feat(group mapping): added new group_mapping_config resource (#363)

Shadow649 · web-flow · commit adc14977ca10 · 2023-06-07T10:02:09.000+02:00
* added new group_mapping_config resource

* fixed lint errors

* addressed code review comments
diff --git a/sysdig/internal/client/v2/group_mapping_config.go b/sysdig/internal/client/v2/group_mapping_config.go
@@ -0,0 +1,74 @@
+package v2
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+)
+
+var GroupMappingConfigNotFound = errors.New("group mapping configuration not found")
+
+const (
+	GroupMappingConfigPath = "%s/api/groupmappings/settings"
+)
+
+type GroupMappingConfigInterface interface {
+	Base
+	UpdateGroupMappingConfig(ctx context.Context, gmc *GroupMappingConfig) (*GroupMappingConfig, error)
+	GetGroupMappingConfig(ctx context.Context) (*GroupMappingConfig, error)
+}
+
+func (client *Client) UpdateGroupMappingConfig(ctx context.Context, gmc *GroupMappingConfig) (*GroupMappingConfig, error) {
+	payload, err := Marshal(gmc)
+	if err != nil {
+		return nil, err
+	}
+
+	response, err := client.requester.Request(ctx, http.MethodPut, client.UpdateGroupMappingConfigURL(), payload)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, client.ErrorFromResponse(response)
+	}
+
+	updated, err := Unmarshal[GroupMappingConfig](response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return &updated, nil
+}
+
+func (client *Client) GetGroupMappingConfig(ctx context.Context) (*GroupMappingConfig, error) {
+	response, err := client.requester.Request(ctx, http.MethodGet, client.GetGroupMappingConfigURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		if response.StatusCode == http.StatusNotFound {
+			return nil, GroupMappingConfigNotFound
+		}
+		return nil, client.ErrorFromResponse(response)
+	}
+
+	gmc, err := Unmarshal[GroupMappingConfig](response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return &gmc, nil
+}
+
+func (client *Client) UpdateGroupMappingConfigURL() string {
+	return fmt.Sprintf(GroupMappingConfigPath, client.config.url)
+}
+
+func (client *Client) GetGroupMappingConfigURL() string {
+	return fmt.Sprintf(GroupMappingConfigPath, client.config.url)
+}
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
@@ -113,6 +113,11 @@ type GroupMapping struct {
 	Weight     int      `json:"weight,omitempty"`
 }
 
+type GroupMappingConfig struct {
+	NoMappingStrategy             string `json:"noMappingStrategy"`
+	DifferentTeamSameRoleStrategy string `json:"differentRolesSameTeamStrategy"`
+}
+
 type alertWrapper struct {
 	Alert Alert `json:"alert"`
 }
diff --git a/sysdig/internal/client/v2/sysdig.go b/sysdig/internal/client/v2/sysdig.go
@@ -19,6 +19,7 @@ type SysdigRequest struct {
 type SysdigCommon interface {
 	Common
 	GroupMappingInterface
+	GroupMappingConfigInterface
 }
 
 type SysdigMonitor interface {
diff --git a/sysdig/provider.go b/sysdig/provider.go
@@ -74,8 +74,9 @@ func Provider() *schema.Provider {
 			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
-			"sysdig_user":          resourceSysdigUser(),
-			"sysdig_group_mapping": resourceSysdigGroupMapping(),
+			"sysdig_user":                 resourceSysdigUser(),
+			"sysdig_group_mapping":        resourceSysdigGroupMapping(),
+			"sysdig_group_mapping_config": resourceSysdigGroupMappingConfig(),
 
