argocd_project: handles orphaned_resources/ignore, signature_keys (#50)

Author: oboukili

.github/workflows/tests.yml

@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        argocd_version: ["v.1.8.3", "v1.7.11", "v1.6.2"]
+        argocd_version: ["v.1.8.3", "v1.7.11"]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v1

README.md

@@ -138,8 +138,19 @@ resource "argocd_project" "myproject" {
       group = "networking.k8s.io"
       kind  = "Ingress"
     }
-    orphaned_resources = {
+    orphaned_resources {
       warn = true
+
+      ignore {
+        group = "apps/v1"
+        kind  = "Deployment"
+        name  = "ignored1"
+      }
+      ignore {
+        group = "apps/v1"
+        kind  = "Deployment"
+        name  = "ignored2"
+      }
     }
     role {
       name = "testrole"
@@ -173,6 +184,10 @@ resource "argocd_project" "myproject" {
       schedule     = "22 1 5 * *"
       manual_sync  = false
     }
+    signature_keys = [
+      "4AEE18F83AFDEB23",
+      "07E34825A909B250"
+    ]
   }
 }
 

argocd/resource_argocd_project_test.go

@@ -151,8 +151,18 @@ resource "argocd_project" "simple" {
       group = "networking.k8s.io"
       kind  = "Ingress"
     }
-    orphaned_resources = {
+    orphaned_resources {
       warn = true
+      ignore {
+        group = "apps/v1"
+        kind  = "Deployment"
+        name  = "ignored1"
+      }
+      ignore {
+        group = "apps/v1"
+        kind  = "Deployment"
+        name  = "ignored2"
+      }
     }
     sync_window {
       kind = "allow"
@@ -172,6 +182,10 @@ resource "argocd_project" "simple" {
       schedule = "22 1 5 * *"
       manual_sync = false
     }
+    signature_keys = [
+      "4AEE18F83AFDEB23",
+      "07E34825A909B250"
+    ]
   }
 }
 	`, name)

argocd/schema_project.go

@@ -70,9 +70,38 @@ func projectSpecSchema() *schema.Schema {
 					},
 				},
 				"orphaned_resources": {
-					Type:     schema.TypeMap,
+					Type:     schema.TypeSet,
 					Optional: true,
-					Elem:     &schema.Schema{Type: schema.TypeBool},
+					MaxItems: 1,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"warn": {
+								Type:     schema.TypeBool,
+								Optional: true,
+							},
+							"ignore": {
+								Type:     schema.TypeSet,
+								Optional: true,
+								Elem: &schema.Resource{
+									Schema: map[string]*schema.Schema{
+										"group": {
+											Type:         schema.TypeString,
+											ValidateFunc: validateGroupName,
+											Optional:     true,
+										},
+										"kind": {
+											Type:     schema.TypeString,
+											Optional: true,
+										},
+										"name": {
+											Type:     schema.TypeString,
+											Optional: true,
+										},
+									},
+								},
+							},
+						},
+					},
 				},
 				"role": {
 					Type:     schema.TypeList,
@@ -106,6 +135,11 @@ func projectSpecSchema() *schema.Schema {
 					Required: true,
 					Elem:     &schema.Schema{Type: schema.TypeString},
 				},
+				"signature_keys": {
+					Type:     schema.TypeList,
+					Optional: true,
+					Elem:     &schema.Schema{Type: schema.TypeString},
+				},
 				"sync_window": {
 					Type:     schema.TypeList,
 					Optional: true,

argocd/structure_project.go

@@ -55,11 +55,24 @@ func expandProjectSpec(d *schema.ResourceData) (
 			spec.SourceRepos = append(spec.SourceRepos, sr.(string))
 		}
 	}
+	if v, ok := s["signature_keys"]; ok {
+		for _, sk := range v.([]interface{}) {
+			spec.SignatureKeys = append(spec.SignatureKeys, application.SignatureKey{
+				KeyID: sk.(string),
+			})
+		}
+	}
 	if v, ok := s["orphaned_resources"]; ok {
-		if _warn, ok := v.(map[string]interface{})["warn"]; ok {
-			warn := _warn.(bool)
-			spec.OrphanedResources = &application.OrphanedResourcesMonitorSettings{
-				Warn: &warn,
+		spec.OrphanedResources = &application.OrphanedResourcesMonitorSettings{}
+		orphanedResources := v.(*schema.Set).List()
+		if len(orphanedResources) > 0 {
+			if _warn, _ok := orphanedResources[0].(map[string]interface{})["warn"]; _ok {
+				warn := _warn.(bool)
+				spec.OrphanedResources.Warn = &warn
+			}
+			if _ignore, _ok := orphanedResources[0].(map[string]interface{})["ignore"]; _ok {
+				ignore := expandOrphanedResourcesIgnore(_ignore.(*schema.Set))
+				spec.OrphanedResources.Ignore = ignore
 			}
 		}
 	}
@@ -91,6 +104,19 @@ func expandProjectSpec(d *schema.ResourceData) (
 	return spec, nil
 }
 
