Merge pull request #516 from F5Networks/devel_23062021

updated as3 resource to fix tenant_filter issue
F5Networks · Jun 22, 2021 · 263a63f · 263a63f
2 parents a8f8916 + c4e72d6
commit 263a63f
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 3 deletions.
diff --git a/bigip/resource_bigip_as3.go b/bigip/resource_bigip_as3.go
@@ -169,6 +169,10 @@ func resourceBigipAs3Create(d *schema.ResourceData, meta interface{}) error {
 	tenantList, _, applicationList := client.GetTenantList(as3Json)
 	tenantCount := strings.Split(tenantList, ",")
 	if tenantFilter != "" {
+		log.Printf("[DEBUG] tenantFilter:%+v", tenantFilter)
+		if !contains(tenantCount, tenantFilter) {
+			return fmt.Errorf("tenant_filter: (%s) not exist in as3_json provided ", tenantFilter)
+		}
 		tenantList = tenantFilter
 	}
 	_ = d.Set("tenant_list", tenantList)
@@ -253,7 +257,11 @@ func resourceBigipAs3Exists(d *schema.ResourceData, meta interface{}) (bool, err
 	applicationList := d.Get("application_list").(string)
 	tenantFilter := d.Get("tenant_filter").(string)
 	if tenantFilter != "" {
-		name = tenantFilter
+		if !contains(strings.Split(name, ","), tenantFilter) {
+			log.Printf("[WARNING]tenant_filter: (%s) not exist in as3_json provided ", tenantFilter)
+		} else {
+			name = tenantFilter
+		}
 	}
 	as3Resp, err := client.GetAs3(name, applicationList)
 	if err != nil {
@@ -299,7 +307,11 @@ func resourceBigipAs3Update(d *schema.ResourceData, meta interface{}) error {
 			}
 		}
 	} else {
-		tenantList = tenantFilter
+		if !contains(strings.Split(tenantList, ","), tenantFilter) {
+			log.Printf("[WARNING]tenant_filter: (%s) not exist in as3_json provided ", tenantFilter)
+		} else {
+			tenantList = tenantFilter
+		}
 	}
 	strTrimSpace, err := client.AddTeemAgent(as3Json)
 	if err != nil {
@@ -343,3 +355,12 @@ func resourceBigipAs3Delete(d *schema.ResourceData, meta interface{}) error {
 	d.SetId("")
 	return nil
 }
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if v == str {
+			return true
+		}
+	}
+	return false
+}
diff --git a/bigip/version.go b/bigip/version.go
@@ -1,4 +1,4 @@
 package bigip
 
 // ProviderVersion is set at build-time in the release process
-var ProviderVersion = "1.9.0"
+var ProviderVersion = "1.10.0"
diff --git a/website/docs/r/bigip_ltm_profile_client_ssl.html.markdown b/website/docs/r/bigip_ltm_profile_client_ssl.html.markdown
@@ -70,3 +70,11 @@ There can be only one SSL profile with this setting enabled.
 * `ssl_forward_proxy` - (Optional) Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
 
 * `ssl_forward_proxy_bypass` - (Optional) Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
+
+* `ssl_c3d` (Optional) Enables or disables SSL client certificate constrained delegation. The default option is disabled. Conversely, you can specify enabled to use the SSL client certificate constrained delegation.
+
+* `c3d_client_fallback_cert` (Optional) Specifies the client certificate to use in SSL client certificate constrained delegation. This certificate will be used if client does not provide a cert during the SSL handshake. The default value is none.
+
+* `c3d_drop_unknown_ocsp_status` (Optional) Specifies the BIG-IP action when the OCSP responder returns unknown status. The default value is drop, which causes the onnection to be dropped. Conversely, you can specify ignore, which causes the connection to ignore the unknown status and continue.
+
+* `c3d_ocsp` (Optional) Specifies the SSL client certificate constrained delegation OCSP object that the BIG-IP SSL should use to connect to the OCSP responder and check the client certificate status.
diff --git a/website/docs/r/bigip_ltm_profile_server_ssl.html.markdown b/website/docs/r/bigip_ltm_profile_server_ssl.html.markdown
@@ -69,3 +69,37 @@ There can be only one SSL profile with this setting enabled.
 * `ssl_forward_proxy` - (Optional) Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
 
 * `ssl_forward_proxy_bypass` - (Optional) Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled. 
+
+* `ssl_c3d` (Optional) Enables or disables SSL forward proxy bypass on receiving
+ handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
+
+* `c3d_ca_cert` (Optional) Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
+
+* `c3d_ca_key` (Optional) Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
+
+* `c3d-ca-passphrase` (Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.
+
+* `c3d-cert-extension-custom-oids` (Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
+
+* `c3d_cert_extension_includes` (Optional) Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
+
+	    basic-constraints
+		  Basic constraints are used to indicate whether the certificate belongs
+      to a CA.
+
+	    extended-key-usage
+		  Extended Key Usage is used, typically on a leaf certificate, to 
+      indicate the purpose of the public key contained in the certificate.
+
+	    key-usage
+		  Key Usage provides a bitmap specifying the cryptographic operations 
+      which may be performed using the public key contained in the 
+      certificate; for example, it could indicate that the key should be 
+      used for signature but not for encipherment.
+
+	    subject-alternative-name
+		  Subject Alternative Name allows identities to be bound to the subject
+      of the certificate. These identities may be included in addition to 
+      or in place of the identity in the subject field of the certificate.
+
+* `c3d-cert-lifespan` Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.