SUMO-192164: Setting FGP on Objects through terraform (#397)

Srujana-Srujana · web-flow · commit b5e9830af633 · 2022-07-25T09:29:31.000-07:00
* SUMO-192164: Setting Permissions on Objects through terraform

* SUMO-192164: Adding error code

* SUMO-192164: Addressing review comments

* SUMO-192164: modifying documentation

* SUMO-192164: indentation
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@ FEATURES:
 * **New Resource:** sumologic_cse_entity_entity_group_configuration (GH-376)
 * **New Resource:** sumologic_cse_inventory_entity_group_configuration (GH-376)
 
+* Add new optional `obj_permission` set to resource/sumologic_monitor for Fine Grain Permission (FGP) support (GH-397)
+
 ## 2.16.2 (June 12, 2022)
 
 BUG FIXES:
diff --git a/sumologic/resource_sumologic_monitors_library_monitor.go b/sumologic/resource_sumologic_monitors_library_monitor.go
@@ -353,6 +353,8 @@ func resourceSumologicMonitorsLibraryMonitor() *schema.Resource {
 				Optional:     true,
 				ValidateFunc: validation.StringLenBetween(1, 512),
 			},
+
+			"obj_permission": GetCmfFgpObjPermSetSchema(),
 		},
 	}
 }
@@ -569,6 +571,16 @@ func resourceSumologicMonitorsLibraryMonitorCreate(d *schema.ResourceData, meta
 			return err
 		}
 
+		permStmts, convErr := ResourceToCmfFgpPermStmts(d, monitorDefinitionID)
+		if convErr != nil {
+			return convErr
+		}
+		_, fgpErr := c.SetCmfFgp(fgpTargetType, CmfFgpRequest{
+			PermissionStatements: permStmts,
+		})
+		if fgpErr != nil {
+			return fgpErr
+		}
 		d.SetId(monitorDefinitionID)
 	}
 	return resourceSumologicMonitorsLibraryMonitorRead(d, meta)
@@ -588,6 +600,18 @@ func resourceSumologicMonitorsLibraryMonitorRead(d *schema.ResourceData, meta in
 		return nil
 	}
 
+	fgpResponse, fgpErr := c.GetCmfFgp(fgpTargetType, monitor.ID)
+	if fgpErr != nil {
+		suppressedErrorCode := HasErrorCode(fgpErr.Error(), []string{"not_implemented_yet", "api_not_enabled"})
+		if suppressedErrorCode == "" {
+			return fgpErr
+		} else {
+			log.Printf("[WARN] FGP Feature has not been enabled yet. Suppressing \"%s\" error under GetCmfFgp operation.", suppressedErrorCode)
+		}
+	} else {
+		CmfFgpPermStmtsSetToResource(d, fgpResponse.PermissionStatements)
+	}
+
 	d.Set("created_by", monitor.CreatedBy)
 	d.Set("created_at", monitor.CreatedAt)
 	d.Set("monitor_type", monitor.MonitorType)
@@ -715,6 +739,43 @@ func resourceSumologicMonitorsLibraryMonitorUpdate(d *schema.ResourceData, meta
 	if err != nil {
 		return err
 	}
+
+	// converting Resource FGP to Struct
+	permStmts, convErr := ResourceToCmfFgpPermStmts(d, monitor.ID)
+	if convErr != nil {
+		return convErr
+	}
+
+	// reading FGP from Backend to reconcile
+	fgpGetResponse, fgpGetErr := c.GetCmfFgp(fgpTargetType, monitor.ID)
+	if fgpGetErr != nil {
+		/*
+		   |errCode         |  len  | logic                   |
+		   |--------------------------------------------------|
+		   |server_error    |   0   | return err at Get       |
+		   |server_error    |   1   | warn; return err at Set |
+		   |not_enabled     |   0   | warn                    |
+		   |not_enabled     |   1   | warn; return err at Set |
+		*/
+		suppressedErrorCode := HasErrorCode(fgpGetErr.Error(), []string{"not_implemented_yet", "api_not_enabled"})
+		if suppressedErrorCode == "" && len(permStmts) == 0 {
+			return fgpGetErr
+		} else {
+			log.Printf("[WARN] FGP Feature has not been enabled yet. Suppressing \"%s\" error under GetCmfFgp operation.", suppressedErrorCode)
+		}
+	}
+
+	if len(permStmts) > 0 || fgpGetResponse != nil {
+		_, fgpSetErr := c.SetCmfFgp(fgpTargetType, CmfFgpRequest{
+			PermissionStatements: ReconcileFgpPermStmtsWithEmptyPerms(
+				permStmts, fgpGetResponse.PermissionStatements,
+			),
+		})
+		if fgpSetErr != nil {
+			return fgpSetErr
+		}
+	}
+
 	updatedMonitor := resourceSumologicMonitorsLibraryMonitorRead(d, meta)
 
