feat(rbac): support RBAC resource restriction on rolebinding (#133)

### Motivation

Support RBAC resource restriction on rolebinding


### Examples

```hcl
resource "streamnative_rolebinding" "rb_resource_name_restriction" {
  name         = "rb_resource_name_restriction"
  organization = "o-y8z75"
  cluster_role_name = "topic-producer"
  service_account_names = ["sv-1"]
  resource_name_restriction {
    common_instance = "instance-1"
    common_cluster = "cluster-1"
    common_tenant = "tenant-1"
    common_namespace = "ns-1"
    common_topic = "allPartition('topic-1')"
    pulsar_topic_domain = "persistent"
  }
}

data "streamnative_rolebinding" "rb_resource_name_restriction" {
  depends_on = [streamnative_rolebinding.rb_resource_name_restriction]
  name         = "rb_resource_name_restriction"
  organization = "o-y8z75"
}
```

Author: mattisonchao

cloud/data_source_rolebinding.go

@@ -3,9 +3,12 @@ package cloud
 import (
 	"context"
 	"fmt"
-	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
+
 	"strings"
 
+	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
+	"github.com/streamnative/terraform-provider-streamnative/cloud/rbac"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -67,10 +70,18 @@ func dataSourceRoleBinding() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"resource_name_restriction": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: rbac.GenerateDataRoleBinding(),
+				},
+			},
 			"condition_resource_names": {
 				Type:        schema.TypeList,
 				Computed:    true,
 				Description: descriptions["rolebinding_condition_resource_names"],
+				Deprecated:  "condition_resource_names has deprecated, please use resource_name_restriction instead.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"organization": {
@@ -187,6 +198,14 @@ func DataSourceRoleBindingRead(ctx context.Context, d *schema.ResourceData, meta
 		return diag.FromErr(fmt.Errorf("ERROR_SET_CONDITION: %w", err))
 	}
 
+	if roleBinding.Spec.ResourceNameRestriction != nil {
+		if rawData, updated := rbac.ParseToRaw(roleBinding.Spec.ResourceNameRestriction); updated {
+			if err = d.Set("resource_name_restriction", []interface{}{rawData}); err != nil {
+				return diag.FromErr(fmt.Errorf("ERROR_SET_RESOURCE_NAME_RESTRICTION: %w", err))
+			}
+		}
+	}
+
 	if len(roleBinding.Status.Conditions) >= 1 {
 		for _, condition := range roleBinding.Status.Conditions {
 			if condition.Type == "Ready" && condition.Status == "True" {
@@ -196,6 +215,7 @@ func DataSourceRoleBindingRead(ctx context.Context, d *schema.ResourceData, meta
 			}
 		}
 	}
+
 	d.SetId(fmt.Sprintf("%s/%s", roleBinding.Namespace, roleBinding.Name))
 	return nil
 }

