TF: allow Role V7 resource

Add support for Role V7.
gravitational · Sep 26, 2023 · a60e6c0 · a60e6c0
1 parent efa67e1
commit a60e6c0
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 2 deletions.
diff --git a/terraform/protoc-gen-terraform-teleport.yaml b/terraform/protoc-gen-terraform-teleport.yaml
@@ -368,7 +368,7 @@ validators:
   ProvisionTokenV2.Version:
     - UseVersionBetween(2,2)
   RoleV6.Version:
-    - UseVersionBetween(3,6)
+    - UseVersionBetween(3,7)
   SAMLConnectorV2.Version:
     - UseVersionBetween(2,2)
   SAMLConnectorV2.Spec:

diff --git a/terraform/test/fixtures/role_with_kube_verbs.tf b/terraform/test/fixtures/role_with_kube_verbs.tf
@@ -0,0 +1,21 @@
+resource "teleport_role" "kube_verbs" {
+  metadata = {
+    name = "kube_verbs"
+  }
+
+  spec = {
+    allow = {
+      logins = ["onev6"]
+      kubernetes_resources = [
+        {
+          kind      = "pod"
+          name      = "*"
+          namespace = "myns"
+          verbs     = ["get", "watch", "list"]
+        }
+      ]
+    }
+  }
+
+  version = "v7"
+}
diff --git a/terraform/test/role_test.go b/terraform/test/role_test.go
@@ -325,6 +325,7 @@ func (s *TerraformSuite) TestRoleWithKubernetesResources() {
 					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.kind", "pod"),
 					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.name", "*"),
 					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.namespace", "myns"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.0", "*"),
 				),
 			},
 			{
@@ -334,3 +335,41 @@ func (s *TerraformSuite) TestRoleWithKubernetesResources() {
 		},
 	})
 }
+
+func (s *TerraformSuite) TestRoleWithKubernetesVerbs() {
+	checkDestroyed := func(state *terraform.State) error {
+		_, err := s.client.GetRole(s.Context(), "kube_verbs")
+		if trace.IsNotFound(err) {
+			return nil
+		}
+
+		return err
+	}
+
+	name := "teleport_role.kube_verbs"
+
+	resource.Test(s.T(), resource.TestCase{
+		ProtoV6ProviderFactories: s.terraformProviders,
+		CheckDestroy:             checkDestroyed,
+		Steps: []resource.TestStep{
+			{
+				Config: s.getFixture("role_with_kube_verbs.tf"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "kind", "role"),
+					resource.TestCheckResourceAttr(name, "version", "v7"),
+					resource.TestCheckResourceAttr(name, "spec.allow.logins.0", "onev6"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.kind", "pod"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.name", "*"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.namespace", "myns"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.0", "get"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.1", "watch"),
+					resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.2", "list"),
+				),
+			},
+			{
+				Config:   s.getFixture("role_with_kube_verbs.tf"),
+				PlanOnly: true,
+			},
+		},
+	})
+}
diff --git a/terraform/tfschema/types_terraform.go b/terraform/tfschema/types_terraform.go