Skip to content

feat(engines): add usable_by for filtering valid service subtypes for resource access#143

Merged
tjholm merged 1 commit intomainfrom
feat/usable-by
Nov 4, 2025
Merged

feat(engines): add usable_by for filtering valid service subtypes for resource access#143
tjholm merged 1 commit intomainfrom
feat/usable-by

Conversation

@tjholm
Copy link
Member

@tjholm tjholm commented Nov 4, 2025

No description provided.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 4, 2025
edited
Loading

📝 Walkthrough

Walkthrough

This change introduces service access validation for Terraform resources. A UsableBy field was added to ResourceBlueprint to declare which service subtypes can access a resource, along with a ValidateServiceAccess method that verifies access permissions. When UsableBy is empty, all access is permitted for backward compatibility. Runtime validation was integrated into the bucket and database resource handlers to enforce these access controls during resource configuration.

Pre-merge checks

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Description check ❓ Inconclusive No description was provided by the author. Add a pull request description explaining the purpose, implementation details, and any relevant context for these changes.
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding a UsableBy field to filter which service subtypes can access resources.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Nov 4, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
engines/terraform/resource_handler.go (1)

249-256: LGTM: Database access validation correctly enforced

The validation follows the same pattern as buckets, ensuring consistent access control across resource types.

The validation logic is duplicated between bucket and database handlers (lines 155-162 and 249-256). Consider extracting to a helper function if similar validation is added for additional resource types:

func (td *TerraformDeployment) validateServiceResourceAccess(
    appSpec *app_spec_schema.Application,
    spec *ResourceBlueprint,
    serviceName, resourceName, resourceType string,
) error {
    serviceIntent, ok := appSpec.ServiceIntents[serviceName]
    if !ok {
        return fmt.Errorf("could not validate access to %s %s: service %s not found in application spec", resourceType, resourceName, serviceName)
    }
    return spec.ValidateServiceAccess(serviceIntent.GetSubType(), resourceName, resourceType)
}
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9c73ca0 and 1625041.

📒 Files selected for processing (3)
  • engines/terraform/platform.go (3 hunks)
  • engines/terraform/platform_test.go (1 hunks)
  • engines/terraform/resource_handler.go (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
engines/terraform/platform_test.go (1)
engines/terraform/platform.go (1)
  • ResourceBlueprint (369-375)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Security Scan
  • GitHub Check: Build (windows-latest, amd64)
🔇 Additional comments (4)
engines/terraform/platform.go (2)

374-374: LGTM: Access control field added

The UsableBy field enables declarative service access restrictions on resources. The omitempty tags ensure backward compatibility.

397-411: LGTM: Validation logic is correct

The method correctly implements backward-compatible validation:

  • Empty/nil UsableBy permits all service types
  • Clear error messages include both the denied subtype and allowed list
engines/terraform/platform_test.go (1)

9-98: LGTM: Comprehensive test coverage

The table-driven tests thoroughly validate:

  • Backward compatibility (nil/empty UsableBy)
  • Allow/deny logic for service subtypes
  • Error message content and formatting
engines/terraform/resource_handler.go (1)

155-162: Approve bucket access validation; verify topic resource scope

The bucket validation logic (lines 155–162) is correctly implemented. However, TopicIntents and a corresponding processTopicResources function do not appear in the codebase. Verify whether topic resources are in scope for this PR—if they are planned, they would need the same access validation pattern as buckets and databases.

@tjholm tjholm merged commit ef5d652 into main Nov 4, 2025
12 checks passed
@tjholm tjholm deleted the feat/usable-by branch November 4, 2025 22:46
@nitric-bot
Copy link

nitric-bot commented Nov 4, 2025

🎉 This PR is included in version 0.6.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@davemooreuws davemooreuws davemooreuws approved these changes

@raksiv raksiv raksiv approved these changes

@HomelessDinosaur HomelessDinosaur Awaiting requested review from HomelessDinosaur

@jyecusch jyecusch Awaiting requested review from jyecusch

Assignees

@jyecusch jyecusch

@davemooreuws davemooreuws

@HomelessDinosaur HomelessDinosaur

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@tjholm @nitric-bot @davemooreuws @raksiv @jyecusch @HomelessDinosaur