From 9eabb2d8940b2cf0548f393cdb393ca55ca4e067 Mon Sep 17 00:00:00 2001 From: Johan Andersson Date: Tue, 26 Nov 2024 14:30:45 +0100 Subject: [PATCH] Fix AWS permissions updated notification (#207) Added an optional permissions field to the role set of the polaris_aws_cnp_account_attachments resource. When used, the field will force the resource to be updated when the polaris_aws_cnp_permissions data source changes. During the update RSC will be notified about the updated permissions. --- docs/guides/aws_cnp_account.md | 8 ++++-- docs/guides/changelog.md | 13 +++++++++ docs/resources/aws_cnp_account_attachments.md | 4 +++ go.mod | 2 +- go.sum | 4 +-- .../resource_aws_cnp_account_attachments.go | 28 +++++++++++++++++-- templates/guides/aws_cnp_account.md.tmpl | 8 ++++-- templates/guides/changelog.md.tmpl | 13 +++++++++ 8 files changed, 68 insertions(+), 12 deletions(-) diff --git a/docs/guides/aws_cnp_account.md b/docs/guides/aws_cnp_account.md index d108dec..2ac668d 100644 --- a/docs/guides/aws_cnp_account.md +++ b/docs/guides/aws_cnp_account.md @@ -132,11 +132,13 @@ resource "polaris_aws_cnp_account_attachments" "attachments" { dynamic "role" { for_each = aws_iam_role.role content { - key = role.key - arn = role.value["arn"] + key = role.key + arn = role.value["arn"] + permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id } } } ``` This attaches the instance profiles and roles to the AWS account in RSC. When Terraform processes this resource the AWS -account will transition from the connecting state to the connected state in the RSC UI. +account will transition from the connecting state to the connected state in the RSC UI. Note the `permissions` field of +the `polaris_aws_cnp_account_attachments` resource requires version `0.10.0-beta.8` or later of the provider. diff --git a/docs/guides/changelog.md b/docs/guides/changelog.md index 5523aee..2e14b03 100644 --- a/docs/guides/changelog.md +++ b/docs/guides/changelog.md 
@@ -4,6 +4,19 @@ page_title: "Changelog" # Changelog +## v0.10.0-beta.8 +* Add the `permissions` field to the `polaris_aws_cnp_account_attachments` resource. The `permissions` field should be + used with the `id` field of the `polaris_aws_cnp_permissions` data source to trigger an update of the resource + whenever the permissions changes. This update will move the RSC cloud account from the missing permissions state. + +## v0.10.0-beta.7 +* Add support for Azure Bring Your Own Kubernetes Exocompute, also known as BYOK and customer managed Exocompute. + [[docs](../resources/azure_exocompute_cluster_attachment)], [[docs](../resources/azure_private_container_registry)] + +## v0.10.0-beta.6 +* Add support for the Cloud Native Blob Protection feature to the `polaris_azure_subscription` resource. + [[docs](../resources/azure_subscription#nested-schema-for-cloud_native_blob_protection)] + ## v0.10.0-beta.5 * The data_center_archival_location_amazon_s3 resource will now monitor and wait for the asynchronous CDM operations to finish. diff --git a/docs/resources/aws_cnp_account_attachments.md b/docs/resources/aws_cnp_account_attachments.md index 0945329..72a9577 100644 --- a/docs/resources/aws_cnp_account_attachments.md +++ b/docs/resources/aws_cnp_account_attachments.md @@ -70,6 +70,10 @@ Required: - `arn` (String) AWS role ARN. - `key` (String) RSC artifact key for the AWS role. +Optional: + +- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `id` field of the `polaris_aws_cnp_permissions` data source. + ### Nested Schema for `instance_profile` diff --git a/go.mod b/go.mod index 2a99cc1..aad6d4b 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ require (
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 github.com/hashicorp/terraform-plugin-docs v0.16.0
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
- github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8
+ github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9
 )
 require (
diff --git a/go.sum b/go.sum
index fab329a..5135280 100644
--- a/go.sum
+++ b/go.sum
@@ -270,8 +270,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8 h1:dU2PQJUQ4G0FcdivN2Y0/vYsu/9hZRvAYld2I9Tqvro=
-github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
+github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9 h1:Jz10i2sNEmX7nEcijARy859jpn4qwRC1iD2Sb9r0fWM=
+github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
 github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
 github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
diff --git a/internal/provider/resource_aws_cnp_account_attachments.go b/internal/provider/resource_aws_cnp_account_attachments.go
index 0423b8b..e81d6d9 100644
--- a/internal/provider/resource_aws_cnp_account_attachments.go
+++ b/internal/provider/resource_aws_cnp_account_attachments.go
@@ -155,7 +155,7 @@ func awsReadCnpAccountAttachments(ctx context.Context, d *schema.ResourceData, m
 }
 features := &schema.Set{F: schema.HashString}
 for _, feature := range account.Features {
- features.Add(string(feature.Feature.Name))
+ features.Add(feature.Feature.Name)
 }
 // Request the cloud account artifacts.
@@ -176,9 +176,14 @@ func awsReadCnpAccountAttachments(ctx context.Context, d *schema.ResourceData, m
 return diag.FromErr(err)
 }
+ oldRoles := make(map[string]string)
+ for _, role := range d.Get(keyRole).(*schema.Set).List() {
+ block := role.(map[string]any)
+ oldRoles[block[keyKey].(string)] = block[keyPermissions].(string)
+ }
 rolesAttr := &schema.Set{F: schema.HashResource(roleResource())}
 for key, arn := range roles {
- rolesAttr.Add(map[string]any{keyKey: key, keyARN: arn})
+ rolesAttr.Add(map[string]any{keyKey: key, keyARN: arn, keyPermissions: oldRoles[key]})
 }
 if err := d.Set(keyRole, rolesAttr); err != nil {
 return diag.FromErr(err)
@@ -199,6 +204,7 @@ func awsUpdateCnpAccountAttachments(ctx context.Context, d *schema.ResourceData,
 if err != nil {
 return diag.FromErr(err)
 }
+
 var features []core.Feature
 for _, feature := range d.Get(keyFeatures).(*schema.Set).List() {
 features = append(features, core.Feature{Name: feature.(string)})
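Review bot: The `oldRoles` block in the second hunk carries the `permissions` value over from prior state because the `roles` map returned by RSC holds only key → ARN pairs (the `for key, arn := range roles` loop shows that), but nothing says so, and a reader can easily take it for a read that overwrites a config-driven field. Suggest a comment above `oldRoles := make(map[string]string)` such as `// RSC does not store the permissions signal; keep the value from prior state so a refresh does not clear it and show a spurious change.` The `block[keyPermissions].(string)` assertion relies on the SDK filling every schema key of a set element even when the Optional field is unset — presumably true for SDK v2, but worth a one-line note since a missing key would panic. awsReadCnpAccountAttachments starts and ends outside these hunks.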
@@ -214,12 +220,20 @@ func awsUpdateCnpAccountAttachments(ctx context.Context, d *schema.ResourceData,
 roles[block[keyKey].(string)] = block[keyARN].(string)
 }
- // Request artifacts be added to account.
+ // Update artifacts.
 _, err = aws.Wrap(client).AddAccountArtifacts(ctx, aws.CloudAccountID(id), features, profiles, roles)
 if err != nil {
 return diag.FromErr(err)
 }
+ // Notify RSC about updated permissions. Note, we notify RSC that the
+ // permissions for all features have been updated without checking the
+ // permissions hash, the reason is there is no way for us to connect a role
+ // to a feature.
+ if err := aws.Wrap(client).PermissionsUpdated(ctx, id, nil); err != nil {
+ return diag.FromErr(err)
+ }
+
 return nil
 }
@@ -266,6 +280,14 @@ func roleResource() *schema.Resource {
 Description: "AWS role ARN.",
 ValidateFunc: validation.StringIsNotWhiteSpace,
 },
+ keyPermissions: {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Permissions updated signal. When this field changes, the provider will notify " +
+ "RSC that the permissions for the feature has been updated. Use this field with the `id` field " +
+ "of the `polaris_aws_cnp_permissions` data source.",
+ ValidateFunc: validation.StringIsNotWhiteSpace,
+ },
 },
 }
 }
diff --git a/templates/guides/aws_cnp_account.md.tmpl b/templates/guides/aws_cnp_account.md.tmpl
index d108dec..2ac668d 100644
--- a/templates/guides/aws_cnp_account.md.tmpl
+++ b/templates/guides/aws_cnp_account.md.tmpl
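Review bot: `PermissionsUpdated` runs on every update of the resource, so an update that only touches `features` or `instance_profile` also tells RSC that the permissions for all features were updated, even though no IAM change was made and RSC may then drop its missing-permissions state on a stale basis. Tying the call to the field introduced for it, `if d.HasChange(keyRole) { if err := aws.Wrap(client).PermissionsUpdated(ctx, id, nil); err != nil { return diag.FromErr(err) } }`, keeps the notification limited to changes in the role set; the existing comment already explains why no finer per-feature check is possible. The call passes the bare `id` while the line above wraps it as `aws.CloudAccountID(id)` — presumably `PermissionsUpdated` takes the raw UUID, but the SDK signature should be confirmed. awsUpdateCnpAccountAttachments starts outside this hunk.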
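Review bot: The `Description` of the new `keyPermissions` field can be read as if the string itself were interpreted, while as far as the visible hunks show the value is only compared for change and never sent to RSC (the update path reads `keyARN` from each role block and passes `nil` to `PermissionsUpdated`). Suggest wording that says so, e.g. `"Permissions updated signal. The value is only used to detect change; when it changes, the provider notifies RSC that the role permissions have been updated. Use this field with the `id` field of the `polaris_aws_cnp_permissions` data source."`, which also fixes `permissions ... has been updated` to `have been updated`. The same text appears in docs/resources/aws_cnp_account_attachments.md, which is generated from this description.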
@@ -132,11 +132,13 @@ resource "polaris_aws_cnp_account_attachments" "attachments" { dynamic "role" { for_each = aws_iam_role.role content { - key = role.key - arn = role.value["arn"] + key = role.key + arn = role.value["arn"] + permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id } } } ``` This attaches the instance profiles and roles to the AWS account in RSC. When Terraform processes this resource the AWS -account will transition from the connecting state to the connected state in the RSC UI. +account will transition from the connecting state to the connected state in the RSC UI. Note the `permissions` field of +the `polaris_aws_cnp_account_attachments` resource requires version `0.10.0-beta.8` or later of the provider. diff --git a/templates/guides/changelog.md.tmpl b/templates/guides/changelog.md.tmpl index 5523aee..2e14b03 100644 --- a/templates/guides/changelog.md.tmpl +++ b/templates/guides/changelog.md.tmpl @@ -4,6 +4,19 @@ page_title: "Changelog" # Changelog +## v0.10.0-beta.8 +* Add the `permissions` field to the `polaris_aws_cnp_account_attachments` resource. The `permissions` field should be + used with the `id` field of the `polaris_aws_cnp_permissions` data source to trigger an update of the resource + whenever the permissions changes. This update will move the RSC cloud account from the missing permissions state. + +## v0.10.0-beta.7 +* Add support for Azure Bring Your Own Kubernetes Exocompute, also known as BYOK and customer managed Exocompute. + [[docs](../resources/azure_exocompute_cluster_attachment)], [[docs](../resources/azure_private_container_registry)] + +## v0.10.0-beta.6 +* Add support for the Cloud Native Blob Protection feature to the `polaris_azure_subscription` resource. + [[docs](../resources/azure_subscription#nested-schema-for-cloud_native_blob_protection)] + ## v0.10.0-beta.5 * The data_center_archival_location_amazon_s3 resource will now monitor and wait for the asynchronous CDM operations to finish.