oracle
diff --git a/‎examples/dns/dnssec/provider.tf‎
Lines changed: 33 additions & 0 deletions b/‎examples/dns/dnssec/provider.tf‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎examples/dns/dnssec/zone.tf‎
Lines changed: 83 additions & 0 deletions b/‎examples/dns/dnssec/zone.tf‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎examples/dns/global/zone.tf‎
Lines changed: 14 additions & 0 deletions b/‎examples/dns/global/zone.tf‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎internal/integrationtest/dns_zone_dnssec_test.go‎
Lines changed: 107 additions & 0 deletions b/‎internal/integrationtest/dns_zone_dnssec_test.go‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎internal/integrationtest/dns_zone_promote_dnssec_key_version_test.go‎
Lines changed: 68 additions & 0 deletions b/‎internal/integrationtest/dns_zone_promote_dnssec_key_version_test.go‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎internal/integrationtest/dns_zone_stage_dnssec_key_version_test.go‎
Lines changed: 80 additions & 0 deletions b/‎internal/integrationtest/dns_zone_stage_dnssec_key_version_test.go‎
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,33 @@
+// Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+/*
+ * Provider config for dns sample
+ */
+
+variable "tenancy_ocid" {
+}
+
+variable "user_ocid" {
+}
+
+variable "fingerprint" {
+}
+
+variable "private_key_path" {
+}
+
+variable "compartment_ocid" {
+}
+
+variable "region" {
+}
+
+provider "oci" {
+  region           = var.region
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  fingerprint      = var.fingerprint
+  private_key_path = var.private_key_path
+}
+
@@ -0,0 +1,83 @@
+// Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+/*
+ * This file demonstrates initial setup of a dnssec enabled zone when the zone's
+ * parent zone is in OCI. It does not demonstrate setting up dnssec for the parent
+ * zone or handle rotating the dnssec key versions.
+ */
+
+resource "random_string" "random_prefix" {
+  length  = 4
+  numeric = false
+  special = false
+}
+
+resource "oci_dns_zone" "dnssec_parent_zone" {
+  compartment_id = var.compartment_ocid
+  name           = "${data.oci_identity_tenancy.tenancy.name}-${random_string.random_prefix.result}-tf-example-dnssec-parent.oci-dns"
+  zone_type      = "PRIMARY"
+  scope          = "GLOBAL"
+  dnssec_state   = "ENABLED"
+}
+
+resource "oci_dns_zone" "dnssec_child_zone" {
+  compartment_id = var.compartment_ocid
+  name           = "child.${oci_dns_zone.dnssec_parent_zone.name}"
+  zone_type      = "PRIMARY"
+  scope          = "GLOBAL"
+  dnssec_state   = "ENABLED"
+}
+
+resource "oci_dns_rrset" "parent_zone_ns_rrset" {
+  zone_name_or_id = oci_dns_zone.dnssec_parent_zone.id
+  domain          = oci_dns_zone.dnssec_child_zone.name
+  rtype           = "NS"
+
+  items {
+    domain = oci_dns_zone.dnssec_child_zone.name
+    rtype  = "NS"
+    rdata  = oci_dns_zone.dnssec_child_zone.nameservers[0].hostname
+    ttl    = 86400
+  }
+}
+
+locals {
+  ksk = oci_dns_zone.dnssec_child_zone.dnssec_config[0].ksk_dnssec_key_versions[0]
+}
+
+resource "oci_dns_rrset" "parent_zone_ds_rrset" {
+  zone_name_or_id = oci_dns_zone.dnssec_parent_zone.id
+  domain          = oci_dns_zone.dnssec_child_zone.name
+  rtype           = "DS"
+
+  items {
+    domain = oci_dns_zone.dnssec_child_zone.name
+    rtype  = "DS"
+    rdata  = local.ksk.ds_data[0].rdata
+    ttl    = 86400
+  }
+
+  lifecycle {
+    ignore_changes = [
+      items,
+    ]
+  }
+}
+
+resource "oci_dns_zone_promote_dnssec_key_version" "promote_dnssec_key_version" {
