feat: add dynamic firewall parameter (#54)

* feat: add dynamic firewall parameter

* clean: delete dynamicFirewall from user.go

docs/resources/server.md

@@ -47,6 +47,7 @@ description: |-
 - **sso_auth** (Boolean) Require client to authenticate with single sign-on provider on each connection using web browser. Requires client to have access to Pritunl web server port and running updated Pritunl Client. Single sign-on provider must already be configured for this feature to work properly.
 - **otp_auth** (Boolean) Enables two-step authentication using Google Authenticator. Verification code is entered as the user password when connecting
 - **device_auth** (Boolean) Require administrator to approve every client device using TPM or Apple Secure Enclave
+- **dynamic_firewall** (Boolean) Block VPN server ports by default and open port for client IP address after authenticating with HTTPS request
 - **ping_interval** (Number) Interval to ping client
 - **ping_timeout** (Number) Timeout for client ping. Must be greater then ping interval
 - **port** (Number) The port for the server

internal/pritunl/client.go

@@ -303,6 +303,10 @@ func (c client) CreateServer(serverData map[string]interface{}) (*Server, error)
 		serverStruct.DeviceAuth = v.(bool)
 	}
 
+	if v, ok := serverData["dynamic_firewall"]; ok {
+		serverStruct.DynamicFirewall = v.(bool)
+	}
+
 	if v, ok := serverData["ipv6"]; ok {
 		serverStruct.IPv6 = v.(bool)
 	}

internal/pritunl/server.go

@@ -53,6 +53,7 @@ type Server struct {
 	SsoAuth          bool     `json:"sso_auth,omitempty"`
 	OtpAuth          bool     `json:"otp_auth,omitempty"`
 	DeviceAuth       bool     `json:"device_auth,omitempty"`
+	DynamicFirewall  bool     `json:"dynamic_firewall,omitempty"`
 	MssFix           int      `json:"mss_fix,omitempty"`
 	LzoCompression   bool     `json:"lzo_compression,omitempty"`
 	BlockOutsideDns  bool     `json:"block_outside_dns,omitempty"`

internal/provider/resource_server.go

@@ -209,6 +209,12 @@ func resourceServer() *schema.Resource {
 				Optional:    true,
 				Description: "Require administrator to approve every client device using TPM or Apple Secure Enclave",
 			},
+			"dynamic_firewall": {
+				Type:        schema.TypeBool,
+				Required:    false,
+				Optional:    true,
+				Description: "Block VPN server ports by default and open port for client IP address after authenticating with HTTPS request",
+			},
 			"ipv6": {
 				Type:        schema.TypeBool,
 				Required:    false,
@@ -533,6 +539,7 @@ func resourceReadServer(ctx context.Context, d *schema.ResourceData, meta interf
 	d.Set("sso_auth", server.SsoAuth)
 	d.Set("otp_auth", server.OtpAuth)
 	d.Set("device_auth", server.DeviceAuth)
+	d.Set("dynamic_firewall", server.DynamicFirewall)
 	d.Set("ipv6", server.IPv6)
 	d.Set("dh_param_bits", server.DhParamBits)
 	d.Set("ping_interval", server.PingInterval)
@@ -655,6 +662,7 @@ func resourceCreateServer(ctx context.Context, d *schema.ResourceData, meta inte
 		"sso_auth":           d.Get("sso_auth"),
 		"otp_auth":           d.Get("otp_auth"),
 		"device_auth":        d.Get("device_auth"),
+		"dynamic_firewall":   d.Get("dynamic_firewall"),
 		"ipv6":               d.Get("ipv6"),
 		"dh_param_bits":      d.Get("dh_param_bits"),
 		"ping_interval":      d.Get("ping_interval"),
@@ -817,6 +825,10 @@ func resourceUpdateServer(ctx context.Context, d *schema.ResourceData, meta inte
 		server.DeviceAuth = d.Get("device_auth").(bool)
 	}
 
+	if d.HasChange("dynamic_firewall") {
+		server.DynamicFirewall = d.Get("dynamic_firewall").(bool)
+	}
+
 	if d.HasChange("ipv6") {
 		server.IPv6 = d.Get("ipv6").(bool)
 	}

internal/provider/resource_server_test.go

@@ -131,7 +131,57 @@ func TestAccPritunlServer(t *testing.T) {
 			})
 		})
 	})
-
+
+	t.Run("creates a server with dynamic_firewall attribute", func(t *testing.T) {
+		serverName := "tfacc-server1"
+
+		testCase := func(t *testing.T, dynamicFirewall bool) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:          func() { preCheck(t) },
+				ProviderFactories: providerFactories,
+				CheckDestroy:      testPritunlServerDestroy,
+				Steps: []resource.TestStep{
+					{
+						Config: testPritunlServerConfigWithDynamicFirewall(serverName, dynamicFirewall),
+						Check: resource.ComposeTestCheckFunc(
+							resource.TestCheckResourceAttr("pritunl_server.test", "name", serverName),
+							resource.TestCheckResourceAttr("pritunl_server.test", "dynamic_firewall", strconv.FormatBool(dynamicFirewall)),
+						),
+					},
+					// import test
+					importStep("pritunl_server.test"),
+				},
+			})
+		}
+
+		t.Run("with enabled option", func(t *testing.T) {
+			testCase(t, true)
+		})
+
+		t.Run("with disabled option", func(t *testing.T) {
+			testCase(t, false)
+		})
+
+		t.Run("without an option", func(t *testing.T) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:          func() { preCheck(t) },
+				ProviderFactories: providerFactories,
+				CheckDestroy:      testPritunlServerDestroy,
+				Steps: []resource.TestStep{
+					{
+						Config: testPritunlServerSimpleConfig(serverName),
+						Check: resource.ComposeTestCheckFunc(
+							resource.TestCheckResourceAttr("pritunl_server.test", "name", serverName),
+							resource.TestCheckResourceAttr("pritunl_server.test", "dynamic_firewall", "false"),
+						),
+					},
+					// import test
+					importStep("pritunl_server.test"),
+				},
+			})
+		})
+	})
+
 	t.Run("creates a server with an attached organization", func(t *testing.T) {
 		serverName := "tfacc-server1"
 		orgName := "tfacc-org1"
@@ -489,6 +539,15 @@ func testPritunlServerConfigWithDeviceAuth(name string, deviceAuth bool) string
 	`, name, deviceAuth)
 }
 
+func testPritunlServerConfigWithDynamicFirewall(name string, dynamicFirewall bool) string {
+	return fmt.Sprintf(`
+		resource "pritunl_server" "test" {
+			name     = "%[1]s"
+			dynamic_firewall = %[2]v
+		}
+	`, name, dynamicFirewall)
+}
+
 func testPritunlServerConfigWithAttachedOrganization(name, organizationName string) string {
 	return fmt.Sprintf(`
 		resource "pritunl_organization" "test" {