Adding Security Attributes feature to Load Balancer Service

Author: Harshil Jhaveri

internal/integrationtest/load_balancer_load_balancer_test.go

@@ -54,6 +54,7 @@ var (
 
 		"freeform_tags":                acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
 		"is_private":                   acctest.Representation{RepType: acctest.Optional, Create: `false`},
+		"security_attributes":          acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"oracle-zpr.sa-test-lbaas.mode": "enforce", "oracle-zpr.sa-test-lbaas.value": "create-zpr-tersi-lbaas"}, Update: map[string]string{"oracle-zpr.sa-test-lbaas.value": "update-zpr-tersi-lbaas", "oracle-zpr.sa-test-lbaas.mode": "enforce"}},
 		"is_request_id_enabled":        acctest.Representation{RepType: acctest.Optional, Create: `true`, Update: `true`},
 		"request_id_header":            acctest.Representation{RepType: acctest.Optional, Create: ``, Update: `X-MyRequestB-Id`},
 		"is_delete_protection_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
@@ -145,13 +146,13 @@ var (
 			"test_network_security_group1", acctest.Required, acctest.Create, acctest.RepresentationCopyWithNewProperties(CoreNetworkSecurityGroupRepresentation, map[string]interface{}{
 				"vcn_id": acctest.Representation{RepType: acctest.Required, Create: `${oci_core_vcn.test_lb_vcn.id}`},
 			})) // +
-		// For laptop testing comment out this line
-		// Failure to do so results in
-		//     test_helpers.go:535: Step 1/7 error: Error running apply: exit status 1
-		//       [DEBUG] Using modified User-Agent: Terraform/0.12.31 HashiCorp-terraform-exec/0.14.0
-		//       Error: 404-NotAuthorizedOrNotFound, Authorization failed or requested resource not found.
-		//       Suggestion: Either the resource has been deleted or service Identity Tag Namespace need policy to access this resource.
-		// DefinedTagsDependencies
+	// For laptop testing comment out this line
+	// Failure to do so results in
+	//     test_helpers.go:535: Step 1/7 error: Error running apply: exit status 1
+	//       [DEBUG] Using modified User-Agent: Terraform/0.12.31 HashiCorp-terraform-exec/0.14.0
+	//       Error: 404-NotAuthorizedOrNotFound, Authorization failed or requested resource not found.
+	//       Suggestion: Either the resource has been deleted or service Identity Tag Namespace need policy to access this resource.
+	// DefinedTagsDependencies
 )
 
 // issue-routing-tag: load_balancer/default
@@ -211,6 +212,9 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "is_request_id_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "request_id_header", "X-Request-Id"),
 				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.oracle-zpr.sa-test-lbaas.value", "create-zpr-tersi-lbaas"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.oracle-zpr.sa-test-lbaas.mode", "enforce"),
 				resource.TestCheckResourceAttrSet(resourceName, "reserved_ips.0.id"),
 				resource.TestCheckResourceAttr(resourceName, "network_security_group_ids.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "100Mbps"),
@@ -247,6 +251,8 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "is_request_id_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "request_id_header", "X-Request-Id"),
 				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
+
 				resource.TestCheckResourceAttrSet(resourceName, "reserved_ips.0.id"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "100Mbps"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
@@ -276,7 +282,10 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "is_private", "false"),
 				resource.TestCheckResourceAttr(resourceName, "is_request_id_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "request_id_header", "X-MyRequestB-Id"),
-				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"), 
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"), 
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.oracle-zpr.sa-test-lbaas.value", "update-zpr-tersi-lbaas"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.oracle-zpr.sa-test-lbaas.mode", "enforce"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "400Mbps"),
 				resource.TestCheckResourceAttrSet(resourceName, "reserved_ips.0.id"),
 				resource.TestCheckResourceAttr(resourceName, "network_security_group_ids.#", "0"),
@@ -315,6 +324,7 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.is_private", "false"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.network_security_group_ids.#", "0"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.is_request_id_enabled", "true"),
+				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.security_attributes.%", "2"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.request_id_header", "X-MyRequestB-Id"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.shape", "400Mbps"),
 				resource.TestCheckResourceAttrSet(datasourceName, "load_balancers.0.state"),

