KUBE-997: add policy per feature

Author: ValyaB

castai/data_source_gke.go

@@ -10,11 +10,37 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
+const (
+	// GKEPoliciesResourceName is the name of the resource
+	GKEPoliciesResourceName = "policy"
+	// GKELoadBalancersNetworkEndpointGroupPoliciesResourceName is the name of the resource
+	GKELoadBalancersNetworkEndpointGroupPoliciesResourceName = "castai_gke_load_balancers_network_endpoint_group_policies"
+	// GKELoadBalancersTargetBackendPoolsPoliciesResourceName is the name of the resource
+	GKELoadBalancersTargetBackendPoolsPoliciesResourceName = "castai_gke_load_balancers_target_backend_pools_policies"
+	// GKELoadBalancersUnmanagedInstanceGroupsPoliciesResourceName is the name of the resource
+	GKELoadBalancersUnmanagedInstanceGroupsPoliciesResourceName = "castai_gke_load_balancers_unmanaged_instance_groups_policies"
+)
+
 func dataSourceGKEPolicies() *schema.Resource {
 	return &schema.Resource{
 		ReadContext: dataSourceGKEPoliciesRead,
 		Schema: map[string]*schema.Schema{
-			"policy": {
+			GKEPoliciesResourceName: {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			GKELoadBalancersNetworkEndpointGroupPoliciesResourceName: {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			GKELoadBalancersTargetBackendPoolsPoliciesResourceName: {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			GKELoadBalancersUnmanagedInstanceGroupsPoliciesResourceName: {
 				Type:     schema.TypeList,
 				Computed: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
@@ -26,7 +52,37 @@ func dataSourceGKEPolicies() *schema.Resource {
 func dataSourceGKEPoliciesRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	policies, _ := gke.GetUserPolicy()
 	data.SetId("gke")
-	if err := data.Set("policy", policies); err != nil {
+	if err := data.Set(GKEPoliciesResourceName, policies); err != nil {
+		return diag.FromErr(fmt.Errorf("setting gke policy: %w", err))
+	}
+
+	return nil
+}
+
+func dataSourceGKELoadBalancersNetworkEndpointGroupPoliciesRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	policies, _ := gke.GetLoadBalancersNetworkEndpointGroupPolicy()
+	data.SetId("gke")
+	if err := data.Set(GKELoadBalancersNetworkEndpointGroupPoliciesResourceName, policies); err != nil {
+		return diag.FromErr(fmt.Errorf("setting gke policy: %w", err))
+	}
+
+	return nil
+}
+
+func dataSourceGKELoadBalancersTargetBackendPoolsPoliciesRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	policies, _ := gke.GetLoadBalancersTargetBackendPoolsPolicy()
+	data.SetId("gke")
+	if err := data.Set(GKELoadBalancersTargetBackendPoolsPoliciesResourceName, policies); err != nil {
+		return diag.FromErr(fmt.Errorf("setting gke policy: %w", err))
+	}
+
+	return nil
+}
+
+func dataSourceGKELoadBalancersUnmanagedInstanceGroupsPoliciesRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	policies, _ := gke.GetLoadBalancersUnmanagedInstanceGroupsPolicy()
+	data.SetId("gke")
+	if err := data.Set(GKELoadBalancersUnmanagedInstanceGroupsPoliciesResourceName, policies); err != nil {
 		return diag.FromErr(fmt.Errorf("setting gke policy: %w", err))
 	}
 

castai/policies/gke/loadBalancers-networkEndpointGroup.json

@@ -0,0 +1,8 @@
+{
+    "Policies": [
+      "compute.networkEndpointGroups.get",
+      "compute.networkEndpointGroups.list",
+      "compute.networkEndpointGroups.attachNetworkEndpoints",
+      "compute.networkEndpointGroups.detachNetworkEndpoints"
+    ]
+}

castai/policies/gke/loadBalancers-targetBackendPools.json

@@ -0,0 +1,8 @@
+{
+    "Policies": [
+      "compute.targetPools.get",
+      "compute.targetPools.addInstance",
+      "compute.targetPools.removeInstance",
+      "compute.instances.use"
+    ]
+}

castai/policies/gke/loadBalancers-unmanagedInstanceGroups.json

@@ -0,0 +1,6 @@
+{
+    "Policies": [
+      "compute.instanceGroups.update",
+      "compute.instances.use"
+    ]
+}

