goharbor / terraform-provider-harbor Goto Github PK

We have existing project that we want to gradually migrate to this provider. For public projects, we can create robot accounts like this

data "harbor_project" "project" {
name = var.harbor_project_name
}

resource "harbor_robot_account" "account" {
name = var.harbor_robot_account_name
description = var.harbor_robot_account_description
project_id = data.harbor_project.project.id
actions = ["pull","read"]
}

For private projects, I get following error

Error: strconv.ParseBool: parsing "": invalid syntax

Is it my hands (I am terraform noob), or actual bug? I am using harbor admin account

It is defined as model https://github.com/BESTSELLER/terraform-provider-harbor/blob/274944faf4073369032bdc1d12979073138f8b75/models/replications.go#L15
but not defined in provider https://github.com/BESTSELLER/terraform-provider-harbor/blob/274944faf4073369032bdc1d12979073138f8b75/provider/resource_replication.go#L12

Hello,

When I note ldap_search_password and I check connectivity, I get this log in Harbor :
2021-03-05T12:35:44Z [ERROR] [/lib/http/error.go:54]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"LDAP connect fail, error: LDAP Result Code 206 "Empty password not allowed by the client": ldap: empty password not allowed by the client"}]}

• Version 1.2.2

When I create event_based replication, Harbor doesn't launch a replication if there is no event.
Could be great to have in the replication resource definition a "launch replication" property which launch a replication after a create or an update of the replication object.

Hi.
We have some problems with internal users, provider crashes when we try to add a new user to a project.
tf code which provide error

resource "harbor_project_member" "project_member" {
  project_id    = harbor_project.project["core"].id
  name          = "core"
  role          = "developer"
  type          = "internal"
}

Plan is generated without any problem but when we try to apply it we got crash and following error https://gist.github.com/pcheliniy/b68acdecc697cfc88e40dd06a6ca2818
provider version: 0.1.1
api_version: 2
harbor doesn't have clair and trivy components (I'm not sure but I guess it can be connected to the problem)
vulnerability scanning for project also disabled (we tried to enable it but it didn't help)

Describe the bug

The robot prefix is hardcoded to robot$.

https://github.com/BESTSELLER/terraform-provider-harbor/blob/54c1a0fe9cb30c554ffcb20dee09a33af67976ee/provider/resource_robot_account.go#L117

Since Harbor 2.2.0 (current only a release candidate), it's possible to adjust this value in the harbor instance configuration. Thus, the hardcoded value in the provider leads to an issue when another prefix is chosen. Syncing the state leads to the recreation of robot accounts each time terraform apply is executed.

To Reproduce
Steps to reproduce the behavior:

1. Go to Habor Web interface as an admin (Harbor version >= 2.2.0)
2. Click on Administration -> Configuration -> System Settings
3. Set "Robot Name Prefix" to something which is not robot$
4. Save the changes
5. Apply a terraform configuration with a robot account.

Here, the prefix robot_ was chosen:

  # module.harbor_prod.harbor_robot_account.npp-robot must be replaced
-/+ resource "harbor_robot_account" "npp-robot" {
      ~ id          = "/projects/3/robots/102" -> (known after apply)
      ~ name        = "robot_npp+npp" -> "npp" # forces replacement
      ~ project_id  = "/projects/0" -> "/projects/3" # forces replacement
      ~ robot_id    = "102" -> (known after apply)
      + token       = (sensitive value)
        # (2 unchanged attributes hidden)
    }

Expected behavior
Any prefix should work and not lead to replacing the robot account in terraform.

Thanks for your work on this project!

Is your feature request related to a problem? Please describe.
Currently, I can't specify Limited guest in the string type role of project_member_group and project_member_user

Error: "role" must be either projectadmin, developer, guest or master, got: limitedguest

Describe the solution you'd like
Support limited guest on role

Describe alternatives you've considered
There is no terraform alternative, but manually set this up on portal

Additional context

2.0.1 build failed

@wrighbr can you check why? thanks

Hello,
We have a Harbor instance running behind an OIDC provider/SSO. When I am trying to import or provision any object, I am constantly getting 401 UNAUTHORIZED even though username/password is correct.

