// ---------------------------------------------------------------------------- // // *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** // // ---------------------------------------------------------------------------- // // This file is automatically generated by Magic Modules and manual // changes will be clobbered when the file is regenerated. // // Please read more about how to change this file in // .github/CONTRIBUTING.md. // // ---------------------------------------------------------------------------- package google import ( "bytes" "fmt" "log" "reflect" "regexp" "github.com/hashicorp/terraform/helper/hashcode" "github.com/hashicorp/terraform/helper/schema" "github.com/hashicorp/terraform/helper/validation" ) func defaultBinaryAuthorizationPolicy(project string) map[string]interface{} { return map[string]interface{}{ "name": fmt.Sprintf("projects/%s/policy", project), "admissionWhitelistPatterns": []interface{}{ map[string]interface{}{ "namePattern": "gcr.io/google_containers/*", }, }, "defaultAdmissionRule": map[string]interface{}{ "evaluationMode": "ALWAYS_ALLOW", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG", }, } } func resourceBinaryAuthorizationPolicy() *schema.Resource { return &schema.Resource{ Create: resourceBinaryAuthorizationPolicyCreate, Read: resourceBinaryAuthorizationPolicyRead, Update: resourceBinaryAuthorizationPolicyUpdate, Delete: resourceBinaryAuthorizationPolicyDelete, Importer: &schema.ResourceImporter{ State: resourceBinaryAuthorizationPolicyImport, }, Schema: map[string]*schema.Schema{ "default_admission_rule": { Type: schema.TypeList, Required: true, MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "enforcement_mode": { Type: schema.TypeString, Required: true, ValidateFunc: validation.StringInSlice([]string{"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}, false), }, "evaluation_mode": { Type: schema.TypeString, Required: true, ValidateFunc: validation.StringInSlice([]string{"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}, false), }, "require_attestations_by": { Type: schema.TypeSet, Optional: true, DiffSuppressFunc: compareSelfLinkOrResourceName, Elem: &schema.Schema{ Type: schema.TypeString, }, Set: selfLinkNameHash, }, }, }, }, "description": { Type: schema.TypeString, Optional: true, }, "admission_whitelist_patterns": { Type: schema.TypeList, Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "name_pattern": { Type: schema.TypeString, Optional: true, }, }, }, }, "cluster_admission_rules": { Type: schema.TypeSet, Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "cluster": { Type: schema.TypeString, Required: true, }, "evaluation_mode": { Type: schema.TypeString, Optional: true, ValidateFunc: validation.StringInSlice([]string{"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY", ""}, false), }, "require_attestations_by": { Type: schema.TypeSet, Optional: true, DiffSuppressFunc: compareSelfLinkOrResourceName, Elem: &schema.Schema{ Type: schema.TypeString, }, Set: selfLinkNameHash, }, "enforcement_mode": { Type: schema.TypeString, Optional: true, ValidateFunc: validation.StringInSlice([]string{"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY", ""}, false), }, }, }, Set: func(v interface{}) int { // require_attestations_by is a set of strings that can have the format // projects/{project}/attestors/{attestor} or {attestor}. We diffsuppress // and hash that set on the name, but now we need to make sure that the // overall hash here respects that so changing the attestor format doesn't // change the hash code of cluster_admission_rules. raw := v.(map[string]interface{}) at := raw["require_attestations_by"].(*schema.Set) if at != nil { t := convertAndMapStringArr(at.List(), GetResourceNameFromSelfLink) raw["require_attestations_by"] = schema.NewSet(selfLinkNameHash, convertStringArrToInterface(t)) } var buf bytes.Buffer schema.SerializeResourceForHash(&buf, raw, resourceBinaryAuthorizationPolicy().Schema["cluster_admission_rules"].Elem.