rancher
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 3 additions & 0 deletions b/‎go.mod‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 0 deletions b/‎go.sum‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎rancher2/resource_rancher2_cluster_test.go‎
Lines changed: 45 additions & 3 deletions b/‎rancher2/resource_rancher2_cluster_test.go‎
Lines changed: 45 additions & 3 deletions
diff --git a/‎rancher2/schema_cluster_rke_config_services_kube_api.go‎
Lines changed: 50 additions & 3 deletions b/‎rancher2/schema_cluster_rke_config_services_kube_api.go‎
Lines changed: 50 additions & 3 deletions
diff --git a/‎rancher2/structure_cluster_rke_config_services_kube_api.go‎
Lines changed: 4 additions & 18 deletions b/‎rancher2/structure_cluster_rke_config_services_kube_api.go‎
Lines changed: 4 additions & 18 deletions
diff --git a/‎rancher2/structure_cluster_rke_config_services_kube_api_test.go‎
Lines changed: 3 additions & 3 deletions b/‎rancher2/structure_cluster_rke_config_services_kube_api_test.go‎
Lines changed: 3 additions & 3 deletions
@@ -2,10 +2,12 @@
 
 FEATURES:
 
-
+* **New Data Source:** `rancher2_pod_security_policy_template`
+* **New Resource:** `rancher2_pod_security_policy_template`
 
 ENHANCEMENTS:
 
+* Updated `rancher/norman` go modules and vendor files
 * Added `plugin` optional value `none` to `rke_config` argument on `rancher2_cluster` resource
 * Updated multiline arguments to trim spaces by default and avoid false diff
 * Updated `rancher/types` go modules and vendor files
@@ -14,6 +16,10 @@ ENHANCEMENTS:
 
 BUG FIXES:
 
+* Fix `audit_log.configuration.policy` argument to `rke_config.services.kube_api` argument on `rancher2_cluster` resource
+* Added `plugin` optional value `none` to `rke_config` argument on `rancher2_cluster` resource
+* Updated multiline arguments to trim spaces by default and avoid false diff
+* Updated `private_key_file` definition for openstack driver on `rancher2_node_template` docs 
 * Updated `private_key_file` definition for openstack driver on `rancher2_node_template` docs
 * Fixed `rke_config.cloud_provider.aws_cloud_provider.global` argument as computed to avoid false diff
 
 
@@ -3,12 +3,15 @@ module github.com/terraform-providers/terraform-provider-rancher2
 go 1.12
 
 require (
+	github.com/ghodss/yaml v1.0.0
 	github.com/google/btree v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.2.0
 	github.com/hashicorp/terraform-plugin-sdk v1.7.0
 	github.com/rancher/norman v0.0.0-20200206042542-ef3920abad1c
 	github.com/rancher/types v0.0.0-20191220141556-ad31d6815bbd
 	golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586
+	gopkg.in/yaml.v2 v2.2.5
+	k8s.io/apiserver v0.0.0
 )
 
 replace (
 
@@ -931,6 +931,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
@@ -940,6 +941,7 @@ gopkg.in/fsnotify/fsnotify.v1 v1.4.7/go.mod h1:Fyux9zXlo4rWoMSIzpn9fDAYjalPqJ/K1
 gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/mcuadros/go-syslog.v2 v2.2.1/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U=
@@ -973,6 +975,7 @@ howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCU
 k8s.io/api v0.0.0-20181213150558-05914d821849/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
 k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
+k8s.io/api v0.0.0-20190918155943-95b840bb6a1f h1:8FRUST8oUkEI45WYKyD8ed7Ad0Kg5v11zHyPkEVb2xo=
 k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48=
 k8s.io/apiextensions-apiserver v0.0.0-20190409022649-727a075fdec8/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
 k8s.io/apiextensions-apiserver v0.0.0-20190620085554-14e95df34f1f/go.mod h1:++XMkbLSSAutLgulnUnXW4kNbSkyQzlPL8PaW4hjJT4=
@@ -984,6 +987,7 @@ k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEj
 k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655 h1:CS1tBQz3HOXiseWZu6ZicKX361CZLT97UFnnPx0aqBw=
 k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655/go.mod h1:nL6pwRT8NgfF8TT68DBI8uEePRt89cSvoXUVqbkWHq4=
 k8s.io/apiserver v0.0.0-20190620085212-47dc9a115b18/go.mod h1:Hc9PbFVOsMigd7B7OiY/6bIRkR8y31eIKsr1D+JtKg4=
+k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad h1:IMoNR9pilTBaCS5WpwWnAdmoVYVeXowOD3bLrwxIAtQ=
 k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg=
 k8s.io/cli-runtime v0.0.0-20190918162238-f783a3654da8/go.mod h1:WRliO+M6Osz7/zdOF0RI42IsJgSYHUwbLgqAWJPneSs=
 k8s.io/client-go v12.0.0+incompatible/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k=
 
