Preserve comments in acl file #227
Labels
enhancement
New feature or request
Comments
|
Using Perhaps the ask here is having the Terraform provider use the same parsing design as the GitOps tool, which uses github.com/tailscale/hujson not encoding/json. This ensures that all HuJSON comments are preserved. |
|
perhaps a good middle ground would be to add a I read the ACL policy via the api, then merge specific parts over the top to programmatically add rules. If there was a |
|
Based on a brief internal discussion, we think a reasonable way forward would be to add a new field to the To simplify ongoing maintenance related to keeping the ACL schema in sync between Tailscale management plane and the Terraform provider, the contents of this field will not be parsed or interpreted by the provider. It will be validated against the validate ACL API endpoint, and will be written verbatim as HuJSON, with all comments and markup preserved. We're planning to call this field Please comment on this issue if you have any feedback on this. |
|
How would one work with HuJSON in terraform though? jsondecode will either error on the comments, or remove them, which means this can't be used in a way that preserves the comments unless you only use it a string? |
We would use a templated string - as mentioned in the earlier comment - it would still be validated on the tailscale api endpoint - but could potentially not be valid hujson. |
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 12, 2024
Per [docs](https://github.com/tailscale/tailscale/blob/main/api.md): > The HTTP status code will be '200' if the request was well formed and > there were no server errors, even in the case of failing tests or an > invalid ACL. Look at the response body to determine whether there was a > problem within your ACL or tests: Updates tailscale/terraform-provider-tailscale#227
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 12, 2024
Updates tailscale/terraform-provider-tailscale#227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 12, 2024
Updates tailscale/terraform-provider-tailscale#227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 12, 2024
Updates tailscale/terraform-provider-tailscale#227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 14, 2024
Per [docs](https://github.com/tailscale/tailscale/blob/main/api.md): > The HTTP status code will be '200' if the request was well formed and > there were no server errors, even in the case of failing tests or an > invalid ACL. Look at the response body to determine whether there was a > problem within your ACL or tests: Updates tailscale/terraform-provider-tailscale#227
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 14, 2024
Updates tailscale/terraform-provider-tailscale#227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
to tailscale/tailscale-client-go
that referenced
this issue
Feb 14, 2024
Updates tailscale/terraform-provider-tailscale#227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
that referenced
this issue
Feb 14, 2024
The `acl` argument of the `tailscale_acl` resource can now be a HuJSON string. Instead of unmarshalling it into an `ACL` message of the [API client](https://github.com/tailscale/tailscale-client-go) just to have the client serialize it into JSON again, policy content gets passed to the Tailscale API verbatim. This allows users to define their policy as HuJSON strings, with comments being preserved. Since JSON is a subset of HuJSON, this is backwards compatible, so I am not adding a separate field for this as has been previously suggested in #227. Validation is now performed by calling the [Validate and test policy file](https://github.com/tailscale/tailscale/blob/main/api.md#validate-and-test-policy-file) API, which will help catch any semantic errors in the policy at `terraform plan` stage (for example, when a syntactically correct policy contains configuration that is not supported by the Tailnet's current [pricing plan](https://tailscale.com/pricing)). Finally, this will also allow users to use new fields in the policy without requiring a new release of the Terraform provider. I've also added a new `hujson` field to the `tailscale_acl` data resource that shows current policy as a HuJSON string. Fixes #331 Fixes #227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
that referenced
this issue
Feb 14, 2024
The `acl` argument of the `tailscale_acl` resource can now be a HuJSON string. Instead of unmarshalling `acl` into an `ACL` struct of the [API client](https://github.com/tailscale/tailscale-client-go) just to have the client serialize it into JSON again, policy content gets passed to the Tailscale API verbatim. This allows users to define their policy as HuJSON strings, with comments being preserved. Since JSON is a subset of HuJSON, this is backwards compatible, so I am not adding a separate field for this as has been previously suggested in #227. Validation is now performed by calling the [Validate and test policy file](https://github.com/tailscale/tailscale/blob/main/api.md#validate-and-test-policy-file) API, which will help catch any semantic errors in the policy at `terraform plan` stage (for example, when a syntactically correct policy contains configuration that is not supported by the Tailnet's current [pricing plan](https://tailscale.com/pricing)). Finally, this will also allow users to use new fields in the policy without requiring a new release of the Terraform provider. I've also added a new `hujson` field to the `tailscale_acl` data resource that shows current policy as a HuJSON string. Fixes #331 Fixes #227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
