diff --git a/CHANGELOG.md b/CHANGELOG.md
index 127ab791..533c4351 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
- Add `sdwan_tls_ssl_profile_policy_definition` resource and data source
- BREAKING CHANGE: Rename `timers_spf_initial_holf` attribute of `sdwan_cisco_ospf_feature_template` resource and data source to `timers_spf_initial_hold`
- Fix issue with setting an `omp_tag` match condition using a `sdwan_route_policy_definition` resource
+- Add `sdwan_tls_ssl_decryption_policy_definition` resource and data source
## 0.2.7
diff --git a/docs/data-sources/tls_ssl_decryption_policy_definition.md b/docs/data-sources/tls_ssl_decryption_policy_definition.md
new file mode 100644
index 00000000..fa949c31
--- /dev/null
+++ b/docs/data-sources/tls_ssl_decryption_policy_definition.md
@@ -0,0 +1,80 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "sdwan_tls_ssl_decryption_policy_definition Data Source - terraform-provider-sdwan"
+subcategory: "Security Policies"
+description: |-
+ This data source can read the TLS SSL Decryption Policy Definition .
+---
+
+# sdwan_tls_ssl_decryption_policy_definition (Data Source)
+
+This data source can read the TLS SSL Decryption Policy Definition .
+
+## Example Usage
+
+```terraform
+data "sdwan_tls_ssl_decryption_policy_definition" "example" {
+ id = "f6b2c44c-693c-4763-b010-895aa3d236bd"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `id` (String) The id of the object
+
+### Read-Only
+
+- `certificate_lifetime_in_days` (Number) Certificate Lifetime(in Days)
+- `certificate_revocation_status` (String) Certificate revocation status
+- `default_action` (String) Default action (applies when 'mode' set to 'security')
+- `description` (String) The description of the policy definition.
+- `ec_key_type` (String) EC Key Type
+- `expired_certificate` (String) Expired certificate action
+- `failure_mode` (String) Failure mode
+- `minimal_tls_version` (String) Minimal TLS Version
+- `mode` (String) The policy mode
+- `name` (String) The name of the policy definition.
+- `network_rules` (Attributes List) List of network rules (applies when 'mode' set to 'security') (see [below for nested schema](#nestedatt--network_rules))
+- `rsa_key_pair_modulus` (String) RSA key pair modules
+- `ssl_decryption_enabled` (String) SSL decryption enabled
+- `unknown_revocation_status` (String) Unknown revocation status action
+- `unsupported_cipher_suites` (String) Unsupported cipher suites action
+- `unsupported_protocol_versions` (String) Unsupported protocol versions action
+- `untrusted_certificate` (String) Untrusted certificate action
+- `url_rules` (Attributes List) List of url rules (applies when 'mode' set to 'security') (see [below for nested schema](#nestedatt--url_rules))
+- `use_default_ca_cert_bundle` (Boolean) Use default CA certificate bundle
+- `version` (Number) The version of the object
+
+
+### Nested Schema for `network_rules`
+
+Read-Only:
+
+- `base_action` (String) Rule base action
+- `rule_id` (Number) Rule ID
+- `rule_name` (String) Rule name
+- `rule_type` (String) Rule type
+- `source_and_destination_configuration` (Attributes List) List of network source / destination configuration (see [below for nested schema](#nestedatt--network_rules--source_and_destination_configuration))
+
+
+### Nested Schema for `network_rules.source_and_destination_configuration`
+
+Read-Only:
+
+- `option` (String) source / destination option
+- `value` (String) source / destination option target
+
+
+
+
+### Nested Schema for `url_rules`
+
+Read-Only:
+
+- `rule_name` (String) Country
+- `target_vpns` (List of String) List of VPN IDs
+- `tls_ssl_profile_policy_id` (String) TLS SSL Profile Policy ID
+- `tls_ssl_profile_version` (Number) TLS SSL Profile Policy version
diff --git a/docs/guides/changelog.md b/docs/guides/changelog.md
index 4e58792f..9c06565d 100644
--- a/docs/guides/changelog.md
+++ b/docs/guides/changelog.md
@@ -14,6 +14,7 @@ description: |-
- Add `sdwan_tls_ssl_profile_policy_definition` resource and data source
- BREAKING CHANGE: Rename `timers_spf_initial_holf` attribute of `sdwan_cisco_ospf_feature_template` resource and data source to `timers_spf_initial_hold`
- Fix issue with setting an `omp_tag` match condition using a `sdwan_route_policy_definition` resource
+- Add `sdwan_tls_ssl_decryption_policy_definition` resource and data source
## 0.2.7
diff --git a/docs/resources/tls_ssl_decryption_policy_definition.md b/docs/resources/tls_ssl_decryption_policy_definition.md
new file mode 100644
index 00000000..9dce8559
--- /dev/null
+++ b/docs/resources/tls_ssl_decryption_policy_definition.md
@@ -0,0 +1,135 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "sdwan_tls_ssl_decryption_policy_definition Resource - terraform-provider-sdwan"
+subcategory: "Security Policies"
+description: |-
+ This resource can manage a TLS SSL Decryption Policy Definition .
+---
+
+# sdwan_tls_ssl_decryption_policy_definition (Resource)
+
+This resource can manage a TLS SSL Decryption Policy Definition .
+
+## Example Usage
+
+```terraform
+resource "sdwan_tls_ssl_decryption_policy_definition" "example" {
+ name = "Example"
+ description = "My description"
+ mode = "security"
+ default_action = "noIntent"
+ network_rules = [
+ {
+ base_action = "doNotDecrypt"
+ rule_id = 4
+ rule_name = "Example"
+ rule_type = "sslDecryption"
+ source_and_destination_configuration = [
+ {
+ option = "destinationIp"
+ value = "10.0.0.0/12"
+ }
+ ]
+ }
+ ]
+ ssl_decryption_enabled = "true"
+ expired_certificate = "drop"
+ untrusted_certificate = "drop"
+ certificate_revocation_status = "none"
+ unknown_revocation_status = "drop"
+ unsupported_protocol_versions = "drop"
+ unsupported_cipher_suites = "drop"
+ failure_mode = "close"
+ rsa_key_pair_modulus = "2048"
+ ec_key_type = "P384"
+ certificate_lifetime_in_days = 1
+ minimal_tls_version = "TLSv1.2"
+ use_default_ca_cert_bundle = true
+}
+```
+
+
+## Schema
+
+### Required
+
+- `description` (String) The description of the policy definition.
+- `name` (String) The name of the policy definition.
