
Commit c628041

authored
Add support for permission updates (#24)
1 parent 0d19e12 commit c628041


50 files changed

+2432
-585
lines changed

README.md

+2
@@ -1,3 +1,5 @@
1+
![Go version](https://img.shields.io/github/go-mod/go-version/rubrikinc/terraform-provider-polaris) ![License MIT](https://img.shields.io/github/license/rubrikinc/terraform-provider-polaris) ![Latest tag](https://img.shields.io/github/v/tag/rubrikinc/terraform-provider-polaris)
2+
13
<p align="center">
24
&#9888;&#65039; Code in this repository is in BETA and should NOT be used in a production system! &#9888;&#65039;
35
</p>
+42
@@ -0,0 +1,42 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "polaris_azure_permissions Data Source - terraform-provider-polaris"
4+
subcategory: ""
5+
description: |-
6+
7+
---
8+
9+
# polaris_azure_permissions (Data Source)
10+
11+
12+
13+
## Example Usage
14+
15+
```terraform
16+
data "polaris_azure_permissions" "default" {
17+
features = [
18+
"cloud-native-protection",
19+
]
20+
}
21+
```
22+
23+
<!-- schema generated by tfplugindocs -->
24+
## Schema
25+
26+
### Required
27+
28+
- **features** (Set of String) Enabled features.
29+
30+
### Optional
31+
32+
- **id** (String) The ID of this resource.
33+
34+
### Read-Only
35+
36+
- **actions** (List of String) Allowed actions.
37+
- **data_actions** (List of String) Allowed data actions.
38+
- **hash** (String) SHA-256 hash of the permissions, can be used to detect changes to the permissions.
39+
- **not_actions** (List of String) Disallowed actions.
40+
- **not_data_actions** (List of String) Disallowed data actions.
41+
42+
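Review bot: the front matter at the top of this hunk leaves `description: |-` empty, so the generated page for `polaris_azure_permissions` renders with no description; set a `Description` on the data source schema so tfplugindocs fills it in on the next generation run. In the Read-Only section, the line "**hash** (String) SHA-256 hash of the permissions, can be used to detect changes to the permissions." should say what the hash is computed over (actions, data_actions, not_actions, not_data_actions) and in what order, since users will wire it into `permissions_hash` on the service principal resource and a change in list ordering alone would otherwise produce an unexpected diff.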

docs/data-sources/gcp_permissions.md

+39
@@ -0,0 +1,39 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "polaris_gcp_permissions Data Source - terraform-provider-polaris"
4+
subcategory: ""
5+
description: |-
6+
7+
---
8+
9+
# polaris_gcp_permissions (Data Source)
10+
11+
12+
13+
## Example Usage
14+
15+
```terraform
16+
data "polaris_gcp_permissions" "default" {
17+
features = [
18+
"cloud-native-protection",
19+
]
20+
}
21+
```
22+
23+
<!-- schema generated by tfplugindocs -->
24+
## Schema
25+
26+
### Required
27+
28+
- **features** (Set of String) Enabled features.
29+
30+
### Optional
31+
32+
- **id** (String) The ID of this resource.
33+
34+
### Read-Only
35+
36+
- **hash** (String) SHA-256 hash of the permissions, can be used to detect changes to the permissions.
37+
- **permissions** (List of String) Permissions required for the features enabled.
38+
39+
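Review bot: same empty `description: |-` front matter as the Azure data source page, so `polaris_gcp_permissions` also renders without a description; add a `Description` to the schema rather than editing the generated file. The "**permissions** (List of String) Permissions required for the features enabled." entry should state whether the list is sorted and deduplicated when several features overlap, because the documented "**hash**" is derived from it and is compared by the `permissions_hash` argument downstream.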

docs/guides/permissions.md

+150
@@ -0,0 +1,150 @@
1+
---
2+
page_title: "Manage Permissions"
3+
---
4+
5+
# Manage Permissions
6+
Polaris requires permissions to operate and as new features are added to Polaris the set of required permissions
7+
changes. This guide explains how Terraform can be used to keep this set of permissions up to date.
8+
9+
## AWS
10+
For AWS this is managed through a CloudFormation stack. When the status of an account feature is `missing-permissions`
11+
the CloudFormation stack must be updated for the feature to continue to function. This can be managed by setting the
12+
`permissions` argument to `update`.
13+
```hcl
14+
resource "polaris_aws_account" "default" {
15+
profile = "default"
16+
permissions = "update"
17+
18+
cloud_native_protection {
19+
regions = [
20+
"us-east-2",
21+
]
22+
}
23+
}
24+
```
25+
This will generate a diff when the status of at least one feature is `missing-permissions`. Applying the account
26+
resource for this diff will update the CloudFormation stack. If the `permissions` argument is not specified the
27+
provider will not attempt to update the CloudFormation stack.
28+
29+
## Azure
30+
For Azure permissions are managed through a service principal. When the status of a subscription feature is
31+
`missing-permissions` the permissions of the service principal must be updated for the feature to continue to
32+
function. This can be managed by Terraform using the
33+
[azurerm](https://registry.terraform.io/providers/hashicorp/azurerm/latest) provider:
34+
```hcl
35+
data "polaris_azure_permissions" "default" {
36+
features = [
37+
"cloud-native-protection",
38+
"exocompute",
39+
]
40+
}
41+
42+
resource "azurerm_role_definition" "default" {
43+
name = "terraform"
44+
scope = data.azurerm_subscription.default.id
45+
46+
permissions {
47+
actions = data.polaris_azure_permissions.default.actions
48+
data_actions = data.polaris_azure_permissions.default.data_actions
49+
not_actions = data.polaris_azure_permissions.default.not_actions
50+
not_data_actions = data.polaris_azure_permissions.default.not_data_actions
51+
}
52+
}
53+
54+
resource "azurerm_role_assignment" "default" {
55+
principal_id = "9e7f3952-1fc1-11ec-b57a-972144d12d97"
56+
role_definition_id = azurerm_role_definition.default.role_definition_resource_id
57+
scope = data.azurerm_subscription.default.id
58+
}
59+
60+
resource "polaris_azure_service_principal" "default" {
61+
sdk_auth = "${path.module}/sdk-service-principal.json"
62+
tenant_domain = "mydomain.onmicrosoft.com"
63+
permissions_hash = data.polaris_azure_permissions.default.hash
64+
65+
depends_on = [
66+
azurerm_role_definition.default,
67+
azurerm_role_assignment.default,
68+
]
69+
}
70+
```
71+
When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
72+
role definition and service principal resources. Applying the diff will first update the permissions of the service
73+
principal's role definition and then notify Polaris about the update.
74+
75+
## GCP
76+
For GCP permissions are managed through a service account. When the status of a project feature is `missing-permissions`
77+
the permissions of the service account must be updated for the feature to continue to function. This can be managed by
78+
Terraform using the [google](https://registry.terraform.io/providers/hashicorp/google/latest) provider.
79+
80+
### Project Service Account
81+
When the service account is specified as part of the project resource:
82+
83+
```terraform
84+
data "polaris_gcp_permissions" "default" {
85+
features = [
86+
"cloud-native-protection",
87+
]
88+
}
89+
90+
resource "google_project_iam_custom_role" "default" {
91+
role_id = "terraform"
92+
title = "Terraform"
93+
permissions = data.polaris_gcp_permissions.default.permissions
94+
}
95+
96+
resource "google_project_iam_member" "default" {
97+
role = google_project_iam_custom_role.default.id
98+
member = "serviceAccount:[email protected]"
99+
}
100+
101+
resource "polaris_gcp_project" "default" {
102+
credentials = "${path.module}//my-project-d978f94d6c4d.json"
103+
permissions_hash = data.polaris_gcp_permissions.default.hash
104+
105+
cloud_native_protection {
106+
}
107+
108+
depends_on = [
109+
google_project_iam_custom_role.default,
110+
google_project_iam_member.default,
111+
]
112+
}
113+
```
114+
When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
115+
custom role and the project resources. Applying the diff will first update the permissions of the service account's
116+
custom role and then notify Polaris about the update.
117+
118+
### Default Service Account
119+
When the service account is specified as part of the service account resource:
120+
```terraform
121+
data "polaris_gcp_permissions" "default" {
122+
features = [
123+
"cloud-native-protection",
124+
]
125+
}
126+
127+
resource "google_project_iam_custom_role" "default" {
128+
role_id = "terraform"
129+
title = "Terraform"
130+
permissions = data.polaris_gcp_permissions.default.permissions
131+
}
132+
133+
resource "google_project_iam_member" "default" {
134+
role = google_project_iam_custom_role.default.id
135+
member = "serviceAccount:[email protected]"
136+
}
137+
138+
resource "polaris_gcp_service_account" "default" {
139+
credentials = "${path.module}/my-project-d978f94d6c4d.json"
140+
permissions_hash = data.polaris_gcp_permissions.default.hash
141+
142+
depends_on = [
143+
google_project_iam_custom_role.default,
144+
google_project_iam_member.default,
145+
]
146+
}
147+
```
148+
When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
149+
custom role and the project resources. Applying the diff will first update the permissions of the service account's
150+
custom role and then notify Polaris about the update.
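Review bot: the GCP "Project Service Account" example has a doubled path separator in `credentials = "${path.module}//my-project-d978f94d6c4d.json"`; it should be `"${path.module}/my-project-d978f94d6c4d.json"` as in the service account example below it. The Azure example references `data.azurerm_subscription.default.id` in both the role definition and the role assignment without declaring a `data "azurerm_subscription" "default" {}` block, so the snippet does not apply as written; either add the data block or note that it is assumed. The closing paragraph of the "Default Service Account" section was copied from the project section and still says "generating a diff for the custom role and the project resources", but that example has no project resource, only `polaris_gcp_service_account`. Finally, "When the permissions for a feature changes" appears three times and should read "When the permissions for a feature change".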

docs/guides/upgrade_guide_v0.3.0.md

+123
@@ -0,0 +1,123 @@
1+
---
2+
page_title: "Upgrade Guide: v0.3.0 "
3+
subcategory: "Upgrade"
4+
---
5+
6+
# v0.3.0 of the Polaris Provider
7+
v0.3.0 introduces breaking changes to the following resources:
8+
* `polaris_aws_account`
9+
* `polaris_azure_subscription`
10+
* `polaris_azure_service_principal`
11+
* `polaris_gcp_project`
12+
13+
After the Terraform configuration files has been updated according to the instructions in this guide first validate
14+
their correctness by running:
15+
```bash
16+
$ terraform plan
17+
```
18+
19+
If this doesn't produce any error proceed by running:
20+
```bash
21+
$ terraform refresh
22+
```
23+
This will read the remote state of the resources and migrate the local Terraform state to v0.3.0.
24+
25+
## AWS
26+
### polaris_aws_account
27+
To update the resource add a new `cloud_native_protection` block. Then move the `regions` argument from the resource
28+
into the new `cloud_native_protection` block.
29+
30+
I.e. if the initial resource configuration looked like this:
31+
```hcl
32+
resource "polaris_aws_account" "default" {
33+
profile = "default"
34+
35+
regions = [
36+
"us-east-2",
37+
]
38+
}
39+
```
40+
41+
It should look like this after the manual update:
42+
```hcl
43+
resource "polaris_aws_account" "default" {
44+
profile = "default"
45+
46+
cloud_native_protection {
47+
regions = [
48+
"us-east-2",
49+
]
50+
}
51+
}
52+
```
53+
54+
## Azure
55+
### polaris_azure_subscription
56+
To update the resource add a new `cloud_native_protection` block. Then move the `regions` argument from the resource
57+
into the new `cloud_native_protection` block.
58+
59+
I.e. if the initial resource configuration looked like this:
60+
```hcl
61+
resource "polaris_azure_subscription" "default" {
62+
subscription_id = "1bb87eb6-2039-11ec-8a8a-3ba3fe58b590"
63+
tenant_domain = "mydomain.onmicrosoft.com"
64+
65+
regions = [
66+
"us-east-2",
67+
]
68+
}
69+
```
70+
71+
It should look like this after the manual update:
72+
```hcl
73+
resource "polaris_azure_subscription" "default" {
74+
subscription_id = "1bb87eb6-2039-11ec-8a8a-3ba3fe58b590"
75+
tenant_domain = "mydomain.onmicrosoft.com"
76+
77+
cloud_native_protection {
78+
regions = [
79+
"us-east-2",
80+
]
81+
}
82+
}
83+
```
84+
85+
### polaris_azure_service_principal
86+
To update the resource add a new `tenant_domain` argument. The value of this argument can be found in the credentials
87+
file, as either `tenant_domain` or `tenantDomain`.
88+
89+
I.e. if the initial resource configuration looked like this:
90+
```hcl
91+
resource "polaris_azure_service_principal" "default" {
92+
credentials = "${path.module}/service-principal.json"
93+
}
94+
```
95+
96+
It should look like this after the manual update:
97+
```hcl
98+
resource "polaris_azure_service_principal" "default" {
99+
credentials = "${path.module}/service-principal.json"
100+
tenant_domain = "mydomain.onmicrosoft.com"
101+
}
102+
```
103+
104+
## GCP
105+
### polaris_gcp_project
106+
To update the resource add a new `cloud_native_protection` block.
107+
108+
I.e. if the initial resource configuration looked like this:
109+
```hcl
110+
resource "polaris_gcp_project" "default" {
111+
credentials = "${path.module}/my-project-bf80e97f8c4e.json"
112+
}
113+
```
114+
115+
It should look like this after the manual update:
116+
```hcl
117+
resource "polaris_gcp_project" "default" {
118+
credentials = "${path.module}/my-project-bf80e97f8c4e.json"
119+
120+
cloud_native_protection {
121+
}
122+
}
123+
```
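Review bot: the `polaris_azure_subscription` before/after examples use `regions = ["us-east-2"]`, which is an AWS region name rather than an Azure region; since this guide is what users will paste while migrating, use an Azure region name here. The migration procedure should also say that `terraform refresh` rewrites the state file, so readers should back up or version the state before running it and should not run `terraform apply` between the `plan` and the `refresh` steps. Minor: "After the Terraform configuration files has been updated" should read "have been updated", and the page title `"Upgrade Guide: v0.3.0 "` carries a trailing space.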
