feat(CIS): Origin Post Quantum Encryption and Max HTTP Version (IBM-C…

…loud#5504)

* feat(CIS): Origin Post Quantum Encryption and Max HTTP Version

* add documentation

* fix dependencies

* update docs

* fix description

* incorporate review comments

* change description

go.mod

@@ -25,8 +25,8 @@ require (
 	github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta
 	github.com/IBM/keyprotect-go-client v0.14.0
 	github.com/IBM/logs-go-sdk v0.3.0
+	github.com/IBM/networking-go-sdk v0.49.0
 	github.com/IBM/logs-router-go-sdk v1.0.3
-	github.com/IBM/networking-go-sdk v0.48.0
 	github.com/IBM/platform-services-go-sdk v0.65.0
 	github.com/IBM/project-go-sdk v0.3.5
 	github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5

go.sum

@@ -172,8 +172,8 @@ github.com/IBM/logs-router-go-sdk v1.0.3 h1:VO64OpANNouxS/0kvUeBpENKWxYx3TYnoNzW
 github.com/IBM/logs-router-go-sdk v1.0.3/go.mod h1:tCN2vFgu5xG0ob9iJcxi5M4bJ6mWmu3nhmRPnvlwev0=
 github.com/IBM/mqcloud-go-sdk v0.1.0 h1:fWt4uisg5GbbsfNmAxx5/6c5gQIPM+VrEsTtnimELeA=
 github.com/IBM/mqcloud-go-sdk v0.1.0/go.mod h1:LesMQlKHXvdks4jqQLZH7HfATY5lvTzHuwQU5+y7b2g=
-github.com/IBM/networking-go-sdk v0.48.0 h1:CyClGO1FhugemuCRiJvXo03Nup6JbReu7MK4vH6ITZw=
-github.com/IBM/networking-go-sdk v0.48.0/go.mod h1:G9CKbmPE8gSLjN+ABh4hIZ1bMx076enl5Eekvj6zQnA=
+github.com/IBM/networking-go-sdk v0.49.0 h1:lPS34u3C0JVrbxH+Ulua76Nwl6Frv8BEfq6LRkyvOv0=
+github.com/IBM/networking-go-sdk v0.49.0/go.mod h1:G9CKbmPE8gSLjN+ABh4hIZ1bMx076enl5Eekvj6zQnA=
 github.com/IBM/platform-services-go-sdk v0.65.0 h1:SAk/Rsn2BLRmeU3z6YJm54TK23/9QJaOPjrjYNGBiPU=
 github.com/IBM/platform-services-go-sdk v0.65.0/go.mod h1:6rYd3stLSnotYmZlxclw45EJPaQuLmh5f7c+Mg7rOg4=
 github.com/IBM/project-go-sdk v0.3.5 h1:L+YClFUa14foS0B/hOOY9n7sIdsT5/XQicnXOyJSpyM=

ibm/service/cis/resource_ibm_cis_domain_settings.go

@@ -59,6 +59,8 @@ const (
 	cisDomainSettingsMobileRedirectStripURI          = "strip_uri"
 	cisDomainSettingsMaxUpload                       = "max_upload"
 	cisDomainSettingsCipher                          = "cipher"
+	cisDomainSettingsOriginMaxHTTPVersion            = "origin_max_http_version"
+	cisDomainSettingsOriginPostQuantumEncryption     = "origin_post_quantum_encryption"
 	// cisDomainSettingsONOFFValidatorID                = "on_off"
 	// cisDomainSettingsActiveDisableValidatorID        = "active_disable"
 	cisDomainSettingsSSLSettingValidatorID      = "ssl_setting"
@@ -349,6 +351,24 @@ func ResourceIBMCISSettings() *schema.Resource {
 						cisDomainSettingsCipherValidatorID),
 				},
 			},
+			cisDomainSettingsOriginMaxHTTPVersion: {
+				Type:        schema.TypeString,
+				Description: "Max HTTP version used to connect to the origin",
+				Optional:    true,
+				Computed:    true,
+				ValidateFunc: validate.InvokeValidator(
+					ibmCISDomainSettings,
+					cisDomainSettingsOriginMaxHTTPVersion),
+			},
+			cisDomainSettingsOriginPostQuantumEncryption: {
+				Type:        schema.TypeString,
+				Description: "Enables post-quantum cryptography to connect to the origin",
+				Optional:    true,
+				Computed:    true,
+				ValidateFunc: validate.InvokeValidator(
+					ibmCISDomainSettings,
+					cisDomainSettingsOriginPostQuantumEncryption),
+			},
 			cisDomainSettingsMinify: {
 				Type:        schema.TypeList,
 				Description: "Minify setting",
@@ -474,6 +494,7 @@ func ResourceIBMCISDomainSettingValidator() *validate.ResourceValidator {
 	challengeTTL := "300, 900, 1800, 2700, 3600, 7200, 10800, 14400, 28800, 57600, 86400, 604800, 2592000, 31536000"
 	maxUpload := "100, 125, 150, 175, 200, 225, 250, 275, 300, 325, 350, 375, 400, 425, 450, 475, 500"
 	cipher := "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, DES-CBC3-SHA, AEAD-AES128-GCM-SHA256, AEAD-AES256-GCM-SHA384, AEAD-CHACHA20-POLY1305-SHA256"
+	quantumEncryption := "off, preferred, supported"
 
