feat: Extend policy validation to support update and delete actions (#522)

* fix(utils.go): allow update and delete actions in validActionPatterns regex

Signed-off-by: pouriyabp <[email protected]>

* Update argocd/utils.go

Co-authored-by: Marco Maurer (-Kilchhofer) <[email protected]>
Signed-off-by: pouriya <[email protected]>

* test: Add test for fine-grained project policies

Signed-off-by: Marco Maurer <[email protected]>

* test: Run TestAccArgoCDProjectWithFineGrainedPolicy only on 2.12+

Signed-off-by: Marco Maurer <[email protected]>

---------

Signed-off-by: pouriyabp <[email protected]>
Signed-off-by: pouriya <[email protected]>
Signed-off-by: Marco Maurer <[email protected]>
Co-authored-by: Marco Maurer (-Kilchhofer) <[email protected]>

Author: pouriyabp

argocd/resource_argocd_project_test.go

@@ -254,6 +254,31 @@ func TestAccArgoCDProjectWithSourceNamespaces(t *testing.T) {
 	})
 }
 
+func TestAccArgoCDProjectWithFineGrainedPolicy(t *testing.T) {
+	name := acctest.RandomWithPrefix("test-acc")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t); testAccPreCheckFeatureSupported(t, features.ProjectFineGrainedPolicy) },
+		ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArgoCDProjectWithFineGrainedPolicy(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"argocd_project.fine_grained_policy",
+						"metadata.0.uid",
+					),
+					resource.TestCheckResourceAttr(
+						"argocd_project.fine_grained_policy",
+						"spec.0.role.0.policies.#",
+						"2",
+					),
+				),
+			},
+		},
+	})
+}
+
 func testAccArgoCDProjectSimple(name string) string {
 	return fmt.Sprintf(`
 resource "argocd_project" "simple" {
@@ -834,3 +859,35 @@ resource "argocd_project" "failure" {
 }
   `, name, name, name)
 }
+
+func testAccArgoCDProjectWithFineGrainedPolicy(name string) string {
+	return fmt.Sprintf(`
+  resource "argocd_project" "fine_grained_policy" {
+    metadata {
+      name      = "%[1]s"
+      namespace = "argocd"
+      labels = {
+        acceptance = "true"
+      }
+    }
+
+    spec {
+      description  = "simple project with fine-grained policies"
+      source_repos = ["*"]
+
+      destination {
+        server    = "https://kubernetes.default.svc"
+        namespace = "default"
+      }
+
+      role {
+        name = "fine-grained"
+        policies = [
+          "p, proj:%[1]s:fine-grained, applications, update/*, %[1]s/*, allow",
+          "p, proj:%[1]s:fine-grained, applications, delete/*/Pod/*/*, %[1]s/*, allow",
+        ]
+      }
+    }
+  }
+	`, name)
+}

argocd/utils.go

@@ -98,6 +98,8 @@ func isValidPolicyAction(action string) bool {
 	}
 	validActionPatterns := []*regexp.Regexp{
 		regexp.MustCompile("action/.*"),
+		regexp.MustCompile("update/.*"),
+		regexp.MustCompile("delete/.*"),
 	}
 
 	if validActions[action] {

internal/features/features.go

@@ -17,6 +17,7 @@ const (
 	ApplicationSetIgnoreApplicationDifferences
 	ApplicationSetTemplatePatch
 	ApplicationKustomizePatches
+	ProjectFineGrainedPolicy
 )
 
 type FeatureConstraint struct {
@@ -35,4 +36,5 @@ var ConstraintsMap = map[Feature]FeatureConstraint{
 	ApplicationSetIgnoreApplicationDifferences: {"application set ignore application differences", semver.MustParse("2.9.0")},
 	ApplicationSetTemplatePatch:                {"application set template patch", semver.MustParse("2.10.0")},
 	ApplicationKustomizePatches:                {"application kustomize patches", semver.MustParse("2.9.0")},
+	ProjectFineGrainedPolicy:                   {"fine-grained policy in project", semver.MustParse("2.12.0")},
 }