diff --git a/kubernetes/resource_kubernetes_cluster_role.go b/kubernetes/resource_kubernetes_cluster_role.go index ad6d7bea41..034ad773de 100644 --- a/kubernetes/resource_kubernetes_cluster_role.go +++ b/kubernetes/resource_kubernetes_cluster_role.go @@ -27,12 +27,31 @@ func resourceKubernetesClusterRole() *schema.Resource { "rule": { Type: schema.TypeList, Description: "List of PolicyRules for this ClusterRole", - Required: true, + Optional: true, + Computed: true, MinItems: 1, Elem: &schema.Resource{ Schema: policyRuleSchema(), }, }, + "aggregation_rule": { + Type: schema.TypeList, + Description: "Describes how to build the Rules for this ClusterRole.", + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "cluster_role_selectors": { + Type: schema.TypeList, + Description: "A list of selectors which will be used to find ClusterRoles and create the rules.", + Optional: true, + Elem: &schema.Resource{ + Schema: labelSelectorFields(true), + }, + }, + }, + }, + }, }, } } @@ -48,6 +67,11 @@ func resourceKubernetesClusterRoleCreate(d *schema.ResourceData, meta interface{ ObjectMeta: metadata, Rules: expandClusterRoleRules(d.Get("rule").([]interface{})), } + + if v, ok := d.GetOk("aggregation_rule"); ok { + cRole.AggregationRule = expandClusterRoleAggregationRule(v.([]interface{})) + } + log.Printf("[INFO] Creating new cluster role: %#v", cRole) out, err := conn.RbacV1().ClusterRoles().Create(&cRole) if err != nil { @@ -71,6 +95,10 @@ func resourceKubernetesClusterRoleUpdate(d *schema.ResourceData, meta interface{ diffOps := patchRbacRule(d) ops = append(ops, diffOps...) } + if d.HasChange("aggregation_rule") { + diffOps := patchRbacAggregationRule(d) + ops = append(ops, diffOps...) + } data, err := ops.MarshalJSON() if err != nil { return fmt.Errorf("Failed to marshal update operations: %s", err) @@ -108,8 +136,16 @@ func resourceKubernetesClusterRoleRead(d *schema.ResourceData, meta interface{}) if err != nil { return err } - d.Set("rule", flattenClusterRoleRules(cRole.Rules)) - + err = d.Set("rule", flattenClusterRoleRules(cRole.Rules)) + if err != nil { + return err + } + if cRole.AggregationRule != nil { + err = d.Set("aggregation_rule", flattenClusterRoleAggregationRule(cRole.AggregationRule)) + if err != nil { + return err + } + } return nil } diff --git a/kubernetes/resource_kubernetes_cluster_role_test.go b/kubernetes/resource_kubernetes_cluster_role_test.go index 15fab2e35f..5d16d1069e 100644 --- a/kubernetes/resource_kubernetes_cluster_role_test.go +++ b/kubernetes/resource_kubernetes_cluster_role_test.go @@ -13,43 +13,44 @@ import ( func TestAccKubernetesClusterRole_basic(t *testing.T) { var conf api.ClusterRole - name := fmt.Sprintf("tf-acc-test:%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)) + resourceName := "kubernetes_cluster_role.test" + name := acctest.RandomWithPrefix("tf-acc-test") resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, - IDRefreshName: "kubernetes_cluster_role.test", + IDRefreshName: resourceName, Providers: testAccProviders, CheckDestroy: testAccCheckKubernetesClusterRoleDestroy, Steps: []resource.TestStep{ { Config: testAccKubernetesClusterRoleConfig_basic(name), Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckKubernetesClusterRoleExists("kubernetes_cluster_role.test", &conf), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.#", "2"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.0", "pods"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.1", "pods/log"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.#", "2"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.0", "get"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.1", "list"), + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.0", "pods"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.1", "pods/log"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.0", "get"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.1", "list"), ), }, { Config: testAccKubernetesClusterRoleConfig_modified(name), Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckKubernetesClusterRoleExists("kubernetes_cluster_role.test", &conf), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.#", "3"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.#", "3"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.2", "watch"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.api_groups.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.0", "deployments"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.#", "2"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.0", "get"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.1", "list"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.non_resource_urls.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.non_resource_urls.0", "/metrics"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.verbs.0", "get"), + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "rule.#", "3"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.#", "3"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.2", "watch"), + resource.TestCheckResourceAttr(resourceName, "rule.1.api_groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.0", "deployments"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.0", "get"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.1", "list"), + resource.TestCheckResourceAttr(resourceName, "rule.2.non_resource_urls.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.2.non_resource_urls.0", "/metrics"), + resource.TestCheckResourceAttr(resourceName, "rule.2.