+
+### Optional
+
+- `certificate_lifetime_in_days` (Number) Certificate Lifetime(in Days)
+- `certificate_revocation_status` (String) Certificate revocation status
+ - Choices: `ocsp`, `none`
+- `default_action` (String) Default action (applies when 'mode' set to 'security')
+ - Choices: `noIntent`, `doNotDecrypt`, `decrypt`
+- `ec_key_type` (String) EC Key Type
+ - Choices: `P256`, `P384`, `P521`
+- `expired_certificate` (String) Expired certificate action
+ - Choices: `drop`, `decrypt`
+- `failure_mode` (String) Failure mode
+ - Choices: `open`, `close`
+- `minimal_tls_version` (String) Minimal TLS Version
+ - Choices: `TLSv1.0`, `TLSv1.1`, `TLSv1.2`
+- `mode` (String) The policy mode
+ - Choices: `security`, `unified`
+- `network_rules` (Attributes List) List of network rules (applies when 'mode' set to 'security') (see [below for nested schema](#nestedatt--network_rules))
+- `rsa_key_pair_modulus` (String) RSA key pair modules
+ - Choices: `1024`, `2048`, `4096`
+- `ssl_decryption_enabled` (String) SSL decryption enabled
+- `unknown_revocation_status` (String) Unknown revocation status action
+ - Choices: `drop`, `decrypt`
+- `unsupported_cipher_suites` (String) Unsupported cipher suites action
+ - Choices: `drop`, `no-decrypt`
+- `unsupported_protocol_versions` (String) Unsupported protocol versions action
+ - Choices: `drop`, `no-decrypt`
+- `untrusted_certificate` (String) Untrusted certificate action
+ - Choices: `drop`, `decrypt`
+- `url_rules` (Attributes List) List of url rules (applies when 'mode' set to 'security') (see [below for nested schema](#nestedatt--url_rules))
+- `use_default_ca_cert_bundle` (Boolean) Use default CA certificate bundle
+
+### Read-Only
+
+- `id` (String) The id of the object
+- `version` (Number) The version of the object
+
+
+### Nested Schema for `network_rules`
+
+Optional:
+
+- `base_action` (String) Rule base action
+ - Choices: `noIntent`, `doNotDecrypt`, `decrypt`
+- `rule_id` (Number) Rule ID
+- `rule_name` (String) Rule name
+- `rule_type` (String) Rule type
+- `source_and_destination_configuration` (Attributes List) List of network source / destination configuration (see [below for nested schema](#nestedatt--network_rules--source_and_destination_configuration))
+
+
+### Nested Schema for `network_rules.source_and_destination_configuration`
+
+Optional:
+
+- `option` (String) source / destination option
+ - Choices: `sourceIp`, `sourcePort`, `destinationVpn`, `destinationIp`, `destinationPort`
+- `value` (String) source / destination option target
+
+
+
+
+### Nested Schema for `url_rules`
+
+Optional:
+
+- `rule_name` (String) Country
+- `target_vpns` (List of String) List of VPN IDs
+- `tls_ssl_profile_policy_id` (String) TLS SSL Profile Policy ID
+- `tls_ssl_profile_version` (Number) TLS SSL Profile Policy version
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import sdwan_tls_ssl_decryption_policy_definition.example "f6b2c44c-693c-4763-b010-895aa3d236bd"
+```
diff --git a/examples/data-sources/sdwan_tls_ssl_decryption_policy_definition/data-source.tf b/examples/data-sources/sdwan_tls_ssl_decryption_policy_definition/data-source.tf
new file mode 100644
index 00000000..c0622ea2
--- /dev/null
+++ b/examples/data-sources/sdwan_tls_ssl_decryption_policy_definition/data-source.tf
@@ -0,0 +1,3 @@
+data "sdwan_tls_ssl_decryption_policy_definition" "example" {
+ id = "f6b2c44c-693c-4763-b010-895aa3d236bd"
+}
diff --git a/examples/resources/sdwan_tls_ssl_decryption_policy_definition/import.sh b/examples/resources/sdwan_tls_ssl_decryption_policy_definition/import.sh
new file mode 100644
index 00000000..209650f4
--- /dev/null
+++ b/examples/resources/sdwan_tls_ssl_decryption_policy_definition/import.sh
@@ -0,0 +1 @@
+terraform import sdwan_tls_ssl_decryption_policy_definition.example "f6b2c44c-693c-4763-b010-895aa3d236bd"
diff --git a/examples/resources/sdwan_tls_ssl_decryption_policy_definition/resource.tf b/examples/resources/sdwan_tls_ssl_decryption_policy_definition/resource.tf
new file mode 100644
index 00000000..27ee5bbc
--- /dev/null
+++ b/examples/resources/sdwan_tls_ssl_decryption_policy_definition/resource.tf
@@ -0,0 +1,33 @@
+resource "sdwan_tls_ssl_decryption_policy_definition" "example" {
+ name = "Example"
+ description = "My description"
+ mode = "security"
+ default_action = "noIntent"
+ network_rules = [
+ {
+ base_action = "doNotDecrypt"
+ rule_id = 4
+ rule_name = "Example"
+ rule_type = "sslDecryption"
+ source_and_destination_configuration = [
+ {
+ option = "destinationIp"
+ value = "10.0.0.0/12"
+ }
+ ]
+ }
+ ]
+ ssl_decryption_enabled = "true"
+ expired_certificate = "drop"
+ untrusted_certificate = "drop"
+ certificate_revocation_status = "none"
+ unknown_revocation_status = "drop"
+ unsupported_protocol_versions = "drop"
+ unsupported_cipher_suites = "drop"
+ failure_mode = "close"
+ rsa_key_pair_modulus = "2048"
+ ec_key_type = "P384"
+ certificate_lifetime_in_days = 1
+ minimal_tls_version = "TLSv1.2"
+ use_default_ca_cert_bundle = true
+}
diff --git a/gen/definitions/generic/tls_ssl_decryption_policy_definition.yml b/gen/definitions/generic/tls_ssl_decryption_policy_definition.yml
new file mode 100644
index 00000000..f595d148
--- /dev/null
+++ b/gen/definitions/generic/tls_ssl_decryption_policy_definition.yml
@@ -0,0 +1,192 @@
+name: TLS SSL Decryption Policy Definition
+rest_endpoint: /template/policy/definition/ssldecryption/
+has_version: true
+id_attribute: definitionId
+doc_category: Security Policies
+attributes:
+ - model_name: type
+ type: String
+ value: sslDecryption
+ - model_name: name
+ tf_name: name
+ type: String
+ mandatory: true
+ description: The name of the policy definition.
+ example: Example
+ - model_name: description
+ tf_name: description
+ type: String
+ mandatory: true
+ description: The description of the policy definition.
+ example: My description
+ - model_name: mode
+ tf_name: mode
+ type: String
+ enum_values: [security, unified]
+ description: The policy mode
+ example: security
+ - model_name: type
+ data_path: [definition, defaultAction]
+ tf_name: default_action
+ type: String
+ enum_values: [noIntent, doNotDecrypt, decrypt]
+ description: Default action (applies when 'mode' set to 'security')
+ example: noIntent
+ - model_name: sequences
+ data_path: [definition]
+ type: List
+ tf_name: network_rules
+ description: List of network rules (applies when 'mode' set to 'security')
+ attributes:
+ - model_name: baseAction
+ type: String
+ tf_name: base_action
+ description: Rule base action
+ enum_values: [noIntent, doNotDecrypt, decrypt]
+ example: doNotDecrypt
+ - model_name: sequenceId
+ type: Int64
+ tf_name: rule_id
+ description: Rule ID
+ example: 4
+ - model_name: sequenceName
+ type: String
+ tf_name: rule_name
+ description: Rule name
+ example: Example
+ - model_name: sequenceType
+ type: String
+ tf_name: rule_type
+ description: Rule type
+ example: sslDecryption
+ - model_name: entries
+ data_path: [match]
+ type: List
+ tf_name: source_and_destination_configuration
+ description: List of network source / destination configuration
+ attributes:
+ - model_name: field
+ type: String
+ tf_name: option
+ description: source / destination option
+ enum_values: [sourceIp, sourcePort, destinationVpn, destinationIp, destinationPort]
+ example: destinationIp
+ - model_name: value
+ type: String
+ tf_name: value
+ description: source / destination option target
+ example: 10.0.0.0/12
+ - model_name: profiles
+ data_path: [definition]
+ tf_name: url_rules
+ type: List
+ description: List of url rules (applies when 'mode' set to 'security')
+ exclude_test: true
+ attributes:
+ - model_name: name
+ tf_name: rule_name
+ type: String
+ description: Country
+ example: Example
+ - model_name: vpn
+ tf_name: target_vpns
+ type: StringList
+ description: List of VPN IDs
+ example: 1
+ - model_name: ref
+ tf_name: tls_ssl_profile_policy_id
+ type: String
+ description: TLS SSL Profile Policy ID
+ example: 2d8cbc1b-f969-4999-a0bd-f77a070ba5f7
+ - tf_name: tls_ssl_profile_version
+ tf_only: true
+ type: Version
+ description: TLS SSL Profile Policy version
+ - model_name: sslEnable
+ data_path: [definition, settings]
+ tf_name: ssl_decryption_enabled
+ type: String
+ description: SSL decryption enabled
+ example: "true"
+ - model_name: expiredCertificate
+ data_path: [definition, settings]
+ tf_name: expired_certificate
+ type: String
+ enum_values: [drop, decrypt]
+ description: Expired certificate action
+ example: "drop"
+ - model_name: untrustedCertificate
+ data_path: [definition, settings]
+ tf_name: untrusted_certificate
+ type: String
+ enum_values: [drop, decrypt]
+ description: Untrusted certificate action
+ example: "drop"
+ - model_name: certificateRevocationStatus
+ data_path: [definition, settings]
+ tf_name: certificate_revocation_status
+ type: String
+ enum_values: [ocsp, none]
+ description: Certificate revocation status
