Added - Compute support for ZPR

Author: Gavin Foley

examples/compute/instance/instance.tf

@@ -153,6 +153,11 @@ resource "oci_core_instance" "test_instance" {
     "freeformkey${count.index}" = "freeformvalue${count.index}"
   }
 
+  security_attributes = {
+    "oracle-zpr.sensitivity.value" = "low"
+    "oracle-zpr.sensitivity.mode" = "enforce"
+  }
+
   preemptible_instance_config {
     preemption_action {
       type = "TERMINATE"

examples/compute/vnic/vnic.tf

@@ -94,6 +94,11 @@ resource "oci_core_instance" "test_instance" {
   create_vnic_details {
     subnet_id      = oci_core_subnet.test_subnet.id
     hostname_label = "testinstance"
+
+    security_attributes = {
+      "oracle-zpr.sensitivity.value" = "low"
+      "oracle-zpr.sensitivity.mode" = "enforce"
+    }
   }
 
   metadata = {

internal/integrationtest/core_instance_test.go

@@ -93,6 +93,7 @@ var (
 		"is_pv_encryption_in_transit_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`},
 		"launch_options":                      acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceLaunchOptionsRepresentation},
 		"metadata":                            acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"user_data": "abcd"}, Update: map[string]string{"user_data": "abcd", "volatile_data": "stringE"}},
+		"security_attributes":                 acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"test-namespace-20240722.test-attribute-20240822.value": "blue", "test-namespace-20240722.test-attribute-20240822.mode": "enforce"}},
 		"shape_config":                        acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceShapeConfigRepresentation},
 		"source_details":                      acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceSourceDetailsRepresentation},
 		"subnet_id":                           acctest.Representation{RepType: acctest.Required, Create: `${oci_core_subnet.test_subnet.id}`},
@@ -128,6 +129,7 @@ var (
 		"launch_options":                      acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceLaunchOptionsRepresentation},
 		"launch_volume_attachments":           acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceLaunchWithExistingVolumeAttachmentsIscsiRepresentation},
 		"metadata":                            acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"user_data": "abcd"}, Update: map[string]string{"user_data": "abcd", "volatile_data": "stringE"}},
+		"security_attributes":                 acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"test-namespace-20240722.test-attribute-20240822.value": "blue", "test-namespace-20240722.test-attribute-20240822.mode": "enforce"}},
 		"shape_config":                        acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceShapeConfigRepresentation},
 		"source_details":                      acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceSourceDetailsRepresentation},
 		"subnet_id":                           acctest.Representation{RepType: acctest.Required, Create: `${oci_core_subnet.test_subnet.id}`},
@@ -163,6 +165,7 @@ var (
 		"launch_options":                      acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceLaunchOptionsRepresentation},
 		"launch_volume_attachments":           acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceLaunchWithCreateVolumeAttachmentsIscsiRepresentation},
 		"metadata":                            acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"user_data": "abcd"}, Update: map[string]string{"user_data": "abcd", "volatile_data": "stringE"}},
+		"security_attributes":                 acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"test-namespace-20240722.test-attribute-20240822.value": "blue", "test-namespace-20240722.test-attribute-20240822.mode": "enforce"}},
 		"shape_config":                        acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceShapeConfigRepresentation},
 		"source_details":                      acctest.RepresentationGroup{RepType: acctest.Optional, Group: CoreInstanceSourceDetailsRepresentation},
 		"subnet_id":                           acctest.Representation{RepType: acctest.Required, Create: `${oci_core_subnet.test_subnet.id}`},
@@ -1006,7 +1009,9 @@ func TestCoreInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(resourceName, "launch_volume_attachments.0.volume_id"),
 				resource.TestCheckResourceAttr(resourceName, "metadata.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "region"),
-				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "1"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.value", "blue"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.mode", "enforce"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "VM.Standard2.1"),
 				resource.TestCheckResourceAttr(resourceName, "shape_config.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "shape_config.0.ocpus", "1"),
@@ -1126,7 +1131,9 @@ func TestCoreInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "launch_volume_attachments.0.launch_create_volume_details.0.vpus_per_gb", "50"),
 				resource.TestCheckResourceAttr(resourceName, "metadata.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "region"),
-				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "1"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.value", "blue"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.mode", "enforce"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "VM.Standard2.1"),
 				resource.TestCheckResourceAttr(resourceName, "shape_config.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "shape_config.0.ocpus", "1"),
@@ -1565,7 +1572,9 @@ func TestCoreInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(datasourceName, "instances.0.launch_options.0.remote_data_volume_type", "PARAVIRTUALIZED"),
 				resource.TestCheckResourceAttr(datasourceName, "instances.0.metadata.%", "2"),
 				resource.TestCheckResourceAttrSet(datasourceName, "instances.0.region"),
-				resource.TestCheckResourceAttr(datasourceName, "instances.0.security_attributes.%", "1"),
+				resource.TestCheckResourceAttr(datasourceName, "instances.0.security_attributes.%", "2"),
+				resource.TestCheckResourceAttr(resourceName, "instances.0.security_attributes.test-namespace-20240722.test-attribute-20240822.value", "blue"),
+				resource.TestCheckResourceAttr(resourceName, "instances.0.security_attributes.test-namespace-20240722.test-attribute-20240822.mode", "enforce"),
 				resource.TestCheckResourceAttrSet(datasourceName, "instances.0.security_attributes_state"),
 				resource.TestCheckResourceAttr(datasourceName, "instances.0.shape", "VM.Standard2.1"),
 				resource.TestCheckResourceAttr(datasourceName, "instances.0.shape_config.#", "1"),
@@ -1626,7 +1635,9 @@ func TestCoreInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(singularDatasourceName, "launch_options.0.remote_data_volume_type", "PARAVIRTUALIZED"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "metadata.%", "2"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "region"),
-				resource.TestCheckResourceAttr(singularDatasourceName, "security_attributes.%", "1"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "security_attributes.%", "2"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.value", "blue"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.mode", "enforce"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "security_attributes_state"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "shape", "VM.Standard2.1"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "shape_config.#", "1"),

