NSOF-5929 trusted_network: introduce resource and data-source

Author: hod-alpert

docs/data-sources/trusted_network.md

@@ -0,0 +1,76 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "pfptmeta_trusted_network Data Source - terraform-provider-pfptmeta"
+subcategory: "Device Management"
+description: |-
+  The trusted networks feature is a mechanism for auto-disconnecting from Proofpoint NaaS when the device is on a trusted network, such as corporate environment. The moment the device leaves the trusted network, it auto-reconnects to the Proofpoint NaaS.
+    A user can still forcefully connect the device to the Proofpoint NaaS when on a trusted network, by clicking Connect in the Proofpoint Agent UI.
+  Proofpoint Agent tries to detect if a trusted network is available, before re-connecting to a network (re-connect occurs if the device was connected to the Proofpoint NaaS and then switched networks).
+    A trusted network is defined according to one of the following criteria:
+    - DNS resolution of a hostname: When a specific hostname is resolved to an IP address that is within the defined IP range.
+    - External IP address of the device: When the device external IP address is within the specified IP address range.
+---
+
+# pfptmeta_trusted_network (Data Source)
+
+The trusted networks feature is a mechanism for auto-disconnecting from Proofpoint NaaS when the device is on a trusted network, such as corporate environment. The moment the device leaves the trusted network, it auto-reconnects to the Proofpoint NaaS.
+  A user can still forcefully connect the device to the Proofpoint NaaS when on a trusted network, by clicking Connect in the Proofpoint Agent UI.
+
+  Proofpoint Agent tries to detect if a trusted network is available, before re-connecting to a network (re-connect occurs if the device was connected to the Proofpoint NaaS and then switched networks).
+  A trusted network is defined according to one of the following criteria:
+  - DNS resolution of a hostname: When a specific hostname is resolved to an IP address that is within the defined IP range.
+  - External IP address of the device: When the device external IP address is within the specified IP address range.
+
+## Example Usage
+
+```terraform
+data "pfptmeta_trusted_network" "network" {
+  id = "tn-123abc"
+}
+
+output "network" {
+  value = data.pfptmeta_trusted_network.network
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **id** (String) The ID of this resource.
+
+### Read-Only
+
+- **apply_to_entities** (List of String) Entities (users, groups or network elements) to be allowed to use trusted networks.
+- **apply_to_org** (Boolean) Indicates whether this trusted network setting applies to the entire org. Note: This attribute overrides `apply_to_entities`.
+- **criteria** (List of Object) (see [below for nested schema](#nestedatt--criteria))
+- **description** (String)
+- **enabled** (Boolean)
+- **exempt_entities** (List of String) Entities (users, groups or network elements) which are not allowed to use trusted networks.
+- **name** (String)
+
+<a id="nestedatt--criteria"></a>
+### Nested Schema for `criteria`
+
+Read-Only:
+
+- **external_ip_config** (List of Object) (see [below for nested schema](#nestedobjatt--criteria--external_ip_config))
+- **resolved_address_config** (List of Object) (see [below for nested schema](#nestedobjatt--criteria--resolved_address_config))
+- **type** (String)
+
+<a id="nestedobjatt--criteria--external_ip_config"></a>
+### Nested Schema for `criteria.external_ip_config`
+
+Read-Only:
+
+- **addresses_ranges** (List of String)
+
+
+<a id="nestedobjatt--criteria--resolved_address_config"></a>
+### Nested Schema for `criteria.resolved_address_config`
+
+Read-Only:
+
+- **addresses_ranges** (List of String)
+- **hostname** (String)

