Adding export options to export for bettter access control

Author: parweza

docs/examples/storage/fss/data_sources.tf

@@ -6,7 +6,7 @@ data "oci_identity_availability_domains" "ADs" {
 # Gets the list of file systems in the compartment
 data "oci_file_storage_file_systems" "file_systems" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
 
   #Optional fields. Used by the service to filter the results when returning data to the client.
@@ -18,7 +18,7 @@ data "oci_file_storage_file_systems" "file_systems" {
 # Gets the list of mount targets in the compartment
 data "oci_file_storage_mount_targets" "mount_targets" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
 
   #Optional fields. Used by the service to filter the results when returning data to the client.
@@ -53,7 +53,7 @@ data "oci_file_storage_snapshots" "snapshots" {
 # Gets a list of export sets in a compartment and availability domain
 data "oci_file_storage_export_sets" "export_sets" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
 
   #Optional fields. Used by the service to filter the results when returning data to the client.

docs/examples/storage/fss/export.tf

@@ -3,6 +3,15 @@ resource "oci_file_storage_export" "my_export_fs1_mt1" {
 	export_set_id = "${oci_file_storage_export_set.my_export_set_1.id}"
 	file_system_id = "${oci_file_storage_file_system.my_fs_1.id}"
 	path = "${var.export_path_fs1_mt1}"
+
+	export_options = [
+		{
+			source = "0.0.0.0/0"
+			access = "READ_ONLY"
+			identity_squash = "NONE"
+			require_privileged_source_port = false
+		}
+	]
 }
 
 resource "oci_file_storage_export" "my_export_fs1_mt2" {

docs/examples/storage/fss/file_system.tf

@@ -1,6 +1,6 @@
 resource "oci_file_storage_file_system" "my_fs_1" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
 
   #Optional
@@ -9,7 +9,7 @@ resource "oci_file_storage_file_system" "my_fs_1" {
 
 resource "oci_file_storage_file_system" "my_fs_2" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
 
   #Optional

docs/examples/storage/fss/instance.tf

@@ -1,13 +1,13 @@
 resource "oci_core_instance" "my_instance" {
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
   display_name = "my instance with FSS access"
   hostname_label = "myinstance"
   image = "${var.instance_image_ocid[var.region]}"
   shape = "${var.instance_shape}"
   subnet_id = "${oci_core_subnet.my_subnet.id}"
   metadata {
-    ssh_authorized_keys = "${file(var.ssh_public_key)}"
+    ssh_authorized_keys = "${var.ssh_public_key}"
   }
   timeouts {
     create = "60m"
@@ -23,7 +23,7 @@ resource "null_resource" "mount_fss_on_instance" {
       timeout = "15m"
       host = "${oci_core_instance.my_instance.public_ip}"
       user = "opc"
-      private_key = "${file(var.ssh_private_key)}"
+      private_key = "${var.ssh_private_key}"
     }
     inline = [
       "sudo yum -y install nfs-utils > nfs-utils-install.log",

docs/examples/storage/fss/mount_target.tf

@@ -1,6 +1,6 @@
 resource "oci_file_storage_mount_target" "my_mount_target_1" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
   subnet_id = "${oci_core_subnet.my_subnet.id}"
 
@@ -10,7 +10,7 @@ resource "oci_file_storage_mount_target" "my_mount_target_1" {
 
 resource "oci_file_storage_mount_target" "my_mount_target_2" {
   #Required
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   compartment_id = "${var.compartment_ocid}"
   subnet_id = "${oci_core_subnet.my_subnet.id}"
 

docs/examples/storage/fss/network.tf

@@ -23,7 +23,7 @@ resource "oci_core_route_table" "my_route_table" {
 }
 
 resource "oci_core_subnet" "my_subnet" {
-  availability_domain = "${var.availability_domain}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
   cidr_block = "${var.my_subnet_cidr}"
   display_name = "mysubnet"
   dns_label = "mysubnet"

docs/examples/storage/fss/variables.tf

@@ -14,6 +14,11 @@ variable "api_public_key" {
   default = "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4fGHcxbEs3VaWoKaGUiPHGZ5ILiOXCcWN4nOgLr6CSzUjtgjmN3aA6rsT2mYiD+M5EecDbEUMectUhNtLl5LPABN9kpjuR0zxCJXvYYQiCBtdjb1/YxrZI9T/9Jtd+cTabCahJHR/cR8jFmvO4cKJCa/0+Y00zvktrqniHIn3edGAKC4Ttlwj/1NqT0ZVePMXg3rWHPsIW6ONfdn6FNfMet8Qa8K3C9xVvzImlYx8PQBy/44Ilu5T3A+puwb2QMeZnQZGDALOY4MvrBTTA1TdjFpg1NChj2rGYzreysqlnKFu+1qg64wel39kHkppz4Fv2vaLXF9qIeDjeo3G4sHQIDAQAB-----END PUBLIC KEY-----"
 }
 
