From 611e6115aecf1791ca46f20607ebb0ac90d519da Mon Sep 17 00:00:00 2001 From: Kit Foster Date: Wed, 22 May 2024 12:46:39 +0200 Subject: [PATCH] Add OPTIONS Allowlist support to vercel terraform provider (#186) * add OPTIONS Allowlist to terraform * tests * descriptions * task docs --- client/deployment_protection.go | 8 +++++ client/project.go | 2 ++ docs/data-sources/project.md | 17 +++++++++ docs/resources/project.md | 17 +++++++++ vercel/data_source_project.go | 17 +++++++++ vercel/data_source_project_test.go | 9 +++++ vercel/deployment_protection.go | 8 +++++ vercel/resource_project.go | 56 ++++++++++++++++++++++++++++++ vercel/resource_project_test.go | 44 ++++++++++++++++++++--- 9 files changed, 174 insertions(+), 4 deletions(-) diff --git a/client/deployment_protection.go b/client/deployment_protection.go index eba07053..bc59c43d 100644 --- a/client/deployment_protection.go +++ b/client/deployment_protection.go @@ -26,3 +26,11 @@ type TrustedIps struct { type ProtectionBypass struct { Scope string `json:"scope"` } + +type OptionsAllowlist struct { + Paths []OptionsAllowlistPath `json:"paths"` +} + +type OptionsAllowlistPath struct { + Value string `json:"value"` +} diff --git a/client/project.go b/client/project.go index a2034b75..8592edd4 100644 --- a/client/project.go +++ b/client/project.go @@ -169,6 +169,7 @@ type ProjectResponse struct { VercelAuthentication *VercelAuthentication `json:"ssoProtection"` PasswordProtection *PasswordProtection `json:"passwordProtection"` TrustedIps *TrustedIps `json:"trustedIps"` + OptionsAllowlist *OptionsAllowlist `json:"optionsAllowlist"` ProtectionBypass map[string]ProtectionBypass `json:"protectionBypass"` AutoExposeSystemEnvVars *bool `json:"autoExposeSystemEnvs"` EnablePreviewFeedback *bool `json:"enablePreviewFeedback"` @@ -261,6 +262,7 @@ type UpdateProjectRequest struct { VercelAuthentication *VercelAuthentication `json:"ssoProtection"` PasswordProtection *PasswordProtectionWithPassword `json:"passwordProtection"` TrustedIps *TrustedIps `json:"trustedIps"` + OptionsAllowlist *OptionsAllowlist `json:"optionsAllowlist"` AutoExposeSystemEnvVars bool `json:"autoExposeSystemEnvs"` EnablePreviewFeedback *bool `json:"enablePreviewFeedback"` AutoAssignCustomDomains bool `json:"autoAssignCustomDomains"` diff --git a/docs/data-sources/project.md b/docs/data-sources/project.md index df938d1b..5170e724 100644 --- a/docs/data-sources/project.md +++ b/docs/data-sources/project.md @@ -58,6 +58,7 @@ output "project_id" { - `id` (String) The ID of this resource. - `ignore_command` (String) When a commit is pushed to the Git repository that is connected with your Project, its SHA will determine if a new Build has to be issued. If the SHA was deployed before, no new Build will be issued. You can customize this behavior with a command that exits with code 1 (new Build needed) or code 0. - `install_command` (String) The install command for this project. If omitted, this value will be automatically detected. +- `options_allowlist` (Attributes) Disable Deployment Protection for CORS preflight `OPTIONS` requests for a list of paths. (see [below for nested schema](#nestedatt--options_allowlist)) - `output_directory` (String) The output directory of the project. When null is used this value will be automatically detected. - `password_protection` (Attributes) Ensures visitors of your Preview Deployments must enter a password in order to gain access. (see [below for nested schema](#nestedatt--password_protection)) - `preview_comments` (Boolean) Whether comments are enabled on your Preview Deployments. @@ -114,6 +115,22 @@ Read-Only: + +### Nested Schema for `options_allowlist` + +Read-Only: + +- `paths` (List of Object) The allowed paths for the OPTIONS Allowlist. Incoming requests will bypass Deployment Protection if they have the method `OPTIONS` and **start with** one of the path values. (see [below for nested schema](#nestedatt--options_allowlist--paths)) + + +### Nested Schema for `options_allowlist.paths` + +Read-Only: + +- `value` (String) + + + ### Nested