Support restriction in elasticstack_elasticsearch_security_api_key
#577
Conversation
|
💚 CLA has been signed |
| if esClient, err := client.GetESClient(); err == nil { | ||
| req := esapi.InfoRequest{} | ||
| res, err := req.Do(ctx, esClient.Transport) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
|
|
||
| defer res.Body.Close() | ||
|
|
||
| var info info | ||
| err = json.NewDecoder(res.Body).Decode(&info) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
|
|
||
| currentVersion, err := version.NewVersion(info.Version.Number) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
|
|
||
| supportedVersion, _ := version.NewVersion("8.9.0") // restriction is supported since 8.9.x | ||
|
|
||
| if currentVersion.LessThan(supportedVersion) { | ||
| return false, err | ||
| } | ||
| } | ||
| return true, nil |
There was a problem hiding this comment.
Can replace this with something like
| if esClient, err := client.GetESClient(); err == nil { | |
| req := esapi.InfoRequest{} | |
| res, err := req.Do(ctx, esClient.Transport) | |
| if err != nil { | |
| return false, err | |
| } | |
| defer res.Body.Close() | |
| var info info | |
| err = json.NewDecoder(res.Body).Decode(&info) | |
| if err != nil { | |
| return false, err | |
| } | |
| currentVersion, err := version.NewVersion(info.Version.Number) | |
| if err != nil { | |
| return false, err | |
| } | |
| supportedVersion, _ := version.NewVersion("8.9.0") // restriction is supported since 8.9.x | |
| if currentVersion.LessThan(supportedVersion) { | |
| return false, err | |
| } | |
| } | |
| return true, nil | |
| currentVersion, diags := client.ServerVersion() | |
| if diags.HasError() { | |
| return true | |
| } | |
| return currentVersion.GreaterThanOrEqual(APIKeyWithRestrictionMinVersion) |
There was a problem hiding this comment.
Let me give that a go
There was a problem hiding this comment.
@tobio I made a slight variation but it now uses the ServerVersion call from the client directly instead of making the whole request objects like I had before.
|
Hey @sandermvanvliet-stack are you able to sign the CLA so we can continue with this one? |
|
@tobio I'm still waiting on some internal comms before I do that. Trying to figure out if we have/need/want a corporate CLA for this. |
|
@tobio the CLA should now be signed as a company wide one by our teams, would you be able to check so we can get on the merge train? |
I can't see any signed agreements from your company or email domain. I'm not familiar with the company wide agreement process, I'll ask around and see if there's something we need to do. |
|
@sandermvanvliet-stack we can't find any recent CLA activity on anyone related to Stack Overflow or Stack Exchange. Are you able to get some more details about how the CLA was signed so we can try and track this down? |
|
@tobio I was told it was handled but let me prod some people here. Thanks for checking 👍 |
|
@tobio the CLA was signed 26th of June. The contact listed is David Whitt. |
Ok, weird. I can't find anything under that name where we'd expect it to be (our internal tooling or in the Docusign account used for the CLA agreements). I've followed up via email so you can share a copy of the CLA. Once I've got a copy I can try and find out what's happened here. At the very least, IIUC we should be able to manually add your accounts with a copy of the agreement. |
|
@sandermvanvliet-stack sorry about the delay here. I'm not clear why it took a while for this agreement to show up. It looks like everything's good to go here. Thanks for taking the time to add this into the provider, and dealing with the box ticking :) |
* origin/main: Add support for the `alert_delay` param in the Create Rule API (#715) chore: prepare release v0.11.6 (#716) Validate that mappings are a JSON object, not just valid json (#719) fix: move all resources in one namespace for tcp monitor acc tests (#717) Bump github.com/golangci/golangci-lint from 1.59.1 to 1.60.1 in /tools (#714) Bump github.com/docker/docker in /tools (#718) Bump github.com/goreleaser/goreleaser from 1.26.1 to 1.26.2 in /tools (#642) Bump github.com/hashicorp/terraform-plugin-framework (#705) Add kibana synthetics http and tcp monitor resources (#699) Kibana spaces data source (#682) Use ephemeral github token for build. (#712) chore: 8.15.0 is here - lets try it out (#708) Update changelog for 0.11.5 Bump version for 0.11.5 (#706) Bugfix SLO API: Update type for `group_by` to accept either string or array-of-strings (#701) Support `restriction` in `elasticstack_elasticsearch_security_api_key` (#577) chore: follow-up CR changes for synthetics private location resource (#697)
In its current form the provider is unable to provision API keys that have a restriction specified in the role descriptors.
For example, given this terraform:
The provider will happily create an API key named
restricted-keyhowever therestrictionfield is not persisted in Elasticsearch.On the next
terraform plan, this API key will be marked as needing replacement due to the fact that the comparison between the local terraform definition and the response from the Elasicsearch API are different. That is because the local terraform definition serializes to JSON and will containrestrictionwhile the JSON for the existing API key does not have that field.This PR adds the
restrictionto the model structs necessary to provision the API keys.In order to achieve that, the
Rolestruct was duplicated to an API key specific structApiKeyRoleDescriptor. PreviouslyRolewas shared between theelasticstack_elasticsearch_security_api_keyresource and theelasticstack_elasticsearch_security_roledata source.In Elasticsearch, the
restrictionis only available from 8.9.x and up. To provide some feedback to users, an error will be generated during plan/apply time when the target Elasticsearch is below 8.9 and the user has specified arestrictionin their local terraform definition:This is currently making a call directly to the Elasticsearch instance which is probably not ideal, however I could not find a reference to the current version in the code. If that's available that would be a much better option.