CID-517 - Add child_org_id to Batch Update Enterprise Group Role Bindings (#664)

Support role bindings for enterprise groups

Author: oskarwojciski

castai/resource_enterprise_role_binding.go

@@ -417,7 +417,7 @@ func buildBatchCreateRoleBindingRequest(data *schema.ResourceData, enterpriseID
 		return nil, fmt.Errorf("reading role binding data: %w", err)
 	}
 
-	definition := buildRoleBindingDefinition(roleBinding)
+	definition := buildRoleBindingDefinition(roleBinding, enterpriseID)
 
 	request := organization_management.BatchCreateEnterpriseRoleBindingsRequest{
 		EnterpriseId: enterpriseID,
@@ -442,7 +442,7 @@ func buildBatchUpdateRoleBindingRequest(data *schema.ResourceData, enterpriseID,
 		return nil, fmt.Errorf("reading role binding data: %w", err)
 	}
 
-	definition := buildRoleBindingDefinition(roleBinding)
+	definition := buildRoleBindingDefinition(roleBinding, enterpriseID)
 
 	request := organization_management.BatchUpdateEnterpriseRoleBindingsRequest{
 		EnterpriseId: enterpriseID,
@@ -460,14 +460,20 @@ func buildBatchUpdateRoleBindingRequest(data *schema.ResourceData, enterpriseID,
 	return &request, nil
 }
 
-func buildRoleBindingDefinition(roleBinding EnterpriseRoleBinding) organization_management.RoleBindingDefinition {
+func buildRoleBindingDefinition(roleBinding EnterpriseRoleBinding, enterpriseID string) organization_management.RoleBindingDefinition {
 	subjects := convertEnterpriseRoleBindingSubjectsToSDK(roleBinding.Subjects)
 	scopes := convertEnterpriseRoleBindingScopesToSDK(roleBinding.Scopes)
 
 	definition := organization_management.RoleBindingDefinition{
 		RoleId: lo.ToPtr(roleBinding.RoleID),
 	}
 
+	// When the role binding targets a child organization, set ChildOrganizationId so the
+	// API validates role_id against the child org's roles instead of the enterprise's roles.
+	if roleBinding.OrganizationID != enterpriseID {
+		definition.ChildOrganizationId = lo.ToPtr(roleBinding.OrganizationID)
+	}
+
 	if len(subjects) > 0 {
 		definition.Subjects = &subjects
 	}

castai/resource_enterprise_role_binding_test.go

@@ -129,7 +129,8 @@ func TestResourceEnterpriseRoleBindingCreateContext(t *testing.T) {
 						Name:        "engineering-viewer",
 						Description: lo.ToPtr("Engineering viewer role binding"),
 						Definition: organization_management.RoleBindingDefinition{
-							RoleId: lo.ToPtr(roleID),
+							RoleId:              lo.ToPtr(roleID),
+							ChildOrganizationId: lo.ToPtr(organizationID1),
 							Subjects: &[]organization_management.Subject{
 								{
 									User: &organization_management.UserSubject{
@@ -511,6 +512,121 @@ func TestResourceEnterpriseRoleBindingCreateContext(t *testing.T) {
 		r.True(result.HasError())
 		r.Contains(result[0].Summary, "at least one scope (organization or cluster) must be defined")
 	})
+
+	t.Run("when organization_id differs from enterprise_id then ChildOrganizationId is set in definition", func(t *testing.T) {
+		t.Parallel()
+		r := require.New(t)
+		mockClient := mockOrganizationManagement.NewMockClientWithResponsesInterface(gomock.NewController(t))
+
+		ctx := context.Background()
+		provider := &ProviderConfig{
+			organizationManagementClient: mockClient,
+		}
+
+		enterpriseID := uuid.NewString()
+		childOrgID := uuid.NewString() // different from enterpriseID
+		roleBindingID := uuid.NewString()
+		roleID := uuid.NewString()
+		userID := uuid.NewString()
+
+		expectedCreateRequest := organization_management.BatchCreateEnterpriseRoleBindingsRequest{
+			EnterpriseId: enterpriseID,
+			Requests: []organization_management.BatchCreateEnterpriseRoleBindingsRequestCreateRoleBindingRequest{
+				{
+					OrganizationId: childOrgID,
+					RoleBinding: organization_management.BatchCreateEnterpriseRoleBindingsRequestRoleBinding{
+						Name:        "child-org-binding",
+						Description: lo.ToPtr(""),
+						Definition: organization_management.RoleBindingDefinition{
+							RoleId:              lo.ToPtr(roleID),
+							ChildOrganizationId: lo.ToPtr(childOrgID),
+							Subjects: &[]organization_management.Subject{
+								{
+									User: &organization_management.UserSubject{Id: userID},
+								},
+							},
+							Scopes: &[]organization_management.Scope{
+								{
+									Organization: &organization_management.OrganizationScope{Id: childOrgID},
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		mockClient.EXPECT().
+			EnterpriseAPIBatchCreateEnterpriseRoleBindingsWithResponse(gomock.Any(), enterpriseID, expectedCreateRequest).
+			Return(&organization_management.EnterpriseAPIBatchCreateEnterpriseRoleBindingsResponse{
+				Body:         nil,
+				HTTPResponse: &http.Response{StatusCode: http.StatusOK},
+				JSON200: &organization_management.BatchCreateEnterpriseRoleBindingsResponse{
+					RoleBindings: &[]organization_management.RoleBinding{
+						{
+							Id:             lo.ToPtr(roleBindingID),
+							Name:           lo.ToPtr("child-org-binding"),
+							OrganizationId: lo.ToPtr(childOrgID),
+							Definition: &organization_management.RoleBindingDefinition{
+								RoleId:              lo.ToPtr(roleID),
+								ChildOrganizationId: lo.ToPtr(childOrgID),
+								Subjects: &[]organization_management.Subject{
+									{User: &organization_management.UserSubject{Id: userID}},
+								},
+								Scopes: &[]organization_management.Scope{
+									{Organization: &organization_management.OrganizationScope{Id: childOrgID}},
+								},
+							},
+						},
+					},
+				},
+			}, nil)
+
+		stateValue := cty.ObjectVal(map[string]cty.Value{
+			FieldEnterpriseRoleBindingEnterpriseID:   cty.StringVal(enterpriseID),
+			FieldEnterpriseRoleBindingOrganizationID: cty.StringVal(childOrgID),
+			FieldEnterpriseRoleBindingName:           cty.StringVal("child-org-binding"),
+			FieldEnterpriseRoleBindingDescription:    cty.StringVal(""),
+			FieldEnterpriseRoleBindingRoleID:         cty.StringVal(roleID),
+			FieldEnterpriseRoleBindingSubjects: cty.ListVal([]cty.Value{
+				cty.ObjectVal(map[string]cty.Value{
+					FieldEnterpriseRoleBindingSubjectUser: cty.ListVal([]cty.Value{
+						cty.ObjectVal(map[string]cty.Value{
+							FieldEnterpriseRoleBindingSubjectID: cty.StringVal(userID),
+						}),
+					}),
+					FieldEnterpriseRoleBindingSubjectServiceAccount: cty.ListValEmpty(cty.Object(map[string]cty.Type{
+						FieldEnterpriseRoleBindingSubjectID: cty.String,
+					})),
+					FieldEnterpriseRoleBindingSubjectGroup: cty.ListValEmpty(cty.Object(map[string]cty.Type{
+						FieldEnterpriseRoleBindingSubjectID: cty.String,
+					})),
+				}),
+			}),
+			FieldEnterpriseRoleBindingScopes: cty.ListVal([]cty.Value{
+				cty.ObjectVal(map[string]cty.Value{
+					FieldEnterpriseRoleBindingScopeOrganization: cty.ListVal([]cty.Value{
+						cty.ObjectVal(map[string]cty.Value{
+							FieldEnterpriseRoleBindingScopeID: cty.StringVal(childOrgID),
+						}),
+					}),
+					FieldEnterpriseRoleBindingScopeCluster: cty.ListValEmpty(cty.Object(map[string]cty.Type{
+						FieldEnterpriseRoleBindingScopeID: cty.String,
+					})),
+				}),
+			}),
+		})
+		state := terraform.NewInstanceStateShimmedFromValue(stateValue, 0)
+
+		resource := resourceEnterpriseRoleBinding()
+		data := resource.Data(state)
+
+		result := resource.CreateContext(ctx, data, provider)
+
+		r.Nil(result)
+		r.False(result.HasError())
+		r.Equal(roleBindingID, data.Id())
+	})
 }
 