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.2.verbs.0", "get"), ), }, }, @@ -58,7 +59,7 @@ func TestAccKubernetesClusterRole_basic(t *testing.T) { func TestAccKubernetesClusterRole_importBasic(t *testing.T) { resourceName := "kubernetes_cluster_role.test" - name := fmt.Sprintf("tf-acc-test:%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)) + name := acctest.RandomWithPrefix("tf-acc-test") resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -77,75 +78,169 @@ func TestAccKubernetesClusterRole_importBasic(t *testing.T) { }) } -func TestAccKubernetesClusterRoleUpdatePatchOperationsOrderWithRemovals(t *testing.T) { +func TestAccKubernetesClusterRole_updatePatchOperationsOrderWithRemovals(t *testing.T) { var conf api.ClusterRole - name := fmt.Sprintf("tf-acc-test:%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)) + resourceName := "kubernetes_cluster_role.test" + name := acctest.RandomWithPrefix("tf-acc-test") resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, - IDRefreshName: "kubernetes_cluster_role.test", + IDRefreshName: resourceName, Providers: testAccProviders, CheckDestroy: testAccCheckKubernetesClusterRoleDestroy, Steps: []resource.TestStep{ { Config: testAccKubernetesClusterRoleConfigBug_step_0(name), Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckKubernetesClusterRoleExists("kubernetes_cluster_role.test", &conf), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.#", "3"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.0", "pods"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.0", "get"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.0", "deployments"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.0", "list"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.non_resource_urls.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.non_resource_urls.0", "/metrics"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.verbs.0", "get"), + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "rule.#", "3"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.0", "pods"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.0", "get"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.0", "deployments"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.0", "list"), + resource.TestCheckResourceAttr(resourceName, "rule.2.non_resource_urls.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.2.non_resource_urls.0", "/metrics"), + resource.TestCheckResourceAttr(resourceName, "rule.2.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.2.verbs.0", "get"), ), }, { Config: testAccKubernetesClusterRoleConfigBug_step_1(name), Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckKubernetesClusterRoleExists("kubernetes_cluster_role.test", &conf), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.#", "2"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.0", "deployments"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.#", "2"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.0", "get"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.1", "list"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.api_groups.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.0", "jobs"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.0", "get"), + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "rule.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.0", "deployments"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.0", "get"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.1", "list"), + resource.TestCheckResourceAttr(resourceName, "rule.1.api_groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.0", "jobs"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.0", "get"), ), }, { Config: testAccKubernetesClusterRoleConfigBug_step_2(name), Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckKubernetesClusterRoleExists("kubernetes_cluster_role.test", &conf), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.#", "4"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.resources.0", "pods"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.0.verbs.0", "list"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.resources.0", "deployments"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.1.verbs.0", "list"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.non_resource_urls.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.non_resource_urls.0", "/metrics"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.2.verbs.0", "get"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.3.api_groups.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.3.resources.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.3.resources.0", "jobs"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.3.verbs.#", "1"), - resource.TestCheckResourceAttr("kubernetes_cluster_role.test", "rule.3.verbs.0", "get"), + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "rule.#", "4"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.0", "pods"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.0", "list"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.resources.0", "deployments"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.1.verbs.0", "list"), + resource.TestCheckResourceAttr(resourceName, "rule.2.non_resource_urls.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.2.non_resource_urls.0", "/metrics"), + resource.TestCheckResourceAttr(resourceName, "rule.2.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.2.verbs.0", "get"), + resource.TestCheckResourceAttr(resourceName, "rule.3.api_groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.3.resources.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.3.resources.0", "jobs"), + resource.TestCheckResourceAttr(resourceName, "rule.3.verbs.