feat(lb): add private network resource (#3153)

- add tests
- add docs and cassettes
- manage PN attachments externally
- use zone from returned LB response
- add checks

Author: yfodil

docs/resources/lb.md

@@ -109,6 +109,8 @@ The following arguments are supported:
     - `private_network_id` - (Required) The ID of the Private Network to attach to.
     - ~> **Important:** Updates to `private_network` will recreate the attachment.
     - `ipam_ids` - (Optional) IPAM ID of a pre-reserved IP address to assign to the Load Balancer on this Private Network.
+- `external_private_networks` - (Defaults to `false`) A boolean to specify whether to use [lb_private_network](../resources/lb_private_network.md).
+  If `external_private_networks` is set to `true`, `private_network` can not be set directly in the Load Balancer.
 - `ssl_compatibility_level` - (Optional) Enforces minimal SSL version (in SSL/TLS offloading context). Please check [possible values](https://www.scaleway.com/en/developers/api/load-balancer/zoned-api/#path-load-balancer-create-a-load-balancer).
 - `zone` - (Defaults to [provider](../index.md#zone) `zone`) The [zone](../guides/regions_and_zones.md#zones) of the Load Balancer.
 - `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the Project the Load Balancer is associated with.

docs/resources/lb_private_network.md

@@ -0,0 +1,72 @@
+---
+subcategory: "Load Balancers"
+page_title: "Scaleway: scaleway_lb_private_network"
+---
+
+# Resource: scaleway_lb_private_network
+
+Creates and manages Scaleway Load Balancer Private Network attachments.
+
+For more information, see the [main documentation](https://www.scaleway.com/en/docs/load-balancer/how-to/use-with-private-network/).
+
+## Example Usage
+
+### Basic
+
+```terraform
+resource "scaleway_vpc" "vpc01" {
+  name = "my vpc"
+}
+
+resource "scaleway_vpc_private_network" "pn01" {
+  vpc_id = scaleway_vpc.vpc01.id
+  ipv4_subnet {
+    subnet = "172.16.32.0/22"
+  }
+}
+
+resource "scaleway_ipam_ip" "ip01" {
+  address = "172.16.32.7"
+  source {
+    private_network_id = scaleway_vpc_private_network.pn01.id
+  }
+}
+
+resource "scaleway_lb" "lb01" {
+  name = "test-lb-private-network"
+  type = "LB-S"
+}
+
+resource "scaleway_lb_private_network" "lbpn01" {
+  lb_id              = scaleway_lb.lb01.id
+  private_network_id = scaleway_vpc_private_network.pn01.id
+  ipam_ip_ids        = [scaleway_ipam_ip.ip01.id]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `zone` - (Defaults to [provider](../index.md#zone) `zone`) The [zone](../guides/regions_and_zones.md#zones) in which the Private Network should be attached.
+- `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the Project the Private Network attachment is associated with.
+- `lb_id` - (Required) The load-balancer ID to attach the private network to.
+- `private_network_id` - (Required) The private network ID to attach.
+- `ipam_ip_ids` - (Required) The IPAM ID of a pre-reserved IP address to assign to the Load Balancer on this Private Network.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `id` - The ID of the Private Network attachment, which is of the form `{zone}/{lb-id}/{private-network-id}` e.g. `fr-par-1/11111111-1111-1111-1111-111111111111/11111111-1111-1111-1111-111111111111`
+- `status` - The status of the Private Network attachment.
+- `created_at` -  The date and time of the creation of the Private Network attachment (RFC 3339 format).
+- `updated_at` -  The date and time of the last update of the Private Network attachment (RFC 3339 format).
+
+## Import
+
+Private Network attachments can be imported using `{zone}/{lb-id}/{private-network-id}`, e.g.
+
+```bash
+terraform import scaleway_lb_private_network.lbpn01 fr-par-1/11111111-1111-1111-1111-111111111111/11111111-1111-1111-1111-111111111111
+```

internal/services/baremetal/testdata/server-with-ipam-private-network.cassette.yaml

