
Source file src/github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/iam/iamclient/iamclient.go


     1  // Copyright 2022 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package iamclient
    16  
    17  import (
    18  	"context"
    19  	"fmt"
    20  	"regexp"
    21  
    22  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/apis/iam/v1beta1"
    23  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/dcl/conversion"
    24  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/servicemapping/servicemappingloader"
    25  
    26  	mmdcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
    27  	dcliam "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/iam"
    28  	tfschema "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
    29  	"k8s.io/apimachinery/pkg/runtime/schema"
    30  	"sigs.k8s.io/controller-runtime/pkg/client"
    31  	klog "sigs.k8s.io/controller-runtime/pkg/log"
    32  )
    33  
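// Group, Version and Kind components of the Kubernetes resource kinds this
// package refers to by GroupVersionKind (see the *GVK variables below).
const (
	ProjectKind            = "Project"
	ResourceManagerGroup   = "resourcemanager.cnrm.cloud.google.com"
	ResourceManagerVersion = "v1beta1"

	SQLInstanceKind = "SQLInstance"
	SQLGroup        = "sql.cnrm.cloud.google.com"
	SQLVersion      = "v1beta1"

	LoggingLogSinkKind = "LoggingLogSink"
	LoggingGroup       = "logging.cnrm.cloud.google.com"
	LoggingVersion     = "v1beta1"

	IAMServiceAccountKind = "IAMServiceAccount"
	IAMGroup              = "iam.cnrm.cloud.google.com"
	IAMVersion            = "v1beta1"

	ServiceIdentityKind = "ServiceIdentity"
	ServiceUsageGroup   = "serviceusage.cnrm.cloud.google.com"
	ServiceUsageVersion = "v1beta1"

	// SerivceIdentityKind is the historical, misspelled name of
	// ServiceIdentityKind; it is kept so existing callers keep compiling.
	//
	// Deprecated: use ServiceIdentityKind instead.
	SerivceIdentityKind = ServiceIdentityKind
)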
    55  
var (
	// NotFoundError is the sentinel error for an IAM resource that does not
	// exist (compare with errors.Is rather than ==).
	NotFoundError = fmt.Errorf("IAM resource does not exist")

	// logger is the package-scoped logger, named after this package.
	logger = klog.Log.WithName("iamclient")
)

// GroupVersionKinds assembled from the constants above, one per resource kind
// that this package needs to identify by GVK.
var (
	ProjectGVK = schema.GroupVersionKind{
		Kind:    ProjectKind,
		Group:   ResourceManagerGroup,
		Version: ResourceManagerVersion,
	}
	SQLInstanceGVK = schema.GroupVersionKind{
		Kind:    SQLInstanceKind,
		Group:   SQLGroup,
		Version: SQLVersion,
	}
	LoggingLogSinkGVK = schema.GroupVersionKind{
		Kind:    LoggingLogSinkKind,
		Group:   LoggingGroup,
		Version: LoggingVersion,
	}
	IAMServiceAccountGVK = schema.GroupVersionKind{
		Kind:    IAMServiceAccountKind,
		Group:   IAMGroup,
		Version: IAMVersion,
	}
	ServiceIdentityGVK = schema.GroupVersionKind{
		Kind:    SerivceIdentityKind,
		Group:   ServiceUsageGroup,
		Version: ServiceUsageVersion,
	}
)
    86  
// idTemplateVarPattern describes one named token of an id template: "{{",
// a name that starts with a lowercase letter, may continue with letters,
// digits, '-', '_' or '.', and must end with a letter or digit, then "}}".
const idTemplateVarPattern = `{{[a-z]([a-zA-Z0-9\-_.]*[a-zA-Z0-9])?}}`

// idTemplateVarsRegex matches the named tokens in an id template, e.g.
// "{{project}}" and "{{name}}" in "projects/{{project}}/global/networks/{{name}}".
var idTemplateVarsRegex = regexp.MustCompile(idTemplateVarPattern)
    90  
// IAMClient routes IAM policy, policy-member and audit-config operations to
// one of two underlying clients, chosen per call by isDCLBasedIAMResource
// (defined elsewhere in this package): DCL-based resources go to
// DCLIAMClient, all others to TFIAMClient.
type IAMClient struct {
	TFIAMClient  *TFIAMClient  // client built on the Terraform provider; used for non-DCL resources
	DCLIAMClient *DCLIAMClient // client built on a dcliam.Client; used for DCL-based resources
}
    95  
// New constructs an IAMClient. The Terraform-backed client is built from
// tfProvider, the DCL-backed client from a dcliam.Client configured with
// dclConfig plus converter; smLoader and kubeClient are shared by both.
func New(tfProvider *tfschema.Provider,
	smLoader *servicemappingloader.ServiceMappingLoader,
	kubeClient client.Client,
	converter *conversion.Converter,
	dclConfig *mmdcl.Config) *IAMClient {
	dclClient := &dcliam.Client{Config: dclConfig}
	return &IAMClient{
		TFIAMClient: &TFIAMClient{
			provider:   tfProvider,
			smLoader:   smLoader,
			kubeClient: kubeClient,
		},
		DCLIAMClient: &DCLIAMClient{
			dclClient:  dclClient,
			converter:  converter,
			smLoader:   smLoader,
			kubeClient: kubeClient,
		},
	}
}
   120  
// SetPolicyMember applies policyMember through the client responsible for
// the referenced resource. The DCL path also receives the TF client, which
// the DCL client needs for its work; the TF path uses only the TF client.
func (c *IAMClient) SetPolicyMember(ctx context.Context, policyMember *v1beta1.IAMPolicyMember) (*v1beta1.IAMPolicyMember, error) {
	if !c.isDCLBasedIAMResource(policyMember) {
		return c.TFIAMClient.SetPolicyMember(ctx, policyMember)
	}
	return c.DCLIAMClient.SetPolicyMember(ctx, c.TFIAMClient, policyMember)
}
   127  
// GetPolicyMember reads the current state of policyMember through the client
// responsible for the referenced resource (DCL client for DCL-based
// resources, TF client otherwise).
func (c *IAMClient) GetPolicyMember(ctx context.Context, policyMember *v1beta1.IAMPolicyMember) (*v1beta1.IAMPolicyMember, error) {
	if !c.isDCLBasedIAMResource(policyMember) {
		return c.TFIAMClient.GetPolicyMember(ctx, policyMember)
	}
	return c.DCLIAMClient.GetPolicyMember(ctx, c.TFIAMClient, policyMember)
}
   134  
// DeletePolicyMember removes policyMember through the client responsible for
// the referenced resource (DCL client for DCL-based resources, TF client
// otherwise). Only an error is returned.
func (c *IAMClient) DeletePolicyMember(ctx context.Context, policyMember *v1beta1.IAMPolicyMember) error {
	if !c.isDCLBasedIAMResource(policyMember) {
		return c.TFIAMClient.DeletePolicyMember(ctx, policyMember)
	}
	return c.DCLIAMClient.DeletePolicyMember(ctx, c.TFIAMClient, policyMember)
}
   142  
// SetPolicy applies policy through the client responsible for the referenced
// resource. Unlike the policy-member methods, the DCL path does not need the
// TF client here.
func (c *IAMClient) SetPolicy(ctx context.Context, policy *v1beta1.IAMPolicy) (*v1beta1.IAMPolicy, error) {
	if !c.isDCLBasedIAMResource(policy) {
		return c.TFIAMClient.SetPolicy(ctx, policy)
	}
	return c.DCLIAMClient.SetPolicy(ctx, policy)
}
   149  
// GetPolicy reads policy through the client responsible for the referenced
// resource (DCL client for DCL-based resources, TF client otherwise).
func (c *IAMClient) GetPolicy(ctx context.Context, policy *v1beta1.IAMPolicy) (*v1beta1.IAMPolicy, error) {
	if !c.isDCLBasedIAMResource(policy) {
		return c.TFIAMClient.GetPolicy(ctx, policy)
	}
	return c.DCLIAMClient.GetPolicy(ctx, policy)
}
   156  
// DeletePolicy removes policy through the client responsible for the
// referenced resource (DCL client for DCL-based resources, TF client
// otherwise). Only an error is returned.
func (c *IAMClient) DeletePolicy(ctx context.Context, policy *v1beta1.IAMPolicy) error {
	if !c.isDCLBasedIAMResource(policy) {
		return c.TFIAMClient.DeletePolicy(ctx, policy)
	}
	return c.DCLIAMClient.DeletePolicy(ctx, policy)
}
   163  
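// unsupportedAuditConfigError is the error every audit-config method returns
// for a DCL-based resource: audit configs are only implemented on the TF
// path, and the request is rejected rather than silently ignored. The
// message carries the referenced resource's GVK so the condition is
// actionable from the controller's status and logs. Keeping the text in one
// place guarantees the three methods stay consistent.
func unsupportedAuditConfigError(auditConfig *v1beta1.IAMAuditConfig) error {
	return fmt.Errorf("resource with gvk %v does not have AuditConfig support right now", auditConfig.Spec.ResourceReference.GroupVersionKind())
}

// SetAuditConfig applies auditConfig through the TF client. DCL-based
// resources are not supported and yield unsupportedAuditConfigError.
func (c *IAMClient) SetAuditConfig(ctx context.Context, auditConfig *v1beta1.IAMAuditConfig) (*v1beta1.IAMAuditConfig, error) {
	if c.isDCLBasedIAMResource(auditConfig) {
		return nil, unsupportedAuditConfigError(auditConfig)
	}
	return c.TFIAMClient.SetAuditConfig(ctx, auditConfig)
}

// GetAuditConfig reads auditConfig through the TF client. DCL-based
// resources are not supported and yield unsupportedAuditConfigError.
func (c *IAMClient) GetAuditConfig(ctx context.Context, auditConfig *v1beta1.IAMAuditConfig) (*v1beta1.IAMAuditConfig, error) {
	if c.isDCLBasedIAMResource(auditConfig) {
		return nil, unsupportedAuditConfigError(auditConfig)
	}
	return c.TFIAMClient.GetAuditConfig(ctx, auditConfig)
}

// DeleteAuditConfig removes auditConfig through the TF client. DCL-based
// resources are not supported and yield unsupportedAuditConfigError.
func (c *IAMClient) DeleteAuditConfig(ctx context.Context, auditConfig *v1beta1.IAMAuditConfig) error {
	if c.isDCLBasedIAMResource(auditConfig) {
		return unsupportedAuditConfigError(auditConfig)
	}
	return c.TFIAMClient.DeleteAuditConfig(ctx, auditConfig)
}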
   184  
