Added - Support for ZPR security attribute for Functions

Author: marvin659

examples/functions/main.tf

@@ -90,6 +90,11 @@ resource "oci_functions_application" "test_application" {
     is_enabled = var.application_trace_config.is_enabled
   }
   shape = var.application_shape
+
+  security_attributes = {
+    "oracle-zpr.sensitivity.value" = "low"
+    "oracle-zpr.sensitivity.mode" = "enforce"
+  }
 }
 
 data "oci_functions_applications" "test_applications" {

internal/integrationtest/functions_application_test.go

@@ -46,6 +46,9 @@ var (
 		"name":   acctest.Representation{RepType: acctest.Required, Create: `id`},
 		"values": acctest.Representation{RepType: acctest.Required, Create: []string{`${oci_functions_application.test_application.id}`}},
 	}
+	ignoreFunctionsApplicationDefinedTagsChangesRepresentation = map[string]interface{}{
+		"ignore_changes": acctest.Representation{RepType: acctest.Required, Create: []string{`defined_tags`}},
+	}
 
 	applicationDisplayName = utils.RandomString(1, utils.CharsetWithoutDigits) + utils.RandomString(13, utils.Charset)
 
@@ -58,9 +61,11 @@ var (
 		"freeform_tags":              acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
 		"image_policy_config":        acctest.RepresentationGroup{RepType: acctest.Optional, Group: FunctionsApplicationImagePolicyConfigRepresentation},
 		"network_security_group_ids": acctest.Representation{RepType: acctest.Optional, Create: []string{`${oci_core_network_security_group.test_network_security_group1.id}`}, Update: []string{`${oci_core_network_security_group.test_network_security_group2.id}`}},
+		"security_attributes":        acctest.Representation{RepType: acctest.Optional, Create: map[string]map[string]map[string]string{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}, Update: map[string]map[string]map[string]string{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}},
 		"shape":                      acctest.Representation{RepType: acctest.Optional, Create: `GENERIC_X86`},
 		"syslog_url":                 acctest.Representation{RepType: acctest.Optional, Create: `tcp://syslog.test:80`, Update: `tcp://syslog2.test:80`},
 		"trace_config":               acctest.RepresentationGroup{RepType: acctest.Optional, Group: FunctionsApplicationTraceConfigRepresentation},
+		"lifecycle":                  acctest.RepresentationGroup{RepType: acctest.Required, Group: ignoreFunctionsApplicationDefinedTagsChangesRepresentation},
 	}
 	FunctionsApplicationImagePolicyConfigRepresentation = map[string]interface{}{
 		"is_policy_enabled": acctest.Representation{RepType: acctest.Required, Create: `false`, Update: `true`},

internal/service/functions/functions_application_data_source.go

@@ -90,6 +90,8 @@ func (s *FunctionsApplicationDataSourceCrud) SetData() error {
 		s.D.Set("image_policy_config", nil)
 	}
 
+	s.D.Set("security_attributes", s.Res.SecurityAttributes)
+
 	s.D.Set("shape", s.Res.Shape)
 
 	s.D.Set("state", s.Res.LifecycleState)

internal/service/functions/functions_application_resource.go

@@ -116,6 +116,12 @@ func FunctionsApplicationResource() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"security_attributes": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
 			"shape": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -293,6 +299,10 @@ func (s *FunctionsApplicationResourceCrud) Create() error {
 		}
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	if shape, ok := s.D.GetOkExists("shape"); ok {
 		request.Shape = oci_functions.CreateApplicationDetailsShapeEnum(shape.(string))
 	}
@@ -410,6 +420,10 @@ func (s *FunctionsApplicationResourceCrud) Update() error {
 		}
 	}
 
+	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
+		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+	}
+
 	if syslogUrl, ok := s.D.GetOkExists("syslog_url"); ok {
 		tmp := syslogUrl.(string)
 		request.SyslogUrl = &tmp
@@ -478,6 +492,8 @@ func (s *FunctionsApplicationResourceCrud) SetData() error {
 	}
 	s.D.Set("network_security_group_ids", schema.NewSet(tfresource.LiteralTypeHashCodeForSets, networkSecurityGroupIds))
 
+	s.D.Set("security_attributes", s.Res.SecurityAttributes)
+
 	s.D.Set("shape", s.Res.Shape)
 
 	s.D.Set("state", s.Res.LifecycleState)

internal/service/functions/functions_applications_data_source.go

@@ -141,6 +141,8 @@ func (s *FunctionsApplicationsDataSourceCrud) SetData() error {
 			application["image_policy_config"] = nil
 		}
 