+ example: "none"
+ - model_name: unknownStatus
+ data_path: [definition, settings]
+ tf_name: unknown_revocation_status
+ type: String
+ enum_values: [drop, decrypt]
+ description: Unknown revocation status action
+ example: "drop"
+ - model_name: unsupportedProtocolVersions
+ data_path: [definition, settings]
+ tf_name: unsupported_protocol_versions
+ type: String
+ enum_values: [drop, no-decrypt]
+ description: Unsupported protocol versions action
+ example: "drop"
+ - model_name: unsupportedCipherSuites
+ data_path: [definition, settings]
+ tf_name: unsupported_cipher_suites
+ type: String
+ enum_values: [drop, no-decrypt]
+ description: Unsupported cipher suites action
+ example: "drop"
+ - model_name: failureMode
+ data_path: [definition, settings]
+ tf_name: failure_mode
+ type: String
+ enum_values: [open, close]
+ description: Failure mode
+ example: "close"
+ - model_name: keyModulus
+ data_path: [definition, settings]
+ tf_name: rsa_key_pair_modulus
+ type: String
+ enum_values: ["1024", "2048", "4096"]
+ description: RSA key pair modules
+ example: "2048"
+ - model_name: eckeyType
+ data_path: [definition, settings]
+ tf_name: ec_key_type
+ type: String
+ enum_values: [P256, P384, P521]
+ description: EC Key Type
+ example: "P384"
+ - model_name: certificateLifetime
+ data_path: [definition, settings]
+ tf_name: certificate_lifetime_in_days
+ type: Int64
+ description: Certificate Lifetime(in Days)
+ example: 1
+ - model_name: minTlsVer
+ data_path: [definition, settings]
+ tf_name: minimal_tls_version
+ type: String
+ enum_values: [TLSv1.0, TLSv1.1, TLSv1.2]
+ description: Minimal TLS Version
+ example: "TLSv1.2"
+ - model_name: default
+ data_path: [definition, settings, caCertBundle]
+ tf_name: use_default_ca_cert_bundle
+ type: Bool
+ description: Use default CA certificate bundle
+ example: true
\ No newline at end of file
diff --git a/internal/provider/data_source_sdwan_tls_ssl_decryption_policy_definition.go b/internal/provider/data_source_sdwan_tls_ssl_decryption_policy_definition.go
new file mode 100644
index 00000000..8680002f
--- /dev/null
+++ b/internal/provider/data_source_sdwan_tls_ssl_decryption_policy_definition.go
@@ -0,0 +1,234 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Mozilla Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://mozilla.org/MPL/2.0/
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: MPL-2.0
+
+// Code generated by "gen/generator.go"; DO NOT EDIT.
+
+package provider
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/hashicorp/terraform-plugin-framework/datasource"
+ "github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+ "github.com/hashicorp/terraform-plugin-log/tflog"
+ "github.com/netascode/go-sdwan"
+)
+
+// Ensure the implementation satisfies the expected interfaces.
+var (
+ _ datasource.DataSource = &TLSSSLDecryptionPolicyDefinitionDataSource{}
+ _ datasource.DataSourceWithConfigure = &TLSSSLDecryptionPolicyDefinitionDataSource{}
+)
+
+func NewTLSSSLDecryptionPolicyDefinitionDataSource() datasource.DataSource {
+ return &TLSSSLDecryptionPolicyDefinitionDataSource{}
+}
+
+type TLSSSLDecryptionPolicyDefinitionDataSource struct {
+ client *sdwan.Client
+}
+
+func (d *TLSSSLDecryptionPolicyDefinitionDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+ resp.TypeName = req.ProviderTypeName + "_tls_ssl_decryption_policy_definition"
+}
+
+func (d *TLSSSLDecryptionPolicyDefinitionDataSource) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+ resp.Schema = schema.Schema{
+ // This description is used by the documentation generator and the language server.
+ MarkdownDescription: "This data source can read the TLS SSL Decryption Policy Definition .",
+
+ Attributes: map[string]schema.Attribute{
+ "id": schema.StringAttribute{
+ MarkdownDescription: "The id of the object",
+ Required: true,
+ },
+ "version": schema.Int64Attribute{
+ MarkdownDescription: "The version of the object",
+ Computed: true,
+ },
+ "name": schema.StringAttribute{
+ MarkdownDescription: "The name of the policy definition.",
+ Computed: true,
+ },
+ "description": schema.StringAttribute{
+ MarkdownDescription: "The description of the policy definition.",
+ Computed: true,
+ },
+ "mode": schema.StringAttribute{
+ MarkdownDescription: "The policy mode",
+ Computed: true,
+ },
+ "default_action": schema.StringAttribute{
+ MarkdownDescription: "Default action (applies when 'mode' set to 'security')",
+ Computed: true,
+ },
+ "network_rules": schema.ListNestedAttribute{
+ MarkdownDescription: "List of network rules (applies when 'mode' set to 'security')",
+ Computed: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "base_action": schema.StringAttribute{
+ MarkdownDescription: "Rule base action",
+ Computed: true,
+ },
+ "rule_id": schema.Int64Attribute{
+ MarkdownDescription: "Rule ID",
+ Computed: true,
+ },
+ "rule_name": schema.StringAttribute{
+ MarkdownDescription: "Rule name",
+ Computed: true,
+ },
+ "rule_type": schema.StringAttribute{
+ MarkdownDescription: "Rule type",
+ Computed: true,
+ },
+ "source_and_destination_configuration": schema.ListNestedAttribute{
+ MarkdownDescription: "List of network source / destination configuration",
+ Computed: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "option": schema.StringAttribute{
+ MarkdownDescription: "source / destination option",
+ Computed: true,
+ },
+ "value": schema.StringAttribute{
+ MarkdownDescription: "source / destination option target",
+ Computed: true,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ "url_rules": schema.ListNestedAttribute{
+ MarkdownDescription: "List of url rules (applies when 'mode' set to 'security')",
+ Computed: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "rule_name": schema.StringAttribute{
+ MarkdownDescription: "Country",
+ Computed: true,
+ },
+ "target_vpns": schema.ListAttribute{
+ MarkdownDescription: "List of VPN IDs",
+ ElementType: types.StringType,
+ Computed: true,
+ },
+ "tls_ssl_profile_policy_id": schema.StringAttribute{
+ MarkdownDescription: "TLS SSL Profile Policy ID",
+ Computed: true,
+ },
+ "tls_ssl_profile_version": schema.Int64Attribute{
+ MarkdownDescription: "TLS SSL Profile Policy version",
+ Computed: true,
+ },
+ },
+ },
+ },
+ "ssl_decryption_enabled": schema.StringAttribute{
+ MarkdownDescription: "SSL decryption enabled",
+ Computed: true,
+ },
+ "expired_certificate": schema.StringAttribute{
+ MarkdownDescription: "Expired certificate action",
+ Computed: true,
+ },
+ "untrusted_certificate": schema.StringAttribute{
+ MarkdownDescription: "Untrusted certificate action",
+ Computed: true,
+ },
+ "certificate_revocation_status": schema.StringAttribute{
+ MarkdownDescription: "Certificate revocation status",
+ Computed: true,
+ },
+ "unknown_revocation_status": schema.StringAttribute{
+ MarkdownDescription: "Unknown revocation status action",
+ Computed: true,
+ },
+ "unsupported_protocol_versions": schema.StringAttribute{
+ MarkdownDescription: "Unsupported protocol versions action",
+ Computed: true,
+ },
+ "unsupported_cipher_suites": schema.StringAttribute{
+ MarkdownDescription: "Unsupported cipher suites action",
+ Computed: true,
+ },
+ "failure_mode": schema.StringAttribute{
+ MarkdownDescription: "Failure mode",
+ Computed: true,
+ },
+ "rsa_key_pair_modulus": schema.StringAttribute{
+ MarkdownDescription: "RSA key pair modules",
+ Computed: true,
+ },
+ "ec_key_type": schema.StringAttribute{
+ MarkdownDescription: "EC Key Type",
+ Computed: true,
+ },
+ "certificate_lifetime_in_days": schema.Int64Attribute{
+ MarkdownDescription: "Certificate Lifetime(in Days)",
+ Computed: true,
+ },
+ "minimal_tls_version": schema.StringAttribute{
+ MarkdownDescription: "Minimal TLS Version",
+ Computed: true,
+ },
+ "use_default_ca_cert_bundle": schema.BoolAttribute{
+ MarkdownDescription: "Use default CA certificate bundle",
+ Computed: true,
+ },
+ },
+ }
+}
+
+func (d *TLSSSLDecryptionPolicyDefinitionDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, _ *datasource.ConfigureResponse) {
+ if req.ProviderData == nil {
+ return
+ }
+
+ d.client = req.ProviderData.(*SdwanProviderData).Client
+}
+
+func (d *TLSSSLDecryptionPolicyDefinitionDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+ var config TLSSSLDecryptionPolicyDefinition
+
+ // Read config
+ diags := req.Config.Get(ctx, &config)
+ resp.Diagnostics.Append(diags...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Beginning Read", config.Id.String()))
+
+ res, err := d.client.Get("/template/policy/definition/ssldecryption/" + config.Id.ValueString())
+ if err != nil {
+ resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Failed to retrieve object, got error: %s", err))
+ return
+ }
+
+ config.fromBody(ctx, res)
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Read finished successfully", config.Id.ValueString()))
+
+ diags = resp.State.Set(ctx, &config)
+ resp.Diagnostics.Append(diags...)