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.3.verbs.0", "get"), + ), + }, + }, + }) +} + +func TestAccKubernetesClusterRole_aggregationRuleBasic(t *testing.T) { + var conf api.ClusterRole + resourceName := "kubernetes_cluster_role.test" + name := acctest.RandomWithPrefix("tf-acc-test") + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + IDRefreshName: resourceName, + Providers: testAccProviders, + CheckDestroy: testAccCheckKubernetesClusterRoleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccKubernetesClusterRoleConfig_aggRule(name), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.#", "1"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.#", "1"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_expressions.0.key", "environment"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_expressions.0.operator", "In"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_expressions.0.values.#", "1"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_labels.foo", "bar"), + ), + }, + { + Config: testAccKubernetesClusterRoleConfig_aggRuleModified(name), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.#", "1"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.#", "1"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_expressions.0.key", "env"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_expressions.0.operator", "NotIn"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_expressions.0.values.#", "1"), + resource.TestCheckResourceAttr(resourceName, "aggregation_rule.0.cluster_role_selectors.0.match_labels.bar", "foo"), + ), + }, + }, + }) +} + +func TestAccKubernetesClusterRole_aggregationRuleRuleAggregation(t *testing.T) { + var conf api.ClusterRole + resourceName := "kubernetes_cluster_role.test" + name := acctest.RandomWithPrefix("tf-acc-test") + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + IDRefreshName: resourceName, + Providers: testAccProviders, + CheckDestroy: testAccCheckKubernetesClusterRoleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccKubernetesClusterRoleConfig_aggRule2(name), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), ), }, + { + Config: testAccKubernetesClusterRoleConfig_aggRule2(name), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckKubernetesClusterRoleExists(resourceName, &conf), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.0", "pods"), + resource.TestCheckResourceAttr(resourceName, "rule.0.resources.1", "pods/log"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.#", "2"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.0", "get"), + resource.TestCheckResourceAttr(resourceName, "rule.0.verbs.1", "list"), + ), + }, + }, + }) +} + +func TestAccKubernetesClusterRole_importAggregationRule(t *testing.T) { + resourceName := "kubernetes_cluster_role.test" + name := acctest.RandomWithPrefix("tf-acc-test") + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + IDRefreshName: resourceName, + Providers: testAccProviders, + CheckDestroy: testAccCheckKubernetesClusterRoleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccKubernetesClusterRoleConfig_aggRule(name), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"metadata.0.resource_version"}, + }, }, }) } @@ -325,3 +420,96 @@ resource "kubernetes_cluster_role" "test" { } `, name) } + +func testAccKubernetesClusterRoleConfig_aggRule(name string) string { + return fmt.Sprintf(` +resource "kubernetes_cluster_role" "test" { + metadata { + labels = { + TestLabelOne = "one" + TestLabelTwo = "two" + TestLabelThree = "three" + } + + name = "%s" + } + + aggregation_rule { + cluster_role_selectors { + match_labels = { + foo = "bar" + } + + match_expressions { + key = "environment" + operator = "In" + values = ["non-exists-12345"] + } + } + } +} +`, name) +} + +func testAccKubernetesClusterRoleConfig_aggRuleModified(name string) string { + return fmt.Sprintf(` +resource "kubernetes_cluster_role" "test" { + metadata { + labels = { + TestLabelOne = "one" + TestLabelTwo = "two" + TestLabelThree = "three" + } + + name = "%s" + } + + aggregation_rule { + cluster_role_selectors { + match_labels = { + bar = "foo" + } + + match_expressions { + key = "env" + operator = "NotIn" + values = ["non"] + } + } + } +} +`, name) +} + +func testAccKubernetesClusterRoleConfig_aggRule2(name string) string { + return fmt.Sprintf(` +resource "kubernetes_cluster_role" "test" { + metadata { + name = "%[1]s" + } + + aggregation_rule { + cluster_role_selectors { + match_labels = { + "rbac.example.com/aggregate-to-monitoring" = "true" + } + } + } +} + +resource "kubernetes_cluster_role" "test2" { + metadata { + labels = { + "rbac.example.com/aggregate-to-monitoring" = "true" + } + name = "%[1]s-2" + } + + rule { + api_groups = [""] + resources = ["pods", "pods/log"] + verbs = ["get", "list"] + } +} +`, name) +} diff --git a/kubernetes/structures_rbac.go b/kubernetes/structures_rbac.go index d12fe99124..e9cd2d5e95 100644 --- a/kubernetes/structures_rbac.go +++ b/kubernetes/structures_rbac.go @@ -5,6 +5,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/helper/schema" api "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func expandRBACRoleRef(in []interface{}) api.RoleRef { @@ -79,6 +80,22 @@ func expandClusterRoleRules(in []interface{}) []api.PolicyRule { return rules } +func expandClusterRoleAggregationRule(in []interface{}) *api.AggregationRule { + if len(in) == 0 || in[0] == nil { + return &api.AggregationRule{} + } + ref := &api.AggregationRule{} + m := in[0].(map[string]interface{}) + + if v, ok := m["cluster_role_selectors"].