Added - Support for FSS: Support Kerberos with NFSv3 in FSS

Author: Terraform Team Automation

examples/storage/fss/data_sources.tf

@@ -119,3 +119,16 @@ data "oci_file_storage_filesystem_snapshot_policies" "filesystem_snapshot_polici
   #id           = var.filesystem_snapshot_policy_id
   #state        = var.filesystem_snapshot_policy_state
 }
+
+
+# Gets a list of outbound connectors in a compartment and availability domain
+data "oci_file_storage_outbound_connectors" "outbound_connectors" {
+  #Required
+  availability_domain = data.oci_identity_availability_domain.ad.name
+  compartment_id      = var.compartment_ocid
+
+  #Optional
+  #display_name = var.outbound_connector_display_name
+  #id           = var.outbound_connector_id
+  #state        = var.outbound_connector_state
+}

examples/storage/fss/export.tf

@@ -36,3 +36,25 @@ resource "oci_file_storage_export" "my_export_fs2_mt1" {
   path           = var.export_path_fs2_mt1
 }
 
+resource "oci_file_storage_export" "my_krb_export_krbfs_krbmt" {
+  #Required
+  export_set_id  = oci_file_storage_export_set.my_krb_export_set.id
+  file_system_id = oci_file_storage_file_system.my_krb_file_system.id
+  path           = var.export_path_kfs_kmt
+
+  #Optional
+  export_options {
+    #Required
+    source = var.export_read_write_access_source
+    #Optional
+    access                           = "READ_WRITE"
+    allowed_auth                     = var.krb_export_export_options_allowed_auth
+    # anonymous_gid                  = var.export_export_options_anonymous_gid
+    # anonymous_uid                  = var.export_export_options_anonymous_uid
+    # identity_squash                = var.export_export_options_identity_squash
+    is_anonymous_access_allowed      = var.krb_export_export_options_is_anonymous_access_allowed
+    # require_privileged_source_port = var.export_export_options_require_privileged_source_port
+  }
+  is_idmap_groups_for_sys_auth = var.krb_export_is_idmap_groups_for_sys_auth
+}
+

examples/storage/fss/export_set.tf

@@ -21,3 +21,7 @@ resource "oci_file_storage_export_set" "my_export_set_2" {
   max_fs_stat_files = var.max_files
 }
 
+resource "oci_file_storage_export_set" "my_krb_export_set" {
+  # Required
+  mount_target_id = oci_file_storage_mount_target.my_krb_mount_target.id
+}

examples/storage/fss/file_system.tf

@@ -45,6 +45,22 @@ resource "oci_file_storage_file_system" "my_file_system_with_fs_snapshot_policy"
   #   "example-tag-namespace-all.example-tag" = "value"
   # }
 
+  freeform_tags = {
+    "Department" = "Accounting"
+  }
+}
+
+resource "oci_file_storage_file_system" "my_krb_file_system" {
+  #Required
+  availability_domain = data.oci_identity_availability_domain.ad.name
+  compartment_id      = var.compartment_ocid
+
+  #Optional
+  display_name = var.krb_file_system
+  # defined_tags = {
+  #   "example-tag-namespace-all.example-tag" = "value"
+  # }
+
   freeform_tags = {
     "Department" = "Accounting"
   }

examples/storage/fss/mount_target.tf

@@ -39,4 +39,44 @@ resource "oci_file_storage_mount_target" "my_mount_target_2" {
   nsg_ids = [oci_core_network_security_group.test_network_security_group.id]
 }
 