internal/integrationtest/core_vnic_attachment_resource_test.go

@@ -155,6 +155,8 @@ func (s *ResourceCoreVnicAttachmentTestSuite) TestAccResourceCoreVnicAttachment_
 					resource.TestCheckResourceAttr(s.ResourceName, "create_vnic_details.0.nsg_ids.#", "2"),
 					resource.TestCheckResourceAttrSet(s.VnicResourceName, "private_ip_address"),
 					resource.TestCheckResourceAttr(s.VnicResourceName, "security_attributes.%", "2"),
+					resource.TestCheckResourceAttr(s.VnicResourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.value", "blue"),
+					resource.TestCheckResourceAttr(s.VnicResourceName, "security_attributes.test-namespace-20240722.test-attribute-20240822.mode", "enforce"),
 					// @SDK 1/2018: Since we don't assign a public IP to this vnic, we will get a response from server
 					// without a public_ip_address. Old SDK would have set it to empty, but new SDK will set it to nil.
 					// Commenting out until we have a better way of handling this.
@@ -164,7 +166,7 @@ func (s *ResourceCoreVnicAttachmentTestSuite) TestAccResourceCoreVnicAttachment_
 					func(ts *terraform.State) (err error) {
 						newId, err := acctest.FromInstanceState(ts, s.ResourceName, "id")
 						if newId != vaId {
-							return fmt.Errorf("Expected same ocid, got different.")
+							return fmt.Errorf("Expected same ocid (%s), got different (%s).", vaId, newId)
 						}
 						return err
 					},

internal/service/core/core_instance_data_source.go

@@ -179,7 +179,9 @@ func (s *CoreInstanceDataSourceCrud) SetData() error {
 		s.D.Set("region", *s.Res.Region)
 	}
 
-	s.D.Set("security_attributes", s.Res.SecurityAttributes)
+	if s.Res.SecurityAttributes != nil {
+		s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+	}
 
 	s.D.Set("security_attributes_state", s.Res.SecurityAttributesState)
 

internal/service/core/core_instance_resource.go

@@ -1315,7 +1315,7 @@ func (s *CoreInstanceResourceCrud) Create() error {
 	}
 
 	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
-		request.SecurityAttributes = securityAttributes.(map[string]map[string]interface{})
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
 	}
 
 	if shape, ok := s.D.GetOkExists("shape"); ok {
@@ -1514,7 +1514,7 @@ func (s *CoreInstanceResourceCrud) Update() error {
 	}
 
 	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
-		request.SecurityAttributes = securityAttributes.(map[string]map[string]interface{})
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
 	}
 
 	s.Res = &response.Instance
@@ -1717,7 +1717,9 @@ func (s *CoreInstanceResourceCrud) SetData() error {
 		s.D.Set("region", *s.Res.Region)
 	}
 
-	s.D.Set("security_attributes", s.Res.SecurityAttributes)
+	if s.Res.SecurityAttributes != nil {
+		s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+	}
 
 	s.D.Set("security_attributes_state", s.Res.SecurityAttributesState)
 
@@ -1890,7 +1892,7 @@ func (s *CoreInstanceResourceCrud) mapToCreateVnicDetailsInstance(fieldKeyFormat
 	}
 
 	if securityAttributes, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "security_attributes")); ok {
-		result.SecurityAttributes = securityAttributes.(map[string]map[string]interface{})
+		result.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
 	}
 
 	if skipSourceDestCheck, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "skip_source_dest_check")); ok {
@@ -1968,7 +1970,9 @@ func CreateVnicDetailsToMap(obj *oci_core.Vnic, createVnicDetails map[string]int
 		result["private_ip"] = string(*obj.PrivateIp)
 	}
 
