Resource: Add LBAC for datasources data_source_config_lbac_rules
#1797
In order to lower resource usage and have a faster runtime, PRs will not run Cloud tests automatically.
Hey there, is there an ETA when this feature will be shipped? Or is there anything that still needs to be done?
@undefinedhuman we are working on the backend side of things for this. So this will wait for clear resource handling
Thank you very much!
What's the status of this? I was using teamHttpHeaders to configure lbac via the grafana_datasource_config, but that seems to be broken after these 2 are merged:
Now I am no longer able to manage my Loki lbac rules via Terraform, resulting in new onboarded teams to have full query access to my log datasource.
Mostly looks good, but I've added a few questions.
}) | ||
} | ||
|
||
# TODO: add back 5th of dec |
This commented-out code block also appears in the docs, so we should really remember to uncomment the code before we do the next Terraform release.
Or maybe just track this as an action item in an issue rather than having it here.
I'll track it in an item instead 👍
Nice, I've added some small comments, but once those are fixed it looks ready to me 👌
Manages LBAC rules for a data source. | ||
!> Warning: The resource is experimental and will be subject to change. This resource manages the entire LBAC rules tree, and will overwrite any existing rules. | ||
Official documentation https://grafana.com/docs/grafana/latest/administration/data-source-management/teamlbac/HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/datasource_lbac_rules/ | ||
This resource requires Grafana >=11.4.0. |
I think we actually need to set it to 11.5.0 - 11.4.0 will not include the changes that we need (see this internal thread).
|
||
json_data_encoded = jsonencode({ | ||
authType = "default" | ||
## basicAuthPassword = "<>" |
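Review bot: the commented-out basicAuthPassword placeholder on the last line of this example sits inside json_data_encoded, which is the non-secret settings blob of the data source. If the example needs to show that basic auth requires a password, put the hint under secure_json_data_encoded instead, so that nobody uncomments it in place and ends up with a credential stored in plain jsonData; otherwise drop the line.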
Is this line needed?
It's not needed at all. Just showing that you need to have a password to connect with the datasource from basicAuth
type LBACRule struct { | ||
TeamID types.String `tfsdk:"team_id"` | ||
TeamUID types.String `tfsdk:"team_uid"` | ||
Rules []types.String `tfsdk:"rules"` | ||
} |
Is this actually used?
Wait, it is unused. I should really start to make my structs private on first creation. How do you spot this? With the linter?
}, | ||
"rules": schema.StringAttribute{ | ||
Required: true, | ||
Description: "JSON-encoded LBAC rules for the data source. Map of team IDs to lists of rule strings.", |
Description: "JSON-encoded LBAC rules for the data source. Map of team IDs to lists of rule strings.", | |
Description: "JSON-encoded LBAC rules for the data source. Map of team UIDs to lists of rule strings.", |
) | ||
|
||
func TestAccDataSourceConfigLBACRules_basic(t *testing.T) { | ||
testutils.CheckEnterpriseTestsEnabled(t, ">=11.4.0") |
Should also be 11.5.0.
Tested feature fully ✅ :
This feature would be issued together with the release of Grafana version 11.5 on the 28th of January
why/what
We have seen that users would love to provision their lbac rules using terraform. This implements an experimental feature that will be highly developed. This is the first part of LBAC rules resource for terraform.
dependencies:
teamHttpHeaders in the json read path for data source #1857 ✅
write path of teamHttpHeaders in the json encoding #1856 ✅
go.mod Update to latest openapi spec #1905 ✅
ability to run terraform plan, terraform apply and terraform destroy of the rules resource
Example terraform:
why is this difficult
lbac for datasources terraform resource, why is it a bit tricky?
the bidirection of lbac_rules -> data_source:jsonData, meaning we are updating the jsondata with another resource impacting another resource
proposals and thought process
there is no ID for the json field teamHttpHeaders
data_source_config resource more
this is a resource that will be heavily used
grafana_data_source_permission_item for this. as it suits well for how we would like to setup this resource
resource_data_source_config_lbac_rules
proposal of all rules combined into one resource
benefits
tradeoffs
proposal of each rule being a resource
benefits
tradeoffs
proposal of embedding it into a resource and then add it to the json
benefits:
tradeoff
It's a tradeoff of where you want the complexity to be. In Grafana with a new way to store this, or in the provider extracting it from json data, and possibly running into versioning issues.
I guess the less complex option is to leave everything as-is, isn't it? Have people manage those new fields in the existing json data? Perhaps provide a datasource helper for this, if the value is not trivial to build/represent
run tests via
GRAFANA_VERSION=11.1.0 GRAFANA_URL=http://localhost:3000 GRAFANA_AUTH=admin:admin TESTARGS="-run TestAccDataSourceLBAC_inOrg" make testacc-enterprise
The teamHttpHeaders resource is a datasource json field.
epic
basically this introduced a way to add/update a datasource json field
lbac-api
here is the doc for it. https://grafana.com/docs/grafana/latest/administration/data-source-management/teamlbac/
next steps
improvements:
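
The rules value this PR describes (a JSON-encoded map of team UIDs to lists of rule strings, applied as one tree that overwrites existing rules) can be checked before an apply. The following is an added example, not code from this PR or from the provider: AuditLBACRules and the sample UIDs are hypothetical, and the brace check assumes rules are written as label selectors such as { cluster="dev" }. It lists the teams that would be left without any rule, the gap one commenter in this thread reports as giving full query access.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// AuditLBACRules (hypothetical helper) parses the JSON-encoded rules value, a
// map of team UID to rule strings, and returns the teams in queryTeams that end
// up with no rule plus the positions of rules that are not usable selectors.
func AuditLBACRules(rulesJSON string, queryTeams []string) (uncovered, malformed []string, err error) {
	var rules map[string][]string
	if err = json.Unmarshal([]byte(rulesJSON), &rules); err != nil {
		return nil, nil, fmt.Errorf("rules must be a map of team UID to rule list: %w", err)
	}
	for uid, list := range rules {
		for i, r := range list {
			s := strings.TrimSpace(r)
			// Assumption: a rule is a label selector such as { cluster="dev" };
			// an empty "{}" carries no matcher, so it is flagged as well.
			ok := strings.HasPrefix(s, "{") && strings.HasSuffix(s, "}") &&
				strings.TrimSpace(s[1:len(s)-1]) != ""
			if !ok {
				malformed = append(malformed, fmt.Sprintf("%s[%d]", uid, i))
			}
		}
	}
	// The resource replaces the whole tree, so a team missing here has no rule
	// after apply, whatever was configured before.
	for _, uid := range queryTeams {
		if len(rules[uid]) == 0 {
			uncovered = append(uncovered, uid)
		}
	}
	sort.Strings(uncovered)
	sort.Strings(malformed)
	return uncovered, malformed, nil
}

func main() {
	// Constructed sample: UIDs and rules are illustrative, not taken from the PR.
	rules := `{"team-a-uid": ["{ cluster=\"dev\" }"], "team-b-uid": ["namespace=prod"], "team-c-uid": []}`
	teams := []string{"team-a-uid", "team-b-uid", "team-c-uid", "team-d-uid"}
	uncovered, malformed, err := AuditLBACRules(rules, teams)
	fmt.Println("no rule after apply:", uncovered)
	fmt.Println("malformed rules:", malformed, "error:", err)
}
```

The list of teams passed as queryTeams would come from whatever grants query permission on the data source; how that list is obtained is outside this sketch.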