Doesn't seem to be possible to get/extract a list of privileges for Repository created. #54

Closed
fog1985 opened this issue Jun 3, 2020 · 16 comments

fog1985 commented Jun 3, 2020

Hi guys,

This is an enhancement request.

After Repository creation, Nexus creates privileges for this repository.
Further, in work it might happen that more privileges need to be added/attached to this or that role.
And it's impossible right now to get a list of privileges for the specific repository.
Use-case: needed a role that has privileges from multiple Repositories.
It would be awesome to have this kind of feature. ;)

Regards,
Taras.

Nosmoht added the enhancement label Jun 4, 2020

Nosmoht (Contributor) commented Jun 4, 2020

Hi @fog1985 ,

would it help to provide a data source for privileges? It could return, based on a filter like domain, repository or name, all privileges matching the filter. You could then use the returned list to do some other stuff with it.

resource "nexus_repository" "demo" {
  type   = "hosted"
  format = "maven2"
  name   = "demo"
  ...
}

data "nexus_privileges" "demo" {
  repository = nexus_repository.demo.name
}

fog1985 (Author) commented Jun 4, 2020

Hi @Nosmoht ,
Yeap. It would work like a charm.

fog1985 (Author) commented Jun 4, 2020

@Nosmoht ,
It would be nice to have the possibility of multiple filters or nested results. Cuz in the repository there are multiple types of privileges. Hence it would be nice to get, let's say, privileges of type repository-view which are applied to this repository.

Nosmoht (Contributor) commented Jun 5, 2020

Hi @fog1985 ,

this should be fixed with v1.7.0.

Documentation

Nosmoht self-assigned this Jun 5, 2020

fog1985 (Author) commented Jun 5, 2020

> Documentation

Cool. Thank you @Nosmoht

Nosmoht (Contributor) commented Jun 5, 2020

@fog1985 Please let me know if it works and if we can close the issue.

fog1985 (Author) commented Jun 5, 2020

Hey @Nosmoht ,
I am sure it works. Don't have a chance to put a new release and test it right away.
Or please leave it for a few days and I will try my best to test it out early next week.

fog1985 (Author) commented Jun 16, 2020

Hi @Nosmoht ,
I have just tried to use it. And I am a bit confused about how to declare all the needed stuff.
Here is what I have:

data "nexus_privileges" "apt-proxy-read" {
  format     = "apt"
  repository = "apt-proxy"
  type = "repository-view"
  privileges {
    actions = ["read"]
  }
}

I was referring to this code:
https://github.com/datadrivers/terraform-provider-nexus/blob/master/nexus/data_source_privileges.go

It indeed seems to have a privileges section.
But I am not sure what the difference is between, for example, format in the root declaration and format inside of privileges.

Nevertheless, I get the following:

Error: "privileges": this field cannot be set

  on roles.tf line 1, in data "nexus_privileges" "apt-proxy-read":
   1: data "nexus_privileges" "apt-proxy-read" {

If I put actions into the root, it still fails, saying that actions are not expected here.

Nosmoht (Contributor) commented Jun 18, 2020

Hi @fog1985 ,

the data resource is used to get the list of privileges for the specified repository format and type. So please remove the privileges from your declaration and you should get a list of all privileges of repository apt-proxy as return value.

fog1985 (Author) commented Jun 18, 2020

Hi @Nosmoht ,
Thanks. I have managed to read all the privileges' names as follows:

data "nexus_privileges" "apt-proxy-read" {
  format     = "apt"
  repository = "apt-proxy"
  type = "repository-view"
}

output "privileges" {
    value = data.nexus_privileges.apt-proxy-read.privileges.*.name
}

Is there a way to get a privilege, for example, whose action stands for READ or WRITE?
Or just a list of all privileges?

Also not clear about this parameter in the data source block:

type = "repository-view"

Should it be the format of the repository or format of the privileges?
If it's a format of the privileges then it doesn't work as expected. Cuz with repository-view I got the full list of all the privileges including those aimed for write/edit etc.

It would be nice to have a short example on how to filter out the output of data source to some READ, WRITE, or other filters for privileges.

Nosmoht (Contributor) commented Jun 18, 2020

I believe the only thing we could do is to add a name filter like name = ".*-read". So we could use a regexp on the privilege name to get only privileges matching the regexp. Would that help you?

fog1985 (Author) commented Jun 18, 2020

I think yes. That would work.
I also tried to use Terraform's filter facility. As described here:
https://www.terraform.io/docs/providers/oci/guides/filters.html
Doesn't work either.

data "nexus_privileges" "apt-proxy-read" {
  format     = "apt"
  repository = "apt-proxy"
  type = "repository-view"
  
  filter {
    name = "actions"
    values = ["READ"]
  }
}

Result:

Error: Unsupported block type

  on roles.tf line 6, in data "nexus_privileges" "apt-proxy-read":
   6:   filter {

Blocks of type "filter" are not expected here.

So name would work if possible.

fog1985 (Author) commented Jun 18, 2020

As an interim solution, I have just come up with this one:

value = [for x in data.nexus_privileges.apt-proxy-read.privileges: x.name if contains(x["actions"], "READ")]

Which returns READ privilege. :)

fog1985 (Author) commented Jun 18, 2020

For those who might be looking for the same:

output "privileges_apt_proxy_all_read" {
    value = [for x in data.nexus_privileges.apt-proxy-read.privileges: x.name if can(regex("ALL|READ", join("",x.actions)))]
}

output "privileges_apt_proxy_browse" {
    value = [for x in data.nexus_privileges.apt-proxy-read.privileges: x.name if can(regex("BROWSE", join("",x.actions)))]
}

output "privileges_multiple_repos_example" {
    value = concat([for x in data.nexus_privileges.apt-proxy-read.privileges: x.name if can(regex("ALL|READ", join("",x.actions)))], [for x in data.nexus_privileges.apt-proxy-read.privileges: x.name if can(regex("BROWSE", join("",x.actions)))])
}

In this way, we can get nice filtering based on actions with the usage of RegExp.
Or even combine privileges from different repositories and data sources with the usage of Terraform's concat function.
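
An added example, not part of the thread or of the provider's documentation: the use case from the original request (one role that draws privileges from several repositories), built with exact action matching instead of a regex over joined action names, so that only privileges whose actions are all on an allow-list end up in the role. Assumptions: the repository names and role id are placeholders, "ALL" is taken to include write and delete actions and is therefore excluded, the provider's `nexus_role` resource accepts `roleid`, `name`, `description` and `privileges`, and Terraform is 0.12.21 or later for `setsubtract`.

```hcl
# Added example; repository names and the role id are placeholders.
locals {
  # repository name => repository format
  reader_repos = {
    "apt-proxy" = "apt"
    "demo"      = "maven2"
  }

  # Actions a read-only role may carry. "ALL" is left out on purpose:
  # it is assumed to also cover add, edit and delete.
  allowed_actions = ["READ", "BROWSE"]
}

# One lookup per repository, using the arguments shown in the thread.
data "nexus_privileges" "by_repo" {
  for_each   = local.reader_repos
  repository = each.key
  format     = each.value
  type       = "repository-view"
}

locals {
  # Keep a privilege only when every one of its actions is on the allow-list.
  # setsubtract compares whole elements, so nothing can match across the
  # boundary between two action names the way a regex on a joined string can.
  reader_privileges = sort(flatten([
    for repo, ds in data.nexus_privileges.by_repo : [
      for p in ds.privileges : p.name
      if(length(p.actions) > 0 && length(setsubtract(p.actions, local.allowed_actions)) == 0)
    ]
  ]))
}

# Assumption: nexus_role with roleid, name, description and privileges.
resource "nexus_role" "repo_reader" {
  roleid      = "repo-reader"
  name        = "repo-reader"
  description = "Read and browse access to selected repositories"
  privileges  = local.reader_privileges
}

# Review this list in the plan output before applying the role.
output "reader_privileges" {
  value = local.reader_privileges
}
```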

Nosmoht (Contributor) commented Jul 4, 2020

Hi @fog1985,

can we close the issue and create a new feature request for the privilege filter?

fog1985 (Author) commented Jul 4, 2020

> Hi @fog1985,
>
> can we close the issue and create a new feature request for the privilege filter?

Hi @Nosmoht ,
Sure.
Thank you.

fog1985 closed this as completed Jul 4, 2020