cpflow 4.1.0 → 4.1.1

data/lib/core/terraform_config/generator.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Generator # rubocop:disable Metrics/ClassLength
+    SUPPORTED_TEMPLATE_KINDS = %w[gvc secret identity policy volumeset workload auditctx agent].freeze
+    WORKLOAD_SPEC_KEYS = %i[
+      type
+      containers
+      identity_link
+      default_options
+      local_options
+      rollout_options
+      security_options
+      load_balancer
+      firewall_config
+      support_dynamic_tags
+      job
+    ].freeze
+
+    class InvalidTemplateError < ArgumentError; end
+
+    attr_reader :config, :template
+
+    def initialize(config:, template:)
+      @config = config
+      @template = template.deep_underscore_keys.deep_symbolize_keys
+      validate_template_kind!
+    end
+
+    def tf_configs
+      tf_config.locals.merge(filename => tf_config)
+    end
+
+    private
+
+    def validate_template_kind!
+      return if SUPPORTED_TEMPLATE_KINDS.include?(kind)
+
+      raise InvalidTemplateError, "Unsupported template kind: #{kind}"
+    end
+
+    def filename
+      case kind
+      when "gvc"
+        "gvc.tf"
+      when "workload"
+        "#{template[:name]}.tf"
+      when "auditctx"
+        "audit_contexts.tf"
+      else
+        "#{kind.pluralize}.tf"
+      end
+    end
+
+    def tf_config
+      @tf_config ||= config_class.new(**config_params)
+    end
+
+    def config_class
+      case kind
+      when "volumeset"
+        TerraformConfig::VolumeSet
+      when "auditctx"
+        TerraformConfig::AuditContext
+      else
+        TerraformConfig.const_get(kind.capitalize)
+      end
+    end
+
+    def config_params
+      send("#{kind}_config_params")
+    end
+
+    def gvc_config_params
+      template
+        .slice(:name, :description, :tags)
+        .merge(
+          env: gvc_env,
+          pull_secrets: gvc_pull_secrets,
+          locations: gvc_locations,
+          domain: template.dig(:spec, :domain),
+          load_balancer: template.dig(:spec, :load_balancer)
+        )
+    end
+
+    def identity_config_params
+      template.slice(:name, :description, :tags).merge(gvc: gvc)
+    end
+
+    def secret_config_params
+      template.slice(:name, :description, :type, :data, :tags)
+    end
+
+    def policy_config_params
+      template
+        .slice(:name, :description, :tags, :target, :target_kind, :target_query)
+        .merge(gvc: gvc, target_links: policy_target_links, bindings: policy_bindings)
+    end
+
+    def volumeset_config_params
+      specs = %i[
+        initial_capacity
+        performance_class
+        file_system_type
+        storage_class_suffix
+        snapshots
+        autoscaling
+      ].to_h { |key| [key, template.dig(:spec, key)] }
+
+      template.slice(:name, :description, :tags).merge(gvc: gvc).merge(specs)
+    end
+
+    def auditctx_config_params
+      template.slice(:name, :description, :tags)
+    end
+
+    def agent_config_params
+      template.slice(:name, :description, :tags)
+    end
+
+    def workload_config_params
+      template
+        .slice(:name, :description, :tags)
+        .merge(gvc: gvc)
+        .merge(workload_spec_params)
+    end
+
+    def workload_spec_params # rubocop:disable Metrics/MethodLength
+      WORKLOAD_SPEC_KEYS.to_h do |key|
+        arg_name =
+          case key
+          when :default_options then :options
+          when :firewall_config then :firewall_spec
+          else key
+          end
+
+        value = template.dig(:spec, key)
+
+        if value
+          case key
+          when :local_options
+            value[:location] = value.delete(:location).split("/").last
+          when :security_options
+            value[:file_system_group_id] = value.delete(:filesystem_group_id)
+          end
+        end
+
+        [arg_name, value]
+      end
+    end
+
+    # GVC name matches application name
+    def gvc
+      "cpln_gvc.#{config.app}.name"
+    end
+
+    def gvc_pull_secrets
+      template.dig(:spec, :pull_secret_links)&.map { |secret_link| "cpln_secret.#{secret_link.split('/').last}.name" }
+    end
+
+    def gvc_env
+      template.dig(:spec, :env).to_h { |env_var| [env_var[:name], env_var[:value]] }
+    end
+
+    def gvc_locations
+      template.dig(:spec, :static_placement, :location_links)&.map { |location_link| location_link.split("/").last }
+    end
+
+    def policy_target_links
+      template[:target_links]&.map { |target_link| target_link.split("/").last }
+    end
+
+    def policy_bindings
+      template[:bindings]&.map do |data|
+        principal_links = data.delete(:principal_links)&.map { |link| link.delete_prefix("//") }
+        data.merge(principal_links: principal_links)
+      end
+    end
+
+    def kind
+      @kind ||= template[:kind]
+    end
+  end
+end