(*schema.Resource)) return hashcode.String(buf.String()) }, }, "project": { Type: schema.TypeString, Optional: true, Computed: true, ForceNew: true, }, }, } } func resourceBinaryAuthorizationPolicyCreate(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) obj := make(map[string]interface{}) descriptionProp, err := expandBinaryAuthorizationPolicyDescription(d.Get("description"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { obj["description"] = descriptionProp } admissionWhitelistPatternsProp, err := expandBinaryAuthorizationPolicyAdmissionWhitelistPatterns(d.Get("admission_whitelist_patterns"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("admission_whitelist_patterns"); !isEmptyValue(reflect.ValueOf(admissionWhitelistPatternsProp)) && (ok || !reflect.DeepEqual(v, admissionWhitelistPatternsProp)) { obj["admissionWhitelistPatterns"] = admissionWhitelistPatternsProp } clusterAdmissionRulesProp, err := expandBinaryAuthorizationPolicyClusterAdmissionRules(d.Get("cluster_admission_rules"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("cluster_admission_rules"); !isEmptyValue(reflect.ValueOf(clusterAdmissionRulesProp)) && (ok || !reflect.DeepEqual(v, clusterAdmissionRulesProp)) { obj["clusterAdmissionRules"] = clusterAdmissionRulesProp } defaultAdmissionRuleProp, err := expandBinaryAuthorizationPolicyDefaultAdmissionRule(d.Get("default_admission_rule"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("default_admission_rule"); !isEmptyValue(reflect.ValueOf(defaultAdmissionRuleProp)) && (ok || !reflect.DeepEqual(v, defaultAdmissionRuleProp)) { obj["defaultAdmissionRule"] = defaultAdmissionRuleProp } url, err := replaceVars(d, config, "https://binaryauthorization.googleapis.com/v1beta1/projects/{{project}}/policy") if err != nil { return err } log.Printf("[DEBUG] Creating new Policy: %#v", obj) res, err := sendRequest(config, "PUT", url, obj) if err != nil { return fmt.Errorf("Error creating Policy: %s", err) } // Store the ID now id, err := replaceVars(d, config, "{{project}}") if err != nil { return fmt.Errorf("Error constructing id: %s", err) } d.SetId(id) log.Printf("[DEBUG] Finished creating Policy %q: %#v", d.Id(), res) return resourceBinaryAuthorizationPolicyRead(d, meta) } func resourceBinaryAuthorizationPolicyRead(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) url, err := replaceVars(d, config, "https://binaryauthorization.googleapis.com/v1beta1/projects/{{project}}/policy") if err != nil { return err } res, err := sendRequest(config, "GET", url, nil) if err != nil { return handleNotFoundError(err, d, fmt.Sprintf("BinaryAuthorizationPolicy %q", d.Id())) } if err := d.Set("description", flattenBinaryAuthorizationPolicyDescription(res["description"])); err != nil { return fmt.Errorf("Error reading Policy: %s", err) } if err := d.Set("admission_whitelist_patterns", flattenBinaryAuthorizationPolicyAdmissionWhitelistPatterns(res["admissionWhitelistPatterns"])); err != nil { return fmt.Errorf("Error reading Policy: %s", err) } if err := d.Set("cluster_admission_rules", flattenBinaryAuthorizationPolicyClusterAdmissionRules(res["clusterAdmissionRules"])); err != nil { return fmt.Errorf("Error reading Policy: %s", err) } if err := d.Set("default_admission_rule", flattenBinaryAuthorizationPolicyDefaultAdmissionRule(res["defaultAdmissionRule"])); err != nil { return fmt.Errorf("Error reading Policy: %s", err) } project, err := getProject(d, config) if err != nil { return err } if err := d.Set("project", project); err != nil { return fmt.Errorf("Error reading Policy: %s", err) } return nil } func resourceBinaryAuthorizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) obj := make(map[string]interface{}) descriptionProp, err := expandBinaryAuthorizationPolicyDescription(d.Get("description"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { obj["description"] = descriptionProp } admissionWhitelistPatternsProp, err := expandBinaryAuthorizationPolicyAdmissionWhitelistPatterns(d.Get("admission_whitelist_patterns"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("admission_whitelist_patterns"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, admissionWhitelistPatternsProp)) { obj["admissionWhitelistPatterns"] = admissionWhitelistPatternsProp } clusterAdmissionRulesProp, err := expandBinaryAuthorizationPolicyClusterAdmissionRules(d.Get("cluster_admission_rules"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("cluster_admission_rules"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, clusterAdmissionRulesProp)) { obj["clusterAdmissionRules"] = clusterAdmissionRulesProp } defaultAdmissionRuleProp, err := expandBinaryAuthorizationPolicyDefaultAdmissionRule(d.Get("default_admission_rule"), d, config) if err != nil { return err } else if v, ok := d.GetOkExists("default_admission_rule"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, defaultAdmissionRuleProp)) { obj["defaultAdmissionRule"] = defaultAdmissionRuleProp } url, err := replaceVars(d, config, "https://binaryauthorization.googleapis.com/v1beta1/projects/{{project}}/policy") if err != nil { return err } log.Printf("[DEBUG] Updating Policy %q: %#v", d.Id(), obj) _, err = sendRequest(config, "PUT", url, obj) if err != nil { return fmt.Errorf("Error updating Policy %q: %s", d.Id(), err) } return resourceBinaryAuthorizationPolicyRead(d, meta) } func resourceBinaryAuthorizationPolicyDelete(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) url, err := replaceVars(d, config, "https://binaryauthorization.googleapis.com/v1beta1/projects/{{project}}/policy") if err != nil { return err } var obj map[string]interface{} obj = defaultBinaryAuthorizationPolicy(d.Get("project").