cloud/rbac/rbac.go

@@ -0,0 +1,137 @@
+package rbac
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	cloudv1alpha1 "github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
+)
+
+const resourceNotSet = "__RESOURCE_UNSET__"
+
+type iteratorProcessor func(reflect.Value, string) error
+
+func iterateStructWithProcessor(s reflect.Value, prefix string, processor iteratorProcessor) error {
+	if s.Kind() != reflect.Struct {
+		return fmt.Errorf("expected a struct reflect.Value, got %s", s.Kind())
+	}
+	sType := s.Type()
+	for i := 0; i < sType.NumField(); i++ {
+		field := sType.Field(i)
+		fieldValue := s.Field(i)
+		flagName := strings.ToLower(field.Name)
+		if jsonTag := field.Tag.Get("json"); jsonTag != "" {
+			parts := strings.Split(jsonTag, ",")
+			if parts[0] != "" {
+				flagName = parts[0]
+			}
+		}
+		fullFlagName := prefix + flagName
+		if fieldValue.Kind() == reflect.Ptr {
+			if fieldValue.IsNil() {
+				elem := fieldValue.Type().Elem()
+				if elem.Kind() == reflect.Struct {
+					fieldValue.Set(reflect.New(fieldValue.Type().Elem()))
+				}
+			}
+			switch fieldValue.Type().Elem().Kind() {
+			case reflect.Struct:
+				if err := iterateStructWithProcessor(fieldValue.Elem(), fullFlagName+"_", processor); err != nil {
+					return err
+				}
+			case reflect.String:
+				break
+			default:
+				return fmt.Errorf("expected a struct pointer to a struct pointer, got %s", fieldValue.Elem().Kind())
+			}
+			if err := processor(fieldValue, strings.ToLower(fullFlagName)); err != nil {
+				return err
+			}
+		} else {
+			return fmt.Errorf("unsupported field type (not a pointer) for %s: %s", strings.ToLower(fullFlagName), fieldValue.Kind())
+		}
+	}
+	return nil
+}
+
+func ParseToResourceNameRestriction(rawData map[string]interface{}) (*cloudv1alpha1.ResourceNameRestriction, bool) {
+	restriction := &cloudv1alpha1.ResourceNameRestriction{}
+	updated := false
+	if err := iterateStructWithProcessor(reflect.ValueOf(restriction).Elem(), "", func(fieldValue reflect.Value, fullName string) error {
+		if value, exist := rawData[fullName]; exist {
+			if reflect.TypeOf(value).Kind() == reflect.String {
+				vstr := value.(string)
+				if vstr != resourceNotSet {
+					updated = true
+					if fieldValue.IsNil() {
+						fieldValue.Set(reflect.New(fieldValue.Type().Elem()))
+					}
+					fieldValue.Elem().SetString(vstr)
+				}
+			}
+		}
+		pointedToValue := fieldValue.Elem()
+		if pointedToValue.Kind() == reflect.Struct && pointedToValue.IsZero() {
+			fieldValue.Set(reflect.Zero(fieldValue.Type()))
+		}
+		return nil
+	}); err != nil {
+		panic(err)
+	}
+	return restriction, updated
+}
+
+func ParseToRaw(restriction *cloudv1alpha1.ResourceNameRestriction) (map[string]interface{}, bool) {
+	dc := restriction.DeepCopy()
+	m := make(map[string]interface{})
+	updated := false
+	if err := iterateStructWithProcessor(reflect.ValueOf(dc).Elem(), "", func(fieldValue reflect.Value, fullName string) error {
+		if (fieldValue.Kind() == reflect.Ptr && !fieldValue.IsNil()) && fieldValue.Elem().Kind() == reflect.String {
+			updated = true
+			m[fullName] = fieldValue.Elem().String()
+		}
+		return nil
+	}); err != nil {
+		panic(err)
+	}
+	return m, updated
+}
+
+func GenerateResourceRoleBinding() map[string]*schema.Schema {
+	schemas := make(map[string]*schema.Schema)
+	restriction := &cloudv1alpha1.ResourceNameRestriction{}
+	if err := iterateStructWithProcessor(reflect.ValueOf(restriction).Elem(), "", func(fieldValue reflect.Value, fullName string) error {
+		pointedToValue := fieldValue.Type().Elem()
+		if pointedToValue.Kind() == reflect.String {
+			schemas[fullName] = &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  resourceNotSet,
+			}
+		}
+		return nil
+	}); err != nil {
+		panic(err)
+	}
+	return schemas
+}
+
+func GenerateDataRoleBinding() map[string]*schema.Schema {
+	schemas := make(map[string]*schema.Schema)
+	restriction := &cloudv1alpha1.ResourceNameRestriction{}
+	if err := iterateStructWithProcessor(reflect.ValueOf(restriction).Elem(), "", func(fieldValue reflect.Value, fullName string) error {
+		pointedToValue := fieldValue.Type().Elem()
+		if pointedToValue.Kind() == reflect.String {
+			schemas[fullName] = &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			}
+		}
+		return nil
+	}); err != nil {
+		panic(err)
+	}
+	return schemas
+}