+}
diff --git a/internal/provider/data_source_sdwan_tls_ssl_decryption_policy_definition_test.go b/internal/provider/data_source_sdwan_tls_ssl_decryption_policy_definition_test.go
new file mode 100644
index 00000000..2c021402
--- /dev/null
+++ b/internal/provider/data_source_sdwan_tls_ssl_decryption_policy_definition_test.go
@@ -0,0 +1,101 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Mozilla Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://mozilla.org/MPL/2.0/
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: MPL-2.0
+
+// Code generated by "gen/generator.go"; DO NOT EDIT.
+
+package provider
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccDataSourceSdwanTLSSSLDecryptionPolicyDefinition(t *testing.T) {
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceSdwanTLSSSLDecryptionPolicyDefinitionConfig,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "name", "Example"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "description", "My description"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "mode", "security"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "default_action", "noIntent"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.base_action", "doNotDecrypt"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.rule_id", "4"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.rule_name", "Example"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.rule_type", "sslDecryption"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.source_and_destination_configuration.0.option", "destinationIp"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.source_and_destination_configuration.0.value", "10.0.0.0/12"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "ssl_decryption_enabled", "true"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "expired_certificate", "drop"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "untrusted_certificate", "drop"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "certificate_revocation_status", "none"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "unknown_revocation_status", "drop"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "unsupported_protocol_versions", "drop"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "unsupported_cipher_suites", "drop"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "failure_mode", "close"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "rsa_key_pair_modulus", "2048"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "ec_key_type", "P384"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "certificate_lifetime_in_days", "1"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "minimal_tls_version", "TLSv1.2"),
+ resource.TestCheckResourceAttr("data.sdwan_tls_ssl_decryption_policy_definition.test", "use_default_ca_cert_bundle", "true"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccDataSourceSdwanTLSSSLDecryptionPolicyDefinitionConfig = `
+
+
+resource "sdwan_tls_ssl_decryption_policy_definition" "test" {
+ name = "Example"
+ description = "My description"
+ mode = "security"
+ default_action = "noIntent"
+ network_rules = [{
+ base_action = "doNotDecrypt"
+ rule_id = 4
+ rule_name = "Example"
+ rule_type = "sslDecryption"
+ source_and_destination_configuration = [{
+ option = "destinationIp"
+ value = "10.0.0.0/12"
+ }]
+ }]
+ ssl_decryption_enabled = "true"
+ expired_certificate = "drop"
+ untrusted_certificate = "drop"
+ certificate_revocation_status = "none"
+ unknown_revocation_status = "drop"
+ unsupported_protocol_versions = "drop"
+ unsupported_cipher_suites = "drop"
+ failure_mode = "close"
+ rsa_key_pair_modulus = "2048"
+ ec_key_type = "P384"
+ certificate_lifetime_in_days = 1
+ minimal_tls_version = "TLSv1.2"
+ use_default_ca_cert_bundle = true
+}
+
+data "sdwan_tls_ssl_decryption_policy_definition" "test" {
+ id = sdwan_tls_ssl_decryption_policy_definition.test.id
+}
+`
diff --git a/internal/provider/model_sdwan_tls_ssl_decryption_policy_definition.go b/internal/provider/model_sdwan_tls_ssl_decryption_policy_definition.go
new file mode 100644
index 00000000..4ce7e0c7
--- /dev/null
+++ b/internal/provider/model_sdwan_tls_ssl_decryption_policy_definition.go
@@ -0,0 +1,467 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Mozilla Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://mozilla.org/MPL/2.0/
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: MPL-2.0
+
+// Code generated by "gen/generator.go"; DO NOT EDIT.
+
+package provider
+
+import (
+ "context"
+
+ "github.com/CiscoDevNet/terraform-provider-sdwan/internal/provider/helpers"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+ "github.com/tidwall/gjson"
+ "github.com/tidwall/sjson"
+)
+
+type TLSSSLDecryptionPolicyDefinition struct {
+ Id types.String `tfsdk:"id"`
+ Version types.Int64 `tfsdk:"version"`
+ Name types.String `tfsdk:"name"`
+ Description types.String `tfsdk:"description"`
+ Mode types.String `tfsdk:"mode"`
+ DefaultAction types.String `tfsdk:"default_action"`
+ NetworkRules []TLSSSLDecryptionPolicyDefinitionNetworkRules `tfsdk:"network_rules"`
+ UrlRules []TLSSSLDecryptionPolicyDefinitionUrlRules `tfsdk:"url_rules"`
+ SslDecryptionEnabled types.String `tfsdk:"ssl_decryption_enabled"`
+ ExpiredCertificate types.String `tfsdk:"expired_certificate"`
+ UntrustedCertificate types.String `tfsdk:"untrusted_certificate"`
+ CertificateRevocationStatus types.String `tfsdk:"certificate_revocation_status"`
+ UnknownRevocationStatus types.String `tfsdk:"unknown_revocation_status"`
+ UnsupportedProtocolVersions types.String `tfsdk:"unsupported_protocol_versions"`
+ UnsupportedCipherSuites types.String `tfsdk:"unsupported_cipher_suites"`
+ FailureMode types.String `tfsdk:"failure_mode"`
+ RsaKeyPairModulus types.String `tfsdk:"rsa_key_pair_modulus"`
+ EcKeyType types.String `tfsdk:"ec_key_type"`
+ CertificateLifetimeInDays types.Int64 `tfsdk:"certificate_lifetime_in_days"`
+ MinimalTlsVersion types.String `tfsdk:"minimal_tls_version"`
+ UseDefaultCaCertBundle types.Bool `tfsdk:"use_default_ca_cert_bundle"`
+}
+
+type TLSSSLDecryptionPolicyDefinitionNetworkRules struct {
+ BaseAction types.String `tfsdk:"base_action"`
+ RuleId types.Int64 `tfsdk:"rule_id"`
+ RuleName types.String `tfsdk:"rule_name"`
+ RuleType types.String `tfsdk:"rule_type"`
+ SourceAndDestinationConfiguration []TLSSSLDecryptionPolicyDefinitionNetworkRulesSourceAndDestinationConfiguration `tfsdk:"source_and_destination_configuration"`
+}
+
+type TLSSSLDecryptionPolicyDefinitionUrlRules struct {
+ RuleName types.String `tfsdk:"rule_name"`
+ TargetVpns types.List `tfsdk:"target_vpns"`
+ TlsSslProfilePolicyId types.String `tfsdk:"tls_ssl_profile_policy_id"`
+ TlsSslProfileVersion types.Int64 `tfsdk:"tls_ssl_profile_version"`
+}
+
+type TLSSSLDecryptionPolicyDefinitionNetworkRulesSourceAndDestinationConfiguration struct {
+ Option types.String `tfsdk:"option"`
+ Value types.String `tfsdk:"value"`
+}
+
+func (data TLSSSLDecryptionPolicyDefinition) toBody(ctx context.Context) string {
+ body := ""
+ body, _ = sjson.Set(body, "type", "sslDecryption")
+ if !data.Name.IsNull() {
+ body, _ = sjson.Set(body, "name", data.Name.ValueString())
+ }
+ if !data.Description.IsNull() {
+ body, _ = sjson.Set(body, "description", data.Description.ValueString())
+ }
+ if !data.Mode.IsNull() {
+ body, _ = sjson.Set(body, "mode", data.Mode.ValueString())
+ }
+ if !data.DefaultAction.IsNull() {
+ body, _ = sjson.Set(body, "definition.defaultAction.type", data.DefaultAction.ValueString())
+ }
+ if len(data.NetworkRules) > 0 {
+ body, _ = sjson.Set(body, "definition.sequences", []interface{}{})