(string)) log.Printf("[DEBUG] Deleting Policy %q", d.Id()) res, err := sendRequest(config, "PUT", url, obj) if err != nil { return handleNotFoundError(err, d, "Policy") } log.Printf("[DEBUG] Finished deleting Policy %q: %#v", d.Id(), res) return nil } func resourceBinaryAuthorizationPolicyImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { config := meta.(*Config) parseImportId([]string{"projects/(?P[^/]+)", "(?P[^/]+)"}, d, config) // Replace import id for the resource id id, err := replaceVars(d, config, "{{project}}") if err != nil { return nil, fmt.Errorf("Error constructing id: %s", err) } d.SetId(id) return []*schema.ResourceData{d}, nil } func flattenBinaryAuthorizationPolicyDescription(v interface{}) interface{} { return v } func flattenBinaryAuthorizationPolicyAdmissionWhitelistPatterns(v interface{}) interface{} { if v == nil { return v } l := v.([]interface{}) transformed := make([]interface{}, 0, len(l)) for _, raw := range l { original := raw.(map[string]interface{}) transformed = append(transformed, map[string]interface{}{ "name_pattern": flattenBinaryAuthorizationPolicyAdmissionWhitelistPatternsNamePattern(original["namePattern"]), }) } return transformed } func flattenBinaryAuthorizationPolicyAdmissionWhitelistPatternsNamePattern(v interface{}) interface{} { return v } func flattenBinaryAuthorizationPolicyClusterAdmissionRules(v interface{}) interface{} { if v == nil { return v } l := v.(map[string]interface{}) transformed := make([]interface{}, 0, len(l)) for k, raw := range l { original := raw.(map[string]interface{}) transformed = append(transformed, map[string]interface{}{ "cluster": k, "evaluation_mode": flattenBinaryAuthorizationPolicyClusterAdmissionRulesEvaluationMode(original["evaluationMode"]), "require_attestations_by": flattenBinaryAuthorizationPolicyClusterAdmissionRulesRequireAttestationsBy(original["requireAttestationsBy"]), "enforcement_mode": flattenBinaryAuthorizationPolicyClusterAdmissionRulesEnforcementMode(original["enforcementMode"]), }) } return transformed } func flattenBinaryAuthorizationPolicyClusterAdmissionRulesEvaluationMode(v interface{}) interface{} { return v } func flattenBinaryAuthorizationPolicyClusterAdmissionRulesRequireAttestationsBy(v interface{}) interface{} { if v == nil { return v } return schema.NewSet(selfLinkNameHash, v.([]interface{})) } func flattenBinaryAuthorizationPolicyClusterAdmissionRulesEnforcementMode(v interface{}) interface{} { return v } func flattenBinaryAuthorizationPolicyDefaultAdmissionRule(v interface{}) interface{} { if v == nil { return nil } original := v.(map[string]interface{}) transformed := make(map[string]interface{}) transformed["evaluation_mode"] = flattenBinaryAuthorizationPolicyDefaultAdmissionRuleEvaluationMode(original["evaluationMode"]) transformed["require_attestations_by"] = flattenBinaryAuthorizationPolicyDefaultAdmissionRuleRequireAttestationsBy(original["requireAttestationsBy"]) transformed["enforcement_mode"] = flattenBinaryAuthorizationPolicyDefaultAdmissionRuleEnforcementMode(original["enforcementMode"]) return []interface{}{transformed} } func flattenBinaryAuthorizationPolicyDefaultAdmissionRuleEvaluationMode(v interface{}) interface{} { return v } func flattenBinaryAuthorizationPolicyDefaultAdmissionRuleRequireAttestationsBy(v interface{}) interface{} { if v == nil { return v } return schema.NewSet(selfLinkNameHash, v.([]interface{})) } func flattenBinaryAuthorizationPolicyDefaultAdmissionRuleEnforcementMode(v interface{}) interface{} { return v } func expandBinaryAuthorizationPolicyDescription(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } func expandBinaryAuthorizationPolicyAdmissionWhitelistPatterns(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { l := v.([]interface{}) req := make([]interface{}, 0, len(l)) for _, raw := range l { original := raw.