internal/service/load_balancer/load_balancer_load_balancer_resource.go

@@ -118,6 +118,12 @@ func LoadBalancerLoadBalancerResource() *schema.Resource {
 					},
 				},
 			},
+			"security_attributes": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
 			"shape_details": {
 				Type:     schema.TypeList,
 				Optional: true,
@@ -372,6 +378,11 @@ func (s *LoadBalancerLoadBalancerResourceCrud) Create() error {
 		}
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		convertedAttributes := tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+		request.SecurityAttributes = convertedAttributes
+	}
+
 	if shape, ok := s.D.GetOkExists("shape"); ok {
 		tmp := shape.(string)
 		request.ShapeName = &tmp
@@ -527,12 +538,14 @@ func (s *LoadBalancerLoadBalancerResourceCrud) Update() error {
 	request.LoadBalancerId = &tmp
 
 	if requestIdHeader, ok := s.D.GetOkExists("request_id_header"); ok {
-		if requestIdHeader != nil {
-			tmp := requestIdHeader.(string)
-			request.RequestIdHeader = &tmp
-		}
+		tmp := requestIdHeader.(string)
+		request.RequestIdHeader = &tmp
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		convertedAttributes := tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+		request.SecurityAttributes = convertedAttributes
+	}
 	request.RequestMetadata.RetryPolicy = tfresource.GetRetryPolicy(s.DisableNotFoundRetries, "load_balancer")
 
 	response, err := s.Client.UpdateLoadBalancer(context.Background(), request)
@@ -648,6 +661,8 @@ func (s *LoadBalancerLoadBalancerResourceCrud) SetData() error {
 		s.D.Set("request_id_header", *s.Res.RequestIdHeader)
 	}
 
+	s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+
 	if s.Res.ShapeName != nil {
 		s.D.Set("shape", *s.Res.ShapeName)
 	}

internal/service/load_balancer/load_balancer_load_balancers_data_source.go

@@ -171,6 +171,9 @@ func (s *LoadBalancerLoadBalancersDataSourceCrud) SetData() error {
 			loadBalancer["request_id_header"] = *r.RequestIdHeader
 		}
 
+		if r.SecurityAttributes != nil {
+			loadBalancer["security_attributes"] = tfresource.SecurityAttributesToMap(r.SecurityAttributes)
+		}
 		if r.ShapeName != nil {
 			loadBalancer["shape"] = *r.ShapeName
 		}

website/docs/d/load_balancer_load_balancers.html.markdown

@@ -121,6 +121,7 @@ The following attributes are exported:
 			* `name` - The name can be one of these values: `FORWARD_TO_BACKENDSET`
 		* `condition` - A routing rule to evaluate defined conditions against the incoming HTTP request and perform an action. 
 		* `name` - A unique name for the routing policy rule. Avoid entering confidential information. 
+* `security_attributes` - Extended Defined tags for ZPR for this resource. Each key is predefined and scoped to a namespace.  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value":"42","mode":"audit", "usagetype" : "zpr"}}}` 
 * `shape` - A template that determines the total pre-provisioned bandwidth (ingress plus egress). To get a list of available shapes, use the [ListShapes](https://docs.cloud.oracle.com/iaas/api/#/en/loadbalancer/20170115/LoadBalancerShape/ListShapes) operation.  Example: `100Mbps` 
 * `shape_details` - The configuration details to update load balancer to a different shape. 
 	* `maximum_bandwidth_in_mbps` - Bandwidth in Mbps that determines the maximum bandwidth (ingress plus egress) that the load balancer can achieve. This bandwidth cannot be always guaranteed. For a guaranteed bandwidth use the minimumBandwidthInMbps parameter.

