Added - Support for Opensearch - ZPR security attribute support

Author: jmashalk

examples/opensearch/opensearch_cluster/main.tf

@@ -174,4 +174,9 @@ data "oci_opensearch_opensearch_clusters" "test_opensearch_clusters" {
   display_name = var.opensearch_cluster_display_name
   #  id           = var.opensearch_cluster_id
   #  state        = var.opensearch_cluster_state
+}
+
+data "oci_certificates_management_certificates" "existing" {
+  compartment_id = var.compartment_id
+  name   = "Tersi-Certificate-DND"
 }

internal/integrationtest/opensearch_opensearch_cluster_test.go

@@ -69,6 +69,12 @@ func (s *OpensearchOpensearchClusterDataSourceCrud) SetData() error {
 
 	s.D.Set("availability_domains", s.Res.AvailabilityDomains)
 
+	if s.Res.CertificateConfig != nil {
+		s.D.Set("certificate_config", []interface{}{CertificateConfigToMap(s.Res.CertificateConfig)})
+	} else {
+		s.D.Set("certificate_config", nil)
+	}
+
 	if s.Res.CompartmentId != nil {
 		s.D.Set("compartment_id", *s.Res.CompartmentId)
 	}
@@ -147,6 +153,10 @@ func (s *OpensearchOpensearchClusterDataSourceCrud) SetData() error {
 
 	s.D.Set("master_node_host_type", s.Res.MasterNodeHostType)
 
+	if s.Res.NsgId != nil {
+		s.D.Set("nsg_id", *s.Res.NsgId)
+	}
+
 	if s.Res.OpendashboardFqdn != nil {
 		s.D.Set("opendashboard_fqdn", *s.Res.OpendashboardFqdn)
 	}
@@ -215,6 +225,12 @@ func (s *OpensearchOpensearchClusterDataSourceCrud) SetData() error {
 		s.D.Set("search_node_storage_gb", *s.Res.SearchNodeStorageGB)
 	}
 
+	if s.Res.SecurityAttributes != nil {
+		s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+	} else {
+		s.D.Set("security_attributes", nil)
+	}
+
 	if s.Res.SecurityMasterUserName != nil {
 		s.D.Set("security_master_user_name", *s.Res.SecurityMasterUserName)
 	}

internal/service/opensearch/opensearch_opensearch_cluster_data_source.go

@@ -120,6 +120,43 @@ func OpensearchOpensearchClusterResource() *schema.Resource {
 				ForceNew: true,
 			},
 
+			"certificate_config": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				MaxItems: 1,
+				MinItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						// Required
+
+						// Optional
+						"cluster_certificate_mode": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
+						"dashboard_certificate_mode": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
+						"open_search_api_certificate_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
+						"open_search_dashboard_certificate_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
+
+						// Computed
+					},
+				},
+			},
+
 			// Optional
 			"data_node_host_bare_metal_shape": {
 				Type:     schema.TypeString,
@@ -200,6 +237,12 @@ func OpensearchOpensearchClusterResource() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"nsg_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+			},
 			"opendashboard_node_host_shape": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -300,6 +343,13 @@ func OpensearchOpensearchClusterResource() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"security_attributes": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Computed: true,
+				Default:  nil,
+				Elem:     schema.TypeString,
+			},
 			"security_master_user_name": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -573,6 +623,17 @@ func (s *OpensearchOpensearchClusterResourceCrud) DeletedTarget() []string {
 func (s *OpensearchOpensearchClusterResourceCrud) Create() error {
 	request := oci_opensearch.CreateOpensearchClusterRequest{}
 
+	if certificateConfig, ok := s.D.GetOkExists("certificate_config"); ok {
+		if tmpList := certificateConfig.([]interface{}); len(tmpList) > 0 {
+			fieldKeyFormat := fmt.Sprintf("%s.%d.%%s", "certificate_config", 0)
+			tmp, err := s.mapToCertificateConfig(fieldKeyFormat)
+			if err != nil {
+				return err
+			}
+			request.CertificateConfig = &tmp
+		}
+	}
+
 	if compartmentId, ok := s.D.GetOkExists("compartment_id"); ok {
 		tmp := compartmentId.(string)
 		request.CompartmentId = &tmp
@@ -682,6 +743,11 @@ func (s *OpensearchOpensearchClusterResourceCrud) Create() error {
 		request.MasterNodeHostType = oci_opensearch.MasterNodeHostTypeEnum(masterNodeHostType.(string))
 	}
 
