in internal/elasticsearch/security/role.go [251:466]
func resourceSecurityRolePut(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
client, diags := clients.NewApiClientFromSDKResource(d, meta)
if diags.HasError() {
return diags
}
serverVersion, diags := client.ServerVersion(ctx)
if diags.HasError() {
return diags
}
roleId := d.Get("name").(string)
id, diags := client.ID(ctx, roleId)
if diags.HasError() {
return diags
}
var role models.Role
role.Name = roleId
// Add description to the role
if v, ok := d.GetOk("description"); ok {
// Return an error if the server version is less than the minimum supported version
if serverVersion.LessThan(minSupportedDescriptionVersion) {
return diag.FromErr(fmt.Errorf("'description' is supported only for Elasticsearch v%s and above", minSupportedDescriptionVersion.String()))
}
description := v.(string)
role.Description = &description
}
if v, ok := d.GetOk("applications"); ok {
definedApps := v.(*schema.Set)
applications := make([]models.Application, definedApps.Len())
for i, app := range definedApps.List() {
a := app.(map[string]interface{})
definedPrivs := a["privileges"].(*schema.Set)
privs := make([]string, definedPrivs.Len())
for i, pr := range definedPrivs.List() {
privs[i] = pr.(string)
}
definedRess := a["resources"].(*schema.Set)
ress := make([]string, definedRess.Len())
for i, res := range definedRess.List() {
ress[i] = res.(string)
}
newApp := models.Application{
Name: a["application"].(string),
Privileges: privs,
Resources: ress,
}
applications[i] = newApp
}
role.Applications = applications
}
if v, ok := d.GetOk("global"); ok {
global := make(map[string]interface{})
if err := json.NewDecoder(strings.NewReader(v.(string))).Decode(&global); err != nil {
return diag.FromErr(err)
}
role.Global = global
}
if v, ok := d.GetOk("cluster"); ok {
definedCluster := v.(*schema.Set)
cls := make([]string, definedCluster.Len())
for i, cl := range definedCluster.List() {
cls[i] = cl.(string)
}
role.Cluster = cls
}
if v, ok := d.GetOk("indices"); ok {
definedIndices := v.(*schema.Set)
indices := make([]models.IndexPerms, definedIndices.Len())
for i, idx := range definedIndices.List() {
index := idx.(map[string]interface{})
definedNames := index["names"].(*schema.Set)
names := make([]string, definedNames.Len())
for i, name := range definedNames.List() {
names[i] = name.(string)
}
definedPrivs := index["privileges"].(*schema.Set)
privs := make([]string, definedPrivs.Len())
for i, pr := range definedPrivs.List() {
privs[i] = pr.(string)
}
newIndex := models.IndexPerms{
Names: names,
Privileges: privs,
}
if query := index["query"].(string); query != "" {
newIndex.Query = &query
}
if fieldSec := index["field_security"].([]interface{}); len(fieldSec) > 0 {
fieldSecurity := models.FieldSecurity{}
// there must be only 1 entry
definedFieldSec := fieldSec[0].(map[string]interface{})
// grants
if gr := definedFieldSec["grant"].(*schema.Set); gr != nil {
grants := make([]string, gr.Len())
for i, grant := range gr.List() {
grants[i] = grant.(string)
}
fieldSecurity.Grant = grants
}
// except
if exp := definedFieldSec["except"].(*schema.Set); exp != nil {
excepts := make([]string, exp.Len())
for i, except := range exp.List() {
excepts[i] = except.(string)
}
fieldSecurity.Except = excepts
}
newIndex.FieldSecurity = &fieldSecurity
}
allowRestrictedIndices := index["allow_restricted_indices"].(bool)
newIndex.AllowRestrictedIndices = &allowRestrictedIndices
indices[i] = newIndex
}
role.Indices = indices
}
if v, ok := d.GetOk("remote_indices"); ok {
definedRemoteIndices := v.(*schema.Set)
if definedRemoteIndices.Len() > 0 && serverVersion.LessThan(minSupportedRemoteIndicesVersion) {
return diag.FromErr(fmt.Errorf("'remote_indices' is supported only for Elasticsearch v%s and above", minSupportedRemoteIndicesVersion.String()))
}
remoteIndices := make([]models.RemoteIndexPerms, definedRemoteIndices.Len())
for i, idx := range definedRemoteIndices.List() {
remoteIndex := idx.(map[string]interface{})
definedRemoteNames := remoteIndex["names"].(*schema.Set)
remoteNames := make([]string, definedRemoteNames.Len())
for i, name := range definedRemoteNames.List() {
remoteNames[i] = name.(string)
}
definedRemoteClusters := remoteIndex["clusters"].(*schema.Set)
remoteClusters := make([]string, definedRemoteClusters.Len())
for i, cluster := range definedRemoteClusters.List() {
remoteClusters[i] = cluster.(string)
}
definedRemotePrivs := remoteIndex["privileges"].(*schema.Set)
remotePrivs := make([]string, definedRemotePrivs.Len())
for i, pr := range definedRemotePrivs.List() {
remotePrivs[i] = pr.(string)
}
newRemoteIndex := models.RemoteIndexPerms{
Names: remoteNames,
Clusters: remoteClusters,
Privileges: remotePrivs,
}
if query := remoteIndex["query"].(string); query != "" {
newRemoteIndex.Query = &query
}
if fieldSec := remoteIndex["field_security"].([]interface{}); len(fieldSec) > 0 {
remoteFieldSecurity := models.FieldSecurity{}
// there must be only 1 entry
definedRemoteFieldSec := fieldSec[0].(map[string]interface{})
// grants
if gr := definedRemoteFieldSec["grant"].(*schema.Set); gr != nil {
grants := make([]string, gr.Len())
for i, grant := range gr.List() {
grants[i] = grant.(string)
}
remoteFieldSecurity.Grant = grants
}
// except
if exp := definedRemoteFieldSec["except"].(*schema.Set); exp != nil {
excepts := make([]string, exp.Len())
for i, except := range exp.List() {
excepts[i] = except.(string)
}
remoteFieldSecurity.Except = excepts
}
newRemoteIndex.FieldSecurity = &remoteFieldSecurity
}
remoteIndices[i] = newRemoteIndex
}
role.RemoteIndices = remoteIndices
}
if v, ok := d.GetOk("metadata"); ok {
metadata := make(map[string]interface{})
if err := json.NewDecoder(strings.NewReader(v.(string))).Decode(&metadata); err != nil {
return diag.FromErr(err)
}
role.Metadata = metadata
}
if v, ok := d.GetOk("run_as"); ok {
definedRuns := v.(*schema.Set)
runs := make([]string, definedRuns.Len())
for i, run := range definedRuns.List() {
runs[i] = run.(string)
}
role.RusAs = runs
}
if diags := elasticsearch.PutRole(ctx, client, &role); diags.HasError() {
return diags
}
d.SetId(id.String())
return resourceSecurityRoleRead(ctx, d, meta)
}