From b3dae0a992b9810fb1ae37c667cdb3e7abbf843c Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 28 May 2024 06:52:10 +0000 Subject: [PATCH] chore(release): 1.52.0 --- CHANGELOG.md | 12 ++++ docs/data-sources/x509.md | 21 ++++++- docs/resources/firewall_raw.md | 74 +++++++++++++++++++++++++ docs/resources/interface_list_member.md | 1 + docs/resources/system_certificate.md | 72 ++++++++++++++++++++++-- package.json | 2 +- 6 files changed, 174 insertions(+), 8 deletions(-) create mode 100644 docs/resources/firewall_raw.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 9da2f39f..c99cc694 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +## [1.52.0](https://github.com/terraform-routeros/terraform-provider-routeros/compare/v1.51.0...v1.52.0) (2024-05-28) + + +### Features + +* **firewall/raw:** Add new resource ([90eb2fa](https://github.com/terraform-routeros/terraform-provider-routeros/commit/90eb2fa762a92e61bdb408095f7c2ef5a1c03e8e)), closes [#462](https://github.com/terraform-routeros/terraform-provider-routeros/issues/462) + + +### Bug Fixes + +* **dhcp-server:** Remove default values ([#470](https://github.com/terraform-routeros/terraform-provider-routeros/issues/470)) ([884e464](https://github.com/terraform-routeros/terraform-provider-routeros/commit/884e464d7f16f016b99c12371c2cbfca84a149fb)), closes [#466](https://github.com/terraform-routeros/terraform-provider-routeros/issues/466) + ## [1.51.0](https://github.com/terraform-routeros/terraform-provider-routeros/compare/v1.50.0...v1.51.0) (2024-05-21) diff --git a/docs/data-sources/x509.md b/docs/data-sources/x509.md index 86b4480c..51fe2eca 100644 --- a/docs/data-sources/x509.md +++ b/docs/data-sources/x509.md @@ -1,7 +1,26 @@ # routeros_x509 (Data Source) - +## Example Usage +```terraform +# You can keep indents in front of the content lines of the certificate. +# The normalized certificate is available through the `pem` attribute +data "routeros_x509" "cert" { + data = < ## Schema 
diff --git a/docs/resources/firewall_raw.md b/docs/resources/firewall_raw.md
new file mode 100644
index 00000000..db7a23be
--- /dev/null
+++ b/docs/resources/firewall_raw.md
@@ -0,0 +1,74 @@ +# routeros_firewall_raw (Resource) + + + + + +## Schema + +### Required + +- `action` (String) Action to take if a packet is matched by the rule +- `chain` (String) Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. + +### Optional + +- `address_list` (String) Name of the address list used in 'add-dst-to-address-list' and 'add-src-to-address-list' actions. +- `address_list_timeout` (String) Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions. +- `comment` (String) +- `content` (String) Match packets that contain specified text. +- `disabled` (Boolean) +- `dscp` (Number) Matches DSCP IP header field. +- `dst_address` (String) Matches packets which destination is equal to specified IP or falls into specified IP range. +- `dst_address_list` (String) Matches destination address of a packet against user-defined address list. +- `dst_address_type` (String) Matches destination address type. +- `dst_limit` (String) Matches packets until a given rate is exceeded. +- `dst_port` (String) List of destination port numbers or port number ranges. +- `fragment` (Boolean) Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet +- `hotspot` (String) Matches packets received from HotSpot clients against various HotSpot matchers. +- `icmp_options` (String) Matches ICMP type: code fields. +- `in_bridge_port` (String) Actual interface the packet has entered the router if the incoming interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings. +- `in_bridge_port_list` (String) Set of interfaces defined in interface list. Works the same as in-bridge-port. 
+- `in_interface` (String) Interface the packet has entered the router.
+- `in_interface_list` (String) Set of interfaces defined in interface list. Works the same as in-interface.
+- `ingress_priority` (Number) Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP, or MPLS EXP bit.
+- `ipsec_policy` (String) Matches the policy used by IPsec. Value is written in the following format: direction, policy.
+- `ipv4_options` (String) Matches IPv4 header options.
+- `jump_target` (String) Name of the target chain to jump to. Applicable only if action=jump.
+- `limit` (String) Matches packets up to a limited rate (packet rate or bit rate). A rule using this matcher will match until this limit is reached. Parameters are written in the following format: rate[/time],burst:mode.
+- `log` (Boolean) Add a message to the system log.
+- `log_prefix` (String) Adds specified text at the beginning of every log message. Applicable if action=log or log=yes configured.
+- `nth` (String) Matches every nth packet: nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rule
+- `out_bridge_port` (String) Actual interface the packet is leaving the router if the outgoing interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings.
+- `out_bridge_port_list` (String) Set of interfaces defined in interface list. Works the same as out-bridge-port.
+- `out_interface` (String) Interface the packet is leaving the router.
+- `out_interface_list` (String) Set of interfaces defined in interface list. Works the same as out-interface.
