feat(teams) Add the ability to assign CustomRoles to users in teams (#…

…383) * add custom role data source * add documentation * change from string to set * removed validation because it is done on BE side * update documentation * replace string with constants * update documentation * fixed typo in constants * use randomText instead of acctest.RandStringFromCharSet * validate errors while setting resource data * fix doc
sysdiglabs · Jul 28, 2023 · 0bab7f1 · 0bab7f1
1 parent adcf4be
commit 0bab7f1
Show file tree

Hide file tree

Showing 8 changed files with 202 additions and 13 deletions.
diff --git a/sysdig/data_source_sysdig_custom_role.go b/sysdig/data_source_sysdig_custom_role.go
@@ -0,0 +1,83 @@
+package sysdig
+
+import (
+	"context"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"strconv"
+	"time"
+)
+
+func dataSourceSysdigCustomRole() *schema.Resource {
+	timeout := 5 * time.Minute
+
+	return &schema.Resource{
+		ReadContext: dataSourceSysdigCustomRoleRead,
+
+		Timeouts: &schema.ResourceTimeout{
+			Read: schema.DefaultTimeout(timeout),
+		},
+
+		Schema: map[string]*schema.Schema{
+			SchemaNameKey: {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			SchemaDescriptionKey: {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			SchemaMonitorPermKey: {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			SchemaSecurePermKey: {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+		},
+	}
+}
+
+func dataSourceSysdigCustomRoleRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	client, err := m.(SysdigClients).sysdigCommonClientV2()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	name := d.Get(SchemaNameKey).(string)
+
+	customRole, err := client.GetCustomRoleByName(ctx, name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(strconv.Itoa(customRole.ID))
+	err = d.Set(SchemaNameKey, customRole.Name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaDescriptionKey, customRole.Description)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaMonitorPermKey, customRole.MonitorPermissions)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaSecurePermKey, customRole.SecurePermissions)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
diff --git a/sysdig/data_source_sysdig_custom_role_test.go b/sysdig/data_source_sysdig_custom_role_test.go
@@ -0,0 +1,53 @@
+//go:build tf_acc_sysdig_monitor || tf_acc_sysdig_secure
+
+package sysdig_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccCustomRoleDateSource(t *testing.T) {
+	rText := randomText(10)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigMonitorApiTokenEnv, SysdigSecureApiTokenEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: getCustomRole(rText),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckTypeSetElemAttr("data.sysdig_custom_role.custom", "monitor_permissions.*", "token.view"),
+					resource.TestCheckTypeSetElemAttr("data.sysdig_custom_role.custom", "monitor_permissions.*", "api-token.read"),
+					resource.TestCheckResourceAttr("data.sysdig_custom_role.custom", "secure_permissions.#", "0"),
+				),
+			},
+		},
+	})
+}
+
+func getCustomRole(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_custom_role" "test" {
+  name = "%s"
+  description = "test"
+
+  permissions {
+    monitor_permissions = ["token.view", "api-token.read"]
+  }
+}
+data "sysdig_custom_role" "custom" {
+  depends_on = [sysdig_custom_role.test]
+  name = sysdig_custom_role.test.name
+}
+`, name)
+}
diff --git a/sysdig/provider.go b/sysdig/provider.go
@@ -174,6 +174,7 @@ func Provider() *schema.Provider {
 			"sysdig_current_user":      dataSourceSysdigCurrentUser(),
 			"sysdig_user":              dataSourceSysdigUser(),
 			"sysdig_secure_connection": dataSourceSysdigSecureConnection(),
+			"sysdig_custom_role":       dataSourceSysdigCustomRole(),
 
