.DataSourceIBMDatabaseInstance(),
@@ -1179,6 +1182,8 @@ func Provider() *schema.Provider {
 			"ibm_cis_ruleset_entrypoint_version":      cis.ResourceIBMCISRulesetEntryPointVersion(),
 			"ibm_cis_advanced_certificate_pack_order": cis.ResourceIBMCISAdvancedCertificatePackOrder(),
 			"ibm_cis_origin_certificate_order":        cis.ResourceIBMCISOriginCertificateOrder(),
+			"ibm_cis_custom_list":                     cis.ResourceIBMCISCustomList(),
+			"ibm_cis_custom_list_items":               cis.ResourceIBMCISCustomListItems(),
 
 			"ibm_cloudant":                                  cloudant.ResourceIBMCloudant(),
 			"ibm_cloudant_database":                         cloudant.ResourceIBMCloudantDatabase(),
@@ -1969,6 +1974,8 @@ func Validator() validate.ValidatorDict {
 				"ibm_cis_ruleset_version_detach":               cis.ResourceIBMCISRulesetVersionDetachValidator(),
 				"ibm_cis_advanced_certificate_pack_order":      cis.ResourceIBMCISAdvancedCertificatePackOrderValidator(),
 				"ibm_cis_origin_certificate_order":             cis.ResourceIBMCISOriginCertificateOrderValidator(),
+				"ibm_cis_custom_list":                          cis.ResourceIBMCISCustomListValidator(),
+				"ibm_cis_custom_list_items":                    cis.ResourceIBMCISCustomListItemsValidator(),
 				"ibm_container_cluster":                        kubernetes.ResourceIBMContainerClusterValidator(),
 				"ibm_container_worker_pool":                    kubernetes.ResourceIBMContainerWorkerPoolValidator(),
 				"ibm_container_vpc_worker_pool":                kubernetes.ResourceIBMContainerVPCWorkerPoolValidator(),
@@ -2302,6 +2309,9 @@ func Validator() validate.ValidatorDict {
 				"ibm_cis_waf_rules":                   cis.DataSourceIBMCISWAFRulesValidator(),
 				"ibm_cis_logpush_jobs":                cis.DataSourceIBMCISLogPushJobsValidator(),
 				"ibm_cis_origin_certificates":         cis.DataIBMCISOriginCertificateOrderValidator(),
+				"ibm_cis_managed_lists":               cis.DataSourceIBMCISManagedListsValidator(),
+				"ibm_cis_custom_lists":                cis.DataSourceIBMCISCustomListsValidator(),
+				"ibm_cis_custom_list_items":           cis.DataSourceIBMCISCustomListItemsValidator(),
 
 				"ibm_config_aggregator_configurations": configurationaggregator.DataSourceIbmConfigAggregatorValidator(),
 				"ibm_cos_bucket":                       cos.DataSourceIBMCosBucketValidator(),