 	validateSchema := make([]validate.ValidateSchema, 0)
 	validateSchema = append(validateSchema,
@@ -727,6 +748,20 @@ func ResourceIBMCISDomainSettingValidator() *validate.ResourceValidator {
 			Type:                       validate.TypeString,
 			Required:                   true,
 			AllowedValues:              cipher})
+	validateSchema = append(validateSchema,
+		validate.ValidateSchema{
+			Identifier:                 cisDomainSettingsOriginMaxHTTPVersion,
+			ValidateFunctionIdentifier: validate.ValidateAllowedStringValue,
+			Type:                       validate.TypeString,
+			Required:                   true,
+			AllowedValues:              "1,2"})
+	validateSchema = append(validateSchema,
+		validate.ValidateSchema{
+			Identifier:                 cisDomainSettingsOriginPostQuantumEncryption,
+			ValidateFunctionIdentifier: validate.ValidateAllowedStringValue,
+			Type:                       validate.TypeString,
+			Required:                   true,
+			AllowedValues:              quantumEncryption})
 	ibmCISDomainSettingResourceValidator := validate.ResourceValidator{
 		ResourceName: ibmCISDomainSettings,
 		Schema:       validateSchema}
@@ -765,6 +800,8 @@ var settingsList = []string{
 	cisDomainSettingsMobileRedirect,
 	cisDomainSettingsMaxUpload,
 	cisDomainSettingsCipher,
+	cisDomainSettingsOriginMaxHTTPVersion,
+	cisDomainSettingsOriginPostQuantumEncryption,
 }
 
 func resourceCISSettingsUpdate(d *schema.ResourceData, meta interface{}) error {
@@ -1015,6 +1052,22 @@ func resourceCISSettingsUpdate(d *schema.ResourceData, meta interface{}) error {
 					_, resp, err = cisClient.UpdateCiphers(opt)
 				}
 			}
+		case cisDomainSettingsOriginMaxHTTPVersion:
+			if d.HasChange(item) {
+				if v, ok := d.GetOk(item); ok {
+					opt := cisClient.NewUpdateOriginMaxHttpVersionOptions()
+					opt.SetValue(v.(string))
+					_, resp, err = cisClient.UpdateOriginMaxHttpVersion(opt)
+				}
+			}
+		case cisDomainSettingsOriginPostQuantumEncryption:
+			if d.HasChange(item) {
+				if v, ok := d.GetOk(item); ok {
+					opt := cisClient.NewUpdateOriginPostQuantumEncryptionOptions()
+					opt.SetValue(v.(string))
+					_, resp, err = cisClient.UpdateOriginPostQuantumEncryption(opt)
+				}
+			}
 		case cisDomainSettingsMinify:
 			if d.HasChange(item) {
 				if v, ok := d.GetOk(item); ok {
@@ -1360,6 +1413,23 @@ func resourceCISSettingsRead(d *schema.ResourceData, meta interface{}) error {
 			settingResponse = resp
 			settingErr = err
 
+		case cisDomainSettingsOriginMaxHTTPVersion:
+			opt := cisClient.NewGetOriginMaxHttpVersionOptions()
+			result, resp, err := cisClient.GetOriginMaxHttpVersion(opt)
+			if err == nil {
+				d.Set(cisDomainSettingsOriginMaxHTTPVersion, result.Result.Value)
+			}
+			settingResponse = resp
+			settingErr = err
+		case cisDomainSettingsOriginPostQuantumEncryption:
+			opt := cisClient.NewGetOriginPostQuantumEncryptionOptions()
+			result, resp, err := cisClient.GetOriginPostQuantumEncryption(opt)
+			if err == nil {
+				d.Set(cisDomainSettingsOriginPostQuantumEncryption, result.Result.Value)
+			}
+			settingResponse = resp
+			settingErr = err
+
 		case cisDomainSettingsMinify:
 			opt := cisClient.NewGetMinifyOptions()
 			result, resp, err := cisClient.GetMinify(opt)

website/docs/r/cis_domain_settings.html.markdown

@@ -13,6 +13,7 @@ Customize the IBM Cloud Internet Services domain settings. For more information,
 ## Example usage 1
 