+- `packet_mark` (String) Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet.
+- `packet_size` (String) Matches packets of specified size or size range in bytes.
+- `per_connection_classifier` (String) PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream.
+- `place_before` (String) Before which position the rule will be inserted.
+ > Please check the effect of this option, as it does not work as you think!
+ > Best way to use in conjunction with a data source. See [example](../data-sources/firewall.md#example-usage).
+- `port` (String) Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP
+- `priority` (Number) Matches the packet's priority after a new priority has been set. Priority may be derived from VLAN, WMM, DSCP, MPLS EXP bit, or from the priority that has been set using the set-priority action.
+- `protocol` (String) Matches particular IP protocol specified by protocol name or number.
+- `psd` (String) Attempts to detect TCP and UDP scans. Parameters are in the following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight.
+- `random` (Number) Matches packets randomly with a given probability.
+- `src_address` (String) Matches packets which source is equal to specified IP or falls into a specified IP range.
+- `src_address_list` (String) Matches source address of a packet against user-defined address list.
+- `src_address_type` (String) Matches source address type.
+- `src_mac_address` (String) Matches source MAC address of the packet.
+- `src_port` (String) List of source ports and ranges of source ports. Applicable only if a protocol is TCP or UDP.
+- `tcp_flags` (String) Matches specified TCP flags.
+- `tcp_mss` (String) Matches TCP MSS value of an IP packet.
+- `time` (String) Allows to create a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date.
+- `tls_host` (String) Allows matching HTTPS traffic based on TLS SNI hostname.
+- `ttl` (String) Matches packets TTL value. + +### Read-Only + +- `dynamic` (Boolean) Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified. +- `id` (String) The ID of this resource. +- `invalid` (Boolean) + + diff --git a/docs/resources/interface_list_member.md b/docs/resources/interface_list_member.md index 8012b19f..b2bde1a3 100644 --- a/docs/resources/interface_list_member.md +++ b/docs/resources/interface_list_member.md @@ -19,6 +19,7 @@ resource "routeros_interface_list_member" "list_member" { ### Optional +- `comment` (String) - `disabled` (Boolean) ### Read-Only diff --git a/docs/resources/system_certificate.md b/docs/resources/system_certificate.md index c7ae003c..54ee31ee 100644 --- a/docs/resources/system_certificate.md +++ b/docs/resources/system_certificate.md @@ -1,6 +1,18 @@ # routeros_system_certificate (Resource) +Certificate resource management consists of two independent processes: +* key creation and certificate signing request (`key` + `csr`) +* certificate signing by the issuer (`crt`) + +For a complete certificate creation cycle, both of the above steps must be performed. In this case the `sign {}` block must be specified in the configuration. + +If you need to import the current state of the certificate resource, then do not specify the `sign{}` block. + +Importing an external certificate is also done without specifying the `sign{}` block, because the certificate should have already been signed by the issuer at this step. + +--- + ## Example Usage ```terraform resource "routeros_system_certificate" "root_ca" { 
@@ -8,19 +20,19 @@ resource "routeros_system_certificate" "root_ca" { common_name = "RootCA" key_usage = ["key-cert-sign", "crl-sign"] trusted = true - // Sign Root CA. + # Sign Root CA. sign { } } -// digitalSignature: Used for entity and data origin authentication with integrity. -// keyEncipherment: Used to encrypt symmetric key, which is then transferred to target. -// keyAgreement: Enables use of key agreement to establish symmetric key with target. +# digitalSignature: Used for entity and data origin authentication with integrity. +# keyEncipherment: Used to encrypt symmetric key, which is then transferred to target. +# keyAgreement: Enables use of key agreement to establish symmetric key with target. resource "routeros_system_certificate" "server_crt" { name = "Server-Certificate" common_name = "server.crt" - // KUs: igitalSignature, keyEncipherment or keyAgreement + # KUs: igitalSignature, keyEncipherment or keyAgreement key_usage = ["digital-signature", "key-encipherment", "tls-server"] sign { ca = routeros_system_certificate.root_ca.name @@ -31,7 +43,7 @@ resource "routeros_system_certificate" "client_crt" { name = "Client-Certificate" common_name = "client.crt" key_size = "prime256v1" - // KUs: digitalSignature and/or keyAgreement + # KUs: digitalSignature and/or keyAgreement key_usage = ["digital-signature", "key-agreement", "tls-client"] sign { ca = routeros_system_certificate.root_ca.name @@ -54,6 +66,54 @@ resource "routeros_system_certificate" "scep_client" { scep_url = "http://scep.server/scep/test" } } + +# Import certificate +data "routeros_x509" "cert" { + data = < diff --git a/package.json b/package.json index 6ceb4a77..e6011462 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "terraform-provider-routeros", - "version": "1.51.0", + "version": "1.52.0", "repository": { "type": "git", "url": "https://github.com/terraform-routeros/terraform-provider-routeros"