From 0bab7f1ab77d0ea640454d1365de2585c48a4c2c Mon Sep 17 00:00:00 2001 From: Emanuele Date: Fri, 28 Jul 2023 12:20:56 +0200 Subject: [PATCH] feat(teams) Add the ability to assign CustomRoles to users in teams (#383) * add custom role data source * add documentation * change from string to set * removed validation because it is done on BE side * update documentation * replace string with constants * update documentation * fixed typo in constants * use randomText instead of acctest.RandStringFromCharSet * validate errors while setting resource data * fix doc
---
sysdig/data_source_sysdig_custom_role.go | 83 +++++++++++++++++++ sysdig/data_source_sysdig_custom_role_test.go | 53 ++++++++++++ sysdig/provider.go | 1 + sysdig/resource_sysdig_monitor_team.go | 7 +- sysdig/resource_sysdig_secure_team.go | 8 +- website/docs/d/custom_role.md | 35 ++++++++ website/docs/r/monitor_team.md | 14 +++- website/docs/r/secure_team.md | 14 +++- 8 files changed, 202 insertions(+), 13 deletions(-) create mode 100644 sysdig/data_source_sysdig_custom_role.go create mode 100644 sysdig/data_source_sysdig_custom_role_test.go create mode 100644 website/docs/d/custom_role.md
diff --git a/sysdig/data_source_sysdig_custom_role.go b/sysdig/data_source_sysdig_custom_role.go
new file mode 100644
index 00000000..72e747db
--- /dev/null
+++ b/sysdig/data_source_sysdig_custom_role.go
@@ -0,0 +1,83 @@
+package sysdig
+
+import (
+ "context"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "strconv"
+ "time"
+)
+
+func dataSourceSysdigCustomRole() *schema.Resource {
+ timeout := 5 * time.Minute
+
+ return &schema.Resource{
+ ReadContext: dataSourceSysdigCustomRoleRead,
+
+ Timeouts: &schema.ResourceTimeout{
+ Read: schema.DefaultTimeout(timeout),
+ },
+
+ Schema: map[string]*schema.Schema{
+ SchemaNameKey: {
+ Type: schema.TypeString,
+ Required: true,
+ },
+ SchemaDescriptionKey: {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ SchemaMonitorPermKey: {
+ Type: schema.TypeSet,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ SchemaSecurePermKey: {
+ Type: schema.TypeSet,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ }
+}
+
+func dataSourceSysdigCustomRoleRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+ client, err := m.(SysdigClients).sysdigCommonClientV2()
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ name := d.Get(SchemaNameKey).(string)
+
+ customRole, err := client.GetCustomRoleByName(ctx, name)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ d.SetId(strconv.Itoa(customRole.ID))
+ err = d.Set(SchemaNameKey, customRole.Name)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ err = d.Set(SchemaDescriptionKey, customRole.Description)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ err = d.Set(SchemaMonitorPermKey, customRole.MonitorPermissions)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ err = d.Set(SchemaSecurePermKey, customRole.SecurePermissions)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ return nil
+}
diff --git a/sysdig/data_source_sysdig_custom_role_test.go b/sysdig/data_source_sysdig_custom_role_test.go
new file mode 100644
index 00000000..b0d40460
--- /dev/null
+++ b/sysdig/data_source_sysdig_custom_role_test.go
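Review bot: The new import block in data_source_sysdig_custom_role.go interleaves standard-library and third-party packages ("context", then the two terraform-plugin-sdk paths, then "strconv" and "time"), which goimports would regroup into a stdlib group and a blank-line-separated third-party group; the test file added in this same commit already uses that layout. Neither new function carries a leading comment; I would add `// dataSourceSysdigCustomRole defines the sysdig_custom_role data source: a required name, with description and permission sets computed from the API.` above the first and `// dataSourceSysdigCustomRoleRead looks the role up by name and uses its numeric ID, via strconv.Itoa, as the resource ID.` above the second. The unchecked `m.(SysdigClients)` assertion panics instead of returning a diagnostic if the provider meta is ever a different type; I assume the other data sources do the same, so it is only worth changing if they are changed together.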
@@ -0,0 +1,53 @@
+//go:build tf_acc_sysdig_monitor || tf_acc_sysdig_secure
+
+package sysdig_test
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+ "github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccCustomRoleDateSource(t *testing.T) {
+ rText := randomText(10)
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: preCheckAnyEnv(t, SysdigMonitorApiTokenEnv, SysdigSecureApiTokenEnv),
+ ProviderFactories: map[string]func() (*schema.Provider, error){
+ "sysdig": func() (*schema.Provider, error) {
+ return sysdig.Provider(), nil
+ },
+ },
+ Steps: []resource.TestStep{
+ {
+ Config: getCustomRole(rText),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckTypeSetElemAttr("data.sysdig_custom_role.custom", "monitor_permissions.*", "token.view"),
+ resource.TestCheckTypeSetElemAttr("data.sysdig_custom_role.custom", "monitor_permissions.*", "api-token.read"),
+ resource.TestCheckResourceAttr("data.sysdig_custom_role.custom", "secure_permissions.#", "0"),
+ ),
+ },
+ },
+ })
+}
+
+func getCustomRole(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_custom_role" "test" {
+ name = "%s"
+ description = "test"
+
+ permissions {
+ monitor_permissions = ["token.view", "api-token.read"]
+ }
+}
+data "sysdig_custom_role" "custom" {
+ depends_on = [sysdig_custom_role.test]
+ name = sysdig_custom_role.test.name
+}
+`, name)
+}
diff --git a/sysdig/provider.go b/sysdig/provider.go
index d3983c17..9f5d3d3d 100644
--- a/sysdig/provider.go
+++ b/sysdig/provider.go
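Review bot: The test function name `TestAccCustomRoleDateSource` misspells "DataSource"; rename it to `func TestAccCustomRoleDataSource(t *testing.T) {` so that `go test -run DataSource` and readers find it. The check list asserts the two monitor permissions and `secure_permissions.#` being `0` but never checks `description`, which the config fixes to the known value `"test"`; adding `resource.TestCheckResourceAttr("data.sysdig_custom_role.custom", "description", "test"),` would cover that attribute too, assuming SchemaDescriptionKey is `description` as the new docs page lists.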
@@ -174,6 +174,7 @@ func Provider() *schema.Provider {
 "sysdig_current_user": dataSourceSysdigCurrentUser(),
 "sysdig_user": dataSourceSysdigUser(),
 "sysdig_secure_connection": dataSourceSysdigSecureConnection(),
+ "sysdig_custom_role": dataSourceSysdigCustomRole(),
 "sysdig_fargate_workload_agent": dataSourceSysdigFargateWorkloadAgent(),
 "sysdig_monitor_notification_channel_pagerduty": dataSourceSysdigMonitorNotificationChannelPagerduty(),
diff --git a/sysdig/resource_sysdig_monitor_team.go b/sysdig/resource_sysdig_monitor_team.go
index 76b53076..1ff9fbd5 100644
--- a/sysdig/resource_sysdig_monitor_team.go
+++ b/sysdig/resource_sysdig_monitor_team.go
@@ -86,10 +86,9 @@ func resourceSysdigMonitorTeam() *schema.Resource {
 Required: true,
 },
 "role": {
- Type: schema.TypeString,
- Optional: true,
- Default: "ROLE_TEAM_STANDARD",
- ValidateFunc: validation.StringInSlice([]string{"ROLE_TEAM_STANDARD", "ROLE_TEAM_EDIT", "ROLE_TEAM_READ", "ROLE_TEAM_MANAGER"}, false),
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "ROLE_TEAM_STANDARD",
 },
 },
 },
diff --git a/sysdig/resource_sysdig_secure_team.go b/sysdig/resource_sysdig_secure_team.go
index 444a2d99..8b202ef7 100644
--- a/sysdig/resource_sysdig_secure_team.go
+++ b/sysdig/resource_sysdig_secure_team.go
@@ -9,7 +9,6 @@ import (
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 func resourceSysdigSecureTeam() *schema.Resource {
@@ -93,10 +92,9 @@ func resourceSysdigSecureTeam() *schema.Resource {
 },
 "role": {
- Type: schema.TypeString,
- Optional: true,
- Default: "ROLE_TEAM_STANDARD",
- ValidateFunc: validation.StringInSlice([]string{"ROLE_TEAM_STANDARD", "ROLE_TEAM_EDIT", "ROLE_TEAM_READ", "ROLE_TEAM_MANAGER"}, false),
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "ROLE_TEAM_STANDARD",
 },
 },
 },
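Review bot: Dropping `ValidateFunc` on `role` in the resource_sysdig_monitor_team.go hunk (and identically in the second resource_sysdig_secure_team.go hunk) removes all plan-time feedback: a mistyped constant or a non-numeric custom role reference is now rejected only at apply, by the backend, after the rest of the plan has started to execute. Since the new data source exposes the custom role ID as a decimal string (`strconv.Itoa(customRole.ID)`), the accepted set is still describable client-side as the four `ROLE_TEAM_*` constants or an all-digit ID, e.g. `ValidateFunc: validation.Any(validation.StringInSlice([]string{"ROLE_TEAM_STANDARD", "ROLE_TEAM_EDIT", "ROLE_TEAM_READ", "ROLE_TEAM_MANAGER"}, false), validation.StringMatch(regexp.MustCompile("^[0-9]+$"), "must be a ROLE_TEAM_* constant or a numeric custom role ID")),`. That keeps the `validation` import the secure_team.go import hunk removes, so that hunk would be reverted as well. If the intent is that the backend remains the sole authority on accepted values, a `Description` on the `role` schema stating that the value is validated server-side would at least document the change for users reading the schema.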
diff --git a/website/docs/d/custom_role.md b/website/docs/d/custom_role.md
new file mode 100644
index 00000000..f724aed5
--- /dev/null
+++ b/website/docs/d/custom_role.md
@@ -0,0 +1,35 @@
+---
+subcategory: "Sysdig Platform"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_custom_role"
+description: |-
+ Retrieves information about a custom role from the name
+---
+
+# Data Source: sysdig_custom_role
+
+Retrieves information about a custom role from the name.
+
+-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
+
+## Example Usage
+
+```terraform
+data "sysdig_custom_role" "custom_role" {
+ name = "CustomRoleName"
+}
+```
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The custom role's ID.
+
+* `name` - The custom role's name.
+
+* `description` - The custom role's description.
+
+* `monitor_permissions` - The custom role's monitor permissions.
+
+* `secure_permissions` - The custom role's secure permissions.
diff --git a/website/docs/r/monitor_team.md b/website/docs/r/monitor_team.md
index cfe737dd..b81d4c4b 100644
--- a/website/docs/r/monitor_team.md
+++ b/website/docs/r/monitor_team.md
@@ -31,10 +31,19 @@ resource "sysdig_monitor_team" "devops" {
 email = "john.doe@example.com"
 role = "ROLE_TEAM_STANDARD"
 }
+
+ user_roles {
+ email = "john.smith@example.com"
+ role = data.sysdig_custom_role.custom_role.id
+ }
 }
 data "sysdig_current_user" "me" {
 }
+
+data "sysdig_custom_role" "custom_role" {
+ name = "CustomRoleName"
+}
 ```
 ## Argument Reference
@@ -78,8 +87,9 @@ data "sysdig_current_user" "me" {
 * `email` - (Required) The email of the user in the group.
 * `role` - (Optional) The role for the user in this group.
- Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER.
- Default: ROLE_TEAM_STANDARD.
+ Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER or CustomRole ID.
+ Default: ROLE_TEAM_STANDARD.
+ Note: CustomRole ID can be referenced from `sysdig_custom_role` resource or `sysdig_custom_role` data source
 ## Attributes Reference
diff --git a/website/docs/r/secure_team.md b/website/docs/r/secure_team.md
index d924120c..cc0cc8ee 100644
--- a/website/docs/r/secure_team.md
+++ b/website/docs/r/secure_team.md
@@ -27,10 +27,19 @@ resource "sysdig_secure_team" "devops" {
 email = "john.doe@example.com"
 role = "ROLE_TEAM_STANDARD"
 }
+
+ user_roles {
+ email = "john.smith@example.com"
+ role = data.sysdig_custom_role.custom_role.id
+ }
 }
 data "sysdig_current_user" "me" {
 }
+
+data "sysdig_custom_role" "custom_role" {
+ name = "CustomRoleName"
+}
 ```
 ## Argument Reference
@@ -67,8 +76,9 @@ data "sysdig_current_user" "me" {
 * `email` - (Required) The email of the user in the group.
 * `role` - (Optional) The role for the user in this group.
- Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER.
- Default: ROLE_TEAM_STANDARD.
+ Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER or CustomRole ID.
+ Default: ROLE_TEAM_STANDARD.
+ Note: CustomRole ID can be referenced from `sysdig_custom_role` resource or `sysdig_custom_role` data source
 ## Attributes Reference