Merge branch 'master' into co-4344-bump-max-drain-timeout

Author: oleksandrsan

castai/resource_edge_location.go

@@ -383,7 +383,7 @@ func (r *edgeLocationResource) Create(ctx context.Context, req resource.CreateRe
 
 	createReq := omni.EdgeLocationsAPICreateEdgeLocationJSONRequestBody{
 		Name:   plan.Name.ValueString(),
-		Region: plan.Region.ValueString(),
+		Region: plan.Region.ValueStringPointer(),
 		Zones:  lo.ToPtr(r.toZones(plan.Zones)),
 	}
 
@@ -463,7 +463,9 @@ func (r *edgeLocationResource) Read(ctx context.Context, req resource.ReadReques
 
 	edgeLocation := apiResp.JSON200
 
-	state.Region = types.StringValue(edgeLocation.Region)
+	if edgeLocation.Region != nil {
+		state.Region = types.StringValue(*edgeLocation.Region)
+	}
 	state.Name = types.StringValue(edgeLocation.Name)
 	state.Description = types.StringNull()
 	if edgeLocation.Description != nil {

castai/resource_enterprise_role_binding.go

@@ -417,7 +417,7 @@ func buildBatchCreateRoleBindingRequest(data *schema.ResourceData, enterpriseID
 		return nil, fmt.Errorf("reading role binding data: %w", err)
 	}
 
-	definition := buildRoleBindingDefinition(roleBinding)
+	definition := buildRoleBindingDefinition(roleBinding, enterpriseID)
 
 	request := organization_management.BatchCreateEnterpriseRoleBindingsRequest{
 		EnterpriseId: enterpriseID,
@@ -442,7 +442,7 @@ func buildBatchUpdateRoleBindingRequest(data *schema.ResourceData, enterpriseID,
 		return nil, fmt.Errorf("reading role binding data: %w", err)
 	}
 
-	definition := buildRoleBindingDefinition(roleBinding)
+	definition := buildRoleBindingDefinition(roleBinding, enterpriseID)
 
 	request := organization_management.BatchUpdateEnterpriseRoleBindingsRequest{
 		EnterpriseId: enterpriseID,
@@ -460,14 +460,20 @@ func buildBatchUpdateRoleBindingRequest(data *schema.ResourceData, enterpriseID,
 	return &request, nil
 }
 
-func buildRoleBindingDefinition(roleBinding EnterpriseRoleBinding) organization_management.RoleBindingDefinition {
+func buildRoleBindingDefinition(roleBinding EnterpriseRoleBinding, enterpriseID string) organization_management.RoleBindingDefinition {
 	subjects := convertEnterpriseRoleBindingSubjectsToSDK(roleBinding.Subjects)
 	scopes := convertEnterpriseRoleBindingScopesToSDK(roleBinding.Scopes)
 
 	definition := organization_management.RoleBindingDefinition{
 		RoleId: lo.ToPtr(roleBinding.RoleID),
 	}
 
+	// When the role binding targets a child organization, set ChildOrganizationId so the
+	// API validates role_id against the child org's roles instead of the enterprise's roles.
+	if roleBinding.OrganizationID != enterpriseID {
+		definition.ChildOrganizationId = lo.ToPtr(roleBinding.OrganizationID)
+	}
+
 	if len(subjects) > 0 {
 		definition.Subjects = &subjects
 	}

