Fix #339: add snmp v3 support

CHANGELOG.md

@@ -3,6 +3,12 @@
 
 ENHANCEMENTS:
 
+* resource/`junos_snmp`: add `engine_id` argument (Fixes parts of #339)
+* add `junos_snmp_v3_community` resource
+* add `junos_snmp_v3_usm_user` resource (Fixes parts of #339)
+* add `junos_snmp_v3_vacm_accessgroup` resource (Fixes parts of #339)
+* add `junos_snmp_v3_vacm_securitytogroup` resource (Fixes parts of #339)
+
 BUG FIXES:
 
 ## 1.24.1 (February 11, 2022)

docs/resources/snmp.md

@@ -36,6 +36,9 @@ The following arguments are supported:
   Contact information for administrator.
 - **description** (Optional, String)  
   System description.
+- **engine_id** (Optional, String)  
+  SNMPv3 engine ID.  
+  Need to be `use-default-ip-address`, `use-mac-address` or `local ...`
 - **filter_duplicates** (Optional, Boolean)  
   Filter requests with duplicate source address/port and request ID.
 - **filter_interfaces** (Optional, Set of String)  

docs/resources/snmp_v3_community.md

@@ -0,0 +1,47 @@
+---
+page_title: "Junos: junos_snmp_v3_community"
+---
+
+# junos_snmp_v3_community
+
+Provides a snmp v3 community resource.
+
+## Example Usage
+
+```hcl
+# Add a snmp v3 community
+resource junos_snmp_v3_community "index1" {
+  community_index = "index1"
+  security_name   = "john"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- **community_index** (Required, String, Forces new resource)  
+  Unique index value in this community table entry.
+- **security_name** (Required, String)  
+  Security name used when performing access control.  
+- **community_name** (Optional, String)  
+  SNMPv1/v2c community name (default is same as community-index).
+- **context** (Optional, String)  
+  Context used when performing access control.
+- **tag** (Optional, String)  
+  Tag identifier for set of targets allowed to use this community string.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+- **id** (String)  
+  An identifier for the resource with format `<community_index>`.
+
+## Import
+
+Junos snmp v3 community can be imported using an id made up of `<community_index>`, e.g.
+
+```shell
+$ terraform import junos_snmp_v3_community.index1 index1
+```

docs/resources/snmp_v3_usm_user.md

@@ -0,0 +1,88 @@
+---
+page_title: "Junos: junos_snmp_v3_usm_user"
+---
+
+# junos_snmp_v3_usm_user
+
+Provides a snmp v3 USM user resource.
+
+## Example Usage
+
+```hcl
+# Add a snmp v3 usm local-engine user
+resource junos_snmp_v3_usm_user "user1" {
+  name = "user1"
+}
+# Add a snmp v3 usm remote-engine user
+resource junos_snmp_v3_usm_user "user2" {
+  name        = "user2"
+  engine_type = "remote"
+  engine_id   = "800007E5804089071BC6D10A41"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- **name** (Required, String, Forces new resource)  
+  The name of snmp v3 USM user.
+- **engine_type** (Optional, String, Forces new resource)  
+  Local or remote engine user.  
+  Need to be `local` or `remote`.  
+  Defaults to `local`.
+- **engine_id** (Optional, String, Forces new resource)  
+  Remote engine id (Hex format).
+- **authentication_key** (Optional, String, Sensitive)  
+  Encrypted key used for user authentication.  
+  If the encrypted key is present on Junos device and `authentication_password` is used
+  in Terraform config, the value of this argument is left blank to avoid conflict.  
+  Conflict with `authentication_password`.
+- **authentication_password** (Optional, String, Sensitive)  
+  User's authentication password.  
+  Due to encryption, when Terraform refreshes the resource, the password can't be read,
+  so the provider only checks if it exists and can't detect a change of the password itself
+  outside of Terraform.  
+  To be able to detect a change of the password outside of Terraform,
+  preferably use `authentication_key` argument.  
+  Conflict with `authentication_key`.
+- **authentication_type** (Optional, String)  
+  Define authentication type.  
+  Need to be `authentication-md5`, `authentication-sha` or `authentication-none`.  
+  Defaults to `authentication-none`.  
+  `authentication_key` or `authentication_password` need to set when `authentication_type` != `authentication-none`.
+- **privacy_key** (Optional, String, Sensitive)  
+  Encrypted key used for user privacy.  
+  If the encrypted key is present on Junos device and `privacy_password` is used
+  in Terraform config, the value of this argument is left blank to avoid conflict.  
+  Conflict with `privacy_password`.
+- **privacy_password** (Optional, String, Sensitive)  
+  User's privacy password.  
+  Due to encryption, when Terraform refreshes the resource, the password can't be read,
+  so the provider only checks if it exists and can't detect a change of the password itself
+  outside of Terraform.  
+  To be able to detect a change of the password outside of Terraform,
+  preferably use `privacy_key` argument.  
+  Conflict with `privacy_key`.
+- **privacy_type** (Optional, String)  
+  Define privacy type.  
+  Need to be `privacy-3des`, `privacy-aes128`, `privacy-des` or `privacy-none`.  
+  Defaults to `privacy-none`.  
+  `privacy_key` or `privacy_password` need to set when `privacy_type` != `privacy-none`.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+- **id** (String)  
+  An identifier for the resource with format `local_-_<name>` or `remote_-_<engine_id>_-_<name>`.
+
+## Import
+
+Junos snmp v3 USM user can be imported using an id made up
+of `local_-_<name>` or `remote_-_<engine_id>_-_<name>`, e.g.
+
+```shell
+$ terraform import junos_snmp_v3_usm_user.user1 local_-_user1
+$ terraform import junos_snmp_v3_usm_user.user2 remote_-_800007E5804089071BC6D10A41_-_user2
+```

