[Feat.] New resource HSS host protection opentelekomcloud_hss_host_protection_v5

docs/resources/hss_host_group_v5.md

@@ -7,6 +7,9 @@ description: |-
   Manages an HSS host group Service resource within OpenTelekomCloud.
 ---
 
+Up-to-date reference of API arguments for HSS host group you can get at
+[documentation portal](https://docs.otc.t-systems.com/host-security-service/api-ref/api_description/server_management/creating_a_server_group.html#addhostsgroup).
+
 # opentelekomcloud_hss_host_group_v5
 
 Manages an HSS host group resource within OpenTelekomCloud.

docs/resources/hss_host_protection_v5.md

@@ -0,0 +1,112 @@
+---
+subcategory: "Host Security Service (HSS)"
+layout: "opentelekomcloud"
+page_title: "OpenTelekomCloud: opentelekomcloud_hss_host_protection_v5"
+sidebar_current: "docs-opentelekomcloud-resource-hss-host-protection-v5"
+description: |-
+  Manages an HSS host protection Service resource within OpenTelekomCloud.
+---
+
+Up-to-date reference of API arguments for HSS host protection you can get at
+[documentation portal](https://docs.otc.t-systems.com/host-security-service/api-ref/api_description/server_management/changing_the_protection_status.html).
+
+# opentelekomcloud_hss_host_protection_v5
+
+Manages an HSS host protection resource within OpenTelekomCloud.
+
+## Example Usage
+
+```hcl
+variable "host_id" {}
+
+resource "opentelekomcloud_hss_host_protection_v5" "pro" {
+  host_id                = var.host_id
+  version                = "hss.version.premium"
+  charging_mode          = "on_demand"
+  is_wait_host_available = true
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+* `host_id` - (Required, String, ForceNew) Specifies the host ID for the host protection.
+  Changing this parameter will create a new resource.
+
+  -> Before using host protection, it is necessary to ensure that the agent status of the host is `online`.
+
+* `version` - (Required, String) Specifies the protection version enabled by the host.
+  The valid values are as follows:
+  + `hss.version.enterprise`: Enterprise version.
+  + `hss.version.premium`: Ultimate version.
+
+* `charging_mode` - (Required, String) Specifies the charging mode for host protection.
+  The valid values are as follows:
+  + `on_demand`: The pay-per-use billing mode.
+
+* `resource_id` - (Optional, String) Specifies Instance ID for host protection.
+
+* `is_wait_host_available` - (Optional, Bool) Specifies whether to wait for the host agent status to become `online`.
+  The value can be `true` or `false`. Defaults to `false`.
+
+  -> If this field is set to `true`, the program will wait for a maximum of `30` minutes until the host's agent status
+  becomes `online`, and then enable host protection.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The resource ID same as `host_id`.
+
+* `host_name` - The host name.
+
+* `host_status` - The host status. The value can be `ACTIVE`, `SHUTOFF`, `BUILDING`, or `ERROR`.
+
+* `private_ip` - The private IP address of the host.
+
+* `agent_id` - The agent ID installed on the host.
+
+* `agent_status` - The agent status of the host. The value can be `installed`, `not_installed`, `online`,
+  `offline`, `install_failed`, or `installing`.
+
+* `os_type` - The operating system type of the host. The value can be `Linux` or `Windows`.
+
+* `status` - The protection status of the host. The value can be `closed` or `opened`.
+
+* `detect_result` - The security detection result of the host. The value can be `undetected`, `clean`, `risk`,
+  or `scanning`.
+
+* `asset_value` - The asset importance. The value can be `important`, `common`, or `test`.
+
+* `region` - The region to which the HSS host protection resource belongs.
+
+
+## Timeouts
+
+This resource provides the following timeouts configuration options:
+
+* `create` - Default is 30 minutes.
+
+## Import
+
+The host protection can be imported using the `id`, e.g.
+
+```bash
+$ terraform import opentelekomcloud_hss_host_protection_v5.pro <id>
+```
+
+Note that the imported state may not be identical to your resource definition, due to some attributes missing from the
+API response, security or some other reason. The missing attributes include: `resource_id`, `is_wait_host_available`.
+It is generally recommended running `terraform plan` after importing a resource.
+You can then decide if changes should be applied to the resource, or the resource definition
+should be updated to align with the resource. Also, you can ignore changes as below.
+
+```hcl
+resource "opentelekomcloud_hss_host_protection_v5" "pro" {
+  lifecycle {
+    ignore_changes = [
+      quota_id, is_wait_host_available,
+    ]
+  }
+}
+```

