cpflow 4.0.1 → 4.1.1

data/lib/core/shell.rb

@@ -5,10 +5,6 @@ class Shell
     attr_reader :tmp_stderr, :verbose
   end
 
-  def self.shell
-    @shell ||= Thor::Shell::Color.new
-  end
-
   def self.use_tmp_stderr
     @tmp_stderr = Tempfile.create
 
@@ -35,6 +31,10 @@ class Shell
     shell.yes?("#{message} (y/N)")
   end
 
+  def self.info(message)
+    shell.say(message)
+  end
+
   def self.warn(message)
     Kernel.warn(color("WARNING: #{message}", :yellow))
   end
@@ -97,4 +97,9 @@ class Shell
       exit(ExitCode::INTERRUPT)
     end
   end
+
+  def self.shell
+    @shell ||= Thor::Shell::Color.new
+  end
+  private_class_method :shell
 end

data/lib/core/terraform_config/agent.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Agent < Base
+    attr_reader :name, :description, :tags
+
+    def initialize(name:, description: nil, tags: nil)
+      super()
+
+      @name = name
+      @description = description
+      @tags = tags
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_agent.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_agent, name do
+        argument :name, name
+        argument :description, description, optional: true
+        argument :tags, tags, optional: true
+      end
+    end
+  end
+end

data/lib/core/terraform_config/audit_context.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class AuditContext < Base
+    attr_reader :name, :description, :tags
+
+    def initialize(name:, description: nil, tags: nil)
+      super()
+
+      @name = name
+      @description = description
+      @tags = tags
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_audit_context.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_audit_context, name do
+        argument :name, name
+        argument :description, description, optional: true
+        argument :tags, tags, optional: true
+      end
+    end
+  end
+end

data/lib/core/terraform_config/base.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative "dsl"
+
+module TerraformConfig
+  class Base
+    include Dsl
+
+    def importable?
+      false
+    end
+
+    def reference
+      raise NotImplementedError if importable?
+    end
+
+    def to_tf
+      raise NotImplementedError
+    end
+
+    def locals
+      {}
+    end
+  end
+end

data/lib/core/terraform_config/dsl.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  module Dsl
+    extend Forwardable
+
+    EXPRESSION_PATTERN = /(var|local|cpln_\w+)\./.freeze
+
+    def_delegators :current_context, :put, :output
+
+    def block(name, *labels)
+      switch_context do
+        put("#{block_declaration(name, labels)} {\n")
+        yield
+        put("}\n")
+      end
+
+      # There is extra indent for whole output that needs to be removed
+      output.unindent
+    end
+
+    def argument(name, value, optional: false, raw: false)
+      return if value.nil? && optional
+
+      content =
+        if value.is_a?(Hash)
+          operator = raw ? ": " : " = "
+          "{\n#{value.map { |n, v| "#{n}#{operator}#{tf_value(v)}" }.join("\n").indent(2)}\n}\n"
+        else
+          "#{tf_value(value)}\n"
+        end
+
+      # remove quotes from expression values
+      content = content.gsub(/("#{EXPRESSION_PATTERN}.*")/) { ::Regexp.last_match(1)[1...-1] }
+
+      put("#{name} = #{content}", indent: 2)
+    end
+
+    private
+
+    def tf_value(value)
+      value = value.to_s if value.is_a?(Symbol)
+
+      case value
+      when String
+        tf_string_value(value)
+      when Hash
+        tf_hash_value(value)
+      else
+        value
+      end
+    end
+
+    def tf_string_value(value)
+      return value if expression?(value)
+      return "\"#{value}\"" unless value.include?("\n")
+
+      "EOF\n#{value.indent(2)}\nEOF"
+    end
+
+    def tf_hash_value(value)
+      JSON.pretty_generate(value.crush)
+          .gsub(/"(\w+)":/) { "#{::Regexp.last_match(1)}:" } # remove quotes from keys
+    end
+
+    def expression?(value)
+      value.match?(/^#{EXPRESSION_PATTERN}/)
+    end
+
+    def block_declaration(name, labels)
+      result = name.to_s
+      return result unless labels.any?
+
+      result + " #{labels.map { |label| tf_value(label) }.join(' ')}"
+    end
+
+    class Context
+      attr_accessor :output
+
+      def initialize
+        @output = ""
+      end
+
+      def put(content, indent: 0)
+        @output += content.to_s.indent(indent)
+      end
+    end
+
+    def switch_context
+      old_context = current_context
+      @current_context = Context.new
+      yield
+    ensure
+      old_context.put(current_context.output, indent: 2)
+      @current_context = old_context
+    end
+
+    def current_context
+      @current_context ||= Context.new
+    end
+  end
+end

data/lib/core/terraform_config/generator.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Generator # rubocop:disable Metrics/ClassLength
+    SUPPORTED_TEMPLATE_KINDS = %w[gvc secret identity policy volumeset workload auditctx agent].freeze
+    WORKLOAD_SPEC_KEYS = %i[
+      type
+      containers
+      identity_link
+      default_options
+      local_options
+      rollout_options
+      security_options
+      load_balancer
+      firewall_config
+      support_dynamic_tags
+      job
+    ].freeze
+
+    class InvalidTemplateError < ArgumentError; end
+
+    attr_reader :config, :template
+
+    def initialize(config:, template:)
+      @config = config
+      @template = template.deep_underscore_keys.deep_symbolize_keys
+      validate_template_kind!
+    end
+
+    def tf_configs
+      tf_config.locals.merge(filename => tf_config)
+    end
+
+    private
+
+    def validate_template_kind!
+      return if SUPPORTED_TEMPLATE_KINDS.include?(kind)
+
+      raise InvalidTemplateError, "Unsupported template kind: #{kind}"
+    end
+
+    def filename
+      case kind
+      when "gvc"
+        "gvc.tf"
+      when "workload"
+        "#{template[:name]}.tf"
+      when "auditctx"
+        "audit_contexts.tf"
+      else
+        "#{kind.pluralize}.tf"
+      end
+    end
+
+    def tf_config
+      @tf_config ||= config_class.new(**config_params)
+    end
+
+    def config_class
+      case kind
+      when "volumeset"
+        TerraformConfig::VolumeSet
+      when "auditctx"
+        TerraformConfig::AuditContext
+      else
+        TerraformConfig.const_get(kind.capitalize)
+      end
+    end
+
+    def config_params
+      send("#{kind}_config_params")
+    end
+
+    def gvc_config_params
+      template
+        .slice(:name, :description, :tags)
+        .merge(
+          env: gvc_env,
+          pull_secrets: gvc_pull_secrets,
+          locations: gvc_locations,
+          domain: template.dig(:spec, :domain),
+          load_balancer: template.dig(:spec, :load_balancer)
+        )
+    end
+
+    def identity_config_params
+      template.slice(:name, :description, :tags).merge(gvc: gvc)
+    end
+
+    def secret_config_params
+      template.slice(:name, :description, :type, :data, :tags)
+    end
+
+    def policy_config_params
+      template
+        .slice(:name, :description, :tags, :target, :target_kind, :target_query)
+        .merge(gvc: gvc, target_links: policy_target_links, bindings: policy_bindings)
+    end
+
+    def volumeset_config_params
+      specs = %i[
+        initial_capacity
+        performance_class
+        file_system_type
+        storage_class_suffix
+        snapshots
+        autoscaling
+      ].to_h { |key| [key, template.dig(:spec, key)] }
+
+      template.slice(:name, :description, :tags).merge(gvc: gvc).merge(specs)
+    end
+
+    def auditctx_config_params
+      template.slice(:name, :description, :tags)
+    end
+
+    def agent_config_params
+      template.slice(:name, :description, :tags)
+    end
+
+    def workload_config_params
+      template
+        .slice(:name, :description, :tags)
+        .merge(gvc: gvc)
+        .merge(workload_spec_params)
+    end
+
+    def workload_spec_params # rubocop:disable Metrics/MethodLength
+      WORKLOAD_SPEC_KEYS.to_h do |key|
+        arg_name =
+          case key
+          when :default_options then :options
+          when :firewall_config then :firewall_spec
+          else key
+          end
+
+        value = template.dig(:spec, key)
+
+        if value
+          case key
+          when :local_options
+            value[:location] = value.delete(:location).split("/").last
+          when :security_options
+            value[:file_system_group_id] = value.delete(:filesystem_group_id)
+          end
+        end
+
+        [arg_name, value]
+      end
+    end
+
+    # GVC name matches application name
+    def gvc
+      "cpln_gvc.#{config.app}.name"
+    end
+
+    def gvc_pull_secrets
+      template.dig(:spec, :pull_secret_links)&.map { |secret_link| "cpln_secret.#{secret_link.split('/').last}.name" }
+    end
+
+    def gvc_env
+      template.dig(:spec, :env).to_h { |env_var| [env_var[:name], env_var[:value]] }
+    end
+
+    def gvc_locations
+      template.dig(:spec, :static_placement, :location_links)&.map { |location_link| location_link.split("/").last }
+    end
+
+    def policy_target_links
+      template[:target_links]&.map { |target_link| target_link.split("/").last }
+    end
+
+    def policy_bindings
+      template[:bindings]&.map do |data|
+        principal_links = data.delete(:principal_links)&.map { |link| link.delete_prefix("//") }
+        data.merge(principal_links: principal_links)
+      end
+    end
+
+    def kind
+      @kind ||= template[:kind]
+    end
+  end
+end

data/lib/core/terraform_config/gvc.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Gvc < Base
+    attr_reader :name, :description, :tags, :domain, :locations, :pull_secrets, :env, :load_balancer
+
+    def initialize( # rubocop:disable Metrics/ParameterLists
+      name:,
+      description: nil,
+      tags: nil,
+      domain: nil,
+      locations: nil,
+      pull_secrets: nil,
+      env: nil,
+      load_balancer: nil
+    )
+      super()
+
+      @name = name
+      @description = description
+      @tags = tags
+      @domain = domain
+      @locations = locations
+      @pull_secrets = pull_secrets
+      @env = env
+      @load_balancer = load_balancer&.deep_underscore_keys&.deep_symbolize_keys
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_gvc.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_gvc, name do
+        argument :name, name
+        argument :description, description, optional: true
+        argument :tags, tags, optional: true
+
+        argument :domain, domain, optional: true
+        argument :locations, locations, optional: true
+        argument :pull_secrets, pull_secrets, optional: true
+        argument :env, env, optional: true
+
+        load_balancer_tf
+      end
+    end
+
+    private
+
+    def load_balancer_tf
+      return if load_balancer.nil?
+
+      block :load_balancer do
+        argument :dedicated, load_balancer.fetch(:dedicated)
+        argument :trusted_proxies, load_balancer.fetch(:trusted_proxies, nil), optional: true
+      end
+    end
+  end
+end

data/lib/core/terraform_config/identity.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Identity < Base
+    attr_reader :gvc, :name, :description, :tags
+
+    def initialize(gvc:, name:, description: nil, tags: nil)
+      super()
+
+      @gvc = gvc
+      @name = name
+      @description = description
+      @tags = tags
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_identity.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_identity, name do
+        argument :gvc, gvc
+
+        argument :name, name
+        argument :description, description, optional: true
+
+        argument :tags, tags, optional: true
+      end
+    end
+  end
+end

data/lib/core/terraform_config/local_variable.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class LocalVariable < Base
+    VARIABLE_NAME_REGEX = /\A[a-zA-Z][a-zA-Z0-9_]*\z/.freeze
+
+    attr_reader :variables
+
+    def initialize(**variables)
+      super()
+
+      @variables = variables
+      validate_variables!
+    end
+
+    def to_tf
+      block :locals do
+        variables.each do |var, value|
+          argument var, value
+        end
+      end
+    end
+
+    private
+
+    def validate_variables!
+      raise ArgumentError, "Variables cannot be empty" if variables.empty?
+    end
+  end
+end

data/lib/core/terraform_config/policy.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Policy < Base # rubocop:disable Metrics/ClassLength
+    TARGET_KINDS = %w[
+      agent auditctx cloudaccount domain group gvc identity image ipset kubernetes location
+      org policy quota secret serviceaccount task user volumeset workload
+    ].freeze
+
+    GVC_REQUIRED_TARGET_KINDS = %w[identity workload volumeset].freeze
+
+    attr_reader :name, :description, :tags, :target_kind, :gvc, :target, :target_links, :target_query, :bindings
+
+    def initialize( # rubocop:disable Metrics/ParameterLists, Metrics/MethodLength
+      name:,
+      description: nil,
+      tags: nil,
+      target_kind: nil,
+      gvc: nil,
+      target: nil,
+      target_links: nil,
+      target_query: nil,
+      bindings: nil
+    )
+      super()
+
+      @name = name
+      @description = description
+      @tags = tags
+
+      @target_kind = target_kind
+      validate_target_kind!
+
+      @gvc = gvc
+      validate_gvc!
+
+      @target = target
+      @target_links = target_links
+
+      @target_query = target_query&.deep_underscore_keys&.deep_symbolize_keys
+      @bindings = bindings&.map { |data| data.deep_underscore_keys.deep_symbolize_keys }
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_policy.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_policy, name do
+        argument :name, name
+
+        %i[description tags target_kind gvc target target_links].each do |arg_name|
+          argument arg_name, send(arg_name), optional: true
+        end
+
+        bindings_tf
+        target_query_tf
+      end
+    end
+
+    private
+
+    def validate_target_kind!
+      return if target_kind.nil? || TARGET_KINDS.include?(target_kind.to_s)
+
+      raise ArgumentError, "Invalid target kind given - #{target_kind}"
+    end
+
+    def validate_gvc!
+      return unless GVC_REQUIRED_TARGET_KINDS.include?(target_kind.to_s) && gvc.nil?
+
+      raise ArgumentError, "`gvc` is required for `#{target_kind}` target kind"
+    end
+
+    def bindings_tf
+      return if bindings.nil?
+
+      bindings.each do |binding_data|
+        block :binding do
+          argument :permissions, binding_data.fetch(:permissions, nil), optional: true
+          argument :principal_links, binding_data.fetch(:principal_links, nil), optional: true
+        end
+      end
+    end
+
+    def target_query_tf
+      return if target_query.nil?
+
+      fetch_type = target_query.fetch(:fetch, nil)
+      validate_fetch_type!(fetch_type) if fetch_type
+
+      block :target_query do
+        argument :fetch, fetch_type, optional: true
+        target_query_spec_tf
+      end
+    end
+
+    def validate_fetch_type!(fetch_type)
+      return if %w[links items].include?(fetch_type.to_s)
+
+      raise ArgumentError, "Invalid fetch type - #{fetch_type}. Should be either `links` or `items`"
+    end
+
+    def target_query_spec_tf
+      spec = target_query.fetch(:spec, nil)
+      return if spec.nil?
+
+      match_type = spec.fetch(:match, nil)
+      validate_match_type!(match_type) if match_type
+
+      block :spec do
+        argument :match, match_type, optional: true
+
+        target_query_spec_terms_tf(spec)
+      end
+    end
+
+    def validate_match_type!(match_type)
+      return if %w[all any none].include?(match_type.to_s)
+
+      raise ArgumentError, "Invalid match type - #{match_type}. Should be either `all`, `any` or `none`"
+    end
+
+    def target_query_spec_terms_tf(spec)
+      terms = spec.fetch(:terms, nil)
+      return if terms.nil?
+
+      terms.each do |term|
+        validate_term!(term)
+
+        block :terms do
+          %i[op property rel tag value].each do |arg_name|
+            argument arg_name, term.fetch(arg_name, nil), optional: true
+          end
+        end
+      end
+    end
+
+    def validate_term!(term)
+      return if (%i[property rel tag] & term.keys).count == 1
+
+      raise ArgumentError,
+            "Each term in `target_query.spec.terms` must contain exactly one of the following attributes: " \
+            "`property`, `rel`, or `tag`."
+    end
+  end
+end

data/lib/core/terraform_config/provider.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Provider < Base
+    attr_reader :name, :options
+
+    def initialize(name:, **options)
+      super()
+
+      @name = name
+      @options = options
+    end
+
+    def to_tf
+      block :provider, name do
+        options.each do |option, value|
+          argument option, value
+        end
+      end
+    end
+  end
+end