 ---
+
 ```terraform
 resource "ibm_cis_domain_settings" "test_domain_settings" {
   cis_id    = data.ibm_cis.cis.id
@@ -45,6 +46,8 @@ resource "ibm_cis_domain_settings" "test_domain_settings" {
   challenge_ttl               = 31536000
   max_upload                  = 300
   cipher                      = ["AES128-SHA256"]
+  origin_max_http_version     = "1"
+  origin_post_quantum_encryption = "off"
   minify {
     css  = "off"
     js   = "off"
@@ -70,13 +73,17 @@ resource "ibm_cis_domain_settings" "test" {
   waf             = "on"
   ssl             = "full"
   min_tls_version = "1.2"
+  origin_max_http_version     = "2"
+  origin_post_quantum_encryption = "supported"
 }
 ```
+
 ---
 
 ## Example usage 2 : For TLS v1.3
 
 ---
+
 ```terraform
 resource "ibm_cis_domain_settings" "test_domain_settings" {
   cis_id    = data.ibm_cis.cis.id
@@ -109,6 +116,8 @@ resource "ibm_cis_domain_settings" "test_domain_settings" {
   challenge_ttl               = 31536000
   max_upload                  = 300
   cipher                      = []
+  origin_max_http_version     = "1"
+  origin_post_quantum_encryption = "off"
   minify {
     css  = "off"
     js   = "off"
@@ -134,19 +143,23 @@ resource "ibm_cis_domain_settings" "test" {
   waf             = "on"
   ssl             = "full"
   min_tls_version = "1.3"
+  origin_max_http_version     = "2"
+  origin_post_quantum_encryption = "supported"
 }
 ```
+
 ---
 
 ## Argument reference
-Review the argument references that you can specify for your resource. 
+
+Review the argument references that you can specify for your resource.
 
 - `always_use_https` - (Optional, String) Supported values are `off` and `on`.
 - `automatic_https_rewrites` - (Optional, String) Enable HTTPS rewrites. Allowed values are `off` and `on`.
 - `browser_check` - (Optional, String) Enable a client browser check to look for common HTTP headers that are used by malicious users. If HTTP headers are found,  access to your website is blocked. Supported values are `off` and `on`.
 - `brotli` - (Optional, String) Supported values are `off` and `on`.
 - `challenge_ttl` - (Optional, String) Challenge TTL values are `300`, `900`, `1800`, `2700`, `3600`, `7200`, `10800`, `14400`, `28800`, `57600`, `86400`, `604800`, `2592000`, and `31536000`.
-- `cipher` - (Optional, List) Cipher setting values are  `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`,`ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA`. To use default cipher value, pass empty list `[]`. 
+- `cipher` - (Optional, List) Cipher setting values are  `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`,`ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA`. To use default cipher value, pass empty list `[]`.
 - `cis_id` - (Required, String) The ID of the IBM Cloud Internet Services instance.
 - `cname_flattening` - (Optional, String) Supported values are `flatten_at_root`, `flatten_all`, and `flatten_none`.
 - `domain_id` - (Required, String) The ID of the domain that you want to customize.
@@ -189,12 +202,15 @@ Review the argument references that you can specify for your resource.
 - `true_client_ip_header` - (Optional, String) Supported values are `off` and `on`.
 - `waf` - (Optional, String) Enable a web application firewall (WAF). Supported values are `off` and `on`.
 - `websockets` - (Optional, String) Supported values are `off` and `on`.
+- `origin_max_http_version` - (Optional, String) Sets the highest HTTP version to use with origin. Supported values are `1` and `2`.
+- `origin_post_quantum_encryption` - (Optional, String) Wheather to use post-quantum key agreement algorithms when connecting to the origin. Supported values are `off`, `preferred` and `supported`.
 
-**Note**
+### Note
 
 Extra settings are not implemented in this version of the provider.
- 
+
 ## Attribute reference
-In addition to all argument reference list, you can access the following attribute reference after your resource is created.
+
+In addition to the argument reference list, you can access the following attribute reference after your resource is created.
 
 - `certificate_status` - (String)  The value is displayed as `none`, `initializing`, `authorizing`, or `active`.