cloud/rbac/rbac_test.go

@@ -0,0 +1,62 @@
+package rbac
+
+import (
+	"testing"
+
+	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/utils/ptr"
+)
+
+func TestParser(t *testing.T) {
+	restriction := &v1alpha1.ResourceNameRestriction{
+		Common: &v1alpha1.CommonAttributes{
+			Organization: ptr.To("org-1"),
+			Instance:     ptr.To("ins-1"),
+			Cluster:      ptr.To("cluster-1"),
+			Tenant:       ptr.To("tenant-1"),
+			Namespace:    ptr.To("namespace-1"),
+			Topic:        ptr.To("topic-1"),
+		},
+		Pulsar: &v1alpha1.PulsarAttributes{
+			Topic: &v1alpha1.PulsarTopicAttributes{
+				Domain: ptr.To("domain-1"),
+			},
+			Subscription: &v1alpha1.PulsarSubscriptionAttributes{
+				Name: ptr.To("subscription-1"),
+			},
+		},
+		Cloud: &v1alpha1.CloudAttributes{
+			Apikey: &v1alpha1.CloudApiKeyAttributes{
+				Name: ptr.To("api-key-1"),
+			},
+		},
+	}
+
+	raw, updated := ParseToRaw(restriction)
+	assert.True(t, updated)
+	assert.NotNil(t, raw)
+	parsedRestriction, updated := ParseToResourceNameRestriction(raw)
+	assert.True(t, updated)
+	assert.NotNil(t, parsedRestriction)
+	assert.EqualValues(t, restriction, parsedRestriction)
+}
+
+func TestParserIgnoreUnset(t *testing.T) {
+	raw := map[string]interface{}{
+		"common_organization":      "org-1",
+		"common_instance":          "ins-1",
+		"common_cluster":           "cluster-1",
+		"cloud_apikey_name":        resourceNotSet,
+		"pulsar_subscription_name": resourceNotSet,
+	}
+	parsedRestriction, updated := ParseToResourceNameRestriction(raw)
+	assert.True(t, updated)
+	assert.EqualValues(t, &v1alpha1.ResourceNameRestriction{
+		Common: &v1alpha1.CommonAttributes{
+			Organization: ptr.To("org-1"),
+			Instance:     ptr.To("ins-1"),
+			Cluster:      ptr.To("cluster-1"),
+		},
+	}, parsedRestriction)
+}

cloud/resource_rolebinding.go

@@ -3,13 +3,14 @@ package cloud
 import (
 	"context"
 	"fmt"
-	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
 	"strings"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
+	"github.com/streamnative/terraform-provider-streamnative/cloud/rbac"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -91,11 +92,20 @@ func resourceRoleBinding() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"resource_name_restriction": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: rbac.GenerateResourceRoleBinding(),
+				},
+			},
 			"condition_resource_names": {
 				ConflictsWith: []string{"condition_cel"},
 				Type:          schema.TypeList,
 				Optional:      true,
 				Description:   descriptions["rolebinding_condition_resource_names"],
+				Deprecated:    "condition_resource_names has deprecated, please use resource_name_restriction instead.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"organization": {
@@ -168,6 +178,7 @@ func resourceRoleBindingCreate(ctx context.Context, d *schema.ResourceData, m in
 	predefinedRoleName := d.Get("cluster_role_name").(string)
 	serviceAccountNames := d.Get("service_account_names").([]interface{})
 	userNames := d.Get("user_names").([]interface{})
+	resourceNameRestriction := d.Get("resource_name_restriction").([]interface{})
 
 	clientSet, err := getClientSet(getFactoryFromMeta(m))
 	if err != nil {
@@ -214,6 +225,12 @@ func resourceRoleBindingCreate(ctx context.Context, d *schema.ResourceData, m in
 		}
 	}
 
