move private_ips as a node attribute + handle 403

Mia-Cross · Mia-Cross · commit 6dc2ff333d27 · 2025-05-15T01:21:32.000+02:00
diff --git a/docs/resources/k8s_pool.md b/docs/resources/k8s_pool.md
@@ -110,13 +110,13 @@ In addition to all arguments above, the following attributes are exported:
     - `public_ip` - The public IPv4. (Deprecated, Please use the official Kubernetes provider and the kubernetes_nodes data source)
     - `public_ip_v6` - The public IPv6. (Deprecated, Please use the official Kubernetes provider and the kubernetes_nodes data source)
     - `status` - The status of the node.
+    - `private_ips` - The list of private IPv4 and IPv6 addresses associated with the node.
+      - `id` - The ID of the IP address resource.
+      - `address` - The private IP address.
 - `created_at` - The creation date of the pool.
 - `updated_at` - The last update date of the pool.
 - `version` - The version of the pool.
 - `current_size` - The size of the pool at the time the terraform state was updated.
-- `private_ips` - The list of private IPv4 addresses associated with the resource.
-    - `id` - The ID of the IPv4 address resource.
-    - `address` - The private IPv4 address.
 
 ## Zone
 
diff --git a/internal/services/ipam/helpers.go b/internal/services/ipam/helpers.go
@@ -74,6 +74,7 @@ type GetResourcePrivateIPsOptions struct {
 	ResourceID       *string
 	ResourceName     *string
 	PrivateNetworkID *string
+	ProjectID        *string
 }
 
 // GetResourcePrivateIPs fetches the private IP addresses of a resource in a private network.
@@ -100,6 +101,11 @@ func GetResourcePrivateIPs(ctx context.Context, m interface{}, region scw.Region
 		if opts.ResourceType != nil {
 			req.ResourceType = *opts.ResourceType
 		}
+
+		// Project ID needs to be specified in order to force the IPAM API to check IAM permissions and send a 403 response code if not authorized
+		if opts.ProjectID != nil {
+			req.ProjectID = opts.ProjectID
+		}
 	}
 
 	resp, err := ipamAPI.ListIPs(req, scw.WithContext(ctx))
diff --git a/internal/services/k8s/helpers_k8s.go b/internal/services/k8s/helpers_k8s.go
@@ -118,3 +118,18 @@ func getNodes(ctx context.Context, k8sAPI *k8s.API, pool *k8s.Pool) ([]map[strin
 
 	return convertNodes(nodes), nil
 }
+
+func getClusterProjectID(ctx context.Context, k8sAPI *k8s.API, pool *k8s.Pool) (string, error) {
+	cluster, err := k8sAPI.GetCluster(&k8s.GetClusterRequest{
+		Region:    pool.Region,
+		ClusterID: pool.ClusterID,
+	}, scw.WithContext(ctx))
+	if err != nil {
+		return "", fmt.Errorf("get pool project ID: error getting cluster %s", pool.ClusterID)
+	}
+
+	if cluster.ProjectID == "" {
+		return "", fmt.Errorf("no project ID found for cluster %s", pool.ClusterID)
+	}
+	return cluster.ProjectID, nil
+}
diff --git a/internal/services/k8s/pool.go b/internal/services/k8s/pool.go
@@ -220,6 +220,25 @@ func ResourcePool() *schema.Resource {
 							Description: "The public IPv6 address of the node",
 							Deprecated:  "Please use the official Kubernetes provider and the kubernetes_nodes data source",
 						},
+						"private_ips": {
+							Type:        schema.TypeList,
+							Computed:    true,
+							Description: "List of private IPv4 and IPv6 addresses associated with the node",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"id": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "The ID of the IP address resource",
+									},
+									"address": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "The private IP address",
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -228,25 +247,6 @@ func ResourcePool() *schema.Resource {
 				Computed:    true,
 				Description: "The status of the pool",
 			},
-			"private_ips": {
-				Type:        schema.TypeList,
-				Computed:    true,
-				Description: "List of private IPv4 addresses associated with the resource",
-				Elem: &schema.Resource{
-					Schema: map[string]*schema.Schema{
-						"id": {
-							Type:        schema.TypeString,
-							Computed:    true,
-							Description: "The ID of the IPv4 address resource",
-						},
-						"address": {
-							Type:        schema.TypeString,
-							Computed:    true,
-							Description: "The private IPv4 address",
-						},
-					},
-				},
-			},
 		},
 	}
 }
@@ -414,7 +414,6 @@ func ResourceK8SPoolRead(ctx context.Context, d *schema.ResourceData, m interfac
 	_ = d.Set("container_runtime", pool.ContainerRuntime)
 	_ = d.Set("created_at", pool.CreatedAt.Format(time.RFC3339))
 	_ = d.Set("updated_at", pool.UpdatedAt.Format(time.RFC3339))
-	_ = d.Set("nodes", nodes)
 	_ = d.Set("status", pool.Status)
 	_ = d.Set("kubelet_args", flattenKubeletArgs(pool.KubeletArgs))
 	_ = d.Set("region", region)
@@ -426,36 +425,57 @@ func ResourceK8SPoolRead(ctx context.Context, d *schema.ResourceData, m interfac
 		_ = d.Set("placement_group_id", zonal.NewID(pool.Zone, *pool.PlacementGroupID).String())
 	}
 