castai/resource_enterprise_role_binding_test.go

@@ -129,7 +129,8 @@ func TestResourceEnterpriseRoleBindingCreateContext(t *testing.T) {
 						Name:        "engineering-viewer",
 						Description: lo.ToPtr("Engineering viewer role binding"),
 						Definition: organization_management.RoleBindingDefinition{
-							RoleId: lo.ToPtr(roleID),
+							RoleId:              lo.ToPtr(roleID),
+							ChildOrganizationId: lo.ToPtr(organizationID1),
 							Subjects: &[]organization_management.Subject{
 								{
 									User: &organization_management.UserSubject{
@@ -511,6 +512,121 @@ func TestResourceEnterpriseRoleBindingCreateContext(t *testing.T) {
 		r.True(result.HasError())
 		r.Contains(result[0].Summary, "at least one scope (organization or cluster) must be defined")
 	})
+
+	t.Run("when organization_id differs from enterprise_id then ChildOrganizationId is set in definition", func(t *testing.T) {
+		t.Parallel()
+		r := require.New(t)
+		mockClient := mockOrganizationManagement.NewMockClientWithResponsesInterface(gomock.NewController(t))
+
+		ctx := context.Background()
+		provider := &ProviderConfig{
+			organizationManagementClient: mockClient,
+		}
+
+		enterpriseID := uuid.NewString()
+		childOrgID := uuid.NewString() // different from enterpriseID
+		roleBindingID := uuid.NewString()
+		roleID := uuid.NewString()
+		userID := uuid.NewString()
+
+		expectedCreateRequest := organization_management.BatchCreateEnterpriseRoleBindingsRequest{
+			EnterpriseId: enterpriseID,
+			Requests: []organization_management.BatchCreateEnterpriseRoleBindingsRequestCreateRoleBindingRequest{
+				{
+					OrganizationId: childOrgID,
+					RoleBinding: organization_management.BatchCreateEnterpriseRoleBindingsRequestRoleBinding{
+						Name:        "child-org-binding",
+						Description: lo.ToPtr(""),
+						Definition: organization_management.RoleBindingDefinition{
+							RoleId:              lo.ToPtr(roleID),
+							ChildOrganizationId: lo.ToPtr(childOrgID),
+							Subjects: &[]organization_management.Subject{
+								{
+									User: &organization_management.UserSubject{Id: userID},
+								},
+							},
+							Scopes: &[]organization_management.Scope{
+								{
+									Organization: &organization_management.OrganizationScope{Id: childOrgID},
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		mockClient.EXPECT().
+			EnterpriseAPIBatchCreateEnterpriseRoleBindingsWithResponse(gomock.Any(), enterpriseID, expectedCreateRequest).
+			Return(&organization_management.EnterpriseAPIBatchCreateEnterpriseRoleBindingsResponse{
+				Body:         nil,
+				HTTPResponse: &http.Response{StatusCode: http.StatusOK},
+				JSON200: &organization_management.BatchCreateEnterpriseRoleBindingsResponse{
+					RoleBindings: &[]organization_management.RoleBinding{
+						{
+							Id:             lo.ToPtr(roleBindingID),
+							Name:           lo.ToPtr("child-org-binding"),
+							OrganizationId: lo.ToPtr(childOrgID),
+							Definition: &organization_management.RoleBindingDefinition{
+								RoleId:              lo.ToPtr(roleID),
+								ChildOrganizationId: lo.ToPtr(childOrgID),
+								Subjects: &[]organization_management.Subject{
+									{User: &organization_management.UserSubject{Id: userID}},
+								},
+								Scopes: &[]organization_management.Scope{
+									{Organization: &organization_management.OrganizationScope{Id: childOrgID}},
+								},
+							},
+						},
+					},
+				},
+			}, nil)
+
+		stateValue := cty.ObjectVal(map[string]cty.Value{
+			FieldEnterpriseRoleBindingEnterpriseID:   cty.StringVal(enterpriseID),
+			FieldEnterpriseRoleBindingOrganizationID: cty.StringVal(childOrgID),
+			FieldEnterpriseRoleBindingName:           cty.StringVal("child-org-binding"),
+			FieldEnterpriseRoleBindingDescription:    cty.StringVal(""),
+			FieldEnterpriseRoleBindingRoleID:         cty.StringVal(roleID),
+			FieldEnterpriseRoleBindingSubjects: cty.ListVal([]cty.Value{
+				cty.ObjectVal(map[string]cty.Value{
+					FieldEnterpriseRoleBindingSubjectUser: cty.ListVal([]cty.Value{
+						cty.ObjectVal(map[string]cty.Value{
+							FieldEnterpriseRoleBindingSubjectID: cty.StringVal(userID),
+						}),
+					}),
+					FieldEnterpriseRoleBindingSubjectServiceAccount: cty.ListValEmpty(cty.Object(map[string]cty.Type{
+						FieldEnterpriseRoleBindingSubjectID: cty.String,
+					})),
+					FieldEnterpriseRoleBindingSubjectGroup: cty.ListValEmpty(cty.Object(map[string]cty.Type{
+						FieldEnterpriseRoleBindingSubjectID: cty.String,
+					})),
+				}),
+			}),
+			FieldEnterpriseRoleBindingScopes: cty.ListVal([]cty.Value{
+				cty.ObjectVal(map[string]cty.Value{
+					FieldEnterpriseRoleBindingScopeOrganization: cty.ListVal([]cty.Value{
+						cty.ObjectVal(map[string]cty.Value{
+							FieldEnterpriseRoleBindingScopeID: cty.StringVal(childOrgID),
+						}),
+					}),
+					FieldEnterpriseRoleBindingScopeCluster: cty.ListValEmpty(cty.Object(map[string]cty.Type{
+						FieldEnterpriseRoleBindingScopeID: cty.String,
+					})),
+				}),
+			}),
+		})
+		state := terraform.NewInstanceStateShimmedFromValue(stateValue, 0)
+
+		resource := resourceEnterpriseRoleBinding()
+		data := resource.Data(state)
+
+		result := resource.CreateContext(ctx, data, provider)
+
+		r.Nil(result)
+		r.False(result.HasError())
+		r.Equal(roleBindingID, data.Id())
+	})
 }
 
