Workload ID: Introduce basic rule condition operators (#50940)

* Pull condition operators into a one of * Add wrapper structs to support repeated * Adjust for new protos * Fix tflint * Start fixing tests * Add more test cases * More test cases * Fix marshalling of resource * Fix test in lib/services
gravitational · Jan 10, 2025 · ccc6393 · ccc6393
1 parent e10b956
commit ccc6393
Show file tree

Hide file tree

Showing 15 changed files with 1,317 additions and 162 deletions.
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go
diff --git a/api/proto/teleport/workloadidentity/v1/resource.proto b/api/proto/teleport/workloadidentity/v1/resource.proto
@@ -38,12 +38,46 @@ message WorkloadIdentity {
   WorkloadIdentitySpec spec = 5;
 }
 
+// The attribute casted to a string must be equal to the value.
+message WorkloadIdentityConditionEq {
+  // The value to compare the attribute against.
+  string value = 1;
+}
+
+// The attribute casted to a string must not be equal to the value.
+message WorkloadIdentityConditionNotEq {
+  // The value to compare the attribute against.
+  string value = 1;
+}
+
+// The attribute casted to a string must be in the list of values.
+message WorkloadIdentityConditionIn {
+  // The list of values to compare the attribute against.
+  repeated string values = 1;
+}
+
+// The attribute casted to a string must not be in the list of values.
+message WorkloadIdentityConditionNotIn {
+  // The list of values to compare the attribute against.
+  repeated string values = 1;
+}
+
 // The individual conditions that make up a rule.
 message WorkloadIdentityCondition {
+  reserved 2;
+  reserved "equals";
   // The name of the attribute to evaluate the condition against.
   string attribute = 1;
-  // An exact string that the attribute must match.
-  string equals = 2;
+  oneof operator {
+    // The attribute casted to a string must be equal to the value.
+    WorkloadIdentityConditionEq eq = 3;
+    // The attribute casted to a string must not be equal to the value.
+    WorkloadIdentityConditionNotEq not_eq = 4;
+    // The attribute casted to a string must be in the list of values.
+    WorkloadIdentityConditionIn in = 5;
+    // The attribute casted to a string must not be in the list of values.
+    WorkloadIdentityConditionNotIn not_in = 6;
+  }
 }
 
 // An individual rule that is evaluated during the issuance of a WorkloadIdentity.

diff --git a/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx b/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx
@@ -55,7 +55,38 @@ Optional:
 Optional:
 
 - `attribute` (String) The name of the attribute to evaluate the condition against.
-- `equals` (String) An exact string that the attribute must match.
+- `eq` (Attributes) The attribute casted to a string must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
+- `in` (Attributes) The attribute casted to a string must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
+- `not_eq` (Attributes) The attribute casted to a string must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
+- `not_in` (Attributes) The attribute casted to a string must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))
+
+### Nested Schema for `spec.rules.allow.conditions.eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
 
 
 

diff --git a/docs/pages/reference/terraform-provider/resources/workload_identity.mdx b/docs/pages/reference/terraform-provider/resources/workload_identity.mdx
@@ -23,7 +23,9 @@ resource "teleport_workload_identity" "example" {
         {
           conditions = [{
             attribute = "user.name"
-            equals    = "noah"
+            eq = {
+              value = "my-user"
+            }
           }]
         }
       ]
@@ -80,7 +82,38 @@ Optional:
 Optional:
 
 - `attribute` (String) The name of the attribute to evaluate the condition against.
-- `equals` (String) An exact string that the attribute must match.
+- `eq` (Attributes) The attribute casted to a string must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
+- `in` (Attributes) The attribute casted to a string must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
+- `not_eq` (Attributes) The attribute casted to a string must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
+- `not_in` (Attributes) The attribute casted to a string must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))
+
+### Nested Schema for `spec.rules.allow.conditions.eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
 
 
 

diff --git a/integrations/terraform/examples/resources/teleport_workload_identity/resource.tf b/integrations/terraform/examples/resources/teleport_workload_identity/resource.tf
@@ -9,7 +9,9 @@ resource "teleport_workload_identity" "example" {
         {
           conditions = [{
             attribute = "user.name"
-            equals    = "noah"
+            eq = {
+              value = "my-user"
+            }
           }]
         }
       ]

diff --git a/integrations/terraform/testlib/fixtures/workload_identity_0_create.tf b/integrations/terraform/testlib/fixtures/workload_identity_0_create.tf
@@ -9,7 +9,9 @@ resource "teleport_workload_identity" "test" {
         {
           conditions = [{
             attribute = "user.name"
-            equals    = "foo"
+            eq = {
+              value = "foo"
+            }
           }]
         }
       ]

diff --git a/integrations/terraform/testlib/fixtures/workload_identity_1_update.tf b/integrations/terraform/testlib/fixtures/workload_identity_1_update.tf
@@ -9,7 +9,9 @@ resource "teleport_workload_identity" "test" {
         {
           conditions = [{
             attribute = "user.name"
-            equals    = "foo"
+            eq = {
+              value = "foo"
+            }
           }]
         }
       ]

diff --git a/integrations/terraform/testlib/workload_identity_test.go b/integrations/terraform/testlib/workload_identity_test.go
@@ -55,7 +55,7 @@ func (s *TerraformSuiteOSS) TestWorkloadIdentity() {
 					resource.TestCheckResourceAttr(name, "kind", "workload_identity"),
 					resource.TestCheckResourceAttr(name, "spec.spiffe.id", "/test"),
 					resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.attribute", "user.name"),
-					resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.equals", "foo"),
+					resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.eq.value", "foo"),
 				),
 			},
 			{
@@ -68,7 +68,7 @@ func (s *TerraformSuiteOSS) TestWorkloadIdentity() {
 					resource.TestCheckResourceAttr(name, "kind", "workload_identity"),
 					resource.TestCheckResourceAttr(name, "spec.spiffe.id", "/test/updated"),
 					resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.attribute", "user.name"),
-					resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.equals", "foo"),
+					resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.eq.value", "foo"),
 				),
 			},
 			{
@@ -101,7 +101,11 @@ func (s *TerraformSuiteOSS) TestImportWorkloadIdentity() {
 						Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
 							{
 								Attribute: "user.name",
-								Equals:    "foo",
+								Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
+									Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
+										Value: "foo",
+									},
+								},
 							},
 						},
 					},
@@ -133,7 +137,7 @@ func (s *TerraformSuiteOSS) TestImportWorkloadIdentity() {
 					require.Equal(t, types.KindWorkloadIdentity, state[0].Attributes["kind"])
 					require.Equal(t, "/test", state[0].Attributes["spec.spiffe.id"])
 					require.Equal(t, "user.name", state[0].Attributes["spec.rules.allow.0.conditions.0.attribute"])
-					require.Equal(t, "foo", state[0].Attributes["spec.rules.allow.0.conditions.0.equals"])
+					require.Equal(t, "foo", state[0].Attributes["spec.rules.allow.0.conditions.0.eq.value"])
 
 					return nil
 				},