feat: Add secure CloudAccount resource (#111)

* add secure cloudAccount resource

* use correct json field

* correct query param, mark field as computed

* clear ID on read error

Author: nkraemer-sysdig

go.mod

@@ -6,13 +6,10 @@ require (
 	cloud.google.com/go v0.76.0 // indirect
 	cloud.google.com/go/storage v1.13.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
-	github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/aws/aws-sdk-go v1.37.10 // indirect
 	github.com/fatih/color v1.12.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637
 	github.com/hashicorp/go-hclog v0.16.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -24,7 +21,6 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.7.0
 	github.com/hashicorp/yamux v0.0.0-20210707203944-259a57b3608c // indirect
 	github.com/jmespath/go-jmespath v0.4.0
-	github.com/keybase/go-crypto v0.0.0-20161004153544-93f5b35093ba // indirect
 	github.com/klauspost/compress v1.11.7 // indirect
 	github.com/mattn/go-isatty v0.0.13 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect

go.sum

@@ -52,6 +52,11 @@ type SysdigSecureClient interface {
 	GetVulnerabilityExceptionByID(context.Context, string, string) (*VulnerabilityException, error)
 	DeleteVulnerabilityException(context.Context, string, string) error
 	UpdateVulnerabilityException(context.Context, string, *VulnerabilityException) (*VulnerabilityException, error)
+
+	CreateCloudAccount(context.Context, *CloudAccount) (*CloudAccount, error)
+	GetCloudAccountById(context.Context, string) (*CloudAccount, error)
+	DeleteCloudAccount(context.Context, string) error
+	UpdateCloudAccount(context.Context, string, *CloudAccount) (*CloudAccount, error)
 }
 
 func WithExtraHeaders(client SysdigSecureClient, extraHeaders map[string]string) SysdigSecureClient {

sysdig/internal/client/secure/client.go

@@ -0,0 +1,86 @@
+package secure
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+func (client *sysdigSecureClient) cloudAccountURL(includeExternalID bool) string {
+	if includeExternalID {
+		return fmt.Sprintf("%s/api/cloud/v2/accounts?includeExternalID=true", client.URL)
+	}
+	return fmt.Sprintf("%s/api/cloud/v2/accounts", client.URL)
+}
+
+func (client *sysdigSecureClient) cloudAccountByIdURL(accountID string, includeExternalID bool) string {
+	if includeExternalID {
+		return fmt.Sprintf("%s/api/cloud/v2/accounts/%s?includeExternalID=true", client.URL, accountID)
+	}
+	return fmt.Sprintf("%s/api/cloud/v2/accounts/%s", client.URL, accountID)
+}
+
+func (client *sysdigSecureClient) CreateCloudAccount(ctx context.Context, cloudAccount *CloudAccount) (*CloudAccount, error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodPost, client.cloudAccountURL(true), cloudAccount.ToJSON())
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusCreated {
+		err = errorFromResponse(response)
+		return nil, err
+	}
+
+	bodyBytes, _ := ioutil.ReadAll(response.Body)
+	return CloudAccountFromJSON(bodyBytes), nil
+}
+
+func (client *sysdigSecureClient) GetCloudAccountById(ctx context.Context, accountID string) (*CloudAccount, error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodGet, client.cloudAccountByIdURL(accountID, true), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, errorFromResponse(response)
+	}
+
+	bodyBytes, err := ioutil.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return CloudAccountFromJSON(bodyBytes), nil
+}
+
+func (client *sysdigSecureClient) DeleteCloudAccount(ctx context.Context, accountID string) error {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodDelete, client.cloudAccountByIdURL(accountID, false), nil)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK {
+		return errorFromResponse(response)
+	}
+	return nil
+}
+
+func (client *sysdigSecureClient) UpdateCloudAccount(ctx context.Context, accountID string, cloudAccount *CloudAccount) (*CloudAccount, error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodPut, client.cloudAccountByIdURL(accountID, true), cloudAccount.ToJSON())
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		err = errorFromResponse(response)
+		return nil, err
+	}
+
+	bodyBytes, _ := ioutil.ReadAll(response.Body)
+	return CloudAccountFromJSON(bodyBytes), nil
+}

sysdig/internal/client/secure/cloud_account.go

@@ -360,3 +360,25 @@ func VulnerabilityExceptionFromJSON(body []byte) *VulnerabilityException {
 
 	return &result
 }
+
+// -------- CloudAccount --------
+
+type CloudAccount struct {
+	AccountID     string `json:"accountId"`
+	Provider      string `json:"provider"`
+	Alias         string `json:"alias"`
+	RoleAvailable bool   `json:"roleAvailable"`
+	ExternalID    string `json:"externalId,omitempty"`
+}
+
+func (e *CloudAccount) ToJSON() io.Reader {
+	payload, _ := json.Marshal(*e)
+	return bytes.NewBuffer(payload)
+}
+
+func CloudAccountFromJSON(body []byte) *CloudAccount {
+	var result CloudAccount
+	json.Unmarshal(body, &result)
+
+	return &result
+}

sysdig/internal/client/secure/models.go

@@ -70,6 +70,7 @@ func Provider() *schema.Provider {
 			"sysdig_secure_macro":                          resourceSysdigSecureMacro(),
 			"sysdig_secure_vulnerability_exception":        resourceSysdigSecureVulnerabilityException(),
 			"sysdig_secure_vulnerability_exception_list":   resourceSysdigSecureVulnerabilityExceptionList(),
+			"sysdig_secure_cloud_account":                  resourceSysdigSecureCloudAccount(),
 
