Merge pull request #96 from vmware/vasundharas/rectify-security-policy-templates

Shreyas Sreenivas · web-flow · commit 65cb41df1964 · 2022-11-23T17:04:00.000+05:30
Correct resource templates for security policy resource and format the examples and templates
diff --git a/examples/resources/security_policy/resource_cluster_custom_security_policy.tf b/examples/resources/security_policy/resource_cluster_custom_security_policy.tf
@@ -30,7 +30,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security
           max = 5000
         }
 
-        allowed_volumes              = [
+        allowed_volumes = [
           "configMap",
           "nfs",
           "vsphereVolume"
@@ -89,7 +89,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security
         }
 
         linux_capabilities {
-          allowed_capabilities       = [
+          allowed_capabilities = [
             "CHOWN",
             "IPC_LOCK"
           ]
@@ -100,15 +100,15 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security
 
         allowed_host_paths {
           path_prefix = "p1"
-          read_only  = true
+          read_only   = true
         }
         allowed_host_paths {
           path_prefix = "p2"
-          read_only  = false
+          read_only   = false
         }
         allowed_host_paths {
           path_prefix = "p3"
-          read_only  = true
+          read_only   = true
         }
 
         allowed_se_linux_options {
@@ -126,7 +126,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security
         }
 
         seccomp {
-          allowed_profiles        = [
+          allowed_profiles = [
             "Localhost"
           ]
           allowed_localhost_files = [
diff --git a/examples/resources/security_policy/resource_cluster_group_baseline_security_policy.tf b/examples/resources/security_policy/resource_cluster_group_baseline_security_policy.tf
@@ -24,7 +24,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_baseline_
       match_expressions {
         key      = "component"
         operator = "In"
-        values   = [
+        values = [
           "api-server",
           "agent-gateway"
         ]
diff --git a/examples/resources/security_policy/resource_cluster_group_custom_security_policy.tf b/examples/resources/security_policy/resource_cluster_group_custom_security_policy.tf
@@ -28,7 +28,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se
           max = 5000
         }
 
-        allowed_volumes              = [
+        allowed_volumes = [
           "configMap",
           "nfs",
           "vsphereVolume"
@@ -87,7 +87,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se
         }
 
         linux_capabilities {
-          allowed_capabilities       = [
+          allowed_capabilities = [
             "CHOWN",
             "IPC_LOCK"
           ]
@@ -98,15 +98,15 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se
 
         allowed_host_paths {
           path_prefix = "p1"
-          read_only  = true
+          read_only   = true
         }
         allowed_host_paths {
           path_prefix = "p2"
-          read_only  = false
+          read_only   = false
         }
         allowed_host_paths {
           path_prefix = "p3"
-          read_only  = true
+          read_only   = true
         }
 
         allowed_se_linux_options {
@@ -124,8 +124,8 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se
         }
 
         seccomp {
-          allowed_profiles        = [
-          "Localhost"
+          allowed_profiles = [
+            "Localhost"
           ]
           allowed_localhost_files = [
             "profiles/audit.json",
@@ -139,7 +139,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se
       match_expressions {
         key      = "component"
         operator = "In"
-        values   = [
+        values = [
           "api-server",
           "agent-gateway"
         ]
diff --git a/examples/resources/security_policy/resource_cluster_strict_security_policy.tf b/examples/resources/security_policy/resource_cluster_strict_security_policy.tf
@@ -26,7 +26,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_strict_security
       match_expressions {
         key      = "component"
         operator = "NotIn"
-        values   = [
+        values = [
           "api-server",
           "agent-gateway"
         ]
diff --git a/examples/resources/security_policy/resource_organization_custom_security_policy.tf b/examples/resources/security_policy/resource_organization_custom_security_policy.tf
@@ -28,7 +28,7 @@ resource "tanzu-mission-control_security_policy" "organization_scoped_custom_sec
           max = 5000
         }
 