+  dnssec_key_version_uuid = local.ksk.uuid
+  zone_id                 = oci_dns_zone.dnssec_child_zone.id
+  scope                   = "GLOBAL"
+  depends_on              = [oci_dns_rrset.parent_zone_ds_rrset]
+  lifecycle {
+    ignore_changes = [
+      dnssec_key_version_uuid,
+    ]
+  }
+}
+
+data "oci_identity_tenancy" "tenancy" {
+  tenancy_id = var.tenancy_ocid
+}
+
@@ -46,6 +46,20 @@ resource "oci_dns_zone" "zone3" {
   zone_type      = "PRIMARY"
 }
 
+resource "oci_dns_zone" "zone4" {
+  compartment_id = var.compartment_ocid
+  name           = "${data.oci_identity_tenancy.tenancy.name}-${random_string.random_prefix.result}-tf-example-primary.oci-dns4"
+  zone_type      = "PRIMARY"
+  scope          = "GLOBAL"
+  dnssec_state   = "ENABLED"
+}
+
+resource "oci_dns_zone_stage_dnssec_key_version" "stage_dnssec_key_version" {
+  predecessor_dnssec_key_version_uuid = oci_dns_zone.zone4.dnssec_config[0].zsk_dnssec_key_versions[0].uuid
+  zone_id                             = oci_dns_zone.zone4.id
+  scope                               = "GLOBAL"
+}
+
 data "oci_dns_zones" "zs" {
   compartment_id = var.compartment_ocid
   name_contains  = "example"
 
@@ -0,0 +1,107 @@
+// Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package integrationtest
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/oracle/terraform-provider-oci/httpreplay"
+	"github.com/oracle/terraform-provider-oci/internal/acctest"
+	"github.com/oracle/terraform-provider-oci/internal/utils"
+)
+
+var (
+	zoneRepresentationGlobal = map[string]interface{}{
+		"compartment_id": acctest.Representation{RepType: acctest.Required, Create: `${var.compartment_id}`},
+		"name": acctest.Representation{RepType: acctest.Required,
+			Create: `${data.oci_identity_tenancy.test_tenancy.name}.{{.token}}.stage-dnssec-key-version-test`},
+		"zone_type": acctest.Representation{RepType: acctest.Required, Create: `PRIMARY`},
+		"scope":     acctest.Representation{RepType: acctest.Required, Create: `GLOBAL`},
+	}
+
+	ZoneResourceDnssecDependencies = `
+			data "oci_identity_tenancy" "test_tenancy" {
+				tenancy_id = "${var.tenancy_ocid}"
+			}
+		`
+)
+
+func TestDnsZoneResourceDnssec(t *testing.T) {
+	httpreplay.SetScenario("TestDnsZoneResourceDnssec")
+	defer httpreplay.SaveScenario()
+
+	config := acctest.ProviderTestConfig()
+
+	compartmentId := utils.GetEnvSettingWithBlankDefault("compartment_ocid")
+	compartmentIdVariableStr := fmt.Sprintf("variable \"compartment_id\" { default = \"%s\" }\n", compartmentId)
+
+	resourceName := "oci_dns_zone.test_zone"
+
+	_, tokenFn := acctest.TokenizeWithHttpReplay("dns_zone")
+
+	acctest.ResourceTest(t, testAccCheckDnsZoneDestroy, []resource.TestStep{
+		// create a zone with DNSSEC disabled
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneResourceDnssecDependencies+
+				acctest.GenerateResourceFromRepresentationMap("oci_dns_zone", "test_zone", acctest.Required,
+					acctest.Create, zoneRepresentationGlobal), nil),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "dnssec_state", "DISABLED"),
+			),
+		},
+
+		// verify enabling DNSSEC
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneResourceDnssecDependencies+
+				acctest.GenerateResourceFromRepresentationMap("oci_dns_zone", "test_zone", acctest.Optional,
+					acctest.Update, acctest.RepresentationCopyWithNewProperties(zoneRepresentationGlobal,
+						map[string]interface{}{
+							"dnssec_state": acctest.Representation{RepType: acctest.Optional,
+								Create: `ENABLED`},
+						})), nil),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "dnssec_state", "ENABLED"),