docs/resources/trusted_network.md

@@ -0,0 +1,91 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "pfptmeta_trusted_network Resource - terraform-provider-pfptmeta"
+subcategory: "Device Management"
+description: |-
+  The trusted networks feature is a mechanism for auto-disconnecting from Proofpoint NaaS when the device is on a trusted network, such as corporate environment. The moment the device leaves the trusted network, it auto-reconnects to the Proofpoint NaaS.
+    A user can still forcefully connect the device to the Proofpoint NaaS when on a trusted network, by clicking Connect in the Proofpoint Agent UI.
+  Proofpoint Agent tries to detect if a trusted network is available, before re-connecting to a network (re-connect occurs if the device was connected to the Proofpoint NaaS and then switched networks).
+    A trusted network is defined according to one of the following criteria:
+    - DNS resolution of a hostname: When a specific hostname is resolved to an IP address that is within the defined IP range.
+    - External IP address of the device: When the device external IP address is within the specified IP address range.
+---
+
+# pfptmeta_trusted_network (Resource)
+
+The trusted networks feature is a mechanism for auto-disconnecting from Proofpoint NaaS when the device is on a trusted network, such as corporate environment. The moment the device leaves the trusted network, it auto-reconnects to the Proofpoint NaaS.
+  A user can still forcefully connect the device to the Proofpoint NaaS when on a trusted network, by clicking Connect in the Proofpoint Agent UI.
+
+  Proofpoint Agent tries to detect if a trusted network is available, before re-connecting to a network (re-connect occurs if the device was connected to the Proofpoint NaaS and then switched networks).
+  A trusted network is defined according to one of the following criteria:
+  - DNS resolution of a hostname: When a specific hostname is resolved to an IP address that is within the defined IP range.
+  - External IP address of the device: When the device external IP address is within the specified IP address range.
+
+## Example Usage
+
+```terraform
+resource "pfptmeta_trusted_network" "network" {
+  name         = "trusted network name"
+  description  = "trusted network description"
+  apply_to_org = true
+  criteria {
+    external_ip_config {
+      addresses_ranges = ["192.1.0.0/16"]
+    }
+  }
+  criteria {
+    resolved_address_config {
+      addresses_ranges = ["192.1.0.0/16"]
+      hostname         = "office.address.com"
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **criteria** (Block List, Min: 1) (see [below for nested schema](#nestedblock--criteria))
+- **name** (String)
+
+### Optional
+
+- **apply_to_entities** (List of String) Entities (users, groups or network elements) to be allowed to use trusted networks.
+- **apply_to_org** (Boolean) Indicates whether this trusted network setting applies to the entire org. Note: This attribute overrides `apply_to_entities`.
+- **description** (String)
+- **enabled** (Boolean)
+- **exempt_entities** (List of String) Entities (users, groups or network elements) which are not allowed to use trusted networks.
+
+### Read-Only
+
+- **id** (String) The ID of this resource.
+
+<a id="nestedblock--criteria"></a>
+### Nested Schema for `criteria`
+
+Optional:
+
+- **external_ip_config** (Block List, Max: 1) Specified IP address range to compare with the device's external IP for the network to be trusted. (see [below for nested schema](#nestedblock--criteria--external_ip_config))
+- **resolved_address_config** (Block List, Max: 1) A hostname and specified IP address range in which the hostname must be resolved for the network to be trusted. (see [below for nested schema](#nestedblock--criteria--resolved_address_config))
+
+Read-Only:
+
+- **type** (String)
+
+<a id="nestedblock--criteria--external_ip_config"></a>
+### Nested Schema for `criteria.external_ip_config`
+
+Required:
+
+- **addresses_ranges** (List of String)
+
+
+<a id="nestedblock--criteria--resolved_address_config"></a>
+### Nested Schema for `criteria.resolved_address_config`
+
+Required:
+
+- **addresses_ranges** (List of String)
+- **hostname** (String)

examples/data-sources/pfptmeta_trusted_network/data-source.tf

@@ -0,0 +1,7 @@
+data "pfptmeta_trusted_network" "network" {
+  id = "tn-123abc"
+}
+
+output "network" {
+  value = data.pfptmeta_trusted_network.network
+}

examples/resources/pfptmeta_trusted_network/resource.tf

@@ -0,0 +1,16 @@
+resource "pfptmeta_trusted_network" "network" {
+  name         = "trusted network name"
+  description  = "trusted network description"
+  apply_to_org = true
+  criteria {
+    external_ip_config {
+      addresses_ranges = ["192.1.0.0/16"]
+    }
+  }
+  criteria {
+    resolved_address_config {
+      addresses_ranges = ["192.1.0.0/16"]
+      hostname         = "office.address.com"
+    }
+  }
+}