-        allowed_volumes              = [
+        allowed_volumes = [
           "configMap",
           "nfs",
           "vsphereVolume"
@@ -87,7 +87,7 @@ resource "tanzu-mission-control_security_policy" "organization_scoped_custom_sec
         }
 
         linux_capabilities {
-          allowed_capabilities       = [
+          allowed_capabilities = [
             "CHOWN",
             "IPC_LOCK"
           ]
@@ -98,15 +98,15 @@ resource "tanzu-mission-control_security_policy" "organization_scoped_custom_sec
 
         allowed_host_paths {
           path_prefix = "p1"
-          read_only  = true
+          read_only   = true
         }
         allowed_host_paths {
           path_prefix = "p2"
-          read_only  = false
+          read_only   = false
         }
         allowed_host_paths {
           path_prefix = "p3"
-          read_only  = true
+          read_only   = true
         }
 
         allowed_se_linux_options {
@@ -124,7 +124,7 @@ resource "tanzu-mission-control_security_policy" "organization_scoped_custom_sec
         }
 
         seccomp {
-          allowed_profiles        = [
+          allowed_profiles = [
             "Localhost"
           ]
           allowed_localhost_files = [
@@ -139,7 +139,7 @@ resource "tanzu-mission-control_security_policy" "organization_scoped_custom_sec
       match_expressions {
         key      = "component"
         operator = "In"
-        values   = [
+        values = [
           "api-server",
           "agent-gateway"
         ]
diff --git a/examples/resources/security_policy/resource_organization_strict_security_policy.tf b/examples/resources/security_policy/resource_organization_strict_security_policy.tf
@@ -24,7 +24,7 @@ resource "tanzu-mission-control_security_policy" "organization_scoped_strict_sec
       match_expressions {
         key      = "component"
         operator = "In"
-        values   = [
+        values = [
           "api-server",
           "agent-gateway"
         ]
diff --git a/resource_templates/cluster_group_scoped_baseline_security_policy.tf b/resource_templates/cluster_group_scoped_baseline_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control cluster group scoped baseline security policy entry
 resource "tanzu-mission-control_security_policy" "cluster_group_scoped_baseline_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     cluster_group {
       cluster_group = "<cluster-group-name>" // Required
diff --git a/resource_templates/cluster_group_scoped_custom_security_policy.tf b/resource_templates/cluster_group_scoped_custom_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control cluster group scoped custom security policy entry
 resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     cluster_group {
       cluster_group = "<cluster-group-name>" // Required
diff --git a/resource_templates/cluster_group_scoped_strict_security_policy.tf b/resource_templates/cluster_group_scoped_strict_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control cluster group scoped strict security policy entry
 resource "tanzu-mission-control_security_policy" "cluster_group_scoped_strict_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     cluster_group {
       cluster_group = "<cluster-group-name>" // Required
diff --git a/resource_templates/cluster_scoped_baseline_security_policy.tf b/resource_templates/cluster_scoped_baseline_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control cluster scoped baseline security policy entry
 resource "tanzu-mission-control_security_policy" "cluster_scoped_baseline_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     cluster {
       management_cluster_name = "<management-cluster>" // Required
diff --git a/resource_templates/cluster_scoped_custom_security_policy.tf b/resource_templates/cluster_scoped_custom_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control cluster scoped custom security policy entry
 resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     cluster {
       management_cluster_name = "<management-cluster>" // Required
diff --git a/resource_templates/cluster_scoped_strict_security_policy.tf b/resource_templates/cluster_scoped_strict_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control cluster scoped strict security policy entry
 resource "tanzu-mission-control_security_policy" "cluster_scoped_strict_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     cluster {
       management_cluster_name = "<management-cluster>" // Required
diff --git a/resource_templates/credential_aws_eks.tf b/resource_templates/credential_aws_eks.tf
@@ -10,19 +10,19 @@ resource "tanzu-mission-control_credential" "aws_eks_cred" {
   meta {
     description = "<description of the credential>"
     labels = {
-     "key" : "<value>" ,
+      "key" : "<value>",
     }
   }
 
