fix: NetworkPolicy type per namespace must be the same for all the pr…

…ojects in the same namespace
sparkfabrik · Jan 10, 2025 · 5d29e7e · 5d29e7e
1 parent cade243
commit 5d29e7e
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,12 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.20.1] - 2025-01-10
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-cloud-native-drupal-resources/compare/0.20.0...0.20.1)
+
+- Fix NetworkPolicy configuration to guarantee that there is only one NetworkPolicy type per namespace.
+
 ## [0.20.0] - 2024-12-19
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-cloud-native-drupal-resources/compare/0.19.0...0.20.0)
@@ -24,7 +30,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-cloud-native-drupal-resources/compare/0.17.1...0.18.0)
 
-- Add more complete outputs. 
+- Add more complete outputs.
 
 ## [0.17.1] - 2024-11-27
 
@@ -127,7 +133,6 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Add support for global tags to be passed to buckets.
 - Upgraded module `terraform-google-gcp-application-bucket-creation-helper` to version `0.7.0`.
 
-
 ## [0.7.0] - 2023-07-27
 
 [Compare with previous version](https://www.github.com/sparkfabrik/terraform-google-gcp-cloud-native-drupal-resources/compare/0.6.0...0.7.0)

diff --git a/main.tf b/main.tf
@@ -55,6 +55,15 @@ locals {
       network_policy = p.network_policy
     }
   ]
+
+  distinct_namespaces = distinct([for p in var.drupal_projects_list : p.kubernetes_namespace == null ? "${p.project_name}-${p.gitlab_project_id}-${p.release_branch_name}" : p.kubernetes_namespace])
+
+  # NetworkPolicy per namespace. The variable validation guarantees that there is only one NetworkPolicy type per namespace.
+  network_policy_per_namespace = {
+    for i in local.distinct_namespaces : i => [
+      for p in var.drupal_projects_list : p.network_policy if(p.kubernetes_namespace == null ? "${p.project_name}-${p.gitlab_project_id}-${p.release_branch_name}" : p.kubernetes_namespace) == i
+    ][0]
+  }
 }
 
 # Add new databases and users to the CloudSQL master instance.
@@ -95,13 +104,9 @@ resource "kubernetes_namespace" "namespace" {
   }
 }
 
-locals {
-  unique_namespaces = toset([for p in local.namespace_list : p.namespace if p.network_policy != ""])
-}
-
 resource "kubernetes_network_policy_v1" "this" {
   for_each = {
-    for p in local.namespace_list : p.namespace => p.network_policy if contains(local.unique_namespaces, p.namespace)
+    for namespace, network_policy in local.network_policy_per_namespace : namespace => network_policy if network_policy != ""
   }
 
   metadata {

diff --git a/outputs.tf b/outputs.tf
@@ -141,8 +141,6 @@ output "cloudsql_dumps_bucket_name" {
 output "namespaces_network_policy" {
   description = "Namespaces with network policy enabled."
   value = {
-    "isolated" : { for obj in local.namespace_list : obj.namespace => obj.project_name if obj.network_policy == "isolated" },
-    "restricted" : { for obj in local.namespace_list : obj.namespace => obj.project_name if obj.network_policy == "restricted" },
-    "none" : { for obj in local.namespace_list : obj.namespace => obj.project_name if obj.network_policy == "" }
+    for namespace, network_policy in local.network_policy_per_namespace : namespace => network_policy == "" ? "none" : network_policy
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -101,6 +101,17 @@ variable "drupal_projects_list" {
     error_message = "The project name is invalid. Must be 6 to 16 characters long, with only lowercase letters, numbers, hyphens and underscores if the database must be created by the module or 6 to 23 characters long if we pass database_host database_user_name and database_name to the module. If a network policy is specified, it must be 'isolated' or 'restricted'."
   }
 
+  validation {
+    condition = alltrue([
+      for ns, np in {
+        for i in distinct([for p in var.drupal_projects_list : p.kubernetes_namespace == null ? "${p.project_name}-${p.gitlab_project_id}-${p.release_branch_name}" : p.kubernetes_namespace]) : i => distinct([
+          for p in var.drupal_projects_list : p.network_policy if(p.kubernetes_namespace == null ? "${p.project_name}-${p.gitlab_project_id}-${p.release_branch_name}" : p.kubernetes_namespace) == i
+        ])
+      } : length(np) == 1
+    ])
+    error_message = "The NetworkPolicy type must be the same for all projects in the same namespace."
+  }
+
   validation {
     condition = alltrue([
       for p in var.drupal_projects_list :