+				resource.TestCheckResourceAttr(resourceName, "dnssec_config.0.zsk_dnssec_key_versions.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "dnssec_config.0.ksk_dnssec_key_versions.#", "1"),
+			),
+		},
+
+		// delete before next Create
+		{
+			Config: tokenFn(config+compartmentIdVariableStr, nil),
+		},
+
+		// verify zone creation with DNSSEC enabled
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneResourceDnssecDependencies+
+				acctest.GenerateResourceFromRepresentationMap("oci_dns_zone", "test_zone", acctest.Optional, acctest.Create,
+					acctest.RepresentationCopyWithNewProperties(zoneRepresentationGlobal, map[string]interface{}{
+						"dnssec_state": acctest.Representation{RepType: acctest.Required,
+							Create: `ENABLED`},
+					})), nil),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "dnssec_state", "ENABLED"),
+				resource.TestCheckResourceAttr(resourceName, "dnssec_config.0.zsk_dnssec_key_versions.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "dnssec_config.0.ksk_dnssec_key_versions.#", "1"),
+			),
+		},
+
+		// verify disabling DNSSEC
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneResourceDnssecDependencies+
+				acctest.GenerateResourceFromRepresentationMap("oci_dns_zone", "test_zone", acctest.Optional,
+					acctest.Update, acctest.RepresentationCopyWithNewProperties(zoneRepresentationGlobal,
+						map[string]interface{}{
+							"dnssec_state": acctest.Representation{RepType: acctest.Optional,
+								Create: `DISABLED`},
+						})), nil),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "dnssec_state", "DISABLED"),
+			),
+		},
+	})
+}
@@ -0,0 +1,68 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package integrationtest
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/oracle/terraform-provider-oci/httpreplay"
+	"github.com/oracle/terraform-provider-oci/internal/acctest"
+	"github.com/oracle/terraform-provider-oci/internal/utils"
+)
+
+var (
+	ZonePromoteDnssecKeyVersionResourceDependencies = acctest.GenerateResourceFromRepresentationMap("oci_dns_zone",
+		"test_dnssec_zone", acctest.Required, acctest.Create, zoneRepresentationDnssec) +
+		DefinedTagsDependencies + `
+			data "oci_identity_tenancy" "test_tenancy" {
+				tenancy_id = "${var.tenancy_ocid}"
+			}
+		`
+)
+
+// issue-routing-tag: dns/default
+func TestDnsZonePromoteDnssecKeyVersionResource_basic(t *testing.T) {
+	httpreplay.SetScenario("TestDnsZonePromoteDnssecKeyVersionResource_basic")
+	defer httpreplay.SaveScenario()
+
+	config := acctest.ProviderTestConfig()
+
+	compartmentId := utils.GetEnvSettingWithBlankDefault("compartment_ocid")
+	compartmentIdVariableStr := fmt.Sprintf("variable \"compartment_id\" { default = \"%s\" }\n", compartmentId)
+
+	resourceName := "oci_dns_zone.test_dnssec_zone"
+
+	_, tokenFn := acctest.TokenizeWithHttpReplay("dns_resource")
+
+	acctest.ResourceTest(t, nil, []resource.TestStep{
+
+		// Create a dnssec enabled zone
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZonePromoteDnssecKeyVersionResourceDependencies, nil),
+		},
+
+		// Promote the staged KSK version
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZonePromoteDnssecKeyVersionResourceDependencies+`
+				resource "oci_dns_zone_promote_dnssec_key_version" "test_zone_promote_dnssec_key_version" {
+					zone_id                 = oci_dns_zone.test_dnssec_zone.id
+					dnssec_key_version_uuid = oci_dns_zone.test_dnssec_zone.dnssec_config[0].ksk_dnssec_key_versions[0].uuid
+					scope                   = "GLOBAL"
+				}
+				`, nil),
+		},
+
+		// Validate that the KSK key version's time_promoted was updated.