Code

terraform {
  required_providers {
    harbor = {
      source = "BESTSELLER/harbor"
      version = "2.0.5"
    }
  }
}

provider "harbor" {
  url      = "URL"
  username = "USERNAME"
  password = "PASSWORD"
}

resource "harbor_project" "mbd-otr-de" {}

Output

Error: [ERROR] unexpected status code got: 401 expected: 200
 {"errors":[{"code":"UNAUTHORIZED","message":"UnAuthorized"}]}

Describe the bug
When setting gc to Daily, it is saved to daily (lowercase). So all terraform plan detect field to be modified

Expected behavior
Do not set gc type to lowercase

Describe the bug
While destroying the project resource using terraform destroy which is replicated once as per cron schedule, I am unable to destroy the project resource.

To Reproduce

1. create a project.

resource "harbor_project" "main" {
  name                   = "jenkins"
  public                 = true
  vulnerability_scanning = true
}

2. create registry and replication for the same project.

resource "harbor_registry" "pull" {
  provider_name = "docker-hub"
  name          = "DockerHub"
  endpoint_url  = "https://hub.docker.com"
}

resource "harbor_replication" "replication_pull" {
  name     = "Jenkins"
  action   = "pull"
  schedule = "0 0 2 * * *"
  filters {
    name     = "jenkins/jenkins"
    tag      = "2.*.{0,1,2,3,4,5,6,7,8,9}-lts-jdk11"
    resource = "image"
  }
  registry_id = harbor_registry.pull.registry_id

3. run replicate from GUI and then run terraform destroy

Expected behavior
terraform should be able to destroy the project resource.

Screenshots

Describe the bug
When trying to create a retention policy, I'm getting the following error:

{"errors":[{"code":"METHOD_NOT_ALLOWED","message":"method PUT is not allowed, but [POST] are"}]}

To Reproduce
Steps to reproduce the behavior:

resource "harbor_project" "test" {
    name                    = "test"
    public                  = true
    vulnerability_scanning  = false
    enable_content_trust    = false
}


resource "harbor_retention_policy" "test" {
     scope = harbor_project.test.id
     schedule = "daily"
     rule {
         n_days_since_last_push = 30
         repo_matching = "**"
         tag_matching = "**"
     }
}

Expected behavior
Policy gets created.

Additional context

terraform version
Terraform v0.14.7
+ provider registry.terraform.io/bestseller/harbor v3.1.0

Harbor Version v2.2.0-ec0ba116

Is your feature request related to a problem? Please describe.
Being able to configure tag immutability rules for projects through Terraform would be very useful.

Describe the solution you'd like
An option to define tag immutability rules for a Harbor project.

Describe alternatives you've considered
Using the API / UI.

Hello,

I try to get data object information for library project by this way:

data "harbor_project" "main" {
    name    = "library" 
}

output "project_id" {
    value = data.harbor_project.main.id
}

but I got this error:

Error: strconv.ParseBool: parsing "": invalid syntax

  on template.tf line 49, in data "harbor_project" "main":
  49: data "harbor_project" "main" {

• version : 2.0.5

Describe the bug
When setting retention rules to tag_excluding, rule is created but without decoration.

Expected behavior
Add tag_excluding management

Additional context
In client/retention.go, tag_matching is tested but not tag_excluding

Is your feature request related to a problem? Please describe.
It's not possible to configure with this TF provider, garbage collect on Harbor

Describe the solution you'd like
Be able to configure this with Terraform :

Harbor v2.2.0 adds project name to name of the robot account causing replacement on next apply

  # harbor_robot_account.account must be replaced
-/+ resource "harbor_robot_account" "account" {
      ~ id          = "/projects/24/robots/2951" -> (known after apply)
      ~ name        = "vera+read" -> "read" # forces replacement
      ~ project_id  = "/projects/0" -> "/projects/24" # forces replacement
      ~ robot_id    = "2951" -> (known after apply)
      + token       = (sensitive value)
        # (2 unchanged attributes hidden)
    }

Change in robot controller

	name := r.Name
	// for the project level robot, set the name pattern as projectname+robotname, and + is a illegal character.
	if r.Level == LEVELPROJECT {
		name = fmt.Sprintf("%s+%s", r.ProjectName, r.Name)
	}

Hi,
When I use a custom cron, it is applied at every launch of Terraform
Because of this :
https://github.com/BESTSELLER/terraform-provider-harbor/blob/6973f96dba6f3af50eb4e61bfdacf38490264d77/provider/resource_garbage_collection.go#L66
which is set to "custom"

Is your feature request related to a problem? Please describe.
Harbor 2.2.0 (current only a release candidate) added the feature of System Level Robot Accounts. It would be beneficial when those accounts could be managed with this provider, too.

