fix(clb): [123456789] support config iap (#2978)

* clb support config iap * add changelog * update --------- Co-authored-by: mikatong <[email protected]>
tencentcloudstack · Nov 27, 2024 · bfbff72 · bfbff72
1 parent 1c3eaa0
commit bfbff72
Show file tree

Hide file tree

Showing 5 changed files with 163 additions and 1 deletion.
diff --git a/.changelog/2978.txt b/.changelog/2978.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_clb_listener_rule: support param `oauth`
+```
diff --git a/tencentcloud/services/clb/resource_tc_clb_listener_rule.go b/tencentcloud/services/clb/resource_tc_clb_listener_rule.go
@@ -185,6 +185,29 @@ func ResourceTencentCloudClbListenerRule() *schema.Resource {
 				Computed:    true,
 				Description: "Whether to enable QUIC. Note: QUIC can be enabled only for HTTPS domain names.",
 			},
+			"oauth": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Computed:    true,
+				MaxItems:    1,
+				Description: "OAuth configuration information.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"oauth_enable": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Computed:    true,
+							Description: "Enable or disable authentication. True: Enabled; False: Disabled.",
+						},
+						"oauth_failure_status": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Computed:    true,
+							Description: "After all IAPs fail, the request is rejected or released. BYPASS: PASS; REJECT: Reject.",
+						},
+					},
+				},
+			},
 			//computed
 			"rule_id": {
 				Type:        schema.TypeString,
@@ -384,6 +407,41 @@ func resourceTencentCloudClbListenerRuleCreate(d *schema.ResourceData, meta inte
 			return err
 		}
 	}
+
+	if dMap, ok := helper.InterfacesHeadMap(d, "oauth"); ok {
+		modifyRuleRequest := clb.NewModifyRuleRequest()
+		modifyRuleRequest.ListenerId = helper.String(listenerId)
+		modifyRuleRequest.LoadBalancerId = helper.String(clbId)
+		modifyRuleRequest.LocationId = helper.String(locationId)
+		oauth := &clb.OAuth{}
+		if v, ok := dMap["oauth_enable"]; ok {
+			oauth.OAuthEnable = helper.Bool(v.(bool))
+		}
+		if v, ok := dMap["oauth_failure_status"]; ok {
+			oauth.OAuthFailureStatus = helper.String(v.(string))
+		}
+		modifyRuleRequest.OAuth = oauth
+		err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+			response, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseClbClient().ModifyRule(modifyRuleRequest)
+			if e != nil {
+				return tccommon.RetryError(e)
+			} else {
+				log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n",
+					logId, request.GetAction(), request.ToJsonString(), response.ToJsonString())
+				requestId := *response.Response.RequestId
+				retryErr := waitForTaskFinish(requestId, meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseClbClient())
+				if retryErr != nil {
+					return resource.NonRetryableError(errors.WithStack(retryErr))
+				}
+			}
+			return nil
+		})
+		if err != nil {
+			log.Printf("[CRITAL]%s update CLB listener rule failed, reason:%+v", logId, err)
+			return err
+		}
+	}
+
 	return resourceTencentCloudClbListenerRuleRead(d, meta)
 }
 
@@ -493,6 +551,16 @@ func resourceTencentCloudClbListenerRuleRead(d *schema.ResourceData, meta interf
 			_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
 		}
 	}
+	if instance.OAuth != nil {
+		oath := make(map[string]interface{})
+		if instance.OAuth.OAuthEnable != nil {
+			oath["oauth_enable"] = instance.OAuth.OAuthEnable
+		}
+		if instance.OAuth.OAuthFailureStatus != nil {
+			oath["oauth_failure_status"] = instance.OAuth.OAuthFailureStatus
+		}
+		_ = d.Set("oauth", []interface{}{oath})
+	}
 
 	return nil
 }
@@ -547,6 +615,19 @@ func resourceTencentCloudClbListenerRuleUpdate(d *schema.ResourceData, meta inte
 		url = d.Get("url").(string)
 		request.Url = helper.String(url)
 	}
+	if d.HasChange("oauth") {
+		changed = true
+		if dMap, ok := helper.InterfacesHeadMap(d, "oauth"); ok {
+			oauth := &clb.OAuth{}
+			if v, ok := dMap["oauth_enable"]; ok {
+				oauth.OAuthEnable = helper.Bool(v.(bool))
+			}
+			if v, ok := dMap["oauth_failure_status"]; ok {
+				oauth.OAuthFailureStatus = helper.String(v.(string))
+			}
+			request.OAuth = oauth
+		}
+	}
 
 	if d.HasChange("forward_type") {
 		changed = true

diff --git a/tencentcloud/services/clb/resource_tc_clb_listener_rule_test.go b/tencentcloud/services/clb/resource_tc_clb_listener_rule_test.go
@@ -118,6 +118,44 @@ func TestAccTencentCloudClbListenerRuleResource_full(t *testing.T) {
 	})
 }
 
+func TestAccTencentCloudClbListenerRuleResource_oauth(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			tcacctest.AccPreCheck(t)
+			tcacctest.AccStepSetRegion(t, "ap-jakarta")
+		},
+		Providers:    tcacctest.AccProviders,
+		CheckDestroy: testAccCheckClbListenerRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccClbListenerRule_oauth,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckClbListenerRuleExists("tencentcloud_clb_listener_rule.rule_oauth"),
+					resource.TestCheckResourceAttr("tencentcloud_clb_listener_rule.rule_oauth", "oauth.#", "1"),
+					resource.TestCheckResourceAttr("tencentcloud_clb_listener_rule.rule_oauth", "oauth.0.oauth_enable", "true"),
+					resource.TestCheckResourceAttr("tencentcloud_clb_listener_rule.rule_oauth", "oauth.0.oauth_failure_status", "REJECT"),
+				),
+			},
+			{
+				Config: testAccClbListenerRule_oauthUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckClbListenerRuleExists("tencentcloud_clb_listener_rule.rule_oauth"),
+					resource.TestCheckResourceAttr("tencentcloud_clb_listener_rule.rule_oauth", "oauth.#", "1"),
+					resource.TestCheckResourceAttr("tencentcloud_clb_listener_rule.rule_oauth", "oauth.0.oauth_enable", "false"),
+					resource.TestCheckResourceAttr("tencentcloud_clb_listener_rule.rule_oauth", "oauth.0.oauth_failure_status", "BYPASS"),
+				),
+			},
+			{
+				ResourceName:      "tencentcloud_clb_listener_rule.rule_oauth",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckClbListenerRuleDestroy(s *terraform.State) error {
 	logId := tccommon.GetLogId(tccommon.ContextNil)
 	ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
@@ -296,3 +334,37 @@ resource "tencentcloud_clb_listener_rule" "rule_full" {
   certificate_id             = "%s"
 }
 `
+
+const testAccClbListenerRule_oauth = `
+resource "tencentcloud_clb_listener_rule" "rule_oauth" {
+  clb_id              = "lb-az5cm2h7"
+  listener_id         = "lbl-egzxfxgj"
+  domain              = "abc.com"
+  url                 = "/"
+  session_expire_time = 30
+  scheduler           = "WRR"
+  target_type         = "TARGETGROUP"
+  forward_type        = "HTTPS"
+  oauth {
+    oauth_enable = true
+    oauth_failure_status = "REJECT"
+  }
+}
+`
+
+const testAccClbListenerRule_oauthUpdate = `
+resource "tencentcloud_clb_listener_rule" "rule_oauth" {
+  clb_id              = "lb-az5cm2h7"
+  listener_id         = "lbl-egzxfxgj"
+  domain              = "abc.com"
+  url                 = "/"
+  session_expire_time = 30
+  scheduler           = "WRR"
+  target_type         = "TARGETGROUP"
+  forward_type        = "HTTPS"
+  oauth {
+    oauth_enable = false
+    oauth_failure_status = "BYPASS"
+  }
+}
+`
diff --git a/tencentcloud/services/clb/service_tencentcloud_clb.go b/tencentcloud/services/clb/service_tencentcloud_clb.go
@@ -2451,7 +2451,7 @@ func waitTaskReady(ctx context.Context, client *clb.Client, reqeustId string) er
 		} else if status == 1 {
 			return resource.NonRetryableError(fmt.Errorf("Task[%s] failed", reqeustId))
 		} else {
-			return resource.RetryableError(fmt.Errorf("Task[%s] status: %s", reqeustId, status))
+			return resource.RetryableError(fmt.Errorf("Task[%s] status: %d", reqeustId, status))
 		}
 	})
 	if err != nil {

diff --git a/website/docs/r/clb_listener_rule.html.markdown b/website/docs/r/clb_listener_rule.html.markdown
@@ -83,11 +83,17 @@ The following arguments are supported:
 * `health_check_type` - (Optional, String) Type of health check. Valid value is `CUSTOM`, `PING`, `TCP`, `HTTP`, `HTTPS`, `GRPC`, `GRPCS`.
 * `health_check_unhealth_num` - (Optional, Int) Unhealthy threshold of health check, and the default is `3`. If the unhealthy result is returned 3 consecutive times, indicates that the forwarding is abnormal. The value range is [2-10].  NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `http2_switch` - (Optional, Bool) Indicate to apply HTTP2.0 protocol or not.
+* `oauth` - (Optional, List) OAuth configuration information.
 * `quic` - (Optional, Bool) Whether to enable QUIC. Note: QUIC can be enabled only for HTTPS domain names.
 * `scheduler` - (Optional, String) Scheduling method of the CLB listener rules. Valid values: `WRR`, `IP HASH`, `LEAST_CONN`. The default is `WRR`.  NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `session_expire_time` - (Optional, Int) Time of session persistence within the CLB listener. NOTES: Available when scheduler is specified as `WRR`, and not available when listener protocol is `TCP_SSL`.  NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `target_type` - (Optional, String, ForceNew) Backend target type. Valid values: `NODE`, `TARGETGROUP`. `NODE` means to bind ordinary nodes, `TARGETGROUP` means to bind target group.
 
+The `oauth` object supports the following:
+
+* `oauth_enable` - (Optional, Bool) Enable or disable authentication. True: Enabled; False: Disabled.
+* `oauth_failure_status` - (Optional, String) After all IAPs fail, the request is rejected or released. BYPASS: PASS; REJECT: Reject.
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported: