add workspace scope for image policy

Author: Vasundharashukla

internal/resources/policy/constants.go

@@ -11,21 +11,9 @@ const (
 	KeyKey                    = "key"
 	OperatorKey               = "operator"
 	ValuesKey                 = "values"
-	ScopeKey                  = "scope"
-	clusterKey                = "cluster"
-	clusterGroupKey           = "cluster_group"
-	organizationKey           = "organization"
 	SpecKey                   = "spec"
 	NameKey                   = "name"
 	InputKey                  = "input"
 	RecipeVersionDefaultValue = "v1"
 	UnknownRecipe             = ""
 )
-
-// Allowed scopes.
-const (
-	UnknownScope Scope = iota
-	ClusterScope
-	ClusterGroupScope
-	OrganizationScope
-)

internal/resources/policy/kind/custom/resource/resource_custom_policy.go

@@ -13,6 +13,7 @@ import (
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy"
 	policykindcustom "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/custom"
 	policyoperations "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/operations"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/scope"
 )
 
 func ResourceCustomPolicy() *schema.Resource {
@@ -23,7 +24,7 @@ func ResourceCustomPolicy() *schema.Resource {
 		DeleteContext: schema.DeleteContextFunc(policyoperations.ResourceOperation(policyoperations.WithResourceName(policykindcustom.ResourceName), policyoperations.WithOperationType(policyoperations.Delete))),
 		Schema:        customPolicySchema,
 		CustomizeDiff: customdiff.All(
-			policy.ValidateScope,
+			scope.ValidateScope,
 			policykindcustom.ValidateInput,
 			policy.ValidateSpecLabelSelectorRequirement,
 		),
@@ -37,7 +38,7 @@ var customPolicySchema = map[string]*schema.Schema{
 		Required:    true,
 		ForceNew:    true,
 	},
-	policy.ScopeKey: policy.ScopeSchema,
-	common.MetaKey:  common.Meta,
-	policy.SpecKey:  policykindcustom.SpecSchema,
+	scope.ScopeKey: scope.ScopeSchema,
+	common.MetaKey: common.Meta,
+	policy.SpecKey: policykindcustom.SpecSchema,
 }

internal/resources/policy/kind/custom/resource/resource_custom_policy_test.go

@@ -37,6 +37,7 @@ var AllowedNameTag = &schema.Schema{
 							Type:        schema.TypeString,
 							Description: "Allowed image names, wildcards are supported(for example: fooservice/*). Empty field is equivalent to *.",
 							Optional:    true,
+							Default:     "",
 						},
 						TagKey: tag,
 					},

internal/resources/policy/kind/image/recipe/allowed_name_tag_schema.go

@@ -37,16 +37,19 @@ var Custom = &schema.Schema{
 							Type:        schema.TypeString,
 							Description: "Allowed image hostnames, wildcards are supported(for example: *.mycompany.com). Empty field is equivalent to *.",
 							Optional:    true,
+							Default:     "",
 						},
 						ImageNameKey: {
 							Type:        schema.TypeString,
 							Description: "Allowed image names, wildcards are supported(for example: fooservice/*). Empty field is equivalent to *.",
 							Optional:    true,
+							Default:     "",
 						},
 						PortKey: {
 							Type:        schema.TypeString,
 							Description: "Allowed port(if presented) of the image hostname, must associate with valid hostname. Wildcards are supported.",
 							Optional:    true,
+							Default:     "",
 						},
 						RequireKey: {
 							Type:        schema.TypeBool,

internal/resources/policy/kind/image/recipe/custom_schema.go

@@ -21,12 +21,14 @@ var tag = &schema.Schema{
 			NegateKey: {
 				Type:        schema.TypeBool,
 				Description: "The negate flag used to exclude certain tag patterns.",
-				Required:    true,
+				Optional:    true,
+				Default:     false,
 			},
 			ValueKey: {
 				Type:        schema.TypeString,
 				Description: "The value (support wildcard) is used to validate against the tag of the image.",
 				Optional:    true,
+				Default:     "",
 			},
 		},
 	},

internal/resources/policy/kind/image/recipe/tag_schema.go

@@ -12,13 +12,14 @@ import (
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/common"
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy"
 	policykindimage "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/image"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/scope"
 )
 
 func ResourceImageRegistryPolicy() *schema.Resource {
 	return &schema.Resource{
 		Schema: imageRegistryPolicySchema,
 		CustomizeDiff: customdiff.All(
-			policy.ValidateScope,
+			scope.ValidateScope,
 			policykindimage.ValidateInput,
 			policy.ValidateSpecLabelSelectorRequirement,
 		),
@@ -32,7 +33,7 @@ var imageRegistryPolicySchema = map[string]*schema.Schema{
 		Required:    true,
 		ForceNew:    true,
 	},
-	policy.ScopeKey: policy.ScopeSchema,
-	common.MetaKey:  common.Meta,
-	policy.SpecKey:  policykindimage.SpecSchema,
+	scope.ScopeKey: scope.ScopeSchema,
+	common.MetaKey: common.Meta,
+	policy.SpecKey: policykindimage.SpecSchema,
 }

internal/resources/policy/kind/image/resource/resource_image_registry_policy.go

@@ -13,6 +13,7 @@ import (
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy"
 	policykindsecurity "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/security"
 	policyoperations "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/operations"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/scope"
 )
 
 func ResourceSecurityPolicy() *schema.Resource {
@@ -23,7 +24,7 @@ func ResourceSecurityPolicy() *schema.Resource {
 		DeleteContext: schema.DeleteContextFunc(policyoperations.ResourceOperation(policyoperations.WithResourceName(policykindsecurity.ResourceName), policyoperations.WithOperationType(policyoperations.Delete))),
 		Schema:        securityPolicySchema,
 		CustomizeDiff: customdiff.All(
-			policy.ValidateScope,
+			scope.ValidateScope,
 			policykindsecurity.ValidateInput,
 			policy.ValidateSpecLabelSelectorRequirement,
 		),
@@ -37,7 +38,7 @@ var securityPolicySchema = map[string]*schema.Schema{
 		Required:    true,
 		ForceNew:    true,
 	},
-	policy.ScopeKey: policy.ScopeSchema,
-	common.MetaKey:  common.Meta,
-	policy.SpecKey:  policykindsecurity.SpecSchema,
+	scope.ScopeKey: scope.ScopeSchema,
+	common.MetaKey: common.Meta,
+	policy.SpecKey: policykindsecurity.SpecSchema,
 }

internal/resources/policy/kind/security/resource/resource_security_policy.go

@@ -26,7 +26,7 @@ import (
 	policyorganizationmodel "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/policy/organization"
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy"
 	policykindsecurity "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/security"
-	scoperesource "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/scope"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/scope"
 	testhelper "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/testing"
 )
 