website/docs/r/load_balancer_load_balancer.html.markdown

@@ -64,6 +64,7 @@ resource "oci_load_balancer_load_balancer" "test_load_balancer" {
 		#Optional
 		id = var.load_balancer_reserved_ips_id
 	}
+	security_attributes = var.load_balancer_security_attributes
 	shape_details {
 		#Required
 		maximum_bandwidth_in_mbps = var.load_balancer_shape_details_maximum_bandwidth_in_mbps
@@ -142,6 +143,7 @@ The following arguments are supported:
 		Reserved IPs will not be deleted when the Load balancer is deleted. They will be unattached from the Load balancer.
 
 		Example: "ocid1.publicip.oc1.phx.unique_ID" Ocid of the pre-created public IP that should be attached to this load balancer. The public IP will be attached to a private IP. **Note** If public IP resource is present in the config, the terraform plan will throw `After applying this step and refreshing, the plan was not empty` error, and `private_ip_id` needs to be added as an input argument to the public IP resource block or ignore from its lifecycle as shown in [examples](https://terraform-provider-oci/blob/507acd0ed6517dbca2fbcfb8100874929c8fd8e1/examples/load_balancer/lb_full/lb_full.tf#L133) to resolve this error.
+* `security_attributes` - (Optional) (Updatable) Extended Defined tags for ZPR for this resource. Each key is predefined and scoped to a namespace.  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value":"42","mode":"audit", "usagetype" : "zpr"}}}` 
 * `shape` - (Required) (Updatable) A template that determines the total pre-provisioned bandwidth (ingress plus egress). To get a list of available shapes, use the [ListShapes](https://docs.cloud.oracle.com/iaas/api/#/en/loadbalancer/20170115/LoadBalancerShape/ListShapes) operation.  Example: `flexible` NOTE: After May 2023, Fixed shapes - 10Mbps, 100Mbps, 400Mbps, 8000Mbps would be deprecated and only shape allowed would be `Flexible` *Note: When updating shape for a load balancer, all existing connections to the load balancer will be reset during the update process. Also `10Mbps-Micro` shape cannot be updated to any other shape nor can any other shape be updated to `10Mbps-Micro`.
 * `shape_details` - (Optional) (Updatable) The configuration details to create load balancer using Flexible shape. This is required only if shapeName is `Flexible`. 
 	* `maximum_bandwidth_in_mbps` - (Required) (Updatable) Bandwidth in Mbps that determines the maximum bandwidth (ingress plus egress) that the load balancer can achieve. This bandwidth cannot be always guaranteed. For a guaranteed bandwidth use the minimumBandwidthInMbps parameter.
@@ -283,6 +285,7 @@ The following attributes are exported:
 			* `name` - The name can be one of these values: `FORWARD_TO_BACKENDSET`
 		* `condition` - A routing rule to evaluate defined conditions against the incoming HTTP request and perform an action. 
 		* `name` - A unique name for the routing policy rule. Avoid entering confidential information. 
+* `security_attributes` - Extended Defined tags for ZPR for this resource. Each key is predefined and scoped to a namespace.  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value":"42","mode":"audit", "usagetype" : "zpr"}}}` 
 * `shape` - A template that determines the total pre-provisioned bandwidth (ingress plus egress). To get a list of available shapes, use the [ListShapes](https://docs.cloud.oracle.com/iaas/api/#/en/loadbalancer/20170115/LoadBalancerShape/ListShapes) operation.  Example: `100Mbps` 
 * `shape_details` - The configuration details to update load balancer to a different shape. 
 	* `maximum_bandwidth_in_mbps` - Bandwidth in Mbps that determines the maximum bandwidth (ingress plus egress) that the load balancer can achieve. This bandwidth cannot be always guaranteed. For a guaranteed bandwidth use the minimumBandwidthInMbps parameter.