Add SHU to terraform provider (#46974)
This change adds Terraform support for static host users.
atburke authored Sep 30, 2024
1 parent aebf191 commit 0399b4f
Showing 17 changed files with 2,310 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/pages/reference/terraform-provider/data-sources.mdx
Expand Up @@ -29,6 +29,7 @@ The Teleport Terraform provider supports the following data-sources:
- [`teleport_role`](./data-sources/role.mdx)
- [`teleport_saml_connector`](./data-sources/saml_connector.mdx)
- [`teleport_session_recording_config`](./data-sources/session_recording_config.mdx)
- [`teleport_static_host_user`](./data-sources/static_host_user.mdx)
- [`teleport_trusted_cluster`](./data-sources/trusted_cluster.mdx)
- [`teleport_trusted_device`](./data-sources/trusted_device.mdx)
- [`teleport_user`](./data-sources/user.mdx)
@@ -0,0 +1,64 @@
---
title: Reference for the teleport_static_host_user Terraform data-source
description: This page describes the supported values of the teleport_static_host_user data-source of the Teleport Terraform provider.
---

{/*Auto-generated file. Do not edit.*/}
{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}





{/* schema generated by tfplugindocs */}
## Schema

### Required

- `metadata` (Attributes) metadata is resource metadata. (see [below for nested schema](#nested-schema-for-metadata))
- `spec` (Attributes) spec is the static host user spec. (see [below for nested schema](#nested-schema-for-spec))
- `version` (String) version is the resource version. It must be specified. Supported values are: `v2`.

### Optional

- `sub_kind` (String) sub_kind is an optional resource sub kind, used in some resources.

### Nested Schema for `metadata`

Required:

- `name` (String) name is an object name.

Optional:

- `description` (String) description is object description.
- `expires` (String)
- `labels` (Map of String) labels is a set of labels.


### Nested Schema for `spec`

Required:

- `matchers` (Attributes List) (see [below for nested schema](#nested-schema-for-specmatchers))

### Nested Schema for `spec.matchers`

Optional:

- `default_shell` (String) default_shell is the new user's default shell
- `gid` (Number) gid is the new user's gid.
- `groups` (List of String) groups is a list of additional groups to add the user to.
- `node_labels` (Attributes List) node_labels is a map of node labels that will create a user from this resource. (see [below for nested schema](#nested-schema-for-specmatchersnode_labels))
- `node_labels_expression` (String) node_labels_expression is a predicate expression to create a user from this resource.
- `sudoers` (List of String) sudoers is a list of sudoer entries to add.
- `take_ownership_if_user_exists` (Boolean) take_ownership_if_user_exists will take ownership of existing, unmanaged users
- `uid` (Number) uid is the new user's uid.

### Nested Schema for `spec.matchers.node_labels`

Required:

- `name` (String) The name of the label.
- `values` (List of String) The values associated with the label.

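Review bot: two generated descriptions are empty in this schema: `expires` under `metadata` (the line `- \`expires\` (String)` has no text) and `matchers` under `spec`. Because the file header says it is auto-generated (`make docs` in integrations/terraform), the fix belongs in the field comments of `teleport/userprovisioning/v2/statichostuser.proto`, not in this .mdx. While there, expand the `take_ownership_if_user_exists` comment ("will take ownership of existing, unmanaged users"): an operator needs to know which attributes of a pre-existing account the matcher then manages (uid, gid, groups, sudoers, default_shell are all optional fields of the same matcher), since adopting an unmanaged account is the one option here that can change access on a host retroactively.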
1 change: 1 addition & 0 deletions docs/pages/reference/terraform-provider/resources.mdx
Expand Up @@ -31,6 +31,7 @@ The Teleport Terraform provider supports the following resources:
- [`teleport_saml_connector`](./resources/saml_connector.mdx)
- [`teleport_server`](./resources/server.mdx)
- [`teleport_session_recording_config`](./resources/session_recording_config.mdx)
- [`teleport_static_host_user`](./resources/static_host_user.mdx)
- [`teleport_trusted_cluster`](./resources/trusted_cluster.mdx)
- [`teleport_trusted_device`](./resources/trusted_device.mdx)
- [`teleport_user`](./resources/user.mdx)
@@ -0,0 +1,91 @@
---
title: Reference for the teleport_static_host_user Terraform resource
description: This page describes the supported values of the teleport_static_host_user resource of the Teleport Terraform provider.
---

{/*Auto-generated file. Do not edit.*/}
{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}



## Example Usage

```hcl
resource "teleport_static_host_user" "test" {
version = "v2"
metadata = {
name = "test"
}
spec = {
matchers = [
{
node_labels = [
{
name = "foo"
values = ["bar"]
}
]
node_labels_expression = "labels.foo == \"bar\""
groups = ["foo", "bar"]
sudoers = ["abcd1234"]
uid = 1234
gid = 1234
default_shell = "/bin/bash"
}
]
}
}
```

{/* schema generated by tfplugindocs */}
## Schema

### Required

- `metadata` (Attributes) metadata is resource metadata. (see [below for nested schema](#nested-schema-for-metadata))
- `spec` (Attributes) spec is the static host user spec. (see [below for nested schema](#nested-schema-for-spec))
- `version` (String) version is the resource version. It must be specified. Supported values are: `v2`.

### Optional

- `sub_kind` (String) sub_kind is an optional resource sub kind, used in some resources.

### Nested Schema for `metadata`

Required:

- `name` (String) name is an object name.

Optional:

- `description` (String) description is object description.
- `expires` (String)
- `labels` (Map of String) labels is a set of labels.


### Nested Schema for `spec`

Required:

- `matchers` (Attributes List) (see [below for nested schema](#nested-schema-for-specmatchers))

### Nested Schema for `spec.matchers`

Optional:

- `default_shell` (String) default_shell is the new user's default shell
- `gid` (Number) gid is the new user's gid.
- `groups` (List of String) groups is a list of additional groups to add the user to.
- `node_labels` (Attributes List) node_labels is a map of node labels that will create a user from this resource. (see [below for nested schema](#nested-schema-for-specmatchersnode_labels))
- `node_labels_expression` (String) node_labels_expression is a predicate expression to create a user from this resource.
- `sudoers` (List of String) sudoers is a list of sudoer entries to add.
- `take_ownership_if_user_exists` (Boolean) take_ownership_if_user_exists will take ownership of existing, unmanaged users
- `uid` (Number) uid is the new user's uid.

### Nested Schema for `spec.matchers.node_labels`

Required:

- `name` (String) The name of the label.
- `values` (List of String) The values associated with the label.

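Review bot: the Example Usage sets both `node_labels` and `node_labels_expression` in one matcher, but neither description says whether a node must satisfy both selectors or either one, and the schema makes both optional, so a matcher with no selector is also expressible. Please state the combination rule and the no-selector behaviour in the proto comments so it lands in both this page and the data-source page. The example's `sudoers = ["abcd1234"]` is not a syntactically valid sudoers rule either; since this block is what readers will copy, use a real entry (for instance `"%foo ALL=(ALL) NOPASSWD: ALL"` for the `foo` group already in the example) or drop the field.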
8 changes: 8 additions & 0 deletions integrations/terraform/Makefile
Expand Up @@ -106,9 +106,17 @@ endif
--terraform_out=config=protoc-gen-terraform-accessmonitoringrules.yaml:./tfschema \
teleport/accessmonitoringrules/v1/access_monitoring_rules.proto

@protoc \
-I=../../api/proto \
-I=$(PROTOBUF_MOD_PATH) \
--plugin=$(GENTERRAFORMPATH)/protoc-gen-terraform \
--terraform_out=config=protoc-gen-terraform-statichostuser.yaml:./tfschema \
teleport/userprovisioning/v2/statichostuser.proto

mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1/loginrule_terraform.go ./tfschema/loginrule/v1/
mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1/accesslist_terraform.go ./tfschema/accesslist/v1/
mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_terraform.go ./tfschema/accessmonitoringrules/v1/
mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser_terraform.go ./tfschema/userprovisioning/v2/
mv ./tfschema/github.com/gravitational/teleport/api/types/device_terraform.go ./tfschema/devicetrust/v1/
rm -r ./tfschema/github.com/
@go run ./gen/main.go
@@ -0,0 +1,24 @@
resource "teleport_static_host_user" "test" {
version = "v2"
metadata = {
name = "test"
}
spec = {
matchers = [
{
node_labels = [
{
name = "foo"
values = ["bar"]
}
]
node_labels_expression = "labels.foo == \"bar\""
groups = ["foo", "bar"]
sudoers = ["abcd1234"]
uid = 1234
gid = 1234
default_shell = "/bin/bash"
}
]
}
}
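Review bot: this fixture is identical to the Example Usage in the generated resource doc, so the `sudoers = ["abcd1234"]` placeholder should be replaced here with a well-formed sudoers line (e.g. `"%foo ALL=(ALL) NOPASSWD: ALL"`) so that the published example is something an operator can actually apply. It would also help to include `take_ownership_if_user_exists` explicitly in the example, since it is the only matcher field the fixture omits and the one with the largest blast radius on hosts that already have a user of that name.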
28 changes: 28 additions & 0 deletions integrations/terraform/gen/main.go
Expand Up @@ -476,6 +476,32 @@ var (
ExtraImports: []string{"apitypes \"github.com/gravitational/teleport/api/types\""},
ForceSetKind: "apitypes.KindAccessMonitoringRule",
}

staticHostUser = payload{
Name: "StaticHostUser",
TypeName: "StaticHostUser",
VarName: "staticHostUser",
GetMethod: "StaticHostUserClient().GetStaticHostUser",
CreateMethod: "StaticHostUserClient().CreateStaticHostUser",
UpsertMethodArity: 2,
UpdateMethod: "StaticHostUserClient().UpsertStaticHostUser",
DeleteMethod: "StaticHostUserClient().DeleteStaticHostUser",
ID: "staticHostUser.Metadata.Name",
Kind: "static_host_user",
HasStaticID: false,
ProtoPackage: "userprovisioningv2",
ProtoPackagePath: "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2",
SchemaPackage: "schemav1",
SchemaPackagePath: "github.com/gravitational/teleport/integrations/terraform/tfschema/userprovisioning/v2",
TerraformResourceType: "teleport_static_host_user",
// Since [RFD 153](https://github.com/gravitational/teleport/blob/master/rfd/0153-resource-guidelines.md)
// resources are plain structs
IsPlainStruct: true,
// As 153-style resources don't have CheckAndSetDefaults, we must set the Kind manually.
// We import the package containing kinds, then use ForceSetKind.
ExtraImports: []string{"apitypes \"github.com/gravitational/teleport/api/types\""},
ForceSetKind: "apitypes.KindStaticHostUser",
}
)

func main() {
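Review bot: `SchemaPackage: "schemav1"` is paired with `SchemaPackagePath: ".../tfschema/userprovisioning/v2"`, so the generated code will import a v2 package under a `schemav1` alias; rename the alias (e.g. `schemav2`) to match the path before more v2 resources copy this payload. Also note that `UpdateMethod` is `UpsertStaticHostUser` with `UpsertMethodArity: 2`, so a Terraform update will overwrite whatever the resource currently holds on the server rather than failing on a conflicting out-of-band change; that matches the other RFD 153-style payloads above, but a one-line comment saying it is intentional would save the next reader the question.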
Expand Down Expand Up @@ -523,6 +549,8 @@ func genTFSchema() {
generateDataSource(installer, pluralDataSource)
generateResource(accessMonitoringRule, pluralResource)
generateDataSource(accessMonitoringRule, pluralDataSource)
generateResource(staticHostUser, pluralResource)
generateDataSource(staticHostUser, pluralDataSource)
}

func generateResource(p payload, tpl string) {
72 changes: 72 additions & 0 deletions integrations/terraform/protoc-gen-terraform-statichostuser.yaml
@@ -0,0 +1,72 @@
---
target_package_name: "v2"
default_package_name: "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2"
duration_custom_type: Duration
use_state_for_unknown_by_default: true

# Top-level type names to export
types:
- "StaticHostUser"

# These import paths were not being automatically picked up by
# protoc-gen-terraform without these overrides
import_path_overrides:
"types": "github.com/gravitational/teleport/api/types"
"wrappers": "github.com/gravitational/teleport/api/types/wrappers"
"durationpb": "google.golang.org/protobuf/types/known/durationpb"
"timestamppb": "google.golang.org/protobuf/types/known/timestamppb"
"v1": "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
"v11": "github.com/gravitational/teleport/api/gen/proto/go/teleport/label/v1"


# id field is required for integration tests. It is not used by provider.
# We have to add it manually (might be removed in the future versions).
injected_fields:
StaticHostUser:
- name: id
type: github.com/hashicorp/terraform-plugin-framework/types.StringType
computed: true
plan_modifiers:
- "github.com/hashicorp/terraform-plugin-framework/tfsdk.UseStateForUnknown()"

# These fields will be excluded
exclude_fields:
# Metadata (we id resources by name on our side)
- "StaticHostUser.metadata.id"

# These fields will be marked as Computed: true
computed_fields:
# Metadata
- "StaticHostUser.metadata.namespace"
- "StaticHostUser.kind"

# These fields will be marked as Required: true
required_fields:
- "StaticHostUser.version"
- "StaticHostUser.metadata"
- "StaticHostUser.metadata.name"
- "StaticHostUser.spec"
- "StaticHostUser.spec.matchers"
- "StaticHostUser.spec.matchers.node_labels.name"
- "StaticHostUser.spec.matchers.node_labels.values"

plan_modifiers:
# Force to recreate resource if it's name changes
Metadata.name:
- "github.com/hashicorp/terraform-plugin-framework/tfsdk.RequiresReplace()"

# This must be defined for the generator to be happy, but in reality all time
# fields are overridden (because the protobuf timestamps contain locks and the
# linter gets mad if we use raw structs instead of pointers).
time_type:
type: "PlaceholderType"
duration_type:
type: "PlaceholderType"

validators:
# Expires must be in the future
Metadata.expires:
- github_com_gravitational_teleport_integrations_terraform_tfschema.MustTimeBeInFuture()

custom_types:
"StaticHostUser.metadata.expires": Timestamp
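Review bot: `required_fields` makes `StaticHostUser.spec.matchers` required but neither `spec.matchers.node_labels` nor `spec.matchers.node_labels_expression`, so a matcher with no selector passes plan-time validation; if the server rejects it the error surfaces only at apply, and if the server treats it as match-all that is a silent over-provisioning path, so either add a validator here or document the server behaviour. The only validator defined is `MustTimeBeInFuture()` on `Metadata.expires`; the `uid`/`gid` fields are plain Numbers with no range check, so consider a validator there as well. Minor: the comment "Force to recreate resource if it's name changes" should read "its name".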