@mattisonchao
Motivation

Support RBAC resource restriction on rolebinding

Examples

resource "streamnative_rolebinding" "rb_resource_name_restriction" {
  name                  = "rb_resource_name_restriction"
  organization          = "o-y8z75"
  cluster_role_name     = "topic-producer"
  service_account_names = ["sv-1"]
  resource_name_restriction {
    common_instance     = "instance-1"
    common_cluster      = "cluster-1"
    common_tenant       = "tenant-1"
    common_namespace    = "ns-1"
    common_topic        = "allPartition('topic-1')"
    pulsar_topic_domain = "persistent"
  }
}

data "streamnative_rolebinding" "rb_resource_name_restriction" {
  depends_on   = [streamnative_rolebinding.rb_resource_name_restriction]
  name         = "rb_resource_name_restriction"
  organization = "o-y8z75"
}

@mattisonchao mattisonchao self-assigned this Aug 22, 2025
@mattisonchao mattisonchao requested a review from a team as a code owner August 22, 2025 05:58
@mattisonchao mattisonchao requested a review from Copilot August 22, 2025 06:06
Copilot AI left a comment

Pull Request Overview

This PR adds support for RBAC resource restriction on rolebinding resources in the Terraform provider. It introduces a new resource_name_restriction field while deprecating the existing condition_resource_names approach.

Key changes:

  • Adds new resource_name_restriction block with structured fields for resource scoping
  • Deprecates the existing condition_resource_names field in favor of the new approach
  • Implements parsing logic to convert between Terraform schema and API structures

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| examples/rolebinding/main.tf | Updates example to demonstrate new resource_name_restriction usage |
| cloud/resource_rolebinding.go | Adds resource_name_restriction field and deprecates condition_resource_names |
| cloud/rbac/rbac.go | Implements parsing and schema generation for resource name restrictions |
| cloud/rbac/rbac_test.go | Adds comprehensive tests for the new RBAC parsing functionality |
| cloud/data_source_rolebinding.go | Updates data source to read resource_name_restriction field |

jiangpengcheng previously approved these changes Aug 22, 2025
tuteng previously approved these changes Aug 23, 2025
@mattisonchao mattisonchao merged commit 0570395 into main Aug 24, 2025
1 check passed
@mattisonchao mattisonchao deleted the feat.rbac.resource.restriction branch August 24, 2025 08:40