diff --git a/terraform/protoc-gen-terraform-teleport.yaml b/terraform/protoc-gen-terraform-teleport.yaml
index 4e150e716..4937cf1d3 100644
--- a/terraform/protoc-gen-terraform-teleport.yaml
+++ b/terraform/protoc-gen-terraform-teleport.yaml
@@ -368,7 +368,7 @@ validators:
 ProvisionTokenV2.Version:
 - UseVersionBetween(2,2)
 RoleV6.Version:
- - UseVersionBetween(3,6)
+ - UseVersionBetween(3,7)
 SAMLConnectorV2.Version:
 - UseVersionBetween(2,2)
 SAMLConnectorV2.Spec:
diff --git a/terraform/test/fixtures/role_with_kube_verbs.tf b/terraform/test/fixtures/role_with_kube_verbs.tf
new file mode 100644
index 000000000..7a0831421
--- /dev/null
+++ b/terraform/test/fixtures/role_with_kube_verbs.tf
@@ -0,0 +1,21 @@
+resource "teleport_role" "kube_verbs" {
+ metadata = {
+ name = "kube_verbs"
+ }
+
+ spec = {
+ allow = {
+ logins = ["onev6"]
+ kubernetes_resources = [
+ {
+ kind = "pod"
+ name = "*"
+ namespace = "myns"
+ verbs = ["get", "watch", "list"]
+ }
+ ]
+ }
+ }
+
+ version = "v7"
+}
diff --git a/terraform/test/role_test.go b/terraform/test/role_test.go
index d3dfda287..8f59ea879 100644
--- a/terraform/test/role_test.go
+++ b/terraform/test/role_test.go
@@ -325,6 +325,7 @@ func (s *TerraformSuite) TestRoleWithKubernetesResources() {
 resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.kind", "pod"),
 resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.name", "*"),
 resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.namespace", "myns"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.0", "*"),
 ),
 },
 {
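Review bot: The added check in TestRoleWithKubernetesResources pins `verbs.0` to `"*"` for a fixture that is not part of this diff, so a reader cannot tell whether that fixture sets the wildcard explicitly or whether it is filled in when `verbs` is omitted; a short comment on the new line should say which, e.g. `// verbs is expected to be the wildcard here — confirm whether the fixture sets it or it is defaulted`. Checking only element 0 also leaves the length of the list unasserted, so an extra verb appearing in state would go unnoticed even though this is the field that decides what the role may do; add `resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.#", "1"),` next to it. The same gap applies to the nine-element check block in the new TestRoleWithKubernetesVerbs in the next hunk, where the equivalent line would assert `"3"`. The enclosing TestRoleWithKubernetesResources starts and ends outside this hunk.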
@@ -334,3 +335,41 @@ func (s *TerraformSuite) TestRoleWithKubernetesResources() {
 },
 })
 }
+
+func (s *TerraformSuite) TestRoleWithKubernetesVerbs() {
+ checkDestroyed := func(state *terraform.State) error {
+ _, err := s.client.GetRole(s.Context(), "kube_verbs")
+ if trace.IsNotFound(err) {
+ return nil
+ }
+
+ return err
+ }
+
+ name := "teleport_role.kube_verbs"
+
+ resource.Test(s.T(), resource.TestCase{
+ ProtoV6ProviderFactories: s.terraformProviders,
+ CheckDestroy: checkDestroyed,
+ Steps: []resource.TestStep{
+ {
+ Config: s.getFixture("role_with_kube_verbs.tf"),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(name, "kind", "role"),
+ resource.TestCheckResourceAttr(name, "version", "v7"),
+ resource.TestCheckResourceAttr(name, "spec.allow.logins.0", "onev6"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.kind", "pod"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.name", "*"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.namespace", "myns"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.0", "get"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.1", "watch"),
+ resource.TestCheckResourceAttr(name, "spec.allow.kubernetes_resources.0.verbs.2", "list"),
+ ),
+ },
+ {
+ Config: s.getFixture("role_with_kube_verbs.tf"),
+ PlanOnly: true,
+ },
+ },
+ })
+}
diff --git a/terraform/tfschema/types_terraform.go b/terraform/tfschema/types_terraform.go
index 8a7ea9f16..00fa44da6 100644
--- a/terraform/tfschema/types_terraform.go
+++ b/terraform/tfschema/types_terraform.go
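Review bot: TestRoleWithKubernetesVerbs carries no comment saying what it covers beyond the TestRoleWithKubernetesResources test directly above it, which reads almost identically; a doc comment such as `// TestRoleWithKubernetesVerbs checks that a v7 role round-trips an explicit kubernetes_resources verbs list and that a second plan is empty.` would make the intent visible. The fixture name `"role_with_kube_verbs.tf"` is repeated in both steps; hoisting it into a local next to `name` (e.g. `fixture := s.getFixture("role_with_kube_verbs.tf")`) keeps the two steps from drifting apart. The `state` parameter of `checkDestroyed` is unused, which is presumably required by the CheckDestroy signature; naming it `_` would say so explicitly.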
@@ -2430,7 +2430,7 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 PlanModifiers: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributePlanModifier{github_com_hashicorp_terraform_plugin_framework_tfsdk.UseStateForUnknown()},
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
- Validators: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributeValidator{UseVersionBetween(3, 6)},
+ Validators: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributeValidator{UseVersionBetween(3, 7)},
 },
 }}, nil
 }