+	if nsgId, ok := s.D.GetOkExists("nsg_id"); ok {
+		tmp := nsgId.(string)
+		request.NsgId = &tmp
+	}
+
 	if opendashboardNodeCount, ok := s.D.GetOkExists("opendashboard_node_count"); ok {
 		tmp := opendashboardNodeCount.(int)
 		request.OpendashboardNodeCount = &tmp
@@ -755,6 +821,10 @@ func (s *OpensearchOpensearchClusterResourceCrud) Create() error {
 		request.SearchNodeStorageGB = &tmp
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	if securityMasterUserName, ok := s.D.GetOkExists("security_master_user_name"); ok {
 		tmp := securityMasterUserName.(string)
 		request.SecurityMasterUserName = &tmp
@@ -1038,6 +1108,19 @@ func (s *OpensearchOpensearchClusterResourceCrud) Update() error {
 
 	request := oci_opensearch.UpdateOpensearchClusterRequest{}
 
+	if certificateConfig, ok := s.D.GetOkExists("certificate_config"); ok {
+		if tmpList := certificateConfig.([]interface{}); len(tmpList) > 0 {
+			fieldKeyFormat := fmt.Sprintf("%s.%d.%%s", "certificate_config", 0)
+			tmp, err := s.mapToCertificateConfig(fieldKeyFormat)
+			if err != nil {
+				return err
+			}
+			request.CertificateConfig = &tmp
+		}
+	} else {
+		request.CertificateConfig = nil
+	}
+
 	if definedTags, ok := s.D.GetOkExists("defined_tags"); ok {
 		convertedDefinedTags, err := tfresource.MapToDefinedTags(definedTags.(map[string]interface{}))
 		if err != nil {
@@ -1093,6 +1176,12 @@ func (s *OpensearchOpensearchClusterResourceCrud) Update() error {
 		}
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	} else {
+		request.SecurityAttributes = nil
+	}
+
 	if securityMasterUserName, ok := s.D.GetOkExists("security_master_user_name"); ok {
 		tmp := securityMasterUserName.(string)
 		request.SecurityMasterUserName = &tmp
@@ -1157,6 +1246,12 @@ func (s *OpensearchOpensearchClusterResourceCrud) Delete() error {
 func (s *OpensearchOpensearchClusterResourceCrud) SetData() error {
 	s.D.Set("availability_domains", s.Res.AvailabilityDomains)
 
+	if s.Res.CertificateConfig != nil {
+		s.D.Set("certificate_config", []interface{}{CertificateConfigToMap(s.Res.CertificateConfig)})
+	} else {
+		s.D.Set("certificate_config", nil)
+	}
+
 	if s.Res.CompartmentId != nil {
 		s.D.Set("compartment_id", *s.Res.CompartmentId)
 	}
@@ -1235,6 +1330,10 @@ func (s *OpensearchOpensearchClusterResourceCrud) SetData() error {
 
 	s.D.Set("master_node_host_type", s.Res.MasterNodeHostType)
 
+	if s.Res.NsgId != nil {
+		s.D.Set("nsg_id", *s.Res.NsgId)
+	}
+
 	if s.Res.OpendashboardFqdn != nil {
 		s.D.Set("opendashboard_fqdn", *s.Res.OpendashboardFqdn)
 	}
@@ -1303,6 +1402,10 @@ func (s *OpensearchOpensearchClusterResourceCrud) SetData() error {
 		s.D.Set("search_node_storage_gb", *s.Res.SearchNodeStorageGB)
 	}
 
