chore(release): 1.65.0

CHANGELOG.md

@@ -1,3 +1,27 @@
+## [1.65.0](https://github.com/terraform-routeros/terraform-provider-routeros/compare/v1.64.2...v1.65.0) (2024-10-07)
+
+### Features
+
+* Disable warning output on system resources ([c799f29](https://github.com/terraform-routeros/terraform-provider-routeros/commit/c799f299629fd82c3004dd1903487d694aeffbbf))
+* **ipsec:** Add new resource `routeros_ip_ipsec_identity` ([afdbadb](https://github.com/terraform-routeros/terraform-provider-routeros/commit/afdbadb7297560dc97d07cbd0abe8d1f7fa0fb9f))
+* **ipsec:** Add new resource `routeros_ip_ipsec_key` ([14865b9](https://github.com/terraform-routeros/terraform-provider-routeros/commit/14865b9fa989e79a07a9e46857399cf560208f61))
+* **ipsec:** Add new resource `routeros_ip_ipsec_mode_config` ([ca88a77](https://github.com/terraform-routeros/terraform-provider-routeros/commit/ca88a77f14bd5177938d20930da4ccd515e647fa))
+* **ipsec:** Add new resource `routeros_ip_ipsec_policy_group` ([d4c0817](https://github.com/terraform-routeros/terraform-provider-routeros/commit/d4c0817f6af31a3b5d1fa766bf9c4c415b43aefd))
+* **ipsec:** Add new resource `routeros_ip_ipsec_policy` ([9ba2bf9](https://github.com/terraform-routeros/terraform-provider-routeros/commit/9ba2bf961a0d7dafaf5d778a10f0a2e153f0d666))
+* **ipsec:** Add new resource `routeros_ip_ipsec_profile` ([66aa2f8](https://github.com/terraform-routeros/terraform-provider-routeros/commit/66aa2f8c830a4cfe925a315c36114ded9842264d))
+* **ipsec:** Add new resource `routeros_ip_ipsec_proposal` ([9fee803](https://github.com/terraform-routeros/terraform-provider-routeros/commit/9fee803c5a19ad244d63ff8f052dc6c9de90c47f))
+* **ipsec:** Add new resource `routeros_ip_ipsec_settings` ([7388cae](https://github.com/terraform-routeros/terraform-provider-routeros/commit/7388cae3a5753ef9c0dfbf5c2423497ee9eba838))
+* **ipsec:** New resource `routeros_ip_ipsec_peer` ([7600d45](https://github.com/terraform-routeros/terraform-provider-routeros/commit/7600d457e5e4245c9c743f2f28d42194c2a0f0e8))
+
+### Bug Fixes
+
+* Adding fields to skip for rx and tx on resource_interface_ethernet.go ([#573](https://github.com/terraform-routeros/terraform-provider-routeros/issues/573)) ([1a905f5](https://github.com/terraform-routeros/terraform-provider-routeros/commit/1a905f5e26afbd782bbd9f67c18e49abe6937ea1))
+* **file:** Field 'last_modified' not found in the schema ([#580](https://github.com/terraform-routeros/terraform-provider-routeros/issues/580)) ([cb4635a](https://github.com/terraform-routeros/terraform-provider-routeros/commit/cb4635a97b50b1e33c82622ee3f3a3defe1e6b69)), closes [#579](https://github.com/terraform-routeros/terraform-provider-routeros/issues/579)
+* **ipsec:** Add the lost attributes ([6f61879](https://github.com/terraform-routeros/terraform-provider-routeros/commit/6f61879ef8e84254fbf0a602ec8a09b714bc58be))
+* validation for routeros_wifi_security.wps ([#578](https://github.com/terraform-routeros/terraform-provider-routeros/issues/578)) ([770bfe3](https://github.com/terraform-routeros/terraform-provider-routeros/commit/770bfe37c5708227daa3a891581d86f09c9c4b54))
+* **wireless:** Delete required parameters ([616049e](https://github.com/terraform-routeros/terraform-provider-routeros/commit/616049e04bd351111c7515e801b3e9e229dc3da8))
+* **wireless:** Delete required parameters ([33793fd](https://github.com/terraform-routeros/terraform-provider-routeros/commit/33793fd70aef7580862b577cd6f001cf9d954306))
+
 ## [1.64.2](https://github.com/terraform-routeros/terraform-provider-routeros/compare/v1.64.1...v1.64.2) (2024-09-29)
 