-	var allPrivateIPs []map[string]interface{}
-
-	for _, nodeMap := range nodes {
-		nodeNameInterface, ok := nodeMap["name"]
-		if !ok {
-			continue
-		}
-
-		nodeName, ok := nodeNameInterface.(string)
-		if !ok {
-			continue
-		}
-
-		opts := &ipam.GetResourcePrivateIPsOptions{
-			ResourceName: &nodeName,
-		}
-
-		privateIPs, err := ipam.GetResourcePrivateIPs(ctx, m, region, opts)
-		if err != nil {
-			return diag.FromErr(err)
-		}
-
-		if privateIPs != nil {
-			allPrivateIPs = append(allPrivateIPs, privateIPs...)
+	// Get nodes' private IPs
+	diags := diag.Diagnostics{}
+	projectID, err := getClusterProjectID(ctx, k8sAPI, pool)
+	if err != nil {
+		diags = append(diags, diag.Diagnostic{
+			Severity: diag.Warning,
+			Summary:  "Unable to get nodes private IPs",
+			Detail:   err.Error(),
+		})
+	} else {
+		for i, nodeMap := range nodes {
+			nodeNameInterface, ok := nodeMap["name"]
+			if !ok {
+				continue
+			}
+
+			nodeName, ok := nodeNameInterface.(string)
+			if !ok {
+				continue
+			}
+
+			opts := &ipam.GetResourcePrivateIPsOptions{
+				ResourceName: &nodeName,
+				ProjectID:    &projectID,
+			}
+
+			privateIPs, err := ipam.GetResourcePrivateIPs(ctx, m, region, opts)
+			if err != nil {
+				if httperrors.Is403(err) {
+					diags = append(diags, diag.Diagnostic{
+						Severity: diag.Warning,
+						Summary:  "Unauthorized to read nodes' private IPs, please check your IAM permissions",
+						Detail:   err.Error(),
+					})
+					break
+				} else {
+					diags = append(diags, diag.Diagnostic{
+						Severity: diag.Warning,
+						Summary:  "Unable to get nodes private IPs from IPAM API",
+						Detail:   err.Error(),
+					})
+				}
+			}
+
+			nodes[i]["private_ips"] = privateIPs
 		}
 	}
 
-	_ = d.Set("private_ips", allPrivateIPs)
+	_ = d.Set("nodes", nodes)
 
-	return nil
+	return diags
 }
 
 func ResourceK8SPoolUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
diff --git a/internal/services/k8s/pool_test.go b/internal/services/k8s/pool_test.go
@@ -50,8 +50,8 @@ func TestAccPool_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_k8s_pool.default", "tags.1", "scaleway_k8s_cluster"),
 					resource.TestCheckResourceAttr("scaleway_k8s_pool.default", "tags.2", "default"),
 					testAccCheckK8SPoolServersAreInPrivateNetwork(tt, "scaleway_k8s_cluster.minimal", "scaleway_k8s_pool.default", "scaleway_vpc_private_network.minimal"),
-					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "private_ips.0.id"),
-					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "private_ips.0.address"),
+					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "nodes.0.private_ips.0.id"),
+					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "nodes.0.private_ips.0.address"),
 				),
 			},
 			{
@@ -71,10 +71,10 @@ func TestAccPool_Basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.minimal", "nodes.0.public_ip"), // Deprecated attributes
 					testAccCheckK8SPoolServersAreInPrivateNetwork(tt, "scaleway_k8s_cluster.minimal", "scaleway_k8s_pool.default", "scaleway_vpc_private_network.minimal"),
 					testAccCheckK8SPoolServersAreInPrivateNetwork(tt, "scaleway_k8s_cluster.minimal", "scaleway_k8s_pool.minimal", "scaleway_vpc_private_network.minimal"),
-					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "private_ips.0.id"),
-					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "private_ips.0.address"),
-					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "private_ips.1.id"),
-					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "private_ips.1.address"),
+					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "nodes.0.private_ips.0.id"),
+					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "nodes.0.private_ips.0.address"),
+					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "nodes.0.private_ips.1.id"),
+					resource.TestCheckResourceAttrSet("scaleway_k8s_pool.default", "nodes.0.private_ips.1.address"),
 				),
 			},
 			{

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,7 @@ type GetResourcePrivateIPsOptions struct {`
`74`	`74`	`ResourceID *string`
`75`	`75`	`ResourceName *string`
`76`	`76`	`PrivateNetworkID *string`
	`77`	`+ ProjectID *string`
`77`	`78`	`}`
`78`	`79`
`79`	`80`	`// GetResourcePrivateIPs fetches the private IP addresses of a resource in a private network.`
`@@ -100,6 +101,11 @@ func GetResourcePrivateIPs(ctx context.Context, m interface{}, region scw.Region`
`100`	`101`	`if opts.ResourceType != nil {`
`101`	`102`	`req.ResourceType = *opts.ResourceType`
`102`	`103`	`}`
	`104`	`+`
	`105`	`+ // Project ID needs to be specified in order to force the IPAM API to check IAM permissions and send a 403 response code if not authorized`
	`106`	`+ if opts.ProjectID != nil {`
	`107`	`+ req.ProjectID = opts.ProjectID`
	`108`	`+ }`
`103`	`109`	`}`
`104`	`110`
`105`	`111`	`resp, err := ipamAPI.ListIPs(req, scw.WithContext(ctx))`