diff --git a/.gitignore b/.gitignore index e1eccddc3..7852ba38e 100644 --- a/.gitignore +++ b/.gitignore @@ -25,6 +25,7 @@ website/node_modules *.iml *.test *.iml +*.vscode website/vendor diff --git a/CHANGELOG.md b/CHANGELOG.md index 6dc63f0a0..0e6bd4bb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ### Fixed - Correctly identify a missing security user ([#101](https://github.com/elastic/terraform-provider-elasticstack/issues/101)) - Support **7.x** Elasticsearch < **7.15** by removing the default `media_type` attribute in the Append processor ([#118](https://github.com/elastic/terraform-provider-elasticstack/pull/118)) +- Add `allow_restricted_indices` setting to security role ([#125](https://github.com/elastic/terraform-provider-elasticstack/issues/125)) ## [0.3.3] - 2023-03-22 ### Fixed diff --git a/docs/resources/elasticsearch_security_role.md b/docs/resources/elasticsearch_security_role.md index 1f7e397f9..a1f3f6947 100644 --- a/docs/resources/elasticsearch_security_role.md +++ b/docs/resources/elasticsearch_security_role.md @@ -99,6 +99,7 @@ Optional: - **field_security** (Block List, Max: 1) The document fields that the owners of the role have read access to. (see [below for nested schema](#nestedblock--indices--field_security)) - **query** (String) A search query that defines the documents the owners of the role have read access to. +- **allow_restricted_indices** (Boolean) Include matching restricted indices in names parameter (usage is strongly discouraged as it can grant unrestricted operations on critical data, make the entire system unstable or leak sensitive information). ### Nested Schema for `indices.field_security` diff --git a/internal/elasticsearch/security/role.go b/internal/elasticsearch/security/role.go index 6183c9dba..e634be592 100644 --- a/internal/elasticsearch/security/role.go +++ b/internal/elasticsearch/security/role.go 
@@ -126,6 +126,11 @@ func ResourceRole() *schema.Resource {
 						DiffSuppressFunc: utils.DiffJsonSuppress,
 						Optional:         true,
 					},
+					"allow_restricted_indices": {
+						Description: "Include matching restricted indices in names parameter. Usage is strongly discouraged as it can grant unrestricted operations on critical data, make the entire system unstable or leak sensitive information.",
+						Type:        schema.TypeBool,
+						Optional:    true,
+					},
 				},
 			},
 		},
@@ -269,6 +274,10 @@ func resourceSecurityRolePut(ctx context.Context, d *schema.ResourceData, meta i
 				}
 				newIndex.FieldSecurity = &fieldSecurity
 			}
+
+			allowRestrictedIndices := index["allow_restricted_indices"].(bool)
+			newIndex.AllowRestrictedIndices = &allowRestrictedIndices
+
 			indices[i] = newIndex
 		}
 		role.Indices = indices
@@ -392,6 +401,7 @@ func flattenIndicesData(indices *[]models.IndexPerms) []interface{} {
 		oi["names"] = index.Names
 		oi["privileges"] = index.Privileges
 		oi["query"] = index.Query
+		oi["allow_restricted_indices"] = index.AllowRestrictedIndices
 		if index.FieldSecurity != nil {
 			fsec := make(map[string]interface{})
diff --git a/internal/elasticsearch/security/role_test.go b/internal/elasticsearch/security/role_test.go
index 657903044..0b587da87 100644
--- a/internal/elasticsearch/security/role_test.go
+++ b/internal/elasticsearch/security/role_test.go
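Review bot: The schema entry for `allow_restricted_indices` is `Optional` with no `Default`, so an omitted attribute is only implicitly `false` and the generated docs cannot state the default; since this flag widens what the role's `names` patterns match, the safe value should be explicit in the schema: `Default: false,` after `Optional: true,`. The description could also name the practical consequence a practitioner needs: the existing text says matching restricted indices are included, but not that ordinary patterns trigger it, so appending `With this set, a wildcard such as "*" in names also matches restricted indices.` would make the risk concrete. Whether adding a `Default` is consistent with the sibling attributes depends on the rest of `ResourceRole`, which is outside the hunk.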
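Review bot: The unchecked assertion `index["allow_restricted_indices"].(bool)` panics if the key is ever absent from the map, which, with the SDK's nested-block handling, presumably never happens, but the two-value form costs nothing and keeps a malformed state from crashing the provider: `allowRestrictedIndices, _ := index["allow_restricted_indices"].(bool)`. Note also that the pointer assigned to `newIndex.AllowRestrictedIndices` is always non-nil, so the `omitempty` on the model field never applies on this path and every request carries an explicit `false`; that is the fail-closed choice and worth a comment such as `// always sent, even when false, so the request never leaves the flag unspecified`. `resourceSecurityRolePut` begins and ends outside the hunk.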
@@ -24,6 +24,7 @@ func TestAccResourceSecurityRole(t *testing.T) {
 				Config: testAccResourceSecurityRoleCreate(roleName),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("elasticstack_elasticsearch_security_role.test", "name", roleName),
+					resource.TestCheckResourceAttr("elasticstack_elasticsearch_security_role.test", "indices.0.allow_restricted_indices", "true"),
 					resource.TestCheckTypeSetElemAttr("elasticstack_elasticsearch_security_role.test", "indices.*.names.*", "index1"),
 					resource.TestCheckTypeSetElemAttr("elasticstack_elasticsearch_security_role.test", "indices.*.names.*", "index2"),
 					resource.TestCheckTypeSetElemAttr("elasticstack_elasticsearch_security_role.test", "cluster.*", "all"),
@@ -41,6 +42,7 @@ func TestAccResourceSecurityRole(t *testing.T) {
 					resource.TestCheckNoResourceAttr("elasticstack_elasticsearch_security_role.test", "run_as"),
 					resource.TestCheckNoResourceAttr("elasticstack_elasticsearch_security_role.test", "global"),
 					resource.TestCheckNoResourceAttr("elasticstack_elasticsearch_security_role.test", "applications"),
+					resource.TestCheckNoResourceAttr("elasticstack_elasticsearch_security_role.test", "indices.0.allow_restricted_indices"),
 				),
 			},
 		},
@@ -58,8 +60,9 @@ resource "elasticstack_elasticsearch_security_role" "test" {
   cluster = ["all"]
   indices {
-    names = ["index1", "index2"]
-    privileges = ["all"]
+    names                    = ["index1", "index2"]
+    privileges               = ["all"]
+    allow_restricted_indices = true
   }
   applications {
diff --git a/internal/models/models.go b/internal/models/models.go
index e14f69aa4..92308e430 100644
--- a/internal/models/models.go
+++ b/internal/models/models.go
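Review bot: The new checks only cover the two extremes — `true` in the create step and the attribute entirely absent in the update step (which, going by the neighbouring `run_as`/`global`/`applications` checks, apparently has no `indices` block at all; that config is outside the hunk). The path operators will actually hit, an `indices` block that omits `allow_restricted_indices`, is never asserted to round-trip as `false` without a perpetual diff. A step using such a config with `resource.TestCheckResourceAttr("elasticstack_elasticsearch_security_role.test", "indices.0.allow_restricted_indices", "false"),` would pin that behaviour.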
@@ -22,10 +22,11 @@ type Role struct {
 }
 
 type IndexPerms struct {
-	FieldSecurity *FieldSecurity `json:"field_security,omitempty"`
-	Names         []string       `json:"names"`
-	Privileges    []string       `json:"privileges"`
-	Query         *string        `json:"query,omitempty"`
+	FieldSecurity          *FieldSecurity `json:"field_security,omitempty"`
+	Names                  []string       `json:"names"`
+	Privileges             []string       `json:"privileges"`
+	Query                  *string        `json:"query,omitempty"`
+	AllowRestrictedIndices *bool          `json:"allow_restricted_indices,omitempty"`
 }
 
 type FieldSecurity struct {
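Review bot: `AllowRestrictedIndices` is the one field in `IndexPerms` that widens a role's reach rather than narrowing it, and it carries no doc comment; the nil/false distinction that `*bool` with `omitempty` introduces should be spelled out for the next caller: `// AllowRestrictedIndices lets the role's index name patterns also match restricted indices. Strongly discouraged. A nil pointer omits the field from the request body; false sends it explicitly.` The struct is fully visible in the hunk, so the comment depends on nothing outside it.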