+	if s.Res.SecurityAttributes != nil {
+		s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+	}
+
 	if s.Res.SecurityMasterUserName != nil {
 		s.D.Set("security_master_user_name", *s.Res.SecurityMasterUserName)
 	}
@@ -1423,6 +1526,11 @@ func (s *OpensearchOpensearchClusterResourceCrud) UpgradeOpenSearchCluster() err
 		tmp := originalClusterDisplayName.(string)
 		request.OriginalClusterDisplayName = &tmp
 	}
+
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	if systemTags, ok := s.D.GetOkExists("system_tags"); ok {
 		convertedSystemTags, err := tfresource.MapToSystemTags(systemTags.(map[string]interface{}))
 		if err != nil {
@@ -1596,6 +1704,48 @@ func (s *OpensearchOpensearchClusterResourceCrud) mapToCreateMaintenanceDetails(
 	return result, nil
 }
 
+func (s *OpensearchOpensearchClusterResourceCrud) mapToCertificateConfig(fieldKeyFormat string) (oci_opensearch.CertificateConfig, error) {
+	result := oci_opensearch.CertificateConfig{}
+
+	if clusterCertificateMode, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "cluster_certificate_mode")); ok {
+		result.ClusterCertificateMode = oci_opensearch.CertificateModeEnum(clusterCertificateMode.(string))
+	}
+
+	if dashboardCertificateMode, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "dashboard_certificate_mode")); ok {
+		result.DashboardCertificateMode = oci_opensearch.CertificateModeEnum(dashboardCertificateMode.(string))
+	}
+
+	if openSearchApiCertificateId, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "open_search_api_certificate_id")); ok {
+		tmp := openSearchApiCertificateId.(string)
+		result.OpenSearchApiCertificateId = &tmp
+	}
+
+	if openSearchDashboardCertificateId, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "open_search_dashboard_certificate_id")); ok {
+		tmp := openSearchDashboardCertificateId.(string)
+		result.OpenSearchDashboardCertificateId = &tmp
+	}
+
+	return result, nil
+}
+
+func CertificateConfigToMap(obj *oci_opensearch.CertificateConfig) map[string]interface{} {
+	result := map[string]interface{}{}
+
+	result["cluster_certificate_mode"] = string(obj.ClusterCertificateMode)
+
+	result["dashboard_certificate_mode"] = string(obj.DashboardCertificateMode)
+
+	if obj.OpenSearchApiCertificateId != nil {
+		result["open_search_api_certificate_id"] = string(*obj.OpenSearchApiCertificateId)
+	}
+
+	if obj.OpenSearchDashboardCertificateId != nil {
+		result["open_search_dashboard_certificate_id"] = string(*obj.OpenSearchDashboardCertificateId)
+	}
+
+	return result
+}
+
 func (s *OpensearchOpensearchClusterResourceCrud) mapToUpdateMaintenanceDetails(fieldKeyFormat string) (oci_opensearch.UpdateMaintenanceDetails, error) {
 	result := oci_opensearch.UpdateMaintenanceDetails{}
 
@@ -1664,6 +1814,12 @@ func OpensearchClusterSummaryToMap(obj oci_opensearch.OpensearchClusterSummary)
 		result["outbound_cluster_config"] = []interface{}{OutboundClusterConfigToMap(obj.OutboundClusterConfig)}
 	}
 
+	if obj.SecurityAttributes != nil {
+		result["security_attributes"] = tfresource.SecurityAttributesToMap(obj.SecurityAttributes)
+	} else {
+		result["security_attributes"] = nil
+	}
+
 	result["security_mode"] = string(obj.SecurityMode)
 
 	if obj.SoftwareVersion != nil {

internal/service/opensearch/opensearch_opensearch_cluster_resource.go

@@ -47,6 +47,12 @@ The following arguments are supported:
 The following attributes are exported:
 
