feat(lb): add ips_edge_services field

Author: yfodil

docs/resources/lb_acl.md

@@ -53,9 +53,11 @@ The following arguments are supported:
 
         - `code`  - (Optional) The HTTP redirect code to use. Valid values are `301`, `302`, `303`, `307` and `308`.
 
-- `match` - (Required) The ACL match rule. At least `ip_subnet` or `http_filter` and `http_filter_value` are required.
+- `match` - (Required) The ACL match rule. At least `ip_subnet` or `ips_edge_services` or `http_filter` and `http_filter_value` are required.
 
-    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match.
+    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match. Only one of `ip_subnet` and `ips_edge_services` should be specified.
+
+    - `ips_edge_services` - (Optional) Defines whether Edge Services IPs should be matched. Only one of `ip_subnet` and `ips_edge_services` should be specified.
 
     - `http_filter` - (Optional) The HTTP filter to match. This filter is supported only if your backend protocol has an HTTP forward protocol.
       It extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).

docs/resources/lb_frontend.md

@@ -191,9 +191,11 @@ The following arguments are supported:
 
         - `code`  - (Optional) The HTTP redirect code to use. Valid values are `301`, `302`, `303`, `307` and `308`.
 
-- `match` - (Required) The ACL match rule. At least `ip_subnet` or `http_filter` and `http_filter_value` are required.
+- `match` - (Required) The ACL match rule. At least `ip_subnet` or `ips_edge_services` or `http_filter` and `http_filter_value` are required.
 
-    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match.
+    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match. Only one of `ip_subnet` and `ips_edge_services` should be specified.
+
+    - `ips_edge_services` - (Optional) Defines whether Edge Services IPs should be matched. Only one of `ip_subnet` and `ips_edge_services` should be specified.
 
     - `http_filter` - (Optional) The HTTP filter to match. This filter is supported only if your backend protocol has an HTTP forward protocol.
        It extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).
@@ -205,7 +207,7 @@ The following arguments are supported:
     - `http_filter_option` - (Optional) If you have `http_filter` at `http_header_match`, you can use this field to filter on the HTTP header's value.
 
     - `invert` - (Optional) If set to `true`, the condition will be of type "unless".
-  
+
 - `external_acls` - (Defaults to `false`) A boolean to specify whether to use [lb_acl](../resources/lb_acl.md).
   If `external_acls` is set to `true`, `acl` can not be set directly in the Load Balancer frontend.
 

internal/services/lb/acl.go

@@ -110,6 +110,7 @@ func ResourceACL() *schema.Resource {
 							Optional:         true,
 							Description:      "A list of IPs or CIDR v4/v6 addresses of the client of the session to match",
 							DiffSuppressFunc: diffSuppressFunc32SubnetMask,
+							ConflictsWith:    []string{"ips_edge_services"},
 						},
 						"http_filter": {
 							Type:             schema.TypeString,
@@ -136,6 +137,12 @@ func ResourceACL() *schema.Resource {
 							Optional:    true,
 							Description: `If set to true, the condition will be of type "unless"`,
 						},
+						"ips_edge_services": {
+							Type:          schema.TypeBool,
+							Optional:      true,
+							Description:   `Defines whether Edge Services IPs should be matched`,
+							ConflictsWith: []string{"ip_subnet"},
+						},
 					},
 				},
 			},
@@ -169,7 +176,7 @@ func resourceLbACLCreate(ctx context.Context, d *schema.ResourceData, m any) dia
 		FrontendID:  frontID,
 		Name:        d.Get("name").(string),
 		Action:      expandLbACLAction(d.Get("action")),
-		Match:       expandLbACLMatch(d.Get("match")),
+		Match:       expandLbACLMatch(d, d.Get("match")),
 		Index:       int32(d.Get("index").(int)),
 		Description: d.Get("description").(string),
 	}
@@ -231,7 +238,7 @@ func resourceLbACLUpdate(ctx context.Context, d *schema.ResourceData, m any) dia
 		Name:        d.Get("name").(string),
 		Action:      expandLbACLAction(d.Get("action")),
 		Index:       int32(d.Get("index").(int)),
-		Match:       expandLbACLMatch(d.Get("match")),
+		Match:       expandLbACLMatch(d, d.Get("match")),
 		Description: types.ExpandUpdatedStringPtr(d.Get("description")),
 	}
 