@@ -226,3 +226,12 @@ func customizeDiffAssignFlexibleIPv6(_ context.Context, diff *schema.ResourceDif
 
 	return nil
 }
+
+func ResourceLBPrivateNetworkParseID(resourceID string) (zone scw.Zone, lbID string, pnID string, err error) {
+	idParts := strings.Split(resourceID, "/")
+	if len(idParts) != 3 {
+		return "", "", "", fmt.Errorf("can't parse user resource id: %s", resourceID)
+	}
+
+	return scw.Zone(idParts[0]), idParts[1], idParts[2], nil
+}

internal/services/lb/helpers_lb.go

@@ -107,11 +107,13 @@ func ResourceLb() *schema.Resource {
 				Deprecated:  "The resource ip will be destroyed by it's own resource. Please set this to `false`",
 			},
 			"private_network": {
-				Type:        schema.TypeSet,
-				Optional:    true,
-				MaxItems:    8,
-				Set:         lbPrivateNetworkSetHash,
-				Description: "List of private network to connect with your load balancer",
+				Type:          schema.TypeSet,
+				Optional:      true,
+				Computed:      true,
+				MaxItems:      8,
+				Set:           lbPrivateNetworkSetHash,
+				ConflictsWith: []string{"external_private_networks"},
+				Description:   "List of private network to connect with your load balancer",
 				DiffSuppressFunc: func(k, oldValue, newValue string, _ *schema.ResourceData) bool {
 					// Check if the key is for the 'private_network_id' attribute
 					if strings.HasSuffix(k, "private_network_id") {
@@ -168,6 +170,13 @@ func ResourceLb() *schema.Resource {
 					},
 				},
 			},
+			"external_private_networks": {
+				Type:          schema.TypeBool,
+				Optional:      true,
+				Default:       false,
+				Description:   "This boolean determines if private network attachments should be managed externally through the `scaleway_lb_private_network` resource. When set, `private_network` must not be configured in this resource",
+				ConflictsWith: []string{"private_network"},
+			},
 			"ssl_compatibility_level": {
 				Type:             schema.TypeString,
 				Optional:         true,
@@ -265,22 +274,24 @@ func resourceLbCreate(ctx context.Context, d *schema.ResourceData, m any) diag.D
 		return diag.FromErr(err)
 	}
 
-	// attach private network
-	pnConfigs, pnExist := d.GetOk("private_network")
-	if pnExist {
-		pnConfigs, err := expandPrivateNetworks(pnConfigs)
-		if err != nil {
-			return diag.FromErr(err)
-		}
+	if !d.Get("external_private_networks").(bool) {
+		// attach private network
+		pnConfigs, pnExist := d.GetOk("private_network")
+		if pnExist {
+			pnConfigs, err := expandPrivateNetworks(pnConfigs)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 
-		_, err = attachLBPrivateNetworks(ctx, lbAPI, zone, pnConfigs, lb.ID, d.Timeout(schema.TimeoutCreate))
-		if err != nil {
-			return diag.FromErr(err)
-		}
+			_, err = attachLBPrivateNetworks(ctx, lbAPI, zone, pnConfigs, lb.ID, d.Timeout(schema.TimeoutCreate))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 
-		_, err = waitForLB(ctx, lbAPI, zone, lb.ID, d.Timeout(schema.TimeoutCreate))
-		if err != nil {
-			return diag.FromErr(err)
+			_, err = waitForLB(ctx, lbAPI, zone, lb.ID, d.Timeout(schema.TimeoutCreate))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 	}
 
@@ -352,7 +363,12 @@ func resourceLbRead(ctx context.Context, d *schema.ResourceData, m any) diag.Dia
 		return diag.FromErr(err)
 	}
 
-	_ = d.Set("private_network", flattenPrivateNetworkConfigs(privateNetworks))
+	external := d.Get("external_private_networks").(bool)
+	if !external {
+		_ = d.Set("private_network", flattenPrivateNetworkConfigs(privateNetworks))
+	} else {
+		_ = d.Set("private_network", schema.NewSet(lbPrivateNetworkSetHash, []any{}))
+	}
 
 	privateNetworkIDs := make([]string, 0, len(privateNetworks))
 	for _, pn := range privateNetworks {
@@ -521,7 +537,8 @@ func resourceLbUpdate(ctx context.Context, d *schema.ResourceData, m any) diag.D
 	////
 	// Attach / Detach Private Networks
 	////
-	if d.HasChange("private_network") {
+	external := d.Get("external_private_networks").(bool)
+	if !external && d.HasChange("private_network") {
 		// check current lb stability state
 		_, err = waitForLB(ctx, lbAPI, zone, ID, d.Timeout(schema.TimeoutUpdate))
 		if err != nil {