add more route options

Author: wasaga

example/main.tf

@@ -203,6 +203,41 @@ resource "pomerium_route" "kubernetes_route" {
   tls_upstream_allow_renegotiation = true
 }
 
+resource "pomerium_route" "advanced_route" {
+  name         = "advanced-route"
+  from         = "https://advanced.corp.example.com"
+  to           = ["https://internal-service.example.com"]
+  namespace_id = pomerium_namespace.test_namespace.id
+
+  # Response header manipulation
+  rewrite_response_headers = [
+    {
+      header = "Location"
+      prefix = "http://internal"
+      value  = "https://external"
+    },
+    {
+      header = "Content-Security-Policy"
+      value  = "default-src 'self'"
+    }
+  ]
+  set_response_headers = {
+    "Strict-Transport-Security" = "max-age=31536000"
+    "X-Frame-Options"           = "DENY"
+  }
+
+  tls_custom_ca_key_pair_id = pomerium_key_pair.test_key_pair.id
+  tls_skip_verify           = false
+
+  enable_google_cloud_serverless_authentication = true
+  kubernetes_service_account_token_file         = "/path/to/token"
+
+  description = "Advanced route with security headers"
+  logo_url    = "https://example.com/logo.png"
+
+  show_error_details = true
+}
+
 # Data source examples
 data "pomerium_namespaces" "all_namespaces" {}
 

internal/provider/route.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -199,6 +200,71 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Computed:    true,
 			},
 			"jwt_groups_filter": JWTGroupsFilterSchema,
+			"jwt_issuer_format": schema.ObjectAttribute{
+				Description: "JWT issuer format configuration.",
+				Optional:    true,
+				AttributeTypes: map[string]attr.Type{
+					"format": types.StringType,
+				},
+			},
+			"rewrite_response_headers": schema.SetNestedAttribute{
+				Description: "Response header rewrite rules.",
+				Optional:    true,
+				NestedObject: schema.NestedAttributeObject{
+					Attributes: map[string]schema.Attribute{
+						"header": schema.StringAttribute{
+							Required:    true,
+							Description: "Header name to rewrite",
+						},
+						"prefix": schema.StringAttribute{
+							Optional:    true,
+							Description: "Prefix matcher for the header",
+						},
+						"value": schema.StringAttribute{
+							Required:    true,
+							Description: "New value for the header",
+						},
+					},
+				},
+			},
+			"tls_custom_ca_key_pair_id": schema.StringAttribute{
+				Description: "Custom CA key pair ID for TLS verification.",
+				Optional:    true,
+			},
+			"tls_client_key_pair_id": schema.StringAttribute{
+				Description: "Client key pair ID for TLS client authentication.",
+				Optional:    true,
+			},
+			"description": schema.StringAttribute{
+				Description: "Description of the route.",
+				Optional:    true,
+			},
+			"kubernetes_service_account_token_file": schema.StringAttribute{
+				Description: "Path to the Kubernetes service account token file.",
+				Optional:    true,
+			},
+			"logo_url": schema.StringAttribute{
+				Description: "URL to the logo image.",
+				Optional:    true,
+			},
+			"enable_google_cloud_serverless_authentication": schema.BoolAttribute{
+				Description: "Enable Google Cloud serverless authentication.",
+				Optional:    true,
+			},
+			"redirect": schema.ObjectAttribute{
+				Description: "Redirect configuration.",
+				Optional:    true,
+				AttributeTypes: map[string]attr.Type{
+					"host_redirect":   types.StringType,
+					"https_redirect":  types.BoolType,
+					"path_redirect":   types.StringType,
+					"prefix_rewrite":  types.StringType,
+					"response_code":   types.Int64Type,
+					"strip_query":     types.BoolType,
+					"scheme_redirect": types.StringType,
+					"port_redirect":   types.Int64Type,
+				},
+			},
 		},
 	}
 }

internal/provider/route_model.go

@@ -4,49 +4,124 @@ import (
 	"context"
 
 	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/pomerium/enterprise-client-go/pb"
 )
 