+resource "oci_file_storage_mount_target" "my_krb_mount_target" {
+  #Required
+  availability_domain = data.oci_identity_availability_domain.ad.name
+  compartment_id      = var.compartment_ocid
+  subnet_id           = oci_core_subnet.my_subnet.id
+
+  #Optional
+  # defined_tags   = map(oci_identity_tag_namespace.tag-namespace1.name.oci_identity_tag.tag1.name, var.mount_target_defined_tags_value)
+  display_name   = var.krb_mount_target_display_name
+  # freeform_tags  = {
+  #  "Department" = "Accounting"
+  # }
+  hostname_label = var.krb_mount_target_hostname_label
+  idmap_type     = "LDAP"
+  kerberos {
+    #Required
+    kerberos_realm = var.krb_mount_target_kerberos_kerberos_realm
+
+    #Optional
+    backup_key_tab_secret_version  = var.krb_mount_target_kerberos_backup_key_tab_secret_version
+    current_key_tab_secret_version = var.krb_mount_target_kerberos_current_key_tab_secret_version
+    is_kerberos_enabled            = var.krb_mount_target_krb_enabled
+    key_tab_secret_id              = oci_vault_secret.krb_keytab_secret.id
+  }
+  ldap_idmap {
+    #Required
+    group_search_base = var.krb_mount_target_group_name
+    user_search_base  = var.krb_mount_target_user_name
+
+    #Optional
+    cache_lifetime_seconds          = var.krb_mount_target_ldap_idmap_cache_lifetime_seconds
+    cache_refresh_interval_seconds  = var.krb_mount_target_ldap_idmap_cache_refresh_interval_seconds
+    negative_cache_lifetime_seconds = var.krb_mount_target_ldap_idmap_negative_cache_lifetime_seconds
+    outbound_connector1id           = oci_file_storage_outbound_connector.my_ldap_outbound_connector.id
+    # outbound_connector2id         = oci_file_storage_outbound_connector.test_outbound_connector2.id
+    schema_type                     = "RFC2307"
+  }
+  nsg_ids = [oci_core_network_security_group.test_network_security_group.id]
+}
+
 # Use export_set.tf config to update the size for a mount target

examples/storage/fss/outbound_connector.tf

@@ -0,0 +1,21 @@
+// Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+resource "oci_file_storage_outbound_connector" "my_ldap_outbound_connector" {
+  #Required
+  availability_domain     = data.oci_identity_availability_domain.ad.name
+  bind_distinguished_name = var.ldap_outbound_connector_bind_distinguished_name
+  compartment_id          = var.compartment_ocid
+  connector_type          = "LDAPBIND"
+  endpoints {
+    #Required
+    hostname = var.ldap_outbound_connector_endpoints_hostname
+    port     = var.ldap_outbound_connector_endpoints_port
+  }
+  #Optional
+  #defined_tags           = map(oci_identity_tag_namespace.tag-namespace1.name.oci_identity_tag.tag1.name, var.outbound_connector_defined_tags_value)
+  display_name            = var.ldap_outbound_connector_display_name
+  #freeform_tags          = var.outbound_connector_freeform_tags
+  password_secret_id      = oci_vault_secret.krb_ldap_pwd_secret.id
+  password_secret_version = var.ldap_outbound_connector_password_secret_version
+}

examples/storage/fss/variables.tf

@@ -174,3 +174,116 @@ variable "filesystem_snapshot_policy_schedules_time_zone" {
 variable "filesystem_snapshot_policy_state" {
   default = "ACTIVE"
 }
+
+
+variable "krb_mount_target_display_name" {
+  default = "my_krb_mount_target"
+}
+
+variable "krb_mount_target_hostname_label" {
+  default = "hostnamelabel"
+}
+
+variable "krb_mount_target_kerberos_kerberos_realm" {
+  default = "kerberos.realm.com"
+}
+
+variable "krb_mount_target_kerberos_backup_key_tab_secret_version" {
+  default = 0
+}
+
+variable "krb_mount_target_kerberos_current_key_tab_secret_version" {
+  default = 1
+}
+
+variable "krb_mount_target_krb_enabled" {
+  default = "true"
+}
+
+variable "krb_mount_target_group_name" {
+  default = "group_name"
+}
+
+variable "krb_mount_target_user_name" {
+  default = "user_name"
+}
+
+variable "krb_mount_target_ldap_idmap_cache_lifetime_seconds" {
+  default = 300
+}
+
+variable "krb_mount_target_ldap_idmap_cache_refresh_interval_seconds" {
+  default = 300
+}
+
+variable "krb_mount_target_ldap_idmap_negative_cache_lifetime_seconds" {
+  default = 300
+}
+
+variable "ldap_outbound_connector_display_name" {
+  default = "my_ldap_outbound_connector"
+}
+
+variable "ldap_outbound_connector_bind_distinguished_name" {
+  default = "bindDistinguishedName"
+}
+
+variable "ldap_outbound_connector_endpoints_hostname" {
+  default = "hostname"
+}
+
+variable "ldap_outbound_connector_endpoints_port" {
+  default = 1080
+}
+
+variable "ldap_outbound_connector_password_secret_version" {
+  default = 1
+}
+
+variable "krb_vault_display_name" {
+  default = "my_krb_vault"
+}
+
+variable "krb_vault_type" {
+  default = "DEFAULT"
+}
+
+variable "krb_key_display_name" {
+  default = "my_krb_key"
+}
+
+variable "krb_key_shape_algorithm" {
+  default = "AES"
+}
+
+variable "krb_key_shape_length" {
+  default = "16"
+}
+
+variable "krb_keytab_content" {
+  default = "BQIAAAClAAIAI0FEMkNBTkFSWS5QSFhERVZQQ0FOUy5PUkFDTEVWQ04uQ09NAANuZnMARmtlcmJlcm9zLWFwaS1jYW5hcnktbW91bnQtdGFyZ2V0LTEuYWQyY2FuYXJ5LnBoeGRldnBjYW5zLm9yYWNsZXZjbi5jb20AAAABYgMUPgIAEgAgIvKmyzN+v/xsEQpwSzwxfFCEwtbV5ozYkk8VAmx9NhQAAAAC"
+}
+
+variable "krb_ldap_pwd_content" {
+  default = "dGVzdHB3ZAo="
+}
+
+variable "export_path_kfs_kmt" {
+  default = "/myfsspaths/kfs/path1"
+}
+
+variable "krb_file_system" {
+  default = "my_krb_file_system"
+}
+
+variable "krb_export_export_options_allowed_auth" {
+  default = ["KRB5"]
+}
+
+variable "krb_export_export_options_is_anonymous_access_allowed" {
+  default = "true"
+}
+
+variable "krb_export_is_idmap_groups_for_sys_auth" {
+  default = "false"
+}