 	return updatedMonitor
diff --git a/sumologic/resource_sumologic_monitors_library_monitor_test.go b/sumologic/resource_sumologic_monitors_library_monitor_test.go
@@ -212,6 +212,8 @@ func TestAccSumologicMonitorsLibraryMonitor_create(t *testing.T) {
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "triggers.0.time_range", testTriggers[0].TimeRange),
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "notifications.0.notification.0.connection_type", testNotifications[0].Notification.(EmailNotification).ConnectionType),
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "alert_name", testAlertName),
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "obj_permission.#", "2"),
+					testAccCheckMonitorsLibraryMonitorFGPBackend("sumologic_monitor.test", t, genExpectedPermStmtsMonitor),
 				),
 			},
 		},
@@ -390,6 +392,8 @@ func TestAccSumologicMonitorsLibraryMonitor_update(t *testing.T) {
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "notifications.0.notification.0.connection_type", testNotifications[0].Notification.(EmailNotification).ConnectionType),
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "playbook", testPlaybook),
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "alert_name", testAlertName),
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "obj_permission.#", "2"),
+					testAccCheckMonitorsLibraryMonitorFGPBackend("sumologic_monitor.test", t, genExpectedPermStmtsMonitor),
 				),
 			},
 			{
@@ -408,6 +412,61 @@ func TestAccSumologicMonitorsLibraryMonitor_update(t *testing.T) {
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "notifications.0.notification.0.connection_type", testUpdatedNotifications[0].Notification.(EmailNotification).ConnectionType),
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "playbook", testUpdatedPlaybook),
 					resource.TestCheckResourceAttr("sumologic_monitor.test", "alert_name", testUpdatedAlertName),
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "obj_permission.#", "1"),
+					// 1, instead of 2
+					testAccCheckMonitorsLibraryMonitorFGPBackend("sumologic_monitor.test", t, genExpectedPermStmtsForMonitorUpdate),
+				),
+			},
+		},
+	})
+}
+
+func TestAccSumologicMonitorsLibraryMonitor_driftingCorrectionFGP(t *testing.T) {
+	var monitorsLibraryMonitor MonitorsLibraryMonitor
+	testNameSuffix := acctest.RandString(16)
+	tfResourceKey := "sumologic_monitor.test"
+	testName := "terraform_test_monitor_" + testNameSuffix
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckMonitorsLibraryMonitorDestroy(monitorsLibraryMonitor),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSumologicMonitorsLibraryMonitor(testNameSuffix),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckMonitorsLibraryMonitorExists(tfResourceKey, &monitorsLibraryMonitor, t),
+					testAccCheckMonitorsLibraryMonitorAttributes(tfResourceKey),
+
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "name", testName),
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "description",
+						"terraform_test_monitor_description"),
+
+					resource.TestCheckResourceAttr("sumologic_monitor.test",
+						"obj_permission.#", "2"),
+					testAccCheckMonitorsLibraryMonitorFGPBackend(tfResourceKey, t, genExpectedPermStmtsMonitor),
+					// Emulating Drifting at the Backend
+					testAccEmulateFGPDriftingMonitor(t),
+				),
+				// "After applying this step and refreshing, the plan was not empty"
+				// Non-Empty Plan would occur, after the above step that emulates FGP drifting
+				ExpectNonEmptyPlan: true,
+			},
+			// the following Test Step emulates running "terraform apply" again.
+			// This step would detect and correct Drifting
+			{
+				Config: testAccSumologicMonitorsLibraryMonitor(testNameSuffix),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckMonitorsLibraryMonitorExists(tfResourceKey, &monitorsLibraryMonitor, t),
+					testAccCheckMonitorsLibraryMonitorAttributes(tfResourceKey),
+
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "name", testName),
+					resource.TestCheckResourceAttr("sumologic_monitor.test", "description",
+						"terraform_test_monitor_description"),
+
+					resource.TestCheckResourceAttr("sumologic_monitor.test",
+						"obj_permission.#", "2"),
+					testAccCheckMonitorsLibraryFolderFGPBackend(tfResourceKey, t, genExpectedPermStmtsMonitor),
 				),
 			},
 		},
@@ -523,7 +582,44 @@ resource "sumologic_monitor" "test" {
 	  }
 	playbook = "This is a test playbook"  
 	alert_name =  "Alert from {{Name}}"
-}`, testName)
+	obj_permission {
+        subject_type = "role"
+        subject_id = sumologic_role.tf_test_role_01.id
+        permissions = ["Read","Update","Delete"]
+    }
+    obj_permission {
+        subject_type = "role"
+        subject_id = sumologic_role.tf_test_role_02.id
+        permissions = ["Read"]
+    }
+}
+resource "sumologic_role" "tf_test_role_01" {
+	name        = "tf_test_role_01_%s"
+	description = "Testing resource sumologic_role"
+	capabilities = [
+		"viewAlerts",
+		"viewMonitorsV2",
+		"manageMonitorsV2"
+	]
+}
+resource "sumologic_role" "tf_test_role_02" {
+	name        = "tf_test_role_02_%s"
+	description = "Testing resource sumologic_role"
+	capabilities = [
+		"viewAlerts",
+		"viewMonitorsV2",
+		"manageMonitorsV2"
+	]
+}
+resource "sumologic_role" "tf_test_role_03" {
+	name        = "tf_test_role_03_%s"
+	description = "Testing resource sumologic_role"
+	capabilities = [
+		"viewAlerts",
+		"viewMonitorsV2",
+		"manageMonitorsV2"
+	]
+}`, testName, testName, testName, testName)
 }
 