Schema for `password_protection` diff --git a/docs/resources/project.md b/docs/resources/project.md index 1984bbd9..1c2fdf12 100644 --- a/docs/resources/project.md +++ b/docs/resources/project.md @@ -70,6 +70,7 @@ resource "vercel_project" "example" { - `git_repository` (Attributes) The Git Repository that will be connected to the project. When this is defined, any pushes to the specified connected Git Repository will be automatically deployed. This requires the corresponding Vercel for [Github](https://vercel.com/docs/concepts/git/vercel-for-github), [Gitlab](https://vercel.com/docs/concepts/git/vercel-for-gitlab) or [Bitbucket](https://vercel.com/docs/concepts/git/vercel-for-bitbucket) plugins to be installed. (see [below for nested schema](#nestedatt--git_repository)) - `ignore_command` (String) When a commit is pushed to the Git repository that is connected with your Project, its SHA will determine if a new Build has to be issued. If the SHA was deployed before, no new Build will be issued. You can customize this behavior with a command that exits with code 1 (new Build needed) or code 0. - `install_command` (String) The install command for this project. If omitted, this value will be automatically detected. +- `options_allowlist` (Attributes) Disable Deployment Protection for CORS preflight `OPTIONS` requests for a list of paths. (see [below for nested schema](#nestedatt--options_allowlist)) - `output_directory` (String) The output directory of the project. If omitted, this value will be automatically detected. - `password_protection` (Attributes) Ensures visitors of your Preview Deployments must enter a password in order to gain access. (see [below for nested schema](#nestedatt--password_protection)) - `preview_comments` (Boolean) Whether to enable comments on your Preview Deployments. If omitted, comments are controlled at the team level (default behaviour). @@ -144,6 +145,22 @@ Read-Only: + +### Nested Schema for `options_allowlist` + +Required: + +- `paths` (Attributes Set) The allowed paths for the OPTIONS Allowlist. Incoming requests will bypass Deployment Protection if they have the method `OPTIONS` and **start with** one of the path values. (see [below for nested schema](#nestedatt--options_allowlist--paths)) + + +### Nested Schema for `options_allowlist.paths` + +Required: + +- `value` (String) The path prefix to compare with the incoming request path. + + + ### Nested Schema for `password_protection` diff --git a/vercel/data_source_project.go b/vercel/data_source_project.go index 2a2eddf8..8c0ad477 100644 --- a/vercel/data_source_project.go +++ b/vercel/data_source_project.go @@ -220,6 +220,21 @@ For more detailed information, please see the [Vercel documentation](https://ver }, }, }, + "options_allowlist": schema.SingleNestedAttribute{ + Description: "Disable Deployment Protection for CORS preflight `OPTIONS` requests for a list of paths.", + Computed: true, + Attributes: map[string]schema.Attribute{ + "paths": schema.ListAttribute{ + Description: "The allowed paths for the OPTIONS Allowlist. Incoming requests will bypass Deployment Protection if they have the method `OPTIONS` and **start with** one of the path values.", + Computed: true, + ElementType: types.ObjectType{ + AttrTypes: map[string]attr.Type{ + "value": types.StringType, + }, + }, + }, + }, + }, "id": schema.StringAttribute{ Computed: true, }, @@ -320,6 +335,7 @@ type ProjectDataSource struct { VercelAuthentication *VercelAuthentication `tfsdk:"vercel_authentication"` PasswordProtection *PasswordProtection `tfsdk:"password_protection"` TrustedIps *TrustedIps `tfsdk:"trusted_ips"` + OptionsAllowlist *OptionsAllowlist `tfsdk:"options_allowlist"` ProtectionBypassForAutomation types.Bool `tfsdk:"protection_bypass_for_automation"` AutoExposeSystemEnvVars types.Bool `tfsdk:"automatically_expose_system_environment_variables"` GitComments types.Object `tfsdk:"git_comments"` @@ -375,6 +391,7 @@ func convertResponseToProjectDataSource(ctx context.Context, response client.Pro VercelAuthentication: project.VercelAuthentication, PasswordProtection: pp, TrustedIps: project.TrustedIps, + OptionsAllowlist: project.OptionsAllowlist, AutoExposeSystemEnvVars: types.BoolPointerValue(response.AutoExposeSystemEnvVars), ProtectionBypassForAutomation: project.ProtectionBypassForAutomation, GitComments: project.GitComments, diff --git a/vercel/data_source_project_test.go b/vercel/data_source_project_test.go index f70f38d8..34234140 100644 --- a/vercel/data_source_project_test.go +++ b/vercel/data_source_project_test.go @@ -35,6 +35,8 @@ func TestAcc_ProjectDataSource(t *testing.T) { }), resource.TestCheckResourceAttr("data.vercel_project.test", "trusted_ips.deployment_type", "only_production_deployments"), resource.TestCheckResourceAttr("data.vercel_project.test", "trusted_ips.protection_mode", "trusted_ip_required"), + resource.TestCheckResourceAttr("data.vercel_project.test", "options_allowlist.paths.#", "1"), + resource.TestCheckResourceAttr("data.vercel_project.test", "options_allowlist.paths.0.value", "/api"), resource.TestCheckTypeSetElemNestedAttrs("data.vercel_project.test", "environment.*", map[string]string{ "key": "foo", @@ -86,6 +88,13 @@ resource "vercel_project" "test" { deployment_type = "only_production_deployments" protection_mode = "trusted_ip_required" } + options_allowlist = { + paths = [ + { + value = "/api" + } + ] + } %s environment = [ { diff --git a/vercel/deployment_protection.go b/vercel/deployment_protection.go index 6bb8f354..f5eb1558 100644 --- a/vercel/deployment_protection.go +++ b/vercel/deployment_protection.go @@ -28,3 +28,11 @@ type TrustedIps struct { type ProtectionBypass struct { Scope types.String `tfsdk:"scope"` } + +type OptionsAllowlist struct { + Paths []OptionsAllowlistPath `tfsdk:"paths"` +} + +type OptionsAllowlistPath struct { + Value types.String `tfsdk:"value"` +} diff --git a/vercel/resource_project.go b/vercel/resource_project.go index f5920914..1cf04cdf 100644 --- a/vercel/resource_project.go +++ b/vercel/resource_project.go @@ -300,6 +300,28 @@ At this time you cannot use a Vercel Project resource with in-line ` + "`environ }, }, }, + "options_allowlist": schema.SingleNestedAttribute{ + Description: "Disable Deployment Protection for CORS preflight `OPTIONS` requests for a list of paths.", + Optional: true, + Attributes: map[string]schema.Attribute{ + "paths": schema.SetNestedAttribute{ + Description: "The allowed paths for the OPTIONS Allowlist. Incoming requests will bypass Deployment Protection if they have the method `OPTIONS` and **start with** one of the path values.", + Required: true, + PlanModifiers: []planmodifier.Set{setplanmodifier.UseStateForUnknown()}, + NestedObject: schema.NestedAttributeObject{ + Attributes: map[string]schema.Attribute{ + "value": schema.StringAttribute{ + Description: "The path prefix to compare with the incoming request path.", + Required: true, + }, + }, + }, + Validators: []validator.Set{ + stringSetMinCount(1), + }, + }, + }, + }, "id": schema.StringAttribute{ Computed: true, PlanModifiers: []planmodifier.String{stringplanmodifier.UseStateForUnknown()}, @@ -425,6 +447,7 @@ type Project struct { VercelAuthentication *VercelAuthentication `tfsdk:"vercel_authentication"` PasswordProtection *PasswordProtectionWithPassword `tfsdk:"password_protection"` TrustedIps *TrustedIps `tfsdk:"trusted_ips"` + OptionsAllowlist *OptionsAllowlist `tfsdk:"options_allowlist"` ProtectionBypassForAutomation types.Bool `tfsdk:"protection_bypass_for_automation"` ProtectionBypassForAutomationSecret types.String `tfsdk:"protection_bypass_for_automation_secret"` AutoExposeSystemEnvVars types.Bool `tfsdk:"automatically_expose_system_environment_variables"` @@ -459,6 +482,7 @@ func (p Project) RequiresUpdateAfterCreation() bool { return p.PasswordProtection != nil || p.VercelAuthentication != nil || p.TrustedIps != nil || + p.OptionsAllowlist != nil || !p.AutoExposeSystemEnvVars.IsNull() || p.GitComments.IsNull() || !p.PreviewComments.IsNull() || @@ -581,6 +605,7 @@ func (p *Project) toUpdateProjectRequest(ctx context.Context, oldName string) (r