docs/resources/snmp_v3_vacm_accessgroup.md

@@ -0,0 +1,75 @@
+---
+page_title: "Junos: junos_snmp_v3_vacm_accessgroup"
+---
+
+# junos_snmp_v3_vacm_accessgroup
+
+Provides a snmp v3 VACM access group resource.
+
+## Example Usage
+
+```hcl
+# Add a snmpv3 VACM access group
+resource junos_snmp_v3_vacm_accessgroup "group1" {
+  name = "group1"
+  default_context_prefix {
+    model     = "any"
+    level     = "none"
+    read_view = "all"
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+-> **Note:** At least one of `context_prefix` or `default_context_prefix` need to be set
+
+- **name** (Required, String, Forces new resource)  
+  SNMPv3 VACM group name.
+- **context_prefix** (Optional, Block List)  
+  For each prefix of context-prefix access configuration
+  - **prefix** (Required, String)  
+    SNMPv3 VACM context prefix.
+  - **access_config** (Optional, Block Set)  
+    For each combination of `model` and `level`, define context-prefix access configuration.  
+    See [below for nested schema](#access_config-or-default_context_prefix-arguments).
+- **default_context_prefix** (Optional, Block Set)  
+  For each combination of `model` and `level`, define default context-prefix access configuration.  
+  See [below for nested schema](#access_config-or-default_context_prefix-arguments).
+
+---
+
+### access_config or default_context_prefix arguments
+
+- **model** (Required, String)  
+  Security model access configuration.  
+  Need to be `any`, `usm`, `v1` or `v2c`.
+- **level** (Required, String)  
+  Security level access configuration.  
+  Need to be `authentication`, `none` or `privacy`.
+- **context_match** (Optional, String)  
+  Type of match to perform on context-prefix.  
+  Need to be `exact` or `prefix`.
+- **notify_view** (Optional, String)  
+  View used to notifications.
+- **read_view** (Optional, String)  
+  View used for read access.
+- **write_view** (Optional, String)  
+  View used for write access.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+- **id** (String)  
+  An identifier for the resource with format `<name>`.
+
+## Import
+
+Junos snmp v3 VACM access group can be imported using an id made up of `<name>`, e.g.
+
+```shell
+$ terraform import junos_snmp_v3_vacm_accessgroup.group1 group1
+```

docs/resources/snmp_v3_vacm_securitytogroup.md

@@ -0,0 +1,46 @@
+---
+page_title: "Junos: junos_snmp_v3_vacm_securitytogroup"
+---
+
+# junos_snmp_v3_vacm_securitytogroup
+
+Provides a snmp v3 VACM security name assignment to group resource.
+
+## Example Usage
+
+```hcl
+# Assigns security names to group
+resource junos_snmp_v3_vacm_securitytogroup "read" {
+  model = "usm"
+  name  = "read"
+  group = "group1"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- **model** (Required, String, Forces new resource)  
+  Security model context for group assignment.  
+  Need to be `usm`, `v1` or `v2c`.
+- **name** (Required, String, Forces new resource)  
+  Security name to assign to group.
+- **group** (Required, String)  
+  Group to which to assign security name.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+- **id** (String)  
+  An identifier for the resource with format `<model>_-_<name>`.
+
+## Import
+
+Junos snmp v3 VACM security name assignment to group can be imported using an id made up of
+`<model>_-_<name>`, e.g.
+
+```shell
+$ terraform import junos_snmp_v3_vacm_securitytogroup.read usm_-_read
+```