castai/policies/gke/policy.go

@@ -8,6 +8,15 @@ import (
 var (
 	//go:embed iam-policy.json
 	Policy []byte
+
+	//go:embed loadBalancers-networkEndpointGroup.json
+	LoadBalancersNetworkEndpointGroup []byte
+
+	//go:embed loadBalancers-targetBackendPools.json
+	LoadBalancersTargetBackendPools []byte
+
+	//go:embed loadBalancers-unmanagedInstanceGroups.json
+	LoadBalancersUnmanagedInstanceGroups []byte
 )
 
 type pols struct {
@@ -23,3 +32,33 @@ func GetUserPolicy() ([]string, error) {
 
 	return p.Policies, nil
 }
+
+func GetLoadBalancersNetworkEndpointGroupPolicy() ([]string, error) {
+	var p pols
+	err := json.Unmarshal(LoadBalancersNetworkEndpointGroup, &p)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.Policies, nil
+}
+
+func GetLoadBalancersTargetBackendPoolsPolicy() ([]string, error) {
+	var p pols
+	err := json.Unmarshal(LoadBalancersTargetBackendPools, &p)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.Policies, nil
+}
+
+func GetLoadBalancersUnmanagedInstanceGroupsPolicy() ([]string, error) {
+	var p pols
+	err := json.Unmarshal(LoadBalancersUnmanagedInstanceGroups, &p)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.Policies, nil
+}

castai/policies/gke/policy_test.go

@@ -1,6 +1,7 @@
 package gke
 
 import (
+	"github.com/stretchr/testify/require"
 	"testing"
 )
 
@@ -14,12 +15,61 @@ func TestPolicies(t *testing.T) {
 			t.Fatalf("couldn't generate user policy")
 		}
 
-		clustersGet := "container.clusters.get"
-		zonesGet := "serviceusage.services.list"
+		wantClustersGet := "container.clusters.get"
+		wantZonesGet := "serviceusage.services.list"
 
-		if !contains(userpolicy, clustersGet) || !contains(userpolicy, zonesGet) {
+		if !contains(userpolicy, wantClustersGet) || !contains(userpolicy, wantZonesGet) {
 			t.Fatalf("generated User policy document does not contain required policies")
 		}
+		require.Equal(t, 37, len(userpolicy))
+	})
+	t.Run("LoadBalancersNetworkEndpointGroup policy", func(t *testing.T) {
+		lbNegPolicy, err := GetLoadBalancersNetworkEndpointGroupPolicy()
+		if err != nil {
+			t.Error(err)
+		}
+		if lbNegPolicy == nil {
+			t.Fatalf("couldn't generate LoadBalancersNetworkEndpointGroup policy")
+		}
+
+		want := "compute.networkEndpointGroups.get"
+
+		if !contains(lbNegPolicy, want) {
+			t.Fatalf("generated LoadBalancersNetworkEndpointGroup policy document does not contain required policies")
+		}
+		require.Equal(t, 4, len(lbNegPolicy))
+	})
+	t.Run("LoadBalancersTargetBackendPools policy", func(t *testing.T) {
+		lbTbpPolicy, err := GetLoadBalancersTargetBackendPoolsPolicy()
+		if err != nil {
+			t.Error(err)
+		}
+		if lbTbpPolicy == nil {
+			t.Fatalf("couldn't generate LoadBalancersTargetBackendPools policy")
+		}
+
+		want := "compute.targetPools.get"
+
+		if !contains(lbTbpPolicy, want) {
+			t.Fatalf("generated LoadBalancersTargetBackendPools policy document does not contain required policies")
+		}
+		require.Equal(t, 4, len(lbTbpPolicy))
+	})
+	t.Run("LoadBalancersUnmanagedInstanceGroups policy", func(t *testing.T) {
+		lbUigPolicy, err := GetLoadBalancersUnmanagedInstanceGroupsPolicy()
+		if err != nil {
+			t.Error(err)
+		}
+		if lbUigPolicy == nil {
+			t.Fatalf("couldn't generate LoadBalancersUnmanagedInstanceGroups policy")
+		}
+
+		want := "compute.instanceGroups.update"
+
+		if !contains(lbUigPolicy, want) {
+			t.Fatalf("generated LoadBalancersUnmanagedInstanceGroups policy document does not contain required policies")
+		}
+		require.Equal(t, 2, len(lbUigPolicy))
 	})
 }