ibm/service/cis/data_source_ibm_cis_custom_list_items.go

@@ -0,0 +1,184 @@
+// Copyright IBM Corp. 2025 All Rights Reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package cis
+
+import (
+	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns"
+	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex"
+	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/validate"
+	"github.com/IBM/go-sdk-core/v5/core"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+const (
+	CISCustomListItems          = "ibm_cis_custom_list_items"
+	CISCustomListItemID         = "item_id"
+	CISCustomListItemsOutput    = "items"
+	CISCustomListItemIp         = "ip"
+	CISCustomListItemHostname   = "hostname"
+	CISCustomListItemASN        = "asn"
+	CISCustomListItemComment    = "comment"
+	CISCustomListItemCreatedOn  = "created_on"
+	CISCustomListItemModifiedOn = "modified_on"
+)
+
+func DataSourceIBMCISCustomListItems() *schema.Resource {
+	return &schema.Resource{
+		Read: DataSourceIBMCISCustomListItemsRead,
+		Schema: map[string]*schema.Schema{
+			cisID: {
+				Type:        schema.TypeString,
+				Description: "CIS instance crn",
+				Required:    true,
+				ValidateFunc: validate.InvokeDataSourceValidator(
+					"ibm_cis_ruleset_versions",
+					"cis_id"),
+			},
+			CISCustomListID: {
+				Type:        schema.TypeString,
+				Description: "Custom List ID",
+				Required:    true,
+			},
+			CISCustomListItemID: {
+				Type:        schema.TypeString,
+				Description: "Custom List Item ID",
+				Optional:    true,
+			},
+			CISCustomListItemsOutput: {
+				Type:        schema.TypeSet,
+				Computed:    true,
+				Description: "Container for response information.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						CISCustomListItemID: {
+							Type:        schema.TypeString,
+							Description: "Custom List Item ID",
+							Computed:    true,
+						},
+						CISCustomListItemIp: {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "IP address of the item",
+						},
+						CISCustomListItemHostname: {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Hostname of the item",
+						},
+						CISCustomListItemASN: {
+							Type:        schema.TypeInt,
+							Description: "ASN of the item",
+							Computed:    true,
+						},
+						CISCustomListItemComment: {
+							Type:        schema.TypeString,
+							Description: "Item comment",
+							Computed:    true,
+						},
+						CISCustomListItemCreatedOn: {
+							Type:        schema.TypeString,
+							Description: "Item Create date",
+							Computed:    true,
+						},
+						CISCustomListItemModifiedOn: {
+							Type:        schema.TypeString,
+							Description: "Item last modified date",
+							Computed:    true,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func DataSourceIBMCISCustomListItemsValidator() *validate.ResourceValidator {
+
+	validateSchema := make([]validate.ValidateSchema, 0)
+
+	validateSchema = append(validateSchema,
+		validate.ValidateSchema{
+			Identifier:                 "cis_id",
+			ValidateFunctionIdentifier: validate.ValidateCloudData,
+			Type:                       validate.TypeString,
+			CloudDataType:              "resource_instance",
+			CloudDataRange:             []string{"service:internet-svcs"},
+			Required:                   true})
+
+	IBMCISCustomListsValidator := validate.ResourceValidator{
+		ResourceName: CISCustomListItems,
+		Schema:       validateSchema}
+	return &IBMCISCustomListsValidator
+}
+
+func DataSourceIBMCISCustomListItemsRead(d *schema.ResourceData, meta interface{}) error {
+	sess, err := meta.(conns.ClientSession).CisListsSession()
+	if err != nil {
+		return err
+	}
+	crn := d.Get(cisID).(string)
+	sess.Crn = core.StringPtr(crn)
+
+	listId := d.Get(CISCustomListID).(string)
+	sess.ListID = core.StringPtr(listId)
+
+	itemId := d.Get(CISCustomListItemID).(string)
+
+	listItemList := make([]map[string]interface{}, 0)
+	if itemId != "" {
+		sess.ItemID = core.StringPtr(itemId)
+		opt := sess.NewGetListItemOptions()
+		result, resp, err := sess.GetListItem(opt)
+
+		if err != nil {
+			flex.FmtErrorf("[WARN] Get Custom List Item failed: %v\n", resp)
+			return err
+		}
+
+		itemObj := result.Result
+		itemOutput := map[string]interface{}{}
+		itemOutput[CISCustomListItemID] = itemObj.ID
+		itemOutput[CISCustomListItemIp] = itemObj.Ip
+		itemOutput[CISCustomListItemHostname] = itemObj.Hostname
+		itemOutput[CISCustomListItemASN] = itemObj.Asn
+		itemOutput[CISCustomListItemComment] = itemObj.Comment
+		itemOutput[CISCustomListItemCreatedOn] = itemObj.CreatedOn
+		itemOutput[CISCustomListItemModifiedOn] = itemObj.ModifiedOn
+		listItemList = append(listItemList, itemOutput)
+
+	} else {
+		opt := sess.NewGetListItemsOptions()
+		result, resp, err := sess.GetListItems(opt)
+
+		if err != nil {
+			flex.FmtErrorf("[WARN] List Custom Lists failed: %v\n", resp)
+			return err
+		}
+
+		for _, itemObj := range result.Result {
+			itemOutput := map[string]interface{}{}
+			itemOutput[CISCustomListItemID] = itemObj.ID
+			itemOutput[CISCustomListItemIp] = itemObj.Ip
+			itemOutput[CISCustomListItemHostname] = itemObj.Hostname
+			itemOutput[CISCustomListItemASN] = itemObj.Asn
+			itemOutput[CISCustomListItemComment] = itemObj.Comment
+			itemOutput[CISCustomListItemCreatedOn] = itemObj.CreatedOn
+			itemOutput[CISCustomListItemModifiedOn] = itemObj.ModifiedOn
+			listItemList = append(listItemList, itemOutput)
+		}
+
+	}
+
+	d.Set(CISCustomListID, listId)
+	d.Set(CISCustomListItemID, itemId)
+	d.SetId(dataSourceCISCustomListItemsCheckID(d))
+	d.Set(CISCustomListItemsOutput, listItemList)
+	d.Set(cisID, crn)
+
+	return nil
+}
+
+func dataSourceCISCustomListItemsCheckID(d *schema.ResourceData) string {
+	return "custom_list_item" + ":" + d.Get(CISCustomListID).(string) + ":" + d.Get(cisID).(string)
+}

ibm/service/cis/data_source_ibm_cis_custom_list_items_test.go

@@ -0,0 +1,41 @@
+// Copyright IBM Corp. 2025 All Rights Reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package cis_test
+
+import (
+	"fmt"
+	"testing"
+
+	acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccIBMCisCustomListItemsDataSource_Basic(t *testing.T) {
+	name := "data.ibm_cis_custom_list_items.test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { acc.TestAccPreCheckCis(t) },
+		Providers: acc.TestAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCisCustomListItemsDataSource_basic("test"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(name, "items.#"),
+				),
+			},
+		},
+	})
+}
+func testAccCheckCisCustomListItemsDataSource_basic(id string) string {
+	return testAccCheckIBMCisDomainDataSourceConfigBasic1() + fmt.Sprintf(`
+	data ibm_cis_custom_lists custom_lists {
+    	cis_id = data.ibm_cis.cis.id
+	}
+
+	data "ibm_cis_custom_list_items" "%[1]s" {
+		cis_id = data.ibm_cis.cis.id
+		list_id = data.ibm_cis_custom_lists.custom_lists.lists[0].list_id
+	  }
+`, id)
+}