internal/client/trusted_network.go

@@ -0,0 +1,156 @@
+package client
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"io/ioutil"
+	"net/http"
+)
+
+const trustedNetworkEndpoint = "v1/trusted_networks"
+
+type ExternalIpConfig struct {
+	AddressesRanges []string `json:"addresses_ranges"`
+}
+
+func newExternalIPConfig(input interface{}) *ExternalIpConfig {
+	newExternalIpConfig := &ExternalIpConfig{}
+	inputList := input.([]interface{})
+	if len(inputList) == 0 {
+		return nil
+	}
+	externalIpConfig := inputList[0].(map[string]interface{})
+	addressesRanges := externalIpConfig["addresses_ranges"].([]interface{})
+	newExternalIpConfig.AddressesRanges = make([]string, len(addressesRanges))
+	for j, address := range addressesRanges {
+		newExternalIpConfig.AddressesRanges[j] = address.(string)
+	}
+	return newExternalIpConfig
+}
+
+type ResolvedAddressConfig struct {
+	AddressesRanges []string `json:"addresses_ranges"`
+	Hostname        string   `json:"hostname"`
+}
+
+func newResolvedAddressConfig(input interface{}) *ResolvedAddressConfig {
+	newResolvedAddressConfig := &ResolvedAddressConfig{}
+	inputList := input.([]interface{})
+	if len(inputList) == 0 {
+		return nil
+	}
+	resolvedAddressConfig := inputList[0].(map[string]interface{})
+	addressesRanges := resolvedAddressConfig["addresses_ranges"].([]interface{})
+	newResolvedAddressConfig.AddressesRanges = make([]string, len(addressesRanges))
+	for j, address := range addressesRanges {
+		newResolvedAddressConfig.AddressesRanges[j] = address.(string)
+	}
+	newResolvedAddressConfig.Hostname = resolvedAddressConfig["hostname"].(string)
+	return newResolvedAddressConfig
+}
+
+type Criteria struct {
+	ExternalIpConfig      *ExternalIpConfig      `json:"external_ip_config,omitempty"`
+	ResolvedAddressConfig *ResolvedAddressConfig `json:"resolved_address_config,omitempty"`
+	Type                  string                 `json:"type,omitempty"`
+}
+
+func newCriteria(d *schema.ResourceData) []Criteria {
+	c := d.Get("criteria").([]interface{})
+	res := make([]Criteria, len(c))
+	for i, criteria := range c {
+		newCriteria := Criteria{}
+		criteria := criteria.(map[string]interface{})
+		if externalIpConfig, ok := criteria["external_ip_config"]; ok {
+			newCriteria.ExternalIpConfig = newExternalIPConfig(externalIpConfig)
+		}
+		if resolvedAddressConfig, ok := criteria["resolved_address_config"]; ok {
+			newCriteria.ResolvedAddressConfig = newResolvedAddressConfig(resolvedAddressConfig)
+		}
+		res[i] = newCriteria
+	}
+	return res
+}
+
+type TrustedNetwork struct {
+	ID              string     `json:"id,omitempty"`
+	Name            string     `json:"name,omitempty"`
+	Description     string     `json:"description"`
+	Enabled         bool       `json:"enabled"`
+	ApplyToOrg      bool       `json:"apply_to_org"`
+	ApplyToEntities []string   `json:"apply_to_entities"`
+	ExemptEntities  []string   `json:"exempt_entities"`
+	Criteria        []Criteria `json:"criteria"`
+}
+
+func NewTrustedNetwork(d *schema.ResourceData) *TrustedNetwork {
+	res := &TrustedNetwork{}
+	if d.HasChange("name") {
+		res.Name = d.Get("name").(string)
+	}
+	res.Description = d.Get("description").(string)
+	res.Enabled = d.Get("enabled").(bool)
+	res.ApplyToOrg = d.Get("apply_to_org").(bool)
+	res.ApplyToEntities = ConfigToStringSlice("apply_to_entities", d)
+	res.ExemptEntities = ConfigToStringSlice("exempt_entities", d)
+	res.Criteria = newCriteria(d)
+	return res
+}
+
+func parseTrustedNetwork(resp *http.Response) (*TrustedNetwork, error) {
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	e := &TrustedNetwork{}
+	err = json.Unmarshal(body, e)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse trusted network response: %v", err)
+	}
+	return e, nil
+}
+
+func CreateTrustedNetwork(ctx context.Context, c *Client, e *TrustedNetwork) (*TrustedNetwork, error) {
+	url := fmt.Sprintf("%s/%s", c.BaseURL, trustedNetworkEndpoint)
+	body, err := json.Marshal(e)
+	if err != nil {
+		return nil, fmt.Errorf("could not convert trusted network to json: %v", err)
+	}
+	resp, err := c.Post(ctx, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	return parseTrustedNetwork(resp)
+}
+
+func GetTrustedNetwork(ctx context.Context, c *Client, eID string) (*TrustedNetwork, error) {
+	url := fmt.Sprintf("%s/%s/%s", c.BaseURL, trustedNetworkEndpoint, eID)
+	resp, err := c.Get(ctx, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	return parseTrustedNetwork(resp)
+}
+
+func UpdateTrustedNetwork(ctx context.Context, c *Client, eID string, e *TrustedNetwork) (*TrustedNetwork, error) {
+	url := fmt.Sprintf("%s/%s/%s", c.BaseURL, trustedNetworkEndpoint, eID)
+	body, err := json.Marshal(e)
+	if err != nil {
+		return nil, fmt.Errorf("could not convert trusted network to json: %v", err)
+	}
+	resp, err := c.Patch(ctx, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	return parseTrustedNetwork(resp)
+}
+
+func DeleteTrustedNetwork(ctx context.Context, c *Client, mID string) (*TrustedNetwork, error) {
+	url := fmt.Sprintf("%s/%s/%s", c.BaseURL, trustedNetworkEndpoint, mID)
+	resp, err := c.Delete(ctx, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	return parseTrustedNetwork(resp)
+}