internal/services/lb/acl_test.go

@@ -54,7 +54,7 @@ func TestAccAcl_Basic(t *testing.T) {
 							ip_subnet = ["192.168.0.1", "192.168.0.2", "192.168.10.0/24"]
 							http_filter = "acl_http_filter_none"
 							http_filter_value = []
-							invert = "true"
+							invert = true
 						}
 					}
 				`,
@@ -127,6 +127,114 @@ func TestAccAcl_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter", "acl_http_filter_none"),
 					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter_value.#", "0"),
 					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.invert", "false"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ips_edge_services", "false"),
+				),
+			},
+			{
+				Config: `
+					resource scaleway_lb_ip ip01 {}
+					resource scaleway_lb lb01 {
+						ip_id = scaleway_lb_ip.ip01.id
+						name = "test-lb-acl"
+						type = "lb-s"
+					}
+					resource scaleway_lb_backend bkd01 {
+						lb_id = scaleway_lb.lb01.id
+						forward_protocol = "http"
+						forward_port = 80
+						proxy_protocol = "none"
+					}
+					resource scaleway_lb_frontend frt01 {
+						lb_id = scaleway_lb.lb01.id
+						backend_id = scaleway_lb_backend.bkd01.id
+						name = "tf-test"
+						inbound_port = 80
+						timeout_client = "30s"
+						external_acls = true
+					}
+					resource scaleway_lb_acl acl01 {
+						frontend_id = scaleway_lb_frontend.frt01.id
+						name = "updated-test-acl-basic"
+						description = "updated description"
+						index = 3
+						action {
+							type = "deny"
+						}
+						match {
+							http_filter = "acl_http_filter_none"
+							http_filter_value = []
+							ips_edge_services = true
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					isACLPresent(tt, "scaleway_lb_acl.acl01"),
+					resource.TestCheckResourceAttrPair(
+						"scaleway_lb_acl.acl01", "frontend_id",
+						"scaleway_lb_frontend.frt01", "id"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "name", "updated-test-acl-basic"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "description", "updated description"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "index", "3"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "action.0.type", "deny"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.0", "0.0.0.0/0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter", "acl_http_filter_none"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter_value.#", "0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.invert", "false"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ips_edge_services", "true"),
+				),
+			},
+			{
+				Config: `
+					resource scaleway_lb_ip ip01 {}
+					resource scaleway_lb lb01 {
+						ip_id = scaleway_lb_ip.ip01.id
+						name = "test-lb-acl"
+						type = "lb-s"
+					}
+					resource scaleway_lb_backend bkd01 {
+						lb_id = scaleway_lb.lb01.id
+						forward_protocol = "http"
+						forward_port = 80
+						proxy_protocol = "none"
+					}
+					resource scaleway_lb_frontend frt01 {
+						lb_id = scaleway_lb.lb01.id
+						backend_id = scaleway_lb_backend.bkd01.id
+						name = "tf-test"
+						inbound_port = 80
+						timeout_client = "30s"
+						external_acls = true
+					}
+					resource scaleway_lb_acl acl01 {
+						frontend_id = scaleway_lb_frontend.frt01.id
+						name = "updated-test-acl-basic"
+						description = "updated description"
+						index = 3
+						action {
+							type = "deny"
+						}
+						match {
+							http_filter = "acl_http_filter_none"
+							http_filter_value = []
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					isACLPresent(tt, "scaleway_lb_acl.acl01"),
+					resource.TestCheckResourceAttrPair(
+						"scaleway_lb_acl.acl01", "frontend_id",
+						"scaleway_lb_frontend.frt01", "id"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "name", "updated-test-acl-basic"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "description", "updated description"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "index", "3"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "action.0.type", "deny"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.0", "0.0.0.0/0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter", "acl_http_filter_none"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter_value.#", "0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.invert", "false"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ips_edge_services", "false"),
 				),
 			},
 			{

internal/services/lb/frontend.go

@@ -382,7 +382,7 @@ func resourceLbFrontendUpdateACL(ctx context.Context, d *schema.ResourceData, lb
 	}
 
 	// convert state acl and sanitize them a bit
-	newACL := expandsLBACLs(d.Get("acl"))
+	newACL := expandsLBACLs(d, d.Get("acl"))
 
 	// loop
 	for index, stateACL := range newACL {
@@ -441,12 +441,12 @@ func resourceLbFrontendUpdateACL(ctx context.Context, d *schema.ResourceData, lb
 	return nil
 }
 
-func expandsLBACLs(raw any) []*lbSDK.ACL {
-	d := raw.([]any)
+func expandsLBACLs(d *schema.ResourceData, raw any) []*lbSDK.ACL {
+	r := raw.([]any)
 	newACL := make([]*lbSDK.ACL, 0)
 
-	for _, rawACL := range d {
-		newACL = append(newACL, expandLbACL(rawACL))
+	for _, rawACL := range r {
+		newACL = append(newACL, expandLbACL(d, rawACL))
 	}
 
 	return newACL