mirror of
https://github.com/bpg/terraform-provider-proxmox.git
synced 2025-07-04 21:14:05 +00:00
98e1cff7fe
* refactoring existing cluster / firewall API for better composition * add basic security groups API fix linter errors * add rules API * fix after renaming resourceVirtualEnvironmentClusterIPSet * fix linter errors * make linter happy * even more refactoring * tidy up datasources * in refactoring spree * update examples * fix firewall resource/datasource & client error handling * add ipset(s) datasource * update docs * add security group resource with rules * docs * fix security group update, TODO: rule update * fix after rebase * add rule update, extract common rule schema, refactor group * fix linter errors * bump linter for ci * make alias and ipset reusable * make security group reusable * refactor datasources * add security group datasources * fix linter errors * update docs TODO: documentation for group datasources * add sg docs, update doc index * minor cleanup * fix examples & tests * stub for firewall-level options and rules * extract firewall interface * add firewall options and rules on the cluster level TODO: issues with rule list management * refactor all resources format AGAIN, now more flat, without complex subresources * sort out hierarchy of APIs and remove duplication in API wrappers * bring back security group * finally, working rules * restore cluster firewall option * add containers support * add options * move rules back under security group, update docs * fix vm_id / container_id attrs * add examples * cleanup * more cleanup Release-As: 0.17.0-rc1
492 lines
14 KiB
Go
492 lines
14 KiB
Go
/*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*/
|
|
|
|
package resource
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
|
|
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
|
|
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
|
|
|
|
"github.com/bpg/terraform-provider-proxmox/proxmox"
|
|
"github.com/bpg/terraform-provider-proxmox/proxmox/types"
|
|
"github.com/bpg/terraform-provider-proxmox/proxmoxtf"
|
|
)
|
|
|
|
const (
|
|
dvResourceVirtualEnvironmentUserComment = ""
|
|
dvResourceVirtualEnvironmentUserEmail = ""
|
|
dvResourceVirtualEnvironmentUserEnabled = true
|
|
dvResourceVirtualEnvironmentUserFirstName = ""
|
|
dvResourceVirtualEnvironmentUserKeys = ""
|
|
dvResourceVirtualEnvironmentUserLastName = ""
|
|
|
|
mkResourceVirtualEnvironmentUserACL = "acl"
|
|
mkResourceVirtualEnvironmentUserACLPath = "path"
|
|
mkResourceVirtualEnvironmentUserACLPropagate = "propagate"
|
|
mkResourceVirtualEnvironmentUserACLRoleID = "role_id"
|
|
mkResourceVirtualEnvironmentUserComment = "comment"
|
|
mkResourceVirtualEnvironmentUserEmail = "email"
|
|
mkResourceVirtualEnvironmentUserEnabled = "enabled"
|
|
mkResourceVirtualEnvironmentUserExpirationDate = "expiration_date"
|
|
mkResourceVirtualEnvironmentUserFirstName = "first_name"
|
|
mkResourceVirtualEnvironmentUserGroups = "groups"
|
|
mkResourceVirtualEnvironmentUserKeys = "keys"
|
|
mkResourceVirtualEnvironmentUserLastName = "last_name"
|
|
mkResourceVirtualEnvironmentUserPassword = "password"
|
|
mkResourceVirtualEnvironmentUserUserID = "user_id"
|
|
)
|
|
|
|
func User() *schema.Resource {
|
|
return &schema.Resource{
|
|
Schema: map[string]*schema.Schema{
|
|
mkResourceVirtualEnvironmentUserACL: {
|
|
Type: schema.TypeSet,
|
|
Description: "The access control list",
|
|
Optional: true,
|
|
DefaultFunc: func() (interface{}, error) {
|
|
return []interface{}{}, nil
|
|
},
|
|
Elem: &schema.Resource{
|
|
Schema: map[string]*schema.Schema{
|
|
mkResourceVirtualEnvironmentUserACLPath: {
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
Description: "The path",
|
|
},
|
|
mkResourceVirtualEnvironmentUserACLPropagate: {
|
|
Type: schema.TypeBool,
|
|
Optional: true,
|
|
Description: "Whether to propagate to child paths",
|
|
Default: false,
|
|
},
|
|
mkResourceVirtualEnvironmentUserACLRoleID: {
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
Description: "The role id",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
mkResourceVirtualEnvironmentUserComment: {
|
|
Type: schema.TypeString,
|
|
Description: "The user comment",
|
|
Optional: true,
|
|
Default: dvResourceVirtualEnvironmentUserComment,
|
|
},
|
|
mkResourceVirtualEnvironmentUserEmail: {
|
|
Type: schema.TypeString,
|
|
Description: "The user's email address",
|
|
Optional: true,
|
|
Default: dvResourceVirtualEnvironmentUserEmail,
|
|
},
|
|
mkResourceVirtualEnvironmentUserEnabled: {
|
|
Type: schema.TypeBool,
|
|
Description: "Whether the user account is enabled",
|
|
Optional: true,
|
|
Default: dvResourceVirtualEnvironmentUserEnabled,
|
|
},
|
|
mkResourceVirtualEnvironmentUserExpirationDate: {
|
|
Type: schema.TypeString,
|
|
Description: "The user account's expiration date",
|
|
Optional: true,
|
|
Default: time.Unix(0, 0).UTC().Format(time.RFC3339),
|
|
ValidateFunc: validation.IsRFC3339Time,
|
|
},
|
|
mkResourceVirtualEnvironmentUserFirstName: {
|
|
Type: schema.TypeString,
|
|
Description: "The user's first name",
|
|
Optional: true,
|
|
Default: dvResourceVirtualEnvironmentUserFirstName,
|
|
},
|
|
mkResourceVirtualEnvironmentUserGroups: {
|
|
Type: schema.TypeSet,
|
|
Description: "The user's groups",
|
|
Optional: true,
|
|
DefaultFunc: func() (interface{}, error) {
|
|
return []string{}, nil
|
|
},
|
|
Elem: &schema.Schema{Type: schema.TypeString},
|
|
},
|
|
mkResourceVirtualEnvironmentUserKeys: {
|
|
Type: schema.TypeString,
|
|
Description: "The user's keys",
|
|
Optional: true,
|
|
Default: dvResourceVirtualEnvironmentUserKeys,
|
|
},
|
|
mkResourceVirtualEnvironmentUserLastName: {
|
|
Type: schema.TypeString,
|
|
Description: "The user's last name",
|
|
Optional: true,
|
|
Default: dvResourceVirtualEnvironmentUserLastName,
|
|
},
|
|
mkResourceVirtualEnvironmentUserPassword: {
|
|
Type: schema.TypeString,
|
|
Description: "The user's password",
|
|
Required: true,
|
|
},
|
|
mkResourceVirtualEnvironmentUserUserID: {
|
|
Type: schema.TypeString,
|
|
Description: "The user id",
|
|
Required: true,
|
|
ForceNew: true,
|
|
},
|
|
},
|
|
CreateContext: userCreate,
|
|
ReadContext: userRead,
|
|
UpdateContext: userUpdate,
|
|
DeleteContext: userDelete,
|
|
}
|
|
}
|
|
|
|
func userCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
|
|
config := m.(proxmoxtf.ProviderConfiguration)
|
|
veClient, err := config.GetVEClient()
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
comment := d.Get(mkResourceVirtualEnvironmentUserComment).(string)
|
|
email := d.Get(mkResourceVirtualEnvironmentUserEmail).(string)
|
|
enabled := types.CustomBool(d.Get(mkResourceVirtualEnvironmentUserEnabled).(bool))
|
|
expirationDate, err := time.Parse(
|
|
time.RFC3339,
|
|
d.Get(mkResourceVirtualEnvironmentUserExpirationDate).(string),
|
|
)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
expirationDateCustom := types.CustomTimestamp(expirationDate)
|
|
firstName := d.Get(mkResourceVirtualEnvironmentUserFirstName).(string)
|
|
groups := d.Get(mkResourceVirtualEnvironmentUserGroups).(*schema.Set).List()
|
|
groupsCustom := make([]string, len(groups))
|
|
|
|
for i, v := range groups {
|
|
groupsCustom[i] = v.(string)
|
|
}
|
|
|
|
keys := d.Get(mkResourceVirtualEnvironmentUserKeys).(string)
|
|
lastName := d.Get(mkResourceVirtualEnvironmentUserLastName).(string)
|
|
password := d.Get(mkResourceVirtualEnvironmentUserPassword).(string)
|
|
userID := d.Get(mkResourceVirtualEnvironmentUserUserID).(string)
|
|
|
|
body := &proxmox.VirtualEnvironmentUserCreateRequestBody{
|
|
Comment: &comment,
|
|
Email: &email,
|
|
Enabled: &enabled,
|
|
ExpirationDate: &expirationDateCustom,
|
|
FirstName: &firstName,
|
|
Groups: groupsCustom,
|
|
ID: userID,
|
|
Keys: &keys,
|
|
LastName: &lastName,
|
|
Password: password,
|
|
}
|
|
|
|
err = veClient.CreateUser(ctx, body)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
d.SetId(userID)
|
|
|
|
aclParsed := d.Get(mkResourceVirtualEnvironmentUserACL).(*schema.Set).List()
|
|
|
|
for _, v := range aclParsed {
|
|
aclDelete := types.CustomBool(false)
|
|
aclEntry := v.(map[string]interface{})
|
|
aclPropagate := types.CustomBool(
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPropagate].(bool),
|
|
)
|
|
|
|
aclBody := &proxmox.VirtualEnvironmentACLUpdateRequestBody{
|
|
Delete: &aclDelete,
|
|
Path: aclEntry[mkResourceVirtualEnvironmentUserACLPath].(string),
|
|
Propagate: &aclPropagate,
|
|
Roles: []string{aclEntry[mkResourceVirtualEnvironmentUserACLRoleID].(string)},
|
|
Users: []string{userID},
|
|
}
|
|
|
|
err := veClient.UpdateACL(ctx, aclBody)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
}
|
|
|
|
return userRead(ctx, d, m)
|
|
}
|
|
|
|
func userRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
|
|
config := m.(proxmoxtf.ProviderConfiguration)
|
|
veClient, err := config.GetVEClient()
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
userID := d.Id()
|
|
user, err := veClient.GetUser(ctx, userID)
|
|
if err != nil {
|
|
if strings.Contains(err.Error(), "HTTP 404") {
|
|
d.SetId("")
|
|
|
|
return nil
|
|
}
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
acl, err := veClient.GetACL(ctx)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
var aclParsed []interface{}
|
|
|
|
for _, v := range acl {
|
|
if v.Type == "user" && v.UserOrGroupID == userID {
|
|
aclEntry := map[string]interface{}{}
|
|
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPath] = v.Path
|
|
|
|
if v.Propagate != nil {
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPropagate] = bool(*v.Propagate)
|
|
} else {
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPropagate] = false
|
|
}
|
|
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLRoleID] = v.RoleID
|
|
|
|
aclParsed = append(aclParsed, aclEntry)
|
|
}
|
|
}
|
|
|
|
var diags diag.Diagnostics
|
|
|
|
err = d.Set(mkResourceVirtualEnvironmentUserACL, aclParsed)
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.Comment != nil {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserComment, user.Comment)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserComment, "")
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.Email != nil {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserEmail, user.Email)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserEmail, "")
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.Enabled != nil {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserEnabled, user.Enabled)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserEnabled, true)
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.ExpirationDate != nil {
|
|
err = d.Set(
|
|
mkResourceVirtualEnvironmentUserExpirationDate,
|
|
time.Time(*user.ExpirationDate).Format(time.RFC3339),
|
|
)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserExpirationDate, time.Unix(0, 0).UTC().Format(time.RFC3339))
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.FirstName != nil {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserFirstName, user.FirstName)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserFirstName, "")
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
groups := schema.NewSet(schema.HashString, []interface{}{})
|
|
|
|
if user.Groups != nil {
|
|
for _, v := range *user.Groups {
|
|
groups.Add(v)
|
|
}
|
|
}
|
|
|
|
err = d.Set(mkResourceVirtualEnvironmentUserGroups, groups)
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.Keys != nil {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserKeys, user.Keys)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserKeys, "")
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
if user.LastName != nil {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserLastName, user.LastName)
|
|
} else {
|
|
err = d.Set(mkResourceVirtualEnvironmentUserLastName, "")
|
|
}
|
|
diags = append(diags, diag.FromErr(err)...)
|
|
|
|
return diags
|
|
}
|
|
|
|
func userUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
|
|
config := m.(proxmoxtf.ProviderConfiguration)
|
|
veClient, err := config.GetVEClient()
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
comment := d.Get(mkResourceVirtualEnvironmentUserComment).(string)
|
|
email := d.Get(mkResourceVirtualEnvironmentUserEmail).(string)
|
|
enabled := types.CustomBool(d.Get(mkResourceVirtualEnvironmentUserEnabled).(bool))
|
|
expirationDate, err := time.Parse(
|
|
time.RFC3339,
|
|
d.Get(mkResourceVirtualEnvironmentUserExpirationDate).(string),
|
|
)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
expirationDateCustom := types.CustomTimestamp(expirationDate)
|
|
firstName := d.Get(mkResourceVirtualEnvironmentUserFirstName).(string)
|
|
groups := d.Get(mkResourceVirtualEnvironmentUserGroups).(*schema.Set).List()
|
|
groupsCustom := make([]string, len(groups))
|
|
|
|
for i, v := range groups {
|
|
groupsCustom[i] = v.(string)
|
|
}
|
|
|
|
keys := d.Get(mkResourceVirtualEnvironmentUserKeys).(string)
|
|
lastName := d.Get(mkResourceVirtualEnvironmentUserLastName).(string)
|
|
|
|
body := &proxmox.VirtualEnvironmentUserUpdateRequestBody{
|
|
Comment: &comment,
|
|
Email: &email,
|
|
Enabled: &enabled,
|
|
ExpirationDate: &expirationDateCustom,
|
|
FirstName: &firstName,
|
|
Groups: groupsCustom,
|
|
Keys: &keys,
|
|
LastName: &lastName,
|
|
}
|
|
|
|
userID := d.Id()
|
|
err = veClient.UpdateUser(ctx, userID, body)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
if d.HasChange(mkResourceVirtualEnvironmentUserPassword) {
|
|
password := d.Get(mkResourceVirtualEnvironmentUserPassword).(string)
|
|
err = veClient.ChangeUserPassword(ctx, userID, password)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
}
|
|
|
|
aclArgOld, aclArg := d.GetChange(mkResourceVirtualEnvironmentUserACL)
|
|
aclParsedOld := aclArgOld.(*schema.Set).List()
|
|
|
|
for _, v := range aclParsedOld {
|
|
aclDelete := types.CustomBool(true)
|
|
aclEntry := v.(map[string]interface{})
|
|
aclPropagate := types.CustomBool(
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPropagate].(bool),
|
|
)
|
|
|
|
aclBody := &proxmox.VirtualEnvironmentACLUpdateRequestBody{
|
|
Delete: &aclDelete,
|
|
Path: aclEntry[mkResourceVirtualEnvironmentUserACLPath].(string),
|
|
Propagate: &aclPropagate,
|
|
Roles: []string{aclEntry[mkResourceVirtualEnvironmentUserACLRoleID].(string)},
|
|
Users: []string{userID},
|
|
}
|
|
|
|
err := veClient.UpdateACL(ctx, aclBody)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
}
|
|
|
|
aclParsed := aclArg.(*schema.Set).List()
|
|
|
|
for _, v := range aclParsed {
|
|
aclDelete := types.CustomBool(false)
|
|
aclEntry := v.(map[string]interface{})
|
|
aclPropagate := types.CustomBool(
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPropagate].(bool),
|
|
)
|
|
|
|
aclBody := &proxmox.VirtualEnvironmentACLUpdateRequestBody{
|
|
Delete: &aclDelete,
|
|
Path: aclEntry[mkResourceVirtualEnvironmentUserACLPath].(string),
|
|
Propagate: &aclPropagate,
|
|
Roles: []string{aclEntry[mkResourceVirtualEnvironmentUserACLRoleID].(string)},
|
|
Users: []string{userID},
|
|
}
|
|
|
|
err := veClient.UpdateACL(ctx, aclBody)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
}
|
|
|
|
return userRead(ctx, d, m)
|
|
}
|
|
|
|
func userDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
|
|
config := m.(proxmoxtf.ProviderConfiguration)
|
|
veClient, err := config.GetVEClient()
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
aclParsed := d.Get(mkResourceVirtualEnvironmentUserACL).(*schema.Set).List()
|
|
userID := d.Id()
|
|
|
|
for _, v := range aclParsed {
|
|
aclDelete := types.CustomBool(true)
|
|
aclEntry := v.(map[string]interface{})
|
|
aclPropagate := types.CustomBool(
|
|
aclEntry[mkResourceVirtualEnvironmentUserACLPropagate].(bool),
|
|
)
|
|
|
|
aclBody := &proxmox.VirtualEnvironmentACLUpdateRequestBody{
|
|
Delete: &aclDelete,
|
|
Path: aclEntry[mkResourceVirtualEnvironmentUserACLPath].(string),
|
|
Propagate: &aclPropagate,
|
|
Roles: []string{aclEntry[mkResourceVirtualEnvironmentUserACLRoleID].(string)},
|
|
Users: []string{userID},
|
|
}
|
|
|
|
err := veClient.UpdateACL(ctx, aclBody)
|
|
if err != nil {
|
|
return diag.FromErr(err)
|
|
}
|
|
}
|
|
|
|
err = veClient.DeleteUser(ctx, userID)
|
|
|
|
if err != nil {
|
|
if strings.Contains(err.Error(), "HTTP 404") {
|
|
d.SetId("")
|
|
|
|
return nil
|
|
}
|
|
return diag.FromErr(err)
|
|
}
|
|
|
|
d.SetId("")
|
|
|
|
return nil
|
|
}
|