+# Choose an Availability Domain
+variable "AD" {
+  default = "1"
+}
+
 variable "my_vcn-cidr" {
   default = "10.0.0.0/16"
 }

docs/file_storage/exports.md

@@ -6,6 +6,13 @@
 
 The following attributes are exported:
 
+* `export_options` - Policies that apply to NFS requests made through this export. `exportOptions` contains a sequential list of `ClientOptions`. Each `ClientOptions` item defines the export options that are applied to a specified set of clients.  For each NFS request, the first `ClientOptions` option in the list whose `source` attribute matches the source IP address of the request is applied.  If a client source IP address does not match the `source` property of any `ClientOptions` in the list, then the export will be invisible to that client. This export will not be returned by `MOUNTPROC_EXPORT` calls made by the client and any attempt to mount or access the file system through this export will result in an error.  **Exports without defined `ClientOptions` are invisible to all clients.**  If one export is invisible to a particular client, associated file systems may still be accessible through other exports on the same or different mount targets. To completely deny client access to a file system, be sure that the client source IP address is not included in any export for any mount target associated with the file system. 
+	* `access` - Type of access to grant clients using the file system through this export. If unspecified defaults to `READ_ONLY`. 
+	* `anonymous_gid` - GID value to remap to when squashing a client GID (see identitySquash for more details.) If unspecified defaults to `65534`. 
+	* `anonymous_uid` - UID value to remap to when squashing a client UID (see identitySquash for more details.) If unspecified, defaults to `65534`. 
+	* `identity_squash` - Used when clients accessing the file system through this export have their UID and GID remapped to 'anonymousUid' and 'anonymousGid'. If `ALL`, all users and groups are remapped; if `ROOT`, only the root user and group (UID/GID 0) are remapped; if `NONE`, no remapping is done. If unspecified, defaults to `ROOT`. 
+	* `require_privileged_source_port` - If `true`, clients accessing the file system through this export must connect from a privileged source port. If unspecified, defaults to `true`. 
+	* `source` - Clients these options should apply to. Must be a either single IPv4 address or single IPv4 CIDR block.  **Note:** Access will also be limited by any applicable VCN security rules and the ability to route IP packets to the mount target. Mount targets do not have Internet-routable IP addresses. 
 * `export_set_id` - The OCID of this export's export set.
 * `file_system_id` - The OCID of this export's file system.
 * `id` - The OCID of this export.
@@ -22,16 +29,30 @@ file system.
 
 The following arguments are supported:
 
+* `export_options` - (Optional) Export options for the new export. If left unspecified, defaults to:         [          {             "source" : "0.0.0.0/0",             "requirePrivilegedSourcePort" : false,             "access" : "READ_WRITE",             "identitySquash" : "NONE"           }        ]    **Note:** Mount targets do not have Internet-routable IP   addresses.  Therefore they will not be reachable from the   Internet, even if an associated `ClientOptions` item has   a source of `0.0.0.0/0`.    **If set to the empty array then the export will not be   visible to any clients.**    The export's `exportOptions` can be changed after creation   using the `UpdateExport` operation. 
+	* `access` - (Optional) Type of access to grant clients using the file system through this export. If unspecified defaults to `READ_ONLY`. 
+	* `anonymous_gid` - (Optional) GID value to remap to when squashing a client GID (see identitySquash for more details.) If unspecified defaults to `65534`. 
+	* `anonymous_uid` - (Optional) UID value to remap to when squashing a client UID (see identitySquash for more details.) If unspecified, defaults to `65534`. 
+	* `identity_squash` - (Optional) Used when clients accessing the file system through this export have their UID and GID remapped to 'anonymousUid' and 'anonymousGid'. If `ALL`, all users and groups are remapped; if `ROOT`, only the root user and group (UID/GID 0) are remapped; if `NONE`, no remapping is done. If unspecified, defaults to `ROOT`. 
+	* `require_privileged_source_port` - (Optional) If `true`, clients accessing the file system through this export must connect from a privileged source port. If unspecified, defaults to `true`. 
+	* `source` - (Required) Clients these options should apply to. Must be a either single IPv4 address or single IPv4 CIDR block.  **Note:** Access will also be limited by any applicable VCN security rules and the ability to route IP packets to the mount target. Mount targets do not have Internet-routable IP addresses. 
 * `export_set_id` - (Required) The OCID of this export's export set.
 * `file_system_id` - (Required) The OCID of this export's file system.
 * `path` - (Required) Path used to access the associated file system.  Avoid entering confidential information.  Example: `/mediafiles` 
 
 
 ### Update Operation
-
+Updates the specified export's information.
 
 The following arguments support updates:
-* NO arguments in this resource support updates
+* `export_options` - Export options for the new export. If left unspecified, defaults to:         [          {             "source" : "0.0.0.0/0",             "requirePrivilegedSourcePort" : false,             "access" : "READ_WRITE",             "identitySquash" : "NONE"           }        ]    **Note:** Mount targets do not have Internet-routable IP   addresses.  Therefore they will not be reachable from the   Internet, even if an associated `ClientOptions` item has   a source of `0.0.0.0/0`.    **If set to the empty array then the export will not be   visible to any clients.**    The export's `exportOptions` can be changed after creation   using the `UpdateExport` operation. 
+	* `access` - Type of access to grant clients using the file system through this export. If unspecified defaults to `READ_ONLY`. 
+	* `anonymous_gid` - GID value to remap to when squashing a client GID (see identitySquash for more details.) If unspecified defaults to `65534`. 
+	* `anonymous_uid` - UID value to remap to when squashing a client UID (see identitySquash for more details.) If unspecified, defaults to `65534`. 
+	* `identity_squash` - Used when clients accessing the file system through this export have their UID and GID remapped to 'anonymousUid' and 'anonymousGid'. If `ALL`, all users and groups are remapped; if `ROOT`, only the root user and group (UID/GID 0) are remapped; if `NONE`, no remapping is done. If unspecified, defaults to `ROOT`. 
+	* `require_privileged_source_port` - If `true`, clients accessing the file system through this export must connect from a privileged source port. If unspecified, defaults to `true`. 
+	* `source` - Clients these options should apply to. Must be a either single IPv4 address or single IPv4 CIDR block.  **Note:** Access will also be limited by any applicable VCN security rules and the ability to route IP packets to the mount target. Mount targets do not have Internet-routable IP addresses. 
+
 
 ** IMPORTANT **
 Any change to a property that does not support update will force the destruction and recreation of the resource with the new property values
@@ -41,9 +62,22 @@ Any change to a property that does not support update will force the destruction
 ```hcl
 resource "oci_file_storage_export" "test_export" {
 	#Required
-	export_set_id = "${oci_file_storage_mount_target.test_mount_target.export_set_id}"
+	export_set_id = "${oci_file_storage_export_set.test_export_set.id}"
 	file_system_id = "${oci_file_storage_file_system.test_file_system.id}"
 	path = "${var.export_path}"
+
+	#Optional
+	export_options {
+		#Required
+		source = "${var.export_export_options_source}"
+
+		#Optional
+		access = "${var.export_export_options_access}"
+		anonymous_gid = "${var.export_export_options_anonymous_gid}"
+		anonymous_uid = "${var.export_export_options_anonymous_uid}"
+		identity_squash = "${var.export_export_options_identity_squash}"
+		require_privileged_source_port = "${var.export_export_options_require_privileged_source_port}"
+	}
 }
 ```
 
@@ -83,4 +117,4 @@ data "oci_file_storage_exports" "test_exports" {
 	id = "${var.export_id}"
 	state = "${var.export_state}"
 }
-```
+```

docs/file_storage/file_systems.md

@@ -10,7 +10,7 @@ The following attributes are exported:
 * `compartment_id` - The OCID of the compartment that contains the file system.
 * `display_name` - A user-friendly name. It does not have to be unique, and it is changeable. Avoid entering confidential information.  Example: `My file system` 
 * `id` - The OCID of the file system.
-* `metered_bytes` - The number of bytes consumed by the file system, including any snapshots. This number reflects the metered size of the file system and is updated asynchronously with respect to updates to the file system.  
+* `metered_bytes` - The number of bytes consumed by the file system, including any snapshots. This number reflects the metered size of the file system and is updated asynchronously with respect to updates to the file system. 
 * `state` - The current state of the file system.
 * `time_created` - The date and time the file system was created, expressed in [RFC 3339](https://tools.ietf.org/rfc/rfc3339) timestamp format.  Example: `2016-08-25T21:10:29.600Z` 
 
@@ -112,4 +112,4 @@ data "oci_file_storage_file_systems" "test_file_systems" {
 	id = "${var.file_system_id}"
 	state = "${var.file_system_state}"
 }
-```
+```

docs/file_storage/mount_targets.md

@@ -31,10 +31,10 @@ Mount targets have one or more private IP addresses that you can
 provide as the host portion of remote target parameters in
 client mount commands. These private IP addresses are listed
 in the privateIpIds property of the mount target and are highly available. Mount
-targets also consume additional IP addresses in their subnet. 
+targets also consume additional IP addresses in their subnet.
 Do not use /30 or smaller subnets for mount target creation because they
-do not have sufficient available IP addresses. 
-Allow at least three IP addresses for each mount target. 
+do not have sufficient available IP addresses.
+Allow at least three IP addresses for each mount target.
 
 For information about access control and compartments, see
 [Overview of the IAM
@@ -127,4 +127,4 @@ data "oci_file_storage_mount_targets" "test_mount_targets" {
 	id = "${var.mount_target_id}"
 	state = "${var.mount_target_state}"
 }
-```
+```