feat: add an attribute "docker_plugin.grant_permissions"

https://github.com/kreuzwerker/terraform-provider-docker/pull/35/files#r549843380
kreuzwerker · Dec 30, 2020 · 03b2187 · 03b2187
1 parent 967f2ba
commit 03b2187
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 5 deletions.
diff --git a/docker/resource_docker_plugin.go b/docker/resource_docker_plugin.go
@@ -33,9 +33,33 @@ func resourceDockerPlugin() *schema.Resource {
 				Default:  true,
 			},
 			"grant_all_permissions": {
-				Type:        schema.TypeBool,
-				Optional:    true,
-				Description: "If true, grant all permissions necessary to run the plugin",
+				Type:          schema.TypeBool,
+				Optional:      true,
+				Description:   "If true, grant all permissions necessary to run the plugin",
+				ConflictsWith: []string{"grant_permissions"},
+			},
+			"grant_permissions": {
+				Type:          schema.TypeSet,
+				Optional:      true,
+				ConflictsWith: []string{"grant_all_permissions"},
+				Set: func(v interface{}) int {
+					return schema.HashString(v.(map[string]interface{})["name"].(string))
+				},
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"value": {
+							Type:     schema.TypeSet,
+							Required: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
 			},
 			"env": {
 				Type:     schema.TypeSet,

diff --git a/docker/resource_docker_plugin_funcs.go b/docker/resource_docker_plugin_funcs.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"strings"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
@@ -23,19 +24,54 @@ func getDockerPluginEnv(src interface{}) []string {
 	return envs
 }
 
+func getDockerPluginGrantPermissions(src interface{}) func(types.PluginPrivileges) (bool, error) {
+	grantPermissionsSet := src.(*schema.Set)
+	grantPermissions := make(map[string]map[string]struct{}, grantPermissionsSet.Len())
+	for _, b := range grantPermissionsSet.List() {
+		c := b.(map[string]interface{})
+		name := c["name"].(string)
+		values := c["value"].(*schema.Set)
+		grantPermission := make(map[string]struct{}, values.Len())
+		for _, value := range values.List() {
+			grantPermission[value.(string)] = struct{}{}
+		}
+		grantPermissions[name] = grantPermission
+	}
+	return func(privileges types.PluginPrivileges) (bool, error) {
+		for _, privilege := range privileges {
+			grantPermission, nameOK := grantPermissions[privilege.Name]
+			if !nameOK {
+				log.Print("[DEBUG] to install the plugin, the following permissions are required: " + privilege.Name + " [" + strings.Join(privilege.Value, ", ") + "]")
+				return false, nil
+			}
+			for _, value := range privilege.Value {
+				if _, ok := grantPermission[value]; !ok {
+					log.Print("[DEBUG] to install the plugin, the following permissions are required: " + privilege.Name + " [" + strings.Join(privilege.Value, ", ") + "]")
+					return false, nil
+				}
+			}
+		}
+		return true, nil
+	}
+}
+
 func resourceDockerPluginCreate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*ProviderConfig).DockerClient
 	ctx := context.Background()
 	pluginRef := d.Get("plugin_reference").(string)
 	alias := d.Get("alias").(string)
 	log.Printf("[DEBUG] Install a Docker plugin " + pluginRef)
-	body, err := client.PluginInstall(ctx, alias, types.PluginInstallOptions{
+	opts := types.PluginInstallOptions{
 		RemoteRef:            pluginRef,
 		AcceptAllPermissions: d.Get("grant_all_permissions").(bool),
 		Disabled:             !d.Get("enabled").(bool),
 		// TODO support other settings
 		Args: getDockerPluginEnv(d.Get("env")),
-	})
+	}
+	if v, ok := d.GetOk("grant_permissions"); ok {
+		opts.AcceptPermissionsFunc = getDockerPluginGrantPermissions(v)
+	}
+	body, err := client.PluginInstall(ctx, alias, opts)
 	if err != nil {
 		return fmt.Errorf("install a Docker plugin "+pluginRef+": %w", err)
 	}