From 43052da61220f73f3d65f00ade2c42b1983eb4a3 Mon Sep 17 00:00:00 2001
From: Mahatva Garg
Date: Thu, 16 Apr 2026 17:10:05 +0530
Subject: [PATCH] feat(terraform): add CIFS share provisioning module
---
 terraform/README.md | 30 +++++++-
 terraform/cifs-provision/main.tf | 63 ++++++++++++++++
 terraform/cifs-provision/outputs.tf | 19 +++++
 .../cifs-provision/terraform.tfvars.example | 18 +++++
 terraform/cifs-provision/variables.tf | 75 +++++++++++++++++++
 5 files changed, 202 insertions(+), 3 deletions(-)
 create mode 100644 terraform/cifs-provision/main.tf
 create mode 100644 terraform/cifs-provision/outputs.tf
 create mode 100644 terraform/cifs-provision/terraform.tfvars.example
 create mode 100644 terraform/cifs-provision/variables.tf
diff --git a/terraform/README.md b/terraform/README.md
index 02e5373..0e5a056 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -89,6 +89,25 @@ To tear down the resources:
 terraform destroy
 ```
 
+### CIFS (SMB) Share Provisioning
+
+Creates a FlexVol volume with NTFS security style, a CIFS share pointing to the
+volume, and an ACL granting the specified user/group the requested permission level.
+
+```bash
+cd cifs-provision
+cp terraform.tfvars.example terraform.tfvars
+# edit terraform.tfvars
+terraform init && terraform plan # review the plan
+terraform apply # create resources
+```
+
+To tear down the resources:
+
+```bash
+terraform destroy
+```
+
 ---
 
 ## File Overview
@@ -101,10 +120,15 @@ terraform/
 │ ├── variables.tf # Input variables
 │ ├── outputs.tf # Cluster name, version, nodes
 │ └── terraform.tfvars.example # Variable template
-└── nfs-provision/
- ├── main.tf # Provider + resources
+├── nfs-provision/
+│ ├── main.tf # Provider + resources
+│ ├── variables.tf # Input variables
+│ ├── outputs.tf # Volume name, mount path, policy
+│ └── terraform.tfvars.example # Variable template
+└── cifs-provision/
+ ├── main.tf # Provider + volume + CIFS share with ACL
 ├── variables.tf # Input variables
- ├── outputs.tf # Volume name, mount path, policy
+ ├── outputs.tf # Volume name, mount path, share name/path
 └── terraform.tfvars.example # Variable template
 ```
 
diff --git a/terraform/cifs-provision/main.tf b/terraform/cifs-provision/main.tf
new file mode 100644
index 0000000..a9ee7f3
--- /dev/null
+++ b/terraform/cifs-provision/main.tf
@@ -0,0 +1,63 @@
+# cifs-provision — Create a CIFS (SMB) share with volume and ACL.
+
+terraform {
+ required_version = ">= 1.4"
+
+ required_providers {
+ netapp-ontap = {
+ source = "NetApp/netapp-ontap"
+ version = "~> 2.5"
+ }
+ }
+}
+
+provider "netapp-ontap" {
+ connection_profiles = [
+ {
+ name = "cluster1"
+ hostname = var.ontap_host
+ username = var.ontap_username
+ password = var.ontap_password
+ validate_certs = var.validate_certs
+ },
+ ]
+}
+
+# Step 1 — Create the FlexVol volume with NTFS security style
+resource "netapp-ontap_volume" "cifs_vol" {
+ cx_profile_name = "cluster1"
+ name = var.volume_name
+ svm_name = var.svm_name
+ aggregates = [
+ { name = var.aggregate_name },
+ ]
+ space = {
+ size = var.volume_size
+ size_unit = var.volume_size_unit
+ }
+ nas = {
+ junction_path = "/${var.volume_name}"
+ security_style = "ntfs"
+ }
+}
+
+# Step 2 — Create the CIFS share with ACL on the volume
+resource "netapp-ontap_cifs_share" "cifs_share" {
+ cx_profile_name = "cluster1"
+ name = var.share_name
+ path = "/${var.volume_name}"
+ svm_name = var.svm_name
+ comment = var.share_comment
+
+ acls = [
+ {
+ permission = var.acl_permission
+ type = "windows"
+ user_or_group = var.acl_user
+ },
+ ]
+
+ depends_on = [
+ netapp-ontap_volume.cifs_vol,
+ ]
+}
diff --git a/terraform/cifs-provision/outputs.tf b/terraform/cifs-provision/outputs.tf
new file mode 100644
index 0000000..a59e62a
--- /dev/null
+++ b/terraform/cifs-provision/outputs.tf
@@ -0,0 +1,19 @@
+output "volume_name" {
+ description = "Name of the created volume"
+ value = netapp-ontap_volume.cifs_vol.name
+}
+
+output "mount_path" {
+ description = "NAS junction path for the volume"
+ value = netapp-ontap_volume.cifs_vol.nas.junction_path
+}
+
+output "share_name" {
+ description = "Name of the CIFS share"
+ value = netapp-ontap_cifs_share.cifs_share.name
+}
+
+output "share_path" {
+ description = "Path the CIFS share points to"
+ value = netapp-ontap_cifs_share.cifs_share.path
+}
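Review bot: In main.tf, `netapp-ontap_cifs_share.cifs_share` rebuilds its `path` from `var.volume_name` instead of reading it from the volume resource, so the share and the junction stay aligned only while the two `"/${var.volume_name}"` templates are edited together, and an explicit `depends_on` is needed for ordering. Since outputs.tf already reads `netapp-ontap_volume.cifs_vol.nas.junction_path`, the share can use `path = netapp-ontap_volume.cifs_vol.nas.junction_path`, which gives Terraform the dependency implicitly and makes the `depends_on` block redundant. A short comment above `acls`, such as `# share-level ACL only; NTFS permissions on the volume are not managed by this module`, would also help whoever audits access to the share later.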
diff --git a/terraform/cifs-provision/terraform.tfvars.example b/terraform/cifs-provision/terraform.tfvars.example
new file mode 100644
index 0000000..95c1e85
--- /dev/null
+++ b/terraform/cifs-provision/terraform.tfvars.example
@@ -0,0 +1,18 @@
+# Copy to terraform.tfvars and fill in your values.
+# terraform.tfvars is loaded automatically and should NOT be committed.
+
+ontap_host = "10.0.0.1"
+ontap_username = "admin"
+ontap_password = "CHANGEME"
+validate_certs = false # supports self-signed certs; set true once CA-signed certs are in place
+
+svm_name = "vs0"
+volume_name = "vol_cifs_test_01"
+volume_size = 100
+volume_size_unit = "mb"
+aggregate_name = "aggr1"
+
+share_name = "cifs_share_test"
+share_comment = "Provisioned by orchestrio"
+acl_user = "Everyone"
+acl_permission = "full_control"
diff --git a/terraform/cifs-provision/variables.tf b/terraform/cifs-provision/variables.tf
new file mode 100644
index 0000000..cff2d2f
--- /dev/null
+++ b/terraform/cifs-provision/variables.tf
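Review bot: terraform.tfvars.example ends with `acl_user = "Everyone"` and `acl_permission = "full_control"` and sets `validate_certs = false`, and variables.tf carries the same three values as defaults, so a run that leaves them untouched creates a share whose share-level ACL restricts nobody, over a management connection that does not verify the ONTAP certificate while carrying the admin password. Access then rests entirely on the NTFS permissions of the new volume, which this module does not set. The defaults in variables.tf should fail closed (`default = true` for `validate_certs`, no default for `acl_user` and `acl_permission`), and the example should show a constructed placeholder such as `acl_user = "EXAMPLE\\storage-users"` with `acl_permission = "change"`. Keeping `validate_certs = false` in the example as an explicit, commented opt-in for lab clusters with self-signed certificates is reasonable.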
@@ -0,0 +1,75 @@
+variable "ontap_host" {
+ description = "ONTAP cluster management LIF hostname or IP"
+ type = string
+}
+
+variable "ontap_username" {
+ description = "ONTAP admin username"
+ type = string
+ default = "admin"
+}
+
+variable "ontap_password" {
+ description = "ONTAP admin password"
+ type = string
+ sensitive = true
+}
+
+variable "validate_certs" {
+ description = "Validate TLS certificates — false to support self-signed certs; set true once CA-signed certs are in place"
+ type = bool
+ default = false
+}
+
+variable "svm_name" {
+ description = "Storage Virtual Machine (SVM / vserver) name"
+ type = string
+ default = "vs0"
+}
+
+variable "volume_name" {
+ description = "Name for the new FlexVol volume"
+ type = string
+ default = "vol_cifs_test_01"
+}
+
+variable "volume_size" {
+ description = "Volume size"
+ type = number
+ default = 100
+}
+
+variable "volume_size_unit" {
+ description = "Size unit (mb, gb, tb)"
+ type = string
+ default = "mb"
+}
+
+variable "aggregate_name" {
+ description = "Aggregate to place the volume on"
+ type = string
+}
+
+variable "share_name" {
+ description = "Name for the CIFS (SMB) share"
+ type = string
+ default = "cifs_share_test"
+}
+
+variable "share_comment" {
+ description = "Descriptive comment for the CIFS share"
+ type = string
+ default = "Provisioned by orchestrio"
+}
+
+variable "acl_user" {
+ description = "User or group for the share ACL"
+ type = string
+ default = "Everyone"
+}
+
+variable "acl_permission" {
+ description = "ACL permission level (read, change, full_control, no_access)"
+ type = string
+ default = "full_control"
+}
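Review bot: In variables.tf, `acl_permission` and `volume_size_unit` name their allowed values only in the description, so a mistyped value is presumably rejected no earlier than apply time by the provider or the ONTAP API, rather than at plan time. A `validation` block in each would stop bad input early, with `condition = contains(["read", "change", "full_control", "no_access"], var.acl_permission)` and `condition = contains(["mb", "gb", "tb"], var.volume_size_unit)`, each paired with an `error_message`. Separately, `ontap_username` defaults to `admin` under the description "ONTAP admin username", which steers operators to the built-in administrator; dropping the default and asking in the description for an account whose role is limited to volume and CIFS share management would fit least privilege better.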