Describe the solution you'd like
Adjusting the currently implemented harbor_robot_account resource to allow configuring system level robot accounts as well, or adding a new resource type for system level robots.

Describe alternatives you've considered
Managing system level robot accounts manually and outside of terraform.

Thanks for your work on this project!

Describe the bug

• In the documentation of the registry.md when providing the argument access_key is giving issues, I went to code and analyzed the go template and saw that the argument should be access_secret instead of access_key.

https://github.com/BESTSELLER/terraform-provider-harbor/blob/c949b465c46aa82b331541cab9fe44fcf5b02545/provider/resource_registry.go#L36

https://github.com/BESTSELLER/terraform-provider-harbor/blob/master/docs/resources/registry.md which has a line

• access_key - (Optional) The password / access keys / token for the external container register

Describe the bug
When a resource is not found (manually deleted for example), terraform apply failed.
According to terraform doc :
When you create something in Terraform but delete it manually, Terraform should gracefully handle it. If the API returns an error when the resource doesn't exist, the read function should check to see if the resource is available first. If the resource isn't available, the function should set the ID to an empty string so Terraform "destroys" the resource in state. The following code snippet is an example of how this can be implemented; you do not need to add this to your configuration for this tutorial.

Expected behavior
Resource must be recreated is not found

Hi.
Thanks a lot for your provider.
Do you have any plans to write a resource for creating internal users?

Describe the bug

When updating from a previous version of this provider to v2.0.10, terraform apply could fail, if quota_per_project_enable is set to false in Harbor.

To Reproduce

1. Have a Harbor 2.0 installation set-up with v0.6.2 of terraform-provider-harbor
2. have quota_per_project_enable set to false in Harbor
3. Create a few projects in harbor using the provider
4. Update Harbor to 2.2 and use v2.0.10 of terraform-provider-harbor
5. Run the terraform stack again
6. The following error occurs

   Error: [ERROR] unexpected status code got: 404 expected: 200
    \{"errors":[ {"code":"NOT_FOUND","message":"quota 5 not found"}
   ]}
   

Expected behavior

Terraform runs as before – and applies any necessary changes without errors.

Additional context

The underlying problem is that since 9fbab5e it is asumed, that a resource /quotas/5 exists. This is not the case if quota_per_project_enable is false.

There is also no way to add a quota resource for an existing project in harbor (there is no POST endpoint)

It seems the issue can not be fixed without removing and recreating all existing projects. This would involve either dropping or migrating all container images in this project.

Possible Solution

The easy solution is to allow the PUT /quotas/{id} request to fail silently when storage_quota is set to -1 anyway. Maybe add an error description if it is set to a value, but quota_per_project_enable is not enabled.

The better solution could be to detect if quota_per_project_enable is enabled in harbor and act accordingly.

It would be good if we can create resource harbor_group. We are managing Harbor users via LDAP groups, so we cannot use this provider for this purposes.

Currently we are not able to set project quotas for project via this terraform provider.

I have specified resource for replication policy below, when I apply it, the replication policy is created in web UI, but the name in section Source resource filter is empty even it is specified in resource. It should be test/**.

resource "harbor_replication" "test" {
  name        = "test"
  action      = "push"
  registry_id = harbor_registry.test-harbor.registry_id
  override    = true
  enabled     = true
  filters {
    name      = "test/**"
    resource = "artifact"
  }
}

Harbor version: v2.1.1-5f52168e

Terraform version: v0.14.3

Describe the bug
Hi, when I create Harbor project for the first time with terraform, I am assigning to the project project quota of 5 GB. Everything is working fine, but then when I want to change the value of project quota to different value, terraform tells me that one resource is updated, but when I go to Harbor UI, project quota is not updated.