 func TestResourceEnterpriseRoleBindingReadContext(t *testing.T) {
@@ -982,7 +1098,8 @@ func TestResourceEnterpriseRoleBindingUpdateContext(t *testing.T) {
 					OrganizationId: organizationID,
 					Description:    lo.ToPtr("Updated description"),
 					Definition: organization_management.RoleBindingDefinition{
-						RoleId: lo.ToPtr(newRoleID),
+						RoleId:              lo.ToPtr(newRoleID),
+						ChildOrganizationId: lo.ToPtr(organizationID),
 						Subjects: &[]organization_management.Subject{
 							{
 								User: &organization_management.UserSubject{
@@ -1238,7 +1355,8 @@ func TestResourceEnterpriseRoleBindingUpdateContext(t *testing.T) {
 					OrganizationId: organizationID,
 					Description:    lo.ToPtr("Test description"),
 					Definition: organization_management.RoleBindingDefinition{
-						RoleId: lo.ToPtr(roleID),
+						RoleId:              lo.ToPtr(roleID),
+						ChildOrganizationId: lo.ToPtr(organizationID),
 						Subjects: &[]organization_management.Subject{
 							{
 								User: &organization_management.UserSubject{
@@ -1419,7 +1537,8 @@ func TestResourceEnterpriseRoleBindingUpdateContext(t *testing.T) {
 					OrganizationId: organizationID,
 					Description:    lo.ToPtr("Test description"),
 					Definition: organization_management.RoleBindingDefinition{
-						RoleId: lo.ToPtr(roleID),
+						RoleId:              lo.ToPtr(roleID),
+						ChildOrganizationId: lo.ToPtr(organizationID),
 						Subjects: &[]organization_management.Subject{
 							{
 								User: &organization_management.UserSubject{

castai/resource_node_configuration.go

@@ -48,6 +48,7 @@ const (
 	FieldNodeConfigurationAKSApplicationSecurityGroups = "application_security_groups"
 	FieldNodeConfigurationAKSPublicIP                  = "public_ip"
 	FieldNodeConfigurationAKSPodSubnetID               = "pod_subnet_id"
+	FieldNodeConfigurationAKSEncryptionAtHost          = "enable_encryption_at_host"
 )
 
 const (
@@ -491,6 +492,11 @@ func resourceNodeConfiguration() *schema.Resource {
 							Optional:    true,
 							Description: "ID of pod subnet to be used for provisioned nodes.",
 						},
+						FieldNodeConfigurationAKSEncryptionAtHost: {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: "Whether to enable encryption at host for provisioned nodes. See https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data",
+						},
 					},
 				},
 			},
@@ -1190,6 +1196,10 @@ func toAKSSConfig(obj map[string]interface{}) *sdk.NodeconfigV1AKSConfig {
 		out.PodSubnetId = toPtr(v)
 	}
 
+	if v, ok := obj[FieldNodeConfigurationAKSEncryptionAtHost].(bool); ok {
+		out.EnableEncryptionAtHost = toPtr(v)
+	}
+
 	return out
 }
 
@@ -1386,6 +1396,10 @@ func flattenAKSConfig(config *sdk.NodeconfigV1AKSConfig) []map[string]interface{
 		m[FieldNodeConfigurationAKSPodSubnetID] = *v
 	}
 
+	if v := config.EnableEncryptionAtHost; v != nil {
+		m[FieldNodeConfigurationAKSEncryptionAtHost] = *v
+	}
+
 	return []map[string]interface{}{m}
 }
 

castai/resource_node_configuration_test.go

@@ -376,3 +376,55 @@ func Test_NodeConfiguration_UpdateContext(t *testing.T) {
 		})
 	}
 }
+
+func TestToAKSSConfig_EnableEncryptionAtHost(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    any
+		expected any
+	}{
+		{name: "true", input: true, expected: true},
+		{name: "false", input: false, expected: false},
+		{name: "nil", input: nil, expected: nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			out := toAKSSConfig(map[string]any{
+				FieldNodeConfigurationAKSEncryptionAtHost: tt.input,
+			})
+
+			if tt.expected == nil {
+				require.Nil(t, out.EnableEncryptionAtHost)
+			} else {
+				require.Equal(t, tt.expected, *out.EnableEncryptionAtHost)
+			}
+		})
+	}
+
+	t.Run("empty", func(t *testing.T) {
+		out := toAKSSConfig(map[string]any{})
+
+		require.Nil(t, out.EnableEncryptionAtHost)
+	})
+}
+
+func TestFlattenAKSConfig_EnableEncryptionAtHost(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    *bool
+		expected any
+	}{
+		{name: "true", input: toPtr(true), expected: true},
+		{name: "false", input: toPtr(false), expected: false},
+		{name: "nil", input: nil, expected: nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := flattenAKSConfig(&sdk.NodeconfigV1AKSConfig{
+				EnableEncryptionAtHost: tt.input,
+			})
+			require.Len(t, result, 1)
+			require.Equal(t, tt.expected, result[0][FieldNodeConfigurationAKSEncryptionAtHost])
+		})
+	}
+}