PasswordProtection: p.PasswordProtection.toUpdateProjectRequest(), VercelAuthentication: p.VercelAuthentication.toUpdateProjectRequest(), TrustedIps: p.TrustedIps.toUpdateProjectRequest(), + OptionsAllowlist: p.OptionsAllowlist.toUpdateProjectRequest(), AutoExposeSystemEnvVars: p.AutoExposeSystemEnvVars.ValueBool(), EnablePreviewFeedback: p.PreviewComments.ValueBoolPointer(), AutoAssignCustomDomains: p.AutoAssignCustomDomains.ValueBool(), @@ -758,6 +783,23 @@ func (t *TrustedIps) toUpdateProjectRequest() *client.TrustedIps { } } +func (t *OptionsAllowlist) toUpdateProjectRequest() *client.OptionsAllowlist { + if t == nil { + return nil + } + + var paths = []client.OptionsAllowlistPath{} + for _, path := range t.Paths { + paths = append(paths, client.OptionsAllowlistPath{ + Value: path.Value.ValueString(), + }) + } + + return &client.OptionsAllowlist{ + Paths: paths, + } +} + /* * In the Vercel API the following fields are coerced to null during project creation @@ -937,6 +979,19 @@ func convertResponseToProject(ctx context.Context, response client.ProjectRespon } } + var oal *OptionsAllowlist + if response.OptionsAllowlist != nil { + var paths []OptionsAllowlistPath + for _, path := range response.OptionsAllowlist.Paths { + paths = append(paths, OptionsAllowlistPath{ + Value: types.StringValue(path.Value), + }) + } + oal = &OptionsAllowlist{ + Paths: paths, + } + } + var env []attr.Value for _, e := range environmentVariables { target := []attr.Value{} @@ -1029,6 +1084,7 @@ func convertResponseToProject(ctx context.Context, response client.ProjectRespon PasswordProtection: pp, VercelAuthentication: va, TrustedIps: tip, + OptionsAllowlist: oal, ProtectionBypassForAutomation: protectionBypass, ProtectionBypassForAutomationSecret: protectionBypassSecret, AutoExposeSystemEnvVars: types.BoolPointerValue(response.AutoExposeSystemEnvVars), diff --git a/vercel/resource_project_test.go b/vercel/resource_project_test.go index 8081205c..8e83f7c7 100644 --- a/vercel/resource_project_test.go +++ b/vercel/resource_project_test.go @@ -166,7 +166,7 @@ func TestAcc_ProjectWithVercelAuthAndPasswordProtectionAndTrustedIps(t *testing. CheckDestroy: testAccProjectDestroy("vercel_project.enabled_to_start", testTeam()), Steps: []resource.TestStep{ { - Config: testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIps(projectSuffix, teamIDConfig()), + Config: testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIpsAndOptionsAllowlist(projectSuffix, teamIDConfig()), Check: resource.ComposeAggregateTestCheckFunc( testAccProjectExists("vercel_project.enabled_to_start", testTeam()), resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "vercel_authentication.deployment_type", "all_deployments"), @@ -179,6 +179,8 @@ func TestAcc_ProjectWithVercelAuthAndPasswordProtectionAndTrustedIps(t *testing. }), resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "trusted_ips.deployment_type", "all_deployments"), resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "trusted_ips.protection_mode", "trusted_ip_optional"), + resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "options_allowlist.paths.#", "1"), + resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "options_allowlist.paths.0.value", "/foo"), resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "protection_bypass_for_automation", "true"), resource.TestCheckResourceAttrSet("vercel_project.enabled_to_start", "protection_bypass_for_automation_secret"), testAccProjectExists("vercel_project.disabled_to_start", testTeam()), @@ -198,12 +200,14 @@ func TestAcc_ProjectWithVercelAuthAndPasswordProtectionAndTrustedIps(t *testing. }), resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "trusted_ips.deployment_type", "only_production_deployments"), resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "trusted_ips.protection_mode", "trusted_ip_required"), + resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "options_allowlist.paths.