I can change the project quota manually in Harbor UI, but not with terraform and this provider.

Harbor

• Version: v2.1.3-b6de84c5
• Ubuntu 18.04.5 LTS

Terraform

$ terraform version
Terraform v0.14.3
+ provider registry.terraform.io/bestseller/harbor v1.2.0

Your version of Terraform is out of date! The latest version
is 0.14.4. You can update by downloading from https://www.terraform.io/downloads.htm

I did fresh installation of Harbor v2.1.3. I have used this provider to configure LDAP with local admin account from Harbor.

My configuration of LDAP is following

resource "harbor_config_auth" "ldap" {
  auth_mode             = "ldap_auth"
  ldap_url              = "ldaps://example.local:3269"
  ldap_search_dn        = "CN=service_account,OU=srv,DC=example,DC=local"
  ldap_search_password  = var.ldap_search_password
  ldap_base_dn          = "DC=example,DC=local"
  ldap_uid              = "sAMAccountName"
  ldap_scope            = 2
  ldap_group_base_dn    = "OU=Harbor,OU=Apps,DC=example,DC=local"
  ldap_group_admin_dn   = "CN=App_Harbor_Admins,OU=Harbor,OU=Apps,DC=example,DC=local"
  ldap_group_membership = "memberof"
  ldap_group_gid        = "cn"
  ldap_group_scope      = 2
  ldap_verify_cert      = false
}

When I apply the resource, I receive this error message

Error: [ERROR] unexpected status code got: 400 expected: 200 
 {"errors":[{"code":"BAD_REQUEST","message":"configure item is not defined in metadata, item name: ldap_group_id"}]}

I tried to add metadata ldap_group_id = "" (empty string because I don't know what are valid values) to resource harbor_config_auth, but then I receive this error message

Error: Unsupported argument

  on administration_configuration.tf line 13, in resource "harbor_config_auth" "ldap":
  13:   ldap_group_id        = ""

An argument named "ldap_group_id" is not expected here. Did you mean
"ldap_group_uid"?

Am I doing something wrong? I tried to follow the documentation, but currently I am not possible to configure LDAP via this provider.

Hello,

Describe the solution you'd like
I would like to be able to configure project policy (retention and immutability) :

In new version of Harbor 2.1.x there is possibility to create project as proxy cache by specifying registry. Current configuration of resource harbor_project doesn't support this feature. Will be possible to add this feature? Thanks

Current situation
A robot user can be created but only with a single action

resource "haror_project" "main" {
    name = "main"
}

resource "harbor_robot_account" "account" {
  name        = "${harbor_project.main.name}"
  description = "Robot account used to push images to harbor"
  project_id  = harbor_project.main.id
  action      = "push"
}

In harbor a robot account can be created with more than one action.

• push (docker)
• read (helm)
• create (helm)

Desired situation
Please enable creation of a robot account allowing multiple acctions. For example like this.

resource "haror_project" "main" {
    name = "main"
}

resource "harbor_robot_account" "account" {
  name        = "${harbor_project.main.name}"
  description = "Robot account used to push images to harbor"
  project_id  = harbor_project.main.id
  action      = ["push","create","read"]
}

To be changed
As far as i understood the RobotBodyAccess in RobotBody must be adjusted to send a json with multiple actions instead of a single action like this.

{
  "name": "testrobot",
  "expires_at": -1,
  "description": "t",
  "access": [
    {
      "resource": "/project/3/repository",
      "action": "push"
    },
    {
      "resource": "/project/3/helm-chart",
      "action": "read"
    },
    {
      "resource": "/project/3/helm-chart-version",
      "action": "create"
    }
  ]
}

Current state
The Interrogation Services can be configured to use preconfigured schedules like described here

It can also use custom cron expressions like in the UI and API but it is not mentioned in the documentation.

Request
It would be very good to know this feature is implemented in case you need a more specific cron expression or at a different time during the day.

According this documentation for version of Harbor 2.1.0, supported type roles for project are:

• Limited Guest,
• Guest,
• Developer,
• Maintainer,
• ProjectAdmin.

When I am trying to create user with maintainer role for project, it throws me error:
Error: "role" must be either projectadmin, developer, guest, limitedguest or master, got: maintainer.