 ### Bug Fixes

docs/data-sources/wifi_easy_connect.md

@@ -12,6 +12,9 @@ data "routeros_wifi_easy_connect" "test" {
 output "qrcode" {
   value = data.routeros_wifi_easy_connect.test.qr_code
 }
+
+# We can disable the QR code output and view it in the state file if needed.
+# terraform.exe state show data.routeros_wifi_easy_connect.test
 ```
 
 <!-- schema generated by tfplugindocs -->

docs/resources/file.md

@@ -24,6 +24,7 @@ resource "routeros_file" "test" {
 
 - `creation_time` (String) A time when the file was created
 - `id` (String) The ID of this resource.
+- `last_modified` (String) A time when the file was modified
 - `package_architecture` (String) Architecture that package is built for. Applies only to RouterOS ".npk" files
 - `package_built_time` (String) A time when the package was built. Applies only to RouterOS ".npk" files
 - `package_name` (String) Name of the installable package. Applies only to RouterOS ".npk" files

docs/resources/interface_wireless.md

@@ -3,6 +3,16 @@
 
 ## Example Usage
 ```terraform
+variable "wlan_2ghz_disabled" {
+  type    = bool
+  default = false
+}
+
+resource "routeros_interface_wireless" "wlan-2ghz" {
+  name     = "wlan1"
+  disabled = var.wlan_2ghz_disabled
+}
+
 resource "routeros_interface_wireless_security_profiles" "test" {
   name                 = "test-profile"
   mode                 = "dynamic-keys"
@@ -15,7 +25,7 @@ resource "routeros_interface_wireless" "test" {
   depends_on       = [resource.routeros_interface_wireless_security_profiles.test]
   security_profile = resource.routeros_interface_wireless_security_profiles.test.name
   mode             = "ap-bridge"
-  master_interface = "wlan1"
+  master_interface = resource.routeros_interface_wireless.wlan-2ghz.name
   name             = "wlan-guest"
   ssid             = "guests"
   basic_rates_ag   = ["6Mbps", "9Mbps"]
@@ -27,9 +37,7 @@ resource "routeros_interface_wireless" "test" {
 
 ### Required
 
-- `mode` (String) Selection between different station and access point (AP) modes. **Station modes**: `station` - Basic station mode. Find and connect to acceptable AP. `station-wds` - Same as station, but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in wds. `station-pseudobridge` - Same as station, but additionally perform MAC address translation of all traffic. Allows interface to be bridged. `station-pseudobridge-clone` - Same as station-pseudobridge, but use station-bridge-clone-mac address to connect to AP. `station-bridge` - Provides support for transparent protocol-independent L2 bridging on the station device. RouterOS AP accepts clients in station-bridge mode when enabled using bridge-mode parameter. In this mode, the AP maintains a forwarding table with information on which MAC addresses are reachable over which station device. Only works with RouterOS APs. With station-bridge mode, it is not possible to connect to CAPsMAN controlled CAP. **AP modes**: `ap-bridge` - Basic access point mode. `bridge` - Same as ap-bridge, but limited to one associated client. `wds-slave` - Same as ap-bridge, but scan for AP with the same ssid and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If dfs-mode is radar-detect, then APs with enabled hide-ssid will not be found during scanning. **Special modes**: `alignment-only` - Put the interface in a continuous transmit mode that is used for aiming the remote antenna. `nstreme-dual-slave` - allow this interface to be used in nstreme-dual setup. MAC address translation in pseudobridge modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge.
 - `name` (String) Name of the interface.
-- `ssid` (String) SSID (service set identifier) is a name that identifies wireless network.
 