+		// This requires a separate step because it requires a refresh of the/zone resource.
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZonePromoteDnssecKeyVersionResourceDependencies, nil),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttrSet(resourceName, "dnssec_config.0.ksk_dnssec_key_versions.0.time_promoted"),
+			),
+		},
+	})
+}
@@ -0,0 +1,80 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package integrationtest
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/oracle/terraform-provider-oci/httpreplay"
+	"github.com/oracle/terraform-provider-oci/internal/acctest"
+	"github.com/oracle/terraform-provider-oci/internal/utils"
+)
+
+var (
+	zoneRepresentationDnssec = map[string]interface{}{
+		"compartment_id": acctest.Representation{RepType: acctest.Required, Create: `${var.compartment_id}`},
+		"name": acctest.Representation{RepType: acctest.Required,
+			Create: `${data.oci_identity_tenancy.test_tenancy.name}.{{.token}}.stage-dnssec-key-version-test`},
+		"zone_type":    acctest.Representation{RepType: acctest.Required, Create: `PRIMARY`},
+		"scope":        acctest.Representation{RepType: acctest.Required, Create: `GLOBAL`},
+		"dnssec_state": acctest.Representation{RepType: acctest.Required, Create: `ENABLED`},
+	}
+
+	ZoneStageDnssecKeyVersionResourceDependencies = acctest.GenerateResourceFromRepresentationMap("oci_dns_zone",
+		"test_dnssec_zone", acctest.Required, acctest.Create, zoneRepresentationDnssec) +
+		DefinedTagsDependencies + `
+			data "oci_identity_tenancy" "test_tenancy" {
+				tenancy_id = "${var.tenancy_ocid}"
+			}
+		`
+)
+
+// issue-routing-tag: dns/default
+func TestDnsZoneStageDnssecKeyVersionResource_basic(t *testing.T) {
+	httpreplay.SetScenario("TestDnsZoneStageDnssecKeyVersionResource_basic")
+	defer httpreplay.SaveScenario()
+
+	config := acctest.ProviderTestConfig()
+
+	compartmentId := utils.GetEnvSettingWithBlankDefault("compartment_ocid")
+	compartmentIdVariableStr := fmt.Sprintf("variable \"compartment_id\" { default = \"%s\" }\n", compartmentId)
+
+	resourceName := "oci_dns_zone.test_dnssec_zone"
+
+	_, tokenFn := acctest.TokenizeWithHttpReplay("dns_resource")
+
+	acctest.ResourceTest(t, nil, []resource.TestStep{
+
+		// Create a dnssec enabled zone
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneStageDnssecKeyVersionResourceDependencies, nil),
+		},
+
+		// Stage a replacement ZSK version
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneStageDnssecKeyVersionResourceDependencies+`
+                                locals {
+                                  predecessor_uuid = length(oci_dns_zone.test_dnssec_zone.dnssec_config[0].zsk_dnssec_key_versions) == 1 ? oci_dns_zone.test_dnssec_zone.dnssec_config[0].zsk_dnssec_key_versions[0].uuid : [ for zsk in oci_dns_zone.test_dnssec_zone.dnssec_config[0].zsk_dnssec_key_versions : zsk if zsk.successor_dnssec_key_version_uuid != ""][0].uuid
+                                }
+				resource "oci_dns_zone_stage_dnssec_key_version" "test_zone_stage_dnssec_key_version" {
+					zone_id                             = oci_dns_zone.test_dnssec_zone.id
+					predecessor_dnssec_key_version_uuid = local.predecessor_uuid
+					scope                               = "GLOBAL"
+				}
+				`, nil),
+		},
+
+		// Validate that a second ZSK key version was added to the dnssec configuration.
+		// This requires a separate step because it requires a refresh of the zone resource.
+		{
+			Config: tokenFn(config+compartmentIdVariableStr+ZoneStageDnssecKeyVersionResourceDependencies, nil),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "dnssec_config.0.zsk_dnssec_key_versions.#", "2"),
+			),
+		},
+	})
+}