So I assume that the master role was removed and was replaced by maintainer.

Describe the bug
when I configure Harbor with this provider, it disables quota (cf: goharbor/harbor#13509)
I suppose this quota_per_project_enable should be set to true : https://github.com/BESTSELLER/terraform-provider-harbor/blob/00c71183e8bf3b03c4fc582f1309b057316a9ac4/models/config.go#L26

Describe the bug
when is create a replication, replication_policy_id is null
https://github.com/BESTSELLER/terraform-provider-harbor/blob/master/docs/resources/replication.md

Please add description...

Describe the bug
If I create a project manually on Harbor, then add it to terraform, I get this error :

Error: [ERROR] unexpected status code got: 409 expected: 201
 {"errors":[{"code":"CONFLICT","message":"The project named test already exists"}]}

It could be great if it could check before if the project exist

Describe the bug

When creating a harbor_replication with the description argument set, the resulting replication in Harbor has an empty description.

To Reproduce
Steps to reproduce the behavior:

1. Create a new harbor_replication resource with description set to a non-empty string
2. terraform apply
3. View replication in Harbor

Expected behavior

The description argument should be propagated to Harbor.

Describe the bug
2 fields have wrong management

• ldap_group_membership is mapped to ldap_group_attribute_name and must be ldap_group_membership_attribute
• ldat_group_gid is mapped to ldap_group_gid which does not exists in harbor

Expected behavior

• ldap_group_membership must be ldap_group_membership_attribute
• ldat_group_gid must be ldap_group_attribute_name

Describe the bug

Hey first of all: great project!

This bug/feature request is for quay.io support. Note that the enum exists at https://github.com/BESTSELLER/terraform-provider-harbor/blob/41d356fdea6521bf16c594a7246975567baed0ff/client/registry.go#L40 but it is still impossible to create quay registries in Terraform even though it's possible from the UI.

To Reproduce
Define a resource for a quay registry.

resource "harbor_registry" "quay" {
  provider_name = "quay"
  name          = "quay"
  endpoint_url  = "https://quay.io"
}

This will cause:

Error: [ERROR] unexpected status code got: 400 expected: 201 
 {"errors":[{"code":"BAD_REQUEST","message":"the registry is unhealthy"}]}

Note that even if access is setup reasonably (access_id: "json_file" and a valid cli_password/username as per here it will still fail. It will also fail if access_id: "".

Expected behavior
A valid registry

Additional context
Harbor auto-fills the "access_id" in the web UI as "json_file" and throws the same error until the auto-filled value is removed or a valid "access_secret" is passed. In Terraform, I attempted to overwrite this default value with an empty string but that does not work unfortunately.

Describe the bug
I used below code to create registry and replication according to documentation and the filters are populating during the tfplan step but when I see in the UI for the same replication the filters are not present.

To Reproduce
Steps to reproduce the behavior:

provider "harbor" {
  url      = "xxxxx"
  username = "admin"
  password = "xxxx"
}

# registry configuration pull
resource "harbor_registry" "pull" {
  
  provider_name = "docker-hub"
  name          = "Docker Hub"
  endpoint_url  = "https://hub.docker.com"
}

# replication pull based
resource "harbor_replication" "replication_pull" {
  name     = "Jenkins"
  action   = "pull"
  schedule = "0 0 2 * * *"
  filters {
    name     = "jenkins/jenkins"
    tag      = "2.*.{0,1,2,3,4,5,6,7,8,9}-lts-jdk11"
    resource = "image"
  }
  registry_id = harbor_registry.pull.registry_id
}

Use the above configuration with terraform apply

Screenshots

Expected behavior
Filters should reflect in harbor replication.

