NSOF-5770 roles: enforce at least one of 'apply_to_orgs', 'all_suborg…

…s', 'suborgs_expression'
nsofnetworks · Feb 2, 2022 · ba3e7cb · ba3e7cb
1 parent 3a2c84a
commit ba3e7cb
Show file tree

Hide file tree

Showing 12 changed files with 80 additions and 30 deletions.
diff --git a/docs/data-sources/role.md b/docs/data-sources/role.md
@@ -43,7 +43,7 @@ output "role_by_name" {
 - **all_read_privileges** (Boolean)
 - **all_suborgs** (Boolean)
 - **all_write_privileges** (Boolean)
-- **apply_to_orgs** (List of String) indicates which orgs this role applies to. By default, it is applied to current org.
+- **apply_to_orgs** (List of String) indicates which orgs this role applies to.
 - **description** (String)
 - **privileges** (Set of String) Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc.
 - **suborgs_expression** (String) Allows grouping of entities according to their tags. Filtering by tag value is also supported, if provided. Supported operations: AND, OR, XOR, parenthesis.
diff --git a/docs/resources/group_roles_attachment.md b/docs/resources/group_roles_attachment.md
@@ -17,18 +17,24 @@ This means that any group with the roles attached using any other method, includ
 ## Example Usage
 
 ```terraform
+locals {
+  org_id = "org123abc"
+}
+
 resource "pfptmeta_group" "group" {
   name = "admins"
 }
 
 resource "pfptmeta_role" "metaport_role" {
-  name       = "metaport role"
-  privileges = ["metaports:read", "metaports:write"]
+  name          = "metaport role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
-  name       = "network element role"
-  privileges = ["network_elements:read", "network_elements:write"]
+  name          = "network element role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["network_elements:read", "network_elements:write"]
 }
 
 resource "pfptmeta_group_roles_attachment" "attachment" {

diff --git a/docs/resources/role.md b/docs/resources/role.md
@@ -13,9 +13,14 @@ Roles define operations on the enterprise network, such as adding and removing u
 ## Example Usage
 
 ```terraform
+locals {
+  org_id = "org123abc"
+}
+
 resource "pfptmeta_role" "read_only" {
   name                = "all read only"
   description         = "role with all read privileges"
+  apply_to_orgs       = [local.org_id]
   all_read_privileges = true
 }
 
@@ -28,8 +33,9 @@ resource "pfptmeta_role" "admin_role" {
 }
 
 resource "pfptmeta_role" "with_privileges" {
-  name       = "with privs"
-  privileges = ["metaports:read", "metaports:write"]
+  name          = "with privs"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["metaports:read", "metaports:write"]
 }
 ```
 
@@ -45,7 +51,7 @@ resource "pfptmeta_role" "with_privileges" {
 - **all_read_privileges** (Boolean)
 - **all_suborgs** (Boolean)
 - **all_write_privileges** (Boolean)
-- **apply_to_orgs** (List of String) indicates which orgs this role applies to. By default, it is applied to current org.
+- **apply_to_orgs** (List of String) indicates which orgs this role applies to.
 - **description** (String)
 - **privileges** (Set of String) Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc.
 - **suborgs_expression** (String) Allows grouping of entities according to their tags. Filtering by tag value is also supported, if provided. Supported operations: AND, OR, XOR, parenthesis.

diff --git a/docs/resources/user_roles_attachment.md b/docs/resources/user_roles_attachment.md
@@ -17,20 +17,26 @@ This means that any user with the roles attached using any other method, includi
 ## Example Usage
 
 ```terraform
+locals {
+  org_id = "org123abc"
+}
+
 resource "pfptmeta_user" "user" {
   given_name  = "John"
   family_name = "Smith"
   email       = "[email protected]"
 }
 
 resource "pfptmeta_role" "metaport_role" {
-  name       = "metaport role"
-  privileges = ["metaports:read", "metaports:write"]
+  name          = "metaport role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
-  name       = "network element role"
-  privileges = ["network_elements:read", "network_elements:write"]
+  name          = "network element role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["network_elements:read", "network_elements:write"]
 }
 
 resource "pfptmeta_user_roles_attachment" "attachment" {

diff --git a/examples/resources/pfptmeta_group_roles_attachment/resource.tf b/examples/resources/pfptmeta_group_roles_attachment/resource.tf
@@ -1,15 +1,21 @@
+locals {
+  org_id = "org123abc"
+}
+
 resource "pfptmeta_group" "group" {
   name = "admins"
 }
 
 resource "pfptmeta_role" "metaport_role" {
-  name       = "metaport role"
-  privileges = ["metaports:read", "metaports:write"]
+  name          = "metaport role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
-  name       = "network element role"
-  privileges = ["network_elements:read", "network_elements:write"]
+  name          = "network element role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["network_elements:read", "network_elements:write"]
 }
 
 resource "pfptmeta_group_roles_attachment" "attachment" {

diff --git a/examples/resources/pfptmeta_role/resource.tf b/examples/resources/pfptmeta_role/resource.tf
@@ -1,6 +1,11 @@
+locals {
+  org_id = "org123abc"
+}
+
 resource "pfptmeta_role" "read_only" {
   name                = "all read only"
   description         = "role with all read privileges"
+  apply_to_orgs       = [local.org_id]
   all_read_privileges = true
 }
 