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20241112162134-960efd8ff98a
 	github.com/unknwon/com v1.0.1
-	golang.org/x/crypto v0.21.0
+	golang.org/x/crypto v0.23.0
 	golang.org/x/sync v0.1.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -61,8 +61,8 @@ require (
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
 	github.com/zclconf/go-cty v1.12.1 // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.3 // indirect

go.sum

@@ -205,8 +205,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -242,16 +242,16 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=

opentelekomcloud/acceptance/hss/resource_opentelekomcloud_hss_host_protection_v5_test.go

@@ -0,0 +1,167 @@
+package hss
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	golangsdk "github.com/opentelekomcloud/gophertelekomcloud"
+	"github.com/opentelekomcloud/gophertelekomcloud/openstack/hss/v5/host"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/acceptance/common"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/acceptance/env"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/cfg"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/services/hss"
+)
+
+func getHostProtectionFunc(conf *cfg.Config, state *terraform.ResourceState) (interface{}, error) {
+	client, err := conf.HssV5Client(env.OS_REGION_NAME)
+	if err != nil {
+		return nil, fmt.Errorf("error creating HSS v5 client: %s", err)
+	}
+	hostList, err := host.ListHost(client, host.ListHostOpts{HostID: state.Primary.ID})
+	if err != nil {
+		return nil, fmt.Errorf("error querying OpenTelekomCloud HSS hosts: %s", err)
+	}
+	if len(hostList) == 0 || hostList[0].ProtectStatus == string(hss.ProtectStatusClosed) {
+		return nil, golangsdk.ErrDefault404{}
+	}
+	return hostList[0], nil
+}
+
+func TestAccHostProtection_basic(t *testing.T) {
+	var (
+		h     *host.HostGroupResp
+		rName = "opentelekomcloud_hss_host_protection_v5.protection"
+		name  = fmt.Sprintf("hss-acc-api%s", acctest.RandString(5))
+	)
+
+	rc := common.InitResourceCheck(
+		rName,
+		&h,
+		getHostProtectionFunc,
+	)
+
+	// Because after closing the protection, the ECS instance will automatically switch to free basic protection,
+	// so avoid CheckDestroy here.
+	// lintignore:AT001
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			common.TestAccPreCheck(t)
+		},
+		ProviderFactories: common.TestAccProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccHostProtection_basic(name),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(rName, "version", "hss.version.premium"),
+					resource.TestCheckResourceAttr(rName, "charging_mode", "on_demand"),
+					resource.TestCheckResourceAttrSet(rName, "host_name"),
+					resource.TestCheckResourceAttrSet(rName, "private_ip"),
+					resource.TestCheckResourceAttrSet(rName, "agent_id"),
+					resource.TestCheckResourceAttrSet(rName, "agent_status"),
+					resource.TestCheckResourceAttrSet(rName, "os_type"),
+					resource.TestCheckResourceAttrSet(rName, "status"),
+					resource.TestCheckResourceAttrSet(rName, "detect_result"),
+					resource.TestCheckResourceAttrSet(rName, "asset_value"),
+				),
+			},
+			{
+				Config: testAccHostProtection_update(name),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(rName, "version", "hss.version.enterprise"),
+					resource.TestCheckResourceAttr(rName, "charging_mode", "on_demand"),
+					resource.TestCheckResourceAttrSet(rName, "host_name"),
+					resource.TestCheckResourceAttrSet(rName, "private_ip"),
+					resource.TestCheckResourceAttrSet(rName, "agent_id"),
+					resource.TestCheckResourceAttrSet(rName, "agent_status"),
+					resource.TestCheckResourceAttrSet(rName, "os_type"),
+					resource.TestCheckResourceAttrSet(rName, "status"),
+					resource.TestCheckResourceAttrSet(rName, "detect_result"),
+					resource.TestCheckResourceAttrSet(rName, "asset_value"),
+				),
+			},
+			{
+				ResourceName:      rName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"quota_id", "is_wait_host_available",
+				},
+			},
+		},
+	})
+}
+
+func testAccHostProtection_base(name string) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "opentelekomcloud_compute_instance_v2" "instance" {
+  name              = "%[2]s"
+  description       = "my_desc"
+  availability_zone = "%[3]s"
+
+  image_name = "Standard_Debian_11_latest"
+  flavor_id  = "s3.large.2"
+
+  metadata = {
+    foo = "bar"
+  }
+  network {
+    uuid = data.opentelekomcloud_vpc_subnet_v1.shared_subnet.network_id
+  }
+
+  tags = {
+    hss = "acc-test"
+  }
+
+  user_data = <<-EOF
+    #!/bin/bash
+    curl -O 'https://hss-agent-podlb.eu-de.otc.t-systems.com:10180/package/agent/linux/x86/hostguard.x86_64.deb'
+    echo 'MASTER_IP=hss-agent-podlb.eu-de.otc.t-systems.com:10180' > hostguard_setup_config.conf
+    echo 'SLAVE_IP=hss-agent-slave.eu-de.otc-tsi.de:10180' >> hostguard_setup_config.conf
+    echo 'ORG_ID=' >> hostguard_setup_config.conf
+    dpkg -i hostguard.x86_64.deb
+    rm -f hostguard_setup_config.conf
+    rm -f hostguard.x86_64.deb
+  EOF
+
+  stop_before_destroy = true
+}
+
+resource "opentelekomcloud_hss_host_group_v5" "group" {
+  name     = "%[2]s"
+  host_ids = [opentelekomcloud_compute_instance_v2.instance.id]
+}
+
+`, common.DataSourceSubnet, name, env.OS_AVAILABILITY_ZONE)
+}
+
+func testAccHostProtection_basic(name string) string {
+	return fmt.Sprintf(`
+%s
+
+resource "opentelekomcloud_hss_host_protection_v5" "protection" {
+  host_id                = opentelekomcloud_compute_instance_v2.instance.id
+  version                = "hss.version.premium"
+  charging_mode          = "on_demand"
+  is_wait_host_available = true
+}
+`, testAccHostProtection_base(name))
+}
+
+func testAccHostProtection_update(name string) string {
+	return fmt.Sprintf(`
+%s
+
+resource "opentelekomcloud_hss_host_protection_v5" "protection" {
+  host_id       = opentelekomcloud_compute_instance_v2.instance.id
+  version       = "hss.version.enterprise"
+  charging_mode = "on_demand"
+}
+`, testAccHostProtection_base(name))
+}