@@ -73,21 +73,21 @@ func TestAcceptanceForSecurityPolicyResource(t *testing.T) {
 						t.Skip("KUBECONFIG env var is not set for cluster scoped security policy acceptance test")
 					}
 				},
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.ClusterScope, policykindsecurity.BaselineRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.ClusterScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.ClusterScope, policykindsecurity.BaselineRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.ClusterScope),
 			},
 			{
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.ClusterGroupScope, policykindsecurity.BaselineRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.ClusterGroupScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.ClusterGroupScope, policykindsecurity.BaselineRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.ClusterGroupScope),
 			},
 			{
 				PreConfig: func() {
 					if testConfig.ScopeHelperResources.OrgID == "" {
 						t.Skip("ORG_ID env var is not set for organization scoped security policy acceptance test")
 					}
 				},
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.OrganizationScope, policykindsecurity.BaselineRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.OrganizationScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.OrganizationScope, policykindsecurity.BaselineRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.OrganizationScope),
 			},
 		},
 	},
@@ -108,21 +108,21 @@ func TestAcceptanceForSecurityPolicyResource(t *testing.T) {
 						t.Skip("KUBECONFIG env var is not set for cluster scoped security policy acceptance test")
 					}
 				},
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.ClusterScope, policykindsecurity.CustomRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.ClusterScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.ClusterScope, policykindsecurity.CustomRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.ClusterScope),
 			},
 			{
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.ClusterGroupScope, policykindsecurity.CustomRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.ClusterGroupScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.ClusterGroupScope, policykindsecurity.CustomRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.ClusterGroupScope),
 			},
 			{
 				PreConfig: func() {
 					if testConfig.ScopeHelperResources.OrgID == "" {
 						t.Skip("ORG_ID env var is not set for organization scoped security policy acceptance test")
 					}
 				},
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.OrganizationScope, policykindsecurity.CustomRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.OrganizationScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.OrganizationScope, policykindsecurity.CustomRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.OrganizationScope),
 			},
 		},
 	},
@@ -143,21 +143,21 @@ func TestAcceptanceForSecurityPolicyResource(t *testing.T) {
 						t.Skip("KUBECONFIG env var is not set for cluster scoped security policy acceptance test")
 					}
 				},
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.ClusterScope, policykindsecurity.StrictRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.ClusterScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.ClusterScope, policykindsecurity.StrictRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.ClusterScope),
 			},
 			{
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.ClusterGroupScope, policykindsecurity.StrictRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.ClusterGroupScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.ClusterGroupScope, policykindsecurity.StrictRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.ClusterGroupScope),
 			},
 			{
 				PreConfig: func() {
 					if testConfig.ScopeHelperResources.OrgID == "" {
 						t.Skip("ORG_ID env var is not set for organization scoped security policy acceptance test")
 					}
 				},
-				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(policy.OrganizationScope, policykindsecurity.StrictRecipe),
-				Check:  testConfig.checkSecurityPolicyResourceAttributes(policy.OrganizationScope),
+				Config: testConfig.getTestSecurityPolicyResourceBasicConfigValue(scope.OrganizationScope, policykindsecurity.StrictRecipe),
+				Check:  testConfig.checkSecurityPolicyResourceAttributes(scope.OrganizationScope),
 			},
 		},
 	},
@@ -167,7 +167,7 @@ func TestAcceptanceForSecurityPolicyResource(t *testing.T) {
 	t.Log("all security policy resource acceptance tests complete!")
 }
 
-func (testConfig *testAcceptanceConfig) getTestSecurityPolicyResourceBasicConfigValue(scope policy.Scope, recipe policykindsecurity.Recipe) string {
+func (testConfig *testAcceptanceConfig) getTestSecurityPolicyResourceBasicConfigValue(scope scope.Scope, recipe policykindsecurity.Recipe) string {
 	helperBlock, scopeBlock := testConfig.ScopeHelperResources.GetTestPolicyResourceHelperAndScope(scope)
 	inputBlock := testConfig.getTestSecurityPolicyResourceInput(recipe)
 
@@ -357,29 +357,29 @@ func (testConfig *testAcceptanceConfig) getTestSecurityPolicyResourceInput(recip
 }
 
 // checkSecurityPolicyResourceAttributes checks for security policy creation along with meta attributes.
-func (testConfig *testAcceptanceConfig) checkSecurityPolicyResourceAttributes(scope policy.Scope) resource.TestCheckFunc {
+func (testConfig *testAcceptanceConfig) checkSecurityPolicyResourceAttributes(scopeType scope.Scope) resource.TestCheckFunc {
 	var check = []resource.TestCheckFunc{
-		testConfig.verifySecurityPolicyResourceCreation(scope),
+		testConfig.verifySecurityPolicyResourceCreation(scopeType),
 		resource.TestCheckResourceAttr(testConfig.SecurityPolicyResourceName, "name", testConfig.SecurityPolicyName),
 	}
 
-	switch scope {
-	case policy.ClusterScope:
+	switch scopeType {
+	case scope.ClusterScope:
 		check = append(check, resource.TestCheckResourceAttr(testConfig.SecurityPolicyResourceName, "scope.0.cluster.0.name", testConfig.ScopeHelperResources.Cluster.Name))
-	case policy.ClusterGroupScope:
+	case scope.ClusterGroupScope:
 		check = append(check, resource.TestCheckResourceAttr(testConfig.SecurityPolicyResourceName, "scope.0.cluster_group.0.cluster_group", testConfig.ScopeHelperResources.ClusterGroup.Name))
-	case policy.OrganizationScope:
+	case scope.OrganizationScope:
 		check = append(check, resource.TestCheckResourceAttr(testConfig.SecurityPolicyResourceName, "scope.0.organization.0.organization", testConfig.ScopeHelperResources.OrgID))
-	case policy.UnknownScope:
-		log.Printf("[ERROR]: No valid scope type block found: minimum one valid scope type block is required among: %v. Please check the schema.", strings.Join(policy.ScopesAllowed[:], `, `))
+	case scope.UnknownScope:
+		log.Printf("[ERROR]: No valid scope type block found: minimum one valid scope type block is required among: %v. Please check the schema.", strings.Join(scope.ScopesAllowed[:], `, `))
 	}
 