+ for _, item := range data.NetworkRules {
+ itemBody := ""
+ if !item.BaseAction.IsNull() {
+ itemBody, _ = sjson.Set(itemBody, "baseAction", item.BaseAction.ValueString())
+ }
+ if !item.RuleId.IsNull() {
+ itemBody, _ = sjson.Set(itemBody, "sequenceId", item.RuleId.ValueInt64())
+ }
+ if !item.RuleName.IsNull() {
+ itemBody, _ = sjson.Set(itemBody, "sequenceName", item.RuleName.ValueString())
+ }
+ if !item.RuleType.IsNull() {
+ itemBody, _ = sjson.Set(itemBody, "sequenceType", item.RuleType.ValueString())
+ }
+ if len(item.SourceAndDestinationConfiguration) > 0 {
+ itemBody, _ = sjson.Set(itemBody, "match.entries", []interface{}{})
+ for _, childItem := range item.SourceAndDestinationConfiguration {
+ itemChildBody := ""
+ if !childItem.Option.IsNull() {
+ itemChildBody, _ = sjson.Set(itemChildBody, "field", childItem.Option.ValueString())
+ }
+ if !childItem.Value.IsNull() {
+ itemChildBody, _ = sjson.Set(itemChildBody, "value", childItem.Value.ValueString())
+ }
+ itemBody, _ = sjson.SetRaw(itemBody, "match.entries.-1", itemChildBody)
+ }
+ }
+ body, _ = sjson.SetRaw(body, "definition.sequences.-1", itemBody)
+ }
+ }
+ if len(data.UrlRules) > 0 {
+ body, _ = sjson.Set(body, "definition.profiles", []interface{}{})
+ for _, item := range data.UrlRules {
+ itemBody := ""
+ if !item.RuleName.IsNull() {
+ itemBody, _ = sjson.Set(itemBody, "name", item.RuleName.ValueString())
+ }
+ if !item.TargetVpns.IsNull() {
+ var values []string
+ item.TargetVpns.ElementsAs(ctx, &values, false)
+ itemBody, _ = sjson.Set(itemBody, "vpn", values)
+ }
+ if !item.TlsSslProfilePolicyId.IsNull() {
+ itemBody, _ = sjson.Set(itemBody, "ref", item.TlsSslProfilePolicyId.ValueString())
+ }
+ body, _ = sjson.SetRaw(body, "definition.profiles.-1", itemBody)
+ }
+ }
+ if !data.SslDecryptionEnabled.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.sslEnable", data.SslDecryptionEnabled.ValueString())
+ }
+ if !data.ExpiredCertificate.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.expiredCertificate", data.ExpiredCertificate.ValueString())
+ }
+ if !data.UntrustedCertificate.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.untrustedCertificate", data.UntrustedCertificate.ValueString())
+ }
+ if !data.CertificateRevocationStatus.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.certificateRevocationStatus", data.CertificateRevocationStatus.ValueString())
+ }
+ if !data.UnknownRevocationStatus.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.unknownStatus", data.UnknownRevocationStatus.ValueString())
+ }
+ if !data.UnsupportedProtocolVersions.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.unsupportedProtocolVersions", data.UnsupportedProtocolVersions.ValueString())
+ }
+ if !data.UnsupportedCipherSuites.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.unsupportedCipherSuites", data.UnsupportedCipherSuites.ValueString())
+ }
+ if !data.FailureMode.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.failureMode", data.FailureMode.ValueString())
+ }
+ if !data.RsaKeyPairModulus.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.keyModulus", data.RsaKeyPairModulus.ValueString())
+ }
+ if !data.EcKeyType.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.eckeyType", data.EcKeyType.ValueString())
+ }
+ if !data.CertificateLifetimeInDays.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.certificateLifetime", data.CertificateLifetimeInDays.ValueInt64())
+ }
+ if !data.MinimalTlsVersion.IsNull() {
+ body, _ = sjson.Set(body, "definition.settings.minTlsVer", data.MinimalTlsVersion.ValueString())
+ }
+ if !data.UseDefaultCaCertBundle.IsNull() {
+ if false && data.UseDefaultCaCertBundle.ValueBool() {
+ body, _ = sjson.Set(body, "definition.settings.caCertBundle.default", "")
+ } else {
+ body, _ = sjson.Set(body, "definition.settings.caCertBundle.default", data.UseDefaultCaCertBundle.ValueBool())
+ }
+ }
+ return body
+}
+
+func (data *TLSSSLDecryptionPolicyDefinition) fromBody(ctx context.Context, res gjson.Result) {
+ state := *data
+ if value := res.Get("name"); value.Exists() {
+ data.Name = types.StringValue(value.String())
+ } else {
+ data.Name = types.StringNull()
+ }
+ if value := res.Get("description"); value.Exists() {
+ data.Description = types.StringValue(value.String())
+ } else {
+ data.Description = types.StringNull()
+ }
+ if value := res.Get("mode"); value.Exists() {
+ data.Mode = types.StringValue(value.String())
+ } else {
+ data.Mode = types.StringNull()
+ }
+ if value := res.Get("definition.defaultAction.type"); value.Exists() {
+ data.DefaultAction = types.StringValue(value.String())
+ } else {
+ data.DefaultAction = types.StringNull()
+ }
+ if value := res.Get("definition.sequences"); value.Exists() {
+ data.NetworkRules = make([]TLSSSLDecryptionPolicyDefinitionNetworkRules, 0)
+ value.ForEach(func(k, v gjson.Result) bool {
+ item := TLSSSLDecryptionPolicyDefinitionNetworkRules{}
+ if cValue := v.Get("baseAction"); cValue.Exists() {
+ item.BaseAction = types.StringValue(cValue.String())
+ } else {
+ item.BaseAction = types.StringNull()
+ }
+ if cValue := v.Get("sequenceId"); cValue.Exists() {
+ item.RuleId = types.Int64Value(cValue.Int())
+ } else {
+ item.RuleId = types.Int64Null()
+ }
+ if cValue := v.Get("sequenceName"); cValue.Exists() {
+ item.RuleName = types.StringValue(cValue.String())
+ } else {
+ item.RuleName = types.StringNull()
+ }
+ if cValue := v.Get("sequenceType"); cValue.Exists() {
+ item.RuleType = types.StringValue(cValue.String())
+ } else {
+ item.RuleType = types.StringNull()
+ }
+ if cValue := v.Get("match.entries"); cValue.Exists() {
+ item.SourceAndDestinationConfiguration = make([]TLSSSLDecryptionPolicyDefinitionNetworkRulesSourceAndDestinationConfiguration, 0)
+ cValue.ForEach(func(ck, cv gjson.Result) bool {
+ cItem := TLSSSLDecryptionPolicyDefinitionNetworkRulesSourceAndDestinationConfiguration{}
+ if ccValue := cv.Get("field"); ccValue.Exists() {
+ cItem.Option = types.StringValue(ccValue.String())
+ } else {
+ cItem.Option = types.StringNull()
+ }
+ if ccValue := cv.Get("value"); ccValue.Exists() {
+ cItem.Value = types.StringValue(ccValue.String())
+ } else {
+ cItem.Value = types.StringNull()
+ }
+ item.SourceAndDestinationConfiguration = append(item.SourceAndDestinationConfiguration, cItem)
+ return true
+ })
+ }
+ data.NetworkRules = append(data.NetworkRules, item)
+ return true
+ })
+ }
+ if value := res.Get("definition.profiles"); value.Exists() {
+ data.UrlRules = make([]TLSSSLDecryptionPolicyDefinitionUrlRules, 0)
+ value.ForEach(func(k, v gjson.Result) bool {
+ item := TLSSSLDecryptionPolicyDefinitionUrlRules{}
+ if cValue := v.Get("name"); cValue.Exists() {
+ item.RuleName = types.StringValue(cValue.String())
+ } else {
+ item.RuleName = types.StringNull()
+ }
+ if cValue := v.Get("vpn"); cValue.Exists() {
+ item.TargetVpns = helpers.GetStringList(cValue.Array())
+ } else {
+ item.TargetVpns = types.ListNull(types.StringType)
+ }
+ if cValue := v.Get("ref"); cValue.Exists() {
+ item.TlsSslProfilePolicyId = types.StringValue(cValue.String())
+ } else {
+ item.TlsSslProfilePolicyId = types.StringNull()
+ }
+ data.UrlRules = append(data.UrlRules, item)
+ return true
+ })
+ }
+ if value := res.Get("definition.settings.sslEnable"); value.Exists() {
+ data.SslDecryptionEnabled = types.StringValue(value.String())
+ } else {
+ data.SslDecryptionEnabled = types.StringNull()
+ }
+ if value := res.Get("definition.settings.expiredCertificate"); value.Exists() {
+ data.ExpiredCertificate = types.StringValue(value.String())
+ } else {
+ data.ExpiredCertificate = types.StringNull()
+ }