+	if resourceNameRestriction != nil && len(resourceNameRestriction) > 0 {
+		if restriction, updated := rbac.ParseToResourceNameRestriction(resourceNameRestriction[0].(map[string]interface{})); updated {
+			rb.Spec.ResourceNameRestriction = restriction
+		}
+	}
+
 	conditionSet(namespace, d, rb)
 
 	if _, err := clientSet.CloudV1alpha1().RoleBindings(namespace).Create(ctx, rb, metav1.CreateOptions{

docs/data-sources/rolebinding.md

@@ -24,9 +24,10 @@ description: |-
 
 - `cluster_role_name` (String) The predefined role name
 - `condition_cel` (String) The conditional role binding CEL(Common Expression Language) expression
-- `condition_resource_names` (List of Object) The list of conditional role binding resource names (see [below for nested schema](#nestedatt--condition_resource_names))
+- `condition_resource_names` (List of Object, Deprecated) The list of conditional role binding resource names (see [below for nested schema](#nestedatt--condition_resource_names))
 - `id` (String) The ID of this resource.
 - `ready` (Boolean) The RoleBinding is ready, it will be set to 'True' after the cluster is ready
+- `resource_name_restriction` (List of Object) (see [below for nested schema](#nestedatt--resource_name_restriction))
 - `service_account_names` (List of String) The list of service accounts that are role binding names
 - `user_names` (List of String) The list of users that are role binding names
 
@@ -45,3 +46,24 @@ Read-Only:
 - `tenant` (String)
 - `topic_domain` (String)
 - `topic_name` (String)
+
+
+<a id="nestedatt--resource_name_restriction"></a>
+### Nested Schema for `resource_name_restriction`
+
+Read-Only:
+
+- `cloud_apikey_name` (String)
+- `cloud_secret_name` (String)
+- `cloud_serviceaccount_name` (String)
+- `common_cluster` (String)
+- `common_instance` (String)
+- `common_namespace` (String)
+- `common_organization` (String)
+- `common_tenant` (String)
+- `common_topic` (String)
+- `kafka_consumergroup_name` (String)
+- `kafka_transaction_id` (String)
+- `pulsar_subscription_name` (String)
+- `pulsar_topic_domain` (String)
+- `schema_subject` (String)

docs/resources/rolebinding.md

@@ -24,7 +24,8 @@ description: |-
 
 - `cluster_role_name` (String) The predefined role name
 - `condition_cel` (String) The conditional role binding CEL(Common Expression Language) expression
-- `condition_resource_names` (Block List) The list of conditional role binding resource names (see [below for nested schema](#nestedblock--condition_resource_names))
+- `condition_resource_names` (Block List, Deprecated) The list of conditional role binding resource names (see [below for nested schema](#nestedblock--condition_resource_names))
+- `resource_name_restriction` (Block List, Max: 1) (see [below for nested schema](#nestedblock--resource_name_restriction))
 - `service_account_names` (List of String) The list of service accounts that are role binding names
 - `user_names` (List of String) The list of users that are role binding names
 
@@ -48,3 +49,24 @@ Optional:
 - `tenant` (String) The conditional role binding resource name - tenant
 - `topic_domain` (String) The conditional role binding resource name - topic domain(persistent/non-persistent)
 - `topic_name` (String) The conditional role binding resource name - topic name
+
+
+<a id="nestedblock--resource_name_restriction"></a>
+### Nested Schema for `resource_name_restriction`
+
+Optional:
+
+- `cloud_apikey_name` (String)
+- `cloud_secret_name` (String)
+- `cloud_serviceaccount_name` (String)
+- `common_cluster` (String)
+- `common_instance` (String)
+- `common_namespace` (String)
+- `common_organization` (String)
+- `common_tenant` (String)
+- `common_topic` (String)
+- `kafka_consumergroup_name` (String)
+- `kafka_transaction_id` (String)
+- `pulsar_subscription_name` (String)
+- `pulsar_topic_domain` (String)
+- `schema_subject` (String)