 			"sysdig_fargate_workload_agent":                 dataSourceSysdigFargateWorkloadAgent(),
 			"sysdig_monitor_notification_channel_pagerduty": dataSourceSysdigMonitorNotificationChannelPagerduty(),

diff --git a/sysdig/resource_sysdig_monitor_team.go b/sysdig/resource_sysdig_monitor_team.go
@@ -86,10 +86,9 @@ func resourceSysdigMonitorTeam() *schema.Resource {
 							Required: true,
 						},
 						"role": {
-							Type:         schema.TypeString,
-							Optional:     true,
-							Default:      "ROLE_TEAM_STANDARD",
-							ValidateFunc: validation.StringInSlice([]string{"ROLE_TEAM_STANDARD", "ROLE_TEAM_EDIT", "ROLE_TEAM_READ", "ROLE_TEAM_MANAGER"}, false),
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "ROLE_TEAM_STANDARD",
 						},
 					},
 				},

diff --git a/sysdig/resource_sysdig_secure_team.go b/sysdig/resource_sysdig_secure_team.go
@@ -9,7 +9,6 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
 func resourceSysdigSecureTeam() *schema.Resource {
@@ -93,10 +92,9 @@ func resourceSysdigSecureTeam() *schema.Resource {
 						},
 
 						"role": {
-							Type:         schema.TypeString,
-							Optional:     true,
-							Default:      "ROLE_TEAM_STANDARD",
-							ValidateFunc: validation.StringInSlice([]string{"ROLE_TEAM_STANDARD", "ROLE_TEAM_EDIT", "ROLE_TEAM_READ", "ROLE_TEAM_MANAGER"}, false),
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "ROLE_TEAM_STANDARD",
 						},
 					},
 				},

diff --git a/website/docs/d/custom_role.md b/website/docs/d/custom_role.md
@@ -0,0 +1,35 @@
+---
+subcategory: "Sysdig Platform"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_custom_role"
+description: |-
+  Retrieves information about a custom role from the name
+---
+
+# Data Source: sysdig_custom_role
+
+Retrieves information about a custom role from the name.
+
+-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
+
+## Example Usage
+
+```terraform
+data "sysdig_custom_role" "custom_role" {
+  name = "CustomRoleName"
+}
+```
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The custom role's ID.
+
+* `name` - The custom role's name.
+
+* `description` - The custom role's description.
+
+* `monitor_permissions` - The custom role's monitor permissions.
+
+* `secure_permissions` - The custom role's secure permissions.
diff --git a/website/docs/r/monitor_team.md b/website/docs/r/monitor_team.md
@@ -31,10 +31,19 @@ resource "sysdig_monitor_team" "devops" {
     email = "[email protected]"
     role = "ROLE_TEAM_STANDARD"
   }
+
+  user_roles {
+    email = "[email protected]"
+    role = data.sysdig_custom_role.custom_role.id
+  }
 }
  
 data "sysdig_current_user" "me" {
 }
+
+data "sysdig_custom_role" "custom_role" {
+  name = "CustomRoleName"
+}
 ```
 
 ## Argument Reference
@@ -78,8 +87,9 @@ data "sysdig_current_user" "me" {
 * `email` - (Required) The email of the user in the group.
 
 * `role` - (Optional) The role for the user in this group.
-           Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER.
-           Default: ROLE_TEAM_STANDARD.
+           Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER or CustomRole ID.<br/>
+           Default: ROLE_TEAM_STANDARD.<br/>
+           Note: CustomRole ID can be referenced from `sysdig_custom_role` resource or `sysdig_custom_role` data source
 
 ## Attributes Reference
 

diff --git a/website/docs/r/secure_team.md b/website/docs/r/secure_team.md
@@ -27,10 +27,19 @@ resource "sysdig_secure_team" "devops" {
     email = "[email protected]"
     role = "ROLE_TEAM_STANDARD"
   }
+
+  user_roles {
+    email = "[email protected]"
+    role = data.sysdig_custom_role.custom_role.id
+  }
 }
  
 data "sysdig_current_user" "me" {
 }
+
+data "sysdig_custom_role" "custom_role" {
+  name = "CustomRoleName"
+}
 ```
 
 ## Argument Reference
@@ -67,8 +76,9 @@ data "sysdig_current_user" "me" {
 * `email` - (Required) The email of the user in the group.
 
 * `role` - (Optional) The role for the user in this group.
-           Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER.
-           Default: ROLE_TEAM_STANDARD.
+           Valid roles are: ROLE_TEAM_STANDARD, ROLE_TEAM_EDIT, ROLE_TEAM_READ, ROLE_TEAM_MANAGER or CustomRole ID.<br/>
+           Default: ROLE_TEAM_STANDARD.<br/>
+           Note: CustomRole ID can be referenced from `sysdig_custom_role` resource or `sysdig_custom_role` data source
 
 ## Attributes Reference