From 11a06bae058ed7032afaed3f1133b95f833d8e6e Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Mon, 22 Jan 2024 16:28:37 +0100
Subject: [PATCH] terraform-provider: validate pod ip cidr only on gcp

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---
 .../internal/provider/cluster_resource.go | 13 +++++--
 .../provider/cluster_resource_test.go | 35 +++++++++++++++++++
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/terraform-provider-constellation/internal/provider/cluster_resource.go b/terraform-provider-constellation/internal/provider/cluster_resource.go
index a0aa232a7..8688c4952 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource.go
@@ -215,9 +215,6 @@ func (r *ClusterResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 MarkdownDescription: "CIDR range of the cluster's pod network. Only required for clusters running on GCP.",
 Description: "CIDR range of the cluster's pod network. Only required for clusters running on GCP.",
 Optional: true,
- Validators: []validator.String{
- stringvalidator.RegexMatches(cidrRegex, "Pod IP CIDR must be a valid CIDR range."),
- },
 },
 "ip_cidr_service": schema.StringAttribute{
 MarkdownDescription: "CIDR range of the cluster's service network.",
@@ -673,6 +670,16 @@ func (r *ClusterResource) validateGCPNetworkConfig(ctx context.Context, data *Cl
 "Pod IP CIDR not allowed", "When csp is not set to 'gcp', setting 'ip_cidr_pod' has no effect.",
 )
 }
+
+ // Pod IP CIDR should be a valid CIDR on GCP
+ if strings.EqualFold(data.CSP.ValueString(), cloudprovider.GCP.String()) &&
+ !cidrRegex.MatchString(networkCfg.IPCidrPod.ValueString()) {
+ diags.AddAttributeError(
+ path.Root("network_config").AtName("ip_pod_cidr"),
+ "Invalid CIDR range", "Pod IP CIDR must be a valid CIDR range.",
+ )
+ }
+
 return diags
 }
 
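Review bot: The new diagnostic is attached to `path.Root("network_config").AtName("ip_pod_cidr")`, but the attribute is named `ip_cidr_pod` everywhere else in view (the existing "has no effect" message just above, and the test config), so the error would point at a non-existent attribute; the fix is `path.Root("network_config").AtName("ip_cidr_pod"),`. The check also fires for any GCP cluster where `ip_cidr_pod` is unset, since `ValueString()` on a null value yields "" and that never matches the regex, so the user would see "Invalid CIDR range" instead of a missing-attribute message; if an earlier check in this function already requires the value on GCP that is fine, otherwise guard the condition with `!networkCfg.IPCidrPod.IsNull()` or report it as required. A regex match is only a syntactic check — cidrRegex is not visible here, but depending on how it is written it may accept out-of-range octets or prefix lengths; parsing with `netip.ParsePrefix` from the standard library and rejecting on error would validate the value that becomes the cluster's pod network more reliably. validateGCPNetworkConfig begins before this hunk.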
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource_test.go b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
index eca1a7c1d..9cc197bb5 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource_test.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
@@ -453,6 +453,41 @@ func TestAccClusterResource(t *testing.T) {
 },
 },
 },
+ "gcp pod ip cidr not a valid cidr": {
+ ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
+ PreCheck: bazelPreCheck,
+ Steps: []resource.TestStep{
+ {
+ Config: fullClusterTestingConfig(t, "gcp") + fmt.Sprintf(`
+ resource "constellation_cluster" "test" {
+ csp = "gcp"
+ name = "constell"
+ uid = "test"
+ image = data.constellation_image.bar.image
+ attestation = data.constellation_attestation.foo.attestation
+ init_secret = "deadbeef"
+ master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+ master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+ measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+ out_of_cluster_endpoint = "192.0.2.1"
+ in_cluster_endpoint = "192.0.2.1"
+ network_config = {
+ ip_cidr_node = "0.0.0.0/24"
+ ip_cidr_service = "0.0.0.0/24"
+ ip_cidr_pod = "0.0.0.0/xxxx"
+ }
+ gcp = {
+ project_id = "test"
+ service_account_key = "eyJ0ZXN0IjogInRlc3QifQ=="
+ }
+ kubernetes_version = "%s"
+ constellation_microservice_version = "%s"
+ }
+ `, versions.Default, providerVersion),
+ ExpectError: regexp.MustCompile(`.*Pod IP CIDR must be a valid CIDR range.*`),
+ },
+ },
+ },
 }
 
 for name, tc := range testCases {
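Review bot: The new case's `ExpectError` matches only the diagnostic summary text, so it would still pass if the error were attached to the wrong attribute path or raised from a different code path that reuses the same message; since Terraform's rendered diagnostic normally includes the attribute path, anchoring the regex on the attribute as well, e.g. `ExpectError: regexp.MustCompile(`(?s)ip_cidr_pod.*Pod IP CIDR must be a valid CIDR range`)`, would make the test pin where the error is reported. The only malformed input exercised is a non-numeric prefix length (`0.0.0.0/xxxx`); a second step with a well-formed-looking but out-of-range value would document what the validator is expected to reject, but whether it does depends on cidrRegex, which is not visible in this diff. TestAccClusterResource continues outside the hunk.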