
Commit 9eabb2d

Fix AWS permissions updated notification (#207)
Added an optional permissions field to the role set of the polaris_aws_cnp_account_attachments resource. When used, the field will force the resource to be updated when the polaris_aws_cnp_permissions data source changes. During the update RSC will be notified about the updated permissions.
1 parent 436fe66 commit 9eabb2d

8 files changed, +68 -12 lines changed

docs/guides/aws_cnp_account.md

+5-3
Original file line numberDiff line numberDiff line change
@@ -132,11 +132,13 @@ resource "polaris_aws_cnp_account_attachments" "attachments" {
132132
dynamic "role" {
133133
for_each = aws_iam_role.role
134134
content {
135-
key = role.key
136-
arn = role.value["arn"]
135+
key = role.key
136+
arn = role.value["arn"]
137+
permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id
137138
}
138139
}
139140
}
140141
```
141142
This attaches the instance profiles and roles to the AWS account in RSC. When Terraform processes this resource the AWS
142-
account will transition from the connecting state to the connected state in the RSC UI.
143+
account will transition from the connecting state to the connected state in the RSC UI. Note the `permissions` field of
144+
the `polaris_aws_cnp_account_attachments` resource requires version `0.10.0-beta.8` or later of the provider.
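Review bot: the new `permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id` line assumes the data source is declared with `for_each` over the same keys as `aws_iam_role.role`; if a role key has no matching data source instance, `terraform plan` fails with an invalid index error. Either show the data source block alongside this snippet or state the requirement next to the version note, and also say what happens when the field is omitted (a change in the data source then does not update this resource, so RSC is not notified). Since this file is generated from templates/guides/aws_cnp_account.md.tmpl, make the change there and regenerate.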

docs/guides/changelog.md

+13
@@ -4,6 +4,19 @@ page_title: "Changelog"
44

55
# Changelog
66

7+
## v0.10.0-beta.8
8+
* Add the `permissions` field to the `polaris_aws_cnp_account_attachments` resource. The `permissions` field should be
9+
used with the `id` field of the `polaris_aws_cnp_permissions` data source to trigger an update of the resource
10+
whenever the permissions changes. This update will move the RSC cloud account from the missing permissions state.
11+
12+
## v0.10.0-beta.7
13+
* Add support for Azure Bring Your Own Kubernetes Exocompute, also known as BYOK and customer managed Exocompute.
14+
[[docs](../resources/azure_exocompute_cluster_attachment)], [[docs](../resources/azure_private_container_registry)]
15+
16+
## v0.10.0-beta.6
17+
* Add support for the Cloud Native Blob Protection feature to the `polaris_azure_subscription` resource.
18+
[[docs](../resources/azure_subscription#nested-schema-for-cloud_native_blob_protection)]
19+
720
## v0.10.0-beta.5
821
* The data_center_archival_location_amazon_s3 resource will now monitor and wait for the asynchronous CDM operations to
922
finish.
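Review bot: "whenever the permissions changes" should read "whenever the permissions change". The entry also reads as if only the changed role's feature is notified, while the Update code in resource_aws_cnp_account_attachments.go notifies RSC for all features of the account because a role cannot be mapped to a feature; say so here so users are not surprised by the broader notification. This file is generated from templates/guides/changelog.md.tmpl, so apply the wording fix in the template and regenerate.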

docs/resources/aws_cnp_account_attachments.md

+4
@@ -70,6 +70,10 @@ Required:
7070
- `arn` (String) AWS role ARN.
7171
- `key` (String) RSC artifact key for the AWS role.
7272

73+
Optional:
74+
75+
- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `id` field of the `polaris_aws_cnp_permissions` data source.
76+
7377

7478
<a id="nestedblock--instance_profile"></a>
7579
### Nested Schema for `instance_profile`
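Review bot: "the permissions for the feature has been updated" should be "have been updated". This text is generated from the `keyPermissions` Description in roleResource(), so fix the string there and regenerate rather than editing this file directly.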

go.mod

+1-1
@@ -8,7 +8,7 @@ require (
88
github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
99
github.com/hashicorp/terraform-plugin-docs v0.16.0
1010
github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
11-
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8
11+
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9
1212
)
1313

1414
require (
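Review bot: the bump to rubrik-polaris-sdk-for-go v0.11.0-beta.9 is a hard dependency of this change, since the provider code now relies on `feature.Feature.Name` being a plain string (the `string()` conversion was dropped) and on `aws.Wrap(client).PermissionsUpdated` existing; the commit message should mention the SDK upgrade so anyone bisecting or backporting knows the two cannot be separated.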

go.sum

+2-2
@@ -270,8 +270,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
270270
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
271271
github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
272272
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
273-
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8 h1:dU2PQJUQ4G0FcdivN2Y0/vYsu/9hZRvAYld2I9Tqvro=
274-
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
273+
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9 h1:Jz10i2sNEmX7nEcijARy859jpn4qwRC1iD2Sb9r0fWM=
274+
github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
275275
github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
276276
github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
277277
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=

internal/provider/resource_aws_cnp_account_attachments.go

+25-3
@@ -155,7 +155,7 @@ func awsReadCnpAccountAttachments(ctx context.Context, d *schema.ResourceData, m
155155
}
156156
features := &schema.Set{F: schema.HashString}
157157
for _, feature := range account.Features {
158-
features.Add(string(feature.Feature.Name))
158+
features.Add(feature.Feature.Name)
159159
}
160160

161161
// Request the cloud account artifacts.
@@ -176,9 +176,14 @@ func awsReadCnpAccountAttachments(ctx context.Context, d *schema.ResourceData, m
176176
return diag.FromErr(err)
177177
}
178178

179+
oldRoles := make(map[string]string)
180+
for _, role := range d.Get(keyRole).(*schema.Set).List() {
181+
block := role.(map[string]any)
182+
oldRoles[block[keyKey].(string)] = block[keyPermissions].(string)
183+
}
179184
rolesAttr := &schema.Set{F: schema.HashResource(roleResource())}
180185
for key, arn := range roles {
181-
rolesAttr.Add(map[string]any{keyKey: key, keyARN: arn})
186+
rolesAttr.Add(map[string]any{keyKey: key, keyARN: arn, keyPermissions: oldRoles[key]})
182187
}
183188
if err := d.Set(keyRole, rolesAttr); err != nil {
184189
return diag.FromErr(err)
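Review bot: the `permissions` value written back on read comes from the resource's prior state (`oldRoles`), not from RSC, so there is nothing to detect drift against and the field is purely a change trigger. That is fine for this purpose, but two consequences should be documented: after `terraform import`, or for a role that exists in RSC but was never in state, `oldRoles[key]` is "" and, when the configuration sets the field, the first plan shows an in-place update that re-sends the notification; and the type assertion `block[keyPermissions].(string)` is only safe because the SDK returns "" for an unset optional string, so the field must stay TypeString if the schema is ever revisited.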
@@ -199,6 +204,7 @@ func awsUpdateCnpAccountAttachments(ctx context.Context, d *schema.ResourceData,
199204
if err != nil {
200205
return diag.FromErr(err)
201206
}
207+
202208
var features []core.Feature
203209
for _, feature := range d.Get(keyFeatures).(*schema.Set).List() {
204210
features = append(features, core.Feature{Name: feature.(string)})
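Review bot: the only change in this hunk is an added blank line after the error check; drop it to keep the diff limited to the functional change.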
@@ -214,12 +220,20 @@ func awsUpdateCnpAccountAttachments(ctx context.Context, d *schema.ResourceData,
214220
roles[block[keyKey].(string)] = block[keyARN].(string)
215221
}
216222

217-
// Request artifacts be added to account.
223+
// Update artifacts.
218224
_, err = aws.Wrap(client).AddAccountArtifacts(ctx, aws.CloudAccountID(id), features, profiles, roles)
219225
if err != nil {
220226
return diag.FromErr(err)
221227
}
222228

229+
// Notify RSC about updated permissions. Note, we notify RSC that the
230+
// permissions for all features have been updated without checking the
231+
// permissions hash, the reason is there is no way for us to connect a role
232+
// to a feature.
233+
if err := aws.Wrap(client).PermissionsUpdated(ctx, id, nil); err != nil {
234+
return diag.FromErr(err)
235+
}
236+
223237
return nil
224238
}
225239

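Review bot: `PermissionsUpdated` is called unconditionally at the end of Update, so RSC is told the permissions changed on every update of this resource, including ones caused only by a new instance profile, a changed role ARN or a changed `features` set, not just when a role's `permissions` value changed. Gate the call on an actual change: pull the old and new role sets with `d.GetChange(keyRole)`, compare the `permissions` value per key, and only notify when one differs. Also note the inconsistency that `AddAccountArtifacts` receives `aws.CloudAccountID(id)` while `PermissionsUpdated` receives the raw `id`; confirm the SDK signature expects the unwrapped type there.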
@@ -266,6 +280,14 @@ func roleResource() *schema.Resource {
266280
Description: "AWS role ARN.",
267281
ValidateFunc: validation.StringIsNotWhiteSpace,
268282
},
283+
keyPermissions: {
284+
Type: schema.TypeString,
285+
Optional: true,
286+
Description: "Permissions updated signal. When this field changes, the provider will notify " +
287+
"RSC that the permissions for the feature has been updated. Use this field with the `id` field " +
288+
"of the `polaris_aws_cnp_permissions` data source.",
289+
ValidateFunc: validation.StringIsNotWhiteSpace,
290+
},
269291
},
270292
}
271293
}
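Review bot: the Description says RSC is notified that "the permissions for the feature has been updated", but the Update comment above states a role cannot be mapped to a feature and all features are notified; reword to "the permissions for the account's features have been updated" so the generated docs match the behaviour. Because `permissions` is part of the set element hashed by `schema.HashResource(roleResource())`, a changed value appears in the plan as one role removed and one added rather than as an attribute update; a sentence in the Description explaining that this is a change trigger which does not alter the attachment itself would stop users from reading that diff as a role replacement.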

templates/guides/aws_cnp_account.md.tmpl

+5-3
@@ -132,11 +132,13 @@ resource "polaris_aws_cnp_account_attachments" "attachments" {
132132
dynamic "role" {
133133
for_each = aws_iam_role.role
134134
content {
135-
key = role.key
136-
arn = role.value["arn"]
135+
key = role.key
136+
arn = role.value["arn"]
137+
permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id
137138
}
138139
}
139140
}
140141
```
141142
This attaches the instance profiles and roles to the AWS account in RSC. When Terraform processes this resource the AWS
142-
account will transition from the connecting state to the connected state in the RSC UI.
143+
account will transition from the connecting state to the connected state in the RSC UI. Note the `permissions` field of
144+
the `polaris_aws_cnp_account_attachments` resource requires version `0.10.0-beta.8` or later of the provider.

templates/guides/changelog.md.tmpl

+13
@@ -4,6 +4,19 @@ page_title: "Changelog"
44

55
# Changelog
66

7+
## v0.10.0-beta.8
8+
* Add the `permissions` field to the `polaris_aws_cnp_account_attachments` resource. The `permissions` field should be
9+
used with the `id` field of the `polaris_aws_cnp_permissions` data source to trigger an update of the resource
10+
whenever the permissions changes. This update will move the RSC cloud account from the missing permissions state.
11+
12+
## v0.10.0-beta.7
13+
* Add support for Azure Bring Your Own Kubernetes Exocompute, also known as BYOK and customer managed Exocompute.
14+
[[docs](../resources/azure_exocompute_cluster_attachment)], [[docs](../resources/azure_private_container_registry)]
15+
16+
## v0.10.0-beta.6
17+
* Add support for the Cloud Native Blob Protection feature to the `polaris_azure_subscription` resource.
18+
[[docs](../resources/azure_subscription#nested-schema-for-cloud_native_blob_protection)]
19+
720
## v0.10.0-beta.5
821
* The data_center_archival_location_amazon_s3 resource will now monitor and wait for the asynchronous CDM operations to
922
finish.