@@ -26,7 +26,20 @@ resource "rancher2_cluster" "foo" {
         creation = "6h"
         retention = "24h"
       }
-	}
+      kube_api {
+        audit_log {
+          enabled = true
+          configuration {
+            max_age = 5
+            max_backup = 5
+            max_size = 100
+            path = "-"
+            format = "json"
+            policy = "apiVersion: audit.k8s.io/v1\nkind: Policy\nmetadata:\n  creationTimestamp: null\nomitStages:\n- RequestReceived\nrules:\n- level: RequestResponse\n  resources:\n  - resources:\n    - pods\n"
+          }
+        }
+      }
+    }
   }
 }
 `
@@ -44,7 +57,20 @@ resource "rancher2_cluster" "foo" {
         creation = "12h"
         retention = "72h"
       }
-	}
+      kube_api {
+        audit_log {
+          enabled = true
+          configuration {
+            max_age = 7
+            max_backup = 5
+            max_size = 100
+            path = "-"
+            format = "json"
+            policy = "apiVersion: audit.k8s.io/v1\nkind: Policy\nmetadata:\n  creationTimestamp: null\nomitStages:\n- RequestReceived\nrules:\n- level: RequestResponse\n  resources:\n  - resources:\n    - pods\n"
+          }
+        }
+      }
+    }
   }
 }
  `
@@ -62,7 +88,20 @@ resource "rancher2_cluster" "foo" {
         creation = "6h"
         retention = "24h"
       }
-	}
+      kube_api {
+        audit_log {
+          enabled = true
+          configuration {
+            max_age = 5
+            max_backup = 5
+            max_size = 100
+            path = "-"
+            format = "json"
+            policy = "apiVersion: audit.k8s.io/v1\nkind: Policy\nmetadata:\n  creationTimestamp: null\nomitStages:\n- RequestReceived\nrules:\n- level: RequestResponse\n  resources:\n  - resources:\n    - pods\n"
+          }
+        }
+      }
+    }
   }
 }
  `
@@ -105,6 +144,7 @@ func TestAccRancher2Cluster_basic_RKE(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "description", "Terraform custom cluster acceptance test"),
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.etcd.0.creation", "6h"),
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.etcd.0.retention", "24h"),
+					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.kube_api.0.audit_log.0.configuration.0.max_age", "5"),
 				),
 			},
 			resource.TestStep{
@@ -115,6 +155,7 @@ func TestAccRancher2Cluster_basic_RKE(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "description", "Terraform custom cluster acceptance test - updated"),
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.etcd.0.creation", "12h"),
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.etcd.0.retention", "72h"),
+					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.kube_api.0.audit_log.0.configuration.0.max_age", "7"),
 				),
 			},
 			resource.TestStep{
@@ -125,6 +166,7 @@ func TestAccRancher2Cluster_basic_RKE(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "description", "Terraform custom cluster acceptance test"),
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.etcd.0.creation", "6h"),
 					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.etcd.0.retention", "24h"),
+					resource.TestCheckResourceAttr(testAccRancher2ClusterType+".foo", "rke_config.0.services.0.kube_api.0.audit_log.0.configuration.0.max_age", "5"),
 				),
 			},
 		},
 
@@ -1,16 +1,23 @@
 package rancher2
 
 import (
+	"fmt"
+	"reflect"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 )
 
 const (
-	servicesKubeAPIAuditLogPolicyOmitStages = "omitStages"
-	servicesKubeAPIAuditLogPolicyRules      = "rules"
+	clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyApiversionTag = "apiVersion"
+	clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyKindDefault   = "Policy"
+	clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyKindTag       = "kind"
 )
 
 var (
-	servicesKubeAPIAuditLogPolicy = []string{servicesKubeAPIAuditLogPolicyOmitStages, servicesKubeAPIAuditLogPolicyRules}
+	clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyRequired = []string{
+		clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyApiversionTag,
+		clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyKindTag}
 )
 
