[CC-4083] IP Allowlist Feature for Consul Cluster

[Achooo]

🛠️ Description

• Adding a new field ip_allowlist to the hcp_consul_cluster resource to support IP Allowlisting - a Block List (list of objects).
• Validation Rules:
  • No duplicate CIDR allowed
  • Maximum of 3 IP Allowlist entries allowed
  • Max length of 255 characters for the description field

🏗️ Acceptance tests

• Are there any feature flags that are required to use this functionality?
• Have you added an acceptance test for the functionality being added?
• Have you run the acceptance tests on this branch?

Output from acceptance testing:

~/Github/HashiCorp/terraform-provider-hcp CC-4083/ip-allowlist* ⇡ 16m 2s
❯ make testacc TESTARGS='-run=TestAccConsulCluster'
==> Checking that code complies with gofmt requirements...
golangci-lint run --config ./golangci-config.yml 
TF_ACC=1 go test ./internal/... -v -run=TestAccConsulCluster -timeout 210m
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-hcp/internal/clients    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-hcp/internal/consul     (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-hcp/internal/input      (cached) [no tests to run]
=== RUN   TestAccConsulCluster
--- PASS: TestAccConsulCluster (1421.46s)
PASS
ok      github.com/hashicorp/terraform-provider-hcp/internal/provider   1421.972s
...

End to End Tests (int)

Resource CREATE

1. Generate the provider locally with make dev in root of repo
2. Make a test folder test/
3. In test folder, create a main.tf with following :

locals {
  hvn_region = "us-west-2"
  cluster_id = "consul-tf-cluster"
  hvn_id     = "consul-tf-hvn"
}

terraform {
  required_providers {
    hcp = {
      source  = "localhost/providers/hcp"
      version = "0.0.1"
    }
  }
}

resource "hcp_hvn" "main" {
  hvn_id         = local.hvn_id
  cloud_provider = "aws"
  region         = local.hvn_region
  cidr_block     = "172.25.32.0/20"
}

resource "hcp_consul_cluster" "main" {
  cluster_id      = local.cluster_id
  hvn_id          = hcp_hvn.main.hvn_id
  public_endpoint = true
  tier            = "development"

  ip_allowlist {
    address     = "192.163.1.0/24"
    description = "this is an IPV4 address"
  }
}

4. Run terraform init
5. Run terraform apply
6. Results: tf apply logs

Datasource (READ ONLY)

1. Modify main.tf with the following:

data hcp_consul_cluster "test" {
    cluster_id = local.cluster_id
}

output "verify_allowlist_output" {
    description = "output of the ALLOWLIST"
    value = data.hcp_consul_cluster.test.ip_allowlist
}

2. run terraform apply
3. Results:

Resource UPDATE

1. Modify the hcp_consul_cluster resource:

resource "hcp_consul_cluster" "main" {
  cluster_id      = local.cluster_id
  hvn_id          = hcp_hvn.main.hvn_id
  public_endpoint = true
  tier            = "development"

  ip_allowlist {
    address     = "160.20.10.0/24"
    description = " modified!"
  }
}

2. Run terraform apply
3. Results: tf update logs

The data source output we added in the step before now shows the updated `ip_allowlist`

Validation

No more than 3 CIDRs

Description Length

Invalid CIDR

[Achooo]

Updating the go SDK (hashicorp/hcp-sdk-go#164) added this field. Had to fix this test

[Achooo]

Created this helper function that creates the hcp_consul_cluster for the tests cases.

[Achooo]

I'm happy to move all these tests in their own TestAccConsulCluster_IPAllowlist function, but this is likely going to increase CI time as resources need to be created for the tests to run. If we prefer clarity, that makes sense. I was reading this contributing guide and it seemed to prefer minimal resource creation.

[Achooo]

These could be added into the buildAllowlist validations to remove the code in this file.

However, these validations are pretty neat for terraform plan

In contrast, the duplicates will only be checked when the actual apply runs:

[bcmdarroch]

I think the more ideal user experience would be to check for duplicates at the plan stage as well. Unless that's something only the backend can validate?

