Merge pull request #1234 from hashicorp/mr/pprv_policy_set_api

policy_set data and resource change to include attributes from PPRV
hashicorp · Feb 1, 2024 · b6edd1b · b6edd1b
2 parents f9d0b1a + a51a7d4
commit b6edd1b
Show file tree

Hide file tree

Showing 7 changed files with 317 additions and 28 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ FEATURES:
 * **New Data Source**: `d/tfe_registry_providers` is a new data source to retrieve information about public and private providers in the private registry, by @tmatilai [1185](https://github.com/hashicorp/terraform-provider-tfe/pull/1185)
 * **New Resource**: `r/tfe_sentinel_version` adds the ability for admins to configure settings for sentinel versions ([#1202](https://github.com/hashicorp/terraform-provider-tfe/pull/1202))
 * **New Resource**: `r/tfe_opa_version` adds the ability for admins to configure settings for OPA versions ([#1202](https://github.com/hashicorp/terraform-provider-tfe/pull/1202))
+* `r/tfe_policy_set`: Add `agent_enabled` and `policy_tool_version` attributes to allow setting a policy runtime version to the policy set, by @mrinalirao [1234](https://github.com/hashicorp/terraform-provider-tfe/pull/1234)
+* `d/tfe_policy_set`: Add `agent_enabled` and `policy_tool_version` attributes to get the policy runtime version of a policy set, by @mrinalirao [1234](https://github.com/hashicorp/terraform-provider-tfe/pull/1234) 
 
 BUG FIXES:
 

diff --git a/internal/provider/data_source_policy_set.go b/internal/provider/data_source_policy_set.go
@@ -53,6 +53,18 @@ func dataSourceTFEPolicySet() *schema.Resource {
 				Optional:    true,
 			},
 
+			"agent_enabled": {
+				Description: "Whether the policy set is executed in the TFC agent. True by default for OPA policies",
+				Type:        schema.TypeBool,
+				Computed:    true,
+			},
+
+			"policy_tool_version": {
+				Description: "The policy tool version to run the policy evaluation against",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+
 			"policies_path": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -146,6 +158,7 @@ func dataSourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error
 				d.Set("description", policySet.Description)
 				d.Set("global", policySet.Global)
 				d.Set("policies_path", policySet.PoliciesPath)
+				d.Set("agent_enabled", policySet.AgentEnabled)
 
 				if policySet.Kind != "" {
 					d.Set("kind", policySet.Kind)
@@ -155,6 +168,10 @@ func dataSourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error
 					d.Set("overridable", policySet.Overridable)
 				}
 
+				if policySet.PolicyToolVersion != "" {
+					d.Set("policy_tool_version", policySet.PolicyToolVersion)
+				}
+
 				var vcsRepo []interface{}
 				if policySet.VCSRepo != nil {
 					vcsRepo = append(vcsRepo, map[string]interface{}{

diff --git a/internal/provider/data_source_policy_set_test.go b/internal/provider/data_source_policy_set_test.go
@@ -43,6 +43,60 @@ func TestAccTFEPolicySetDataSource_basic(t *testing.T) {
 						"data.tfe_policy_set.bar", "organization", org.Name),
 					resource.TestCheckResourceAttr(
 						"data.tfe_policy_set.bar", "policy_ids.#", "1"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "agent_enabled", "false"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "workspace_ids.#", "1"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "excluded_workspace_ids.#", "1"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "project_ids.#", "1"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "vcs_repo.#", "0"),
+				),
+			},
+		},
+	},
+	)
+}
+
+func TestAccTFEPolicySetDataSource_pinnedPolicyRuntimeVersion(t *testing.T) {
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sha := genSentinelSha(t, "secret", "data")
+	version := genSafeRandomSentinelVersion()
+
+	org, orgCleanup := createBusinessOrganization(t, tfeClient)
+	t.Cleanup(orgCleanup)
+
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		CheckDestroy: testAccCheckTFESentinelVersionDestroy,
+		Providers:    testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEPolicySetDataSourceConfig_pinnedPolicyRuntimeVersion(org.Name, rInt, version, sha),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet("data.tfe_policy_set.bar", "id"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "name", fmt.Sprintf("tst-policy-set-%d", rInt)),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "description", "Policy Set"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "global", "false"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "organization", org.Name),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "policy_ids.#", "1"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "agent_enabled", "true"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "policy_tool_version", version),
 					resource.TestCheckResourceAttr(
 						"data.tfe_policy_set.bar", "workspace_ids.#", "1"),
 					resource.TestCheckResourceAttr(
@@ -65,17 +119,21 @@ func TestAccTFEPolicySetDataSourceOPA_basic(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	sha := genSentinelSha(t, "secret", "data")
+	version := genSafeRandomOPAVersion()
+
 	org, orgCleanup := createBusinessOrganization(t, tfeClient)
 	t.Cleanup(orgCleanup)
 
