Added - Support for Container Instance Service: Configure Linux Capabilities

madanrajhari10 · Nishtha Goel · commit 541e81e3333d · 2024-03-01T18:28:18.000+05:30
diff --git a/examples/container_instances/main.tf b/examples/container_instances/main.tf
@@ -26,7 +26,7 @@ resource "oci_core_network_security_group" "test_network_security_group" {
   vcn_id         = oci_core_vcn.test_vcn.id
   lifecycle {
     ignore_changes = [
-    "defined_tags"]
+      "defined_tags"]
   }
 }
 
@@ -36,7 +36,7 @@ resource "oci_core_vcn" "test_vcn" {
   dns_label      = "testvcn"
   lifecycle {
     ignore_changes = [
-    "defined_tags"]
+      "defined_tags"]
   }
 }
 
@@ -46,11 +46,11 @@ resource "oci_core_subnet" "test_subnet" {
   dns_label      = "testsubnet"
   route_table_id = oci_core_route_table.test_route_table.id
   security_list_ids = [
-  "${oci_core_security_list.test_sec_list.id}"]
+    "${oci_core_security_list.test_sec_list.id}"]
   vcn_id = oci_core_vcn.test_vcn.id
   lifecycle {
     ignore_changes = [
-    "defined_tags"]
+      "defined_tags"]
   }
 }
 
@@ -137,9 +137,9 @@ resource "oci_container_instances_container_instance" "test_container_instance"
     #Optional
     arguments = [
       "-c",
-    "cat /mnt/my_file"]
+      "cat /mnt/my_file"]
     command = [
-    "/bin/sh"]
+      "/bin/sh"]
     display_name = "displayName"
     environment_variables = {
       "environment" = "variable"
@@ -194,6 +194,10 @@ resource "oci_container_instances_container_instance" "test_container_instance"
       is_root_file_system_readonly   = true
       run_as_group                   = 10
       run_as_user                    = 10
+      capabilities {
+        add_capabilities = ["CAP_CHOWN", "CAP_KILL"]
+        drop_capabilities = ["ALL"]
+      }
     }
   }
   shape = "CI.Standard.E4.Flex"
@@ -226,11 +230,11 @@ resource "oci_container_instances_container_instance" "test_container_instance"
 
     #Optional
     nameservers = [
-    "8.8.8.8"]
+      "8.8.8.8"]
     options = [
-    "options"]
+      "options"]
     searches = [
-    "search domain"]
+      "search domain"]
   }
   freeform_tags = {
     "bar-key" = "foo-value"
diff --git a/internal/integrationtest/container_instances_container_instance_test.go b/internal/integrationtest/container_instances_container_instance_test.go
@@ -155,6 +155,7 @@ var (
 		"vcpus_limit":         acctest.Representation{RepType: acctest.Optional, Create: `1`},
 	}
 	ContainerInstancesContainerInstanceContainersSecurityContextRepresentation = map[string]interface{}{
+		"capabilities":                   acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerInstancesContainerInstanceContainersSecurityContextCapabilitiesRepresentation},
 		"is_non_root_user_check_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`},
 		"is_root_file_system_readonly":   acctest.Representation{RepType: acctest.Optional, Create: `false`},
 		"run_as_group":                   acctest.Representation{RepType: acctest.Optional, Create: `10`},
@@ -205,6 +206,10 @@ var (
 		"name":  acctest.Representation{RepType: acctest.Optional, Create: `name`},
 		"value": acctest.Representation{RepType: acctest.Optional, Create: `value`},
 	}
+	ContainerInstancesContainerInstanceContainersSecurityContextCapabilitiesRepresentation = map[string]interface{}{
+		"add_capabilities":  acctest.Representation{RepType: acctest.Optional, Create: []oci_container_instances.ContainerCapabilityTypeEnum{`addCapabilities`}},
+		"drop_capabilities": acctest.Representation{RepType: acctest.Optional, Create: []oci_container_instances.ContainerCapabilityTypeEnum{`dropCapabilities`}},
+	}
 
