ok with no_ip_allowed_on_delete

Author: Mia-Cross

docs/resources/k8s_acl.md

@@ -0,0 +1,78 @@
+---
+subcategory: "Kubernetes"
+page_title: "Scaleway: scaleway_k8s_acl"
+---
+
+# Resource: scaleway_k8s_acl
+
+Creates and manages Scaleway Kubernetes cluster authorized IPs.
+For more information, please refer to the [API documentation](https://www.scaleway.com/en/developers/api/kubernetes/#path-access-control-list-add-new-acls)
+
+## Example Usage
+
+### Basic
+
+```terraform
+resource "scaleway_vpc_private_network" "acl_basic" {}
+
+resource "scaleway_k8s_cluster" "acl_basic" {
+	name = "acl-basic"
+	version = "1.32.2"
+	cni = "cilium"
+	delete_additional_resources = true
+	private_network_id = scaleway_vpc_private_network.acl_basic.id
+}
+
+resource "scaleway_k8s_acl" "acl_basic" {
+	cluster_id = scaleway_k8s_cluster.acl_basic.id
+	acl_rules {
+		ip = "1.2.3.4/32"
+		description = "Allow 1.2.3.4"
+	}
+	acl_rules {
+		scaleway_ranges = true
+		description = "Allow all Scaleway ranges"
+	}
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `cluster_id` - (Required) UUID of the Cluster.
+
+~> **Important:** Updates to `cluster_id` will recreate the ACL.
+
+- `acl_rules` - A list of ACLs (structure is described below)
+
+- `region` - (Defaults to [provider](../index.md#region) `region`) The [region](../guides/regions_and_zones.md#regions) in which the ACL rule should be created.
+
+The `acl_rules` block supports:
+
+- `ip` - (Optional) The IP range to whitelist in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
+
+~> **Important:** If the `ip` field is set, `scaleway_ranges` cannot be set to true in the same rule.
+
+- `scaleway_ranges` - (Optional) Allow access to cluster from all Scaleway ranges as defined in https://www.scaleway.com/en/docs/console/account/reference-content/scaleway-network-information/#ip-ranges-used-by-scaleway.
+Only one rule with this field set to true can be added.
+
+~> **Important:** If the `scaleway_ranges` field is set to true, the `ip` field cannot be set on the same rule.
+
+- `description` - (Optional) A text describing this rule.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `acl_rules.0.id` - The ID of each ACL rule.
+
+~> **Important:** Kubernetes ACL rules' IDs are [regional](../guides/regions_and_zones.md#resource-ids), which means they are of the form `{region}/{id}`, e.g. `fr-par/11111111-1111-1111-1111-111111111111`
+
+## Import
+
+Kubernetes ACLs can be imported using the `{region}/{cluster-id}`, e.g.
+
+```bash
+terraform import scaleway_k8s_acl.acl01 fr-par/11111111-1111-1111-1111-111111111111
+```

internal/services/k8s/acl.go

@@ -41,7 +41,13 @@ func ResourceACL() *schema.Resource {
 				ForceNew:         true,
 				ValidateDiagFunc: verify.IsUUIDorUUIDWithLocality(),
 				DiffSuppressFunc: dsf.Locality,
-				Description:      "Cluster on which the ACL is applied",
+				Description:      "Cluster on which the ACL should be applied",
+			},
+			"no_ip_allowed_on_delete": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Determines whether deleting the resource should allow all IPs again or no IP at all",
 			},
 			"acl_rules": {
 				Type:        schema.TypeList,
@@ -58,7 +64,7 @@ func ResourceACL() *schema.Resource {
 						"scaleway_ranges": {
 							Type:        schema.TypeBool,
 							Optional:    true,
-							Description: "Allow access to cluster from all Scaleway ranges as defined in https://www.scaleway.com/en/docs/console/account/reference-content/scaleway-network-information/#ip-ranges-used-by-scaleway. Only one rule with this field set to true can be added",
+							Description: "Allow access to cluster from all Scaleway ranges as defined in https://www.scaleway.com/en/docs/console/account/reference-content/scaleway-network-information/#ip-ranges-used-by-scaleway. Only one rule with this field set to true can be added.",
 						},
 						"description": {
 							Type:        schema.TypeString,
@@ -143,7 +149,8 @@ func ResourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{})
 		return diag.FromErr(err)
 	}
 
-	_ = d.Set("cluster_id", clusterID)
+	_ = d.Set("cluster_id", regional.NewIDString(region, clusterID))
+	_ = d.Set("region", region)
 	_ = d.Set("acl_rules", flattenACL(acls.Rules))
 
 	return nil
@@ -192,19 +199,23 @@ func ResourceACLDelete(ctx context.Context, d *schema.ResourceData, m interface{
 		return diag.FromErr(err)
 	}
 
-	allIPRange, err := types.ExpandIPNet("0.0.0.0/0")
-	if err != nil {
-		return diag.FromErr(err)
+	rulesToSet := []*k8s.ACLRuleRequest(nil)
+
+	if d.Get("no_ip_allowed_on_delete").(bool) == false {
+		allowedIPs, err := types.ExpandIPNet("0.0.0.0/0")
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		rulesToSet = append(rulesToSet, &k8s.ACLRuleRequest{
+			IP:          &allowedIPs,
+			Description: "Automatically generated after scaleway_k8s_acl resource deletion",
+		})
 	}
 
 	req := &k8s.SetClusterACLRulesRequest{
 		Region:    region,
 		ClusterID: clusterID,
-		ACLs: []*k8s.ACLRuleRequest{
-			{
-				IP: &allIPRange,
-			},
-		},
+		ACLs:      rulesToSet,
 	}
 