 	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:  func() { testAccPreCheck(t) },
-		Providers: testAccProviders,
+		PreCheck:     func() { testAccPreCheck(t) },
+		CheckDestroy: testAccCheckTFEOPAVersionDestroy,
+		Providers:    testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccTFEPolicySetDataSourceConfigOPA_basic(org.Name, rInt),
+				Config: testAccTFEPolicySetDataSourceConfigOPA_basic(org.Name, rInt, version, sha),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttrSet("data.tfe_policy_set.bar", "id"),
 					resource.TestCheckResourceAttr(
@@ -88,6 +146,8 @@ func TestAccTFEPolicySetDataSourceOPA_basic(t *testing.T) {
 						"data.tfe_policy_set.bar", "organization", org.Name),
 					resource.TestCheckResourceAttr(
 						"data.tfe_policy_set.bar", "kind", "opa"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "agent_enabled", "true"),
 					resource.TestCheckResourceAttr(
 						"data.tfe_policy_set.bar", "overridable", "true"),
 					resource.TestCheckResourceAttr(
@@ -147,6 +207,8 @@ func TestAccTFEPolicySetDataSource_vcs(t *testing.T) {
 						"data.tfe_policy_set.bar", "global", "false"),
 					resource.TestCheckResourceAttr(
 						"data.tfe_policy_set.bar", "kind", "sentinel"),
+					resource.TestCheckResourceAttr(
+						"data.tfe_policy_set.bar", "agent_enabled", "false"),
 					resource.TestCheckResourceAttr(
 						"data.tfe_policy_set.bar", "organization", org.Name),
 					resource.TestCheckResourceAttr(
@@ -225,15 +287,79 @@ resource "tfe_workspace_policy_set_exclusion" "foobar" {
 data "tfe_policy_set" "bar" {
   name = tfe_policy_set.foobar.name
   organization = local.organization_name
+  depends_on=[tfe_policy_set.foobar, tfe_project_policy_set.foobar, tfe_workspace_policy_set_exclusion.foobar]
 }`, organization, rInt, rInt, rInt)
 }
 
-func testAccTFEPolicySetDataSourceConfigOPA_basic(organization string, rInt int) string {
+func testAccTFEPolicySetDataSourceConfig_pinnedPolicyRuntimeVersion(organization string, rInt int, version string, sha string) string {
+	return fmt.Sprintf(`
+locals {
+  organization_name = "%s"
+}
+
+
+resource "tfe_sentinel_version" "foobar" {
+  version = "%s"
+  url = "https://www.hashicorp.com"
+  sha = "%s"
+}
+
+resource "tfe_workspace" "foobar" {
+  name         = "workspace-foo-%d"
+  organization = local.organization_name
+}
+
+resource "tfe_project" "foobar" {
+  name         = "project-foo-%d"
+  organization = local.organization_name
+}
+
+resource "tfe_sentinel_policy" "foo" {
+  name         = "policy-foo"
+  policy       = "main = rule { true }"
+  organization = local.organization_name
+}
+
+resource "tfe_policy_set" "foobar" {
+  name         = "tst-policy-set-%d"
+  description  = "Policy Set"
+  organization = local.organization_name
+  agent_enabled = true
+  policy_tool_version = "%s"
+  policy_ids   = [tfe_sentinel_policy.foo.id]
+  workspace_ids = [tfe_workspace.foobar.id]
+}
+
+resource "tfe_project_policy_set" "foobar" {
+	policy_set_id = tfe_policy_set.foobar.id
+	project_id = tfe_project.foobar.id
+}
+
+resource "tfe_workspace_policy_set_exclusion" "foobar" {
+	policy_set_id = tfe_policy_set.foobar.id
+	workspace_id = tfe_workspace.foobar.id
+}
+
+data "tfe_policy_set" "bar" {
+  name = tfe_policy_set.foobar.name
+  organization = local.organization_name
+  depends_on=[tfe_policy_set.foobar, tfe_project_policy_set.foobar, tfe_workspace_policy_set_exclusion.foobar]
+}`, organization, version, sha, rInt, rInt, rInt, version)
+}
+
+func testAccTFEPolicySetDataSourceConfigOPA_basic(organization string, rInt int, version string, sha string) string {
 	return fmt.Sprintf(`
 locals {
   organization_name = "%s"
 }
 