 	CISecurityListTCPEgressSecurityRulesRepresentation = map[string]interface{}{
 		"destination": acctest.Representation{RepType: acctest.Required, Create: `0.0.0.0/0`},
@@ -437,6 +442,9 @@ func TestContainerInstancesContainerInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "containers.0.resource_config.0.memory_limit_in_gbs", "1"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.resource_config.0.vcpus_limit", "1"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.0.add_capabilities.#", "0"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.0.drop_capabilities.#", "0"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.is_non_root_user_check_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.is_root_file_system_readonly", "false"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.run_as_group", "10"),
@@ -514,6 +522,9 @@ func TestContainerInstancesContainerInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "containers.0.resource_config.0.memory_limit_in_gbs", "1"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.resource_config.0.vcpus_limit", "1"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.0.add_capabilities.#", "0"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.0.drop_capabilities.#", "0"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.is_non_root_user_check_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.is_root_file_system_readonly", "false"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.run_as_group", "10"),
@@ -586,6 +597,9 @@ func TestContainerInstancesContainerInstanceResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "containers.0.resource_config.0.memory_limit_in_gbs", "1"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.resource_config.0.vcpus_limit", "1"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.0.add_capabilities.#", "0"),
+				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.capabilities.0.drop_capabilities.#", "0"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.is_non_root_user_check_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.is_root_file_system_readonly", "false"),
 				resource.TestCheckResourceAttr(resourceName, "containers.0.security_context.0.run_as_group", "10"),
diff --git a/internal/service/container_instances/container_instances_container_instance_resource.go b/internal/service/container_instances/container_instances_container_instance_resource.go
@@ -277,6 +277,41 @@ func ContainerInstancesContainerInstanceResource() *schema.Resource {
 									// Required
 
 									// Optional
+									"capabilities": {
+										Type:     schema.TypeList,
+										Optional: true,
+										Computed: true,
+										ForceNew: true,
+										MaxItems: 1,
+										MinItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												// Required
+
+												// Optional
+												"add_capabilities": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Computed: true,
+													ForceNew: true,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"drop_capabilities": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Computed: true,
+													ForceNew: true,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+
+												// Computed
+											},
+										},
+									},
 									"is_non_root_user_check_enabled": {
 										Type:     schema.TypeBool,
 										Optional: true,
@@ -1551,6 +1586,48 @@ func (s *ContainerInstancesContainerInstanceResourceCrud) StopContainerInstance(
 	return tfresource.WaitForResourceCondition(s, retentionPolicyFunc, s.D.Timeout(schema.TimeoutUpdate))
 }
 
+func (s *ContainerInstancesContainerInstanceResourceCrud) mapToContainerCapabilities(fieldKeyFormat string) (oci_container_instances.ContainerCapabilities, error) {
+	result := oci_container_instances.ContainerCapabilities{}
+
+	if addCapabilities, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "add_capabilities")); ok {
+		interfaces := addCapabilities.([]interface{})
+		tmp := make([]oci_container_instances.ContainerCapabilityTypeEnum, len(interfaces))
+		for i := range interfaces {
+			if interfaces[i] != nil {
+				tmp[i], _ = oci_container_instances.GetMappingContainerCapabilityTypeEnum(interfaces[i].(string))
+			}
+		}
+		if len(tmp) != 0 || s.D.HasChange(fmt.Sprintf(fieldKeyFormat, "add_capabilities")) {
+			result.AddCapabilities = tmp
+		}
+	}
+
+	if dropCapabilities, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "drop_capabilities")); ok {
+		interfaces := dropCapabilities.([]interface{})
+		tmp := make([]oci_container_instances.ContainerCapabilityTypeEnum, len(interfaces))
+		for i := range interfaces {
+			if interfaces[i] != nil {
+				tmp[i], _ = oci_container_instances.GetMappingContainerCapabilityTypeEnum(interfaces[i].(string))
+			}
+		}
+		if len(tmp) != 0 || s.D.HasChange(fmt.Sprintf(fieldKeyFormat, "drop_capabilities")) {
+			result.DropCapabilities = tmp
+		}
+	}
+
+	return result, nil
+}
+
+func ContainerCapabilitiesToMap(obj *oci_container_instances.ContainerCapabilities) map[string]interface{} {
+	result := map[string]interface{}{}
+
+	result["add_capabilities"] = obj.AddCapabilities
+
+	result["drop_capabilities"] = obj.DropCapabilities
+
+	return result
+}
+
 func (s *ContainerInstancesContainerInstanceResourceCrud) mapToContainerConfigFile(fieldKeyFormat string) (oci_container_instances.ContainerConfigFile, error) {
 	result := oci_container_instances.ContainerConfigFile{}
 