 ### Optional
 
@@ -79,6 +87,7 @@ resource "routeros_interface_wireless" "test" {
 - `mac_address` (String) MAC address.
 - `master_interface` (String) Name of wireless interface that has virtual-ap capability. Virtual AP interface will only work if master interface is in ap-bridge, bridge, station or wds-slave mode. This property is only for virtual AP interfaces.
 - `max_station_count` (Number) Maximum number of associated clients. WDS links also count toward this limit.
+- `mode` (String) Selection between different station and access point (AP) modes. **Station modes**: `station` - Basic station mode. Find and connect to acceptable AP. `station-wds` - Same as station, but create WDS link with AP, using proprietary extension. AP configuration has to allow WDS links with this device. Note that this mode does not use entries in wds. `station-pseudobridge` - Same as station, but additionally perform MAC address translation of all traffic. Allows interface to be bridged. `station-pseudobridge-clone` - Same as station-pseudobridge, but use station-bridge-clone-mac address to connect to AP. `station-bridge` - Provides support for transparent protocol-independent L2 bridging on the station device. RouterOS AP accepts clients in station-bridge mode when enabled using bridge-mode parameter. In this mode, the AP maintains a forwarding table with information on which MAC addresses are reachable over which station device. Only works with RouterOS APs. With station-bridge mode, it is not possible to connect to CAPsMAN controlled CAP. **AP modes**: `ap-bridge` - Basic access point mode. `bridge` - Same as ap-bridge, but limited to one associated client. `wds-slave` - Same as ap-bridge, but scan for AP with the same ssid and establishes WDS link. If this link is lost or cannot be established, then continue scanning. If dfs-mode is radar-detect, then APs with enabled hide-ssid will not be found during scanning. **Special modes**: `alignment-only` - Put the interface in a continuous transmit mode that is used for aiming the remote antenna. `nstreme-dual-slave` - allow this interface to be used in nstreme-dual setup. MAC address translation in pseudobridge modes works by inspecting packets and building a table of corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is a single entry in the address translation table for all non-IP packets, hence more than one host in the bridged network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge.
 - `mtu` (String) Layer3 Maximum transmission unit ('auto', 0 .. 65535)
 - `multicast_buffering` (String) For a client that has power saving, buffer multicast packets until next beacon time. A client should wake up to receive a beacon, by receiving beacon it sees that there are multicast packets pending, and it should wait for multicast packets to be sent.
 - `multicast_helper` (String) When set to full, multicast packets will be sent with a unicast destination MAC address, resolving  multicast problem on the wireless link. This option should be enabled only on the access point, clients should be configured in station-bridge mode. Available starting from v5.15.disabled - disables the helper and sends multicast packets with multicast destination MAC addressesdhcp - dhcp packet mac addresses are changed to unicast mac addresses prior to sending them outfull - all multicast packet mac address are changed to unicast mac addresses prior to sending them outdefault - default choice that currently is set to dhcp. Value can be changed in future releases.
@@ -105,6 +114,7 @@ resource "routeros_interface_wireless" "test" {
 - `secondary_frequency` (String) Specifies secondary channel, required to enable 80+80MHz transmission. To disable 80+80MHz functionality, set secondary-frequency to `` or unset the value via CLI/GUI.
 - `security_profile` (String) Name of profile from  security-profiles.
 - `skip_dfs_channels` (String) These values are used to skip all DFS channels or specifically skip DFS CAC channels in range 5600-5650MHz which detection could go up to 10min.
+- `ssid` (String) SSID (service set identifier) is a name that identifies wireless network.
 - `station_bridge_clone_mac` (String) This property has effect only in the station-pseudobridge-clone mode.Use this MAC address when connection to AP. If this value is 00:00:00:00:00:00, station will initially use MAC address of the wireless interface.As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP using that address.
 - `station_roaming` (String) Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.
 - `supported_rates_ag` (String) List of supported rates, used for all bands except 2ghz-b.

