feat(lb): add ips_edge_services field (#3178)

* feat(lb): add ips_edge_services field

* fix

* lint

* support acl from frontend resource too

* fix

Author: yfodil

docs/data-sources/lb_acls.md

@@ -54,4 +54,5 @@ In addition to all arguments above, the following attributes are exported:
         - `http_filter` - The HTTP filter to match.
         - `http_filter_value` - The possible values to match for a given HTTP filter.
         - `http_filter_option` - A list of possible values for the HTTP filter based on the HTTP header.
-        - `invert` -  The condition will be of type "unless" if invert is set to `true`
+        - `invert` - The condition will be of type "unless" if invert is set to `true`
+        - `ips_edge_services` - Defines whether Edge Services IPs should be matched.

docs/resources/lb_acl.md

@@ -53,9 +53,11 @@ The following arguments are supported:
 
         - `code`  - (Optional) The HTTP redirect code to use. Valid values are `301`, `302`, `303`, `307` and `308`.
 
-- `match` - (Required) The ACL match rule. At least `ip_subnet` or `http_filter` and `http_filter_value` are required.
+- `match` - (Required) The ACL match rule. At least `ip_subnet` or `ips_edge_services` or `http_filter` and `http_filter_value` are required.
 
-    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match.
+    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match. Only one of `ip_subnet` and `ips_edge_services` should be specified.
+
+    - `ips_edge_services` - (Optional) Defines whether Edge Services IPs should be matched. Only one of `ip_subnet` and `ips_edge_services` should be specified.
 
     - `http_filter` - (Optional) The HTTP filter to match. This filter is supported only if your backend protocol has an HTTP forward protocol.
       It extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).

docs/resources/lb_frontend.md

@@ -191,9 +191,11 @@ The following arguments are supported:
 
         - `code`  - (Optional) The HTTP redirect code to use. Valid values are `301`, `302`, `303`, `307` and `308`.
 
-- `match` - (Required) The ACL match rule. At least `ip_subnet` or `http_filter` and `http_filter_value` are required.
+- `match` - (Required) The ACL match rule. At least `ip_subnet` or `ips_edge_services` or `http_filter` and `http_filter_value` are required.
 
-    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match.
+    - `ip_subnet` - (Optional) A list of IPs, or CIDR v4/v6 addresses of the session client, to match. Only one of `ip_subnet` and `ips_edge_services` should be specified.
+
+    - `ips_edge_services` - (Optional) Defines whether Edge Services IPs should be matched. Only one of `ip_subnet` and `ips_edge_services` should be specified.
 
     - `http_filter` - (Optional) The HTTP filter to match. This filter is supported only if your backend protocol has an HTTP forward protocol.
        It extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).
@@ -205,7 +207,7 @@ The following arguments are supported:
     - `http_filter_option` - (Optional) If you have `http_filter` at `http_header_match`, you can use this field to filter on the HTTP header's value.
 
     - `invert` - (Optional) If set to `true`, the condition will be of type "unless".
-  
+
 - `external_acls` - (Defaults to `false`) A boolean to specify whether to use [lb_acl](../resources/lb_acl.md).
   If `external_acls` is set to `true`, `acl` can not be set directly in the Load Balancer frontend.
 

internal/services/lb/acl.go

@@ -136,6 +136,11 @@ func ResourceACL() *schema.Resource {
 							Optional:    true,
 							Description: `If set to true, the condition will be of type "unless"`,
 						},
+						"ips_edge_services": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: `Defines whether Edge Services IPs should be matched`,
+						},
 					},
 				},
 			},
@@ -169,7 +174,7 @@ func resourceLbACLCreate(ctx context.Context, d *schema.ResourceData, m any) dia
 		FrontendID:  frontID,
 		Name:        d.Get("name").(string),
 		Action:      expandLbACLAction(d.Get("action")),
-		Match:       expandLbACLMatch(d.Get("match")),
+		Match:       expandLbACLMatch(d, d.Get("match"), 0),
 		Index:       int32(d.Get("index").(int)),
 		Description: d.Get("description").(string),
 	}
@@ -231,7 +236,7 @@ func resourceLbACLUpdate(ctx context.Context, d *schema.ResourceData, m any) dia
 		Name:        d.Get("name").(string),
 		Action:      expandLbACLAction(d.Get("action")),
 		Index:       int32(d.Get("index").(int)),
-		Match:       expandLbACLMatch(d.Get("match")),
+		Match:       expandLbACLMatch(d, d.Get("match"), 0),
 		Description: types.ExpandUpdatedStringPtr(d.Get("description")),
 	}
 