+func expandOrphanedResourcesIgnore(ignore *schema.Set) (
+	result []application.OrphanedResourceKey) {
+	for _, _i := range ignore.List() {
+		i := _i.(map[string]interface{})
+		result = append(result, application.OrphanedResourceKey{
+			Group: i["group"].(string),
+			Kind:  i["kind"].(string),
+			Name:  i["name"].(string),
+		})
+	}
+	return
+}
+
 // Flatten
 
 func flattenProject(p *application.AppProject, d *schema.ResourceData) error {
@@ -118,16 +144,42 @@ func flattenProjectSpec(s application.AppProjectSpec) []map[string]interface{} {
 		"sync_window":                  flattenSyncWindows(s.SyncWindows),
 		"description":                  s.Description,
 		"source_repos":                 s.SourceRepos,
+		"signature_keys":               flattenProjectSignatureKeys(s.SignatureKeys),
 	}
 	return []map[string]interface{}{spec}
 }
 
+func flattenProjectSignatureKeys(keys []application.SignatureKey) (
+	result []string) {
+	for _, key := range keys {
+		result = append(result, key.KeyID)
+	}
+	return
+}
+
 func flattenProjectOrphanedResources(ors *application.OrphanedResourcesMonitorSettings) (
-	result map[string]bool) {
+	result []map[string]interface{}) {
+	r := make(map[string]interface{}, 0)
 	if ors != nil {
-		result = map[string]bool{
-			"warn": *ors.Warn,
+		if ors.Warn != nil {
+			r["warn"] = *ors.Warn
 		}
+		if ors.Ignore != nil {
+			r["ignore"] = flattenProjectOrphanedResourcesIgnore(ors.Ignore)
+			result = append(result, r)
+		}
+	}
+	return
+}
+
+func flattenProjectOrphanedResourcesIgnore(ignore []application.OrphanedResourceKey) (
+	result []map[string]string) {
+	for _, i := range ignore {
+		result = append(result, map[string]string{
+			"group": i.Group,
+			"kind":  i.Kind,
+			"name":  i.Name,
+		})
 	}
 	return
 }

docs/resources/project.md

@@ -45,8 +45,20 @@ resource "argocd_project" "myproject" {
       group = "networking.k8s.io"
       kind  = "Ingress"
     }
-    orphaned_resources = {
+    orphaned_resources {
       warn = true
+
+      ignore {
+        group = "apps/v1"
+        kind  = "Deployment"
+        name  = "ignored1"
+      }
+
+      ignore {
+        group = "apps/v1"
+        kind  = "Deployment"
+        name  = "ignored2"
+      }
     }
     role {
       name = "testrole"
@@ -80,6 +92,10 @@ resource "argocd_project" "myproject" {
       schedule     = "22 1 5 * *"
       manual_sync  = false
     }
+    signature_keys = [
+      "4AEE18F83AFDEB23",
+      "07E34825A909B250"
+    ]
   }
 }
 
@@ -106,13 +122,20 @@ The `spec` block can have the following attributes:
 * `namespace_resource_blacklist` - (Optional) Namespaced-scoped resources allowed to be managed by the project applications, can be repeated multiple times. 
 * `role` - (Optional) can be repeated multiple times. 
 * `sync_window` - (Optional) can be repeated multiple times. 
+* `signature_keys` - (Optional) list of PGP key IDs strings that commits to be synced to must be signed with.
 
 Each `cluster_resource_whitelist` block can have the following attributes:
 * `group` - (Optional) The Kubernetes resource Group to match for.
 * `kind` - (Optional) The Kubernetes resource Kind to match for.
 
-The `orphaned_resources` map can have the following attributes:
-* `warn` - Boolean, defaults to `false`.
+The `orphaned_resources` block can have the following attributes:
+* `warn` - (Optional) Boolean, defaults to `false`.
+* `ignore` - (Optional), set of map of strings, specifies which Group/Kind/Name resource(s) to ignore. Can be repeated multiple times. Structure is documented below.
+
+Each `orphaned_resources/ignore` block can have the following attributes:
+* `group` - (Optional) The Kubernetes resource Group to match for.
+* `kind` - (Optional) The Kubernetes resource Kind to match for.
+* `name` - (Optional) The Kubernetes resource name to match for.
 
 Each `namespace_resource_blacklist` block can have the following attributes:
 * `group` - (Optional) The Kubernetes resource Group to match for.
@@ -133,6 +156,7 @@ Each `sync_window` block can have the following attributes:
 * `namespaces` - (Optional) List of namespaces that the window will apply to.
 * `schedule` - (Optional) Time the window will begin, specified in cron format.
 
+
 ## Import
 
 ArgoCD projects can be imported using an id consisting of `{name}`, e.g.