 	_, err = api.SetClusterACLRules(req, scw.WithContext(ctx))

internal/services/k8s/acl_test.go

@@ -43,6 +43,8 @@ func TestAccACL_Basic(t *testing.T) {
 						}
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "false"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "1"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.scaleway_ranges", "false"),
@@ -64,6 +66,7 @@ func TestAccACL_Basic(t *testing.T) {
 			
 					resource "scaleway_k8s_acl" "acl_basic" {
 						cluster_id = scaleway_k8s_cluster.acl_basic.id
+						no_ip_allowed_on_delete = true
 						acl_rules {
 							ip = "1.2.3.4/32"
 						}
@@ -73,6 +76,8 @@ func TestAccACL_Basic(t *testing.T) {
 						}
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "true"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "2"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.scaleway_ranges", "false"),
@@ -108,6 +113,8 @@ func TestAccACL_Basic(t *testing.T) {
 						}
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "false"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "2"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.scaleway_ranges", "false"),
@@ -131,14 +138,108 @@ func TestAccACL_Basic(t *testing.T) {
 						private_network_id = scaleway_vpc_private_network.acl_basic.id 
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckK8SClusterAllIPsAllowed(tt, "scaleway_k8s_cluster.acl_basic"),
+					testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", "0.0.0.0/0"),
 				),
 			},
 		},
 	})
 }
 
-func testAccCheckK8SClusterAllIPsAllowed(tt *acctest.TestTools, n string) resource.TestCheckFunc {
+func TestAccACL_AllowedIPsOnDelete(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	clusterName := "k8s-acl-allowed-ips-on-delete"
+	latestK8sVersion := testAccK8SClusterGetLatestK8SVersion(tt)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      testAccCheckK8SClusterDestroy(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_vpc_private_network" "acl_basic" {}
+			
+					resource "scaleway_k8s_cluster" "acl_basic" {
+						name = "%s"
+						version = "%s"
+						cni = "cilium"
+						delete_additional_resources = true
+						private_network_id = scaleway_vpc_private_network.acl_basic.id
+					}
+			
+					resource "scaleway_k8s_acl" "acl_basic" {
+						cluster_id = scaleway_k8s_cluster.acl_basic.id
+						no_ip_allowed_on_delete = true
+						acl_rules {
+							ip = "1.2.3.4/32"
+						}
+					}`, clusterName, latestK8sVersion),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "true"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_vpc_private_network" "acl_basic" {}
+			
+					resource "scaleway_k8s_cluster" "acl_basic" {
+						name = "%s"
+						version = "%s"
+						cni = "cilium"
+						delete_additional_resources = true
+						private_network_id = scaleway_vpc_private_network.acl_basic.id
+					}`, clusterName, latestK8sVersion),
+				Check: testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", ""),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_vpc_private_network" "acl_basic" {}
+			
+					resource "scaleway_k8s_cluster" "acl_basic" {
+						name = "%s"
+						version = "%s"
+						cni = "cilium"
+						delete_additional_resources = true
+						private_network_id = scaleway_vpc_private_network.acl_basic.id
+					}
+			
+					resource "scaleway_k8s_acl" "acl_basic" {
+						cluster_id = scaleway_k8s_cluster.acl_basic.id
+						no_ip_allowed_on_delete = false
+						acl_rules {
+							ip = "1.2.3.4/32"
+						}
+					}`, clusterName, latestK8sVersion),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "false"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_vpc_private_network" "acl_basic" {}
+			
+					resource "scaleway_k8s_cluster" "acl_basic" {
+						name = "%s"
+						version = "%s"
+						cni = "cilium"
+						delete_additional_resources = true
+						private_network_id = scaleway_vpc_private_network.acl_basic.id
+					}`, clusterName, latestK8sVersion),
+				Check: testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", "0.0.0.0/0"),
+			},
+		},
+	})
+}
+
+func testAccCheckK8SClusterAllowedIPs(tt *acctest.TestTools, n string, expected string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
 		if !ok {
@@ -167,14 +268,12 @@ func testAccCheckK8SClusterAllIPsAllowed(tt *acctest.TestTools, n string) resour
 		}
 
 		switch {
-		case acls.TotalCount > 1:
-			return fmt.Errorf("unexpected number of ACL rules: %d (expected: 1)", acls.TotalCount)
-		case acls.Rules[0].IP == nil:
-			return fmt.Errorf("unexpected ACL rule: %+v", acls.Rules[0])
-		case acls.Rules[0].IP.String() != "0.0.0.0/0":
-			return fmt.Errorf("unexpected IP in ACL rule: %q (expected \"0.0.0.0/0\")", acls.Rules[0].IP.String())
+		case expected == "" && acls.TotalCount == 0:
+			return nil
+		case expected != "" && acls.TotalCount == 1 && acls.Rules[0].IP != nil && acls.Rules[0].IP.String() == expected:
+			return nil
+		default:
+			return fmt.Errorf("expected 1 ACL rule for subnet %q, got: %+v", expected, acls.Rules)
 		}
-
-		return nil
 	}
 }