 // RouteModel represents the shared model for route resources and data sources
 type RouteModel struct {
-	ID                               types.String         `tfsdk:"id"`
-	Name                             types.String         `tfsdk:"name"`
-	From                             types.String         `tfsdk:"from"`
-	To                               types.Set            `tfsdk:"to"`
-	NamespaceID                      types.String         `tfsdk:"namespace_id"`
-	Policies                         types.Set            `tfsdk:"policies"`
-	StatName                         types.String         `tfsdk:"stat_name"`
-	Prefix                           types.String         `tfsdk:"prefix"`
-	Path                             types.String         `tfsdk:"path"`
-	Regex                            types.String         `tfsdk:"regex"`
-	PrefixRewrite                    types.String         `tfsdk:"prefix_rewrite"`
-	RegexRewritePattern              types.String         `tfsdk:"regex_rewrite_pattern"`
-	RegexRewriteSubstitution         types.String         `tfsdk:"regex_rewrite_substitution"`
-	HostRewrite                      types.String         `tfsdk:"host_rewrite"`
-	HostRewriteHeader                types.String         `tfsdk:"host_rewrite_header"`
-	HostPathRegexRewritePattern      types.String         `tfsdk:"host_path_regex_rewrite_pattern"`
-	HostPathRegexRewriteSubstitution types.String         `tfsdk:"host_path_regex_rewrite_substitution"`
-	RegexPriorityOrder               types.Int64          `tfsdk:"regex_priority_order"`
-	Timeout                          timetypes.GoDuration `tfsdk:"timeout"`
-	IdleTimeout                      timetypes.GoDuration `tfsdk:"idle_timeout"`
-	AllowWebsockets                  types.Bool           `tfsdk:"allow_websockets"`
-	AllowSPDY                        types.Bool           `tfsdk:"allow_spdy"`
-	TLSSkipVerify                    types.Bool           `tfsdk:"tls_skip_verify"`
-	TLSUpstreamServerName            types.String         `tfsdk:"tls_upstream_server_name"`
-	TLSDownstreamServerName          types.String         `tfsdk:"tls_downstream_server_name"`
-	TLSUpstreamAllowRenegotiation    types.Bool           `tfsdk:"tls_upstream_allow_renegotiation"`
-	SetRequestHeaders                types.Map            `tfsdk:"set_request_headers"`
-	RemoveRequestHeaders             types.Set            `tfsdk:"remove_request_headers"`
-	SetResponseHeaders               types.Map            `tfsdk:"set_response_headers"`
-	PreserveHostHeader               types.Bool           `tfsdk:"preserve_host_header"`
-	PassIdentityHeaders              types.Bool           `tfsdk:"pass_identity_headers"`
-	KubernetesServiceAccountToken    types.String         `tfsdk:"kubernetes_service_account_token"`
-	IDPClientID                      types.String         `tfsdk:"idp_client_id"`
-	IDPClientSecret                  types.String         `tfsdk:"idp_client_secret"`
-	ShowErrorDetails                 types.Bool           `tfsdk:"show_error_details"`
-	JWTGroupsFilter                  types.Object         `tfsdk:"jwt_groups_filter"`
+	AllowSPDY                                 types.Bool           `tfsdk:"allow_spdy"`
+	AllowWebsockets                           types.Bool           `tfsdk:"allow_websockets"`
+	Description                               types.String         `tfsdk:"description"`
+	EnableGoogleCloudServerlessAuthentication types.Bool           `tfsdk:"enable_google_cloud_serverless_authentication"`
+	From                                      types.String         `tfsdk:"from"`
+	HostPathRegexRewritePattern               types.String         `tfsdk:"host_path_regex_rewrite_pattern"`
+	HostPathRegexRewriteSubstitution          types.String         `tfsdk:"host_path_regex_rewrite_substitution"`
+	HostRewrite                               types.String         `tfsdk:"host_rewrite"`
+	HostRewriteHeader                         types.String         `tfsdk:"host_rewrite_header"`
+	ID                                        types.String         `tfsdk:"id"`
+	IdleTimeout                               timetypes.GoDuration `tfsdk:"idle_timeout"`
+	IDPClientID                               types.String         `tfsdk:"idp_client_id"`
+	IDPClientSecret                           types.String         `tfsdk:"idp_client_secret"`
+	JWTGroupsFilter                           types.Object         `tfsdk:"jwt_groups_filter"`
+	JWTIssuerFormat                           types.Object         `tfsdk:"jwt_issuer_format"`
+	KubernetesServiceAccountToken             types.String         `tfsdk:"kubernetes_service_account_token"`
+	KubernetesServiceAccountTokenFile         types.String         `tfsdk:"kubernetes_service_account_token_file"`
+	LogoURL                                   types.String         `tfsdk:"logo_url"`
+	Name                                      types.String         `tfsdk:"name"`
+	NamespaceID                               types.String         `tfsdk:"namespace_id"`
+	PassIdentityHeaders                       types.Bool           `tfsdk:"pass_identity_headers"`
+	Path                                      types.String         `tfsdk:"path"`
+	Policies                                  types.Set            `tfsdk:"policies"`
+	Prefix                                    types.String         `tfsdk:"prefix"`
+	PrefixRewrite                             types.String         `tfsdk:"prefix_rewrite"`
+	PreserveHostHeader                        types.Bool           `tfsdk:"preserve_host_header"`
+	Redirect                                  types.Object         `tfsdk:"redirect"`
+	Regex                                     types.String         `tfsdk:"regex"`
+	RegexPriorityOrder                        types.Int64          `tfsdk:"regex_priority_order"`
+	RegexRewritePattern                       types.String         `tfsdk:"regex_rewrite_pattern"`
+	RegexRewriteSubstitution                  types.String         `tfsdk:"regex_rewrite_substitution"`
+	RemoveRequestHeaders                      types.Set            `tfsdk:"remove_request_headers"`
+	RewriteResponseHeaders                    types.Set            `tfsdk:"rewrite_response_headers"`
+	SetRequestHeaders                         types.Map            `tfsdk:"set_request_headers"`
+	SetResponseHeaders                        types.Map            `tfsdk:"set_response_headers"`
+	ShowErrorDetails                          types.Bool           `tfsdk:"show_error_details"`
+	StatName                                  types.String         `tfsdk:"stat_name"`
+	Timeout                                   timetypes.GoDuration `tfsdk:"timeout"`
+	TLSClientKeyPairID                        types.String         `tfsdk:"tls_client_key_pair_id"`
+	TLSCustomCAKeyPairID                      types.String         `tfsdk:"tls_custom_ca_key_pair_id"`
+	TLSDownstreamServerName                   types.String         `tfsdk:"tls_downstream_server_name"`
+	TLSSkipVerify                             types.Bool           `tfsdk:"tls_skip_verify"`
+	TLSUpstreamAllowRenegotiation             types.Bool           `tfsdk:"tls_upstream_allow_renegotiation"`
+	TLSUpstreamServerName                     types.String         `tfsdk:"tls_upstream_server_name"`
+	To                                        types.Set            `tfsdk:"to"`
+}
+
+var rewriteHeaderAttrTypes = map[string]attr.Type{
+	"header": types.StringType,
+	"value":  types.StringType,
+	"prefix": types.StringType,
+}
+
+// RewriteHeaderAttrTypes returns the attribute type map for rewrite headers
+func RewriteHeaderAttrTypes() map[string]attr.Type {
+	return rewriteHeaderAttrTypes
+}
+
+func rewriteHeadersToPB(src types.Set) []*pb.RouteRewriteHeader {
+	if (src).IsNull() {
+		return nil
+	}
+
+	headers := make([]*pb.RouteRewriteHeader, 0)
+	elements := src.Elements()
+	for _, element := range elements {
+		obj := element.(types.Object)
+		prefixAttr := obj.Attributes()["prefix"].(types.String)
+
+		header := &pb.RouteRewriteHeader{
+			Header: obj.Attributes()["header"].(types.String).ValueString(),
+			Value:  obj.Attributes()["value"].(types.String).ValueString(),
+		}
+
+		if !prefixAttr.IsNull() && prefixAttr.ValueString() != "" {
+			header.Matcher = &pb.RouteRewriteHeader_Prefix{Prefix: prefixAttr.ValueString()}
+		}
+
+		headers = append(headers, header)
+	}
+	return headers
+}
+
+func rewriteHeadersFromPB(headers []*pb.RouteRewriteHeader) types.Set {
+	if len(headers) == 0 {
+		return types.SetNull(RewriteHeaderObjectType())
+	}
+
+	elements := make([]attr.Value, 0, len(headers))
+	for _, header := range headers {
+		prefix := header.GetPrefix()
+		prefixValue := types.StringNull()
+		if prefix != "" {
+			prefixValue = types.StringValue(prefix)
+		}
+
+		attrs := map[string]attr.Value{
+			"header": types.StringValue(header.Header),
+			"value":  types.StringValue(header.Value),
+			"prefix": prefixValue,
+		}
+		obj, _ := types.ObjectValue(rewriteHeaderAttrTypes, attrs)
+		elements = append(elements, obj)
+	}
+	result, _ := types.SetValue(RewriteHeaderObjectType(), elements)
+	return result
+}
+
+func RewriteHeaderObjectType() attr.Type {
+	return types.ObjectType{AttrTypes: rewriteHeaderAttrTypes}
 }
 
