Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OPA support to the provider for Policies #690

Merged
merged 10 commits into from
Nov 21, 2022
Merged

Add OPA support to the provider for Policies #690

merged 10 commits into from
Nov 21, 2022

Conversation

mrinalirao
Copy link
Contributor

Description

Add OPA support to the tfe-provider for policies. OPA is still in beta phase.
The existing tfe_sentinel_policy will be deprecated in favour of tfe_policy which will allow for creation of both sentinel as well as OPA policies in the provider.

This is the first of the 3 PRs for adding OPA support:
Upcoming PRs

  • Add OPA support for policy sets
  • Update documentation

Testing plan

Added acceptance tests

External links

Include any links here that might be helpful for people reviewing your PR. If there are none, feel free to delete this section.

Output from acceptance tests

$ TESTARGS="-run TestAccTFEPolicy_basic" envchain staging make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEPolicy_basic -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
=== RUN   TestAccTFEPolicy_basic
2022/11/16 09:46:32 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/16 09:46:32 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicy_basic (13.44s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe (cached)
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

$ TESTARGS="-run TestAccTFEPolicyOPA_basic" envchain staging make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEPolicyOPA_basic -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
=== RUN   TestAccTFEPolicyOPA_basic
2022/11/16 09:59:59 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/16 09:59:59 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicyOPA_basic (12.62s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe 13.051s
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

$ TESTARGS="-run TestAccTFEPolicy_update" envchain staging make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEPolicy_update -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
=== RUN   TestAccTFEPolicy_update
2022/11/16 10:01:01 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/16 10:01:01 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicy_update (21.59s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe 21.824s
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

$ TESTARGS="-run TestAccTFEPolicyOPA_update" envchain staging make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEPolicyOPA_update -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
=== RUN   TestAccTFEPolicyOPA_update
2022/11/16 10:01:58 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/16 10:01:58 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicyOPA_update (21.65s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe 21.902s
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

$ TESTARGS="-run TestAccTFEPolicy_import" envchain staging make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEPolicy_import -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
=== RUN   TestAccTFEPolicy_import
2022/11/16 10:02:56 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/16 10:02:56 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicy_import (14.39s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe 14.636s
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

@mrinalirao mrinalirao marked this pull request as ready for review November 15, 2022 23:42
@mrinalirao mrinalirao requested a review from a team as a code owner November 15, 2022 23:42
@mrinalirao mrinalirao mentioned this pull request Nov 16, 2022
Merged
glennsarti
glennsarti reviewed Nov 16, 2022
View reviewed changes
tfe/provider.go Show resolved Hide resolved
tfe/resource_tfe_policy.go Outdated Show resolved Hide resolved
tfe/resource_tfe_policy.go Show resolved Hide resolved
tfe/resource_tfe_policy.go Outdated Show resolved Hide resolved
tfe/resource_tfe_sentinel_policy.go Outdated Show resolved Hide resolved
@mrinalirao mrinalirao mentioned this pull request Nov 17, 2022
Merged
brandonc
brandonc requested changes Nov 17, 2022
View reviewed changes
Copy link
Collaborator

@brandonc brandonc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is my initial code review. Looks really good! I'm going to do some smoke testing now.

CHANGELOG.md Outdated Show resolved Hide resolved
tfe/resource_tfe_policy.go Show resolved Hide resolved
brandonc
brandonc requested changes Nov 17, 2022
View reviewed changes
tfe/resource_tfe_policy.go
"`",
"`",
"and")),
Optional: true,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this field is truly optional. I got this error when omitting it:

╷
│ Error: Error creating sentinel policy my-sentinel-policy for organization hashicorp: invalid attribute
│
│ invalid format for enforce
│
│   with tfe_policy.foo-sentinel,
│   on main.tf line 6, in resource "tfe_policy" "foo-sentinel":
│    6: resource "tfe_policy" "foo-sentinel" {
│

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! 👍 Turns out the api docs around data.attributes.enforce[].mode are wrong. The enforce_mode is required in Atlas.

