feat: adds security_opts to container config. (#308)

* Add security_opts to container config. Resolves #288 * Fix schema type * Set security_opts to computed as docker modifies after apply * Add label automatically added by TravisCI docker engine to bypass test failure. Co-authored-by: Nolan Woods <nolan_w@sfu.ca>
2025-12-27 18:19:48 -05:00 · 2020-11-15 10:19:19 -07:00 · 2020-11-15 10:19:19 -07:00 · de7c6be58a
commit de7c6be58a
parent cdc0b0a7e8
4 changed files with 17 additions and 0 deletions
--- a/docker/resource_docker_container.go
+++ b/docker/resource_docker_container.go
@ -223,6 +223,15 @@ func resourceDockerContainer() *schema.Resource {
 					},
 				},
 			},
+			"security_opts": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				ForceNew:    true,
+				Computed:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "List of string values to customize labels for MLS systems, such as SELinux. See https://docs.docker.com/engine/reference/run/#security-configuration",
+				Set:         schema.HashString,
+			},
 			"mounts": {
 				Type:        schema.TypeSet,
 				Description: "Specification for mounts to be added to containers created as part of the service",
--- a/docker/resource_docker_container_funcs.go
+++ b/docker/resource_docker_container_funcs.go
@ -272,6 +272,10 @@ func resourceDockerContainerCreate(d *schema.ResourceData, meta interface{}) err
 		hostConfig.Links = stringSetToStringSlice(v.(*schema.Set))
 	}

+	if v, ok := d.GetOk("security_opts"); ok {
+		hostConfig.SecurityOpt = stringSetToStringSlice(v.(*schema.Set))
+	}
+
 	if v, ok := d.GetOk("memory"); ok {
 		hostConfig.Memory = int64(v.(int)) * 1024 * 1024
 	}
@ -618,6 +622,7 @@ func resourceDockerContainerRead(d *schema.ResourceData, meta interface{}) error
 	d.Set("user", container.Config.User)
 	d.Set("dns", container.HostConfig.DNS)
 	d.Set("dns_opts", container.HostConfig.DNSOptions)
+	d.Set("security_opts", container.HostConfig.SecurityOpt)
 	d.Set("dns_search", container.HostConfig.DNSSearch)
 	d.Set("publish_all_ports", container.HostConfig.PublishAllPorts)
 	d.Set("restart", container.HostConfig.RestartPolicy.Name)
--- a/docker/resource_docker_container_test.go
+++ b/docker/resource_docker_container_test.go
@ -1879,6 +1879,8 @@ resource "docker_container" "foo" {
 		drop = ["SYS_ADMIN"]
 	}

+	security_opts = ["apparmor=unconfined", "label=disable"]
+
 	dns = ["8.8.8.8"]
 	dns_opts = ["rotate"]
 	dns_search = ["example.com"]
--- a/website/docs/r/container.html.markdown
+++ b/website/docs/r/container.html.markdown
@ -76,6 +76,7 @@ data is stored in them. See [the docker documentation](https://docs.docker.com/n
  kept running. If false, then as long as the container exists, Terraform
  assumes it is successful.
 * `capabilities` - (Optional, block) See [Capabilities](#capabilities-1) below for details.
+* `security_opts` - (Optional, set of strings) Set of string values to customize labels for MLS systems, such as SELinux. See https://docs.docker.com/engine/reference/run/#security-configuration.
 * `mounts` - (Optional, set of blocks) See [Mounts](#mounts-1) below for details.
 * `tmpfs` - (Optional, map) A map of container directories which should be replaced by `tmpfs mounts`, and their corresponding mount options.
 * `ports` - (Optional, block) See [Ports](#ports-1) below for details.