data/lib/core/terraform_config/gvc.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Gvc < Base
+    attr_reader :name, :description, :tags, :domain, :locations, :pull_secrets, :env, :load_balancer
+
+    def initialize( # rubocop:disable Metrics/ParameterLists
+      name:,
+      description: nil,
+      tags: nil,
+      domain: nil,
+      locations: nil,
+      pull_secrets: nil,
+      env: nil,
+      load_balancer: nil
+    )
+      super()
+
+      @name = name
+      @description = description
+      @tags = tags
+      @domain = domain
+      @locations = locations
+      @pull_secrets = pull_secrets
+      @env = env
+      @load_balancer = load_balancer&.deep_underscore_keys&.deep_symbolize_keys
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_gvc.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_gvc, name do
+        argument :name, name
+        argument :description, description, optional: true
+        argument :tags, tags, optional: true
+
+        argument :domain, domain, optional: true
+        argument :locations, locations, optional: true
+        argument :pull_secrets, pull_secrets, optional: true
+        argument :env, env, optional: true
+
+        load_balancer_tf
+      end
+    end
+
+    private
+
+    def load_balancer_tf
+      return if load_balancer.nil?
+
+      block :load_balancer do
+        argument :dedicated, load_balancer.fetch(:dedicated)
+        argument :trusted_proxies, load_balancer.fetch(:trusted_proxies, nil), optional: true
+      end
+    end
+  end
+end

data/lib/core/terraform_config/identity.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Identity < Base
+    attr_reader :gvc, :name, :description, :tags
+
+    def initialize(gvc:, name:, description: nil, tags: nil)
+      super()
+
+      @gvc = gvc
+      @name = name
+      @description = description
+      @tags = tags
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_identity.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_identity, name do
+        argument :gvc, gvc
+
+        argument :name, name
+        argument :description, description, optional: true
+
+        argument :tags, tags, optional: true
+      end
+    end
+  end
+end

data/lib/core/terraform_config/local_variable.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class LocalVariable < Base
+    VARIABLE_NAME_REGEX = /\A[a-zA-Z][a-zA-Z0-9_]*\z/.freeze
+
+    attr_reader :variables
+
+    def initialize(**variables)
+      super()
+
+      @variables = variables
+      validate_variables!
+    end
+
+    def to_tf
+      block :locals do
+        variables.each do |var, value|
+          argument var, value
+        end
+      end
+    end
+
+    private
+
+    def validate_variables!
+      raise ArgumentError, "Variables cannot be empty" if variables.empty?
+    end
+  end
+end