 * `availability_domains` - The availability domains to distribute the cluser nodes across.
+	* `retention_in_days` - Specifies how long backup copy should remain on Storage in days
+* `certificate_config` - Custom certificate config for customer provided certs.
+	* `cluster_certificate_mode` - Specifies whether the certificate to be used in cluster is managed by OpenSearch or Oracle Cloud Infrastructure Certificates service.
+	* `dashboard_certificate_mode` - Specifies whether the certificate to be used in dashboard is managed by OpenSearch or Oracle Cloud Infrastructure Certificates service.
+	* `open_search_api_certificate_id` - certificate to be used for OpenSearch cluster api communication
+	* `open_search_dashboard_certificate_id` - certificate to be used for OpenSearch dashboard api communication
 * `compartment_id` - The OCID of the compartment where the cluster is located.
 * `data_node_count` - The number of data nodes configured for the cluster.
 * `data_node_host_bare_metal_shape` - The bare metal shape for the cluster's data nodes.
@@ -73,6 +79,7 @@ The following attributes are exported:
 * `master_node_host_ocpu_count` - The number of OCPUs configured for cluster's master nodes.
 * `master_node_host_shape` - The node shape for the cluster's master nodes.
 * `master_node_host_type` - The instance type for the cluster's master nodes.
+* `nsg_id` - The OCID of the NSG where the private endpoint vnic will be attached.
 * `opendashboard_fqdn` - The fully qualified domain name (FQDN) for the cluster's OpenSearch Dashboard API endpoint.
 * `opendashboard_node_count` - The number of OpenSearch Dashboard nodes configured for the cluster.
 * `opendashboard_node_host_memory_gb` - The amount of memory in GB, for the cluster's OpenSearch Dashboard nodes.
@@ -99,6 +106,7 @@ The following attributes are exported:
 * `search_node_host_shape` - The node shape for the cluster's search nodes.
 * `search_node_host_type` - The instance type for the cluster's search nodes.
 * `search_node_storage_gb` - The amount of storage in GB, to configure per node for the cluster's search nodes.
+* `security_attributes` - Security attributes for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}` 
 * `security_master_user_name` - The name of the master user that are used to manage security config
 * `security_master_user_password_hash` - The password hash of the master user that are used to manage security config
 * `security_mode` - The security mode of the cluster.

website/docs/d/opensearch_opensearch_cluster.html.markdown

@@ -61,6 +61,11 @@ The following attributes are exported:
 The following attributes are exported:
 
 * `availability_domains` - The availability domains to distribute the cluser nodes across.
+* `certificate_config` - Custom certificate config for customer provided certs.
+	* `cluster_certificate_mode` - Specifies whether the certificate to be used in cluster is managed by OpenSearch or Oracle Cloud Infrastructure Certificates service.
+	* `dashboard_certificate_mode` - Specifies whether the certificate to be used in dashboard is managed by OpenSearch or Oracle Cloud Infrastructure Certificates service.
+	* `open_search_api_certificate_id` - certificate to be used for OpenSearch cluster api communication
+	* `open_search_dashboard_certificate_id` - certificate to be used for OpenSearch dashboard api communication
 * `compartment_id` - The OCID of the compartment where the cluster is located.
 * `data_node_count` - The number of data nodes configured for the cluster.
 * `data_node_host_bare_metal_shape` - The bare metal shape for the cluster's data nodes.
@@ -87,6 +92,7 @@ The following attributes are exported:
 * `master_node_host_ocpu_count` - The number of OCPUs configured for cluster's master nodes.
 * `master_node_host_shape` - The node shape for the cluster's master nodes.
 * `master_node_host_type` - The instance type for the cluster's master nodes.
+* `nsg_id` - The OCID of the NSG where the private endpoint vnic will be attached.
 * `opendashboard_fqdn` - The fully qualified domain name (FQDN) for the cluster's OpenSearch Dashboard API endpoint.
 * `opendashboard_node_count` - The number of OpenSearch Dashboard nodes configured for the cluster.
 * `opendashboard_node_host_memory_gb` - The amount of memory in GB, for the cluster's OpenSearch Dashboard nodes.
@@ -113,6 +119,7 @@ The following attributes are exported:
 * `search_node_host_shape` - The node shape for the cluster's search nodes.
 * `search_node_host_type` - The instance type for the cluster's search nodes.
 * `search_node_storage_gb` - The amount of storage in GB, to configure per node for the cluster's search nodes.
+* `security_attributes` - Security attributes for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}` 
 * `security_master_user_name` - The name of the master user that are used to manage security config
 * `security_master_user_password_hash` - The password hash of the master user that are used to manage security config
 * `security_mode` - The security mode of the cluster.