 			"sysdig_secure_custom_policy":                  resourceSysdigSecureCustomPolicy(),
 			"sysdig_secure_managed_policy":                 resourceSysdigSecureManagedPolicy(),
diff --git a/sysdig/resource_sysdig_group_mapping_config.go b/sysdig/resource_sysdig_group_mapping_config.go
@@ -0,0 +1,116 @@
+package sysdig
+
+import (
+	"context"
+	"time"
+
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceSysdigGroupMappingConfig() *schema.Resource {
+	timeout := 5 * time.Minute
+	return &schema.Resource{
+		ReadContext:   resourceSysdigGroupMappingConfigRead,
+		CreateContext: resourceSysdigGroupMappingConfigCreate,
+		UpdateContext: resourceSysdigGroupMappingConfigUpdate,
+		DeleteContext: resourceSysdigGroupMappingConfigDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(timeout),
+			Update: schema.DefaultTimeout(timeout),
+			Read:   schema.DefaultTimeout(timeout),
+			Delete: schema.DefaultTimeout(timeout),
+		},
+		Schema: map[string]*schema.Schema{
+			"no_mapping_strategy": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"different_team_same_role_strategy": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceSysdigGroupMappingConfigRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	client, err := m.(SysdigClients).sysdigCommonClientV2()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	groupMappingConfig, err := client.GetGroupMappingConfig(ctx)
+	if err != nil {
+		if err == v2.GroupMappingConfigNotFound {
+			return nil
+		}
+		return diag.FromErr(err)
+	}
+
+	err = groupMappingConfigToResourceData(groupMappingConfig, d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceSysdigGroupMappingConfigCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	client, err := m.(SysdigClients).sysdigCommonClientV2()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	groupMappingConfig := groupMappingConfigFromResourceData(d)
+	_, err = client.UpdateGroupMappingConfig(ctx, groupMappingConfig)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId("conflicts_resolution_strategies")
+
+	resourceSysdigGroupMappingConfigRead(ctx, d, m)
+
+	return nil
+}
+
+func resourceSysdigGroupMappingConfigUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	client, err := m.(SysdigClients).sysdigCommonClientV2()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	groupMappingConfig := groupMappingConfigFromResourceData(d)
+	_, err = client.UpdateGroupMappingConfig(ctx, groupMappingConfig)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	resourceSysdigGroupMappingConfigRead(ctx, d, m)
+
+	return nil
+}
+
+func resourceSysdigGroupMappingConfigDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	return nil
+}
+
+func groupMappingConfigToResourceData(groupMappingConfig *v2.GroupMappingConfig, d *schema.ResourceData) error {
+	err := d.Set("no_mapping_strategy", groupMappingConfig.NoMappingStrategy)
+	if err != nil {
+		return err
+	}
+	return d.Set("different_team_same_role_strategy", groupMappingConfig.DifferentTeamSameRoleStrategy)
+}
+
+func groupMappingConfigFromResourceData(d *schema.ResourceData) *v2.GroupMappingConfig {
+	return &v2.GroupMappingConfig{
+		NoMappingStrategy:             d.Get("no_mapping_strategy").(string),
+		DifferentTeamSameRoleStrategy: d.Get("different_team_same_role_strategy").(string),
+	}
+}
diff --git a/sysdig/resource_sysdig_group_mapping_config_test.go b/sysdig/resource_sysdig_group_mapping_config_test.go
@@ -0,0 +1,72 @@
+//go:build tf_acc_sysdig_monitor
+
+package sysdig_test
+
+import (
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"testing"
+)
+
+func TestAccGroupMappingConfig(t *testing.T) {
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigMonitorApiTokenEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: groupMappingConfigDefault(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"sysdig_group_mapping_config.default",
+						"no_mapping_strategy",
+						"UNAUTHORIZED",
+					),
+					resource.TestCheckResourceAttr(
+						"sysdig_group_mapping_config.default",
+						"different_team_same_role_strategy",
+						"UNAUTHORIZED",
+					),
+				),
+			},
+			{
+				Config: groupMappingConfigUpdate(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"sysdig_group_mapping_config.default",
+						"no_mapping_strategy",
+						"DEFAULT_TEAM_DEFAULT_ROLE",
+					),
+				),
+			},
+			{
+				ResourceName:      "sysdig_group_mapping_config.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func groupMappingConfigDefault() string {
+	return `
+resource "sysdig_group_mapping_config" "default" {
+  no_mapping_strategy = "UNAUTHORIZED"
+  different_team_same_role_strategy = "UNAUTHORIZED"
+}
+`
+}
+
+func groupMappingConfigUpdate() string {
+	return `
+resource "sysdig_group_mapping_config" "default" {
+  no_mapping_strategy = "DEFAULT_TEAM_DEFAULT_ROLE"
+  different_team_same_role_strategy = "UNAUTHORIZED"
+}
+`
+}
diff --git a/website/docs/r/group_mapping_config.md b/website/docs/r/group_mapping_config.md
@@ -0,0 +1,44 @@
+---
+subcategory: "Sysdig Platform"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_group_mapping_config"
+description: |-
+  Sets the group mapping conflicts resolution strategies in Sysdig.
+---
+
+# Resource: sysdig_group_mapping_config
+
+Sets the group mapping conflicts resolution strategies in Sysdig.
+
+> **Warning**
+> This resource is global and is allowed to have only one configuration per customer
+
+The `sysdig_group_mapping_config` behaves differently from normal resources, in that Terraform does not destroy this resource.
+On resource destruction, Terraform performs no actions in Sysdig.
+
+## Example Usage
+
+```terraform
+resource "sysdig_group_mapping_config" "resolution_strategies" {
+  no_mapping_strategy = "UNAUTHORIZED"
+  different_team_same_role_strategy = "UNAUTHORIZED"
+}
+```
+
+## Argument Reference
+
+* `no_mapping_strategy` - (Required) Sets how the system behaves when no group mapping information received from the IdP or Group information received, but the user is not a member of any mapped group. Possible values are: `UNAUTHORIZED`, `DEFAULT_TEAM_DEFAULT_ROLE`
+
+* `different_team_same_role_strategy` - (Required) Sets how the system behaves when conflicting group mapping information received. Possible values are: `UNAUTHORIZED`, `FIRST_MATCH`, `WEIGHTED`
+
+## Attributes Reference
+
+No additional attributes are exported.
+
+## Import
+
+Sysdig group mapping config can be imported, e.g.
+
+```
+$ terraform import sysdig_group_mapping_config.resolution_strategies conflicts_resolution_strategies
+```

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,11 @@ type GroupMapping struct {`
`113`	`113`	Weight int `json:"weight,omitempty"`
`114`	`114`	`}`
`115`	`115`
	`116`	`+type GroupMappingConfig struct {`
	`117`	+ NoMappingStrategy string `json:"noMappingStrategy"`
	`118`	+ DifferentTeamSameRoleStrategy string `json:"differentRolesSameTeamStrategy"`
	`119`	`+}`
	`120`	`+`
`116`	`121`	`type alertWrapper struct {`
`117`	`122`	Alert Alert `json:"alert"`
`118`	`123`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ type SysdigRequest struct {`
`19`	`19`	`type SysdigCommon interface {`
`20`	`20`	`Common`
`21`	`21`	`GroupMappingInterface`
	`22`	`+ GroupMappingConfigInterface`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`type SysdigMonitor interface {`