ovh · amstuta · May 21, 2024 · May 20, 2024
@@ -56,6 +56,11 @@ func resourceIpLoadbalancingTcpFrontend() *schema.Resource {
 				Optional: true,
 				ForceNew: false,
 			},
+			"denied_source": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 			"disabled": {
 				Type:     schema.TypeBool,
 				Default:  false,
@@ -95,6 +100,7 @@ func resourceIpLoadbalancingTcpFrontendCreate(d *schema.ResourceData, meta inter
 	config := meta.(*Config)
 
 	allowedSources, _ := helpers.StringsFromSchema(d, "allowed_source")
+	deniedSources, _ := helpers.StringsFromSchema(d, "denied_source")
 	dedicatedIpFo, _ := helpers.StringsFromSchema(d, "dedicated_ipfo")
 
 	for _, s := range allowedSources {
@@ -103,6 +109,12 @@ func resourceIpLoadbalancingTcpFrontendCreate(d *schema.ResourceData, meta inter
 		}
 	}
 
+	for _, s := range deniedSources {
+		if err := helpers.ValidateIpBlock(s); err != nil {
+			return fmt.Errorf("Error validating `denied_source` value: %s", err)
+		}
+	}
+
 	for _, s := range dedicatedIpFo {
 		if err := helpers.ValidateIpBlock(s); err != nil {
 			return fmt.Errorf("Error validating `dedicated_ipfo` value: %s", err)
@@ -114,6 +126,7 @@ func resourceIpLoadbalancingTcpFrontendCreate(d *schema.ResourceData, meta inter
 		Zone:          d.Get("zone").(string),
 		AllowedSource: allowedSources,
 		DedicatedIpFo: dedicatedIpFo,
+		DeniedSource:  deniedSources,
 		Disabled:      d.Get("disabled").(bool),
 		Ssl:           d.Get("ssl").(bool),
 		DisplayName:   d.Get("display_name").(string),
@@ -151,6 +164,9 @@ func resourceIpLoadbalancingTcpFrontendRead(d *schema.ResourceData, meta interfa
 	allowedSources := make([]string, 0)
 	allowedSources = append(allowedSources, r.AllowedSource...)
 
+	deniedSources := make([]string, 0)
+	deniedSources = append(deniedSources, r.DeniedSource...)
+
 	dedicatedIpFos := make([]string, 0)
 	dedicatedIpFos = append(dedicatedIpFos, r.DedicatedIpFo...)
 
@@ -163,6 +179,7 @@ func resourceIpLoadbalancingTcpFrontendRead(d *schema.ResourceData, meta interfa
 	d.Set("ssl", r.Ssl)
 	d.Set("zone", r.Zone)
 	d.Set("allowed_source", allowedSources)
+	d.Set("denied_source", deniedSources)
 
 	return nil
 }
@@ -173,6 +190,7 @@ func resourceIpLoadbalancingTcpFrontendUpdate(d *schema.ResourceData, meta inter
 	endpoint := fmt.Sprintf("/ipLoadbalancing/%s/tcp/frontend/%s", service, d.Id())
 
 	allowedSources, _ := helpers.StringsFromSchema(d, "allowed_source")
+	deniedSources, _ := helpers.StringsFromSchema(d, "denied_source")
 	dedicatedIpFo, _ := helpers.StringsFromSchema(d, "dedicated_ipfo")
 
 	for _, s := range allowedSources {
@@ -181,6 +199,12 @@ func resourceIpLoadbalancingTcpFrontendUpdate(d *schema.ResourceData, meta inter
 		}
 	}
 
+	for _, s := range deniedSources {
+		if err := helpers.ValidateIpBlock(s); err != nil {
+			return fmt.Errorf("Error validating `denied_source` value: %s", err)
+		}
+	}
+
 	for _, s := range dedicatedIpFo {
 		if err := helpers.ValidateIpBlock(s); err != nil {
 			return fmt.Errorf("Error validating `dedicated_ipfo` value: %s", err)
@@ -192,6 +216,7 @@ func resourceIpLoadbalancingTcpFrontendUpdate(d *schema.ResourceData, meta inter
 		Zone:          d.Get("zone").(string),
 		AllowedSource: allowedSources,
 		DedicatedIpFo: dedicatedIpFo,
+		DeniedSource:  deniedSources,
 		Disabled:      d.Get("disabled").(bool),
 		Ssl:           d.Get("ssl").(bool),
 		DisplayName:   d.Get("display_name").(string),