docs/resources/ip_ipsec_identity.md

@@ -0,0 +1,70 @@
+# routeros_ip_ipsec_identity (Resource)
+
+
+## Example Usage
+```terraform
+resource "routeros_ip_ipsec_mode_config" "test" {
+  name      = "NordVPN"
+  responder = false
+}
+
+resource "routeros_ip_ipsec_peer" "test" {
+  address       = "lv20.nordvpn.com"
+  exchange_mode = "ike2"
+  name          = "NordVPN"
+}
+
+resource "routeros_ip_ipsec_identity" "test" {
+  auth-method     = "eap"
+  certificate     = ""
+  eap-methods     = "eap-mschapv2"
+  generate-policy = "port-strict"
+  mode-config     = routeros_ip_ipsec_mode_config.test.name
+  peer            = routeros_ip_ipsec_peer.test.name
+  username        = "[email protected]"
+  password        = "secret"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `peer` (String) Name of the peer on which the identity applies.
+
+### Optional
+
+- `auth_method` (String) Authentication method: `digital-signature` - authenticate using a pair of RSA certificates; `eap` - IKEv2 EAP authentication for initiator (peer with a netmask of `/32`). Must be used together with eap-methods; `eap-radius` - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; `pre-shared-key` - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); `rsa-key` - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; `pre-shared-key-xauth` - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; `rsa-signature-hybrid` - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
+- `certificate` (String) Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (`auth-method=digital-signature`) or EAP (a`uth-method=eap`) is used.
+- `comment` (String)
+- `disabled` (Boolean)
+- `eap_methods` (String) All EAP methods requires whole certificate chain including intermediate and root CA certificates to be present in System/Certificates menu. Also, the username and password (if required by the authentication server) must be specified. Multiple EAP methods may be specified and will be used in a specified order. Currently supported EAP methods: `eap-mschapv2`; `eap-peap` - also known as PEAPv0/EAP-MSCHAPv2; `eap-tls` - requires additional client certificate specified under certificate parameter; `eap-ttls`.
+- `generate_policy` (String) Allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. Automatic policies allows, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time. `no` - do not generate policies; `port-override` - generate policies and force policy to use any port (old behavior); `port-strict` - use ports from peer's proposal, which should match peer's policy.
+- `key` (String) Name of the private key from keys menu. Applicable if RSA key authentication method (`auth-method=rsa-key`) is used.
+- `match_by` (String) Defines the logic used for peer's identity validation. `remote-id` - will verify the peer's ID according to remote-id setting. `certificate` will verify the peer's certificate with what is specified under remote-certificate setting.
+- `mode_config` (String) Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
+- `my_id` (String) On initiator, this controls what ID_i is sent to the responder. On responder, this controls what ID_r is sent to the initiator. In IKEv2, responder also expects this ID in received ID_r from initiator. `auto` - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections; `address` - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; `fqdn` - fully qualified domain name; `key-id` - use the specified key ID for the identity; `user-fqdn` - specifies a fully-qualified username string, for example, `[email protected]`.
+- `notrack_chain` (String) Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
+- `password` (String, Sensitive) XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (`auth-method=pre-shared-key-xauth`) or EAP (`auth-method=eap`) is used.
+- `policy_template_group` (String) If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
+- `remote_certificate` (String) Name of a certificate (listed in `System/Certificates`) for authenticating the remote side (validating packets; no private key required). If a remote-certificate is not specified then the received certificate from a remote peer is used and checked against CA in the certificate menu. Proper CA must be imported in a certificate store. If remote-certificate and match-by=certificate is specified, only the specific client certificate will be matched. Applicable if digital signature authentication method (`auth-method=digital-signature`) is used.
+- `remote_id` (String) This parameter controls what ID value to expect from the remote peer. Note that all types except for ignoring will verify remote peer's ID with a received certificate. In case when the peer sends the certificate name as its ID, it is checked against the certificate, else the ID is checked against Subject Alt. Name. `auto` - accept all ID's;address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; `fqdn` - fully qualified domain name. Only supported in IKEv2; `user-fqdn` - a fully-qualified username string, for example, `[email protected]`. Only supported in IKEv2; `key-id` - specific key ID for the identity. Only supported in IKEv2; `ignore` - do not verify received ID with certificate (dangerous). * Wildcard key ID matching **is not supported**, for example `remote-id=`key-id:CN=*.domain.com`.
+- `remote_key` (String) Name of the public key from keys menu. Applicable if RSA key authentication method (`auth-method=rsa-key`) is used.
+- `secret` (String, Sensitive) Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if pre-shared key authentication method (`auth-method=pre-shared-key` and `auth-method=pre-shared-key-xauth`) is used.
+- `username` (String) XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (`auth-method=pre-shared-key-xauth`) or EAP (`auth-method=eap`) is used.
+
+### Read-Only
+
+- `dynamic` (Boolean) Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
+- `id` (String) The ID of this resource.
+
+## Import
+Import is supported using the following syntax:
+```shell
+#The ID can be found via API or the terminal
+#The command for the terminal is -> :put [/ip/ipsec/identity get [print show-ids]]
+terraform import routeros_ip_ipsec_identity.test *3
+#Or you can import a resource using one of its attributes
+terraform import routeros_ip_ipsec_identity.test "peer=NordVPN"
+```