opentelekomcloud/provider.go

@@ -464,6 +464,7 @@ func Provider() *schema.Provider {
 			"opentelekomcloud_fw_rule_v2":                                fw.ResourceFWRuleV2(),
 			"opentelekomcloud_gaussdb_mysql_instance_v3":                 gaussdb.ResourceGaussDBInstanceV3(),
 			"opentelekomcloud_hss_host_group_v5":                         hss.ResourceHostGroup(),
+			"opentelekomcloud_hss_host_protection_v5":                    hss.ResourceHostProtection(),
 			"opentelekomcloud_identity_acl_v3":                           iam.ResourceIdentityAclV3(),
 			"opentelekomcloud_identity_agency_v3":                        iam.ResourceIdentityAgencyV3(),
 			"opentelekomcloud_identity_credential_v3":                    iam.ResourceIdentityCredentialV3(),

opentelekomcloud/services/hss/common.go

@@ -11,3 +11,9 @@ const (
 	ProtectStatusClosed ProtectStatus = "closed"
 	ProtectStatusOpened ProtectStatus = "opened"
 )
+
+const (
+	protectionVersionNull         string = "hss.version.null"
+	hostAgentStatusOnline         string = "online"
+	getProtectionHostNeedRetryMsg string = "The host cannot be found temporarily, please try again later."
+)

opentelekomcloud/services/hss/resource_opentelekomcloud_hss_host_group_v5.go

@@ -51,9 +51,7 @@ func ResourceHostGroup() *schema.Resource {
 			},
 			"region": {
 				Type:     schema.TypeString,
-				Optional: true,
 				Computed: true,
-				ForceNew: true,
 			},
 			"risk_host_num": {
 				Type:     schema.TypeInt,