 func testAccSumologicMonitorsLibraryMonitorUpdate(testName string) string {
@@ -570,7 +666,92 @@ resource "sumologic_monitor" "test" {
 	  }
 	playbook = "This is an updated test playbook"
 	alert_name = "Updated Alert from {{Name}}"
-}`, testName)
+		obj_permission {
+          subject_type = "role"
+          subject_id = sumologic_role.tf_test_role_01.id
+          permissions = ["Read","Update"]
+        }
+}
+resource "sumologic_role" "tf_test_role_01" {
+	name        = "tf_test_role_01_%s"
+	description = "Testing resource sumologic_role"
+	capabilities = [
+		"viewAlerts",
+		"viewMonitorsV2",
+		"manageMonitorsV2"
+	]
+}`, testName, testName)
+}
+
+func testAccEmulateFGPDriftingMonitor(
+	t *testing.T,
+	// expectedFGPFunc func(*terraform.State, string) ([]CmfFgpPermStatement, error),
+) resource.TestCheckFunc {
+
+	return func(s *terraform.State) error {
+
+		monitorTargetId, resIdErr := getResourceID(s, "sumologic_monitor.test")
+		if resIdErr != nil {
+			return resIdErr
+		}
+		role01Id, resIdErr := getResourceID(s, "sumologic_role.tf_test_role_01")
+		if resIdErr != nil {
+			return resIdErr
+		}
+		role02Id, resIdErr := getResourceID(s, "sumologic_role.tf_test_role_02")
+		if resIdErr != nil {
+			return resIdErr
+		}
+		role03Id, resIdErr := getResourceID(s, "sumologic_role.tf_test_role_03")
+		if resIdErr != nil {
+			return resIdErr
+		}
+
+		client := testAccProvider.Meta().(*Client)
+		expectedReadPermStmts := []CmfFgpPermStatement{
+			{SubjectType: "role", SubjectId: role01Id, TargetId: monitorTargetId,
+				Permissions: []string{"Read", "Update"}},
+			{SubjectType: "role", SubjectId: role03Id, TargetId: monitorTargetId,
+				Permissions: []string{"Read"}},
+		}
+		// using an empty Permissions array to achieve the effect of FGP Revocation
+		setFGPPermStmts := append(expectedReadPermStmts,
+			CmfFgpPermStatement{SubjectType: "role", SubjectId: role02Id, TargetId: monitorTargetId,
+				Permissions: []string{}})
+
+		_, setFgpErr := client.SetCmfFgp("monitors", CmfFgpRequest{
+			PermissionStatements: setFGPPermStmts})
+		if setFgpErr != nil {
+			return setFgpErr
+		}
+
+		readfgpResult, readFgpErr := client.GetCmfFgp("monitors", monitorTargetId)
+		if readFgpErr != nil {
+			return readFgpErr
+		}
+
+		var expectedPermStmts []CmfFgpPermStatement
+		expectedPermStmts = append(expectedPermStmts,
+			CmfFgpPermStatement{
+				SubjectId:   role01Id,
+				SubjectType: "role",
+				TargetId:    monitorTargetId,
+				Permissions: []string{"Read", "Update"},
+			},
+			CmfFgpPermStatement{
+				SubjectId:   role03Id,
+				SubjectType: "role",
+				TargetId:    monitorTargetId,
+				Permissions: []string{"Read"},
+			},
+		)
+
+		if !CmfFgpPermStmtSetEqual(readfgpResult.PermissionStatements, expectedPermStmts) {
+			return fmt.Errorf("Permission Statements are different:\n  %+v\n  %+v\n",
+				readfgpResult.PermissionStatements, expectedPermStmts)
+		}
+		return nil
+	}
 }
 
