Added - Support for HeatWave Service: Zerotrust Packet Routing (ZPR)

Author: MarkLeith

examples/mysql/main.tf

@@ -176,6 +176,9 @@ resource "oci_mysql_mysql_db_system" "test_mysql_db_system" {
     configuration = "DISABLED"
     port = "443"
   }
+
+  #Optional
+  security_attributes = {"oracle-zpr.sensitivity.value": "low", "oracle-zpr.sensitivity.mode": "enforce"}
 }
 
 data "oci_mysql_mysql_configurations" "test_mysql_configurations" {

examples/mysql/replica/main.tf

@@ -117,6 +117,9 @@ resource "oci_mysql_replica" "test_replica" {
     #mysql_version      = "8.1.0"
     nsg_ids            = [oci_core_network_security_group.test_network_security_group.id]
     shape_name         = "MySQL.VM.Standard.E3.4.64GB"
+
+    # Optional
+    security_attributes = {"oracle-zpr.sensitivity.value": "low", "oracle-zpr.sensitivity.mode": "enforce"}
   }
 }
 

internal/integrationtest/mysql_mysql_db_system_security_attributes_test.go

@@ -0,0 +1,90 @@
+// Copyright (c) 2017, 2025, Oracle and/or its affiliates. All rights reserved.
+
+package integrationtest
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+
+	"github.com/oracle/terraform-provider-oci/httpreplay"
+	"github.com/oracle/terraform-provider-oci/internal/acctest"
+	"github.com/oracle/terraform-provider-oci/internal/utils"
+)
+
+var (
+	mysqlDbSystemSecurityAttributes = map[string]interface{}{
+		// standard required properties
+		"admin_password":          acctest.Representation{RepType: acctest.Required, Create: `BEstrO0ng_#11`},
+		"admin_username":          acctest.Representation{RepType: acctest.Required, Create: `adminUser`},
+		"availability_domain":     acctest.Representation{RepType: acctest.Required, Create: `${data.oci_identity_availability_domains.test_availability_domains.availability_domains.0.name}`},
+		"compartment_id":          acctest.Representation{RepType: acctest.Required, Create: `${var.compartment_id}`},
+		"shape_name":              acctest.Representation{RepType: acctest.Required, Create: `MySQL.VM.Standard.E3.1.8GB`},
+		"subnet_id":               acctest.Representation{RepType: acctest.Required, Create: `${oci_core_subnet.test_subnet.id}`},
+		"data_storage_size_in_gb": acctest.Representation{RepType: acctest.Required, Create: `50`},
+
+		// use an easier to track display name
+		"display_name": acctest.Representation{RepType: acctest.Optional, Create: `TestDbSystemSecurityAttributes`},
+
+		// avoid wasting time setting up DBM when that's not what we're testing here
+		"database_management": acctest.Representation{RepType: acctest.Optional, Create: `DISABLED`},
+
+		// disable backup policy to avoid wasting even more time and resources
+		"backup_policy": acctest.RepresentationGroup{RepType: acctest.Required, Group: disabledBackupPolicy},
+
+		// create with the default SAs and then clear SAs on update
+		"security_attributes": acctest.Representation{RepType: acctest.Optional,
+			Create: map[string]string{"oracle-zpr.sensitivity.value": "low", "oracle-zpr.sensitivity.mode": "enforce"},
+			Update: map[string]string{}},
+	}
+)
+
+// issue-routing-tag: mysql/default
+func TestMysqlMysqlDbSystemResource_securityAttributes(t *testing.T) {
+	httpreplay.SetScenario("TestMysqlMysqlDbSystemResource_securityAttributes")
+	defer httpreplay.SaveScenario()
+
+	config := acctest.ProviderTestConfig()
+
+	compartmentId := utils.GetEnvSettingWithBlankDefault("compartment_ocid")
+	compartmentIdVariableStr := fmt.Sprintf("variable \"compartment_id\" { default = \"%s\" }\n", compartmentId)
+
+	resourceName := "oci_mysql_mysql_db_system.test_mysql_db_system"
+
+	var resId, resId2 string
+
+	acctest.ResourceTest(t, nil, []resource.TestStep{
+		// verify create results in a DBS with SA
+		{
+			Config: config + compartmentIdVariableStr + MysqlMysqlDbSystemResourceDependencies +
+				acctest.GenerateResourceFromRepresentationMap("oci_mysql_mysql_db_system", "test_mysql_db_system", acctest.Optional, acctest.Create, mysqlDbSystemSecurityAttributes),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
+
+				func(s *terraform.State) (err error) {
+					resId, err = acctest.FromInstanceState(s, resourceName, "id")
+					return err
+				},
+			),
+		},
+
+		// verify update results in the removal of SA
+		{
+			Config: config + compartmentIdVariableStr + MysqlMysqlDbSystemResourceDependencies +
+				acctest.GenerateResourceFromRepresentationMap("oci_mysql_mysql_db_system", "test_mysql_db_system", acctest.Optional, acctest.Update, mysqlDbSystemSecurityAttributes),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "0"),
+
+				func(s *terraform.State) (err error) {
+					resId2, err = acctest.FromInstanceState(s, resourceName, "id")
+					if resId != resId2 {
+						return fmt.Errorf("Resource recreated when it was supposed to be updated.")
+					}
+					return err
+				},
+			),
+		},
+	})
+}