+		application["security_attributes"] = r.SecurityAttributes
+
 		application["shape"] = r.Shape
 
 		application["state"] = r.LifecycleState

website/docs/d/functions_application.html.markdown

@@ -45,6 +45,7 @@ The following attributes are exported:
 	* `key_details` - A list of KMS key details.
 		* `kms_key_id` - The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the KMS key that will be used to verify the image signature. 
 * `network_security_group_ids` - The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the Network Security Groups to add the application to. 
+* `security_attributes` - Security attributes for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}`
 * `shape` - Valid values are `GENERIC_X86`, `GENERIC_ARM` and `GENERIC_X86_ARM`. Default is `GENERIC_X86`. Setting this to `GENERIC_X86`, will run the functions in the application on X86 processor architecture. Setting this to `GENERIC_ARM`, will run the functions in the application on ARM processor architecture. When set to `GENERIC_X86_ARM`, functions in the application are run on either X86 or ARM processor architecture. Accepted values are: `GENERIC_X86`, `GENERIC_ARM`, `GENERIC_X86_ARM` 
 * `state` - The current state of the application. 
 * `subnet_ids` - The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the subnets in which to run functions in the application. 

website/docs/d/functions_applications.html.markdown

@@ -55,6 +55,7 @@ The following attributes are exported:
 * `freeform_tags` - Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Department": "Finance"}` 
 * `id` - The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the application. 
 * `network_security_group_ids` - The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the Network Security Groups to add the application to.
+* `security_attributes` - Security attributes for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}`
 * `image_policy_config` - Define the image signature verification policy for an application.
     * `is_policy_enabled` - Define if image signature verification policy is enabled for the application. 
     * `key_details` - A list of KMS key details.

website/docs/r/functions_application.html.markdown

@@ -38,6 +38,7 @@ resource "oci_functions_application" "test_application" {
 			kms_key_id = oci_kms_key.test_key.id
 		}
 	}
+	security_attributes = var.application_security_attributes
 	shape = var.application_shape
 	syslog_url = var.application_syslog_url
 	trace_config {
@@ -60,11 +61,12 @@ The following arguments are supported:
 * `defined_tags` - (Optional) (Updatable) Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Operations.CostCenter": "42"}` 
 * `display_name` - (Required) The display name of the application. The display name must be unique within the compartment containing the application. Avoid entering confidential information. 
 * `freeform_tags` - (Optional) (Updatable) Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Department": "Finance"}`
-* `network_security_group_ids` - (Optional) (Updatable) The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the Network Security Groups to add the application to.
 * `image_policy_config` - (Optional) (Updatable) Define the image signature verification policy for an application.
-    * `is_policy_enabled` - (Required) (Updatable) Define if image signature verification policy is enabled for the application. 
+    * `is_policy_enabled` - (Required) (Updatable) Define if image signature verification policy is enabled for the application.
     * `key_details` - (Optional) (Updatable) A list of KMS key details.
-        * `kms_key_id` - (Required) (Updatable) The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the KMS key that will be used to verify the image signature. 
+        * `kms_key_id` - (Required) (Updatable) The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the KMS key that will be used to verify the image signature.
+* `network_security_group_ids` - (Optional) (Updatable) The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the Network Security Groups to add the application to.
+* `security_attributes` - (Optional) (Updatable) Security attributes for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}`
 * `shape` - (Optional) Valid values are `GENERIC_X86`, `GENERIC_ARM` and `GENERIC_X86_ARM`. Default is `GENERIC_X86`. Setting this to `GENERIC_X86`, will run the functions in the application on X86 processor architecture. Setting this to `GENERIC_ARM`, will run the functions in the application on ARM processor architecture. When set to `GENERIC_X86_ARM`, functions in the application are run on either X86 or ARM processor architecture. Accepted values are: `GENERIC_X86`, `GENERIC_ARM`, `GENERIC_X86_ARM`
 * `subnet_ids` - (Required) The [OCID](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)s of the subnets in which to run functions in the application. 
 * `syslog_url` - (Optional) (Updatable) A syslog URL to which to send all function logs. Supports tcp, udp, and tcp+tls. The syslog URL must be reachable from all of the subnets configured for the application. Note: If you enable the Oracle Cloud Infrastructure Logging service for this application, the syslogUrl value is ignored. Function logs are sent to the Oracle Cloud Infrastructure Logging service, and not to the syslog URL.  Example: `tcp://logserver.myserver:1234`