-	result["security_attributes"] = obj.SecurityAttributes
+	if obj.SecurityAttributes != nil {
+		result["security_attributes"] = tfresource.SecurityAttributesToMap(obj.SecurityAttributes)
+	}
 
 	if obj.SkipSourceDestCheck != nil {
 		result["skip_source_dest_check"] = bool(*obj.SkipSourceDestCheck)

internal/service/core/core_instances_data_source.go

@@ -242,7 +242,9 @@ func (s *CoreInstancesDataSourceCrud) SetData() error {
 			instance["region"] = *r.Region
 		}
 
-		instance["security_attributes"] = r.SecurityAttributes
+		if r.SecurityAttributes != nil {
+			instance["security_attributes"] = tfresource.SecurityAttributesToMap(r.SecurityAttributes)
+		}
 
 		instance["security_attributes_state"] = r.SecurityAttributesState
 

internal/service/core/core_vnic_attachment_resource.go

@@ -542,9 +542,8 @@ func (s *CoreVnicAttachmentResourceCrud) mapToCreateVnicDetails(fieldKeyFormat s
 		result.PrivateIp = &tmp
 	}
 
-	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
-		convertedAttributes := tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
-		result.SecurityAttributes = convertedAttributes
+	if securityAttributes, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "security_attributes")); ok {
+		result.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
 	}
 
 	if skipSourceDestCheck, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "skip_source_dest_check")); ok {
@@ -608,9 +607,8 @@ func (s *CoreVnicAttachmentResourceCrud) mapToUpdateVnicDetails(fieldKeyFormat s
 		result.SkipSourceDestCheck = &tmp
 	}
 
-	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
-		convertedAttributes := tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
-		result.SecurityAttributes = convertedAttributes
+	if securityAttributes, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "security_attributes")); ok {
+		result.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
 	}
 
 	return result, nil

website/docs/d/core_instance.html.markdown

@@ -179,7 +179,7 @@ The following attributes are exported:
 	For the us-phoenix-1 and us-ashburn-1 regions, `phx` and `iad` are returned, respectively. For all other regions, the full region name is returned.
 
 	Examples: `phx`, `eu-frankfurt-1` 
-* `security_attributes` - Security Attributes for this resource. This is unique to ZPR, and helps identify which resources are allowed to be accessed by what permission controls.  Example: `{"Oracle-DataSecurity-ZPR": {"MaxEgressCount": {"value":"42","mode":"audit"}}}` 
+* `security_attributes` - Security Attributes for this resource. This is unique to ZPR, and helps identify which resources are allowed to be accessed by what permission controls.  Example: `{"Oracle-DataSecurity-ZPR.MaxEgressCount.value": "42", "Oracle-DataSecurity-ZPR.MaxEgressCount.mode": "audit"}` 
 * `security_attributes_state` - The lifecycle state of the `securityAttributes`
 * `shape` - The shape of the instance. The shape determines the number of CPUs and the amount of memory allocated to the instance. You can enumerate all available shapes by calling [ListShapes](https://docs.cloud.oracle.com/iaas/api/#/en/iaas/latest/Shape/ListShapes). 
 * `shape_config` - The shape configuration for an instance. The shape configuration determines the resources allocated to an instance. 

website/docs/d/core_instances.html.markdown

@@ -194,7 +194,7 @@ The following attributes are exported:
 	For the us-phoenix-1 and us-ashburn-1 regions, `phx` and `iad` are returned, respectively. For all other regions, the full region name is returned.
 
 	Examples: `phx`, `eu-frankfurt-1` 
-* `security_attributes` - Security Attributes for this resource. This is unique to ZPR, and helps identify which resources are allowed to be accessed by what permission controls.  Example: `{"Oracle-DataSecurity-ZPR": {"MaxEgressCount": {"value":"42","mode":"audit"}}}` 
+* `security_attributes` - Security Attributes for this resource. This is unique to ZPR, and helps identify which resources are allowed to be accessed by what permission controls.  Example: `{"Oracle-DataSecurity-ZPR.MaxEgressCount.value": "42", "Oracle-DataSecurity-ZPR.MaxEgressCount.mode": "audit"}` 
 * `security_attributes_state` - The lifecycle state of the `securityAttributes`
 * `shape` - The shape of the instance. The shape determines the number of CPUs and the amount of memory allocated to the instance. You can enumerate all available shapes by calling [ListShapes](https://docs.cloud.oracle.com/iaas/api/#/en/iaas/latest/Shape/ListShapes). 
 * `shape_config` - The shape configuration for an instance. The shape configuration determines the resources allocated to an instance.