I have made changes to add defaults if the enforce mode is not provided.
Since the tfe_sentinel_policy provider sets the enforce_mode as optional, I have done the same for tfe_policy, so our customers dont have to care about the enforce_mode when they switch from tfe_sentinel_policy to tfe_policy and the experience is the same.

Meanwhile I am going to go fix the API docs :)

@mrinalirao
Copy link
Contributor Author

mrinalirao commented Nov 18, 2022
edited
Loading

New Acceptance test results:

 TESTARGS="-run TestAccTFEPolicy_basicWithDefaults" envchain staging make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEPolicy_basicWithDefaults -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
=== RUN   TestAccTFEPolicy_basicWithDefaults
2022/11/18 14:55:46 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/18 14:55:46 [ERROR] Error reading CLI config or credentials file /Users/mrinalirao/.terraformrc: open /Users/mrinalirao/.terraformrc: no such file or directory
2022/11/18 14:55:46 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicy_basicWithDefaults (13.95s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe 14.393s
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

brandonc
brandonc requested changes Nov 18, 2022
View reviewed changes
Copy link
Collaborator

@brandonc brandonc left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You added the default into the create action, but since it's not Computed (or also calculated in the update action), it appears as a config change on subsequent plans. To recreate this, just apply a config with no enforce argument, then apply it again. I think this can be fixed by adding Computed: true to the enforce schema but I didn't fully smoke test other scenarios with it, like unsetting it from explicit config, which I think would still break.

Screen Shot 2022-11-18 at 7 29 07 AM

@mrinalirao
Copy link
Contributor Author

mrinalirao commented Nov 20, 2022
edited
Loading

So I added a test for unsetting "enforce_mode", if the config changes from:

resource "tfe_sentinel_policy" "test" {
  name         = "my-policy-name"
  description  = "This policy always passes"
  organization = "my-org-name"
  policy       = "main = rule { true }"
  enforce_mode = "hard-mandatory"
}

to this:

resource "tfe_sentinel_policy" "test" {
  name         = "my-policy-name"
  description  = "This policy always passes"
  organization = "my-org-name"
  policy       = "main = rule { true }"
}

The enforce_mode is not updated. It remains what it previously was.

Results of my tests:

/usr/local/go/bin/go tool test2json -t /private/var/folders/dw/g3nt1z3d5sl4ll_r8f27ytwc0000gq/T/GoLand/___2TestAccTFEPolicy_unsetEnforce_in_github_com_hashicorp_terraform_provider_tfe_tfe.test -test.v -test.paniconexit0 -test.run ^\QTestAccTFEPolicy_unsetEnforce\E$
=== RUN   TestAccTFEPolicy_unsetEnforce
2022/11/21 10:18:18 [DEBUG] Configuring client for host "app.staging.terraform.io"
2022/11/21 10:18:18 [ERROR] Error reading CLI config or credentials file /Users/mrinalirao/.terraformrc: open /Users/mrinalirao/.terraformrc: no such file or directory
2022/11/21 10:18:18 [DEBUG] Service discovery for app.staging.terraform.io at https://app.staging.terraform.io/.well-known/terraform.json
--- PASS: TestAccTFEPolicy_unsetEnforce (22.02s)
PASS

brandonc
brandonc approved these changes Nov 21, 2022
View reviewed changes
Copy link
Collaborator

@brandonc brandonc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

brandonc
brandonc requested changes Nov 21, 2022
View reviewed changes
Copy link
Collaborator

@brandonc brandonc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh! One last thing. We released 0.39.0 since you wrote the release notes. Can you move them to a new section labelled "## Unreleased" ?

@mrinalirao mrinalirao merged commit ec6b82a into main Nov 21, 2022
@mrinalirao mrinalirao deleted the mr/TF-1451-policies branch November 21, 2022 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brandonc brandonc brandonc approved these changes

@glennsarti glennsarti glennsarti approved these changes

@cam-stitt cam-stitt Awaiting requested review from cam-stitt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mrinalirao @brandonc @glennsarti