examples/storage/fss/vault_secret.tf

@@ -0,0 +1,68 @@
+// Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+resource "oci_kms_vault" "krb_test_vault" {
+  compartment_id = var.compartment_ocid
+  display_name = var.krb_vault_display_name
+  vault_type   = var.krb_vault_type
+}
+
+resource "oci_kms_key" "krb_test_key" {
+  #Required
+  compartment_id      = var.compartment_ocid
+  display_name        = var.krb_key_display_name
+  management_endpoint = oci_kms_vault.krb_test_vault.management_endpoint
+  key_shape {
+    #Required
+    algorithm = var.krb_key_shape_algorithm
+    length    = var.krb_key_shape_length
+  }
+}
+
+resource "random_string" "random_keytab_name" {
+  length  = 10
+  special = false
+  upper   = false
+  keepers = {
+    kms_key_id = oci_kms_key.krb_test_key.id
+  }
+}
+
+resource "random_string" "random_ldap_pwd_name" {
+  length  = 10
+  special = false
+  upper   = false
+  keepers = {
+    kms_key_id = oci_kms_key.krb_test_key.id
+  }
+}
+
+resource "oci_vault_secret" "krb_keytab_secret" {
+  #Required
+  compartment_id = var.compartment_ocid
+  secret_content {
+    #Required
+    content_type = "BASE64"
+    #Optional
+    content = var.krb_keytab_content
+    stage   = "CURRENT"
+  }
+  key_id = oci_kms_key.krb_test_key.id
+  secret_name = "my_keytab_${random_string.random_keytab_name.result}"
+  vault_id    = oci_kms_vault.krb_test_vault.id
+}
+
+resource "oci_vault_secret" "krb_ldap_pwd_secret" {
+  #Required
+  compartment_id = var.compartment_ocid
+  secret_content {
+    #Required
+    content_type = "BASE64"
+    #Optional
+    content = var.krb_ldap_pwd_content
+    stage   = "CURRENT"
+  }
+  key_id = oci_kms_key.krb_test_key.id
+  secret_name = "my_ldap_pwd_${random_string.random_ldap_pwd_name.result}"
+  vault_id    = oci_kms_vault.krb_test_vault.id
+}

