Enhance kubernetes audit support

nerzhul · nerzhul · commit 2fc00d92e24f · 2025-09-26T16:49:38.000+02:00
diff --git a/exoscale/resource_exoscale_sks_cluster.go b/exoscale/resource_exoscale_sks_cluster.go
@@ -17,20 +17,20 @@ import (
 )
 
 const (
-	defaultSKSClusterCNI          	    = "calico"
-	defaultSKSClusterServiceLevel 	    = "pro"
-	defaultSKSClusterAuditInitBackoff   = "10s"
+	defaultSKSClusterCNI              = "calico"
+	defaultSKSClusterServiceLevel     = "pro"
+	defaultSKSClusterAuditInitBackoff = "10s"
 
 	sksClusterAddonExoscaleCCM = "exoscale-cloud-controller"
 	sksClusterAddonExoscaleCSI = "exoscale-container-storage-interface"
 	sksClusterAddonMS          = "metrics-server"
 
 	resSKSClusterAttrAddons             = "addons"
 	resSKSClusterAttrAggregationLayerCA = "aggregation_ca"
-	resSKSClusterAttrAuditBearerToken  = "audit_bearer_token"
-	resSKSClusterAttrAuditEnabled	    = "audit_enabled"
-	resSKSClusterAttrAuditEndpoint	    = "audit_endpoint"
-	resSKSClusterAttrAuditInitBackoff	= "audit_initial_backoff"
+	resSKSClusterAttrAuditBearerToken   = "audit_bearer_token"
+	resSKSClusterAttrAuditEnabled       = "audit_enabled"
+	resSKSClusterAttrAuditEndpoint      = "audit_endpoint"
+	resSKSClusterAttrAuditInitBackoff   = "audit_initial_backoff"
 	resSKSClusterAttrAutoUpgrade        = "auto_upgrade"
 	resSKSClusterAttrCNI                = "cni"
 	resSKSClusterAttrControlPlaneCA     = "control_plane_ca"
@@ -82,31 +82,27 @@ func resourceSKSCluster() *schema.Resource {
 			Description: "The CA certificate (in PEM format) for TLS communications between the control plane and the aggregation layer (e.g. `metrics-server`).",
 		},
 		"audit": {
-			Type: schema.TypeList,
-			MaxItems: 1,
-			Optional: true,
-			Computed: true,
+			Type:        schema.TypeList,
+			MaxItems:    1,
+			Optional:    true,
 			Description: "Parameters for Kubernetes Audit configuration (may only be enabled at creation time)",
 			Elem: &schema.Resource{
-				Schema: map[string]*schema.Schema {
-				    resSKSClusterAttrAuditEnabled: {
-						Type: schema.TypeBool,
-						Required: false,
+				Schema: map[string]*schema.Schema{
+					resSKSClusterAttrAuditEnabled: {
+						Type:        schema.TypeBool,
 						Description: "Whether to run the APIServer with the configured Kubernetes Audit",
 					},
 					resSKSClusterAttrAuditEndpoint: {
-						Type: schema.TypeString,
-						Required: true,
+						Type:        schema.TypeString,
+						Required:    true,
 						Description: "The Endpoint URL for the Webserver responsible of processing Audit events",
 					},
 					resSKSClusterAttrAuditInitBackoff: {
-						Type: schema.TypeString,
-						Required: false,
+						Type:        schema.TypeString,
 						Description: "The Initial Backoff to wait before sending data to the remote server (default '10s')",
 					},
 					resSKSClusterAttrAuditBearerToken: {
-						Type: schema.TypeString,
-						Required: false,
+						Type:        schema.TypeString,
 						Description: "The optional bearer token to include in the request header",
 					},
 				},
@@ -393,16 +389,19 @@ func resourceSKSClusterCreate(ctx context.Context, d *schema.ResourceData, meta
 	}
 	createReq.Version = version
 
-	if v, ok := d.GetOk(resSKSClusterAttrAudit(resSKSClusterAttrAuditEndpoint)); ok {
-		createReq.Audit = &v3.SKSAuditCreate{
-			Endpoint: v.(v3.SKSAuditEndpoint),
-		}
+	auditEnabled := d.Get(resSKSClusterAttrAuditEnabled).(bool)
+	if auditEnabled {
+		if v, ok := d.GetOk(resSKSClusterAttrAudit(resSKSClusterAttrAuditEndpoint)); ok {
+			createReq.Audit = &v3.SKSAuditCreate{
+				Endpoint: v.(v3.SKSAuditEndpoint),
+			}
 
-		if v, ok := d.GetOk(resSKSClusterAttrAudit(resSKSClusterAttrAuditBearerToken)); ok {
-			createReq.Audit.BearerToken = v.(v3.SKSAuditBearerToken)
-		}
-		if v, ok := d.GetOk(resSKSClusterAttrAudit(resSKSClusterAttrAuditInitBackoff)); ok {
-			createReq.Audit.InitialBackoff = v.(v3.SKSAuditInitialBackoff)
+			if v, ok := d.GetOk(resSKSClusterAttrAudit(resSKSClusterAttrAuditBearerToken)); ok {
+				createReq.Audit.BearerToken = v.(v3.SKSAuditBearerToken)
+			}
+			if v, ok := d.GetOk(resSKSClusterAttrAudit(resSKSClusterAttrAuditInitBackoff)); ok {
+				createReq.Audit.InitialBackoff = v.(v3.SKSAuditInitialBackoff)
+			}
 		}
 	}
 
@@ -625,8 +624,27 @@ func resourceSKSClusterUpdate(ctx context.Context, d *schema.ResourceData, meta
 		}
 	}
 
-	if d.HasChange(resSKSClusterAttrAuditEndpoint) {
-		// TODO
+	if d.HasChange(resSKSClusterAttrAuditEndpoint) || d.HasChange(resSKSClusterAttrAuditEnabled) ||
+		d.HasChange(resSKSClusterAttrAuditBearerToken) || d.HasChange(resSKSClusterAttrAuditInitBackoff) {
+		enableAudit := d.Get(resSKSClusterAttrAuditEnabled).(bool)
+		updateReq.Audit = &v3.SKSAuditUpdate{
+			Enabled:  &enableAudit,
+			Endpoint: v3.SKSAuditEndpoint(d.Get(resSKSClusterAttrAuditEndpoint).(string)),
+		}
+
+		if enableAudit && updateReq.Audit.Endpoint == "" {
+			return diag.Errorf("cannot enable audit without setting an endpoint")
+		}
+
+		if v, ok := d.GetOk(resSKSClusterAttrAuditBearerToken); ok {
+			updateReq.Audit.BearerToken = v.(v3.SKSAuditBearerToken)
+		}
+
+		if v, ok := d.GetOk(resSKSClusterAttrAuditInitBackoff); ok {
+			updateReq.Audit.InitialBackoff = v.(v3.SKSAuditInitialBackoff)
+		}
+
+		updated = true
 	}
 
 	if updated {