   spec {
     capability = "<capability-type>"
-    provider = "<provider>"
+    provider   = "<provider>"
     data {
       aws_credential {
         account_id = "<account-id>"
-        iam_role{
-          arn = "<IAM-role-ARN>"
-          ext_id ="external-ID"
+        iam_role {
+          arn    = "<IAM-role-ARN>"
+          ext_id = "external-ID"
         }
       }
     }
diff --git a/resource_templates/credential_dataprotection.tf b/resource_templates/credential_dataprotection.tf
@@ -10,16 +10,16 @@ resource "tanzu-mission-control_credential" "tmc_provisioned_aws_s3_cred" {
   meta {
     description = "<description of the credential>"
     labels = {
-     "key" : "<value>" ,
+      "key" : "<value>",
     }
   }
 
   spec {
     capability = "<capability-type>"
-    provider = "<provider>"
+    provider   = "<provider>"
     data {
       aws_credential {
-        iam_role{
+        iam_role {
           arn = "<IAM-role-ARN>"
         }
       }
diff --git a/resource_templates/credential_image_registry.tf b/resource_templates/credential_image_registry.tf
@@ -10,7 +10,7 @@ resource "tanzu-mission-control_credential" "img_reg_cred" {
   meta {
     description = "<description of the credential>"
     labels = {
-     "key" : "<value>" ,
+      "key" : "<value>",
     }
     annotations = {
       "repository-path" : "<path>"
@@ -19,12 +19,12 @@ resource "tanzu-mission-control_credential" "img_reg_cred" {
 
   spec {
     capability = "<capability-type>"
-    provider = "<provider>"
+    provider   = "<provider>"
     data {
-      key_value{
-        data  = {
+      key_value {
+        data = {
           "registry-url" = "<url>"
-          "ca-cert"  = "<ca-cert>"
+          "ca-cert"      = "<ca-cert>"
         }
       }
     }
diff --git a/resource_templates/credential_proxy.tf b/resource_templates/credential_proxy.tf
@@ -10,21 +10,21 @@ resource "tanzu-mission-control_credential" "proxy_cred" {
   meta {
     description = "<description of the credential>"
     labels = {
-     "key" : "<value>" ,
+      "key" : "<value>",
     }
     annotations = {
-      "httpProxy"  :"<http-proxy-url>",
-      "httpsProxy" :"<https-proxy-url>",
-      "noProxyList":"<no-proxy-list>"
+      "httpProxy" : "<http-proxy-url>",
+      "httpsProxy" : "<https-proxy-url>",
+      "noProxyList" : "<no-proxy-list>"
     }
   }
 
   spec {
     capability = "<capability-type>"
-    provider = "<provider>"
+    provider   = "<provider>"
     data {
-      key_value{
-        data  = {
+      key_value {
+        data = {
           "httpUserName"  = "<username>"
           "httpPassword"  = "<password>"
           "httpsUserName" = "<username>"
diff --git a/resource_templates/credential_tanzu_observability.tf b/resource_templates/credential_tanzu_observability.tf
@@ -10,7 +10,7 @@ resource "tanzu-mission-control_credential" "tanzu_observability_cred" {
   meta {
     description = "<description of the credential>"
     labels = {
-     "key" : "<value>" ,
+      "key" : "<value>",
     }
     annotations = {
       "wavefront.url" : "<url of wavefront instance>"
@@ -19,10 +19,10 @@ resource "tanzu-mission-control_credential" "tanzu_observability_cred" {
 