internal/services/lb/acl_test.go

@@ -54,7 +54,7 @@ func TestAccAcl_Basic(t *testing.T) {
 							ip_subnet = ["192.168.0.1", "192.168.0.2", "192.168.10.0/24"]
 							http_filter = "acl_http_filter_none"
 							http_filter_value = []
-							invert = "true"
+							invert = true
 						}
 					}
 				`,
@@ -127,6 +127,114 @@ func TestAccAcl_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter", "acl_http_filter_none"),
 					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter_value.#", "0"),
 					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.invert", "false"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ips_edge_services", "false"),
+				),
+			},
+			{
+				Config: `
+					resource scaleway_lb_ip ip01 {}
+					resource scaleway_lb lb01 {
+						ip_id = scaleway_lb_ip.ip01.id
+						name = "test-lb-acl"
+						type = "lb-s"
+					}
+					resource scaleway_lb_backend bkd01 {
+						lb_id = scaleway_lb.lb01.id
+						forward_protocol = "http"
+						forward_port = 80
+						proxy_protocol = "none"
+					}
+					resource scaleway_lb_frontend frt01 {
+						lb_id = scaleway_lb.lb01.id
+						backend_id = scaleway_lb_backend.bkd01.id
+						name = "tf-test"
+						inbound_port = 80
+						timeout_client = "30s"
+						external_acls = true
+					}
+					resource scaleway_lb_acl acl01 {
+						frontend_id = scaleway_lb_frontend.frt01.id
+						name = "updated-test-acl-basic"
+						description = "updated description"
+						index = 3
+						action {
+							type = "deny"
+						}
+						match {
+							http_filter = "acl_http_filter_none"
+							http_filter_value = []
+							ips_edge_services = true
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					isACLPresent(tt, "scaleway_lb_acl.acl01"),
+					resource.TestCheckResourceAttrPair(
+						"scaleway_lb_acl.acl01", "frontend_id",
+						"scaleway_lb_frontend.frt01", "id"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "name", "updated-test-acl-basic"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "description", "updated description"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "index", "3"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "action.0.type", "deny"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.0", "0.0.0.0/0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter", "acl_http_filter_none"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter_value.#", "0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.invert", "false"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ips_edge_services", "true"),
+				),
+			},
+			{
+				Config: `
+					resource scaleway_lb_ip ip01 {}
+					resource scaleway_lb lb01 {
+						ip_id = scaleway_lb_ip.ip01.id
+						name = "test-lb-acl"
+						type = "lb-s"
+					}
+					resource scaleway_lb_backend bkd01 {
+						lb_id = scaleway_lb.lb01.id
+						forward_protocol = "http"
+						forward_port = 80
+						proxy_protocol = "none"
+					}
+					resource scaleway_lb_frontend frt01 {
+						lb_id = scaleway_lb.lb01.id
+						backend_id = scaleway_lb_backend.bkd01.id
+						name = "tf-test"
+						inbound_port = 80
+						timeout_client = "30s"
+						external_acls = true
+					}
+					resource scaleway_lb_acl acl01 {
+						frontend_id = scaleway_lb_frontend.frt01.id
+						name = "updated-test-acl-basic"
+						description = "updated description"
+						index = 3
+						action {
+							type = "deny"
+						}
+						match {
+							http_filter = "acl_http_filter_none"
+							http_filter_value = []
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					isACLPresent(tt, "scaleway_lb_acl.acl01"),
+					resource.TestCheckResourceAttrPair(
+						"scaleway_lb_acl.acl01", "frontend_id",
+						"scaleway_lb_frontend.frt01", "id"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "name", "updated-test-acl-basic"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "description", "updated description"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "index", "3"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "action.0.type", "deny"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ip_subnet.0", "0.0.0.0/0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter", "acl_http_filter_none"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.http_filter_value.#", "0"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.invert", "false"),
+					resource.TestCheckResourceAttr("scaleway_lb_acl.acl01", "match.0.ips_edge_services", "false"),
 				),
 			},
 			{

internal/services/lb/acls_data_source.go

@@ -82,6 +82,10 @@ func DataSourceACLs() *schema.Resource {
 										Computed: true,
 										Type:     schema.TypeBool,
 									},
+									"ips_edge_services": {
+										Computed: true,
+										Type:     schema.TypeBool,
+									},
 								},
 							},
 						},

internal/services/lb/frontend.go

@@ -189,6 +189,11 @@ func ResourceFrontend() *schema.Resource {
 										Optional:    true,
 										Description: `If set to true, the condition will be of type "unless"`,
 									},
+									"ips_edge_services": {
+										Type:        schema.TypeBool,
+										Optional:    true,
+										Description: `Defines whether Edge Services IPs should be matched`,
+									},
 								},
 							},
 						},
@@ -382,7 +387,7 @@ func resourceLbFrontendUpdateACL(ctx context.Context, d *schema.ResourceData, lb
 	}
 
 	// convert state acl and sanitize them a bit
-	newACL := expandsLBACLs(d.Get("acl"))
+	newACL := expandsLBACLs(d, d.Get("acl"))
 
 	// loop
 	for index, stateACL := range newACL {
@@ -441,12 +446,12 @@ func resourceLbFrontendUpdateACL(ctx context.Context, d *schema.ResourceData, lb
 	return nil
 }
 
-func expandsLBACLs(raw any) []*lbSDK.ACL {
-	d := raw.([]any)
+func expandsLBACLs(d *schema.ResourceData, raw any) []*lbSDK.ACL {
+	r := raw.([]any)
 	newACL := make([]*lbSDK.ACL, 0)
 
-	for _, rawACL := range d {
-		newACL = append(newACL, expandLbACL(rawACL))
+	for index, rawACL := range r {
+		newACL = append(newACL, expandLbACL(d, rawACL, index))
 	}
 
 	return newACL