 func ConvertRouteToPB(
@@ -90,14 +165,19 @@ func ConvertRouteToPB(
 	pbRoute.IdpClientSecret = src.IDPClientSecret.ValueStringPointer()
 	pbRoute.ShowErrorDetails = src.ShowErrorDetails.ValueBool()
 	JWTGroupsFilterToPB(ctx, &pbRoute.JwtGroupsFilter, src.JWTGroupsFilter, &diagnostics)
+	ToStringSliceFromSet(ctx, &pbRoute.To, src.To, &diagnostics)
+	ToStringSliceFromSet(ctx, &pbRoute.PolicyIds, src.Policies, &diagnostics)
+	pbRoute.TlsClientKeyPairId = src.TLSClientKeyPairID.ValueStringPointer()
+	pbRoute.TlsCustomCaKeyPairId = src.TLSCustomCAKeyPairID.ValueStringPointer()
+	pbRoute.Description = src.Description.ValueStringPointer()
+	pbRoute.LogoUrl = src.LogoURL.ValueStringPointer()
+	if !src.EnableGoogleCloudServerlessAuthentication.IsNull() {
+		pbRoute.EnableGoogleCloudServerlessAuthentication = src.EnableGoogleCloudServerlessAuthentication.ValueBool()
+	}
+	pbRoute.KubernetesServiceAccountTokenFile = src.KubernetesServiceAccountTokenFile.ValueStringPointer()
 