 func TestResourceEnterpriseRoleBindingReadContext(t *testing.T) {
@@ -982,7 +1098,8 @@ func TestResourceEnterpriseRoleBindingUpdateContext(t *testing.T) {
 					OrganizationId: organizationID,
 					Description:    lo.ToPtr("Updated description"),
 					Definition: organization_management.RoleBindingDefinition{
-						RoleId: lo.ToPtr(newRoleID),
+						RoleId:              lo.ToPtr(newRoleID),
+						ChildOrganizationId: lo.ToPtr(organizationID),
 						Subjects: &[]organization_management.Subject{
 							{
 								User: &organization_management.UserSubject{
@@ -1238,7 +1355,8 @@ func TestResourceEnterpriseRoleBindingUpdateContext(t *testing.T) {
 					OrganizationId: organizationID,
 					Description:    lo.ToPtr("Test description"),
 					Definition: organization_management.RoleBindingDefinition{
-						RoleId: lo.ToPtr(roleID),
+						RoleId:              lo.ToPtr(roleID),
+						ChildOrganizationId: lo.ToPtr(organizationID),
 						Subjects: &[]organization_management.Subject{
 							{
 								User: &organization_management.UserSubject{
@@ -1419,7 +1537,8 @@ func TestResourceEnterpriseRoleBindingUpdateContext(t *testing.T) {
 					OrganizationId: organizationID,
 					Description:    lo.ToPtr("Test description"),
 					Definition: organization_management.RoleBindingDefinition{
-						RoleId: lo.ToPtr(roleID),
+						RoleId:              lo.ToPtr(roleID),
+						ChildOrganizationId: lo.ToPtr(organizationID),
 						Subjects: &[]organization_management.Subject{
 							{
 								User: &organization_management.UserSubject{

castai/resource_omni_cluster.go

@@ -124,7 +124,7 @@ func (r *omniClusterResource) Read(ctx context.Context, req resource.ReadRequest
 	organizationID := state.OrganizationID.ValueString()
 	clusterID := state.ID.ValueString()
 
-	apiResp, err := client.ClustersAPIGetClusterWithResponse(ctx, organizationID, clusterID)
+	apiResp, err := client.ClustersAPIGetClusterWithResponse(ctx, organizationID, clusterID, nil)
 	if err != nil {
 		resp.Diagnostics.AddError("Failed to read omni cluster", err.Error())
 		return

castai/resource_omni_cluster_test.go

@@ -45,7 +45,7 @@ func testAccCheckOmniClusterDestroy(s *terraform.State) error {
 		organizationID := rs.Primary.Attributes["organization_id"]
 		clusterID := rs.Primary.ID
 
-		response, err := client.ClustersAPIGetClusterWithResponse(ctx, organizationID, clusterID)
+		response, err := client.ClustersAPIGetClusterWithResponse(ctx, organizationID, clusterID, nil)
 		if err != nil {
 			return err
 		}