@@ -2427,6 +2504,16 @@ func (s *ContainerInstancesContainerInstanceResourceCrud) mapToCreateSecurityCon
 	switch strings.ToLower(securityContextType) {
 	case strings.ToLower("LINUX"):
 		details := oci_container_instances.CreateLinuxSecurityContextDetails{}
+		if capabilities, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "capabilities")); ok {
+			if tmpList := capabilities.([]interface{}); len(tmpList) > 0 {
+				fieldKeyFormatNextLevel := fmt.Sprintf("%s.%d.%%s", fmt.Sprintf(fieldKeyFormat, "capabilities"), 0)
+				tmp, err := s.mapToContainerCapabilities(fieldKeyFormatNextLevel)
+				if err != nil {
+					return details, fmt.Errorf("unable to convert capabilities, encountered error: %v", err)
+				}
+				details.Capabilities = &tmp
+			}
+		}
 		if isNonRootUserCheckEnabled, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "is_non_root_user_check_enabled")); ok {
 			tmp := isNonRootUserCheckEnabled.(bool)
 			details.IsNonRootUserCheckEnabled = &tmp
@@ -2456,6 +2543,10 @@ func SecurityContextToMap(obj *oci_container_instances.SecurityContext) map[stri
 	case oci_container_instances.LinuxSecurityContext:
 		result["security_context_type"] = "LINUX"
 
+		if v.Capabilities != nil {
+			result["capabilities"] = []interface{}{ContainerCapabilitiesToMap(v.Capabilities)}
+		}
+
 		if v.IsNonRootUserCheckEnabled != nil {
 			result["is_non_root_user_check_enabled"] = bool(*v.IsNonRootUserCheckEnabled)
 		}
diff --git a/website/docs/r/container_instances_container_instance.html.markdown b/website/docs/r/container_instances_container_instance.html.markdown
@@ -63,6 +63,12 @@ resource "oci_container_instances_container_instance" "test_container_instance"
 		security_context {
 
 			#Optional
+			capabilities {
+
+				#Optional
+				add_capabilities = var.container_instance_containers_security_context_capabilities_add_capabilities
+				drop_capabilities = var.container_instance_containers_security_context_capabilities_drop_capabilities
+			}
 			is_non_root_user_check_enabled = var.container_instance_containers_security_context_is_non_root_user_check_enabled
 			is_root_file_system_readonly = var.container_instance_containers_security_context_is_root_file_system_readonly
 			run_as_group = var.container_instance_containers_security_context_run_as_group
@@ -201,6 +207,9 @@ The following arguments are supported:
 
 			A container with a 2.0 vcpusLimit could consume up to 100% of the CPU resources available on the container instance. Values can be fractional. A value of "1.5" means that the container can consume at most the equivalent of 1 and a half logical CPUs worth of CPU capacity. 
 	* `security_context` - (Optional) Security context for container.
+		* `capabilities` - (Optional) Linux Container capabilities to configure capabilities of container. 
+			* `add_capabilities` - (Optional) A list of additional configurable container capabilities. 
+			* `drop_capabilities` - (Optional) A list of container capabilities that can be dropped. 
 		* `is_non_root_user_check_enabled` - (Optional) Indicates if the container must run as a non-root user. If true, the service validates the container image at runtime to ensure that it is not going to run with UID 0 (root) and fails the container instance creation if the validation fails. 
 		* `is_root_file_system_readonly` - (Optional) Determines if the container will have a read-only root file system. Default value is false.
 		* `run_as_group` - (Optional) The group ID (GID) to run the entrypoint process of the container. Uses runtime default if not provided.