(map[string]interface{}) transformed := make(map[string]interface{}) transformedNamePattern, err := expandBinaryAuthorizationPolicyAdmissionWhitelistPatternsNamePattern(original["name_pattern"], d, config) if err != nil { return nil, err } transformed["namePattern"] = transformedNamePattern req = append(req, transformed) } return req, nil } func expandBinaryAuthorizationPolicyAdmissionWhitelistPatternsNamePattern(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } func expandBinaryAuthorizationPolicyClusterAdmissionRules(v interface{}, d *schema.ResourceData, config *Config) (map[string]interface{}, error) { if v == nil { return map[string]interface{}{}, nil } m := make(map[string]interface{}) for _, raw := range v.(*schema.Set).List() { original := raw.(map[string]interface{}) transformed := make(map[string]interface{}) transformedEvaluationMode, err := expandBinaryAuthorizationPolicyClusterAdmissionRulesEvaluationMode(original["evaluation_mode"], d, config) if err != nil { return nil, err } transformed["evaluationMode"] = transformedEvaluationMode transformedRequireAttestationsBy, err := expandBinaryAuthorizationPolicyClusterAdmissionRulesRequireAttestationsBy(original["require_attestations_by"], d, config) if err != nil { return nil, err } transformed["requireAttestationsBy"] = transformedRequireAttestationsBy transformedEnforcementMode, err := expandBinaryAuthorizationPolicyClusterAdmissionRulesEnforcementMode(original["enforcement_mode"], d, config) if err != nil { return nil, err } transformed["enforcementMode"] = transformedEnforcementMode m[original["cluster"].(string)] = transformed } return m, nil } func expandBinaryAuthorizationPolicyClusterAdmissionRulesEvaluationMode(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } func expandBinaryAuthorizationPolicyClusterAdmissionRulesRequireAttestationsBy(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { r := regexp.MustCompile("projects/(.+)/attestors/(.+)") // It's possible that all entries in the list will specify a project, in // which case the user wouldn't necessarily have to specify a provider // project. var project string var err error for _, s := range v.(*schema.Set).List() { if !r.MatchString(s.(string)) { project, err = getProject(d, config) if err != nil { return []interface{}{}, err } break } } return convertAndMapStringArr(v.(*schema.Set).List(), func(s string) string { if r.MatchString(s) { return s } return fmt.Sprintf("projects/%s/attestors/%s", project, s) }), nil } func expandBinaryAuthorizationPolicyClusterAdmissionRulesEnforcementMode(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } func expandBinaryAuthorizationPolicyDefaultAdmissionRule(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { l := v.([]interface{}) if len(l) == 0 { return nil, nil } raw := l[0] original := raw.(map[string]interface{}) transformed := make(map[string]interface{}) transformedEvaluationMode, err := expandBinaryAuthorizationPolicyDefaultAdmissionRuleEvaluationMode(original["evaluation_mode"], d, config) if err != nil { return nil, err } transformed["evaluationMode"] = transformedEvaluationMode transformedRequireAttestationsBy, err := expandBinaryAuthorizationPolicyDefaultAdmissionRuleRequireAttestationsBy(original["require_attestations_by"], d, config) if err != nil { return nil, err } transformed["requireAttestationsBy"] = transformedRequireAttestationsBy transformedEnforcementMode, err := expandBinaryAuthorizationPolicyDefaultAdmissionRuleEnforcementMode(original["enforcement_mode"], d, config) if err != nil { return nil, err } transformed["enforcementMode"] = transformedEnforcementMode return transformed, nil } func expandBinaryAuthorizationPolicyDefaultAdmissionRuleEvaluationMode(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } func expandBinaryAuthorizationPolicyDefaultAdmissionRuleRequireAttestationsBy(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { r := regexp.MustCompile("projects/(.+)/attestors/(.+)") // It's possible that all entries in the list will specify a project, in // which case the user wouldn't necessarily have to specify a provider // project. var project string var err error for _, s := range v.(*schema.Set).List() { if !r.MatchString(s.(string)) { project, err = getProject(d, config) if err != nil { return []interface{}{}, err } break } } return convertAndMapStringArr(v.(*schema.Set).List(), func(s string) string { if r.MatchString(s) { return s } return fmt.Sprintf("projects/%s/attestors/%s", project, s) }), nil } func expandBinaryAuthorizationPolicyDefaultAdmissionRuleEnforcementMode(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil }