Merge pull request #3 from aidy/issuance

aidy · web-flow · commit 2a7b93c2e986 · 2024-11-19T10:26:45.000Z
Add support for jwks service accounts
diff --git a/docs/resources/service_account.md b/docs/resources/service_account.md
@@ -17,12 +17,20 @@ description: |-
 
 ### Required
 
-- `credential_lifetime` (Number)
 - `name` (String)
 - `owner` (String)
-- `public_key` (String)
 - `scopes` (Set of String)
 
+### Optional
+
+- `applications` (Set of String)
+- `audience` (String)
+- `credential_lifetime` (Number)
+- `issuer_url` (String)
+- `jwks_uri` (String)
+- `public_key` (String)
+- `subject` (String)
+
 ### Read-Only
 
 - `id` (String) The ID of this resource.
diff --git a/internal/provider/service_account_resource.go b/internal/provider/service_account_resource.go
@@ -49,16 +49,29 @@ func (r *serviceAccountResource) Schema(_ context.Context, _ resource.SchemaRequ
 				Required:    true,
 				ElementType: types.StringType,
 			},
+			// Agent service account
 			"public_key": schema.StringAttribute{
-				Required: true,
+				Optional: true,
 			},
-			/*
-				"privateKey": schema.StringAttribute{
-					Required: true,
-				},
-			*/
 			"credential_lifetime": schema.Int32Attribute{
-				Required: true,
+				Optional: true,
+			},
+			// Issuer service account (jwks)
+			"jwks_uri": schema.StringAttribute{
+				Optional: true,
+			},
+			"issuer_url": schema.StringAttribute{
+				Optional: true,
+			},
+			"audience": schema.StringAttribute{
+				Optional: true,
+			},
+			"subject": schema.StringAttribute{
+				Optional: true,
+			},
+			"applications": schema.SetAttribute{
+				Optional:    true,
+				ElementType: types.StringType,
 			},
 		},
 	}
@@ -84,13 +97,17 @@ func (r *serviceAccountResource) Configure(_ context.Context, req resource.Confi
 }
 
 type serviceAccountResourceModel struct {
-	ID        types.String   `tfsdk:"id"`
-	Name      types.String   `tfsdk:"name"`
-	Owner     types.String   `tfsdk:"owner"`
-	Scopes    []types.String `tfsdk:"scopes"`
-	PublicKey types.String   `tfsdk:"public_key"`
-	//PrivateKey         types.String   `tfsdk:"privateKey"`
-	CredentialLifetime types.Int32 `tfsdk:"credential_lifetime"`
+	ID                 types.String   `tfsdk:"id"`
+	Name               types.String   `tfsdk:"name"`
+	Owner              types.String   `tfsdk:"owner"`
+	Scopes             []types.String `tfsdk:"scopes"`
+	PublicKey          types.String   `tfsdk:"public_key"`
+	CredentialLifetime types.Int32    `tfsdk:"credential_lifetime"`
+	JwksURI            types.String   `tfsdk:"jwks_uri"`
+	IssuerURL          types.String   `tfsdk:"issuer_url"`
+	Audience           types.String   `tfsdk:"audience"`
+	Subject            types.String   `tfsdk:"subject"`
+	Applications       []types.String `tfsdk:"applications"`
 }
 
 func (r *serviceAccountResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
@@ -106,12 +123,48 @@ func (r *serviceAccountResource) Create(ctx context.Context, req resource.Create
 	}
 