   spec {
     capability = "<capability-type>"
-    provider = "<provider>"
+    provider   = "<provider>"
     data {
-      key_value{
-        data  = {
+      key_value {
+        data = {
           "wavefront.token" = "<wavefront api token>"
         }
       }
diff --git a/resource_templates/organization_scoped_baseline_security_policy.tf b/resource_templates/organization_scoped_baseline_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control organization scoped baseline security policy entry
 resource "tanzu-mission-control_security_policy" "organization_scoped_baseline_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     organization {
       organization = "<organization-id>" // Required
diff --git a/resource_templates/organization_scoped_custom_security_policy.tf b/resource_templates/organization_scoped_custom_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control organization scoped custom security policy entry
 resource "tanzu-mission-control_security_policy" "organization_scoped_custom_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     organization {
       organization = "<organization-id>" // Required
diff --git a/resource_templates/organization_scoped_strict_security_policy.tf b/resource_templates/organization_scoped_strict_security_policy.tf
@@ -1,5 +1,7 @@
 // Create/ Delete/ Update Tanzu Mission Control organization scoped strict security policy entry
 resource "tanzu-mission-control_security_policy" "organization_scoped_strict_security_policy" {
+  name = "<security-policy-name>"
+
   scope {
     organization {
       organization = "<organization-id>" // Required

