Add OPA support for policy sets

hashicorp · Nov 16, 2022 · 1f947af · 1f947af
1 parent e685bdb
commit 1f947af
Show file tree

Hide file tree

Showing 6 changed files with 172 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/go-slug v0.10.0
-	github.com/hashicorp/go-tfe v1.12.0
+	github.com/hashicorp/go-tfe v1.13.0
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/hcl v0.0.0-20180404174102-ef8a98b0bbce
 	github.com/hashicorp/hcl/v2 v2.15.0 // indirect

diff --git a/go.sum b/go.sum
@@ -163,8 +163,8 @@ github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1
 github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-slug v0.10.0 h1:mh4DDkBJTh9BuEjY/cv8PTo7k9OjT4PcW8PgZnJ4jTY=
 github.com/hashicorp/go-slug v0.10.0/go.mod h1:Ib+IWBYfEfJGI1ZyXMGNbu2BU+aa3Dzu41RKLH301v4=
-github.com/hashicorp/go-tfe v1.12.0 h1:2l7emKW8rNTTbnxYHNVj6b46iJzOEp2G/3xIHfGSDnc=
-github.com/hashicorp/go-tfe v1.12.0/go.mod h1:thYtIxtgBpDDNdf/2yYPdBJ94Fz5yT5XCNZvGtTGHAU=
+github.com/hashicorp/go-tfe v1.13.0 h1:Z8pJrmN9BV5EncnFRmQmLjhP7pHMNXkC2VkCQXWxKjM=
+github.com/hashicorp/go-tfe v1.13.0/go.mod h1:thYtIxtgBpDDNdf/2yYPdBJ94Fz5yT5XCNZvGtTGHAU=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=

diff --git a/tfe/data_source_policy_set.go b/tfe/data_source_policy_set.go
@@ -33,6 +33,18 @@ func dataSourceTFEPolicySet() *schema.Resource {
 				Computed: true,
 			},
 
+			"kind": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  string(tfe.Sentinel),
+			},
+
+			"overridable": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
 			"policies_path": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -100,6 +112,7 @@ func dataSourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error
 		}
 
 		for _, policySet := range policySetList.Items {
+			// nolint: nestif
 			if policySet.Name == name {
 				d.Set("name", policySet.Name)
 				d.Set("description", policySet.Description)
@@ -110,6 +123,14 @@ func dataSourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error
 					d.Set("organization", policySet.Organization.Name)
 				}
 
+				if policySet.Kind != "" {
+					d.Set("kind", policySet.Kind)
+				}
+
+				if policySet.Overridable != nil {
+					d.Set("overridable", policySet.Overridable)
+				}
+
 				var vcsRepo []interface{}
 				if policySet.VCSRepo != nil {
 					vcsRepo = append(vcsRepo, map[string]interface{}{

diff --git a/tfe/data_source_policy_set_test.go b/tfe/data_source_policy_set_test.go
@@ -50,6 +50,49 @@ func TestAccTFEPolicySetDataSource_basic(t *testing.T) {
 	)
 }
 
+func TestAccTFEPolicySetDataSourceOPA_basic(t *testing.T) {
+	skipUnlessBeta(t)
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	org, orgCleanup := createBusinessOrganization(t, tfeClient)
+	t.Cleanup(orgCleanup)
+
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEPolicySetDataSourceConfigOPA_basic(org.Name, rInt),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet("data.tfe_policy_set.bar", "id"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "name", fmt.Sprintf("tst-policy-set-%d", rInt)),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "description", "Policy Set"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "global", "false"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "organization", org.Name),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "kind", "opa"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "overridable", "true"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "workspace_ids.#", "1"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "vcs_repo.#", "0"),
+				),
+			},
+		},
+	},
+	)
+}
+
 func TestAccTFEPolicySetDataSource_vcs(t *testing.T) {
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
@@ -152,6 +195,33 @@ data "tfe_policy_set" "bar" {
 }`, organization, rInt, rInt)
 }
 