that referenced
this issue
Feb 14, 2024
The `acl` argument of the `tailscale_acl` resource can now be a HuJSON string. Instead of unmarshalling `acl` into an `ACL` struct of the [API client](https://github.com/tailscale/tailscale-client-go) just to have the client serialize it into JSON again, policy content gets passed to the Tailscale API verbatim. This allows users to define their policy as HuJSON strings, with comments being preserved. Since JSON is a subset of HuJSON, this is backwards compatible, so I am not adding a separate field for this as has been previously suggested in #227. Validation is now performed by calling the [Validate and test policy file](https://github.com/tailscale/tailscale/blob/main/api.md#validate-and-test-policy-file) API, which will help catch any semantic errors in the policy at `terraform plan` stage (for example, when a syntactically correct policy contains configuration that is not supported by the Tailnet's current [pricing plan](https://tailscale.com/pricing)). Finally, this will also allow users to use new fields in the policy without requiring a new release of the Terraform provider. I've also added a new `hujson` field to the `tailscale_acl` data resource that shows current policy as a HuJSON string. Fixes #331 Fixes #227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
that referenced
this issue
Feb 14, 2024
The `acl` argument of the `tailscale_acl` resource can now be a HuJSON string. Instead of unmarshalling `acl` into an `ACL` struct of the [API client](https://github.com/tailscale/tailscale-client-go) just to have the client serialize it into JSON again, policy content gets passed to the Tailscale API verbatim. This allows users to define their policy as HuJSON strings, with comments being preserved. Since JSON is a subset of HuJSON, this is backwards compatible, so I am not adding a separate field for this as has been previously suggested in #227. Validation is now performed by calling the [Validate and test policy file](https://github.com/tailscale/tailscale/blob/main/api.md#validate-and-test-policy-file) API, which will help catch any semantic errors in the policy at `terraform plan` stage (for example, when a syntactically correct policy contains configuration that is not supported by the Tailnet's current [pricing plan](https://tailscale.com/pricing)). Finally, this will also allow users to use new fields in the policy without requiring a new release of the Terraform provider. I've also added a new `hujson` field to the `tailscale_acl` data resource that shows current policy as a HuJSON string. Fixes #331 Fixes #227 Signed-off-by: Anton Tolchanov <[email protected]>
knyar
added a commit
that referenced
this issue
Feb 15, 2024
The `acl` argument of the `tailscale_acl` resource can now be a HuJSON string. Instead of unmarshalling `acl` into an `ACL` struct of the [API client](https://github.com/tailscale/tailscale-client-go) just to have the client serialize it into JSON again, policy content gets passed to the Tailscale API verbatim. This allows users to define their policy as HuJSON strings, with comments being preserved. Since JSON is a subset of HuJSON, this is backwards compatible, so I am not adding a separate field for this as has been previously suggested in #227. Validation is now performed by calling the [Validate and test policy file](https://github.com/tailscale/tailscale/blob/main/api.md#validate-and-test-policy-file) API, which will help catch any semantic errors in the policy at `terraform plan` stage (for example, when a syntactically correct policy contains configuration that is not supported by the Tailnet's current [pricing plan](https://tailscale.com/pricing)). Finally, this will also allow users to use new fields in the policy without requiring a new release of the Terraform provider. I've also added a new `hujson` field to the `tailscale_acl` data resource that shows current policy as a HuJSON string. Fixes #331 Fixes #227 Signed-off-by: Anton Tolchanov <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
The
tailscale_aclstandardizes theaclinput which removes all comments in the file.Describe the solution you'd like
It would be helpful to preserve comments in the ACL file to help Tailscale admins better understand the ACL output in the Admin Console.
Example
This ACL resource:
Becomes this in the admin console:
{ "acls": [ { "action": "accept", "src": [ "*" ], "dst": [ "*:*" ] } ] }The text was updated successfully, but these errors were encountered: