From ae27874cacfed051427be16685c98fc1b3b6ecc2 Mon Sep 17 00:00:00 2001 From: mrinalirao Date: Wed, 31 Jan 2024 14:30:21 +1100 Subject: [PATCH 1/4] policy_set data and resource change to include attributes from PPRV --- go.mod | 2 +- go.sum | 2 + internal/provider/data_source_policy_set.go | 17 +++ .../provider/data_source_policy_set_test.go | 140 +++++++++++++++++- internal/provider/resource_tfe_policy_set.go | 36 ++++- .../provider/resource_tfe_policy_set_test.go | 116 +++++++++++++-- 6 files changed, 296 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 5ab73a630..9138b3208 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-retryablehttp v0.7.5 // indirect github.com/hashicorp/go-slug v0.13.4 - github.com/hashicorp/go-tfe v1.43.0 + github.com/hashicorp/go-tfe v1.44.0 github.com/hashicorp/go-version v1.6.0 github.com/hashicorp/hcl v1.0.0 github.com/hashicorp/hcl/v2 v2.19.1 // indirect diff --git a/go.sum b/go.sum index 696d3db60..2b742b91f 100644 --- a/go.sum +++ b/go.sum @@ -73,6 +73,8 @@ github.com/hashicorp/go-slug v0.13.4 h1:dIyjGKFVwbOVAqp0/s7tmONwCNr9D2UvmMuVE4mP github.com/hashicorp/go-slug v0.13.4/go.mod h1:THWVTAXwJEinbsp4/bBRcmbaO5EYNLTqxbG4tZ3gCYQ= github.com/hashicorp/go-tfe v1.43.0 h1:0rFw/87Mw87nBrkH4JkCIYlUlmR+l2IYs4Ip5cVBIC0= github.com/hashicorp/go-tfe v1.43.0/go.mod h1:bwFaHnmB+XigFoSVYaBXfYiwFI9+RecXTA0CrHT919s= +github.com/hashicorp/go-tfe v1.43.1-0.20240124225001-a70b00fc17ba h1:5ghRIwO76fM7XsNwONGlw/xE+XO9uU3yyTUE36JX/nM= +github.com/hashicorp/go-tfe v1.43.1-0.20240124225001-a70b00fc17ba/go.mod h1:bwFaHnmB+XigFoSVYaBXfYiwFI9+RecXTA0CrHT919s= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
diff --git a/internal/provider/data_source_policy_set.go b/internal/provider/data_source_policy_set.go
index 5e5bb2ead..91b22ba91 100644
--- a/internal/provider/data_source_policy_set.go
+++ b/internal/provider/data_source_policy_set.go
@@ -53,6 +53,18 @@ func dataSourceTFEPolicySet() *schema.Resource {
 Optional: true,
 },
+ "agent_enabled": {
+ Description: "Whether the policy set is executed in the TFC agent. True by default for OPA policies",
+ Type: schema.TypeBool,
+ Optional: true,
+ },
+
+ "policy_tool_version": {
+ Description: "The policy tool version to run the policy evaluation against",
+ Type: schema.TypeString,
+ Optional: true,
+ },
+
 "policies_path": {
 Type: schema.TypeString,
 Computed: true,
@@ -146,6 +158,7 @@ func dataSourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error
 d.Set("description", policySet.Description)
 d.Set("global", policySet.Global)
 d.Set("policies_path", policySet.PoliciesPath)
+ d.Set("agent_enabled", policySet.AgentEnabled)
 if policySet.Kind != "" {
 d.Set("kind", policySet.Kind)
@@ -155,6 +168,10 @@ func dataSourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error
 d.Set("overridable", policySet.Overridable)
 }
+ if policySet.PolicyToolVersion != "" {
+ d.Set("policy_tool_version", policySet.PolicyToolVersion)
+ }
+
 var vcsRepo []interface{}
 if policySet.VCSRepo != nil {
 vcsRepo = append(vcsRepo, map[string]interface{}{
diff --git a/internal/provider/data_source_policy_set_test.go b/internal/provider/data_source_policy_set_test.go
index 2985204e7..32ce23936 100644
--- a/internal/provider/data_source_policy_set_test.go
+++ b/internal/provider/data_source_policy_set_test.go
@@ -43,6 +43,61 @@ func TestAccTFEPolicySetDataSource_basic(t *testing.T) { "data.tfe_policy_set.bar", "organization", org.Name), resource.TestCheckResourceAttr( "data.tfe_policy_set.bar", "policy_ids.#", "1"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "agent_enabled", "false"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "workspace_ids.#", "1"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "excluded_workspace_ids.#", "1"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "project_ids.#", "1"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "vcs_repo.#", "0"), + ), + }, + }, + }, + ) +} + +func TestAccTFEPolicySetDataSource_pinnedPolicyRuntimeVersion(t *testing.T) { + skipUnlessBeta(t) + tfeClient, err := getClientUsingEnv() + if err != nil { + t.Fatal(err) + } + + sha := genSentinelSha(t, "secret", "data") + version := genSafeRandomSentinelVersion() + + org, orgCleanup := createBusinessOrganization(t, tfeClient) + t.Cleanup(orgCleanup) + + rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + CheckDestroy: testAccCheckTFESentinelVersionDestroy, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccTFEPolicySetDataSourceConfig_pinnedPolicyRuntimeVersion(org.Name, rInt, version, sha), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet("data.tfe_policy_set.bar", "id"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "name", fmt.Sprintf("tst-policy-set-%d", rInt)), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "description", "Policy Set"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "global", "false"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "organization", org.Name), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "policy_ids.#", "1"), + 
resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "agent_enabled", "true"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "policy_tool_version", version), resource.TestCheckResourceAttr( "data.tfe_policy_set.bar", "workspace_ids.#", "1"), resource.TestCheckResourceAttr( @@ -65,17 +120,21 @@ func TestAccTFEPolicySetDataSourceOPA_basic(t *testing.T) { t.Fatal(err) } + sha := genSentinelSha(t, "secret", "data") + version := genSafeRandomOPAVersion() + org, orgCleanup := createBusinessOrganization(t, tfeClient) t.Cleanup(orgCleanup) rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int() resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, + PreCheck: func() { testAccPreCheck(t) }, + CheckDestroy: testAccCheckTFEOPAVersionDestroy, + Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccTFEPolicySetDataSourceConfigOPA_basic(org.Name, rInt), + Config: testAccTFEPolicySetDataSourceConfigOPA_basic(org.Name, rInt, version, sha), Check: resource.ComposeAggregateTestCheckFunc( resource.TestCheckResourceAttrSet("data.tfe_policy_set.bar", "id"), resource.TestCheckResourceAttr( @@ -88,6 +147,8 @@ func TestAccTFEPolicySetDataSourceOPA_basic(t *testing.T) { "data.tfe_policy_set.bar", "organization", org.Name), resource.TestCheckResourceAttr( "data.tfe_policy_set.bar", "kind", "opa"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "agent_enabled", "true"), resource.TestCheckResourceAttr( "data.tfe_policy_set.bar", "overridable", "true"), resource.TestCheckResourceAttr( 
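Review bot: In TestAccTFEPolicySetDataSourceOPA_basic the `tfe_opa_version` fixture's digest comes from `genSentinelSha(t, "secret", "data")`, which reads as the Sentinel-specific helper being applied to an OPA version; if it is really a generic digest helper, a one-line comment such as `// genSentinelSha yields a generic hex digest; reused for the OPA version fixture` would stop the next reader from assuming a copy-paste mistake. The same pairing is repeated in the OPA resource tests further down. The helper's definition is not visible in this diff, so a rename may be the better fix if it is Sentinel-specific.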
@@ -147,6 +208,8 @@ func TestAccTFEPolicySetDataSource_vcs(t *testing.T) { "data.tfe_policy_set.bar", "global", "false"), resource.TestCheckResourceAttr( "data.tfe_policy_set.bar", "kind", "sentinel"), + resource.TestCheckResourceAttr( + "data.tfe_policy_set.bar", "agent_enabled", "false"), resource.TestCheckResourceAttr( "data.tfe_policy_set.bar", "organization", org.Name), resource.TestCheckResourceAttr( 
@@ -225,15 +288,79 @@ resource "tfe_workspace_policy_set_exclusion" "foobar" { data "tfe_policy_set" "bar" { name = tfe_policy_set.foobar.name organization = local.organization_name + depends_on=[tfe_policy_set.foobar, tfe_project_policy_set.foobar, tfe_workspace_policy_set_exclusion.foobar] }`, organization, rInt, rInt, rInt) } -func testAccTFEPolicySetDataSourceConfigOPA_basic(organization string, rInt int) string { +func testAccTFEPolicySetDataSourceConfig_pinnedPolicyRuntimeVersion(organization string, rInt int, version string, sha string) string { return fmt.Sprintf(` locals { organization_name = "%s" } + +resource "tfe_sentinel_version" "foobar" { + version = "%s" + url = "https://www.hashicorp.com" + sha = "%s" +} + +resource "tfe_workspace" "foobar" { + name = "workspace-foo-%d" + organization = local.organization_name +} + +resource "tfe_project" "foobar" { + name = "project-foo-%d" + organization = local.organization_name +} + +resource "tfe_sentinel_policy" "foo" { + name = "policy-foo" + policy = "main = rule { true }" + organization = local.organization_name +} + +resource "tfe_policy_set" "foobar" { + name = "tst-policy-set-%d" + description = "Policy Set" + organization = local.organization_name + agent_enabled = true + policy_tool_version = "%s" + policy_ids = [tfe_sentinel_policy.foo.id] + workspace_ids = [tfe_workspace.foobar.id] +} + +resource "tfe_project_policy_set" "foobar" { + policy_set_id = tfe_policy_set.foobar.id + project_id = tfe_project.foobar.id +} + +resource "tfe_workspace_policy_set_exclusion" "foobar" { + policy_set_id = tfe_policy_set.foobar.id + workspace_id = tfe_workspace.foobar.id +} + +data "tfe_policy_set" "bar" { + name = tfe_policy_set.foobar.name + organization = local.organization_name + depends_on=[tfe_policy_set.foobar, tfe_project_policy_set.foobar, tfe_workspace_policy_set_exclusion.foobar] +}`, organization, version, sha, rInt, rInt, rInt, version) +} + +func 
testAccTFEPolicySetDataSourceConfigOPA_basic(organization string, rInt int, version string, sha string) string { + return fmt.Sprintf(` +locals { + organization_name = "%s" +} + + +resource "tfe_opa_version" "foobar" { + version = "%s" + url = "https://www.hashicorp.com" + sha = "%s" +} + resource "tfe_workspace" "foobar" { name = "workspace-foo-%d" organization = local.organization_name @@ -249,6 +376,8 @@ resource "tfe_policy_set" "foobar" { description = "Policy Set" organization = local.organization_name kind = "opa" + agent_enabled = true + policy_tool_version = "%s" overridable = true workspace_ids = [tfe_workspace.foobar.id] } @@ -267,7 +396,8 @@ data "tfe_policy_set" "bar" { name = tfe_policy_set.foobar.name organization = local.organization_name kind = "opa" -}`, organization, rInt, rInt, rInt) + depends_on=[tfe_policy_set.foobar, tfe_project_policy_set.foobar, tfe_workspace_policy_set_exclusion.foobar] +}`, organization, version, sha, rInt, rInt, rInt, version) } func testAccTFEPolicySetDataSourceConfig_vcs(organization string, rInt int) string { diff --git a/internal/provider/resource_tfe_policy_set.go b/internal/provider/resource_tfe_policy_set.go index 658d9cf30..b9418faab 100644 --- a/internal/provider/resource_tfe_policy_set.go +++ b/internal/provider/resource_tfe_policy_set.go @@ -75,6 +75,18 @@ func resourceTFEPolicySet() *schema.Resource { Default: false, }, + "agent_enabled": { + Description: "Whether the policy set is executed in the TFC agent. True by default for OPA policies", + Type: schema.TypeBool, + Optional: true, + }, + + "policy_tool_version": { + Description: "The policy tool version to run the policy evaluation against", + Type: schema.TypeString, + Optional: true, + }, + "policies_path": { Type: schema.TypeString, Optional: true, 
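Review bot: In testAccTFEPolicySetDataSourceConfig_pinnedPolicyRuntimeVersion nothing orders `tfe_policy_set.foobar` after `tfe_sentinel_version.foobar`: `policy_tool_version = "%s"` is a literal, so Terraform may create the policy set before the version is registered, and if the API validates the pinned version against registered tool versions the test will fail intermittently. Referencing the resource gives the ordering for free: `policy_tool_version = tfe_sentinel_version.foobar.version`. The OPA variant that follows (`tfe_opa_version.foobar`), and the resource-test configs testAccTFEPolicySet_pinnedPolicyRuntimeVersion and testAccTFEPolicySetOPA_overridable in the later file, have the same gap; only testAccTFEPolicySetOPA_basic adds a `depends_on`. Also `depends_on=[...]` should be written `depends_on = [...]` to match the surrounding HCL.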
@@ -171,6 +183,14 @@ func resourceTFEPolicySetCreate(d *schema.ResourceData, meta interface{}) error
 options.Overridable = tfe.Bool(vOverridable.(bool))
 }
+ if vAgentEnabled, ok := d.GetOk("agent_enabled"); ok {
+ options.AgentEnabled = tfe.Bool(vAgentEnabled.(bool))
+ }
+
+ if vPolicyToolVersion, ok := d.GetOk("policy_tool_version"); ok {
+ options.PolicyToolVersion = tfe.String(vPolicyToolVersion.(string))
+ }
+
 if desc, ok := d.GetOk("description"); ok {
 options.Description = tfe.String(desc.(string))
 }
@@ -243,6 +263,7 @@ func resourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("description", policySet.Description)
 d.Set("global", policySet.Global)
 d.Set("policies_path", policySet.PoliciesPath)
+ d.Set("agent_enabled", policySet.AgentEnabled)
 if policySet.Organization != nil {
 d.Set("organization", policySet.Organization.Name)
@@ -257,6 +278,10 @@ func resourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("overridable", policySet.Overridable)
 }
+ if policySet.PolicyToolVersion != "" {
+ d.Set("policy_tool_version", policySet.PolicyToolVersion)
+ }
+
 // Set VCS policy set options.
 var vcsRepo []interface{}
 if policySet.VCSRepo != nil {
@@ -330,7 +355,7 @@ func resourceTFEPolicySetUpdate(d *schema.ResourceData, meta interface{}) error
 }
 // Don't bother updating the policy set's attributes if they haven't changed
- if d.HasChange("name") || d.HasChange("description") || d.HasChange("global") || d.HasChange("vcs_repo") || d.HasChange("overridable") {
+ if d.HasChange("name") || d.HasChange("description") || d.HasChange("global") || d.HasChange("vcs_repo") || d.HasChange("overridable") || d.HasChange("agent_enabled") || d.HasChange("policy_tool_version") {
 // Create a new options struct.
 options := tfe.PolicySetUpdateOptions{
 Name: tfe.String(name),
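Review bot: `d.GetOk("agent_enabled")` in resourceTFEPolicySetCreate never reports ok for an explicit `agent_enabled = false`, because GetOk treats the zero value as unset, so the option is omitted from the create request and the server-side default (true for OPA sets, per the schema description) wins while the configuration says otherwise. Update handles the same attribute with `d.HasChange` plus `d.Get`, so Create and Update disagree on how false is sent. The SDK's way to distinguish unset from false is `if v, ok := d.GetOkExists("agent_enabled"); ok { options.AgentEnabled = tfe.Bool(v.(bool)) }` (marked deprecated, but still the supported mechanism for this case). The later schema change in this series that adds `Computed: true` to the attribute makes the silent drop harder to notice, since the server's value is then accepted into state without a diff. resourceTFEPolicySetCreate continues outside the hunk.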
@@ -346,6 +371,15 @@ func resourceTFEPolicySetUpdate(d *schema.ResourceData, meta interface{}) error
 options.Overridable = tfe.Bool(o)
 }
+ if d.HasChange("agent_enabled") {
+ o := d.Get("agent_enabled").(bool)
+ options.AgentEnabled = tfe.Bool(o)
+ }
+
+ if policyToolVersion, ok := d.GetOk("policy_tool_version"); ok {
+ options.PolicyToolVersion = tfe.String(policyToolVersion.(string))
+ }
+
 if v, ok := d.GetOk("vcs_repo"); ok {
 vcsRepo := v.([]interface{})[0].(map[string]interface{})
diff --git a/internal/provider/resource_tfe_policy_set_test.go b/internal/provider/resource_tfe_policy_set_test.go
index 47583891b..9f26b0bd6 100644
--- a/internal/provider/resource_tfe_policy_set_test.go
+++ b/internal/provider/resource_tfe_policy_set_test.go
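Review bot: The new `policy_tool_version` branch in resourceTFEPolicySetUpdate uses `d.GetOk` while the `agent_enabled` branch directly above it uses `d.HasChange`, so the version is re-sent on every update that reaches this block even when it has not changed, and an empty value can never be sent to clear a pin. `if d.HasChange("policy_tool_version") { options.PolicyToolVersion = tfe.String(d.Get("policy_tool_version").(string)) }` keeps the two attributes consistent; whether the API accepts an empty string to unpin is not visible here and is worth confirming before relying on it. The enclosing function starts and ends outside the hunk.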
@@ -41,6 +41,50 @@ func TestAccTFEPolicySet_basic(t *testing.T) { "tfe_policy_set.foobar", "description", "Policy Set"), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "global", "false"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "agent_enabled", "false"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "policy_ids.#", "1"), + ), + }, + }, + }) +} + +func TestAccTFEPolicySet_pinnedPolicyRuntimeVersion(t *testing.T) { + tfeClient, err := getClientUsingEnv() + if err != nil { + t.Fatal(err) + } + + sha := genSentinelSha(t, "secret", "data") + version := genSafeRandomSentinelVersion() + + org, orgCleanup := createBusinessOrganization(t, tfeClient) + t.Cleanup(orgCleanup) + + policySet := &tfe.PolicySet{} + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckTFEPolicySetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccTFEPolicySet_pinnedPolicyRuntimeVersion(org.Name, version, sha), + Check: resource.ComposeTestCheckFunc( + testAccCheckTFEPolicySetExists("tfe_policy_set.foobar", policySet), + testAccCheckTFEPolicySetAttributes(policySet), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "name", "tst-terraform"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "description", "Policy Set"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "global", "false"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "agent_enabled", "true"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "policy_tool_version", version), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "policy_ids.#", "1"), ), 
@@ -50,12 +94,14 @@ func TestAccTFEPolicySet_basic(t *testing.T) { } func TestAccTFEPolicySetOPA_basic(t *testing.T) { - skipUnlessBeta(t) tfeClient, err := getClientUsingEnv() if err != nil { t.Fatal(err) } + sha := genSentinelSha(t, "secret", "data") + version := genSafeRandomOPAVersion() + org, orgCleanup := createBusinessOrganization(t, tfeClient) t.Cleanup(orgCleanup) @@ -67,7 +113,7 @@ func TestAccTFEPolicySetOPA_basic(t *testing.T) { CheckDestroy: testAccCheckTFEPolicySetDestroy, Steps: []resource.TestStep{ { - Config: testAccTFEPolicySetOPA_basic(org.Name), + Config: testAccTFEPolicySetOPA_basic(org.Name, version, sha), Check: resource.ComposeTestCheckFunc( testAccCheckTFEPolicySetExists("tfe_policy_set.foobar", policySet), testAccCheckTFEPolicySetAttributes(policySet), @@ -76,7 +122,11 @@ func TestAccTFEPolicySetOPA_basic(t *testing.T) { resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "kind", "opa"), resource.TestCheckResourceAttr( - "tfe_policy_set.foobar", "overridable", "false"), + "tfe_policy_set.foobar", "overridable", "true"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "agent_enabled", "true"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "policy_tool_version", version), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "description", "Policy Set"), resource.TestCheckResourceAttr( @@ -88,11 +138,12 @@ func TestAccTFEPolicySetOPA_basic(t *testing.T) { } func TestAccTFEPolicySet_updateOverridable(t *testing.T) { - skipUnlessBeta(t) tfeClient, err := getClientUsingEnv() if err != nil { t.Fatal(err) } + sha := genSentinelSha(t, "secret", "data") + version := genSafeRandomOPAVersion() org, orgCleanup := createBusinessOrganization(t, tfeClient) t.Cleanup(orgCleanup) 
@@ -105,7 +156,7 @@ func TestAccTFEPolicySet_updateOverridable(t *testing.T) { CheckDestroy: testAccCheckTFEPolicySetDestroy, Steps: []resource.TestStep{ { - Config: testAccTFEPolicySetOPA_basic(org.Name), + Config: testAccTFEPolicySetOPA_basic(org.Name, version, sha), Check: resource.ComposeTestCheckFunc( testAccCheckTFEPolicySetExists("tfe_policy_set.foobar", policySet), testAccCheckTFEPolicySetAttributes(policySet), @@ -115,6 +166,8 @@ func TestAccTFEPolicySet_updateOverridable(t *testing.T) { "tfe_policy_set.foobar", "description", "Policy Set"), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "kind", "opa"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "agent_enabled", "true"), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "global", "false"), resource.TestCheckResourceAttr( @@ -123,7 +176,7 @@ func TestAccTFEPolicySet_updateOverridable(t *testing.T) { }, { - Config: testAccTFEPolicySetOPA_overridable(org.Name), + Config: testAccTFEPolicySetOPA_overridable(org.Name, version, sha), Check: resource.ComposeTestCheckFunc( testAccCheckTFEPolicySetExists("tfe_policy_set.foobar", policySet), resource.TestCheckResourceAttr( @@ -132,6 +185,8 @@ func TestAccTFEPolicySet_updateOverridable(t *testing.T) { "tfe_policy_set.foobar", "global", "false"), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "kind", "opa"), + resource.TestCheckResourceAttr( + "tfe_policy_set.foobar", "agent_enabled", "true"), resource.TestCheckResourceAttr( "tfe_policy_set.foobar", "workspace_ids.#", "1"), resource.TestCheckResourceAttr( 
@@ -979,15 +1034,48 @@ resource "tfe_policy_set" "foobar" { }`, organization, organization) } -func testAccTFEPolicySetOPA_basic(organization string) string { +func testAccTFEPolicySet_pinnedPolicyRuntimeVersion(organization string, version string, sha string) string { return fmt.Sprintf(` +resource "tfe_sentinel_version" "foobar" { + version = "%s" + url = "https://www.hashicorp.com" + sha = "%s" +} + +resource "tfe_sentinel_policy" "foo" { + name = "policy-foo" + policy = "main = rule { true }" + organization = "%s" +} + +resource "tfe_policy_set" "foobar" { + name = "tst-terraform" + description = "Policy Set" + organization = "%s" + agent_enabled = true + policy_tool_version = "%s" + policy_ids = [tfe_sentinel_policy.foo.id] +}`, version, sha, organization, organization, version) +} + +func testAccTFEPolicySetOPA_basic(organization string, version string, sha string) string { + return fmt.Sprintf(` +resource "tfe_opa_version" "foobar" { + version = "%s" + url = "https://www.hashicorp.com" + sha = "%s" +} + resource "tfe_policy_set" "foobar" { name = "tst-terraform" description = "Policy Set" organization = "%s" kind = "opa" overridable = "true" -}`, organization) + agent_enabled = "true" + policy_tool_version = "%s" + depends_on = [tfe_opa_version.foobar] +}`, version, sha, organization, version) } func testAccTFEPolicySet_empty(organization string) string { @@ -1024,12 +1112,18 @@ resource "tfe_policy_set" "foobar" { }`, organization) } -func testAccTFEPolicySetOPA_overridable(organization string) string { +func testAccTFEPolicySetOPA_overridable(organization string, version string, sha string) string { return fmt.Sprintf(` locals { organization_name = "%s" } +resource "tfe_opa_version" "foobar" { + version = "%s" + url = "https://www.hashicorp.com" + sha = "%s" +} + resource "tfe_workspace" "foo" { name = "workspace-foo" organization = local.organization_name 
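Review bot: testAccTFEPolicySetOPA_basic writes the boolean as `agent_enabled = "true"` while testAccTFEPolicySet_pinnedPolicyRuntimeVersion in the same hunk writes `agent_enabled = true`; the SDK coerces the quoted form, but the fixtures should agree, and the unquoted form matches the `schema.TypeBool` declaration. The quoted form is repeated for `overridable` here and for both attributes in testAccTFEPolicySetOPA_overridable in the next hunk. Change to `agent_enabled = true`.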
@@ -1040,8 +1134,10 @@ resource "tfe_policy_set" "foobar" { organization = local.organization_name workspace_ids = [tfe_workspace.foo.id] overridable = "false" + agent_enabled = "true" + policy_tool_version = "%s" kind = "opa" -}`, organization) +}`, organization, version, sha, version) } func testAccTFEPolicySet_updatePopulated(organization string) string { From 0cfda51ad6a3c71786c2cba16e7dec3a969dac75 Mon Sep 17 00:00:00 2001 From: mrinalirao Date: Wed, 31 Jan 2024 14:52:05 +1100 Subject: [PATCH 2/4] add CHANGELOG and update doc --- CHANGELOG.md | 2 ++ website/docs/d/policy_set.html.markdown | 2 ++ website/docs/r/policy_set.html.markdown | 31 +++++++++++++++---------- 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ca4659ec5..59d74c65f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ FEATURES: * **New Data Source**: `d/tfe_registry_providers` is a new data source to retrieve information about public and private providers in the private registry, by @tmatilai [1185](https://github.com/hashicorp/terraform-provider-tfe/pull/1185) * **New Resource**: `r/tfe_sentinel_version` adds the ability for admins to configure settings for sentinel versions ([#1202](https://github.com/hashicorp/terraform-provider-tfe/pull/1202)) * **New Resource**: `r/tfe_opa_version` adds the ability for admins to configure settings for OPA versions ([#1202](https://github.com/hashicorp/terraform-provider-tfe/pull/1202)) +* `r/tfe_policy_set`: Add `agent_enabled` and `policy_tool_version` attributes to allow setting a policy runtime version to the policy set, by @mrinalirao [1234](https://github.com/hashicorp/terraform-provider-tfe/pull/1234) +* `d/tfe_policy_set`: Add `agent_enabled` and `policy_tool_version` attributes to get the policy runtime version of a policy set, by @mrinalirao [1234](https://github.com/hashicorp/terraform-provider-tfe/pull/1234) BUG FIXES: 
diff --git a/website/docs/d/policy_set.html.markdown b/website/docs/d/policy_set.html.markdown index fe614630f..141a6b472 100644 --- a/website/docs/d/policy_set.html.markdown +++ b/website/docs/d/policy_set.html.markdown @@ -35,6 +35,8 @@ The following arguments are supported: * `description` - Description of the policy set. * `global` - Whether or not the policy set applies to all workspaces in the organization. * `kind` - The policy-as-code framework for the policy. Valid values are "sentinel" and "opa". +* `agent_enabled` - Whether or not the policy set is run as a policy evaluation within the agent. True by default for all "opa" policy sets. +* `policy_tool_version` - The policy tool version to run the evaluation against. * `overridable` - Whether users can override this policy when it fails during a run. Only valid for OPA policies. * `workspace_ids` - IDs of the workspaces that use the policy set. * `excluded_workspace_ids` - IDs of the workspaces that do not use the policy set. diff --git a/website/docs/r/policy_set.html.markdown b/website/docs/r/policy_set.html.markdown index a5a252e02..c27881951 100644 --- a/website/docs/r/policy_set.html.markdown +++ b/website/docs/r/policy_set.html.markdown @@ -21,12 +21,14 @@ Basic usage (VCS-based policy set): ```hcl resource "tfe_policy_set" "test" { - name = "my-policy-set" - description = "A brand new policy set" - organization = "my-org-name" - kind = "sentinel" - policies_path = "policies/my-policy-set" - workspace_ids = [tfe_workspace.test.id] + name = "my-policy-set" + description = "A brand new policy set" + organization = "my-org-name" + kind = "sentinel" + agent_enabled = "true" + policy_tool_version = "0.24.1" + policies_path = "policies/my-policy-set" + workspace_ids = [tfe_workspace.test.id] vcs_repo { identifier = "my-org-name/my-policy-set-repository" 
@@ -41,12 +43,14 @@ Using manually-specified policies: ```hcl resource "tfe_policy_set" "test" { - name = "my-policy-set" - description = "A brand new policy set" - organization = "my-org-name" - kind = "sentinel" - policy_ids = [tfe_sentinel_policy.test.id] - workspace_ids = [tfe_workspace.test.id] + name = "my-policy-set" + description = "A brand new policy set" + organization = "my-org-name" + kind = "sentinel" + agent_enabled = "true" + policy_tool_version = "0.24.1" + policy_ids = [tfe_sentinel_policy.test.id] + workspace_ids = [tfe_workspace.test.id] } ``` @@ -81,6 +85,9 @@ The following arguments are supported: * `kind` - (Optional) The policy-as-code framework associated with the policy. Defaults to `sentinel` if not provided. Valid values are `sentinel` and `opa`. A policy set can only have policies that have the same underlying kind. +* `agent_enabled` - (Optional) Whether or not the policy set is run as a policy evaluation within the agent. + True by default for all "opa" policy sets. +* `policy_tool_version` - (Optional) The policy tool version to run the evaluation against. * `overridable` - (Optional) Whether or not users can override this policy when it fails during a run. Defaults to `false`. Only valid for OPA policies. * `organization` - (Optional) Name of the organization. If omitted, organization must be defined in the provider config. From 58fb5a040625c10e1fb807460f1b72b1de8405dc Mon Sep 17 00:00:00 2001 From: mrinalirao Date: Thu, 1 Feb 2024 08:58:04 +1100 Subject: [PATCH 3/4] minor changes as per feedback --- go.mod | 2 +- go.sum | 4 ++++ internal/provider/data_source_policy_set.go | 4 ++-- internal/provider/data_source_policy_set_test.go | 1 - internal/provider/resource_tfe_policy_set.go | 2 ++ 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 9138b3208..eaa044057 100644 --- a/go.mod +++ b/go.mod 
@@ -43,7 +43,7 @@ require ( github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect github.com/hashicorp/go-plugin v1.6.0 // indirect github.com/hashicorp/go-uuid v1.0.3 - github.com/hashicorp/jsonapi v1.2.0 // indirect + github.com/hashicorp/jsonapi v1.3.1 // indirect github.com/hashicorp/logutils v1.0.0 // indirect github.com/hashicorp/terraform-exec v0.20.0 // indirect github.com/hashicorp/terraform-json v0.21.0 // indirect diff --git a/go.sum b/go.sum index 2b742b91f..52aebfed9 100644 --- a/go.sum +++ b/go.sum @@ -75,6 +75,8 @@ github.com/hashicorp/go-tfe v1.43.0 h1:0rFw/87Mw87nBrkH4JkCIYlUlmR+l2IYs4Ip5cVBI github.com/hashicorp/go-tfe v1.43.0/go.mod h1:bwFaHnmB+XigFoSVYaBXfYiwFI9+RecXTA0CrHT919s= github.com/hashicorp/go-tfe v1.43.1-0.20240124225001-a70b00fc17ba h1:5ghRIwO76fM7XsNwONGlw/xE+XO9uU3yyTUE36JX/nM= github.com/hashicorp/go-tfe v1.43.1-0.20240124225001-a70b00fc17ba/go.mod h1:bwFaHnmB+XigFoSVYaBXfYiwFI9+RecXTA0CrHT919s= +github.com/hashicorp/go-tfe v1.44.0 h1:eQ9n2Ecfel6O5j03UW6B9LNsM1x6KbHErsjwSd9BLmg= +github.com/hashicorp/go-tfe v1.44.0/go.mod h1:3ZGX+wxeyp/JnP8qEZo8m3s0ggJ7H+L2BvJRpkRdtVU= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
@@ -88,6 +90,8 @@ github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5R github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= github.com/hashicorp/jsonapi v1.2.0 h1:ezDCzOFsKTL+KxVQuA1rNxkIGTvZph1rNu8kT5A8trI= github.com/hashicorp/jsonapi v1.2.0/go.mod h1:Yog5+CPEM3c99L1CL2CFCYoSzgWm5vTU58idbRUaLik= +github.com/hashicorp/jsonapi v1.3.1 h1:GtPvnmcWgYwCuDGvYT5VZBHcUyFdq9lSyCzDjn1DdPo= +github.com/hashicorp/jsonapi v1.3.1/go.mod h1:kWfdn49yCjQvbpnvY1dxxAuAFzISwrrMDQOcu6NsFoM= github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/terraform-exec v0.20.0 h1:DIZnPsqzPGuUnq6cH8jWcPunBfY+C+M8JyYF3vpnuEo= diff --git a/internal/provider/data_source_policy_set.go b/internal/provider/data_source_policy_set.go index 91b22ba91..069584f9c 100644 --- a/internal/provider/data_source_policy_set.go +++ b/internal/provider/data_source_policy_set.go @@ -56,13 +56,13 @@ func dataSourceTFEPolicySet() *schema.Resource { "agent_enabled": { Description: "Whether the policy set is executed in the TFC agent. True by default for OPA policies", Type: schema.TypeBool, - Optional: true, + Computed: true, }, "policy_tool_version": { Description: "The policy tool version to run the policy evaluation against", Type: schema.TypeString, - Optional: true, + Computed: true, }, "policies_path": { diff --git a/internal/provider/data_source_policy_set_test.go b/internal/provider/data_source_policy_set_test.go index 32ce23936..ab2691008 100644 --- a/internal/provider/data_source_policy_set_test.go +++ b/internal/provider/data_source_policy_set_test.go @@ -61,7 +61,6 @@ func TestAccTFEPolicySetDataSource_basic(t *testing.T) { } func TestAccTFEPolicySetDataSource_pinnedPolicyRuntimeVersion(t *testing.T) { - skipUnlessBeta(t) tfeClient, err := getClientUsingEnv() if err != nil { t.Fatal(err) 
diff --git a/internal/provider/resource_tfe_policy_set.go b/internal/provider/resource_tfe_policy_set.go
index b9418faab..ce4317fd1 100644
--- a/internal/provider/resource_tfe_policy_set.go
+++ b/internal/provider/resource_tfe_policy_set.go
@@ -79,12 +79,14 @@ func resourceTFEPolicySet() *schema.Resource {
 Description: "Whether the policy set is executed in the TFC agent. True by default for OPA policies",
 Type: schema.TypeBool,
 Optional: true,
+ Computed: true,
 },
 "policy_tool_version": {
 Description: "The policy tool version to run the policy evaluation against",
 Type: schema.TypeString,
 Optional: true,
+ Computed: true,
 },
 "policies_path": {
From a51a7d485c14713ad7757637ca84eb0c838db661 Mon Sep 17 00:00:00 2001
From: mrinalirao
Date: Thu, 1 Feb 2024 09:06:55 +1100
Subject: [PATCH 4/4] go mod tidy
---
 go.sum | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/go.sum b/go.sum
index 52aebfed9..29962dbb1 100644
--- a/go.sum
+++ b/go.sum
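Review bot: With `Optional: true, Computed: true` on `policy_tool_version`, deleting the attribute from a configuration is a no-op — the SDK keeps the prior state value and plans no update — so an operator cannot unpin a version by removing the line, and neither the schema Description nor the resource docs added earlier in this series say so. A sentence in the Description along the lines of `Once set, omitting this attribute keeps the current pin; change the value explicitly to move it` would make the behaviour discoverable. The same applies to `agent_enabled`, where the server's default is silently adopted into state once the attribute is left unset.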
@@ -71,10 +71,6 @@ github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= github.com/hashicorp/go-slug v0.13.4 h1:dIyjGKFVwbOVAqp0/s7tmONwCNr9D2UvmMuVE4mPfv0= github.com/hashicorp/go-slug v0.13.4/go.mod h1:THWVTAXwJEinbsp4/bBRcmbaO5EYNLTqxbG4tZ3gCYQ= -github.com/hashicorp/go-tfe v1.43.0 h1:0rFw/87Mw87nBrkH4JkCIYlUlmR+l2IYs4Ip5cVBIC0= -github.com/hashicorp/go-tfe v1.43.0/go.mod h1:bwFaHnmB+XigFoSVYaBXfYiwFI9+RecXTA0CrHT919s= -github.com/hashicorp/go-tfe v1.43.1-0.20240124225001-a70b00fc17ba h1:5ghRIwO76fM7XsNwONGlw/xE+XO9uU3yyTUE36JX/nM= -github.com/hashicorp/go-tfe v1.43.1-0.20240124225001-a70b00fc17ba/go.mod h1:bwFaHnmB+XigFoSVYaBXfYiwFI9+RecXTA0CrHT919s= github.com/hashicorp/go-tfe v1.44.0 h1:eQ9n2Ecfel6O5j03UW6B9LNsM1x6KbHErsjwSd9BLmg= github.com/hashicorp/go-tfe v1.44.0/go.mod h1:3ZGX+wxeyp/JnP8qEZo8m3s0ggJ7H+L2BvJRpkRdtVU= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= @@ -88,8 +84,6 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI= github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= -github.com/hashicorp/jsonapi v1.2.0 h1:ezDCzOFsKTL+KxVQuA1rNxkIGTvZph1rNu8kT5A8trI= -github.com/hashicorp/jsonapi v1.2.0/go.mod h1:Yog5+CPEM3c99L1CL2CFCYoSzgWm5vTU58idbRUaLik= github.com/hashicorp/jsonapi v1.3.1 h1:GtPvnmcWgYwCuDGvYT5VZBHcUyFdq9lSyCzDjn1DdPo= github.com/hashicorp/jsonapi v1.3.1/go.mod h1:kWfdn49yCjQvbpnvY1dxxAuAFzISwrrMDQOcu6NsFoM= github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=