Merge pull request #274 from jfrog/fix-license-policy-performance-with-large-set

Switch license attributes from TypeSet to TypeList
alexhung authored Nov 19, 2024
2 parents 25f8f73 + 41d15be commit f6f33a3
Showing 26 changed files with 139 additions and 51 deletions.
11 changes: 10 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,19 @@
## 3.0.0 (November 20, 2024). Tested on Artifactory 7.98.8 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.5

BREAKING CHANGES:

* provider: Deprecated attribute `check_license` is removed.

BUG FIXES:

* resource/xray_license_policy: Switch `allowed_licenses` and `banned_licenses` attribute type from `TypeSet` to `TypeList` to resolve performance issue with large number of licenses. Add validation to ensure `allowed_licenses` and `banned_licenses` attributes cannot be set at the same time. Issue: [#262](https://github.com/jfrog/terraform-provider-xray/issues/262) and [#271](https://github.com/jfrog/terraform-provider-xray/issues/271) PR: [#274](https://github.com/jfrog/terraform-provider-xray/issues/274)

## 2.13.2 (November 11, 2024). Tested on Artifactory 7.98.8 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.5

BUG FIXES:

* resource/xray_security_policy: Fix "Provider produced inconsistent result after apply" error after resource creation. Issue: [#265](https://github.com/jfrog/terraform-provider-xray/issues/265) PR: [#268](https://github.com/jfrog/terraform-provider-xray/issues/268)


## 2.13.1 (October 31, 2024). Tested on Artifactory 7.98.7 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.4

BUG FIXES:
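Review bot: the `TypeSet` to `TypeList` switch for `allowed_licenses`/`banned_licenses` is filed under BUG FIXES, but it changes the attribute's schema type, which is breaking for existing state and for configurations that relied on order-insensitive comparison; it belongs under BREAKING CHANGES next to the `check_license` removal, and the entry should say whether existing state is migrated automatically or users must re-import. Two smaller points: the 3.0.0 heading is dated November 20, 2024 while the merge is dated Nov 19, 2024, and the PR link uses the `/issues/274` path where `/pull/274` is the canonical form (GitHub redirects, but the CHANGELOG is where users copy the link from).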
1 change: 0 additions & 1 deletion docs/index.md
Expand Up @@ -537,7 +537,6 @@ provider "xray" {
### Optional

- `access_token` (String, Sensitive) This is a bearer token that can be given to you by your admin under `Identity and Access`
- `check_license` (Boolean, Deprecated) Toggle for pre-flight checking of Artifactory Pro and Enterprise license. Default to `true`.
- `oidc_provider_name` (String) OIDC provider name. See [Configure an OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more details.
- `tfc_credential_tag_name` (String) Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details.
- `url` (String) URL of Xray. This can also be sourced from the `XRAY_URL` or `JFROG_URL` environment variable. Default to 'http://localhost:8081' if not set.
6 changes: 3 additions & 3 deletions docs/resources/license_policy.md
Expand Up @@ -132,7 +132,7 @@ Optional:
- `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled. Default value is `0`
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
- `custom_severity` (String) The severity of violation to be triggered if the `criteria` are met.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
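Review bot: the appended `Default value is \`0\`` lacks the trailing period that every neighbouring entry uses (`Default value is \`false\`.`); since these pages are generated (main.go carries the docs-generation comment and go.mod pulls in `terraform-plugin-docs`), fix the `Description` string in the schema rather than the markdown, otherwise the next generation run re-introduces the inconsistency. The same unterminated sentence appears in the `operational_risk_policy.md` and `security_policy.md` hunks below.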
Expand All @@ -157,8 +157,8 @@ Optional:
Optional:

- `allow_unknown` (Boolean) A violation will be generated for artifacts with unknown licenses (`true` or `false`).
- `allowed_licenses` (Set of String) A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `banned_licenses` (Set of String) A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `allowed_licenses` (List of String) A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `banned_licenses` (List of String) A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `multi_license_permissive` (Boolean) Do not generate a violation if at least one license is valid in cases whereby multiple licenses were detected on the component.

## Import
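Review bot: the descriptions were only retyped from `Set of String` to `List of String`; they still do not mention the new rule that `allowed_licenses` and `banned_licenses` are mutually exclusive (the CHANGELOG entry and the `ConflictsWith` validators in `resource_xray_license_policy.go` introduce it), nor that order is now significant, so reordering license names in configuration yields a plan diff. Add one sentence to each `Description` string, e.g. `Conflicts with \`banned_licenses\`.`, so the generated docs and the validation error agree.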
2 changes: 1 addition & 1 deletion docs/resources/operational_risk_policy.md
Expand Up @@ -128,7 +128,7 @@ Optional:
- `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled. Default value is `0`
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
8 changes: 4 additions & 4 deletions docs/resources/security_policy.md
Expand Up @@ -162,7 +162,7 @@ Optional:
- `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled. Default value is `0`
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
Expand All @@ -185,15 +185,15 @@ Optional:

Optional:

- `applicable_cves_only` (Boolean) Default value is `false`. Mark to skip CVEs that are not applicable in the context of the artifact. The contextual analysis operation might be long and affect build time if the `fail_build` action is set.
- `applicable_cves_only` (Boolean) Mark to skip CVEs that are not applicable in the context of the artifact. The contextual analysis operation might be long and affect build time if the `fail_build` action is set.

~>Only supported by JFrog Advanced Security
- `cvss_range` (Block List) The CVSS score range to apply to the rule. This is used for a fine-grained control, rather than using the predefined severities. The score range is based on CVSS v3 scoring, and CVSS v2 score is CVSS v3 score is not available. (see [below for nested schema](#nestedblock--rule--criteria--cvss_range))
- `exposures` (Block List) Creates policy rules for specific exposures.

~>Only supported by JFrog Advanced Security (see [below for nested schema](#nestedblock--rule--criteria--exposures))
- `fix_version_dependant` (Boolean) Default value is `false`. Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled.
- `malicious_package` (Boolean) Default value is `false`. Generating a violation on a malicious package.
- `fix_version_dependant` (Boolean) Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled.
- `malicious_package` (Boolean) Generating a violation on a malicious package.
- `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy. Valid values: `All Severities`, `Critical`, `High`, `Medium`, `Low`
- `package_name` (String) The package name to create a rule for
- `package_type` (String) The package type to create a rule for
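Review bot: this hunk deletes `Default value is \`false\`.` from `applicable_cves_only`, `fix_version_dependant` and `malicious_package` while the other docs hunks in this commit add default sentences; if these booleans still default to `false` in the schema the docs regress, and if the defaults were dropped from the schema that is a behaviour change missing from the CHANGELOG, so state which it is. While in this file, the `cvss_range` context line reads `CVSS v2 score is CVSS v3 score is not available`, which should be `is used if`, again via the `Description` string so the fix survives regeneration.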
4 changes: 2 additions & 2 deletions go.mod
@@ -1,12 +1,12 @@
module github.com/jfrog/terraform-provider-xray
module github.com/jfrog/terraform-provider-xray/v3

// if you need to do local dev, literally just uncomment the line below
// replace github.com/jfrog/terraform-provider-shared => ../terraform-provider-shared

go 1.22.7

require (
github.com/go-resty/resty/v2 v2.16.0
github.com/go-resty/resty/v2 v2.15.3
github.com/hashicorp/go-version v1.7.0
github.com/hashicorp/terraform-plugin-docs v0.20.0
github.com/hashicorp/terraform-plugin-framework v1.13.0
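Review bot: besides the expected module path bump to `/v3`, this hunk downgrades `github.com/go-resty/resty/v2` from v2.16.0 to v2.15.3, which neither the commit message nor the CHANGELOG mentions; a dependency downgrade inside a performance fix usually means `go mod tidy` ran on a branch behind the main line, and it silently reverts whatever v2.16.0 fixed in the HTTP client that every Xray API call goes through. Confirm it is intentional or rebase so the requirement stays at v2.16.0 (the go.sum hunk below carries the matching downgrade).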
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -47,8 +47,8 @@ github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+
github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
github.com/go-resty/resty/v2 v2.16.0 h1:qpKalHWI2bpp9BIKlyT8TYWEJXOk1NuKbfiT3RRnzWc=
github.com/go-resty/resty/v2 v2.16.0/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
github.com/go-resty/resty/v2 v2.15.3 h1:bqff+hcqAflpiF591hhJzNdkRsFhlB96CYfBwSFvql8=
github.com/go-resty/resty/v2 v2.15.3/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
2 changes: 1 addition & 1 deletion main.go
Expand Up @@ -6,7 +6,7 @@ import (
"log"

"github.com/hashicorp/terraform-plugin-framework/providerserver"
"github.com/jfrog/terraform-provider-xray/pkg/xray"
"github.com/jfrog/terraform-provider-xray/v3/pkg/xray"
)

// Run the docs generation tool, check its repository for more information on how it works and how docs
2 changes: 1 addition & 1 deletion pkg/acctest/test.go
Expand Up @@ -13,7 +13,7 @@ import (
"github.com/hashicorp/terraform-plugin-testing/terraform"
"github.com/jfrog/terraform-provider-shared/client"
"github.com/jfrog/terraform-provider-shared/testutil"
"github.com/jfrog/terraform-provider-xray/pkg/xray"
"github.com/jfrog/terraform-provider-xray/v3/pkg/xray"
)

// Provider PreCheck(t) must be called before using this provider instance.
12 changes: 3 additions & 9 deletions pkg/xray/provider.go
Expand Up @@ -14,11 +14,11 @@ import (
"github.com/jfrog/terraform-provider-shared/client"
"github.com/jfrog/terraform-provider-shared/util"
validatorfw_string "github.com/jfrog/terraform-provider-shared/validator/fw/string"
xray_datasource "github.com/jfrog/terraform-provider-xray/pkg/xray/datasource"
xray_resource "github.com/jfrog/terraform-provider-xray/pkg/xray/resource"
xray_datasource "github.com/jfrog/terraform-provider-xray/v3/pkg/xray/datasource"
xray_resource "github.com/jfrog/terraform-provider-xray/v3/pkg/xray/resource"
)

var Version = "2.11.1"
var Version = "3.0.0"
var productId = "terraform-provider-xray/" + Version

// Ensure the implementation satisfies the provider.Provider interface.
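Review bot: `Version` was still `"2.11.1"` although the CHANGELOG in this same commit lists 2.13.1 and 2.13.2 as released, so the `productId` user agent sent to Xray has reported a stale version for at least two releases; hand-editing it to `"3.0.0"` fixes today's value but not the drift. Consider injecting it at build time (`-ldflags "-X github.com/jfrog/terraform-provider-xray/v3/pkg/xray.Version=..."`) from the release pipeline, or add a unit test that compares `Version` with the topmost CHANGELOG heading.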
Expand All @@ -34,7 +34,6 @@ type XrayProviderModel struct {
AccessToken types.String `tfsdk:"access_token"`
OIDCProviderName types.String `tfsdk:"oidc_provider_name"`
TFCCredentialTagName types.String `tfsdk:"tfc_credential_tag_name"`
CheckLicense types.Bool `tfsdk:"check_license"`
}

// Metadata satisfies the provider.Provider interface for ArtifactoryProvider
Expand Down Expand Up @@ -76,11 +75,6 @@ func (p *XrayProvider) Schema(ctx context.Context, req provider.SchemaRequest, r
},
Description: "Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details.",
},
"check_license": schema.BoolAttribute{
Optional: true,
Description: "Toggle for pre-flight checking of Artifactory Pro and Enterprise license. Default to `true`.",
DeprecationMessage: "Remove this attribute from your provider configuration as it is no longer used and the attribute will be removed in the next major version of the provider.",
},
},
}
}
Expand Up @@ -10,7 +10,7 @@ import (
"github.com/hashicorp/terraform-plugin-testing/terraform"
"github.com/jfrog/terraform-provider-shared/testutil"
"github.com/jfrog/terraform-provider-shared/util"
"github.com/jfrog/terraform-provider-xray/pkg/acctest"
"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
"github.com/samber/lo"
)

Expand Up @@ -10,7 +10,7 @@ import (
"github.com/hashicorp/terraform-plugin-testing/terraform"
"github.com/jfrog/terraform-provider-shared/testutil"
"github.com/jfrog/terraform-provider-shared/util"
"github.com/jfrog/terraform-provider-xray/pkg/acctest"
"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
"github.com/samber/lo"
)

Expand Up @@ -7,7 +7,7 @@ import (
"github.com/hashicorp/terraform-plugin-testing/helper/resource"
"github.com/jfrog/terraform-provider-shared/testutil"
"github.com/jfrog/terraform-provider-shared/util"
"github.com/jfrog/terraform-provider-xray/pkg/acctest"
"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
"github.com/samber/lo"
)

2 changes: 1 addition & 1 deletion pkg/xray/resource/resource_xray_custom_issue_test.go
Expand Up @@ -9,7 +9,7 @@ import (
"github.com/jfrog/terraform-provider-shared/testutil"
"github.com/jfrog/terraform-provider-shared/util"
"github.com/jfrog/terraform-provider-shared/util/sdk"
"github.com/jfrog/terraform-provider-xray/pkg/acctest"
"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
)

func TestAccCustomIssue_UpgradeFromSDKv2(t *testing.T) {
2 changes: 1 addition & 1 deletion pkg/xray/resource/resource_xray_ignore_rule_test.go
Expand Up @@ -12,7 +12,7 @@ import (
"github.com/jfrog/terraform-provider-shared/client"
"github.com/jfrog/terraform-provider-shared/testutil"
"github.com/jfrog/terraform-provider-shared/util"
"github.com/jfrog/terraform-provider-xray/pkg/acctest"
"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
)

func TestAccIgnoreRule_UpgradeFromSDKv2(t *testing.T) {
24 changes: 16 additions & 8 deletions pkg/xray/resource/resource_xray_license_policy.go
Expand Up @@ -3,9 +3,11 @@ package xray
import (
"context"

"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
"github.com/hashicorp/terraform-plugin-framework/attr"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
Expand Down Expand Up @@ -42,13 +44,13 @@ func (r LicensePolicyResource) toCriteriaAPIModel(ctx context.Context, criteriaE
attrs := criteriaElems[0].(types.Object).Attributes()

var allowedLicenses []string
d := attrs["allowed_licenses"].(types.Set).ElementsAs(ctx, &allowedLicenses, false)
d := attrs["allowed_licenses"].(types.List).ElementsAs(ctx, &allowedLicenses, false)
if d.HasError() {
diags.Append(d...)
}

var bannedLicenses []string
d = attrs["banned_licenses"].(types.Set).ElementsAs(ctx, &bannedLicenses, false)
d = attrs["banned_licenses"].(types.List).ElementsAs(ctx, &bannedLicenses, false)
if d.HasError() {
diags.Append(d...)
}
Expand Down Expand Up @@ -82,8 +84,8 @@ func (r LicensePolicyResource) toAPIModel(ctx context.Context, plan PolicyResour
var licenseCriteriaAttrTypes = lo.Assign(
map[string]attr.Type{
"allow_unknown": types.BoolType,
"allowed_licenses": types.SetType{ElemType: types.StringType},
"banned_licenses": types.SetType{ElemType: types.StringType},
"allowed_licenses": types.ListType{ElemType: types.StringType},
"banned_licenses": types.ListType{ElemType: types.StringType},
"multi_license_permissive": types.BoolType,
},
)
Expand All @@ -97,12 +99,12 @@ func (r *LicensePolicyResource) fromCriteriaAPIModel(ctx context.Context, criter

criteriaSet := types.SetNull(licenseCriteriaSetElementType)
if criteraAPIModel != nil {
allowedLicenses, d := types.SetValueFrom(ctx, types.StringType, criteraAPIModel.AllowedLicenses)
allowedLicenses, d := types.ListValueFrom(ctx, types.StringType, criteraAPIModel.AllowedLicenses)
if d.HasError() {
diags.Append(d...)
}

bannedLicenses, d := types.SetValueFrom(ctx, types.StringType, criteraAPIModel.BannedLicenses)
bannedLicenses, d := types.ListValueFrom(ctx, types.StringType, criteraAPIModel.BannedLicenses)
if d.HasError() {
diags.Append(d...)
}
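Review bot: `types.ListValueFrom` now stores the licenses in whatever order the Xray API returns them, so if the API normalises or sorts `allowed_licenses`/`banned_licenses` differently from the practitioner's configuration, every refresh produces a perpetual plan diff that the old `Set` comparison masked; this needs an acceptance test that creates a policy with licenses in non-sorted order and then asserts an empty plan. If the API does not preserve order, sort both sides before comparison or keep the configured order in state and diff by membership only. The `criteraAPIModel` parameter (`criteria`) is misspelled in the context lines; worth a follow-up rename.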
Expand Down Expand Up @@ -232,14 +234,20 @@ var licenseRuleSetElementType = types.ObjectType{
}

var licensePolicyCriteriaAttrs = map[string]schema.Attribute{
"banned_licenses": schema.SetAttribute{
"banned_licenses": schema.ListAttribute{
ElementType: types.StringType,
Optional: true,
Validators: []validator.List{
listvalidator.ConflictsWith(path.MatchRelative().AtParent().AtName("allowed_licenses")),
},
Description: "A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.",
},
"allowed_licenses": schema.SetAttribute{
"allowed_licenses": schema.ListAttribute{
ElementType: types.StringType,
Optional: true,
Validators: []validator.List{
listvalidator.ConflictsWith(path.MatchRelative().AtParent().AtName("banned_licenses")),
},
Description: "A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.",
},
"allow_unknown": schema.BoolAttribute{
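Review bot: `listvalidator.ConflictsWith` rejects both attributes being set, but a `Set` also gave you de-duplication for free and a `List` does not, so `["MIT", "MIT"]` now reaches the API unchanged; add `listvalidator.UniqueValues()` to both `Validators` slices. In my reading of the framework validators, `ConflictsWith` only skips null and unknown values, so an explicit `allowed_licenses = []` next to a populated `banned_licenses` is rejected; either document that the unused attribute must be omitted rather than emptied, or evaluate `listvalidator.ExactlyOneOf(...)` if a license policy with neither list is not meaningful.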