internal/integrationtest/mysql_mysql_db_system_test.go

@@ -82,6 +82,7 @@ var (
 		"encrypt_data":            acctest.RepresentationGroup{RepType: acctest.Optional, Group: MysqlMysqlDbSystemEncryptDataRepresentation},
 		"lifecycle":               acctest.RepresentationGroup{RepType: acctest.Required, Group: ignoreDefinedTagsChangesForMysqlRepBasic},
 		"read_endpoint":           acctest.RepresentationGroup{RepType: acctest.Optional, Group: MysqlMysqlDbSystemReadEndpointRepresentation},
+		"security_attributes":     acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"oracle-zpr.sensitivity.value": "low", "oracle-zpr.sensitivity.mode": "enforce"}},
 	}
 
 	ignoreDefinedTagsChangesForMysqlRepBasic = map[string]interface{}{
@@ -244,6 +245,7 @@ func TestMysqlMysqlDbSystemResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "rest.0.configuration", "DISABLED"),
 				resource.TestCheckResourceAttr(resourceName, "secure_connections.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "secure_connections.0.certificate_generation_type", "SYSTEM"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
 				resource.TestCheckResourceAttr(resourceName, "encrypt_data.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "encrypt_data.0.key_generation_type", "SYSTEM"),
 				resource.TestCheckResourceAttrSet(resourceName, "shape_name"),
@@ -310,6 +312,7 @@ func TestMysqlMysqlDbSystemResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "rest.0.configuration", "DISABLED"),
 				resource.TestCheckResourceAttr(resourceName, "secure_connections.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "secure_connections.0.certificate_generation_type", "SYSTEM"),
+				resource.TestCheckResourceAttr(resourceName, "security_attributes.%", "2"),
 				resource.TestCheckResourceAttr(resourceName, "encrypt_data.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "encrypt_data.0.key_generation_type", "SYSTEM"),
 				resource.TestCheckResourceAttrSet(resourceName, "shape_name"),
@@ -438,6 +441,7 @@ func TestMysqlMysqlDbSystemResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(singularDatasourceName, "secure_connections.0.certificate_generation_type", "SYSTEM"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "encrypt_data.#", "1"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "encrypt_data.0.key_generation_type", "SYSTEM"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "security_attributes.%", "2"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "source.#", "1"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "source.0.source_type", "NONE"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "state"),