@@ -86,6 +86,8 @@ func TestAccIpLoadbalancingTcpFrontend_basic(t *testing.T) {
 						"ovh_iploadbalancing_tcp_frontend.testfrontend", "disabled", "true"),
 					resource.TestCheckResourceAttr(
 						"ovh_iploadbalancing_tcp_frontend.testfrontend", "allowed_source.#", "0"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "denied_source.#", "0"),
 				),
 			},
 			{
@@ -101,6 +103,25 @@ func TestAccIpLoadbalancingTcpFrontend_basic(t *testing.T) {
 						"ovh_iploadbalancing_tcp_frontend.testfrontend", "disabled", "false"),
 					resource.TestCheckResourceAttr(
 						"ovh_iploadbalancing_tcp_frontend.testfrontend", "allowed_source.#", "1"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "denied_source.#", "0"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(testAccCheckOvhIpLoadbalancingTcpFrontendConfig_denied_source, iplb, test_prefix),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "display_name", test_prefix),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "ssl", "false"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "port", "22280,22443"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "disabled", "false"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "allowed_source.#", "0"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "denied_source.#", "1"),
 				),
 			},
 			{
@@ -116,6 +137,8 @@ func TestAccIpLoadbalancingTcpFrontend_basic(t *testing.T) {
 						"ovh_iploadbalancing_tcp_frontend.testfrontend", "disabled", "true"),
 					resource.TestCheckResourceAttr(
 						"ovh_iploadbalancing_tcp_frontend.testfrontend", "allowed_source.#", "0"),
+					resource.TestCheckResourceAttr(
+						"ovh_iploadbalancing_tcp_frontend.testfrontend", "denied_source.#", "0"),
 				),
 			},
 		},
@@ -162,6 +185,16 @@ resource "ovh_iploadbalancing_tcp_frontend" "testfrontend" {
 }
 `
 
+const testAccCheckOvhIpLoadbalancingTcpFrontendConfig_denied_source = `
+resource "ovh_iploadbalancing_tcp_frontend" "testfrontend" {
+   service_name   = "%s"
+   display_name   = "%s"
+   zone           = "all"
+   port           = "22280,22443"
+   denied_source  = ["8.8.8.8/32"]
+}
+`
+
 const testAccCheckOvhIpLoadbalancingTcpFrontendConfig_withfarm = `
 data "ovh_iploadbalancing" "iplb" {
   service_name = "%s"

@@ -499,6 +499,7 @@ type IpLoadbalancingTcpFrontend struct {
 	DedicatedIpFo []string `json:"dedicatedIpfo"`
 	DefaultFarmId *int     `json:"defaultFarmId,omitempty"`
 	DefaultSslId  *int     `json:"defaultSslId,omitempty"`
+	DeniedSource  []string `json:"deniedSource"`
 	Disabled      bool     `json:"disabled"`
 	Ssl           bool     `json:"ssl"`
 	DisplayName   string   `json:"displayName"`

@@ -41,6 +41,7 @@ The following arguments are supported:
    and/or 'range'. Each port must be in the [1;49151] range
 * `zone` - (Required) Zone where the frontend will be defined (ie. `gra`, `bhs` also supports `all`)
 * `allowed_source` - Restrict IP Load Balancing access to these ip block. No restriction if null. List of IP blocks.
+* `denied_source` - Deny IP Load Balancing access to these ip block. No restriction if null. You cannot specify both `allowed_source` and `denied_source` at the same time. List of IP blocks.
 * `dedicated_ipfo` - Only attach frontend on these ip. No restriction if null. List of Ip blocks.
 * `default_farm_id` - Default TCP Farm of your frontend
 * `default_ssl_id` - Default ssl served to your customer
@@ -55,6 +56,7 @@ The following attributes are exported:
 * `id` - Id of your frontend
 * `display_name` - See Argument Reference above.
 * `allowed_source` - See Argument Reference above.
+* `denied_source` - See Argument Reference above.
 * `dedicated_ipfo` - See Argument Reference above.
 * `default_farm_id` - See Argument Reference above.
 * `default_ssl_id` - See Argument Reference above.