Create ACL bindings for kafka #36

Merged: 6 commits, Oct 11, 2022

@jackdelahunt jackdelahunt commented Oct 10, 2022

This PR adds the functionality of creating ACL bindings for any Kafka instance; it adds more options within the kafka resource to achieve this. It also adds an acl resource to use with the need for the kafka resource to be created at the same time.

Verify

Terraform config (main.tf)

terraform {
  required_providers {
    rhoas = {
      source  = "registry.terraform.io/redhat-developer/rhoas"
      version = "0.1.0"
    }
  }
}

provider "rhoas" {
  offline_token = "..."
}

resource "rhoas_service_account" "srvcaccnt" {
  name = "service_account"
}

resource "rhoas_kafka" "instance" {
  name = "instance"
  acl = [
    {
      principal = rhoas_service_account.srvcaccnt.client_id,
      resource_type = "TOPIC",
      resource_name = "topic-1",
      pattern_type = "LITERAL",
      operation_type = "ALL",
      permission_type = "ALLOW",
    },
  ]
}

resource "rhoas_topic" "topic-1" {
  kafka_id = rhoas_kafka.instance.id
  name = "topic-1"
  partitions = 1
}

resource "rhoas_topic" "topic-2" {
  kafka_id = rhoas_kafka.instance.id
  name = "topic-2"
  partitions = 1
}

resource "rhoas_acl" "acl" {
  kafka_id = rhoas_kafka.instance.id
  principal = rhoas_service_account.srvcaccnt.client_id
  resource_type = "TOPIC"
  resource_name = "topic-2"
  pattern_type = "LITERAL"
  operation_type = "ALL"
  permission_type = "ALLOW"
}

Commands

  • make install
  • terraform init
  • terraform apply

Expected Results

  • New kafka created named "instance"
  • Kafka has 2 topics named "topic-1" and "topic-2"
  • New service account created called "service_account" (description in UI)
  • Service account has access to all actions for these two topics in the kafka

@dimakis dimakis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I just have a couple of comments / questions

rhoas/kafkas/resource_kafka.go

// required for api, the user id, service account id or * works
// when appended to User:
principal = "User:" + principal
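
Review bot: at `principal = "User:" + principal` the prefix is prepended unconditionally, so a value that already starts with `User:` is sent as `User:User:blah`, and spellings such as `user:` or a space after the colon are not caught. Either reject prefixed input in the schema's validation or guard the concatenation with a case-insensitive prefix check. The comment above says "appended" where the code prepends, and it notes that `*` is accepted: `User:*` makes the binding apply to every principal, which belongs in the attribute's documentation.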

Is there any validation to check if the user passes the principal in as User:blah or user:blah or user: blah, you get my point, in the TF script?
In those cases wouldn't the principal come out as User:User:blah?

Contributor Author

I think we just need to set a standard for these inputs and consider anything outside of that not valid. If we define that the user must enter the client_id or user id in the principal field then starting it with User: is automatically not supported.

My preference here would be to have a little validation around the prepending of User: here, but that is just my own opinion.

Contributor Author

I would normally agree but... then doing what I am in this PR is not impossible but a mess. I am using a service account client id as the principal but I would need to prepend it with User:; this afaik is possible but a pain in Terraform.

Contributor Author

Now I have realized doing this changing of values can cause issues with Terraform syncing after create. I avoided it in this PR in a hacky way, but something to think about for the future.
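
A sketch of the validation discussed in this thread, added here as an example and not code from the PR or the provider: the hypothetical `normalizePrincipal` accepts a bare id, `*`, or an id already carrying `User:` in any letter case and yields a single canonical `User:<id>`, while the hypothetical `samePrincipal` compares the configured and stored forms so the rewrite does not read as a change. Rejecting ids that contain `:` or whitespace is an assumption about what a valid id looks like.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const userPrefix = "User:"

// normalizePrincipal (hypothetical helper) returns the one canonical form
// "User:<id>" for a bare id, "*", or an id already carrying "User:" in any
// letter case. Assumption: a valid id contains no ':' and no whitespace.
func normalizePrincipal(in string) (string, error) {
	p := strings.TrimSpace(in)
	// Strip a single leading prefix so "User:blah" is not sent as "User:User:blah".
	if len(p) >= len(userPrefix) && strings.EqualFold(p[:len(userPrefix)], userPrefix) {
		p = strings.TrimSpace(p[len(userPrefix):])
	}
	if p == "" {
		return "", errors.New("principal is empty")
	}
	// A second prefix or embedded whitespace is rejected, not silently repaired.
	if strings.ContainsAny(p, ": \t\r\n") {
		return "", fmt.Errorf("principal %q: id must not contain ':' or whitespace", in)
	}
	return userPrefix + p, nil
}

// samePrincipal reports whether the value written in the configuration and
// the prefixed value held after create name the same principal, so the
// rewrite is not reported as a change on the next plan.
func samePrincipal(configured, stored string) bool {
	a, errA := normalizePrincipal(configured)
	b, errB := normalizePrincipal(stored)
	return errA == nil && errB == nil && a == b
}

func main() {
	// Constructed inputs: the spellings raised in the review thread plus edge cases.
	for _, in := range []string{"srvc-acct-1", "User:blah", "user: blah", "*", "User:User:blah", ""} {
		out, err := normalizePrincipal(in)
		fmt.Printf("%-17q -> %q (err: %v)\n", in, out, err)
	}
}
```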

@@ -265,7 +265,13 @@ func kafkaCreate(ctx context.Context, d *schema.ResourceData, m interface{}) dia

func createACLForKafka(ctx context.Context, api rhoasAPI.Clients, d *schema.ResourceData, kafka *kafkamgmtclient.KafkaRequest) error {

acl, ok := d.Get("acl").([]interface{})
aclInput := d.Get("acl")
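
Review bot: at `aclInput := d.Get("acl")` the value is held as a bare interface{} and the conversion that follows is outside the visible lines, so confirm it uses the checked form (`v, ok := aclInput.([]interface{})`) and returns an error when ok is false. createACLForKafka already returns error, so a malformed acl block can fail the create with a clear message instead of panicking on an unchecked assertion.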

great changes

@dimakis dimakis left a comment

LGTM,
Great work @jackdelahunt

@jackdelahunt jackdelahunt merged commit b3989a9 into main Oct 11, 2022
@jackdelahunt jackdelahunt deleted the create-acl branch October 11, 2022 14:59

wtrocki commented Oct 11, 2022

Looks good. Sorry for late review