 //Schemas
@@ -45,6 +52,45 @@ func clusterRKEConfigServicesKubeAPIAuditLogConfigFields() map[string]*schema.Sc
 		"policy": {
 			Type:     schema.TypeString,
 			Optional: true,
+			Computed: true,
+			ValidateFunc: func(val interface{}, key string) (warns []string, errs []error) {
+				v, ok := val.(string)
+				if !ok || len(v) == 0 {
+					return
+				}
+				m, err := ghodssyamlToMapInterface(v)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("%q must be in yaml format, error: %v", key, err))
+					return
+				}
+				for _, k := range clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyRequired {
+					check, ok := m[k].(string)
+					if !ok || len(check) == 0 {
+						errs = append(errs, fmt.Errorf("%s is required on yaml", k))
+					}
+					if k == clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyKindTag {
+						if check != clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyKindDefault {
+							errs = append(errs, fmt.Errorf("%s value %s should be: %s", k, check, clusterRKEConfigServicesKubeAPIAuditLogConfigPolicyKindDefault))
+						}
+					}
+
+				}
+				return
+			},
+			DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+				if old == "" || new == "" {
+					return false
+				}
+				oldPolicy := &auditv1.Policy{}
+				newPolicy := &auditv1.Policy{}
+				oldMap, _ := ghodssyamlToMapInterface(old)
+				newMap, _ := ghodssyamlToMapInterface(new)
+				oldStr, _ := mapInterfaceToJSON(oldMap)
+				newStr, _ := mapInterfaceToJSON(newMap)
+				jsonToInterface(oldStr, oldPolicy)
+				jsonToInterface(newStr, newPolicy)
+				return reflect.DeepEqual(oldPolicy, newPolicy)
+			},
 		},
 	}
 	return s
@@ -56,6 +102,7 @@ func clusterRKEConfigServicesKubeAPIAuditLogFields() map[string]*schema.Schema {
 			Type:     schema.TypeList,
 			MaxItems: 1,
 			Optional: true,
+			Computed: true,
 			Elem: &schema.Resource{
 				Schema: clusterRKEConfigServicesKubeAPIAuditLogConfigFields(),
 			},
 
@@ -19,18 +19,11 @@ func flattenClusterRKEConfigServicesKubeAPIAuditLogConfig(in *managementClient.A
 	obj["path"] = in.Path
 
 	if len(in.Policy) > 0 {
-		policy := map[string]interface{}{}
-
-		for _, field := range servicesKubeAPIAuditLogPolicy {
-			if in.Policy[field] != nil {
-				policy[field] = in.Policy[field]
-			}
-		}
-		policyMap, err := mapInterfaceToJson(policy)
+		policyStr, err := mapInterfaceToYAML(in.Policy)
 		if err != nil {
 			return nil, err
 		}
-		obj["policy"] = policyMap
+		obj["policy"] = policyStr
 	}
 
 	return []interface{}{obj}, nil
@@ -170,19 +163,12 @@ func expandClusterRKEConfigServicesKubeAPIAuditLogConfig(p []interface{}) (*mana
 	}
 
 	if v, ok := in["policy"].(string); ok && len(v) > 0 {
-		policyMap, err := jsonToMapInterface(v)
+		policyMap, err := ghodssyamlToMapInterface(v)
 		if err != nil {
 			return nil, err
 		}
-		policy := map[string]interface{}{}
-
-		for _, field := range servicesKubeAPIAuditLogPolicy {
-			if policyMap[field] != nil {
-				policy[field] = policyMap[field]
-			}
-		}
 
-		obj.Policy = policy
+		obj.Policy = policyMap
 	}
 
 	return obj, nil
 
@@ -28,8 +28,8 @@ func init() {
 		MaxSize:   100,
 		Path:      "path",
 		Policy: map[string]interface{}{
-			"omitStages": "conf1",
-			"rules":      "conf2",
+			"apiVersion": "audit.k8s.io/v1",
+			"kind":       "Policy",
 		},
 	}
 	testClusterRKEConfigServicesKubeAPIAuditLogConfigInterface = []interface{}{
@@ -39,7 +39,7 @@ func init() {
 			"max_backup": 10,
 			"max_size":   100,
 			"path":       "path",
-			"policy":     `{"omitStages":"conf1","rules":"conf2"}`,
+			"policy":     "apiVersion: audit.k8s.io/v1\nkind: Policy\n",
 		},
 	}
 	testClusterRKEConfigServicesKubeAPIAuditLogConf = &managementClient.AuditLog{