 	serviceAccount := tlspc.ServiceAccount{
-		Name:               plan.Name.ValueString(),
-		Owner:              plan.Owner.ValueString(),
-		Scopes:             scopes,
-		PublicKey:          plan.PublicKey.ValueString(),
-		CredentialLifetime: plan.CredentialLifetime.ValueInt32(),
-		AuthenticationType: "rsaKey",
+		Name:   plan.Name.ValueString(),
+		Owner:  plan.Owner.ValueString(),
+		Scopes: scopes,
+	}
+
+	configured := false
+	// Agent type
+	if plan.PublicKey.ValueString() != "" || plan.CredentialLifetime.ValueInt32() > 0 {
+		serviceAccount.PublicKey = plan.PublicKey.ValueString()
+		serviceAccount.CredentialLifetime = plan.CredentialLifetime.ValueInt32()
+		serviceAccount.AuthenticationType = "rsaKey"
+		configured = true
+	}
+
+	// Issuer type
+	if plan.JwksURI.ValueString() != "" || plan.IssuerURL.ValueString() != "" || plan.Audience.ValueString() != "" || plan.Subject.ValueString() != "" || len(plan.Applications) > 0 {
+		if serviceAccount.AuthenticationType == "rsaKey" {
+			resp.Diagnostics.AddError(
+				"Error creating serviceAccount",
+				"Could not create serviceAccount, invalid configuration (both public_key and jwks fields present)",
+			)
+			return
+		}
+		serviceAccount.JwksURI = plan.JwksURI.ValueString()
+		serviceAccount.IssuerURL = plan.IssuerURL.ValueString()
+		serviceAccount.Audience = plan.Audience.ValueString()
+		serviceAccount.Subject = plan.Subject.ValueString()
+		serviceAccount.AuthenticationType = "rsaKeyFederated"
+
+		apps := []string{}
+		for _, v := range plan.Applications {
+			apps = append(apps, v.ValueString())
+		}
+		serviceAccount.Applications = apps
+		configured = true
+	}
+	if !configured {
+		resp.Diagnostics.AddError(
+			"Error creating serviceAccount",
+			"Could not create serviceAccount, invalid configuration (neither public_key or jwks fields present)",
+		)
+		return
 	}
 
 	created, err := r.client.CreateServiceAccount(serviceAccount)
@@ -180,13 +233,49 @@ func (r *serviceAccountResource) Update(ctx context.Context, req resource.Update
 	}
 
 	serviceAccount := tlspc.ServiceAccount{
-		ID:                 state.ID.ValueString(),
-		Name:               plan.Name.ValueString(),
-		Owner:              plan.Owner.ValueString(),
-		Scopes:             scopes,
-		PublicKey:          plan.PublicKey.ValueString(),
-		CredentialLifetime: plan.CredentialLifetime.ValueInt32(),
-		AuthenticationType: "rsaKey",
+		ID:     state.ID.ValueString(),
+		Name:   plan.Name.ValueString(),
+		Owner:  plan.Owner.ValueString(),
+		Scopes: scopes,
+	}
+
+	configured := false
+	// Agent type
+	if plan.PublicKey.ValueString() != "" || plan.CredentialLifetime.ValueInt32() > 0 {
+		serviceAccount.PublicKey = plan.PublicKey.ValueString()
+		serviceAccount.CredentialLifetime = plan.CredentialLifetime.ValueInt32()
+		serviceAccount.AuthenticationType = "rsaKey"
+		configured = true
+	}
+
+	// Issuer type
+	if plan.JwksURI.ValueString() != "" || plan.IssuerURL.ValueString() != "" || plan.Audience.ValueString() != "" || plan.Subject.ValueString() != "" || len(plan.Applications) > 0 {
+		if serviceAccount.AuthenticationType == "rsaKey" {
+			resp.Diagnostics.AddError(
+				"Error creating serviceAccount",
+				"Could not create serviceAccount, invalid configuration (both public_key and jwks fields present)",
+			)
+			return
+		}
+		serviceAccount.JwksURI = plan.JwksURI.ValueString()
+		serviceAccount.IssuerURL = plan.IssuerURL.ValueString()
+		serviceAccount.Audience = plan.Audience.ValueString()
+		serviceAccount.Subject = plan.Subject.ValueString()
+		serviceAccount.AuthenticationType = "rsaKeyFederated"
+
+		apps := []string{}
+		for _, v := range plan.Applications {
+			apps = append(apps, v.ValueString())
+		}
+		serviceAccount.Applications = apps
+		configured = true
+	}
+	if !configured {
+		resp.Diagnostics.AddError(
+			"Error creating serviceAccount",
+			"Could not create serviceAccount, invalid configuration (neither public_key or jwks fields present)",
+		)
+		return
 	}
 
 	err := r.client.UpdateServiceAccount(serviceAccount)
diff --git a/internal/tlspc/tlspc.go b/internal/tlspc/tlspc.go
@@ -85,7 +85,7 @@ func (c *Client) GetUser(email string) (*User, error) {
 	var users Users
 	err = json.Unmarshal(body, &users)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(body))
 	}
 	if len(users.Users) != 1 {
 		return nil, fmt.Errorf("Unexpected number of users returned (%d)", len(users.Users))
@@ -122,7 +122,7 @@ func (c *Client) CreateTeam(team Team) (*Team, error) {
 	var created Team
 	err = json.Unmarshal(respBody, &created)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if created.ID == "" {
 		return nil, fmt.Errorf("Didn't create a team; response was: %s", string(respBody))
@@ -146,7 +146,7 @@ func (c *Client) GetTeam(id string) (*Team, error) {
 	var team Team
 	err = json.Unmarshal(respBody, &team)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if team.ID == "" {
 		return nil, fmt.Errorf("Didn't find a Team; response was: %s", string(respBody))
@@ -191,7 +191,7 @@ func (c *Client) UpdateTeam(team Team) (*Team, error) {
 	var updated Team
 	err = json.Unmarshal(respBody, &updated)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if updated.ID == "" {
 		return nil, fmt.Errorf("Didn't get a Team ID; response was: %s", string(respBody))
@@ -227,7 +227,7 @@ func (c *Client) AddTeamOwners(id string, owners []string) (*Team, error) {
 	var updated Team
 	err = json.Unmarshal(respBody, &updated)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if updated.ID == "" {
 		return nil, fmt.Errorf("Didn't get a Team ID; response was: %s", string(respBody))
@@ -259,7 +259,7 @@ func (c *Client) RemoveTeamOwners(id string, owners []string) (*Team, error) {
 	var updated Team
 	err = json.Unmarshal(respBody, &updated)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if updated.ID == "" {
 		return nil, fmt.Errorf("Didn't get a Team ID; response was: %s", string(respBody))
@@ -291,11 +291,16 @@ type ServiceAccount struct {
 	Name               string   `json:"name"`
 	Owner              string   `json:"owner"`
 	Scopes             []string `json:"scopes"`
-	CredentialLifetime int32    `json:"credentialLifetime"`
-	PublicKey          string   `json:"publicKey"`
-	AuthenticationType string   `json:"authenticationType"`
-	OciAccountName     string   `json:"ociAccountName"`
-	OciRegistryToken   string   `json:"ociRegistryToken"`
+	CredentialLifetime int32    `json:"credentialLifetime,omitempty"`
+	PublicKey          string   `json:"publicKey,omitempty"`
+	AuthenticationType string   `json:"authenticationType,omitempty"`
+	OciAccountName     string   `json:"ociAccountName,omitempty"`
+	OciRegistryToken   string   `json:"ociRegistryToken,omitempty"`
+	JwksURI            string   `json:"jwksURI,omitempty"`
+	IssuerURL          string   `json:"issuerURL,omitempty"`
+	Audience           string   `json:"audience,omitempty"`
+	Subject            string   `json:"subject,omitempty"`
+	Applications       []string `json:"applications,omitempty"`
 }
 
 func (c *Client) CreateServiceAccount(sa ServiceAccount) (*ServiceAccount, error) {
@@ -318,7 +323,7 @@ func (c *Client) CreateServiceAccount(sa ServiceAccount) (*ServiceAccount, error
 	var created ServiceAccount
 	err = json.Unmarshal(respBody, &created)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if created.ID == "" {
 		return nil, fmt.Errorf("Didn't create a service account; response was: %s", string(respBody))
@@ -342,7 +347,7 @@ func (c *Client) GetServiceAccount(id string) (*ServiceAccount, error) {
 	var sa ServiceAccount
 	err = json.Unmarshal(respBody, &sa)
 	if err != nil {
-		return nil, fmt.Errorf("Error decoding response: %s", err)
+		return nil, fmt.Errorf("Error decoding response: %s", string(respBody))
 	}
 	if sa.ID == "" {
 		return nil, fmt.Errorf("Didn't find a Service Account; response was: %s", string(respBody))
