Extend valid resources for project-scoped role policy (#207)

* build(deps): bump argo-cd to v2.4.12 from v2.3.0

Support for `ksonnet` was dropped in ArgoCD 2.4. As such, this has been removed from the `argocd_application` resource in this provider as well.

* tests: bump default Kubernetes version to `1.23.12`

`1.19` is long past EOL so we should upgrade the default cluster version. I did consider `1.22` but as this is approaching EOL in 1 month (https://kubernetes.io/releases/), I figured we may as well jump straight to `1.23`.

* tests: bump default ArgoCD version to `2.1.10`

Aligns with the minimum version run by the GitHub Actions.

* feat: extend valid resources for project-scope role policy 

Ensures that role policy can be provisioned for clusters, repositories, exec and logs.

* build(deps): bump `go` to `1.17` from `1.16`

Resolves following build error resulting from dependency updates:

```
../../../go/pkg/mod/github.com/argoproj/argo-cd/[email protected]/pkg/apiclient/apiclient.go:53:2: //go:build comment without // +build comment
```

* build: bump `codeql` actions to `v2`

Spotted a warning at https://github.com/oboukili/terraform-provider-argocd/actions/runs/3151063925/jobs/5124563560 and have upgraded as per https://github.blog/changelog/2022-04-27-code-scanning-deprecation-of-codeql-action-v1/

* build: drop tests for ArgoCD `2.1` and `2.2`

Minimum supported version is now `2.3.x` as per ArgoCD itself.

* tests: add tests for migration of application schema to v2

* chore: update scripts/testacc_prepare_env.sh

Co-authored-by: Olivier Boukili <[email protected]>

* refactor: use `rbacpolicy` for policy action/resource names

Co-authored-by: Olivier Boukili <[email protected]>

Author: onematchfox

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/release.yml

@@ -17,7 +17,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.16
+        go-version: 1.17
 
     - name: Import GPG key
       id: import_gpg

.github/workflows/tests.yml

@@ -14,12 +14,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        argocd_version: ["v2.3.0", "v2.2.5", "v2.1.10"]
+        argocd_version: ["v2.4.12", "v2.3.9"]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v1
         with:
-          go-version: 1.16
+          go-version: 1.17
         id: go
       - name: Restore Go cache
         uses: actions/cache@v1

argocd/features.go

@@ -28,20 +28,20 @@ const (
 	featureClusterMetadata
 	featureRepositoryCertificates
 	featureApplicationHelmSkipCrds
+	featureExecLogsPolicy
 )
 
-var (
-	featureVersionConstraintsMap = map[int]*semver.Version{
-		featureApplicationLevelSyncOptions: semver.MustParse("1.5.0"),
-		featureIgnoreDiffJQPathExpressions: semver.MustParse("2.1.0"),
-		featureRepositoryGet:               semver.MustParse("1.6.0"),
-		featureTokenIDs:                    semver.MustParse("1.5.3"),
-		featureProjectScopedClusters:       semver.MustParse("2.2.0"),
-		featureClusterMetadata:             semver.MustParse("2.2.0"),
-		featureRepositoryCertificates:      semver.MustParse("1.2.0"),
-		featureApplicationHelmSkipCrds:     semver.MustParse("2.3.0"),
-	}
-)
+var featureVersionConstraintsMap = map[int]*semver.Version{
+	featureApplicationLevelSyncOptions: semver.MustParse("1.5.0"),
+	featureIgnoreDiffJQPathExpressions: semver.MustParse("2.1.0"),
+	featureRepositoryGet:               semver.MustParse("1.6.0"),
+	featureTokenIDs:                    semver.MustParse("1.5.3"),
+	featureProjectScopedClusters:       semver.MustParse("2.2.0"),
+	featureClusterMetadata:             semver.MustParse("2.2.0"),
+	featureRepositoryCertificates:      semver.MustParse("1.2.0"),
+	featureApplicationHelmSkipCrds:     semver.MustParse("2.3.0"),
+	featureExecLogsPolicy:              semver.MustParse("2.4.0"),
+}
 
 type ServerInterface struct {
 	ApiClient            *apiclient.Client

argocd/resource_argocd_application.go

@@ -27,7 +27,7 @@ func resourceArgoCDApplication() *schema.Resource {
 		},
 		Schema: map[string]*schema.Schema{
 			"metadata": metadataSchema("applications.argoproj.io"),
-			"spec":     applicationSpecSchemaV1(),
+			"spec":     applicationSpecSchemaV2(),
 			"wait": {
 				Type:        schema.TypeBool,
 				Description: "Upon application creation or update, wait for application health/sync status to be healthy/Synced, upon application deletion, wait for application to be removed, when set to true.",
@@ -41,13 +41,18 @@ func resourceArgoCDApplication() *schema.Resource {
 				Default:     true,
 			},
 		},
-		SchemaVersion: 1,
+		SchemaVersion: 2,
 		StateUpgraders: []schema.StateUpgrader{
 			{
 				Type:    resourceArgoCDApplicationV0().CoreConfigSchema().ImpliedType(),
 				Upgrade: resourceArgoCDApplicationStateUpgradeV0,
 				Version: 0,
 			},
+			{
+				Type:    resourceArgoCDApplicationV1().CoreConfigSchema().ImpliedType(),
+				Upgrade: resourceArgoCDApplicationStateUpgradeV1,
+				Version: 1,
+			},
 		},
 		Timeouts: &schema.ResourceTimeout{
 			Create: schema.DefaultTimeout(5 * time.Minute),
@@ -174,8 +179,7 @@ func resourceArgoCDApplicationCreate(ctx context.Context, d *schema.ResourceData
 	}
 
