diff --git a/docs/pages/reference/terraform-provider/data-sources/role.mdx b/docs/pages/reference/terraform-provider/data-sources/role.mdx index ff453e50bcc19..6ef5d98029f93 100644 --- a/docs/pages/reference/terraform-provider/data-sources/role.mdx +++ b/docs/pages/reference/terraform-provider/data-sources/role.mdx 
@@ -139,6 +139,7 @@ Optional: - `annotations` (Map of List of String) Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. - `claims_to_roles` (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see [below for nested schema](#nested-schema-for-specallowrequestclaims_to_roles)) +- `kubernetes_resources` (Attributes List) kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources. (see [below for nested schema](#nested-schema-for-specallowrequestkubernetes_resources)) - `max_duration` (String) MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. - `roles` (List of String) Roles is the name of roles which will match the request rule. - `search_as_roles` (List of String) SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. @@ -154,6 +155,13 @@ Optional: - `value` (String) Value is a claim value to match. +### Nested Schema for `spec.allow.request.kubernetes_resources` + +Optional: + +- `kind` (String) kind specifies the Kubernetes Resource type. + + ### Nested Schema for `spec.allow.request.thresholds` Optional: 
@@ -311,6 +319,7 @@ Optional: - `annotations` (Map of List of String) Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. - `claims_to_roles` (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see [below for nested schema](#nested-schema-for-specdenyrequestclaims_to_roles)) +- `kubernetes_resources` (Attributes List) kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources. (see [below for nested schema](#nested-schema-for-specdenyrequestkubernetes_resources)) - `max_duration` (String) MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. - `roles` (List of String) Roles is the name of roles which will match the request rule. - `search_as_roles` (List of String) SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. @@ -326,6 +335,13 @@ Optional: - `value` (String) Value is a claim value to match. +### Nested Schema for `spec.deny.request.kubernetes_resources` + +Optional: + +- `kind` (String) kind specifies the Kubernetes Resource type. + + ### Nested Schema for `spec.deny.request.thresholds` Optional: 
diff --git a/docs/pages/reference/terraform-provider/resources/role.mdx b/docs/pages/reference/terraform-provider/resources/role.mdx index d2d344b089650..9cc8710c72480 100644 --- a/docs/pages/reference/terraform-provider/resources/role.mdx +++ b/docs/pages/reference/terraform-provider/resources/role.mdx @@ -193,6 +193,7 @@ Optional: - `annotations` (Map of List of String) Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. - `claims_to_roles` (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see [below for nested schema](#nested-schema-for-specallowrequestclaims_to_roles)) +- `kubernetes_resources` (Attributes List) kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources. (see [below for nested schema](#nested-schema-for-specallowrequestkubernetes_resources)) - `max_duration` (String) MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. - `roles` (List of String) Roles is the name of roles which will match the request rule. - `search_as_roles` (List of String) SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. 
@@ -208,6 +209,13 @@ Optional: - `value` (String) Value is a claim value to match. +### Nested Schema for `spec.allow.request.kubernetes_resources` + +Optional: + +- `kind` (String) kind specifies the Kubernetes Resource type. + + ### Nested Schema for `spec.allow.request.thresholds` Optional: @@ -365,6 +373,7 @@ Optional: - `annotations` (Map of List of String) Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. - `claims_to_roles` (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see [below for nested schema](#nested-schema-for-specdenyrequestclaims_to_roles)) +- `kubernetes_resources` (Attributes List) kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources. (see [below for nested schema](#nested-schema-for-specdenyrequestkubernetes_resources)) - `max_duration` (String) MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. - `roles` (List of String) Roles is the name of roles which will match the request rule. - `search_as_roles` (List of String) SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. 
@@ -380,6 +389,13 @@ Optional: - `value` (String) Value is a claim value to match. +### Nested Schema for `spec.deny.request.kubernetes_resources` + +Optional: + +- `kind` (String) kind specifies the Kubernetes Resource type. + + ### Nested Schema for `spec.deny.request.thresholds` Optional: diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go index 13628d9ab6ee9..c0bd40a041b0d 100644 --- a/integrations/terraform/tfschema/types_terraform.go +++ b/integrations/terraform/tfschema/types_terraform.go @@ -1795,6 +1795,15 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Description: "ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.", Optional: true, }, + "kubernetes_resources": { + Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.ListNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"kind": { + Description: "kind specifies the Kubernetes Resource type.", + Optional: true, + Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, + }}), + Description: "kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources.", + Optional: true, + }, "max_duration": { Description: "MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.", Optional: true, 
@@ -2244,6 +2253,15 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Description: "ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.", Optional: true, }, + "kubernetes_resources": { + Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.ListNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"kind": { + Description: "kind specifies the Kubernetes Resource type.", + Optional: true, + Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, + }}), + Description: "kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources.", + Optional: true, + }, "max_duration": { Description: "MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.", Optional: true, 
@@ -16739,6 +16757,51 @@ func CopyRoleV6FromTerraform(_ context.Context, tf github_com_hashicorp_terrafor } } } + { + a, ok := tf.Attrs["kubernetes_resources"] + if !ok { + diags.Append(attrReadMissingDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.List) + if !ok { + diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources", "github.com/hashicorp/terraform-plugin-framework/types.List"}) + } else { + obj.KubernetesResources = make([]github_com_gravitational_teleport_api_types.RequestKubernetesResource, len(v.Elems)) + if !v.Null && !v.Unknown { + for k, a := range v.Elems { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.Object) + if !ok { + diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources", "github_com_hashicorp_terraform_plugin_framework_types.Object"}) + } else { + var t github_com_gravitational_teleport_api_types.RequestKubernetesResource + if !v.Null && !v.Unknown { + tf := v + obj := &t + { + a, ok := tf.Attrs["kind"] + if !ok { + diags.Append(attrReadMissingDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources.kind"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources.kind", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } else { + var t string + if !v.Null && !v.Unknown { + t = string(v.Value) + } + obj.Kind = t + } + } + } + } + obj.KubernetesResources[k] = t + } + } + } + } + } + } } } } 
@@ -18608,6 +18671,51 @@ func CopyRoleV6FromTerraform(_ context.Context, tf github_com_hashicorp_terrafor } } } + { + a, ok := tf.Attrs["kubernetes_resources"] + if !ok { + diags.Append(attrReadMissingDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.List) + if !ok { + diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources", "github.com/hashicorp/terraform-plugin-framework/types.List"}) + } else { + obj.KubernetesResources = make([]github_com_gravitational_teleport_api_types.RequestKubernetesResource, len(v.Elems)) + if !v.Null && !v.Unknown { + for k, a := range v.Elems { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.Object) + if !ok { + diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources", "github_com_hashicorp_terraform_plugin_framework_types.Object"}) + } else { + var t github_com_gravitational_teleport_api_types.RequestKubernetesResource + if !v.Null && !v.Unknown { + tf := v + obj := &t + { + a, ok := tf.Attrs["kind"] + if !ok { + diags.Append(attrReadMissingDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources.kind"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources.kind", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } else { + var t string + if !v.Null && !v.Unknown { + t = string(v.Value) + } + obj.Kind = t + } + } + } + } + obj.KubernetesResources[k] = t + } + } + } + } + } + } } } } 
@@ -22030,6 +22138,84 @@ func CopyRoleV6ToTerraform(ctx context.Context, obj *github_com_gravitational_te tf.Attrs["max_duration"] = v } } + { + a, ok := tf.AttrTypes["kubernetes_resources"] + if !ok { + diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources"}) + } else { + o, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.ListType) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources", "github.com/hashicorp/terraform-plugin-framework/types.ListType"}) + } else { + c, ok := tf.Attrs["kubernetes_resources"].(github_com_hashicorp_terraform_plugin_framework_types.List) + if !ok { + c = github_com_hashicorp_terraform_plugin_framework_types.List{ + + ElemType: o.ElemType, + Elems: make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.KubernetesResources)), + Null: true, + } + } else { + if c.Elems == nil { + c.Elems = make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.KubernetesResources)) + } + } + if obj.KubernetesResources != nil { + o := o.ElemType.(github_com_hashicorp_terraform_plugin_framework_types.ObjectType) + if len(obj.KubernetesResources) != len(c.Elems) { + c.Elems = make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.KubernetesResources)) + } + for k, a := range obj.KubernetesResources { + v, ok := tf.Attrs["kubernetes_resources"].(github_com_hashicorp_terraform_plugin_framework_types.Object) + if !ok { + v = github_com_hashicorp_terraform_plugin_framework_types.Object{ + + AttrTypes: o.AttrTypes, + Attrs: make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(o.AttrTypes)), + } + } else { + if v.Attrs == nil { + v.Attrs = make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(tf.AttrTypes)) + } + } + { + obj := a + tf := &v + { + t, ok := tf.AttrTypes["kind"] + if !ok { + 
diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources.kind"}) + } else { + v, ok := tf.Attrs["kind"].(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil)) + if err != nil { + diags.Append(attrWriteGeneralError{"RoleV6.Spec.Allow.Request.kubernetes_resources.kind", err}) + } + v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"RoleV6.Spec.Allow.Request.kubernetes_resources.kind", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } + v.Null = string(obj.Kind) == "" + } + v.Value = string(obj.Kind) + v.Unknown = false + tf.Attrs["kind"] = v + } + } + } + v.Unknown = false + c.Elems[k] = v + } + if len(obj.KubernetesResources) > 0 { + c.Null = false + } + } + c.Unknown = false + tf.Attrs["kubernetes_resources"] = c + } + } + } } v.Unknown = false tf.Attrs["request"] = v 
@@ -25296,6 +25482,84 @@ func CopyRoleV6ToTerraform(ctx context.Context, obj *github_com_gravitational_te tf.Attrs["max_duration"] = v } } + { + a, ok := tf.AttrTypes["kubernetes_resources"] + if !ok { + diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources"}) + } else { + o, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.ListType) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources", "github.com/hashicorp/terraform-plugin-framework/types.ListType"}) + } else { + c, ok := tf.Attrs["kubernetes_resources"].(github_com_hashicorp_terraform_plugin_framework_types.List) + if !ok { + c = github_com_hashicorp_terraform_plugin_framework_types.List{ + + ElemType: o.ElemType, + Elems: make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.KubernetesResources)), + Null: true, + } + } else { + if c.Elems == nil { + c.Elems = make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.KubernetesResources)) + } + } + if obj.KubernetesResources != nil { + o := o.ElemType.(github_com_hashicorp_terraform_plugin_framework_types.ObjectType) + if len(obj.KubernetesResources) != len(c.Elems) { + c.Elems = make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.KubernetesResources)) + } + for k, a := range obj.KubernetesResources { + v, ok := tf.Attrs["kubernetes_resources"].(github_com_hashicorp_terraform_plugin_framework_types.Object) + if !ok { + v = github_com_hashicorp_terraform_plugin_framework_types.Object{ + + AttrTypes: o.AttrTypes, + Attrs: make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(o.AttrTypes)), + } + } else { + if v.Attrs == nil { + v.Attrs = make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(tf.AttrTypes)) + } + } + { + obj := a + tf := &v + { + t, ok := tf.AttrTypes["kind"] + if !ok { + 
diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources.kind"}) + } else { + v, ok := tf.Attrs["kind"].(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil)) + if err != nil { + diags.Append(attrWriteGeneralError{"RoleV6.Spec.Deny.Request.kubernetes_resources.kind", err}) + } + v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"RoleV6.Spec.Deny.Request.kubernetes_resources.kind", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } + v.Null = string(obj.Kind) == "" + } + v.Value = string(obj.Kind) + v.Unknown = false + tf.Attrs["kind"] = v + } + } + } + v.Unknown = false + c.Elems[k] = v + } + if len(obj.KubernetesResources) > 0 { + c.Null = false + } + } + c.Unknown = false + tf.Attrs["kubernetes_resources"] = c + } + } + } } v.Unknown = false tf.Attrs["request"] = v
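Review bot: the `kubernetes_resources` description added to the `spec.allow.request` list in the data-source `role.mdx` hunk needs a grammar and clarity pass, and the nested `kind` entry does not say which values are accepted. "enforce a requester to request only certain kinds", "Users can make request to either a resource kind" and "enforce requesting any of its subresources" read awkwardly; something like "kubernetes_resources optionally restricts the kinds of Kubernetes resources a user may request. For example, a user can be prevented from requesting a whole `kube_cluster` and limited to requesting its subresources, such as `namespaces`." says the same thing, and the nested schema should list or link the accepted `kind` values. The identical text appears in four `.mdx` hunks and in both `Description` strings in `GenSchemaRoleV6`, so it is presumably sourced from the API type's comment; fix it there and regenerate rather than editing each copy.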
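Review bot: the `spec.deny.request.kubernetes_resources` entries (both `.mdx` files and the second `GenSchemaRoleV6` hunk) reuse the allow-side wording verbatim, "can optionally enforce a requester to request only certain kinds of kube resources", which describes an allow-list and not what listing a kind under `deny` does. The description for the deny side should state the deny semantics explicitly, for example whether a kind listed here blocks requests for that kind regardless of the allow rules, so that operators writing a role do not have to guess how the two lists combine.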
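Review bot: in both `GenSchemaRoleV6` hunks, `kind` is the only attribute of the nested `kubernetes_resources` object and is `Optional: true` with no validator, so `kubernetes_resources = [{}]` passes schema validation and, following the `CopyRoleV6FromTerraform` hunks, yields a `RequestKubernetesResource` whose `Kind` is the empty string (`obj.Kind = t` with `t == ""`). If an empty kind is not meaningful to the backend, mark `kind` as `Required: true` in the nested attribute (or add a validator) so the mistake surfaces as a plan-time error instead of a failed apply or a silently ineffective request rule.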
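Review bot: in both `CopyRoleV6FromTerraform` hunks, `obj.KubernetesResources = make([]github_com_gravitational_teleport_api_types.RequestKubernetesResource, len(v.Elems))` runs before the `if !v.Null && !v.Unknown` check, so a null or unknown `kubernetes_resources` attribute is decoded as a non-nil, zero-length slice rather than as nil. If the API distinguishes "field not set" from "set to an empty list" for this field, that distinction is lost on the way in; confirm that the backend treats nil and empty identically, or move the allocation inside the `!v.Null && !v.Unknown` branch so an unset attribute stays nil.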
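Review bot: in the allow-side `CopyRoleV6ToTerraform` hunk, the per-element lookup inside `for k, a := range obj.KubernetesResources`, `v, ok := tf.Attrs["kubernetes_resources"].(github_com_hashicorp_terraform_plugin_framework_types.Object)`, asserts the list attribute itself as an `Object`. The same attribute was asserted as a `types.List` into `c` a few lines earlier, so this assertion can never succeed: every iteration takes the `!ok` branch and builds a fresh `Object`, and the `else` branch (with its odd `len(tf.AttrTypes)` capacity) is dead code. If reusing the existing element was intended, the lookup should be `c.Elems[k]` with a bounds check. Note also that when the `kind` assertion does succeed (`ok == true`), `v.Null` is never recomputed from `obj.Kind`, so the write-back is only correct today because the element is always rebuilt; a fix to the element lookup must also set `v.Null = string(obj.Kind) == ""` on both paths.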
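Review bot: the deny-side `CopyRoleV6ToTerraform` hunk carries the same unreachable `tf.Attrs["kubernetes_resources"].(...types.Object)` assertion inside the `for k, a := range obj.KubernetesResources` loop and the same `v.Null` handling on the `kind` attribute as the allow side; whatever change is made there needs to land in this hunk too, which argues for fixing the generator template so both regions regenerate together rather than patching one copy by hand.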