+ if value := res.Get("definition.settings.untrustedCertificate"); value.Exists() {
+ data.UntrustedCertificate = types.StringValue(value.String())
+ } else {
+ data.UntrustedCertificate = types.StringNull()
+ }
+ if value := res.Get("definition.settings.certificateRevocationStatus"); value.Exists() {
+ data.CertificateRevocationStatus = types.StringValue(value.String())
+ } else {
+ data.CertificateRevocationStatus = types.StringNull()
+ }
+ if value := res.Get("definition.settings.unknownStatus"); value.Exists() {
+ data.UnknownRevocationStatus = types.StringValue(value.String())
+ } else {
+ data.UnknownRevocationStatus = types.StringNull()
+ }
+ if value := res.Get("definition.settings.unsupportedProtocolVersions"); value.Exists() {
+ data.UnsupportedProtocolVersions = types.StringValue(value.String())
+ } else {
+ data.UnsupportedProtocolVersions = types.StringNull()
+ }
+ if value := res.Get("definition.settings.unsupportedCipherSuites"); value.Exists() {
+ data.UnsupportedCipherSuites = types.StringValue(value.String())
+ } else {
+ data.UnsupportedCipherSuites = types.StringNull()
+ }
+ if value := res.Get("definition.settings.failureMode"); value.Exists() {
+ data.FailureMode = types.StringValue(value.String())
+ } else {
+ data.FailureMode = types.StringNull()
+ }
+ if value := res.Get("definition.settings.keyModulus"); value.Exists() {
+ data.RsaKeyPairModulus = types.StringValue(value.String())
+ } else {
+ data.RsaKeyPairModulus = types.StringNull()
+ }
+ if value := res.Get("definition.settings.eckeyType"); value.Exists() {
+ data.EcKeyType = types.StringValue(value.String())
+ } else {
+ data.EcKeyType = types.StringNull()
+ }
+ if value := res.Get("definition.settings.certificateLifetime"); value.Exists() {
+ data.CertificateLifetimeInDays = types.Int64Value(value.Int())
+ } else {
+ data.CertificateLifetimeInDays = types.Int64Null()
+ }
+ if value := res.Get("definition.settings.minTlsVer"); value.Exists() {
+ data.MinimalTlsVersion = types.StringValue(value.String())
+ } else {
+ data.MinimalTlsVersion = types.StringNull()
+ }
+ if value := res.Get("definition.settings.caCertBundle.default"); value.Exists() {
+ if false && value.String() == "" {
+ data.UseDefaultCaCertBundle = types.BoolValue(true)
+ } else {
+ data.UseDefaultCaCertBundle = types.BoolValue(value.Bool())
+ }
+ } else {
+ data.UseDefaultCaCertBundle = types.BoolNull()
+ }
+ data.updateVersions(ctx, &state)
+}
+
+func (data *TLSSSLDecryptionPolicyDefinition) hasChanges(ctx context.Context, state *TLSSSLDecryptionPolicyDefinition) bool {
+ hasChanges := false
+ if !data.Name.Equal(state.Name) {
+ hasChanges = true
+ }
+ if !data.Description.Equal(state.Description) {
+ hasChanges = true
+ }
+ if !data.Mode.Equal(state.Mode) {
+ hasChanges = true
+ }
+ if !data.DefaultAction.Equal(state.DefaultAction) {
+ hasChanges = true
+ }
+ if len(data.NetworkRules) != len(state.NetworkRules) {
+ hasChanges = true
+ } else {
+ for i := range data.NetworkRules {
+ if !data.NetworkRules[i].BaseAction.Equal(state.NetworkRules[i].BaseAction) {
+ hasChanges = true
+ }
+ if !data.NetworkRules[i].RuleId.Equal(state.NetworkRules[i].RuleId) {
+ hasChanges = true
+ }
+ if !data.NetworkRules[i].RuleName.Equal(state.NetworkRules[i].RuleName) {
+ hasChanges = true
+ }
+ if !data.NetworkRules[i].RuleType.Equal(state.NetworkRules[i].RuleType) {
+ hasChanges = true
+ }
+ if len(data.NetworkRules[i].SourceAndDestinationConfiguration) != len(state.NetworkRules[i].SourceAndDestinationConfiguration) {
+ hasChanges = true
+ } else {
+ for ii := range data.NetworkRules[i].SourceAndDestinationConfiguration {
+ if !data.NetworkRules[i].SourceAndDestinationConfiguration[ii].Option.Equal(state.NetworkRules[i].SourceAndDestinationConfiguration[ii].Option) {
+ hasChanges = true
+ }
+ if !data.NetworkRules[i].SourceAndDestinationConfiguration[ii].Value.Equal(state.NetworkRules[i].SourceAndDestinationConfiguration[ii].Value) {
+ hasChanges = true
+ }
+ }
+ }
+ }
+ }
+ if len(data.UrlRules) != len(state.UrlRules) {
+ hasChanges = true
+ } else {
+ for i := range data.UrlRules {
+ if !data.UrlRules[i].RuleName.Equal(state.UrlRules[i].RuleName) {
+ hasChanges = true
+ }
+ if !data.UrlRules[i].TargetVpns.Equal(state.UrlRules[i].TargetVpns) {
+ hasChanges = true
+ }
+ if !data.UrlRules[i].TlsSslProfilePolicyId.Equal(state.UrlRules[i].TlsSslProfilePolicyId) {
+ hasChanges = true
+ }
+ }
+ }
+ if !data.SslDecryptionEnabled.Equal(state.SslDecryptionEnabled) {
+ hasChanges = true
+ }
+ if !data.ExpiredCertificate.Equal(state.ExpiredCertificate) {
+ hasChanges = true
+ }
+ if !data.UntrustedCertificate.Equal(state.UntrustedCertificate) {
+ hasChanges = true
+ }
+ if !data.CertificateRevocationStatus.Equal(state.CertificateRevocationStatus) {
+ hasChanges = true
+ }
+ if !data.UnknownRevocationStatus.Equal(state.UnknownRevocationStatus) {
+ hasChanges = true
+ }
+ if !data.UnsupportedProtocolVersions.Equal(state.UnsupportedProtocolVersions) {
+ hasChanges = true
+ }
+ if !data.UnsupportedCipherSuites.Equal(state.UnsupportedCipherSuites) {
+ hasChanges = true
+ }
+ if !data.FailureMode.Equal(state.FailureMode) {
+ hasChanges = true
+ }
+ if !data.RsaKeyPairModulus.Equal(state.RsaKeyPairModulus) {
+ hasChanges = true
+ }
+ if !data.EcKeyType.Equal(state.EcKeyType) {
+ hasChanges = true
+ }
+ if !data.CertificateLifetimeInDays.Equal(state.CertificateLifetimeInDays) {
+ hasChanges = true
+ }
+ if !data.MinimalTlsVersion.Equal(state.MinimalTlsVersion) {
+ hasChanges = true
+ }
+ if !data.UseDefaultCaCertBundle.Equal(state.UseDefaultCaCertBundle) {
+ hasChanges = true
+ }
+ return hasChanges
+}
+
+func (data *TLSSSLDecryptionPolicyDefinition) updateVersions(ctx context.Context, state *TLSSSLDecryptionPolicyDefinition) {
+ for i := range data.UrlRules {
+ dataKeys := [...]string{}
+ stateIndex := -1
+ for j := range state.UrlRules {
+ stateKeys := [...]string{}
+ if dataKeys == stateKeys {
+ stateIndex = j
+ break
+ }
+ }
+ if stateIndex > -1 {
+ data.UrlRules[i].TlsSslProfileVersion = state.UrlRules[stateIndex].TlsSslProfileVersion
+ } else {
+ data.UrlRules[i].TlsSslProfileVersion = types.Int64Null()
+ }
+ }
+}
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index 5eec455e..11cf70df 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -306,6 +306,7 @@ func (p *SdwanProvider) Resources(ctx context.Context) []func() resource.Resourc
NewSLAClassPolicyObjectResource,
NewStandardCommunityListPolicyObjectResource,
NewTLOCListPolicyObjectResource,
+ NewTLSSSLDecryptionPolicyDefinitionResource,
NewTLSSSLProfilePolicyDefinitionResource,
NewTrafficDataPolicyDefinitionResource,
NewURLFilteringPolicyDefinitionResource,
@@ -384,6 +385,7 @@ func (p *SdwanProvider) DataSources(ctx context.Context) []func() datasource.Dat
NewSLAClassPolicyObjectDataSource,
NewStandardCommunityListPolicyObjectDataSource,
NewTLOCListPolicyObjectDataSource,
+ NewTLSSSLDecryptionPolicyDefinitionDataSource,
NewTLSSSLProfilePolicyDefinitionDataSource,
NewTrafficDataPolicyDefinitionDataSource,
NewURLFilteringPolicyDefinitionDataSource,
diff --git a/internal/provider/resource_sdwan_tls_ssl_decryption_policy_definition.go b/internal/provider/resource_sdwan_tls_ssl_decryption_policy_definition.go
new file mode 100644
index 00000000..87d9c725
--- /dev/null
+++ b/internal/provider/resource_sdwan_tls_ssl_decryption_policy_definition.go
@@ -0,0 +1,389 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Mozilla Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://mozilla.org/MPL/2.0/
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: MPL-2.0
+
+// Code generated by "gen/generator.go"; DO NOT EDIT.