internal/integrationtest/mysql_replica_test.go

@@ -66,8 +66,9 @@ var (
 		"configuration_id": acctest.Representation{RepType: acctest.Optional, Create: `${oci_mysql_mysql_db_system.test_mysql_db_system.configuration_id}`},
 		// TODO: fix unsupported versions
 		//"mysql_version":    acctest.Representation{RepType: acctest.Optional, Create: `8.0.35`, Update: `8.1.0`},
-		"nsg_ids":    acctest.Representation{RepType: acctest.Optional, Create: []string{`${oci_core_network_security_group.test_network_security_group.id}`}},
-		"shape_name": acctest.Representation{RepType: acctest.Optional, Create: `${oci_mysql_mysql_db_system.test_mysql_db_system.shape_name}`},
+		"nsg_ids":             acctest.Representation{RepType: acctest.Optional, Create: []string{`${oci_core_network_security_group.test_network_security_group.id}`}},
+		"security_attributes": acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"oracle-zpr.sensitivity.value": "low", "oracle-zpr.sensitivity.mode": "enforce"}},
+		"shape_name":          acctest.Representation{RepType: acctest.Optional, Create: `${oci_mysql_mysql_db_system.test_mysql_db_system.shape_name}`},
 	}
 
 	ignoreDefinedTagsChangesForMysqlReplica = map[string]interface{}{
@@ -166,6 +167,7 @@ func TestMysqlReplicaResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(resourceName, "replica_overrides.0.configuration_id"),
 				// TODO: fix unsupported versions
 				//resource.TestCheckResourceAttr(resourceName, "replica_overrides.0.mysql_version", "8.0.35"),
+				resource.TestCheckResourceAttr(resourceName, "replica_overrides.0.security_attributes.%", "2"),
 				resource.TestCheckResourceAttrSet(resourceName, "replica_overrides.0.shape_name"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
@@ -204,6 +206,7 @@ func TestMysqlReplicaResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(resourceName, "replica_overrides.0.configuration_id"),
 				// TODO: fix unsupported versions
 				//resource.TestCheckResourceAttr(resourceName, "replica_overrides.0.mysql_version", "8.1.0"),
+				resource.TestCheckResourceAttr(resourceName, "replica_overrides.0.security_attributes.%", "2"),
 				resource.TestCheckResourceAttrSet(resourceName, "replica_overrides.0.shape_name"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
@@ -251,6 +254,7 @@ func TestMysqlReplicaResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(datasourceName, "replicas.0.replica_overrides.0.configuration_id"),
 				// TODO: fix unsupported versions
 				//resource.TestCheckResourceAttr(datasourceName, "replicas.0.replica_overrides.0.mysql_version", "8.1.0"),
+				resource.TestCheckResourceAttr(datasourceName, "replicas.0.replica_overrides.0.security_attributes.%", "2"),
 				resource.TestCheckResourceAttrSet(datasourceName, "replicas.0.replica_overrides.0.shape_name"),
 				resource.TestCheckResourceAttrSet(datasourceName, "replicas.0.shape_name"),
 				resource.TestCheckResourceAttrSet(datasourceName, "replicas.0.state"),
@@ -282,6 +286,7 @@ func TestMysqlReplicaResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(singularDatasourceName, "replica_overrides.#", "1"),
 				// TODO: fix unsupported versions
 				//resource.TestCheckResourceAttr(singularDatasourceName, "replica_overrides.0.mysql_version", "8.1.0"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "replica_overrides.0.security_attributes.%", "2"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "secure_connections.#", "1"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "shape_name"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "state"),

internal/service/mysql/mysql_mysql_backup_resource.go

@@ -597,6 +597,11 @@ func MysqlMysqlBackupResource() *schema.Resource {
 								},
 							},
 						},
+						"security_attributes": {
+							Type:     schema.TypeMap,
+							Computed: true,
+							Elem:     schema.TypeString,
+						},
 						"shape_name": {
 							Type:     schema.TypeString,
 							Computed: true,
@@ -1414,6 +1419,8 @@ func DbSystemSnapshotToMap(obj *oci_mysql.DbSystemSnapshot, datasource bool) map
 		result["secure_connections"] = []interface{}{SecureConnectionDetailsToMap(obj.SecureConnections)}
 	}
 
+	result["security_attributes"] = obj.SecurityAttributes
+
 	if obj.ShapeName != nil {
 		result["shape_name"] = string(*obj.ShapeName)
 	}

internal/service/mysql/mysql_mysql_db_system_data_source.go

@@ -226,6 +226,10 @@ func (s *MysqlMysqlDbSystemDataSourceCrud) SetData() error {
 		s.D.Set("secure_connections", nil)
 	}
 