 	app, err = c.Create(ctx, &applicationClient.ApplicationCreateRequest{
-		Application: application.Application{
-
+		Application: &application.Application{
 			ObjectMeta: objectMeta,
 			Spec:       spec,
 			TypeMeta: metav1.TypeMeta{
@@ -299,7 +303,8 @@ func resourceArgoCDApplicationUpdate(ctx context.Context, d *schema.ResourceData
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
-			}}
+			},
+		}
 
 		featureApplicationLevelSyncOptionsSupported, err := server.isFeatureSupported(featureApplicationLevelSyncOptions)
 		if err != nil {

argocd/resource_argocd_cluster_test.go

@@ -34,7 +34,7 @@ func TestAccArgoCDCluster(t *testing.T) {
 					resource.TestCheckResourceAttr(
 						"argocd_cluster.simple",
 						"info.0.server_version",
-						"1.19",
+						"1.23",
 					),
 					resource.TestCheckResourceAttr(
 						"argocd_cluster.simple",
@@ -48,7 +48,7 @@ func TestAccArgoCDCluster(t *testing.T) {
 					),
 				),
 			},
-			//TODO: not working on CI every time
+			// TODO: not working on CI every time
 			// {
 			// 	ResourceName:            "argocd_cluster.simple",
 			// 	ImportState:             true,
@@ -66,7 +66,7 @@ func TestAccArgoCDCluster(t *testing.T) {
 					resource.TestCheckResourceAttr(
 						"argocd_cluster.tls",
 						"info.0.server_version",
-						"1.19",
+						"1.23",
 					),
 					resource.TestCheckResourceAttr(
 						"argocd_cluster.tls",
@@ -104,7 +104,7 @@ func TestAccArgoCDCluster_projectScope(t *testing.T) {
 					),
 				),
 			},
-			//TODO: not working on CI every time
+			// TODO: not working on CI every time
 			// {
 			// 	ResourceName:            "argocd_cluster.project_scope",
 			// 	ImportState:             true,

argocd/resource_argocd_project_test.go

@@ -172,6 +172,56 @@ func TestAccArgoCDProjectUpdateAddRole(t *testing.T) {
 	})
 }
 
+func TestAccArgoCDProjectWithClustersRepositoriesRolePolicy(t *testing.T) {
+	name := acctest.RandomWithPrefix("test-acc")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t); testAccPreCheckFeatureSupported(t, featureProjectScopedClusters) },
+		ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArgoCDProjectWithClustersRepositoriesRolePolicy(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"argocd_project.simple",
+						"metadata.0.uid",
+					),
+				),
+			},
+			{
+				ResourceName:      "argocd_project.simple",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccArgoCDProjectWithLogsExecRolePolicy(t *testing.T) {
+	name := acctest.RandomWithPrefix("test-acc")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t); testAccPreCheckFeatureSupported(t, featureExecLogsPolicy) },
+		ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArgoCDProjectWithExecLogsRolePolicy(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"argocd_project.simple",
+						"metadata.0.uid",
+					),
+				),
+			},
+			{
+				ResourceName:      "argocd_project.simple",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccArgoCDProjectSimple(name string) string {
 	return fmt.Sprintf(`
 resource "argocd_project" "simple" {
@@ -583,3 +633,87 @@ func testAccArgoCDProjectSimpleWithRole(name string) string {
   }
 	`, name, name, name, name, name)
 }
+
+func testAccArgoCDProjectWithClustersRepositoriesRolePolicy(name string) string {
+	return fmt.Sprintf(`
+  resource "argocd_project" "simple" {
+    metadata {
+      name      = "%[1]s"
+      namespace = "argocd"
+      labels = {
+        acceptance = "true"
+      }
+      annotations = {
+        "this.is.a.really.long.nested.key" = "yes, really!"
+      }
+    }
+  
+    spec {
+      description  = "simple project"
+      source_repos = ["*"]
+  
+      destination {
+        name      = "anothercluster"
+        namespace = "bar"
+      }
+      orphaned_resources {
+        warn = true
+        ignore {
+          group = "apps/v1"
+          kind  = "Deployment"
+          name  = "ignored1"
+        }
+      }
+      role {
+        name = "admin"
+        policies = [
+          "p, proj:%[1]s:admin, clusters, get, %[1]s/*, allow",
+          "p, proj:%[1]s:admin, repositories, get, %[1]s/*, allow",
+        ]
+      }
+    }
+  }
+	`, name)
+}
+
+func testAccArgoCDProjectWithExecLogsRolePolicy(name string) string {
+	return fmt.Sprintf(`
+  resource "argocd_project" "simple" {
+    metadata {
+      name      = "%[1]s"
+      namespace = "argocd"
+      labels = {
+        acceptance = "true"
+      }
+      annotations = {
+        "this.is.a.really.long.nested.key" = "yes, really!"
+      }
+    }
+  
+    spec {
+      description  = "simple project"
+      source_repos = ["*"]
+  
+      destination {
+        name      = "anothercluster"
+        namespace = "bar"
+      }
+      orphaned_resources {
+        warn = true
+        ignore {
+          group = "apps/v1"
+          kind  = "Deployment"
+          name  = "ignored1"
+        }
+      }
+      role {
+        name = "admin"
+        policies = [
+          "p, proj:%[1]s:admin, exec, create, %[1]s/*, allow",
+          "p, proj:%[1]s:admin, logs, get, %[1]s/*, allow",
+        ]
+      }
+    }
+  }
+	`, name)
+}