+
+resource "tfe_opa_version" "foobar" {
+  version = "%s"
+  url = "https://www.hashicorp.com"
+  sha = "%s"
+}
+
 resource "tfe_workspace" "foobar" {
   name         = "workspace-foo-%d"
   organization = local.organization_name
@@ -249,6 +375,8 @@ resource "tfe_policy_set" "foobar" {
   description  = "Policy Set"
   organization = local.organization_name
   kind         = "opa"
+  agent_enabled = true
+  policy_tool_version = "%s"
   overridable  = true
   workspace_ids = [tfe_workspace.foobar.id]
 }
@@ -267,7 +395,8 @@ data "tfe_policy_set" "bar" {
   name = tfe_policy_set.foobar.name
   organization = local.organization_name
   kind = "opa"
-}`, organization, rInt, rInt, rInt)
+  depends_on=[tfe_policy_set.foobar, tfe_project_policy_set.foobar, tfe_workspace_policy_set_exclusion.foobar]
+}`, organization, version, sha, rInt, rInt, rInt, version)
 }
 
 func testAccTFEPolicySetDataSourceConfig_vcs(organization string, rInt int) string {

diff --git a/internal/provider/resource_tfe_policy_set.go b/internal/provider/resource_tfe_policy_set.go
@@ -75,6 +75,20 @@ func resourceTFEPolicySet() *schema.Resource {
 				Default:  false,
 			},
 
+			"agent_enabled": {
+				Description: "Whether the policy set is executed in the TFC agent. True by default for OPA policies",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+			},
+
+			"policy_tool_version": {
+				Description: "The policy tool version to run the policy evaluation against",
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+			},
+
 			"policies_path": {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -171,6 +185,14 @@ func resourceTFEPolicySetCreate(d *schema.ResourceData, meta interface{}) error
 		options.Overridable = tfe.Bool(vOverridable.(bool))
 	}
 
+	if vAgentEnabled, ok := d.GetOk("agent_enabled"); ok {
+		options.AgentEnabled = tfe.Bool(vAgentEnabled.(bool))
+	}
+
+	if vPolicyToolVersion, ok := d.GetOk("policy_tool_version"); ok {
+		options.PolicyToolVersion = tfe.String(vPolicyToolVersion.(string))
+	}
+
 	if desc, ok := d.GetOk("description"); ok {
 		options.Description = tfe.String(desc.(string))
 	}
@@ -243,6 +265,7 @@ func resourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("description", policySet.Description)
 	d.Set("global", policySet.Global)
 	d.Set("policies_path", policySet.PoliciesPath)
+	d.Set("agent_enabled", policySet.AgentEnabled)
 
 	if policySet.Organization != nil {
 		d.Set("organization", policySet.Organization.Name)
@@ -257,6 +280,10 @@ func resourceTFEPolicySetRead(d *schema.ResourceData, meta interface{}) error {
 		d.Set("overridable", policySet.Overridable)
 	}
 
+	if policySet.PolicyToolVersion != "" {
+		d.Set("policy_tool_version", policySet.PolicyToolVersion)
+	}
+
 	// Set VCS policy set options.
 	var vcsRepo []interface{}
 	if policySet.VCSRepo != nil {
@@ -330,7 +357,7 @@ func resourceTFEPolicySetUpdate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	// Don't bother updating the policy set's attributes if they haven't changed
-	if d.HasChange("name") || d.HasChange("description") || d.HasChange("global") || d.HasChange("vcs_repo") || d.HasChange("overridable") {
+	if d.HasChange("name") || d.HasChange("description") || d.HasChange("global") || d.HasChange("vcs_repo") || d.HasChange("overridable") || d.HasChange("agent_enabled") || d.HasChange("policy_tool_version") {
 		// Create a new options struct.
 		options := tfe.PolicySetUpdateOptions{
 			Name:   tfe.String(name),
@@ -346,6 +373,15 @@ func resourceTFEPolicySetUpdate(d *schema.ResourceData, meta interface{}) error
 			options.Overridable = tfe.Bool(o)
 		}
 
+		if d.HasChange("agent_enabled") {
+			o := d.Get("agent_enabled").(bool)
+			options.AgentEnabled = tfe.Bool(o)
+		}
+
+		if policyToolVersion, ok := d.GetOk("policy_tool_version"); ok {
+			options.PolicyToolVersion = tfe.String(policyToolVersion.(string))
+		}
+
 		if v, ok := d.GetOk("vcs_repo"); ok {
 			vcsRepo := v.([]interface{})[0].(map[string]interface{})