+func testAccTFEPolicySetDataSourceConfigOPA_basic(organization string, rInt int) string {
+	return fmt.Sprintf(`
+locals {
+  organization_name = "%s"
+}
+
+resource "tfe_workspace" "foobar" {
+  name         = "workspace-foo-%d"
+  organization = local.organization_name
+}
+
+resource "tfe_policy_set" "foobar" {
+  name         = "tst-policy-set-%d"
+  description  = "Policy Set"
+  organization = local.organization_name
+  kind         = "opa"
+  overridable  = true
+  workspace_ids = [tfe_workspace.foobar.id]
+}
+
+data "tfe_policy_set" "bar" {
+  name = tfe_policy_set.foobar.name
+  organization = local.organization_name
+  kind = "opa"
+}`, organization, rInt, rInt)
+}
+
 func testAccTFEPolicySetDataSourceConfig_vcs(organization string, rInt int) string {
 	return fmt.Sprintf(`
 locals {

diff --git a/tfe/resource_tfe_policy_set.go b/tfe/resource_tfe_policy_set.go
@@ -46,6 +46,23 @@ func resourceTFEPolicySet() *schema.Resource {
 				ConflictsWith: []string{"workspace_ids"},
 			},
 
+			"kind": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  string(tfe.Sentinel),
+				ValidateFunc: validation.StringInSlice(
+					[]string{
+						string(tfe.OPA),
+						string(tfe.Sentinel),
+					}, false),
+			},
+
+			"overridable": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
 			"policies_path": {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -123,6 +140,14 @@ func resourceTFEPolicySetCreate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	// Process all configured options.
+	if vKind, ok := d.GetOk("kind"); ok {
+		options.Kind = tfe.PolicyKind(vKind.(string))
+	}
+
+	if vOverridable, ok := d.GetOk("overridable"); ok {
+		options.Overridable = tfe.Bool(vOverridable.(bool))
+	}
+
 	if desc, ok := d.GetOk("description"); ok {
 		options.Description = tfe.String(desc.(string))
 	}
@@ -192,13 +217,18 @@ func resourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error {
 	// Update the config.
 	d.Set("name", policySet.Name)
 	d.Set("description", policySet.Description)
+	d.Set("kind", policySet.Kind)
 	d.Set("global", policySet.Global)
 	d.Set("policies_path", policySet.PoliciesPath)
 
 	if policySet.Organization != nil {
 		d.Set("organization", policySet.Organization.Name)
 	}
 
+	if policySet.Overridable != nil {
+		d.Set("overridable", policySet.Overridable)
+	}
+
 	// Set VCS policy set options.
 	var vcsRepo []interface{}
 	if policySet.VCSRepo != nil {

diff --git a/tfe/resource_tfe_policy_set_test.go b/tfe/resource_tfe_policy_set_test.go
@@ -46,6 +46,44 @@ func TestAccTFEPolicySet_basic(t *testing.T) {
 	})
 }
 
+func TestAccTFEPolicySetOPA_basic(t *testing.T) {
+	skipUnlessBeta(t)
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	org, orgCleanup := createBusinessOrganization(t, tfeClient)
+	t.Cleanup(orgCleanup)
+
+	policySet := &tfe.PolicySet{}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckTFEPolicySetDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEPolicySetOPA_basic(org.Name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEPolicySetExists("tfe_policy_set.foobar", policySet),
+					testAccCheckTFEPolicySetAttributes(policySet),
+					resource.TestCheckResourceAttr(
+						"tfe_policy_set.foobar", "name", "tst-terraform"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy_set.foobar", "kind", "opa"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy_set.foobar", "overridable", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy_set.foobar", "description", "Policy Set"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy_set.foobar", "global", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccTFEPolicySet_update(t *testing.T) {
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
@@ -819,6 +857,16 @@ resource "tfe_policy_set" "foobar" {
 }`, organization, organization)
 }
 
+func testAccTFEPolicySetOPA_basic(organization string) string {
+	return fmt.Sprintf(`
+resource "tfe_policy_set" "foobar" {
+  name         = "tst-terraform"
+  description  = "Policy Set"
+  organization = "%s"
+  kind         = "opa"
+}`, organization)
+}
+
 func testAccTFEPolicySet_empty(organization string) string {
 	return fmt.Sprintf(`
  resource "tfe_policy_set" "foobar" {