data/lib/core/terraform_config/policy.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Policy < Base # rubocop:disable Metrics/ClassLength
+    TARGET_KINDS = %w[
+      agent auditctx cloudaccount domain group gvc identity image ipset kubernetes location
+      org policy quota secret serviceaccount task user volumeset workload
+    ].freeze
+
+    GVC_REQUIRED_TARGET_KINDS = %w[identity workload volumeset].freeze
+
+    attr_reader :name, :description, :tags, :target_kind, :gvc, :target, :target_links, :target_query, :bindings
+
+    def initialize( # rubocop:disable Metrics/ParameterLists, Metrics/MethodLength
+      name:,
+      description: nil,
+      tags: nil,
+      target_kind: nil,
+      gvc: nil,
+      target: nil,
+      target_links: nil,
+      target_query: nil,
+      bindings: nil
+    )
+      super()
+
+      @name = name
+      @description = description
+      @tags = tags
+
+      @target_kind = target_kind
+      validate_target_kind!
+
+      @gvc = gvc
+      validate_gvc!
+
+      @target = target
+      @target_links = target_links
+
+      @target_query = target_query&.deep_underscore_keys&.deep_symbolize_keys
+      @bindings = bindings&.map { |data| data.deep_underscore_keys.deep_symbolize_keys }
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_policy.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_policy, name do
+        argument :name, name
+
+        %i[description tags target_kind gvc target target_links].each do |arg_name|
+          argument arg_name, send(arg_name), optional: true
+        end
+
+        bindings_tf
+        target_query_tf
+      end
+    end
+
+    private
+
+    def validate_target_kind!
+      return if target_kind.nil? || TARGET_KINDS.include?(target_kind.to_s)
+
+      raise ArgumentError, "Invalid target kind given - #{target_kind}"
+    end
+
+    def validate_gvc!
+      return unless GVC_REQUIRED_TARGET_KINDS.include?(target_kind.to_s) && gvc.nil?
+
+      raise ArgumentError, "`gvc` is required for `#{target_kind}` target kind"
+    end
+
+    def bindings_tf
+      return if bindings.nil?
+
+      bindings.each do |binding_data|
+        block :binding do
+          argument :permissions, binding_data.fetch(:permissions, nil), optional: true
+          argument :principal_links, binding_data.fetch(:principal_links, nil), optional: true
+        end
+      end
+    end
+
+    def target_query_tf
+      return if target_query.nil?
+
+      fetch_type = target_query.fetch(:fetch, nil)
+      validate_fetch_type!(fetch_type) if fetch_type
+
+      block :target_query do
+        argument :fetch, fetch_type, optional: true
+        target_query_spec_tf
+      end
+    end
+
+    def validate_fetch_type!(fetch_type)
+      return if %w[links items].include?(fetch_type.to_s)
+
+      raise ArgumentError, "Invalid fetch type - #{fetch_type}. Should be either `links` or `items`"
+    end
+
+    def target_query_spec_tf
+      spec = target_query.fetch(:spec, nil)
+      return if spec.nil?
+
+      match_type = spec.fetch(:match, nil)
+      validate_match_type!(match_type) if match_type
+
+      block :spec do
+        argument :match, match_type, optional: true
+
+        target_query_spec_terms_tf(spec)
+      end
+    end
+
+    def validate_match_type!(match_type)
+      return if %w[all any none].include?(match_type.to_s)
+
+      raise ArgumentError, "Invalid match type - #{match_type}. Should be either `all`, `any` or `none`"
+    end
+
+    def target_query_spec_terms_tf(spec)
+      terms = spec.fetch(:terms, nil)
+      return if terms.nil?
+
+      terms.each do |term|
+        validate_term!(term)
+
+        block :terms do
+          %i[op property rel tag value].each do |arg_name|
+            argument arg_name, term.fetch(arg_name, nil), optional: true
+          end
+        end
+      end
+    end
+
+    def validate_term!(term)
+      return if (%i[property rel tag] & term.keys).count == 1
+
+      raise ArgumentError,
+            "Each term in `target_query.spec.terms` must contain exactly one of the following attributes: " \
+            "`property`, `rel`, or `tag`."
+    end
+  end
+end

data/lib/core/terraform_config/provider.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Provider < Base
+    attr_reader :name, :options
+
+    def initialize(name:, **options)
+      super()
+
+      @name = name
+      @options = options
+    end
+
+    def to_tf
+      block :provider, name do
+        options.each do |option, value|
+          argument option, value
+        end
+      end
+    end
+  end
+end

data/lib/core/terraform_config/required_provider.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class RequiredProvider < Base
+    attr_reader :name, :org, :options
+
+    def initialize(name:, org:, **options)
+      super()
+
+      @name = name
+      @org = org
+      @options = options
+    end
+
+    def to_tf
+      block :terraform do
+        block :required_providers do
+          argument name, options
+        end
+      end
+    end
+  end
+end

data/lib/core/terraform_config/secret.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+module TerraformConfig
+  class Secret < Base # rubocop:disable Metrics/ClassLength
+    REQUIRED_DATA_KEYS = {
+      "aws" => %i[secret_key access_key],
+      "azure-connector" => %i[url code],
+      "ecr" => %i[secret_key access_key repos],
+      "keypair" => %i[secret_key],
+      "nats-account" => %i[account_id private_key],
+      "opaque" => %i[payload],
+      "tls" => %i[key cert],
+      "userpass" => %i[username password],
+      "dictionary" => []
+    }.freeze
+
+    attr_reader :name, :type, :data, :description, :tags
+
+    def initialize(name:, type:, data:, description: nil, tags: nil)
+      super()
+
+      @name = name
+      @type = type
+      @description = description
+      @tags = tags
+      @data = prepare_data(type: type, data: data)
+    end
+
+    def importable?
+      true
+    end
+
+    def reference
+      "cpln_secret.#{name}"
+    end
+
+    def to_tf
+      block :resource, :cpln_secret, name do
+        argument :name, name
+        argument :description, description, optional: true
+        argument :tags, tags, optional: true
+
+        secret_data
+      end
+    end
+
+    private
+
+    def prepare_data(type:, data:)
+      return data unless data.is_a?(Hash)
+
+      data.deep_underscore_keys.deep_symbolize_keys.tap do |prepared_data|
+        validate_required_data_keys!(type: type, data: prepared_data)
+      end
+    end
+
+    def validate_required_data_keys!(type:, data:)
+      required_keys = REQUIRED_DATA_KEYS[type] || []
+      missing_keys = required_keys - data.keys
+      raise ArgumentError, "Missing required data keys for #{type}: #{missing_keys.join(', ')}" if missing_keys.any?
+    end
+
+    def secret_data
+      case type
+      when "azure-sdk", "dictionary", "docker", "gcp"
+        argument type.underscore, data, optional: true
+      when "azure-connector", "aws", "ecr", "keypair", "nats-account", "opaque", "tls", "userpass"
+        send("#{type.underscore}_tf")
+      else
+        raise "Invalid secret type given - #{type}"
+      end
+    end
+
+    def aws_tf
+      aws_based_tf(:aws)
+    end
+
+    def ecr_tf
+      aws_based_tf(:ecr, repos: data.fetch(:repos))
+    end
+
+    def azure_connector_tf
+      block :azure_connector do
+        argument :url, data.fetch(:url)
+        argument :code, data.fetch(:code)
+      end
+    end
+
+    def keypair_tf
+      block :keypair do
+        argument :secret_key, data.fetch(:secret_key)
+        argument :public_key, data.fetch(:public_key, nil), optional: true
+        argument :passphrase, data.fetch(:passphrase, nil), optional: true
+      end
+    end
+
+    def nats_account_tf
+      block :nats_account do
+        argument :account_id, data.fetch(:account_id)
+        argument :private_key, data.fetch(:private_key)
+      end
+    end
+
+    def opaque_tf
+      block :opaque do
+        argument :payload, data.fetch(:payload)
+        argument :encoding, data.fetch(:encoding, nil), optional: true
+      end
+    end
+
+    def tls_tf
+      block :tls do
+        argument :key, data.fetch(:key)
+        argument :cert, data.fetch(:cert)
+        argument :chain, data.fetch(:chain, nil), optional: true
+      end
+    end
+
+    def userpass_tf
+      block :userpass do
+        argument :username, data.fetch(:username)
+        argument :password, data.fetch(:password)
+        argument :encoding, data.fetch(:encoding, nil), optional: true
+      end
+    end
+
+    def aws_based_tf(name, **kwargs)
+      block name do
+        argument :secret_key, data.fetch(:secret_key)
+        argument :access_key, data.fetch(:access_key)
+        argument :role_arn, data.fetch(:role_arn, nil), optional: true
+        argument :external_id, data.fetch(:external_id, nil), optional: true
+
+        kwargs.each { |key, value| argument key, value }
+      end
+    end
+  end
+end