[Achooo]

See this comment for discussion on this. I can't add a validateFunc for the schema type (schema.TypeList not supported) to check for duplicates on all items

[Achooo]

Let me know if you prefer another existing pattern to verify on plan, as I'm new to this repo!

[Achooo]

For any updates:

• Detect changes in ip_allowlist
• if changes, buildIPAllowlist() to validate there are no duplicates. This will return an empty list if there are no ip_allowlist entries, and otherwise a list with consul model objects that the API
• Send update request

[Achooo]

For creates:

• Get ip_allowlistvalue
  -buildIPAllowlist() to validate there are no duplicates in the entries. This will also return an empty list if there are no ip_allowlist entries, and otherwise a list with consul model objects that the API expects.
• Send create request

[Achooo]

Updates seem to be failing with the following errors from the consul service backend.

 Error: error updating Consul cluster (test-202302101209): [PATCH /consul/2021-02-04/organizations/{cluster.location.organization_id}/projects/{cluster.location.project_id}/clusters/{cluster.id}][400] Update default  &{Code:3 Details:[] Error:only the following fields can be updated at this time: [consul_version config.capacity_config.size] Message:only the following fields can be updated at this time: [consul_version config.capacity_config.size]}

I think the ip_allowlist field needs to be allowed for updates.

Edit: backend fix in the works, this client code remains 👍🏽

Ready to review, but I will update the test output and screenshots once fixed on the backend side.

[Achooo]

Validation (validators.go) occurs first , so this should be valid (no error). I omitted handling it, but happy to do it if this feels like bad practice.

[Achooo]

Use a hashmap to validate duplicates. See the following comment on why I went with this approach:

https://github.com/hashicorp/terraform-provider-hcp/pull/455/files#r1102997970

Alternatives discussed in that comment:

• use schema.TypeSet for the ip_allowlist field
• don't do validation ( backend does it)

[loshz]

this function is only used to check for duplicates, right?

[Achooo]

Removed duplicate logic now, but it also converts the ip_allowlist from a terraform list (type []interface{}) to a model that can be used by the consul client.

Used across a few operations so it's nice to have it

[Achooo]

This part in func setConsulClusterResourceData(...) is used for the read operation. See this line - nothing else is needed for read.

It's also used in to read the created/updated cluster once the API request is completed.

CC @loshz

[JolisaBrownHashiCorp]

Could it be worthwhile to include an IPV6 address in the test case objects? Or do we currently only support IPV4 addresses?

[Achooo]

Sure I can do that, I believe they are allowed. I checked the original RFC for this feature, but it's not explicit. Maybe @loshz can confirm?

[Achooo]

Hmm looks like creation fails with IPV6...

[Achooo]

@JolisaBrownHashiCorp We've confirmed that IPV6 is disallowed. I've added a validation to inform the user if they try to use one in this commit: 75ddd6a

[JolisaBrownHashiCorp]

Awesome. @Achooo Thanks for following up! May I ask what your slack handle is? I'm getting a deletion error when attempting to run the test suite and would like to inbox you the logs to discuss.

[Achooo]

Sure thing, it's @ashvitha, I've sent you a DM :)

[Achooo]

I had to change to a STANDARD. This update test was failing with the following error:

 Error: error updating Consul cluster (test-202302131304): [PATCH /consul/2021-02-04/organizations/{cluster.location.organization_id}/projects/{cluster.location.project_id}/clusters/{cluster.id}][400] Update default  &{Code:3 Details:[] Error:Development tier clusters only have one size and cannot be changed. Message:Development tier clusters only have one size and cannot be changed.}

Development clusters cannot change sizes

[loshz]

Looking great! Have left a few minor comments/nits.

Planning to test this locally asap and report back.

[loshz]

Do we need the nil NetworkConfig check here too?

[loshz]

Very minor nit:

Suggested change

	IPAllowList := make([]*consulmodels.HashicorpCloudConsul20210204CidrRange, len(cidrs))
	ipAllowList := make([]*consulmodels.HashicorpCloudConsul20210204CidrRange, len(cidrs))

[loshz]

All of the E2E tests work for me on remote-dev. I was able to successfully create and update a cluster with an IP Allowlist, as well as load an existing cluster as a data source.

[loshz]

Solid work, Ash! 👍