junos/constants.go

@@ -34,4 +34,6 @@ const (
 	noLoopbackWord        = "no-loopback"
 	actionCos             = "class-of-service"
 	actionMarkDiffServ    = "mark-diffserv"
+	localWord             = "local"
+	privacyNoneWord       = "privacy-none"
 )

junos/func_common.go

@@ -277,6 +277,28 @@ func copyAndRemoveItemMapList(identifier string,
 	return list
 }
 
+func copyAndRemoveItemMapList2(identifier, identifier2 string,
+	m map[string]interface{}, list []map[string]interface{}) []map[string]interface{} {
+	if m[identifier] == nil {
+		panic(fmt.Errorf("internal error: can't find identifier %s in map", identifier))
+	}
+	if m[identifier2] == nil {
+		panic(fmt.Errorf("internal error: can't find identifier %s in map", identifier2))
+	}
+	for i, element := range list {
+		if element[identifier] == m[identifier] && element[identifier2] == m[identifier2] {
+			for key, value := range element {
+				m[key] = value
+			}
+			list = append(list[:i], list[i+1:]...)
+
+			break
+		}
+	}
+
+	return list
+}
+
 func checkCompatibilitySecurity(jnprSess *NetconfObject) bool {
 	if strings.HasPrefix(strings.ToLower(jnprSess.SystemInformation.HardwareModel), "srx") {
 		return true
@@ -343,3 +365,29 @@ func validateIsIPv6Address(i interface{}, k string) (warnings []string, errors [
 
 	return warnings, errors
 }
+
+func stringLenBetweenSensitive(min, max int) schema.SchemaValidateDiagFunc {
+	return func(i interface{}, path cty.Path) diag.Diagnostics {
+		var diags diag.Diagnostics
+		v, ok := i.(string)
+		if !ok {
+			diags = append(diags, diag.Diagnostic{
+				Severity:      diag.Error,
+				Summary:       "expected type to be string",
+				AttributePath: path,
+			})
+
+			return diags
+		}
+
+		if len(v) < min || len(v) > max {
+			diags = append(diags, diag.Diagnostic{
+				Severity:      diag.Error,
+				Summary:       fmt.Sprintf("expected length to be in the range (%d - %d), got %d", min, max, len(v)),
+				AttributePath: path,
+			})
+		}
+
+		return diags
+	}
+}

junos/provider.go

@@ -188,6 +188,10 @@ func Provider() *schema.Provider {
 			"junos_snmp":                                                 resourceSnmp(),
 			"junos_snmp_clientlist":                                      resourceSnmpClientlist(),
 			"junos_snmp_community":                                       resourceSnmpCommunity(),
+			"junos_snmp_v3_community":                                    resourceSnmpV3Community(),
+			"junos_snmp_v3_usm_user":                                     resourceSnmpV3UsmUser(),
+			"junos_snmp_v3_vacm_accessgroup":                             resourceSnmpV3VacmAccessGroup(),
+			"junos_snmp_v3_vacm_securitytogroup":                         resourceSnmpV3VacmSecurityToGroup(),
 			"junos_snmp_view":                                            resourceSnmpView(),
 			"junos_static_route":                                         resourceStaticRoute(),
 			"junos_switch_options":                                       resourceSwitchOptions(),

junos/resource_eventoptions_policy.go

@@ -1145,17 +1145,9 @@ func readEventoptionsPolicyThen(then map[string]interface{}, itemTrim string) er
 			"transfer_delay": -1,
 			"user_name":      "",
 		}
-		for i, element := range then["upload"].([]map[string]interface{}) {
-			if element["filename"] == upload["filename"] && element["destination"] == upload["destination"] {
-				for key, value := range element {
-					upload[key] = value
-				}
-				then["upload"] = append(then["upload"].([]map[string]interface{})[:i],
-					then["upload"].([]map[string]interface{})[i+1:]...)
 
-				break
-			}
-		}
+		then["upload"] = copyAndRemoveItemMapList2(
+			"filename", "destination", upload, then["upload"].([]map[string]interface{}))
 		itemTrimUpload := strings.TrimPrefix(
 			itemTrim, "then upload filename "+itemTrimSplit[3]+" destination "+itemTrimSplit[5]+" ")
 		switch {