 func exampleMonitorWithTriggerCondition(
@@ -800,3 +981,81 @@ func exampleMetricsMissingDataTriggerCondition(triggerType string) TriggerCondit
 		DetectionMethod: "MetricsMissingDataCondition",
 	}
 }
+
+func genExpectedPermStmtsMonitor(s *terraform.State, targetId string) ([]CmfFgpPermStatement, error) {
+	role01Id, resIdErr := getResourceID(s, "sumologic_role.tf_test_role_01")
+	if resIdErr != nil {
+		return nil, resIdErr
+	}
+	role02Id, resIdErr := getResourceID(s, "sumologic_role.tf_test_role_02")
+	if resIdErr != nil {
+		return nil, resIdErr
+	}
+
+	var expectedPermStmts []CmfFgpPermStatement
+	expectedPermStmts = append(expectedPermStmts,
+		CmfFgpPermStatement{
+			SubjectId:   role01Id,
+			SubjectType: "role",
+			TargetId:    targetId,
+			Permissions: []string{"Read", "Update", "Delete"},
+		},
+		CmfFgpPermStatement{
+			SubjectId:   role02Id,
+			SubjectType: "role",
+			TargetId:    targetId,
+			Permissions: []string{"Read"},
+		},
+	)
+	return expectedPermStmts, nil
+}
+
+func genExpectedPermStmtsForMonitorUpdate(s *terraform.State, targetId string) ([]CmfFgpPermStatement, error) {
+	role01Id, resIdErr := getResourceID(s, "sumologic_role.tf_test_role_01")
+	if resIdErr != nil {
+		return nil, resIdErr
+	}
+
+	var expectedPermStmts []CmfFgpPermStatement
+	expectedPermStmts = append(expectedPermStmts,
+		CmfFgpPermStatement{
+			SubjectId:   role01Id,
+			SubjectType: "role",
+			TargetId:    targetId,
+			Permissions: []string{"Read", "Update"},
+		},
+	)
+	return expectedPermStmts, nil
+}
+
+func testAccCheckMonitorsLibraryMonitorFGPBackend(
+	name string,
+	t *testing.T,
+	expectedFGPFunc func(*terraform.State, string) ([]CmfFgpPermStatement, error),
+) resource.TestCheckFunc {
+
+	return func(s *terraform.State) error {
+		targetId, resIdErr := getResourceID(s, name)
+		if resIdErr != nil {
+			return resIdErr
+		}
+
+		expectedPermStmts, resIdErr := expectedFGPFunc(s, targetId)
+		if resIdErr != nil {
+			return resIdErr
+		}
+
+		client := testAccProvider.Meta().(*Client)
+
+		fgpResult, fgpErr := client.GetCmfFgp("monitors", targetId)
+		if fgpErr != nil {
+			return fgpErr
+		}
+
+		if !CmfFgpPermStmtSetEqual(fgpResult.PermissionStatements, expectedPermStmts) {
+			return fmt.Errorf("Permission Statements are different:\n  %+v\n  %+v\n",
+				fgpResult.PermissionStatements, expectedPermStmts)
+		}
+		return nil
+	}
+}
diff --git a/website/docs/r/monitor.html.markdown b/website/docs/r/monitor.html.markdown