 	check = append(check, policy.MetaResourceAttributeCheck(testConfig.SecurityPolicyResourceName)...)
 
 	return resource.ComposeTestCheckFunc(check...)
 }
 
-func (testConfig *testAcceptanceConfig) verifySecurityPolicyResourceCreation(scope policy.Scope) resource.TestCheckFunc {
+func (testConfig *testAcceptanceConfig) verifySecurityPolicyResourceCreation(scopeType scope.Scope) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		if testConfig.Provider == nil {
 			return fmt.Errorf("provider not initialised")
@@ -406,13 +406,13 @@ func (testConfig *testAcceptanceConfig) verifySecurityPolicyResourceCreation(sco
 			return errors.Wrap(err, "unable to set the context")
 		}
 
-		switch scope {
-		case policy.ClusterScope:
+		switch scopeType {
+		case scope.ClusterScope:
 			fn := &policyclustermodel.VmwareTanzuManageV1alpha1ClusterPolicyFullName{
 				ClusterName:           testConfig.ScopeHelperResources.Cluster.Name,
-				ManagementClusterName: scoperesource.AttachedValue,
+				ManagementClusterName: scope.AttachedValue,
 				Name:                  testConfig.SecurityPolicyName,
-				ProvisionerName:       scoperesource.AttachedValue,
+				ProvisionerName:       scope.AttachedValue,
 			}
 
 			resp, err := config.TMCConnection.ClusterPolicyResourceService.ManageV1alpha1ClusterPolicyResourceServiceGet(fn)
@@ -423,7 +423,7 @@ func (testConfig *testAcceptanceConfig) verifySecurityPolicyResourceCreation(sco
 			if resp == nil {
 				return errors.Wrapf(err, "cluster scoped security policy resource is empty, resource: %s", testConfig.SecurityPolicyResourceName)
 			}
-		case policy.ClusterGroupScope:
+		case scope.ClusterGroupScope:
 			fn := &policyclustergroupmodel.VmwareTanzuManageV1alpha1ClustergroupPolicyFullName{
 				ClusterGroupName: testConfig.ScopeHelperResources.ClusterGroup.Name,
 				Name:             testConfig.SecurityPolicyName,
@@ -437,7 +437,7 @@ func (testConfig *testAcceptanceConfig) verifySecurityPolicyResourceCreation(sco
 			if resp == nil {
 				return errors.Wrapf(err, "cluster group scoped security policy resource is empty, resource: %s", testConfig.SecurityPolicyResourceName)
 			}
-		case policy.OrganizationScope:
+		case scope.OrganizationScope:
 			fn := &policyorganizationmodel.VmwareTanzuManageV1alpha1OrganizationPolicyFullName{
 				OrgID: testConfig.ScopeHelperResources.OrgID,
 				Name:  testConfig.SecurityPolicyName,
@@ -451,8 +451,8 @@ func (testConfig *testAcceptanceConfig) verifySecurityPolicyResourceCreation(sco
 			if resp == nil {
 				return errors.Wrapf(err, "organization scoped security policy resource is empty, resource: %s", testConfig.SecurityPolicyResourceName)
 			}
-		case policy.UnknownScope:
-			return errors.Errorf("[ERROR]: No valid scope type block found: minimum one valid scope type block is required among: %v. Please check the schema.", strings.Join(policy.ScopesAllowed[:], `, `))
+		case scope.UnknownScope:
+			return errors.Errorf("[ERROR]: No valid scope type block found: minimum one valid scope type block is required among: %v. Please check the schema.", strings.Join(scope.ScopesAllowed[:], `, `))
 		}
 
 		return nil