-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OPA support to the provider for Policies #690
Conversation
2a0aefc
to
966d2c2
Compare
966d2c2
to
dec3e79
Compare
1453b36
to
0ca2914
Compare
0ca2914
to
84363be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is my initial code review. Looks really good! I'm going to do some smoke testing now.
"`", | ||
"`", | ||
"and")), | ||
Optional: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this field is truly optional. I got this error when omitting it:
╷
│ Error: Error creating sentinel policy my-sentinel-policy for organization hashicorp: invalid attribute
│
│ invalid format for enforce
│
│ with tfe_policy.foo-sentinel,
│ on main.tf line 6, in resource "tfe_policy" "foo-sentinel":
│ 6: resource "tfe_policy" "foo-sentinel" {
│
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! 👍 Turns out the api docs around data.attributes.enforce[].mode
are wrong. The enforce_mode is required
in Atlas.
I have made changes to add defaults if the enforce mode is not provided.
Since the tfe_sentinel_policy
provider sets the enforce_mode as optional, I have done the same for tfe_policy
, so our customers dont have to care about the enforce_mode when they switch from tfe_sentinel_policy
to tfe_policy
and the experience is the same.
Meanwhile I am going to go fix the API docs :)
New Acceptance test results:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You added the default into the create action, but since it's not Computed (or also calculated in the update action), it appears as a config change on subsequent plans. To recreate this, just apply a config with no enforce argument, then apply it again. I think this can be fixed by adding Computed: true to the enforce schema but I didn't fully smoke test other scenarios with it, like unsetting it from explicit config, which I think would still break.
So I added a test for unsetting "enforce_mode", if the config changes from:
to this:
The enforce_mode is not updated. It remains what it previously was. Results of my tests:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh! One last thing. We released 0.39.0 since you wrote the release notes. Can you move them to a new section labelled "## Unreleased" ?
Description
Add OPA support to the tfe-provider for policies. OPA is still in beta phase.
The existing
tfe_sentinel_policy
will be deprecated in favour oftfe_policy
which will allow for creation of both sentinel as well as OPA policies in the provider.This is the first of the 3 PRs for adding OPA support:
Upcoming PRs
Testing plan
Added acceptance tests
External links
Include any links here that might be helpful for people reviewing your PR. If there are none, feel free to delete this section.
Output from acceptance tests
$ TESTARGS="-run TestAccTFEPolicy_basic" envchain staging make testacc
$ TESTARGS="-run TestAccTFEPolicyOPA_basic" envchain staging make testacc
$ TESTARGS="-run TestAccTFEPolicy_update" envchain staging make testacc
$ TESTARGS="-run TestAccTFEPolicyOPA_update" envchain staging make testacc
$ TESTARGS="-run TestAccTFEPolicy_import" envchain staging make testacc