terraform-provider-nexus's Introduction

Terraform provider Nexus

Introduction

Terraform provider to configure Sonatype Nexus using its API.

Implemented and tested with Sonatype Nexus 3.64.0-03.

Usage

Provider config

provider "nexus" {
  insecure = true
  password = "admin123"
  url      = "https://127.0.0.1:8080"
  username = "admin"
}

Development

Build

A makefile builds the provider and places it in the repository's root directory.

make

To use the locally built version, you need to tell Terraform where to look for it via a Terraform CLI config override.

Create an override file (for example dev.tfrc) in your Terraform code folder:

# dev.tfrc
provider_installation {

  # Use /home/developer/tmp/terraform-nexus as an overridden package directory
  # for the datadrivers/nexus provider. This disables the version and checksum
  # verifications for this provider and forces Terraform to look for the
  # nexus provider plugin in the given directory.
  # relative path also works, but no variable or ~ evaluation
  dev_overrides {
    "datadrivers/nexus" = "../../"
  }

  # For all other providers, install them directly from their origin provider
  # registries as normal. If you omit this, Terraform will _only_ use
  # the dev_overrides block, and so no other providers will be available.
  direct {}
}

Tell your shell environment to use the override file:

export TF_CLI_CONFIG_FILE=dev.tfrc

Now run your Terraform commands (plan or apply); init is not required.

# start local nexus
make start-services
# run local terraform code
cd examples/local-development
terraform plan
terraform apply

Testing

NOTE: For testing Nexus Pro features, place the license.lic in scripts/.

For testing, start the local Docker containers using make:

make start-services

This will start Docker and MinIO containers and expose ports 8081 and 9000.

Now start the tests

make testacc

or skip selected tests:

SKIP_S3_TESTS=true make testacc
SKIP_AZURE_TESTS=true make testacc
SKIP_PRO_TESTS=true make testacc

To debug tests

Set env variable TF_LOG=DEBUG to see additional output.

Use the printState() function to inspect the Terraform state (and resource properties) during a test.

Debug configurations are also available for VS Code.

Create documentation

When creating or updating resources or data sources, please make sure to update the examples in the respective folder (./examples/resources/<name> for resources, ./examples/data-sources/<name> for data sources).

Next, use the following command to generate the Terraform documentation from the Go files:

make docs

Author

Datadrivers GmbH

terraform-provider-nexus's Issues

Proxy without authentication section

Hi!
When I declare a proxy repository (maven2 and pypi) without authentication, I get the message:

HTTP: 400, [ {
"id" : "PARAMETER type",
"message" : "may not be empty"
} ]

resource nexus_repository maven_sonatype_public {
  name   = "sonatype-public"
  type   = "proxy"
  format = "maven2"
  online = true

  proxy {
    remote_url       = "https://oss.sonatype.org/content/repositories/public/"
    content_max_age  = 1440
    metadata_max_age = 1440
  }
  negative_cache {
    enabled = true
    ttl     = 1440
  }
  storage {
    blob_store_name                = "default"
    strict_content_type_validation = true
  }
  maven {
    version_policy = "MIXED"
    layout_policy  = "STRICT"
  }

  http_client {
  }
}

Client : 1.6.0
Server: 3.23.0-03

NPM Repository

Hi, I see there are a bunch of repo formats (bower, nuget, docker etc.) - but no npm... are there plans to include npm repositories?
Thanks S

Roles found to have changes. Though they are up to date and no changes were made.

I am creating a few roles as follows:

resource "nexus_role" "ROLE" {
  roleid      = "ROLE"
  name        = "ldap-role bla"
  description = "LDAP role for bla"
  privileges  = ["nx-repository-view-maven2-maven-internal-releases-*", "nx-repository-view-maven2-maven-internal-snapshots-*", "nx-repository-view-maven2-maven-internal-snapshots-browse", "nx-repository-view-maven2-maven-internal-releases-browse"]
  roles       = ["npm-group-read", "internal-atap-read", "internal-atap-write", "docker-group-read", "pypi-group-read"]
}

And during the second or any other apply, Terraform tries to change them:

 # nexus_role.ROLE will be updated in-place
  ~ resource "nexus_role" "ROLE" {
      ~ description = "ROLE" -> "LDAP role for bla"
        id          = "ROLE"
      ~ name        = "ROLE" -> "ldap-role bla"
      ~ privileges  = [
          + "nx-repository-view-maven2-maven-internal-releases-*",
          + "nx-repository-view-maven2-maven-internal-snapshots-*",
          + "nx-repository-view-maven2-maven-internal-snapshots-browse",
          + "nx-repository-view-maven2-maven-internal-releases-browse",
        ]
        roleid      = "ROLE"
      ~ roles       = [
          + "npm-group-read",
          + "internal-read",
          + "internal-write",
          + "docker-group-read",
          + "pypi-group-read",
        ]
    }

But in fact there is some error in the logic, as the description field was never equal to "ROLE". The same goes for name, privileges etc.

Hence there seem to be multiple issues:

  • description and name fields are for some reason evaluated by the provider as equal to the id field value, even though in reality they have different values.
  • roles and privileges either change their order or something else, as they have valid values but are modified all the time.

Can't update default maven-public repository

A standard install of nexus-oss comes with a default maven2 group repository "maven-public".

I attempted to add a repository to this group using the provider with a configuration like this:

resource "nexus_repository" "maven_public" {
  name   = "maven-public"
  format = "maven2"
  type   = "group"
  online = true

  group {
    member_names = [
      "maven-releases",
      "maven-snapshots",
      "maven-central",
      "my-other-maven2-repo"
    ]
  }

  http_client {
    blocked = false
  }

  storage {
    blob_store_name                = "default"
    strict_content_type_validation = true
  }
}

and received the following error:

could not create repository 'maven-public': HTTP: 400, "Cannot index record #17:8: found duplicated key 'maven-public' in index 'repository_repository_name_idx' previously assigned to the record #17:3

Looking at the code in resource_repository.go I wonder if this is because there is no setup for reading and writing maven2 repos?

Hi there o/

I see that this repo is quite recent.

Are you willing to accept third party contributions?

Thank you!

No field `password` available for http_client authentication section.

When I try to create it I get the following error:

 Error: could not update repository 'maven-release': HTTP: 400, [ {
  "id" : "FIELD password",
  "message" : "may not be empty"
} ]

The TF code block for this looks as follows:

  http_client {
      blocked = false
      auto_block = false
      authentication {
        type = "username"
        username = "nexus"
        ntlm_host = ""
        ntlm_domain = ""
      }
  }

If I try to provide a field called password I got a message:
An argument named "password" is not expected here.

Doesn't seem to be possible to get/extract a list of privileges for Repository created.

Hi guys,

This is an enhancement request.

After Repository creation, Nexus creates privileges for this repository.
Further, in work it might happen that more privileges need to be added/attached to this or that role.
And it's impossible right now to get a list of privileges for the specific repository.
Use-case: needed a role that has privileges from multiple Repositories.
It would be awesome to have this kind of feature. ;)

Regards,
Taras.

Data - Nexus Repository - Group

Hi !

When I want to get a repository from data, this error occurred: Error: Invalid address to set: []string{"group"}

 data "nexus_repository" "maven_public" {
      name = "maven_public"
 }

Order of repositories in docker repository group is not respected

Summary
When I define a docker repository group, the order of the items in member_names is not respected, which leads to unreliable results when images are pulled.

Reproduce

  • Create two repos. One for a hosted variant and one for a proxy. As they are ordered by name please name the hosted repo z-repo and the proxy repo a-repo.

  • Define a repository group with the hosted as first item.

# ... repository definition for docker_hosted and docker_proxy.

resource "nexus_repository" "docker_group" {
  depends_on = [nexus_repository.z_repo, nexus_repository.a_repo]
  name       = "docker-group"
  format     = "docker"
  type       = "group"
  online     = true

  group {
    member_names = ["z-repo", "a-repo"]
  }

  # ... rest of resource configuration.
}

  • Create an image and push this to the proxied repo with the image tag test:a
  • Create an image and push this to the hosted repo on nexus with the same image tag.
  • Pull the image with the tag from the docker-group repo.

Expected result
The image from the z-repo would be pulled.

Actual result
The image from the a-repo is pulled.

nexus_role times out

Almost every time (9/10 times, at least), my nexus_roles times out while refreshing the state during a tf apply.

Is there any way of increasing the timeout? I work remotely via a VPN, and I'm not sure if that's causing the problem. As mentioned above, it works, but I have to run it 10 times to get one successful run. I've even tried -target to limit to one resource, and the same happens.

nexus_role.role_2: Refreshing state... [id=role_2]
nexus_role.role_3: Refreshing state... [id=role_3]
nexus_role.role_4: Refreshing state... [id=role_4]
nexus_role.role_5: Refreshing state... [id=role_5]
nexus_role.role_6: Refreshing state... [id=role_6]
nexus_role.role_7: Refreshing state... [id=role_7]

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Error: Get "https://nexus.domain.com/service/rest/beta/security/roles": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Creating a maven proxy repository returns 404

Hi,

Trying to create a maven proxy repository returns a 404. I tried to create multiple different maven proxy repositories, but all of them return 404. Below is one example.

resource "nexus_repository" "repo1_proxy" {
  name   = "repo1-proxy"
  format = "maven2"
  type   = "proxy"

  maven {
    version_policy = "RELEASE"
    layout_policy = "STRICT"
  }

  negative_cache {
    enabled = true
    ttl     = 1440
  }

  proxy {
    remote_url  = "https://repo1.maven.org/maven2"
  }

  storage {
    blob_store_name                = nexus_blobstore.s3.name
    strict_content_type_validation = true
  }
}

nuget proxy repositories parameter missing

Nexus API returns the following error when I try to create a nuget proxy repository. I could not find any parameters unique to nuget proxy repositories in the code. However Nexus doesn't seem to allow creating a nuget proxy repository with this parameter missing.

Error: could not create repository 'nuget-proxy': HTTP: 400, [ {
  "id" : "PARAMETER nugetProxy",
  "message" : "must not be null"
} ]

Furthermore, I submitted the following issue to Sonatype (not sure if under the right repo!) as the API endpoint's description (and possibly implementation) has an error.
sonatype-nexus-community/nexus-scripting-examples#7

Support for Google Cloud Storage blobstore

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

It's currently not possible to define blobstore of type Google Cloud Storage.
Would be great to have support for it.

Support for Azure Blob Storage

It would be nice to have support for Azure Blob Storage.

This feature was added in Nexus 3.30.0.

Support will need to be added to go-nexus-client first.

Is this in the pipeline?

Privilege creation fails

Nexus provider version: v1.6.0

My TF code:

resource "nexus_privilege" "nx-repository-view-apt-apt-proxy-bionic-read" {
  name = "nx-repository-view-apt-apt-proxy-bionic-read"
  description = "Read privilege for apt-proxy-bionic repository views"
  type = "repository-view"
  format = "apt"
  repository = "apt-proxy-bionic"
  actions = [
    "read"
  ]
}

TF plan:

An execution plan has been generated and is shown below.

Resource actions are indicated with the following symbols:
  + create
Terraform will perform the following actions:
  # nexus_privilege.nx-repository-view-apt-apt-proxy-bionic-read will be created
  + resource "nexus_privilege" "nx-repository-view-apt-apt-proxy-bionic-read" {
      + actions     = [
          + "read",
        ]
      + description = "Read privilege for apt-proxy-bionic repository views"
      + format      = "apt"
      + id          = (known after apply)
      + name        = "nx-repository-view-apt-apt-proxy-bionic-read"
      + repository  = "apt-proxy-bionic"
      + type        = "repository-view"
    }
Plan: 1 to add, 0 to change, 0 to destroy.

TF apply (fails with the error):

nexus_privilege.nx-repository-view-apt-apt-proxy-bionic-read: Creating...
Error: could not create privilege "nx-repository-view-apt-apt-proxy-bionic-read": HTTP: 400, [ {
  "id" : "PARAMETER format",
  "message" : "may not be empty"
} ]
  on privileges.tf line 3, in resource "nexus_privilege" "nx-repository-view-apt-apt-proxy-bionic-read":
   3: resource "nexus_privilege" "nx-repository-view-apt-apt-proxy-bionic-read" {

Can’t see reason why this would fail. There is no “ID” field or “Message”. Can’t find these in a code of groovy for privilege entity as well. Perhaps a bug that can be addressed?

Some objects are not get updated.

Hi guys,

I tried to use resources as follows:

resource "nexus_repository" "docker_hosted" {
  name   = "docker-hosted-test"
  format = "docker"
  type   = "hosted"
  online = true

  docker {
    http_port        = 8083
    https_port       = 8084
    force_basic_auth = true
    v1enabled        = true
  }

  storage {
    blob_store_name                = "default"
    strict_content_type_validation = true
    write_policy                   = "ALLOW_ONCE"
  }
}

In this resource, port update or repo name update for example doesn't update it on Nexus server. Even though TF reports as there is a change for in-place update.

And one more:

resource "nexus_blobstore" "tf-test" {
  name = "blobstore-0101"
  type = "File"
  path = "/nexus-data/blobstore-01"

  soft_quota {
    limit = 1024
    type  = "spaceRemainingQuota"
  }
}

In this resource, soft quota is set up to 0 by default which is incorrect set-up at all. Despite it being provided as 1024 in code. After changes and re-applying still no effect. Even though TF reports as there is a change for in-place updates. It goes through. Says updated and no effect on the Nexus server.

Proposal: add possibility to get a list of repositories in data source.

Hi guys,
I have tried to get a list of repositories with the usage of data source for Repositories:

data "nexus_repository" "all_repos" {
  name = ""
  format = "docker"
}

But it requires an explicit name. No asterisk or RegExp is accepted. E.g. it can get only 1 repo, based on format etc.
Would be nice to have it done in the way that allows just to get a full list of Repositories based on type or format etc.
So that we could just parse for any reason all the repositories inside of Nexus.

Feature request: Repository format type = raw is not available

Hi guys

I have found almost all the needed resources in your provider. And that is very cool.
Though 1 resource type seems to be missing or just not implemented yet.
Would be wonderful to have it added/implemented as well and be able to fully manage Nexus as code.
This is repository format = raw . I can’t find it implemented in your provider.
We use it for repository types as follow: hosted, group, proxy .

I had a look into the code here:
https://github.com/datadrivers/terraform-provider-nexus/blob/master/nexus/resource_repository.go

And don’t see that raw format is supported.
Here is the official link to the description: https://help.sonatype.com/repomanager3/formats/raw-repositories

maven2 repository type not accepted.

Hi,
Firstly thank you for solving the previous issue regarding maven repositories. There is another issue that came up during exploratory testing.

The provider accepts maven as a repository type, but it should accept maven2. When maven2 is input you see the error in code block 1). When you change it to maven the tf code executes just fine, but it creates maven2 repositories in nexus (when you inspect the UI). On a subsequent tf apply it tries to change the repo type from maven2 to maven. The tf code can be found in block 0).

blocks:
0)

resource "nexus_repository" "maven_hosted" {
  depends_on = [helm_release.nexus]

  name   = "maven-hosted"
  format = "maven"
  type   = "hosted"

  maven {
    version_policy = "MIXED"
    layout_policy  = "STRICT"
  }


  storage {
    blob_store_name                = nexus_blobstore.s3.name
    strict_content_type_validation = true
    write_policy                   = "ALLOW"
  }
}

1)

Warning: This resource is deprecated and will be removed in the next major version.
Please supply the URL of your repository to helm_release resources directly, using the repository attribute.
See: https://www.terraform.io/docs/providers/helm/r/release.html#example-usage

  on modules/helm-nexus/main.tf line 61, in data "helm_repository" "oteemo":
  61: data "helm_repository" "oteemo" {



Error: expected format to be one of [apt bower conan docker helm maven npm nuget pypi yum], got maven2

  on modules/helm-nexus/nexus_repositories_maven.tf line 82, in resource "nexus_repository" "maven_hosted":
  82: resource "nexus_repository" "maven_hosted" {


make: *** [apply] Error 1
  # module.helm_nexus.nexus_repository.maven_hosted must be replaced
-/+ resource "nexus_repository" "maven_hosted" {
      ~ format = "maven2" -> "maven" # forces replacement
      ~ id     = "maven-hosted" -> (known after apply)
        name   = "maven-hosted"
        online = true
        type   = "hosted"

        maven {
            layout_policy  = "STRICT"
            version_policy = "MIXED"
        }

        storage {
            blob_store_name                = "REDACTED"
            strict_content_type_validation = true
            write_policy                   = "ALLOW"
        }
    }

Privileges order change on every apply

When creating a role and applying a set of privileges (as a list of strings), updating nexus works.
But validation (or re-applying the same terraform config) causes nexus to be updated every time, as the list of privileges comes in a different order.

Example output from terraform:

  # module.project.nexus_role.nx-project will be updated in-place
  ~ resource "nexus_role" "nx-project" {
        description = "Project role"
        id          = "nx-project"
        name        = "nx-project"
      ~ privileges  = [
            "nx-repository-admin-maven2-common-public-snapshots-*",
            "nx-repository-admin-maven2-common-snapshots-*",
          + "nx-repository-admin-maven2-project-snapshots-*",
            "nx-repository-admin-maven2-project-public-snapshots-*",
          - "nx-repository-admin-maven2-project-releases-*",
          + "nx-repository-admin-maven2-common-public-releases-*",
            "nx-repository-admin-maven2-common-releases-*",
          - "nx-repository-admin-maven2-project-snapshots-*",
          + "nx-repository-admin-maven2-project-releases-*",
            "nx-repository-admin-maven2-project-public-releases-*",
          - "nx-repository-admin-maven2-common-public-releases-*",
        ]
        roleid      = "nx-project"
        roles       = []
    }

The privileges will be updated in place, but the changes are irrelevant. Just the order.
But when one wants to validate whether the configuration is up to date (e.g. someone has not changed the configuration manually), this will fail every time.

Possible solution would be to sort this list after fetching from nexus server, and sort it for validation/applying.

A similar issue might exist with other list-related configurations, but I haven't checked.
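
The sorting idea proposed in the issue above, as an added example (not code from the provider or from the issue author): compare the declared and server-side privilege lists as sets, so a pure reordering yields no diff while a privilege granted or removed out of band is still reported. The function names and the `nx-example-added-by-hand` entry are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// normalize returns a sorted, de-duplicated copy of a privilege list so two
// lists can be compared as sets, independent of the order the API returns.
func normalize(in []string) []string {
	seen := make(map[string]struct{}, len(in))
	out := make([]string, 0, len(in))
	for _, p := range in {
		if _, dup := seen[p]; !dup {
			seen[p] = struct{}{}
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// privilegeDrift reports privileges that are declared but absent on the
// server (missing) and privileges present on the server but not declared
// (unexpected). A pure reordering yields two empty results.
func privilegeDrift(declared, remote []string) (missing, unexpected []string) {
	d, r := normalize(declared), normalize(remote)
	i, j := 0, 0
	for i < len(d) && j < len(r) {
		switch {
		case d[i] == r[j]:
			i, j = i+1, j+1
		case d[i] < r[j]:
			missing = append(missing, d[i])
			i++
		default:
			unexpected = append(unexpected, r[j])
			j++
		}
	}
	missing = append(missing, d[i:]...)
	unexpected = append(unexpected, r[j:]...)
	return missing, unexpected
}

// Privilege names taken from the plan output in the issue above.
var declared = []string{
	"nx-repository-admin-maven2-common-snapshots-*",
	"nx-repository-admin-maven2-project-snapshots-*",
	"nx-repository-admin-maven2-common-releases-*",
	"nx-repository-admin-maven2-project-releases-*",
}

// Same privileges, in a different order (as the server may return them).
var remoteReordered = []string{
	"nx-repository-admin-maven2-project-releases-*",
	"nx-repository-admin-maven2-common-snapshots-*",
	"nx-repository-admin-maven2-common-releases-*",
	"nx-repository-admin-maven2-project-snapshots-*",
}

// Constructed sample: one declared privilege removed by hand and one
// hypothetical privilege added by hand on the server.
var remoteChanged = []string{
	"nx-example-added-by-hand",
	"nx-repository-admin-maven2-common-releases-*",
	"nx-repository-admin-maven2-project-snapshots-*",
	"nx-repository-admin-maven2-common-snapshots-*",
}

func main() {
	cases := []struct {
		name   string
		remote []string
	}{
		{"reordered", remoteReordered},
		{"changed", remoteChanged},
	}
	for _, c := range cases {
		missing, unexpected := privilegeDrift(declared, c.remote)
		fmt.Printf("%-10s missing=%v unexpected=%v\n", c.name, missing, unexpected)
	}
}
```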

No support for deploying on a Nexus behind HTTP proxy ?

So far I'm unable to connect through an HTTP proxy to the Nexus API: I'm trying to run Terraform through a proxy (works perfectly with embedded plugins).

nexus_blobstore.project-docker: Creating...
nexus_blobstore.project-maven: Creating...
nexus_blobstore.project-npm-blobstore: Creating...

Error: Post "https://nexus.aws/service/rest/beta/blobstores/s3": dial tcp: lookup nexus.aws on 127.0.0.53:53: no such host

  on artifact_repositories.tf line 15, in resource "nexus_blobstore" "project-docker":
  15: resource "nexus_blobstore" "project-docker" {



Error: Post "https://nexus.aws/service/rest/beta/blobstores/s3": dial tcp: lookup nexus.aws on 127.0.0.53:53: no such host

  on artifact_repositories.tf line 62, in resource "nexus_blobstore" "project-maven":
  62: resource "nexus_blobstore" "project-maven" {



Error: Post "https://nexus.aws/service/rest/beta/blobstores/s3": dial tcp: lookup nexus.aws on 127.0.0.53:53: no such host

  on artifact_repositories.tf line 142, in resource "nexus_blobstore" "project-npm-blobstore":
 142: resource "nexus_blobstore" "project-npm-blobstore" {

nexus.aws is resolvable by my proxy, but it seems nothing is forwarded despite http_proxy and https_proxy being set.

Group members in repository resource are not updated

Summary
When a nexus_repository of the type group has group->member_names set it does not add new members when they are added to the list after first apply.

Reproduce

  1. Create a resource group.

# ... repository definition for docker_hosted.

resource "nexus_repository" "docker_group" {
  depends_on = [nexus_repository.docker_hosted]
  name       = "docker-group"
  format     = "docker"
  type       = "group"
  online     = true

  group {
    member_names = ["docker-hosted"]
  }

  # ... rest of resource configuration.
}

  2. Apply changes.

  3. Add a 2nd repository.

# ... repository definition for docker_hosted and docker_proxy.

resource "nexus_repository" "docker_group" {
  depends_on = [nexus_repository.docker_hosted, nexus_repository.docker_proxy]
  name       = "docker-group"
  format     = "docker"
  type       = "group"
  online     = true

  group {
    member_names = ["docker-hosted", "docker-proxy"]
  }

  # ... rest of resource configuration.
}

  4. Apply changes.

Expected result

A 2nd repository created and added as a member to the docker group members.

Current result

A 2nd repository is created but not added to the docker group members.

Errors when changing or deleting resources: Put: EOF

Hello.

Thank you for the great Nexus management tool, which helps a lot with our work.

However, we have encountered problems when updating or deleting resources.

Describe the bug

When resources are changed and Terraform is restarted, errors like the following occur:

nexus_role.write_only_all: Modifying... [id=nx-write-only-all]

Error: Put "https://nexus-host/service/rest/beta/security/roles/nx-write-only-all": EOF

Running the same command again successfully removes or modifies resources.

The problem occurs not only with Nexus roles, but also with users. It is difficult to reproduce the problem because the error does not occur every time.

It is suspected that the problem is with Nexus, Nexus Proxy or Nginx behind which Nexus is running, but we have not been able to find out at which stage the error occurs.

Expected behavior

The changes go through the first time.

Log output

The nexus provider related log messages can be found here: https://pastebin.com/raw/QSq0pPcA

No available resources for realms and ldap configuration

There are currently no resources available for managing realms and LDAP configuration.

GET /beta/security/realms/active
List the active realm IDs in order

PUT /beta/security/realms/active
Set the active security realms in the order they should be used

GET /beta/security/realms/available
List the available realms

GET /beta/security/ldap
List LDAP servers

POST /beta/security/ldap
Create LDAP server

GET /beta/security/ldap/{name}
Get LDAP server

PUT /beta/security/ldap/{name}
Update LDAP server

DELETE /beta/security/ldap/{name}
Delete LDAP server

POST /beta/security/ldap/change-order
Change LDAP server order

Inconsistent plan when having empty parameter blocks

Hi, first of all: thank you for this provider and all your work!

I noticed an inconsistent plan when having empty parameter blocks vs. having no parameter block at all. My resource looks like this:

resource "nexus_repository" "maven_central" {
  name   = "proxy-maven-central"
  type   = "proxy"
  format = "maven2"

  http_client {
    auto_block = true
    blocked    = false
  }

  negative_cache {
    enabled = true
    ttl     = 1440
  }

  proxy {
    remote_url = "https://repo1.maven.org/maven2/"
  }

  storage {
    blob_store_name                = "default"
    strict_content_type_validation = true
  }
}

When applying this I'll get the following plan and error:

Terraform will perform the following actions:

  # nexus_repository.maven_central will be created
  + resource "nexus_repository" "maven_central" {
      + format = "maven2"
      + id     = (known after apply)
      + name   = "proxy-maven-central"
      + online = true
      + type   = "proxy"

      + http_client {
          + auto_block = true
          + blocked    = false
        }

      + negative_cache {
          + enabled = true
          + ttl     = 1440
        }

      + proxy {
          + content_max_age  = 1440
          + metadata_max_age = 1440
          + remote_url       = "https://repo1.maven.org/maven2/"
        }

      + storage {
          + blob_store_name                = "default"
          + strict_content_type_validation = true
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

nexus_repository.maven_central: Creating...

Error: could not create repository 'proxy-maven-central': HTTP: 400, [ {
  "id" : "PARAMETER maven",
  "message" : "must not be null"
} ]

  on repositories-cache.tf line 37, in resource "nexus_repository" "maven_central":
  37: resource "nexus_repository" "maven_central" {

When adding an empty maven {} parameter block to my resource like so:

resource "nexus_repository" "maven_central" {
  name   = "proxy-maven-central"
  type   = "proxy"
  format = "maven2"

+ maven {}

  http_client {
    auto_block = true
    blocked    = false
  }

  negative_cache {
    enabled = true
    ttl     = 1440
  }

  proxy {
    remote_url = "https://repo1.maven.org/maven2/"
  }

  storage {
    blob_store_name                = "default"
    strict_content_type_validation = true
  }
}

My plan changes to this:

# nexus_repository.maven_central will be created
  + resource "nexus_repository" "maven_central" {
      + format = "maven2"
      + id     = (known after apply)
      + name   = "proxy-maven-central"
      + online = true
      + type   = "proxy"

      + http_client {
          + auto_block = true
          + blocked    = false
        }

      + maven {
          + layout_policy  = "PERMISSIVE"
          + version_policy = "RELEASE"
        }

      + negative_cache {
          + enabled = true
          + ttl     = 1440
        }

      + proxy {
          + content_max_age  = 1440
          + metadata_max_age = 1440
          + remote_url       = "https://repo1.maven.org/maven2/"
        }

      + storage {
          + blob_store_name                = "default"
          + strict_content_type_validation = true
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

As you can see above my Terraform Plan changes. There is now a maven block with some default parameters!

      + maven {
          + layout_policy  = "PERMISSIVE"
          + version_policy = "RELEASE"
        }

This feels like a bug, doesn't it? Either mark this maven block as required or always pass the default values for this block.


Versions:
Terraform v0.13.0

  • provider registry.terraform.io/datadrivers/nexus v1.10.2

Proxy Repository of type Docker requires `index_url` parameter even though it's an optional

Tried to create docker proxy repo as in the readme's example:

resource "nexus_repository" "docker-proxy" {
  name   = "docker-proxy"
  type   = "proxy"
  format = "docker"

  docker {
    force_basic_auth = true
    v1enabled        = false
    http_port        = 5000
  }

  docker_proxy {
    index_type = "HUB"
  }

  http_client {
    blocked = false
    auto_block = false
  }

  negative_cache {
    enabled = true
    ttl     = 1440
  }

  proxy {
    remote_url  = "https://registry-1.docker.io"
    metadata_max_age = "1440"
    content_max_age = "1440"
  }

  storage {
    blob_store_name                = "docker-proxy"
    strict_content_type_validation = true
    write_policy                   = "ALLOW"
  }
}

Getting the following error:

Error: could not create repository 'docker-proxy': HTTP: 400, [ {
  "id" : "FIELD indexUrl",
  "message" : "URL should be in the format 'http://www.example.com'"
} ]

If I try to provide an empty index_url="" still fails with the same.

Missing parameters are required for resource(repository) creation. Example declaration statement missing?.

Hi guys

Can you please point me at all possible parameters for the resources creation?
E.g. I am creating a repository of type proxy and format apt:

resource "nexus_repository" "apt-proxy-bionic" {
  name   = "apt-proxy-bionic"
  format = "apt"
  type   = "proxy"
  apt {
    distribution = "bionic"
  }
  storage {
    blob_store_name                = "apt-internal"
    strict_content_type_validation = true
    write_policy                   = "ALLOW_ONCE"
  }
  depends_on = [nexus_blobstore.apt-internal]
}

Once I run apply:

nexus_repository.apt-proxy-bionic: Creating...
Error: could not create repository 'apt-proxy-bionic': HTTP: 400, [ {
  "id" : "PARAMETER httpClient",
  "message" : "must not be null"
}, {
  "id" : "PARAMETER negativeCache",
  "message" : "must not be null"
}, {
  "id" : "PARAMETER proxy",
  "message" : "must not be null"
}, {
  "id" : "PARAMETER flat",
  "message" : "must not be null"
} ]
  on repositories.tf line 1, in resource "nexus_repository" "apt-proxy-bionic":
   1: resource "nexus_repository" "apt-proxy-bionic" {

I do have those sections in my real repo and would like them to be declared even with null or empty values. But I can’t figure out how to define them. And can’t even find them in the repository resource's Go code as of here:
https://github.com/datadrivers/terraform-provider-nexus/blob/master/nexus/resource_repository.go
It would be nice to have a full list of possible parameters or just 1 big example with all possible options provided. It would make using this provider much easier. I think it can be applied to all the resources.
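The HTTP 400 responses quoted in the reports on this page all carry the same JSON array of `id`/`message` pairs. The following Go program is an added example, not code from the provider: it turns such an error string into one line per rejected field. The names `ParseNexusErrors`, `FieldError` and `toSnake` are hypothetical, and the camelCase-to-snake_case mapping is an assumption based on the pairs visible on this page (`indexUrl`/`index_url`, `httpClient`/`http_client`).

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sampleError: the apt-proxy failure quoted in the issue above, reflowed.
const sampleError = `could not create repository 'apt-proxy-bionic': HTTP: 400, [
{"id": "PARAMETER httpClient", "message": "must not be null"}, {"id": "PARAMETER negativeCache", "message": "must not be null"},
{"id": "PARAMETER proxy", "message": "must not be null"}, {"id": "PARAMETER flat", "message": "must not be null"} ]`

// FieldError is one element of the JSON array Nexus returns with an HTTP 400.
type FieldError struct {
	ID      string `json:"id"`      // "PARAMETER httpClient", "FIELD indexUrl"
	Message string `json:"message"` // "must not be null"
}

var camelBoundary = regexp.MustCompile(`([a-z0-9])([A-Z])`)

// toSnake maps an API name (httpClient) to the HCL spelling (http_client).
// Assumption: attribute names are the snake_case form of the API field.
func toSnake(s string) string {
	return strings.ToLower(camelBoundary.ReplaceAllString(s, "${1}_${2}"))
}

// ParseNexusErrors returns one line per rejected field, or an error when the
// text holds no JSON array (for example the HTTP 500 blobstore failure).
func ParseNexusErrors(errText string) ([]string, error) {
	start, end := strings.Index(errText, "["), strings.LastIndex(errText, "]")
	if start < 0 || end < start {
		return nil, fmt.Errorf("no JSON error array in response")
	}
	var errs []FieldError
	if err := json.Unmarshal([]byte(errText[start:end+1]), &errs); err != nil {
		return nil, fmt.Errorf("malformed error array: %w", err)
	}
	out := make([]string, 0, len(errs))
	for _, e := range errs {
		kind, name, ok := strings.Cut(e.ID, " ")
		if !ok { // id without a "PARAMETER"/"FIELD" prefix
			kind, name = "UNKNOWN", e.ID
		}
		out = append(out, fmt.Sprintf("%s (%s): %s", toSnake(name), kind, e.Message))
	}
	return out, nil
}

func main() { fmt.Println(ParseNexusErrors(sampleError)) }
```
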

Destroy action should delete blobstore after destroying repos

If I'm destroying all my repos and blobstore I got error:
Error: could not delete blobstore "default": HTTP: 500, ERROR: (ID cc540e55-32c3-49c8-895c-1821fb7ec437) java.lang.IllegalStateException: BlobStore default is in use and cannot be deleted

If I retry destroy command again, it is able to destroy

nexus_privilege resource doesn't have the required pattern parameter for wildcard

nexus_privilege resource doesn't have the required pattern parameter for wildcard privilege type.

Schema: map[string]*schema.Schema{
    "actions": {
        Description: "Actions for the privilege (browse, read, edit, add, delete, all and run)",
        Elem:        &schema.Schema{Type: schema.TypeString},
        Required:    true,
        Type:        schema.TypeSet,
    },
    "content_selector": {
        Description: "The content selector for the privilege",
        Optional:    true,
        Type:        schema.TypeString,
    },
    "description": {
        Description: "A description of the privilege",
        Optional:    true,
        Type:        schema.TypeString,
    },
    "domain": {
        Description: "The domain of the privilege",
        Optional:    true,
        Type:        schema.TypeString,
    },
    "format": {
        Description:  "The format of the privilege",
        Optional:     true,
        Type:         schema.TypeString,
        ValidateFunc: validation.StringInSlice(nexus.RepositoryFormats, false),
    },
    "name": {
        Description: "The name of the privilege",
        ForceNew:    true,
        Required:    true,
        Type:        schema.TypeString,
    },
    "repository": {
        Description: "The repository of the privilege",
        Optional:    true,
        Type:        schema.TypeString,
    },
    "type": {
        Description:  "The type of the privilege",
        Required:     true,
        Type:         schema.TypeString,
        ValidateFunc: validation.StringInSlice([]string{"application", "repository-admin", "repository-content-selector", "repository-view", "script", "wildcard"}, false),
    },

S3 type for blobstore

Thanks for great work!

As I understand, support for the S3 type is still missing:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # nexus_blobstore.maven will be created
  + resource "nexus_blobstore" "maven" {
      + available_space_in_bytes = (known after apply)
      + blob_count               = (known after apply)
      + id                       = (known after apply)
      + name                     = "maven"
      + path                     = "/"
      + total_size_in_bytes      = (known after apply)
      + type                     = "S3"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

nexus_blobstore.maven: Creating...

Error: could not create blobstore "maven": HTTP: 400, [ {
  "id" : "PARAMETER bucketConfiguration",
  "message" : "must not be null"
} ]

  on blobs.tf line 12, in resource "nexus_blobstore" "maven":
  12: resource "nexus_blobstore" "maven" {

Do you have some plans to add S3 type for blobstore?
Will be nice to have this possibility for stateless instances
Thanks!

Cannot update nexus_security_ldap resource

I'm trying to update a parameter on a newly created nexus_security_ldap resource but get the following error:

Error: could not update LDAP server `My AD`: HTTP: 400, :[ {
  "id" : "PARAMETER id",
  "message" : "may not be empty"
} ]

I've only changed the connection_retry_delay_seconds from 1 to 2 to reproduce this bug. My Terraform Plan looks like this:

# nexus_security_ldap.this will be updated in-place
  ~ resource "nexus_security_ldap" "this" {
        auth_password                  = (sensitive value)
        auth_realm                     = "LOCAL"
        auth_schema                    = "SIMPLE"
        auth_username                  = "NexusAD"
      ~ connection_retry_delay_seconds = 1 -> 2
        connection_timeout_seconds     = 1
        group_base_dn                  = "OU=Groups"
        group_id_attribute             = "sAMAccountName"
        (.... more keys removed....)
    }

Terraform Version: 0.13.0
Provider Version 1.10.2
Nexus Version: 3.25.1


More findings:

  • The whitespace in the name is not a problem, same issue without whitespace
  • I also see there is already code that sends the ID to the nexus package correctly
    ldapID := d.Id()
    ldap := getSecurityLDAPFromResourceData(d)
    if err := client.LDAPUpdate(ldapID, ldap); err != nil {
        return err
    }
  • "id" attribute exists in my terraform state file but is NOT the same as in nexus? When clicking on the LDAP setting I'll get routed to "/#admin/security/ldap:d0d442e3-01f5-4354-a588-9e119ad1b0d6" and maybe "d0d442e3-01f5-4354-a588-9e119ad1b0d6" is the ID? Not sure.

PROPOSAL: Split repository entity by repo types.

Currently all the possible repositories are backed by the same resource called "nexus_repository".

The problem with this approach is that..

  1. It's hard to use, for example, currently in VSCode intellisense checks and advises apt-related configuration sections for docker repos (it doesn't check conflicts)

  2. It's hard to extend.
    For example, here you can see the number of fields which should be modified to add just one additional repo https://github.com/datadrivers/terraform-provider-nexus/pull/8/files
    If all the possible repositories will be supported by provider (see the list below), then the resource "nexus_repository" will become unmaintainable and unreadable.

Proposal

Split repository by type and format (they have quite different configurations anyways).

Usage example in Terraform:

resource "nexus_repository_apt_hosted" "my_apt_hosted_repo" {
  name   = "my-apt"    
  distribution = "bionic"

  signing {
    keypair    = "<keypair>"
    passphrase = "<passphrase>"
  }

  storage {
    blob_store_name                = "default"
    strict_content_type_validation = true
    write_policy                   = "ALLOW_ONCE"
  }
}

From a code point of view, it will produce quite similar files forked from the existing terraform-provider-nexus/nexus/resource_repository.go

Pros:

  • better intellisense support
  • better isolation: impl. of additional repository type will not affect any existing implementations
  • much easier to read source code
  • less test cases to test

Cons:

  • Code duplication for some fields like "storage" field which is applicable for multiple repo types.
  • Possible breaking change (*)
  • Some work to do

(*) Breaking change can be postponed by:

  • Building alternative resources besides existing multiresources.
  • Releasing current version under a tag
  • Dropping current implementation later with major release

npm proxy repository remote url does not change

Hi,
when changing the remote_url parameter on an existing remote repository of npm format, the change is accepted as "will be updated in place" by the provider and executed; however, the underlying nexus parameter does not change.

Please let me know if you would like further details.

description field in nexus_role does not get updated in state

description field of nexus_role always shows changes to be applied when performing plan.

13:07:46    # nexus_role.role["1cc99b0fb76325c7d8259c7fbb7e1402"] will be updated in-place
13:07:46    ~ resource "nexus_role" "role" {
13:07:46        ~ description = "cloud_engineering" -> "Created by Terraform"
13:07:46          id          = "cloud_engineering"
13:07:46          name        = "cloud_engineering"
13:07:46        ~ privileges  = [
13:07:46            + "nx-repository-admin-x-ce-dev-x-x",
13:07:46            + "nx-repository-view-x-ce-dev-x-x",
13:07:46            + "nx-repository-admin-x-ce-prod-x-x",
13:07:46            + "nx-repository-view-x-ce-prod-x-x",
13:07:46            + "nx-repository-admin-apt-ce-prod-test1-*",
13:07:46          ]
13:07:46          roleid      = "cloud_engineering"
13:07:46          roles       = []
13:07:46      }

I noticed that the field is getting updated in nexus but not in the state file.

Add support to enable and disable anonymous user access

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
Disable and anonymous user in nexus

Additional context
Add any other context or screenshots about the feature request here.

Modifications are done all the time even though no code changes

resource "nexus_repository" "apt-proxy-bionic" {
  name   = "apt-proxy-bionic"
  format = "apt"
  type   = "proxy"
  online = true
  apt {
    distribution = "bionic"
    flat = false
  }
  negative_cache {
    enabled = true
    ttl     = 1440
  }
  http_client {
    auto_block = true
    authentication {
      type = "username"
    }
  }
  proxy {
    remote_url  = "http://archive.ubuntu.com/ubuntu/"
    metadata_max_age = "1440"
    content_max_age = "1440"
  }
  storage {
    blob_store_name                = "apt-internal"
    strict_content_type_validation = true
    write_policy                   = "ALLOW_ONCE"
  }
  depends_on = [nexus_blobstore.apt-internal]
}

During TF Plan:

Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # nexus_repository.apt-proxy-bionic will be updated in-place
  ~ resource "nexus_repository" "apt-proxy-bionic" {
        format = "apt"
        id     = "apt-proxy-bionic"
        name   = "apt-proxy-bionic"
        online = true
        type   = "proxy"
        apt {
            distribution = "bionic"
            flat         = false
        }
      ~ http_client {
            auto_block = true
            blocked    = false
          + authentication {
              + type = "username"
            }
        }
        negative_cache {
            enabled = true
            ttl     = 1440
        }
        proxy {
            content_max_age  = 1440
            metadata_max_age = 1440
            remote_url       = "http://archive.ubuntu.com/ubuntu/"
        }
      ~ storage {
            blob_store_name                = "apt-internal"
            strict_content_type_validation = true
          ~ write_policy                   = "ALLOW" -> "ALLOW_ONCE"
        }
    }
Plan: 0 to add, 1 to change, 0 to destroy.

Hence those two parameters (write_policy and for authentication http_client) are being kind of touched all the time.

Maven Group - 404

Hi !
When I want to declare a Maven group repository, a 404 error occurred.
Example :

resource "nexus_repository" "maven_group_all" {
  name   = "maven-public-2"
  format = "maven2"
  type   = "group"
  group {
    member_names = [
      "maven-central",
      "maven-releases",
      "maven-snapshots"
    ]
  }
}

Provider version : 1.6.0
Server version : 3.23.0-03

Add documentation about encryption in nexus_blobstore

Looks like there is documentation missing about the encryption stanza in nexus_blobstore.

This encryption stanza seems to work but it appears to be missing from the documentation.

    encryption {
      encryption_type = "s3ManagedEncryption"
    }

Can't create a docker hub repository

Hi,

When creating the docker hub repository, it tells me about a missing "type" parameter :

  "id" : "PARAMETER type",
  "message" : "may not be empty"
} ]

In my terraform script, the "type" is well specified : 
resource "nexus_repository" "docker_hub" {
  name   = "%s"
  format = "docker"
  type   = "proxy"
...
}

My Nexus version is 3.22.1

Best regards