#", "1"), + resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "options_allowlist.paths.0.value", "/bar"), resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "protection_bypass_for_automation", "true"), resource.TestCheckResourceAttrSet("vercel_project.enabled_to_update", "protection_bypass_for_automation_secret"), ), }, { - Config: testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIpsUpdated(projectSuffix, teamIDConfig()), + Config: testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIpsAndOptionsAllowlistUpdated(projectSuffix, teamIDConfig()), Check: resource.ComposeAggregateTestCheckFunc( resource.TestCheckResourceAttr("vercel_project.enabled_to_start", "vercel_authentication.deployment_type", "standard_protection"), resource.TestCheckNoResourceAttr("vercel_project.enabled_to_start", "password_protection"), @@ -221,6 +225,8 @@ func TestAcc_ProjectWithVercelAuthAndPasswordProtectionAndTrustedIps(t *testing. }), resource.TestCheckResourceAttr("vercel_project.disabled_to_start", "trusted_ips.deployment_type", "standard_protection"), resource.TestCheckResourceAttr("vercel_project.disabled_to_start", "trusted_ips.protection_mode", "trusted_ip_required"), + resource.TestCheckResourceAttr("vercel_project.disabled_to_start", "options_allowlist.paths.#", "1"), + resource.TestCheckResourceAttr("vercel_project.disabled_to_start", "options_allowlist.paths.0.value", "/foo"), resource.TestCheckResourceAttr("vercel_project.disabled_to_start", "protection_bypass_for_automation", "true"), resource.TestCheckResourceAttrSet("vercel_project.disabled_to_start", "protection_bypass_for_automation_secret"), @@ -235,6 +241,8 @@ func TestAcc_ProjectWithVercelAuthAndPasswordProtectionAndTrustedIps(t *testing. resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "trusted_ips.deployment_type", "all_deployments"), resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "trusted_ips.protection_mode", "trusted_ip_optional"), resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "protection_bypass_for_automation", "false"), + resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "options_allowlist.paths.#", "1"), + resource.TestCheckResourceAttr("vercel_project.enabled_to_update", "options_allowlist.paths.0.value", "/bar"), resource.TestCheckNoResourceAttr("vercel_project.enabled_to_update", "protection_bypass_for_automation_secret"), ), }, @@ -378,7 +386,7 @@ resource "vercel_project" "test" { `, projectSuffix, teamID) } -func testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIps(projectSuffix, teamID string) string { +func testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIpsAndOptionsAllowlist(projectSuffix, teamID string) string { return fmt.Sprintf(` resource "vercel_project" "enabled_to_start" { name = "test-acc-protection-one-%[1]s" @@ -400,6 +408,13 @@ resource "vercel_project" "enabled_to_start" { deployment_type = "all_deployments" protection_mode = "trusted_ip_optional" } + options_allowlist = { + paths = [ + { + value = "/foo" + } + ] + } protection_bypass_for_automation = true } @@ -431,12 +446,19 @@ resource "vercel_project" "enabled_to_update" { ] deployment_type = "only_production_deployments" } + options_allowlist = { + paths = [ + { + value = "/bar" + } + ] + } protection_bypass_for_automation = true } `, projectSuffix, teamID) } -func testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIpsUpdated(projectSuffix, teamID string) string { +func testAccProjectConfigWithVercelAuthAndPasswordAndTrustedIpsAndOptionsAllowlistUpdated(projectSuffix, teamID string) string { return fmt.Sprintf(` resource "vercel_project" "enabled_to_start" { name = "test-acc-protection-one-%[1]s" @@ -462,6 +484,13 @@ resource "vercel_project" "disabled_to_start" { ] deployment_type = "standard_protection" } + options_allowlist = { + paths = [ + { + value = "/foo" + } + ] + } protection_bypass_for_automation = true } @@ -485,6 +514,13 @@ resource "vercel_project" "enabled_to_update" { deployment_type = "all_deployments" protection_mode = "trusted_ip_optional" } + options_allowlist = { + paths = [ + { + value = "/bar" + } + ] + } protection_bypass_for_automation = false } `, projectSuffix, teamID)