([]interface{}); ok && len(v) > 0 { + crs := make([]metav1.LabelSelector, 0) + crs = append(crs, *expandLabelSelector(v)) + ref.ClusterRoleSelectors = crs + } + + return ref +} + func flattenRBACRoleRef(in api.RoleRef) []interface{} { att := make(map[string]interface{}) @@ -121,6 +138,18 @@ func flattenClusterRoleRules(in []api.PolicyRule) []interface{} { return att } +func flattenClusterRoleAggregationRule(in *api.AggregationRule) []interface{} { + att := make(map[string]interface{}) + + if len(in.ClusterRoleSelectors) > 0 { + for _, crs := range in.ClusterRoleSelectors { + att["cluster_role_selectors"] = flattenLabelSelector(&crs) + } + } + + return []interface{}{att} +} + // Patch Ops func patchRbacSubject(d *schema.ResourceData) PatchOperations { o, n := d.GetChange("subject") @@ -189,3 +218,17 @@ func patchRbacRule(d *schema.ResourceData) PatchOperations { } return ops } + +func patchRbacAggregationRule(d *schema.ResourceData) PatchOperations { + _, n := d.GetChange("aggregation_rule") + //oldrules := expandClusterRoleRules(o.([]interface{})) + newAggRule := expandClusterRoleAggregationRule(n.([]interface{})) + ops := make([]PatchOperation, 0) + + ops = append(ops, &ReplaceOperation{ + Path: "/aggregationRule", + Value: newAggRule, + }) + + return ops +} diff --git a/website/docs/r/cluster_role.html.markdown b/website/docs/r/cluster_role.html.markdown index 3b1c110eaf..706b87a2d9 100644 --- a/website/docs/r/cluster_role.html.markdown +++ b/website/docs/r/cluster_role.html.markdown @@ -26,12 +26,38 @@ resource "kubernetes_cluster_role" "example" { } ``` +## Aggregation Rule Example Usage + +```hcl +resource "kubernetes_cluster_role" "example" { + metadata { + name = "terraform-example" + } + + aggregation_rule { + cluster_role_selectors { + match_labels = { + foo = "bar" + } + + match_expressions { + key = "environment" + operator = "In" + values = ["non-exists-12345"] + } + } + } +} +``` + ## Argument Reference The following arguments are supported: -- `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) -- `rule` - (Required) The PolicyRoles for this ClusterRole. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) +* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) +* `rule` - (Optional) The PolicyRoles for this ClusterRole. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) +* `aggregation_rule` - (Optional) Describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be overwritten by the controller. +. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) ## Nested Blocks @@ -39,31 +65,45 @@ The following arguments are supported: #### Arguments -- `annotations` - (Optional) An unstructured key value map stored with the cluster role binding that may be used to store arbitrary metadata. +* `annotations` - (Optional) An unstructured key value map stored with the cluster role binding that may be used to store arbitrary metadata. **By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem).** For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations) -- `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency) -- `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role binding. +* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency) +* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role binding. **By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem).** For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels) -- `name` - (Optional) Name of the cluster role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#names) +* `name` - (Optional) Name of the cluster role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#names) #### Attributes -- `generation` - A sequence number representing a specific generation of the desired state. -- `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency) -- `self_link` - A URL representing this cluster role binding. -- `uid` - The unique in time and space value for this cluster role binding. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#uids) +* `generation` - A sequence number representing a specific generation of the desired state. +* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency) +* `self_link` - A URL representing this cluster role binding. +* `uid` - The unique in time and space value for this cluster role binding. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#uids) ### `rule` #### Arguments -- `api_groups` - (Optional) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. -- `non_resource_urls` - (Optional) NonResourceURLs is a set of partial urls that a user should have access to. \*s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. -- `resource_names` - (Optional) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. -- `resources` - (Optional) Resources is a list of resources this rule applies to. ResourceAll represents all resources. -- `verbs` - (Required) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds. +* `api_groups` - (Optional) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. +* `non_resource_urls` - (Optional) NonResourceURLs is a set of partial urls that a user should have access to. \*s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. +* `resource_names` - (Optional) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. +* `resources` - (Optional) Resources is a list of resources this rule applies to. ResourceAll represents all resources. +* `verbs` - (Required) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds. + +### `aggregation_rule` + +#### Arguments + +* `cluster_role_selectors` - (Optional) A list of selectors which will be used to find ClusterRoles and create the rules. + +### `cluster_role_selectors` + +#### Arguments + +* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed. +* `match_labels` - (Optional) A map of `{key,value}` pairs. A single `{key,value}` in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + ## Import