chore(release): 1.52.0
semantic-release-bot committed May 28, 2024
1 parent 32fc976 commit b3dae0a
Showing 6 changed files with 174 additions and 8 deletions.
12 changes: 12 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,15 @@
## [1.52.0](https://github.com/terraform-routeros/terraform-provider-routeros/compare/v1.51.0...v1.52.0) (2024-05-28)


### Features

* **firewall/raw:** Add new resource ([90eb2fa](https://github.com/terraform-routeros/terraform-provider-routeros/commit/90eb2fa762a92e61bdb408095f7c2ef5a1c03e8e)), closes [#462](https://github.com/terraform-routeros/terraform-provider-routeros/issues/462)


### Bug Fixes

* **dhcp-server:** Remove default values ([#470](https://github.com/terraform-routeros/terraform-provider-routeros/issues/470)) ([884e464](https://github.com/terraform-routeros/terraform-provider-routeros/commit/884e464d7f16f016b99c12371c2cbfca84a149fb)), closes [#466](https://github.com/terraform-routeros/terraform-provider-routeros/issues/466)

## [1.51.0](https://github.com/terraform-routeros/terraform-provider-routeros/compare/v1.50.0...v1.51.0) (2024-05-21)


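Review bot: the dhcp-server entry "Remove default values" (#470, closes #466) does not say which attributes lost their defaults or whether existing configurations will show a plan diff after upgrading; a one-line migration note in this entry would spare users a surprise on their first `terraform plan` against 1.52.0. The new `comment` argument that this commit adds to `routeros_interface_list_member` has no changelog line at all.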
21 changes: 20 additions & 1 deletion docs/data-sources/x509.md
@@ -1,7 +1,26 @@
# routeros_x509 (Data Source)



## Example Usage
```terraform
# You can keep indents in front of the content lines of the certificate.
# The normalized certificate is available through the `pem` attribute
data "routeros_x509" "cert" {
data = <<EOT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOT
}
```

<!-- schema generated by tfplugindocs -->
## Schema
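Review bot: the data source still has no description (the blank lines under `# routeros_x509 (Data Source)`), and the example parses the certificate but never uses the result. Since `pem` exists precisely because the input may be indented, showing it consumed, for instance `contents = data.routeros_x509.cert.pem` in a `routeros_file`, would make the point of the normalization concrete; the system_certificate.md example in this same commit does exactly that and could simply be referenced from here.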
74 changes: 74 additions & 0 deletions docs/resources/firewall_raw.md
@@ -0,0 +1,74 @@
# routeros_firewall_raw (Resource)




<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `action` (String) Action to take if a packet is matched by the rule
- `chain` (String) Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.

### Optional

- `address_list` (String) Name of the address list used in 'add-dst-to-address-list' and 'add-src-to-address-list' actions.
- `address_list_timeout` (String) Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions.
- `comment` (String)
- `content` (String) Match packets that contain specified text.
- `disabled` (Boolean)
- `dscp` (Number) Matches DSCP IP header field.
- `dst_address` (String) Matches packets which destination is equal to specified IP or falls into specified IP range.
- `dst_address_list` (String) Matches destination address of a packet against user-defined address list.
- `dst_address_type` (String) Matches destination address type.
- `dst_limit` (String) Matches packets until a given rate is exceeded.
- `dst_port` (String) List of destination port numbers or port number ranges.
- `fragment` (Boolean) Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet
- `hotspot` (String) Matches packets received from HotSpot clients against various HotSpot matchers.
- `icmp_options` (String) Matches ICMP type: code fields.
- `in_bridge_port` (String) Actual interface the packet has entered the router if the incoming interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings.
- `in_bridge_port_list` (String) Set of interfaces defined in interface list. Works the same as in-bridge-port.
- `in_interface` (String) Interface the packet has entered the router.
- `in_interface_list` (String) Set of interfaces defined in interface list. Works the same as in-interface.
- `ingress_priority` (Number) Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP, or MPLS EXP bit.
- `ipsec_policy` (String) Matches the policy used by IPsec. Value is written in the following format: direction, policy.
- `ipv4_options` (String) Matches IPv4 header options.
- `jump_target` (String) Name of the target chain to jump to. Applicable only if action=jump.
- `limit` (String) Matches packets up to a limited rate (packet rate or bit rate). A rule using this matcher will match until this limit is reached. Parameters are written in the following format: rate[/time],burst:mode.
- `log` (Boolean) Add a message to the system log.
- `log_prefix` (String) Adds specified text at the beginning of every log message. Applicable if action=log or log=yes configured.
- `nth` (String) Matches every nth packet: nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rule
- `out_bridge_port` (String) Actual interface the packet is leaving the router if the outgoing interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings.
- `out_bridge_port_list` (String) Set of interfaces defined in interface list. Works the same as out-bridge-port.
- `out_interface` (String) Interface the packet is leaving the router.
- `out_interface_list` (String) Set of interfaces defined in interface list. Works the same as out-interface.
- `packet_mark` (String) Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet.
- `packet_size` (String) Matches packets of specified size or size range in bytes.
- `per_connection_classifier` (String) PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream.
- `place_before` (String) Before which position the rule will be inserted.
> Please check the effect of this option, as it does not work as you think!
> Best way to use in conjunction with a data source. See [example](../data-sources/firewall.md#example-usage).
- `port` (String) Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP
- `priority` (Number) Matches the packet's priority after a new priority has been set. Priority may be derived from VLAN, WMM, DSCP, MPLS EXP bit, or from the priority that has been set using the set-priority action.
- `protocol` (String) Matches particular IP protocol specified by protocol name or number.
- `psd` (String) Attempts to detect TCP and UDP scans. Parameters are in the following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight.
- `random` (Number) Matches packets randomly with a given probability.
- `src_address` (String) Matches packets which source is equal to specified IP or falls into a specified IP range.
- `src_address_list` (String) Matches source address of a packet against user-defined address list.
- `src_address_type` (String) Matches source address type.
- `src_mac_address` (String) Matches source MAC address of the packet.
- `src_port` (String) List of source ports and ranges of source ports. Applicable only if a protocol is TCP or UDP.
- `tcp_flags` (String) Matches specified TCP flags.
- `tcp_mss` (String) Matches TCP MSS value of an IP packet.
- `time` (String) Allows to create a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date.
- `tls_host` (String) Allows matching HTTPS traffic based on TLS SNI hostname.
- `ttl` (String) Matches packets TTL value.

### Read-Only

- `dynamic` (Boolean) Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
- `id` (String) The ID of this resource.
- `invalid` (Boolean)


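Review bot: this new page has an empty description and no `## Example Usage` section, unlike the other resource pages touched in this commit. Two attribute descriptions also depend on values the page never lists: `action` is described only as "Action to take if a packet is matched by the rule" without enumerating the accepted values, even though `jump_target`, `log_prefix` and `address_list` each refer to specific actions (`jump`, `log`, `add-dst-to-address-list`, `add-src-to-address-list`); and the `place_before` note says the option "does not work as you think" without saying what it actually does. Listing the `action` values and stating the real `place_before` semantics would make the page usable without reading the provider source.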
1 change: 1 addition & 0 deletions docs/resources/interface_list_member.md
@@ -19,6 +19,7 @@ resource "routeros_interface_list_member" "list_member" {

### Optional

- `comment` (String)
- `disabled` (Boolean)

### Read-Only
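Review bot: the new `comment` argument is added with an empty description, as the existing `disabled` already is; a one-liner for each would be enough for tfplugindocs to render something useful. The CHANGELOG hunk in this commit also does not mention the new argument.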
72 changes: 66 additions & 6 deletions docs/resources/system_certificate.md
@@ -1,26 +1,38 @@
# routeros_system_certificate (Resource)


Certificate resource management consists of two independent processes:
* key creation and certificate signing request (`key` + `csr`)
* certificate signing by the issuer (`crt`)

For a complete certificate creation cycle, both of the above steps must be performed. In this case the `sign {}` block must be specified in the configuration.

If you need to import the current state of the certificate resource, then do not specify the `sign{}` block.

Importing an external certificate is also done without specifying the `sign{}` block, because the certificate should have already been signed by the issuer at this step.

---

## Example Usage
```terraform
resource "routeros_system_certificate" "root_ca" {
name = "Test-Root-CA"
common_name = "RootCA"
key_usage = ["key-cert-sign", "crl-sign"]
trusted = true
// Sign Root CA.
# Sign Root CA.
sign {
}
}
// digitalSignature: Used for entity and data origin authentication with integrity.
// keyEncipherment: Used to encrypt symmetric key, which is then transferred to target.
// keyAgreement: Enables use of key agreement to establish symmetric key with target.
# digitalSignature: Used for entity and data origin authentication with integrity.
# keyEncipherment: Used to encrypt symmetric key, which is then transferred to target.
# keyAgreement: Enables use of key agreement to establish symmetric key with target.
resource "routeros_system_certificate" "server_crt" {
name = "Server-Certificate"
common_name = "server.crt"
// KUs: igitalSignature, keyEncipherment or keyAgreement
# KUs: igitalSignature, keyEncipherment or keyAgreement
key_usage = ["digital-signature", "key-encipherment", "tls-server"]
sign {
ca = routeros_system_certificate.root_ca.name
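Review bot: the replaced comment `# KUs: igitalSignature, keyEncipherment or keyAgreement` carries the `igitalSignature` typo over from the `//` version; since the line is being rewritten anyway, fix it to `digitalSignature`. The new introduction also spells the block two ways (`sign {}` in the third paragraph, `sign{}` in the two that follow); pick one form.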
@@ -31,7 +43,7 @@ resource "routeros_system_certificate" "client_crt" {
name = "Client-Certificate"
common_name = "client.crt"
key_size = "prime256v1"
// KUs: digitalSignature and/or keyAgreement
# KUs: digitalSignature and/or keyAgreement
key_usage = ["digital-signature", "key-agreement", "tls-client"]
sign {
ca = routeros_system_certificate.root_ca.name
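Review bot: `key_size = "prime256v1"` appears to select an EC curve through an attribute named `key_size`, which is easy to misread next to the `key_usage` comment directly above it; a short comment on that line saying that a curve name here requests an EC key instead of an RSA key of a given size would help readers who copy the example.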
@@ -54,6 +66,54 @@ resource "routeros_system_certificate" "scep_client" {
scep_url = "http://scep.server/scep/test"
}
}
# Import certificate
data "routeros_x509" "cert" {
data = <<EOT
-----BEGIN CERTIFICATE-----
MIIBlTCCATugAwIBAgIINLsws71B5zIwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
RXh0ZXJuYWwgQ2VydGlmaWNhdGUwHhcNMjQwNTE3MjEyOTUzWhcNMjUwNTE3MjEy
OTUzWjAfMR0wGwYDVQQDDBRFeHRlcm5hbCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABKE1g0Qj4ujIold9tklu2z4BUu/K7xDFF5YmedtOfJyM
1/80APNboqn71y4m4XNE1JNtQuR2bSZPHVrzODkR16ujYTBfMA8GA1UdEwEB/wQF
MAMBAf8wDgYDVR0PAQH/BAQDAgG2MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAdBgNVHQ4EFgQUNXd5bvluIV9YAhGc5yMHc6OzXpMwCgYIKoZIzj0EAwID
SAAwRQIhAODte/qS6CE30cvnQpxP/ObWBPIPZnHtkFHIIC1AOSXwAiBGCGQE+aJY
W72Rw0Y1ckvlt6sU0urkzGuj5wxVF/gSYA==
-----END CERTIFICATE-----
EOT
}
resource "routeros_file" "key" {
name = "external.key"
# The lines of the certificate must not contain indentation.
contents = <<EOT
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiy/wEW6/MglgICCAAw
HQYJYIZIAWUDBAEqBBD6v8dLA2FjPn62Xz57pcu9BIGQhclivPw1eC2b14ea58Tw
nzDdbYN6/yUiMqapW2xZaT7ZFnbEai4n9/utgtEDnfKHlZvZj2kRhvYoWrvTkt/W
1mkd5d/runsn+B5GO+CMHFHh4t41WMpZysmg+iP8FiiehOQEsWyEZFaedxfYYtSL
Sk+abxJ+NMQoh+S5d73niu1CO8uqQjOd8BoSOurURsOh
-----END ENCRYPTED PRIVATE KEY-----
EOT
}
resource "routeros_file" "cert" {
name = "external.crt"
# Normalized certificate
contents = data.routeros_x509.cert.pem
}
resource "routeros_system_certificate" "external" {
name = "external.crt"
common_name = data.routeros_x509.cert.common_name
import {
cert_file_name = routeros_file.cert.name
key_file_name = routeros_file.key.name
passphrase = "11111111"
}
depends_on = [routeros_file.key, routeros_file.cert]
}
```

<!-- schema generated by tfplugindocs -->
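Review bot: the import example places the private-key passphrase (`passphrase = "11111111"`) and the encrypted private key itself as literals in the configuration, so both are printed in plan output and stored in Terraform state; for an example that users will copy, feed them in through a `variable` marked `sensitive = true` so they are at least redacted from plan output, and say that the key file written by `routeros_file.key` stays on the router after the import unless it is removed. Two smaller points: `depends_on = [routeros_file.key, routeros_file.cert]` is redundant, because `cert_file_name = routeros_file.cert.name` and `key_file_name = routeros_file.key.name` already create those dependencies; and the comment `# The lines of the certificate must not contain indentation.` sits on the key file, where it should say private key.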
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "terraform-provider-routeros",
"version": "1.51.0",
"version": "1.52.0",
"repository": {
"type": "git",
"url": "https://github.com/terraform-routeros/terraform-provider-routeros"