-	diags := src.To.ElementsAs(ctx, &pbRoute.To, false)
-	diagnostics.Append(diags...)
+	pbRoute.RewriteResponseHeaders = rewriteHeadersToPB(src.RewriteResponseHeaders)
 
-	if !src.Policies.IsNull() {
-		diags = src.Policies.ElementsAs(ctx, &pbRoute.PolicyIds, false)
-		diagnostics.Append(diags...)
-	}
 	return pbRoute, diagnostics
 }
 
@@ -143,6 +223,17 @@ func ConvertRouteFromPB(
 	dst.IDPClientSecret = types.StringPointerValue(src.IdpClientSecret)
 	dst.ShowErrorDetails = types.BoolValue(src.ShowErrorDetails)
 	JWTGroupsFilterFromPB(&dst.JWTGroupsFilter, src.JwtGroupsFilter)
+	dst.TLSClientKeyPairID = types.StringPointerValue(src.TlsClientKeyPairId)
+	dst.TLSCustomCAKeyPairID = types.StringPointerValue(src.TlsCustomCaKeyPairId)
+	dst.Description = types.StringPointerValue(src.Description)
+	dst.LogoURL = types.StringPointerValue(src.LogoUrl)
+	dst.EnableGoogleCloudServerlessAuthentication = types.BoolNull()
+	if src.EnableGoogleCloudServerlessAuthentication {
+		dst.EnableGoogleCloudServerlessAuthentication = types.BoolValue(true)
+	}
+	dst.KubernetesServiceAccountTokenFile = types.StringPointerValue(src.KubernetesServiceAccountTokenFile)
+
+	dst.RewriteResponseHeaders = rewriteHeadersFromPB(src.RewriteResponseHeaders)
 
 	return diagnostics
 }