@@ -13,6 +18,7 @@ resource "pfptmeta_role" "admin_role" {
 }
 
 resource "pfptmeta_role" "with_privileges" {
-  name       = "with privs"
-  privileges = ["metaports:read", "metaports:write"]
+  name          = "with privs"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["metaports:read", "metaports:write"]
 }
diff --git a/examples/resources/pfptmeta_user_roles_attachment/resource.tf b/examples/resources/pfptmeta_user_roles_attachment/resource.tf
@@ -1,17 +1,23 @@
+locals {
+  org_id = "org123abc"
+}
+
 resource "pfptmeta_user" "user" {
   given_name  = "John"
   family_name = "Smith"
   email       = "[email protected]"
 }
 
 resource "pfptmeta_role" "metaport_role" {
-  name       = "metaport role"
-  privileges = ["metaports:read", "metaports:write"]
+  name          = "metaport role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
-  name       = "network element role"
-  privileges = ["network_elements:read", "network_elements:write"]
+  name          = "network element role"
+  apply_to_orgs = [local.org_id]
+  privileges    = ["network_elements:read", "network_elements:write"]
 }
 
 resource "pfptmeta_user_roles_attachment" "attachment" {

diff --git a/internal/provider/acc_tests/group_roles_attachment_test.go b/internal/provider/acc_tests/group_roles_attachment_test.go
@@ -41,11 +41,13 @@ resource "pfptmeta_group" "group" {
 
 resource "pfptmeta_role" "metaport_role" {
   name       = "metaport role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
   name       = "network element role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["network_elements:read", "network_elements:write"]
 }
 
@@ -62,11 +64,13 @@ resource "pfptmeta_group" "group" {
 
 resource "pfptmeta_role" "metaport_role" {
   name       = "metaport role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
   name       = "network element role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["network_elements:read", "network_elements:write"]
 }
 

diff --git a/internal/provider/acc_tests/role_test.go b/internal/provider/acc_tests/role_test.go
@@ -75,12 +75,14 @@ const testAccResourceRoleStep1 = `
 resource "pfptmeta_role" "admin_role" {
   name                 = "admin role"
   description          = "role with all privileges"
+  apply_to_orgs = ["org-31126"]
   all_read_privileges  = true
   all_write_privileges = true
 }
 
 resource "pfptmeta_role" "with_privileges" {
   name                 = "with privs"
+  apply_to_orgs = ["org-31126"]
   privileges		   = ["metaports:read", "metaports:write"]
 }
 `
@@ -89,6 +91,7 @@ const testAccResourceRoleStep2 = `
 resource "pfptmeta_role" "admin_role" {
   name                 = "admin role1"
   description          = "role with all privileges1"
+  apply_to_orgs = ["org-31126"]
   all_read_privileges  = false
 }
 `

diff --git a/internal/provider/acc_tests/user_roles_attachment_test.go b/internal/provider/acc_tests/user_roles_attachment_test.go
@@ -49,11 +49,13 @@ resource "pfptmeta_user" "user" {
 
 resource "pfptmeta_role" "metaport_role" {
   name       = "metaport role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
   name       = "network element role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["network_elements:read", "network_elements:write"]
 }
 
@@ -72,11 +74,13 @@ resource "pfptmeta_user" "user" {
 
 resource "pfptmeta_role" "metaport_role" {
   name       = "metaport role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["metaports:read", "metaports:write"]
 }
 
 resource "pfptmeta_role" "network_element_role" {
   name       = "network element role"
+  apply_to_orgs = ["org-31126"]
   privileges = ["network_elements:read", "network_elements:write"]
 }
 

diff --git a/internal/provider/role/common.go b/internal/provider/role/common.go
@@ -10,7 +10,7 @@ import (
 
 const (
 	description           = "Roles define operations on the enterprise network, such as adding and removing users, defining security policies, etc."
-	applyToOrgsDesc       = "indicates which orgs this role applies to. By default, it is applied to current org."
+	applyToOrgsDesc       = "indicates which orgs this role applies to."
 	privilegesDesc        = "Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc."
 	subOrgsExpressionDesc = "Allows grouping of entities according to their tags. Filtering by tag value is also supported, if provided. Supported operations: AND, OR, XOR, parenthesis."
 )

diff --git a/internal/provider/role/resource.go b/internal/provider/role/resource.go
@@ -41,8 +41,9 @@ func Resource() *schema.Resource {
 				Computed: true,
 			},
 			"apply_to_orgs": {
-				Description: applyToOrgsDesc,
-				Type:        schema.TypeList,
+				AtLeastOneOf: []string{"all_suborgs", "suborgs_expression"},
+				Description:  applyToOrgsDesc,
+				Type:         schema.TypeList,
 				Elem: &schema.Schema{
 					Type:             schema.TypeString,
 					ValidateDiagFunc: common.ValidateID(false, "org"),
@@ -58,13 +59,15 @@ func Resource() *schema.Resource {
 				Optional: true,
 			},
 			"all_suborgs": {
-				Type:     schema.TypeBool,
-				Optional: true,
+				AtLeastOneOf: []string{"apply_to_orgs", "suborgs_expression"},
+				Type:         schema.TypeBool,
+				Optional:     true,
 			},
 			"suborgs_expression": {
-				Description: subOrgsExpressionDesc,
-				Type:        schema.TypeString,
-				Optional:    true,
+				AtLeastOneOf: []string{"apply_to_orgs", "all_suborgs"},
+				Description:  subOrgsExpressionDesc,
+				Type:         schema.TypeString,
+				Optional:     true,
 			},
 		},
 	}