support endPort on network policy resource (#2494)

* support endPort on network policy resource

* add changelog + doc entry

---------

Co-authored-by: Mauricio Alvarez Leon <[email protected]>

Author: tostieme

.changelog/2494.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+`resource/resource_kubernetes_network_policy_v1`: add support for `end_port`
+```

docs/resources/network_policy.md

@@ -227,6 +227,7 @@ Optional:
 
 - `port` (String) port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
 - `protocol` (String) protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+- `end_port` - (Optional) The end_port indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. Cannot be defined if port is undefined or if port is defined as a named (string) port.
 
 
 

docs/resources/network_policy_v1.md

@@ -227,6 +227,7 @@ Optional:
 
 - `port` (String) port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
 - `protocol` (String) protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+- `end_port` - (Optional) The end_port indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. Cannot be defined if port is undefined or if port is defined as a named (string) port.
 
 
 
@@ -287,6 +288,7 @@ resource "kubernetes_network_policy_v1" "example" {
 }
 ```
 
+
 ## Import
 
 Network policies can be imported using their identifier consisting of `<namespace-name>/<network-policy-name>`, e.g.:

kubernetes/resource_kubernetes_network_policy_v1.go

@@ -25,6 +25,7 @@ var (
 	networkPolicyV1EgressRulePortsDoc       = networking.NetworkPolicyEgressRule{}.SwaggerDoc()["ports"]
 	networkPolicyV1EgressRuleToDoc          = networking.NetworkPolicyEgressRule{}.SwaggerDoc()["to"]
 	networkPolicyV1PortPortDoc              = networking.NetworkPolicyPort{}.SwaggerDoc()["port"]
+	networkPolicyV1PortEndPortDoc           = networking.NetworkPolicyPort{}.SwaggerDoc()["endPort"]
 	networkPolicyV1PortProtocolDoc          = networking.NetworkPolicyPort{}.SwaggerDoc()["protocol"]
 	networkPolicyV1PeerIpBlockDoc           = networking.NetworkPolicyPeer{}.SwaggerDoc()["ipBlock"]
 	ipBlockCidrDoc                          = networking.IPBlock{}.SwaggerDoc()["cidr"]
@@ -72,6 +73,11 @@ func resourceKubernetesNetworkPolicyV1() *schema.Resource {
 													Description: networkPolicyV1PortPortDoc,
 													Optional:    true,
 												},
+												"end_port": {
+													Type:        schema.TypeInt,
+													Description: networkPolicyV1PortEndPortDoc,
+													Optional:    true,
+												},
 												"protocol": {
 													Type:        schema.TypeString,
 													Description: networkPolicyV1PortProtocolDoc,
@@ -149,6 +155,11 @@ func resourceKubernetesNetworkPolicyV1() *schema.Resource {
 													Description: networkPolicyV1PortPortDoc,
 													Optional:    true,
 												},
+												"end_port": {
+													Type:        schema.TypeInt,
+													Description: networkPolicyV1PortEndPortDoc,
+													Optional:    true,
+												},
 												"protocol": {
 													Type:        schema.TypeString,
 													Description: networkPolicyV1PortProtocolDoc,

kubernetes/resource_kubernetes_network_policy_v1_test.go

@@ -108,6 +108,41 @@ func TestAccKubernetesNetworkPolicyV1_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "spec.0.policy_types.0", "Ingress"),
 				),
 			},
+			{
+				Config: testAccKubernetesNetworkPolicyV1Config_endPorts(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesNetworkPolicyV1Exists(resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "metadata.0.annotations.%", "0"),
+					resource.TestCheckResourceAttr(resourceName, "metadata.0.labels.%", "0"),
+					resource.TestCheckResourceAttr(resourceName, "metadata.0.name", name),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.generation"),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.uid"),
+					resource.TestCheckResourceAttr(resourceName, "spec.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.0.match_expressions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.0.match_expressions.0.key", "name"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.0.match_expressions.0.operator", "In"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.0.match_expressions.0.values.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.0.match_expressions.0.values.1", "webfront"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_selector.0.match_expressions.0.values.0", "api"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.ports.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.ports.0.port", "8126"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.ports.0.protocol", "TCP"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.ports.0.end_port", "9000"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.from.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.from.0.namespace_selector.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.from.0.namespace_selector.0.match_labels.name", "default"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.ingress.0.from.0.pod_selector.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.egress.0.ports.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.egress.0.ports.0.port", "10000"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.egress.0.ports.0.protocol", "TCP"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.egress.0.ports.0.end_port", "65535"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.policy_types.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.policy_types.0", "Ingress"),
+				),
+			},
 			{
 				Config: testAccKubernetesNetworkPolicyV1Config_specModified_allow_all_namespaces(name),
 				Check: resource.ComposeAggregateTestCheckFunc(
@@ -482,6 +517,50 @@ func testAccKubernetesNetworkPolicyV1Config_specModified(name string) string {
 `, name)
 }
 
+func testAccKubernetesNetworkPolicyV1Config_endPorts(name string) string {
+	return fmt.Sprintf(`resource "kubernetes_network_policy_v1" "test" {
+  metadata {
+    name      = "%s"
+    namespace = "default"
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "name"
+        operator = "In"
+        values   = ["webfront", "api"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "8126"
+        protocol = "TCP"
+        end_port = "9000"
+      }
+
+      from {
+        namespace_selector {
+          match_labels = {
+            name = "default"
+          }
+        }
+      }
+    }
+    egress {
+      ports {
+        port     = "10000"
+        protocol = "TCP"
+        end_port = "65535"
+      }
+    }
+    policy_types = ["Ingress"]
+  }
+}
+`, name)
+}
+
 func testAccKubernetesNetworkPolicyV1Config_specModified_allow_all_namespaces(name string) string {
 	return fmt.Sprintf(`resource "kubernetes_network_policy_v1" "test" {
   metadata {

kubernetes/structure_network_policy.go

@@ -10,6 +10,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 // Flatteners
@@ -66,6 +67,9 @@ func flattenNetworkPolicyV1Ports(in []networkingv1.NetworkPolicyPort) []interfac
 		if port.Port != nil {
 			m["port"] = port.Port.String()
 		}
+		if port.EndPort != nil && *port.EndPort != 0 {
+			m["end_port"] = int(*port.EndPort)
+		}
 		if port.Protocol != nil {
 			m["protocol"] = string(*port.Protocol)
 		}
@@ -198,6 +202,9 @@ func expandNetworkPolicyV1Ports(l []interface{}) *[]networkingv1.NetworkPolicyPo
 			val := intstr.Parse(v)
 			policyPorts[i].Port = &val
 		}
+		if v, ok := in["end_port"].(int); ok && v != 0 {
+			policyPorts[i].EndPort = ptr.To(int32(v))
+		}
 		if in["protocol"] != nil && in["protocol"] != "" {
 			v := corev1.Protocol(in["protocol"].(string))
 			policyPorts[i].Protocol = &v