Desktop (please complete the following information):

• OS: Linux

Smartphone (please complete the following information):
NA

Additional context
NA

Describe the bug
retention policy are not deleted in harbor but are in the tfstate

  # module.harbor_replication[0].harbor_retention_policy.main[0] will be destroyed
  - resource "harbor_retention_policy" "main" {
      - id       = "/retentions/103" -> null
      - schedule = "daily" -> null
      - scope    = "/projects/531" -> null

      - rule {
          - always_retain          = false -> null
          - disabled               = false -> null
          - most_recently_pulled   = 0 -> null
          - most_recently_pushed   = 0 -> null
          - n_days_since_last_pull = 1 -> null
          - n_days_since_last_push = 0 -> null
          - repo_matching          = "**" -> null
          - tag_matching           = "**" -> null
          - untagged_artifacts     = true -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.harbor_replication[0].harbor_retention_policy.main[0]: Destroying... [id=/retentions/103]
module.harbor_replication[0].harbor_retention_policy.main[0]: Destruction complete after 0s

The retention policy is still there :

And if I re-create it with TF it failed :

  # module.harbor_replication[0].harbor_retention_policy.main[0] will be created
  + resource "harbor_retention_policy" "main" {
      + id       = (known after apply)
      + schedule = "daily"
      + scope    = "/projects/531"

      + rule {
          + always_retain          = false
          + disabled               = false
          + n_days_since_last_pull = 1
          + repo_matching          = "**"
          + tag_matching           = "**"
          + untagged_artifacts     = true
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.harbor_replication[0].harbor_retention_policy.main[0]: Creating...

Error: [ERROR] unexpected status code got: 400 expected: 201 
 {"errors":[{"code":"BAD_REQUEST","message":"project 531 already has retention policy 103"}]}

Is your feature request related to a problem? Please describe.
Hard to tell without going through commits as what has changed between releases

Describe the solution you'd like
A CHANGELOG.md managed that follows KeepAChangeLog.com. Ideally this would be attached to each release's details.

Describe alternatives you've considered
Going through commits

Additional context
See most open source projects for examples.

Hi,
Thanks for this project!
I had the following issue when trying to configure email.

Describe the bug
I tried to use: harbor_config_email, but I got this error and a stacktrace :
panic: interface conversion: interface {} is string, not int

To Reproduce

1. add a harbor_config_email resources with :

email_host
email_port
email_username
email_password
email_from
email_ssl

2. terraform apply

Expected behavior
Email configuration is applied on harbor

Desktop (please complete the following information):

• OS: windows10
• Terraform v0.13.5
• provider registry.terraform.io/bestseller/harbor v0.5.1

Describe the bug
robot_token_expiration is converted to minutes while day is wait.

Expected behavior
Set robot_token_expiration to days

Describe the bug
When importing a project that does not have scanning enabled, an error will occur when trying to import the project. The error goes away after manually configuring the project to enable scanning.

To Reproduce
Steps to reproduce the behavior:

1. Manually create project in Harbor that does not have project scanning enabled
2. Try to import the project utilizing the provider
3. See error. strconv.ParseBool: parsing "": invalid syntax

Expected behavior
Project is successfully imported

Harbor Version: v2.1.1-5f52168e
Provider version: v2.0.10

According this documentation I should be able to import existing registry which already exists in Harbor.

I try this command to import the registry
terraform import harbor_registry.docker_hub /registries/1

It throws me
Error: resource harbor_registry doesn't support import

Describe the solution you'd like
I would like to be able to add labels to projects

Describe the bug
when I do terraform plan or apply I always get this if the project doesn't exist

Error: [ERROR] unexpected status code got: 404 expected: 200
 {"errors":[{"code":"NOT_FOUND","message":"project test not found"}]}

When trying to test the harbor_garbage_collection resource on a local harbor server, it ends with the following error :

$ cat <<EOF >> root.tf
terraform {
  required_version = ">= 0.12"
  required_providers {
    harbor = {
      source  = "BESTSELLER/harbor"
      version = "~> 3.1.1"
    }
  }
}

provider "harbor" {
  url      = "http://localhost:30000"
  username = "admin"
  password = "admin"
}

resource "harbor_garbage_collection" "main" {
  schedule        = "daily"
  delete_untagged = true
}
EOF


$ terraform apply --auto-approve      
harbor_garbage_collection.main: Creating...

Error: unexpected end of JSON input

  on root.tf line 17, in resource "harbor_garbage_collection" "main":
  17: resource "harbor_garbage_collection" "main" {

Desktop (please complete the following information):

• OS: Ubuntu 18.04.5
• Terraform : v0.14.10

Additional context