internal/integrationtest/file_storage_export_test.go

@@ -42,17 +42,20 @@ var (
 	}
 
 	FileStorageExportRepresentation = map[string]interface{}{
-		"export_set_id":  acctest.Representation{RepType: acctest.Required, Create: `${oci_file_storage_export_set.test_export_set.id}`},
-		"file_system_id": acctest.Representation{RepType: acctest.Required, Create: `${oci_file_storage_file_system.test_file_system.id}`},
-		"path":           acctest.Representation{RepType: acctest.Required, Create: `/files-5`},
-		"export_options": acctest.RepresentationGroup{RepType: acctest.Optional, Group: FileStorageExportExportOptionsRepresentation},
+		"export_set_id":                acctest.Representation{RepType: acctest.Required, Create: `${oci_file_storage_export_set.test_export_set.id}`},
+		"file_system_id":               acctest.Representation{RepType: acctest.Required, Create: `${oci_file_storage_file_system.test_file_system.id}`},
+		"path":                         acctest.Representation{RepType: acctest.Required, Create: `/files-5`},
+		"export_options":               acctest.RepresentationGroup{RepType: acctest.Optional, Group: FileStorageExportExportOptionsRepresentation},
+		"is_idmap_groups_for_sys_auth": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
 	}
 	FileStorageExportExportOptionsRepresentation = map[string]interface{}{
 		"source":                         acctest.Representation{RepType: acctest.Required, Create: `0.0.0.0/0`},
 		"access":                         acctest.Representation{RepType: acctest.Optional, Create: `READ_WRITE`, Update: `READ_ONLY`},
+		"allowed_auth":                   acctest.Representation{RepType: acctest.Optional, Create: []string{`SYS`}, Update: []string{`KRB5`}},
 		"anonymous_gid":                  acctest.Representation{RepType: acctest.Optional, Create: `10`, Update: `11`},
 		"anonymous_uid":                  acctest.Representation{RepType: acctest.Optional, Create: `10`, Update: `11`},
 		"identity_squash":                acctest.Representation{RepType: acctest.Optional, Create: `NONE`, Update: `ALL`},
+		"is_anonymous_access_allowed":    acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
 		"require_privileged_source_port": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
 	}
 
@@ -110,14 +113,18 @@ func TestFileStorageExportResource_basic(t *testing.T) {
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttr(resourceName, "export_options.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.access", "READ_WRITE"),
+				resource.TestCheckResourceAttr(resourceName, "export_options.0.allowed_auth.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "export_options.0.allowed_auth.0", "SYS"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.anonymous_gid", "10"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.anonymous_uid", "10"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.identity_squash", "NONE"),
+				resource.TestCheckResourceAttr(resourceName, "export_options.0.is_anonymous_access_allowed", "false"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.require_privileged_source_port", "false"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.source", "0.0.0.0/0"),
 				resource.TestCheckResourceAttrSet(resourceName, "export_set_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "file_system_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttr(resourceName, "is_idmap_groups_for_sys_auth", "false"),
 				resource.TestCheckResourceAttr(resourceName, "path", "/files-5"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
@@ -141,14 +148,18 @@ func TestFileStorageExportResource_basic(t *testing.T) {
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttr(resourceName, "export_options.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.access", "READ_ONLY"),
+				resource.TestCheckResourceAttr(resourceName, "export_options.0.allowed_auth.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "export_options.0.allowed_auth.0", "KRB5"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.anonymous_gid", "11"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.anonymous_uid", "11"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.identity_squash", "ALL"),
+				resource.TestCheckResourceAttr(resourceName, "export_options.0.is_anonymous_access_allowed", "true"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.require_privileged_source_port", "true"),
 				resource.TestCheckResourceAttr(resourceName, "export_options.0.source", "0.0.0.0/0"),
 				resource.TestCheckResourceAttrSet(resourceName, "export_set_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "file_system_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttr(resourceName, "is_idmap_groups_for_sys_auth", "true"),
 				resource.TestCheckResourceAttr(resourceName, "path", "/files-5"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
@@ -175,6 +186,7 @@ func TestFileStorageExportResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(datasourceName, "exports.0.export_set_id"),
 				resource.TestCheckResourceAttrSet(datasourceName, "exports.0.file_system_id"),
 				resource.TestCheckResourceAttrSet(datasourceName, "exports.0.id"),
+				resource.TestCheckResourceAttr(datasourceName, "exports.0.is_idmap_groups_for_sys_auth", "true"),
 				resource.TestCheckResourceAttr(datasourceName, "exports.0.path", "/files-5"),
 				resource.TestCheckResourceAttr(datasourceName, "exports.0.state", "ACTIVE"),
 				resource.TestCheckResourceAttrSet(datasourceName, "exports.0.time_created"),