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security`
`30`	`30`	`max = 5000`
`31`	`31`	`}`
`32`	`32`
`33`		`- allowed_volumes = [`
	`33`	`+ allowed_volumes = [`
`34`	`34`	`"configMap",`
`35`	`35`	`"nfs",`
`36`	`36`	`"vsphereVolume"`
`@@ -89,7 +89,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`linux_capabilities {`
`92`		`- allowed_capabilities = [`
	`92`	`+ allowed_capabilities = [`
`93`	`93`	`"CHOWN",`
`94`	`94`	`"IPC_LOCK"`
`95`	`95`	`]`
`@@ -100,15 +100,15 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security`
`100`	`100`
`101`	`101`	`allowed_host_paths {`
`102`	`102`	`path_prefix = "p1"`
`103`		`- read_only = true`
	`103`	`+ read_only = true`
`104`	`104`	`}`
`105`	`105`	`allowed_host_paths {`
`106`	`106`	`path_prefix = "p2"`
`107`		`- read_only = false`
	`107`	`+ read_only = false`
`108`	`108`	`}`
`109`	`109`	`allowed_host_paths {`
`110`	`110`	`path_prefix = "p3"`
`111`		`- read_only = true`
	`111`	`+ read_only = true`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`allowed_se_linux_options {`
`@@ -126,7 +126,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_custom_security`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`seccomp {`
`129`		`- allowed_profiles = [`
	`129`	`+ allowed_profiles = [`
`130`	`130`	`"Localhost"`
`131`	`131`	`]`
`132`	`132`	`allowed_localhost_files = [`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_baseline_`
`24`	`24`	`match_expressions {`
`25`	`25`	`key = "component"`
`26`	`26`	`operator = "In"`
`27`		`- values = [`
	`27`	`+ values = [`
`28`	`28`	`"api-server",`
`29`	`29`	`"agent-gateway"`
`30`	`30`	`]`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se`
`28`	`28`	`max = 5000`
`29`	`29`	`}`
`30`	`30`
`31`		`- allowed_volumes = [`
	`31`	`+ allowed_volumes = [`
`32`	`32`	`"configMap",`
`33`	`33`	`"nfs",`
`34`	`34`	`"vsphereVolume"`
`@@ -87,7 +87,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`linux_capabilities {`
`90`		`- allowed_capabilities = [`
	`90`	`+ allowed_capabilities = [`
`91`	`91`	`"CHOWN",`
`92`	`92`	`"IPC_LOCK"`
`93`	`93`	`]`
`@@ -98,15 +98,15 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se`
`98`	`98`
`99`	`99`	`allowed_host_paths {`
`100`	`100`	`path_prefix = "p1"`
`101`		`- read_only = true`
	`101`	`+ read_only = true`
`102`	`102`	`}`
`103`	`103`	`allowed_host_paths {`
`104`	`104`	`path_prefix = "p2"`
`105`		`- read_only = false`
	`105`	`+ read_only = false`
`106`	`106`	`}`
`107`	`107`	`allowed_host_paths {`
`108`	`108`	`path_prefix = "p3"`
`109`		`- read_only = true`
	`109`	`+ read_only = true`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`allowed_se_linux_options {`
`@@ -124,8 +124,8 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`seccomp {`
`127`		`- allowed_profiles = [`
`128`		`- "Localhost"`
	`127`	`+ allowed_profiles = [`
	`128`	`+ "Localhost"`
`129`	`129`	`]`
`130`	`130`	`allowed_localhost_files = [`
`131`	`131`	`"profiles/audit.json",`
`@@ -139,7 +139,7 @@ resource "tanzu-mission-control_security_policy" "cluster_group_scoped_custom_se`
`139`	`139`	`match_expressions {`
`140`	`140`	`key = "component"`
`141`	`141`	`operator = "In"`
`142`		`- values = [`
	`142`	`+ values = [`
`143`	`143`	`"api-server",`
`144`	`144`	`"agent-gateway"`
`145`	`145`	`]`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ resource "tanzu-mission-control_security_policy" "cluster_scoped_strict_security`
`26`	`26`	`match_expressions {`
`27`	`27`	`key = "component"`
`28`	`28`	`operator = "NotIn"`
`29`		`- values = [`
	`29`	`+ values = [`
`30`	`30`	`"api-server",`
`31`	`31`	`"agent-gateway"`
`32`	`32`	`]`
Original file line number	Diff line number	Diff line change
`@@ -10,19 +10,19 @@ resource "tanzu-mission-control_credential" "aws_eks_cred" {`
`10`	`10`	`meta {`
`11`	`11`	`description = "<description of the credential>"`
`12`	`12`	`labels = {`
`13`		`- "key" : "<value>" ,`
	`13`	`+ "key" : "<value>",`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`spec {`
`18`	`18`	`capability = "<capability-type>"`
`19`		`- provider = "<provider>"`
	`19`	`+ provider = "<provider>"`
`20`	`20`	`data {`
`21`	`21`	`aws_credential {`
`22`	`22`	`account_id = "<account-id>"`
`23`		`- iam_role{`
`24`		`- arn = "<IAM-role-ARN>"`
`25`		`- ext_id ="external-ID"`
	`23`	`+ iam_role {`
	`24`	`+ arn = "<IAM-role-ARN>"`
	`25`	`+ ext_id = "external-ID"`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,16 +10,16 @@ resource "tanzu-mission-control_credential" "tmc_provisioned_aws_s3_cred" {`
`10`	`10`	`meta {`
`11`	`11`	`description = "<description of the credential>"`
`12`	`12`	`labels = {`
`13`		`- "key" : "<value>" ,`
	`13`	`+ "key" : "<value>",`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`spec {`
`18`	`18`	`capability = "<capability-type>"`
`19`		`- provider = "<provider>"`
	`19`	`+ provider = "<provider>"`
`20`	`20`	`data {`
`21`	`21`	`aws_credential {`
`22`		`- iam_role{`
	`22`	`+ iam_role {`
`23`	`23`	`arn = "<IAM-role-ARN>"`
`24`	`24`	`}`
`25`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ resource "tanzu-mission-control_credential" "img_reg_cred" {`
`10`	`10`	`meta {`
`11`	`11`	`description = "<description of the credential>"`
`12`	`12`	`labels = {`
`13`		`- "key" : "<value>" ,`
	`13`	`+ "key" : "<value>",`
`14`	`14`	`}`
`15`	`15`	`annotations = {`
`16`	`16`	`"repository-path" : "<path>"`
`@@ -19,12 +19,12 @@ resource "tanzu-mission-control_credential" "img_reg_cred" {`
`19`	`19`
`20`	`20`	`spec {`
`21`	`21`	`capability = "<capability-type>"`
`22`		`- provider = "<provider>"`
	`22`	`+ provider = "<provider>"`
`23`	`23`	`data {`
`24`		`- key_value{`
`25`		`- data = {`
	`24`	`+ key_value {`
	`25`	`+ data = {`
`26`	`26`	`"registry-url" = "<url>"`
`27`		`- "ca-cert" = "<ca-cert>"`
	`27`	`+ "ca-cert" = "<ca-cert>"`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`	`}`