feat(teams) add ability to set zones (#374)

Author: filiptubic

sysdig/common.go

@@ -21,6 +21,8 @@ const (
 	SchemaIsActiveKey       = "is_active"
 	SchemaPlatformKey       = "platform"
 	SchemaZonesKey          = "zones"
+	SchemaZonesIDsKey       = "zone_ids"
+	SchemaAllZones          = "all_zones"
 	SchemaScopeKey          = "scope"
 	SchemaScopesKey         = "scopes"
 	SchemaTargetTypeKey     = "target_type"

sysdig/internal/client/v2/model.go

@@ -23,6 +23,8 @@ type Team struct {
 	Filter              string            `json:"filter,omitempty"`
 	NamespaceFilters    *NamespaceFilters `json:"namespaceFilters,omitempty"`
 	DefaultTeam         bool              `json:"default,omitempty"`
+	ZoneIDs             []int             `json:"zoneIds,omitempty"`
+	AllZones            bool              `json:"allZones"`
 }
 
 type NamespaceFilters struct {

sysdig/resource_sysdig_secure_team.go

@@ -2,6 +2,7 @@ package sysdig
 
 import (
 	"context"
+	"fmt"
 	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
 	"strconv"
 	"time"
@@ -22,7 +23,22 @@ func resourceSysdigSecureTeam() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
+		CustomizeDiff: func(ctx context.Context, diff *schema.ResourceDiff, i interface{}) error {
+			plan := diff.GetRawPlan().AsValueMap()
+			zoneIDsPlan := plan[SchemaZonesIDsKey]
+			allZonesPlan := plan[SchemaAllZones]
 
+			var nonEmptyZoneIDs bool
+			if !zoneIDsPlan.IsNull() && len(zoneIDsPlan.AsValueSlice()) > 0 {
+				nonEmptyZoneIDs = true
+			}
+
+			if nonEmptyZoneIDs && allZonesPlan.True() {
+				return fmt.Errorf("if %s is enabled, %s must be omitted", SchemaAllZones, SchemaZonesIDsKey)
+			}
+
+			return nil
+		},
 		Timeouts: &schema.ResourceTimeout{
 			Create: schema.DefaultTimeout(timeout),
 			Update: schema.DefaultTimeout(timeout),
@@ -94,6 +110,18 @@ func resourceSysdigSecureTeam() *schema.Resource {
 				Type:     schema.TypeInt,
 				Computed: true,
 			},
+			SchemaZonesIDsKey: {
+				Optional: true,
+				Type:     schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeInt,
+				},
+			},
+			SchemaAllZones: {
+				Optional: true,
+				Type:     schema.TypeBool,
+				Default:  false,
+			},
 		},
 	}
 }
@@ -164,6 +192,16 @@ func resourceSysdigSecureTeamRead(ctx context.Context, d *schema.ResourceData, m
 	_ = d.Set("default_team", t.DefaultTeam)
 	_ = d.Set("user_roles", userSecureRolesToSet(t.UserRoles))
 
+	err = d.Set(SchemaZonesIDsKey, t.ZoneIDs)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaAllZones, t.AllZones)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
 	if clients.GetClientType() == IBMSecure {
 		resourceSysdigTeamReadIBM(d, &t)
 	}
@@ -225,6 +263,7 @@ func resourceSysdigSecureTeamDelete(ctx context.Context, d *schema.ResourceData,
 func secureTeamFromResourceData(d *schema.ResourceData, clientType ClientType) v2.Team {
 	canUseSysdigCapture := d.Get("use_sysdig_capture").(bool)
 	canUseAwsMetrics := new(bool)
+	allZones := d.Get(SchemaAllZones).(bool)
 	t := v2.Team{
 		Theme:               d.Get("theme").(string),
 		Name:                d.Get("name").(string),
@@ -234,6 +273,7 @@ func secureTeamFromResourceData(d *schema.ResourceData, clientType ClientType) v
 		CanUseSysdigCapture: &canUseSysdigCapture,
 		CanUseAwsMetrics:    canUseAwsMetrics,
 		DefaultTeam:         d.Get("default_team").(bool),
+		AllZones:            allZones,
 	}
 
 	userRoles := make([]v2.UserRoles, 0)
@@ -246,6 +286,12 @@ func secureTeamFromResourceData(d *schema.ResourceData, clientType ClientType) v
 	}
 	t.UserRoles = userRoles
 
+	zonesData := d.Get("zone_ids").([]interface{})
+	t.ZoneIDs = make([]int, len(zonesData))
+	for i, z := range zonesData {
+		t.ZoneIDs[i] = z.(int)
+	}
+
 	if clientType == IBMSecure {
 		teamFromResourceDataIBM(d, &t)
 	}

sysdig/resource_sysdig_secure_team_test.go

@@ -5,18 +5,16 @@ package sysdig_test
 import (
 	"fmt"
 	"github.com/draios/terraform-provider-sysdig/buildinfo"
+	"regexp"
 	"testing"
 
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/draios/terraform-provider-sysdig/sysdig"
 )
 
 func TestAccSecureTeam(t *testing.T) {
-	rText := func() string { return acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) }
-
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv, SysdigIBMSecureAPIKeyEnv),
 		ProviderFactories: map[string]func() (*schema.Provider, error){
@@ -26,17 +24,29 @@ func TestAccSecureTeam(t *testing.T) {
 		},
 		Steps: []resource.TestStep{
 			{
-				Config: secureTeamWithName(rText()),
+				Config: secureTeamWithName(randomText(10)),
 			},
 			{
-				Config: secureTeamMinimumConfiguration(rText()),
+				Config: secureTeamMinimumConfiguration(randomText(10)),
 			},
 			{
-				Config: secureTeamWithPlatformMetricsIBM(rText()),
+				Config: secureTeamWithPlatformMetricsIBM(randomText(10)),
 				SkipFunc: func() (bool, error) {
 					return !buildinfo.IBMSecure, nil
 				},
 			},
+			{
+				Config: secureTeamWithPostureZones(randomText(10)),
+			},
+			{
+				Config: secureTeamWithPostureZonesAndAllZones(randomText(10)),
+				ExpectError: regexp.MustCompile(
+					fmt.Sprintf("if %s is enabled, %s must be omitted",
+						sysdig.SchemaAllZones,
+						sysdig.SchemaZonesIDsKey,
+					),
+				),
+			},
 			{
 				ResourceName:      "sysdig_secure_team.sample",
 				ImportState:       true,
@@ -72,3 +82,28 @@ resource "sysdig_secure_team" "sample" {
   ibm_platform_metrics = "foo in (\"0\") and bar in (\"3\")"
 }`, name)
 }
+
+func secureTeamWithPostureZones(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_posture_zone" "z1" {
+  name = "Zone-%[1]s"
+}
+
+resource "sysdig_secure_team" "sample" {
+  name     = "sample-%[1]s"
+  zone_ids = [sysdig_secure_posture_zone.z1.id]
+}`, name)
+}
+
+func secureTeamWithPostureZonesAndAllZones(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_posture_zone" "z1" {
+  name = "Zone-%[1]s"
+}
+
+resource "sysdig_secure_team" "sample" {
+  name      = "sample-%[1]s"
+  zone_ids  = [sysdig_secure_posture_zone.z1.id]
+  all_zones = true
+}`, name)
+}

website/docs/index.md

@@ -234,12 +234,14 @@ When IBM Workload Protection resources are to be created, this authentication mu
 > - `sysdig_monitor_alert_promql`
 > - `sysdig_monitor_alert_anomaly`
 > - `sysdig_monitor_alert_group_outlier`
+> - `sysdig_secure_posture_zone`
 > 
 > And data sources:
 > - `sysdig_monitor_notification_channel_pagerduty`
 > - `sysdig_monitor_notification_channel_email`
 > - `sysdig_current_user`
 > - `sysdig_secure_notification_channel`
+> - `sysdig_secure_posture_policies`
 
 ###  Others
 * `extra_headers` - (Optional) Defines extra HTTP headers that will be added to the client

website/docs/r/secure_team.md

@@ -57,6 +57,10 @@ data "sysdig_current_user" "me" {
                  Administrators of the account will be automatically added
                  to every new created team, so they don't need to be added as a
                  resource in the Terraform manifest.
+
+* `zone_ids` - (Optional) List of zone IDs attached to the team. If `all_zones` is specified this argument needs to be omitted.
+
+* `all_zones` - (Optional) Attach all zones to the team. If this argument is enabled then `zone_ids` needs to be omitted.
 
 ### User Role Argument Reference