+
+package provider
+
+import (
+ "context"
+ "fmt"
+ "strings"
+ "sync"
+
+ "github.com/CiscoDevNet/terraform-provider-sdwan/internal/provider/helpers"
+ "github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+ "github.com/hashicorp/terraform-plugin-framework/path"
+ "github.com/hashicorp/terraform-plugin-framework/resource"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/schema/validator"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+ "github.com/hashicorp/terraform-plugin-log/tflog"
+ "github.com/netascode/go-sdwan"
+)
+
+// Ensure provider defined types fully satisfy framework interfaces
+var _ resource.Resource = &TLSSSLDecryptionPolicyDefinitionResource{}
+var _ resource.ResourceWithImportState = &TLSSSLDecryptionPolicyDefinitionResource{}
+
+func NewTLSSSLDecryptionPolicyDefinitionResource() resource.Resource {
+ return &TLSSSLDecryptionPolicyDefinitionResource{}
+}
+
+type TLSSSLDecryptionPolicyDefinitionResource struct {
+ client *sdwan.Client
+ updateMutex *sync.Mutex
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+ resp.TypeName = req.ProviderTypeName + "_tls_ssl_decryption_policy_definition"
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
+ resp.Schema = schema.Schema{
+ // This description is used by the documentation generator and the language server.
+ MarkdownDescription: helpers.NewAttributeDescription("This resource can manage a TLS SSL Decryption Policy Definition .").String,
+
+ Attributes: map[string]schema.Attribute{
+ "id": schema.StringAttribute{
+ MarkdownDescription: "The id of the object",
+ Computed: true,
+ PlanModifiers: []planmodifier.String{
+ stringplanmodifier.UseStateForUnknown(),
+ },
+ },
+ "version": schema.Int64Attribute{
+ MarkdownDescription: "The version of the object",
+ Computed: true,
+ },
+ "name": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("The name of the policy definition.").String,
+ Required: true,
+ },
+ "description": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("The description of the policy definition.").String,
+ Required: true,
+ },
+ "mode": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("The policy mode").AddStringEnumDescription("security", "unified").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("security", "unified"),
+ },
+ },
+ "default_action": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Default action (applies when 'mode' set to 'security')").AddStringEnumDescription("noIntent", "doNotDecrypt", "decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("noIntent", "doNotDecrypt", "decrypt"),
+ },
+ },
+ "network_rules": schema.ListNestedAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("List of network rules (applies when 'mode' set to 'security')").String,
+ Optional: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "base_action": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Rule base action").AddStringEnumDescription("noIntent", "doNotDecrypt", "decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("noIntent", "doNotDecrypt", "decrypt"),
+ },
+ },
+ "rule_id": schema.Int64Attribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Rule ID").String,
+ Optional: true,
+ },
+ "rule_name": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Rule name").String,
+ Optional: true,
+ },
+ "rule_type": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Rule type").String,
+ Optional: true,
+ },
+ "source_and_destination_configuration": schema.ListNestedAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("List of network source / destination configuration").String,
+ Optional: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "option": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("source / destination option").AddStringEnumDescription("sourceIp", "sourcePort", "destinationVpn", "destinationIp", "destinationPort").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("sourceIp", "sourcePort", "destinationVpn", "destinationIp", "destinationPort"),
+ },
+ },
+ "value": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("source / destination option target").String,
+ Optional: true,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ "url_rules": schema.ListNestedAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("List of url rules (applies when 'mode' set to 'security')").String,
+ Optional: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "rule_name": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Country").String,
+ Optional: true,
+ },
+ "target_vpns": schema.ListAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("List of VPN IDs").String,
+ ElementType: types.StringType,
+ Optional: true,
+ },
+ "tls_ssl_profile_policy_id": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("TLS SSL Profile Policy ID").String,
+ Optional: true,
+ },
+ "tls_ssl_profile_version": schema.Int64Attribute{
+ MarkdownDescription: helpers.NewAttributeDescription("TLS SSL Profile Policy version").String,
+ Optional: true,
+ },
+ },
+ },
+ },
+ "ssl_decryption_enabled": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("SSL decryption enabled").String,
+ Optional: true,
+ },
+ "expired_certificate": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Expired certificate action").AddStringEnumDescription("drop", "decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("drop", "decrypt"),
+ },
+ },
+ "untrusted_certificate": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Untrusted certificate action").AddStringEnumDescription("drop", "decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("drop", "decrypt"),
+ },
+ },
+ "certificate_revocation_status": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Certificate revocation status").AddStringEnumDescription("ocsp", "none").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("ocsp", "none"),
+ },
+ },
+ "unknown_revocation_status": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Unknown revocation status action").AddStringEnumDescription("drop", "decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("drop", "decrypt"),
+ },
+ },
+ "unsupported_protocol_versions": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Unsupported protocol versions action").AddStringEnumDescription("drop", "no-decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("drop", "no-decrypt"),
+ },
+ },
+ "unsupported_cipher_suites": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Unsupported cipher suites action").AddStringEnumDescription("drop", "no-decrypt").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("drop", "no-decrypt"),
+ },
+ },
+ "failure_mode": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Failure mode").AddStringEnumDescription("open", "close").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("open", "close"),
+ },
+ },
+ "rsa_key_pair_modulus": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("RSA key pair modules").AddStringEnumDescription("1024", "2048", "4096").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("1024", "2048", "4096"),
+ },
+ },
+ "ec_key_type": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("EC Key Type").AddStringEnumDescription("P256", "P384", "P521").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("P256", "P384", "P521"),
+ },
+ },
+ "certificate_lifetime_in_days": schema.Int64Attribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Certificate Lifetime(in Days)").String,
+ Optional: true,
+ },
+ "minimal_tls_version": schema.StringAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Minimal TLS Version").AddStringEnumDescription("TLSv1.0", "TLSv1.1", "TLSv1.2").String,
+ Optional: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf("TLSv1.0", "TLSv1.1", "TLSv1.2"),
+ },
+ },
+ "use_default_ca_cert_bundle": schema.BoolAttribute{
+ MarkdownDescription: helpers.NewAttributeDescription("Use default CA certificate bundle").String,
+ Optional: true,
+ },
+ },
+ }
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Configure(_ context.Context, req resource.ConfigureRequest, _ *resource.ConfigureResponse) {
+ if req.ProviderData == nil {
+ return
+ }
+
+ r.client = req.ProviderData.(*SdwanProviderData).Client
+ r.updateMutex = req.ProviderData.(*SdwanProviderData).UpdateMutex
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+ var plan TLSSSLDecryptionPolicyDefinition
+
+ // Read plan
+ diags := req.Plan.Get(ctx, &plan)
+ resp.Diagnostics.Append(diags...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Beginning Create", plan.Name.ValueString()))
+
+ // Create object
+ body := plan.toBody(ctx)
+
+ res, err := r.client.Post("/template/policy/definition/ssldecryption/", body)
+ if err != nil {
+ resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Failed to configure object (POST), got error: %s, %s", err, res.String()))
+ return
+ }
+
+ plan.Id = types.StringValue(res.Get("definitionId").String())
+ plan.Version = types.Int64Value(0)
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Create finished successfully", plan.Name.ValueString()))
+
+ diags = resp.State.Set(ctx, &plan)
+ resp.Diagnostics.Append(diags...)