+	if s.Res.SecurityAttributes != nil {
+		s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+	}
+
 	if s.Res.ShapeName != nil {
 		s.D.Set("shape_name", *s.Res.ShapeName)
 	}

internal/service/mysql/mysql_mysql_db_system_resource.go

@@ -487,6 +487,12 @@ func MysqlMysqlDbSystemResource() *schema.Resource {
 					},
 				},
 			},
+			"security_attributes": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
 			"source": {
 				Type:     schema.TypeList,
 				Optional: true,
@@ -1274,6 +1280,10 @@ func (s *MysqlMysqlDbSystemResourceCrud) Create() error {
 		}
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	if shapeName, ok := s.D.GetOkExists("shape_name"); ok {
 		tmp := shapeName.(string)
 		request.ShapeName = &tmp
@@ -1510,6 +1520,10 @@ func (s *MysqlMysqlDbSystemResourceCrud) Update() error {
 		}
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok && s.D.HasChange("security_attributes") {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	if shapeName, ok := s.D.GetOkExists("shape_name"); ok && s.D.HasChange("shape_name") {
 		tmp := shapeName.(string)
 		request.ShapeName = &tmp
@@ -1702,6 +1716,8 @@ func (s *MysqlMysqlDbSystemResourceCrud) SetData() error {
 		s.D.Set("secure_connections", nil)
 	}
 
+	s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+
 	if s.Res.ShapeName != nil {
 		s.D.Set("shape_name", *s.Res.ShapeName)
 	}

internal/service/mysql/mysql_replica_data_source.go

@@ -145,6 +145,8 @@ func (s *MysqlReplicaDataSourceCrud) SetData() error {
 		s.D.Set("secure_connections", nil)
 	}
 
+	s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+
 	if s.Res.ShapeName != nil {
 		s.D.Set("shape_name", *s.Res.ShapeName)
 	}

internal/service/mysql/mysql_replica_resource.go

@@ -96,6 +96,12 @@ func MysqlReplicaResource() *schema.Resource {
 								Type: schema.TypeString,
 							},
 						},
+						"security_attributes": {
+							Type:     schema.TypeMap,
+							Optional: true,
+							Computed: true,
+							Elem:     schema.TypeString,
+						},
 						"shape_name": {
 							Type:     schema.TypeString,
 							Optional: true,
@@ -194,6 +200,11 @@ func MysqlReplicaResource() *schema.Resource {
 					},
 				},
 			},
+			"security_attributes": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
 			"shape_name": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -521,6 +532,8 @@ func (s *MysqlReplicaResourceCrud) SetData() error {
 		s.D.Set("secure_connections", nil)
 	}
 
+	s.D.Set("security_attributes", tfresource.SecurityAttributesToMap(s.Res.SecurityAttributes))
+
 	if s.Res.ShapeName != nil {
 		s.D.Set("shape_name", *s.Res.ShapeName)
 	}
@@ -567,6 +580,11 @@ func (s *MysqlReplicaResourceCrud) mapToReplicaOverrides(fieldKeyFormat string)
 		}
 	}
 
+	securityAttributesField := fmt.Sprintf(fieldKeyFormat, "security_attributes")
+	if securityAttributes, ok := s.D.GetOkExists(securityAttributesField); ok && s.D.HasChange(securityAttributesField) {
+		result.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	shapeNameField := fmt.Sprintf(fieldKeyFormat, "shape_name")
 	if shapeName, ok := s.D.GetOkExists(shapeNameField); ok && s.D.HasChange(shapeNameField) {
 		tmp := shapeName.(string)
@@ -597,6 +615,10 @@ func ReplicaOverridesToMap(obj *oci_mysql.ReplicaOverrides, datasource bool) map
 		result["nsg_ids"] = schema.NewSet(tfresource.LiteralTypeHashCodeForSets, nsgIds)
 	}
 
+	if obj.SecurityAttributes != nil {
+		result["security_attributes"] = tfresource.SecurityAttributesToMap(obj.SecurityAttributes)
+	}
+
 	if obj.ShapeName != nil {
 		result["shape_name"] = string(*obj.ShapeName)
 	}