 			"sysdig_monitor_alert_downtime":                 resourceSysdigMonitorAlertDowntime(),
 			"sysdig_monitor_alert_metric":                   resourceSysdigMonitorAlertMetric(),

sysdig/provider.go

@@ -0,0 +1,133 @@
+package sysdig
+
+import (
+	"context"
+	"time"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig/internal/client/secure"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceSysdigSecureCloudAccount() *schema.Resource {
+	timeout := 5 * time.Minute
+
+	return &schema.Resource{
+		CreateContext: resourceSysdigSecureCloudAccountCreate,
+		UpdateContext: resourceSysdigSecureCloudAccountUpdate,
+		ReadContext:   resourceSysdigSecureCloudAccountRead,
+		DeleteContext: resourceSysdigSecureCloudAccountDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(timeout),
+			Update: schema.DefaultTimeout(timeout),
+			Read:   schema.DefaultTimeout(timeout),
+			Delete: schema.DefaultTimeout(timeout),
+		},
+		Schema: map[string]*schema.Schema{
+			"account_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"cloud_provider": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"alias": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"role_enabled": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+			"external_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceSysdigSecureCloudAccountCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := meta.(SysdigClients).sysdigSecureClient()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	cloudAccount, err := client.CreateCloudAccount(ctx, cloudAccountFromResourceData(d))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(cloudAccount.AccountID)
+	d.Set("account_id", cloudAccount.AccountID)
+	d.Set("cloud_provider", cloudAccount.Provider)
+	d.Set("alias", cloudAccount.Alias)
+	d.Set("role_enabled", cloudAccount.RoleAvailable)
+	d.Set("external_id", cloudAccount.ExternalID)
+
+	return nil
+}
+
+func resourceSysdigSecureCloudAccountRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := meta.(SysdigClients).sysdigSecureClient()
+	if err != nil {
+		d.SetId("")
+		return diag.FromErr(err)
+	}
+
+	cloudAccount, err := client.GetCloudAccountById(ctx, d.Id())
+	if err != nil {
+		d.SetId("")
+		return diag.FromErr(err)
+	}
+
+	d.Set("account_id", cloudAccount.AccountID)
+	d.Set("cloud_provider", cloudAccount.Provider)
+	d.Set("alias", cloudAccount.Alias)
+	d.Set("role_enabled", cloudAccount.RoleAvailable)
+	d.Set("external_id", cloudAccount.ExternalID)
+
+	return nil
+}
+
+func resourceSysdigSecureCloudAccountUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := meta.(SysdigClients).sysdigSecureClient()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	_, err = client.UpdateCloudAccount(ctx, d.Id(), cloudAccountFromResourceData(d))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceSysdigSecureCloudAccountDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := meta.(SysdigClients).sysdigSecureClient()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = client.DeleteCloudAccount(ctx, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	return nil
+}
+
+func cloudAccountFromResourceData(d *schema.ResourceData) *secure.CloudAccount {
+	return &secure.CloudAccount{
+		AccountID:     d.Get("account_id").(string),
+		Provider:      d.Get("cloud_provider").(string),
+		Alias:         d.Get("alias").(string),
+		RoleAvailable: d.Get("role_enabled").(bool),
+	}
+}

sysdig/resource_sysdig_secure_cloud_account.go

@@ -0,0 +1,62 @@
+package sysdig_test
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccSecureCloudAccount(t *testing.T) {
+	rText := func() string { return acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) }
+	accID := rText()
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
+				t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests")
+			}
+		},
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: secureCloudAccountWithID(accID),
+			},
+			{
+				Config: secureCloudAccountMinimumConfiguration(accID),
+			},
+			{
+				ResourceName:      "sysdig_secure_cloud_account.sample",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func secureCloudAccountWithID(accountID string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_cloud_account" "sample" {
+  account_id          = "sample-%s"
+  cloud_provider      = "aws"
+  alias               = "%s"
+  role_enabled        = "false"
+}
+`, accountID, accountID)
+}
+
+func secureCloudAccountMinimumConfiguration(accountID string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_cloud_account" "sample" {
+  account_id      = "sample-%s"
+  cloud_provider  = "aws"
+}`, accountID)
+}