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+ var state TLSSSLDecryptionPolicyDefinition
+
+ // Read state
+ diags := req.State.Get(ctx, &state)
+ resp.Diagnostics.Append(diags...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Beginning Read", state.Name.String()))
+
+ res, err := r.client.Get("/template/policy/definition/ssldecryption/" + state.Id.ValueString())
+ if strings.Contains(res.Get("error.message").String(), "Failed to find specified resource") || strings.Contains(res.Get("error.message").String(), "Invalid template type") || strings.Contains(res.Get("error.message").String(), "Template definition not found") {
+ resp.State.RemoveResource(ctx)
+ return
+ } else if err != nil {
+ resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Failed to retrieve object (GET), got error: %s, %s", err, res.String()))
+ return
+ }
+
+ state.fromBody(ctx, res)
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Read finished successfully", state.Name.ValueString()))
+
+ diags = resp.State.Set(ctx, &state)
+ resp.Diagnostics.Append(diags...)
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+ var plan, state TLSSSLDecryptionPolicyDefinition
+
+ // Read plan
+ diags := req.Plan.Get(ctx, &plan)
+ resp.Diagnostics.Append(diags...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+ // Read state
+ diags = req.State.Get(ctx, &state)
+ resp.Diagnostics.Append(diags...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Beginning Update", plan.Name.ValueString()))
+
+ if plan.hasChanges(ctx, &state) {
+ body := plan.toBody(ctx)
+ r.updateMutex.Lock()
+ res, err := r.client.Put("/template/policy/definition/ssldecryption/"+plan.Id.ValueString(), body)
+ r.updateMutex.Unlock()
+ if err != nil {
+ if strings.Contains(res.Get("error.message").String(), "Failed to acquire lock") {
+ resp.Diagnostics.AddWarning("Client Warning", "Failed to modify policy due to policy being locked by another change. Policy changes will not be applied. Re-run 'terraform apply' to try again.")
+ } else {
+ resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Failed to configure object (PUT), got error: %s, %s", err, res.String()))
+ return
+ }
+ }
+ } else {
+ tflog.Debug(ctx, fmt.Sprintf("%s: No changes detected", plan.Name.ValueString()))
+ }
+ plan.Version = types.Int64Value(state.Version.ValueInt64() + 1)
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Update finished successfully", plan.Name.ValueString()))
+
+ diags = resp.State.Set(ctx, &plan)
+ resp.Diagnostics.Append(diags...)
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+ var state TLSSSLDecryptionPolicyDefinition
+
+ // Read state
+ diags := req.State.Get(ctx, &state)
+ resp.Diagnostics.Append(diags...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Beginning Delete", state.Name.ValueString()))
+
+ res, err := r.client.Delete("/template/policy/definition/ssldecryption/" + state.Id.ValueString())
+ if err != nil {
+ resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Failed to delete object (DELETE), got error: %s, %s", err, res.String()))
+ return
+ }
+
+ tflog.Debug(ctx, fmt.Sprintf("%s: Delete finished successfully", state.Name.ValueString()))
+
+ resp.State.RemoveResource(ctx)
+}
+
+func (r *TLSSSLDecryptionPolicyDefinitionResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+ resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+}
diff --git a/internal/provider/resource_sdwan_tls_ssl_decryption_policy_definition_test.go b/internal/provider/resource_sdwan_tls_ssl_decryption_policy_definition_test.go
new file mode 100644
index 00000000..38e775f7
--- /dev/null
+++ b/internal/provider/resource_sdwan_tls_ssl_decryption_policy_definition_test.go
@@ -0,0 +1,97 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Mozilla Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://mozilla.org/MPL/2.0/
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: MPL-2.0
+
+// Code generated by "gen/generator.go"; DO NOT EDIT.
+
+package provider
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccSdwanTLSSSLDecryptionPolicyDefinition(t *testing.T) {
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccSdwanTLSSSLDecryptionPolicyDefinitionConfig,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "name", "Example"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "description", "My description"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "mode", "security"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "default_action", "noIntent"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.base_action", "doNotDecrypt"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.rule_id", "4"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.rule_name", "Example"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.rule_type", "sslDecryption"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.source_and_destination_configuration.0.option", "destinationIp"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "network_rules.0.source_and_destination_configuration.0.value", "10.0.0.0/12"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "ssl_decryption_enabled", "true"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "expired_certificate", "drop"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "untrusted_certificate", "drop"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "certificate_revocation_status", "none"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "unknown_revocation_status", "drop"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "unsupported_protocol_versions", "drop"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "unsupported_cipher_suites", "drop"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "failure_mode", "close"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "rsa_key_pair_modulus", "2048"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "ec_key_type", "P384"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "certificate_lifetime_in_days", "1"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "minimal_tls_version", "TLSv1.2"),
+ resource.TestCheckResourceAttr("sdwan_tls_ssl_decryption_policy_definition.test", "use_default_ca_cert_bundle", "true"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccSdwanTLSSSLDecryptionPolicyDefinitionConfig = `
+
+
+resource "sdwan_tls_ssl_decryption_policy_definition" "test" {
+ name = "Example"
+ description = "My description"
+ mode = "security"
+ default_action = "noIntent"
+ network_rules = [{
+ base_action = "doNotDecrypt"
+ rule_id = 4
+ rule_name = "Example"
+ rule_type = "sslDecryption"
+ source_and_destination_configuration = [{
+ option = "destinationIp"
+ value = "10.0.0.0/12"
+ }]
+ }]
+ ssl_decryption_enabled = "true"
+ expired_certificate = "drop"
+ untrusted_certificate = "drop"
+ certificate_revocation_status = "none"
+ unknown_revocation_status = "drop"
+ unsupported_protocol_versions = "drop"
+ unsupported_cipher_suites = "drop"
+ failure_mode = "close"
+ rsa_key_pair_modulus = "2048"
+ ec_key_type = "P384"
+ certificate_lifetime_in_days = 1
+ minimal_tls_version = "TLSv1.2"
+ use_default_ca_cert_bundle = true
+}
+`
diff --git a/templates/guides/changelog.md.tmpl b/templates/guides/changelog.md.tmpl
index 4e58792f..9c06565d 100644
--- a/templates/guides/changelog.md.tmpl
+++ b/templates/guides/changelog.md.tmpl
@@ -14,6 +14,7 @@ description: |-
- Add `sdwan_tls_ssl_profile_policy_definition` resource and data source
- BREAKING CHANGE: Rename `timers_spf_initial_holf` attribute of `sdwan_cisco_ospf_feature_template` resource and data source to `timers_spf_initial_hold`
- Fix issue with setting an `omp_tag` match condition using a `sdwan_route_policy_definition` resource
+- Add `sdwan_tls_ssl_decryption_policy_definition` resource and data source
## 0.2.7