Merge pull request #286 from aquasecurity/SLK-88696-tp-add-support-for-rbac-v-3-permission-sets

feat(permission_set_saas): create resource, datasource, example, docs

Author: semyonmor

aquasec/data_permissions_sets_saas.go

@@ -0,0 +1,75 @@
+package aquasec
+
+import (
+    "context"
+    "fmt"
+    "math/rand"
+
+    "github.com/aquasecurity/terraform-provider-aquasec/client"
+    "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+    "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourcePermissionsSetsSaas() *schema.Resource {
+    return &schema.Resource{
+        Description: "The data source `aquasec_permissions_sets_saas` provides a method to query all permissions within Aqua SaaS platform",
+        ReadContext: dataPermissionsSetsSaasRead,
+        Schema: map[string]*schema.Schema{
+            "permissions_sets": {
+                Type:     schema.TypeList,
+                Computed: true,
+                Elem: &schema.Resource{
+                    Schema: map[string]*schema.Schema{
+                        "name": {
+                            Type:        schema.TypeString,
+                            Description: "Name of the permission set",
+                            Computed:    true,
+                        },
+                        "description": {
+                            Type:        schema.TypeString,
+                            Description: "Description of the permission set",
+                            Computed:    true,
+                        },
+                        "actions": {
+                            Type:        schema.TypeList,
+                            Description: "List of allowed actions",
+                            Computed:    true,
+                            Elem: &schema.Schema{
+                                Type: schema.TypeString,
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    }
+}
+
+func dataPermissionsSetsSaasRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+    c := m.(*client.Client)
+    permissionsSets, err := c.GetPermissionSetsSaas()
+    if err != nil {
+        return diag.FromErr(err)
+    }
+
+    id := ""
+    ps := make([]interface{}, len(permissionsSets))
+
+    for i, permissionsSet := range permissionsSets {
+        id = id + permissionsSet.Name
+        p := make(map[string]interface{})
+        p["name"] = permissionsSet.Name
+        p["description"] = permissionsSet.Description
+        p["actions"] = permissionsSet.Actions
+        ps[i] = p
+    }
+
+    if id == "" {
+        id = fmt.Sprintf("no-permissions-found-%d", rand.Int())
+    }
+    d.SetId(id)
+    if err := d.Set("permissions_sets", ps); err != nil {
+        return diag.FromErr(err)
+    }
+    return nil
+}

aquasec/data_permissions_sets_saas_test.go

@@ -0,0 +1,120 @@
+package aquasec
+
+import (
+    "fmt"
+    "testing"
+
+    "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+    "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAquasecPermissionsSetSaasDatasource(t *testing.T) {
+    if !isSaasEnv() {
+        t.Skip("Skipping permission set test because its not a SaaS environment")
+    }
+
+    resource.Test(t, resource.TestCase{
+        PreCheck:  func() { testAccPreCheck(t) },
+        Providers: testAccProviders,
+        Steps: []resource.TestStep{
+            {
+                Config: testAccCheckAquasecPermissionsSetSaasBasicConfig(),
+                Check: resource.ComposeTestCheckFunc(
+                    // Check that the data source was created
+                    testAccCheckAquasecPermissionsSetSaasExists("data.aquasec_permissions_sets_saas.test"),
+                    // Check list attribute is populated
+                    resource.TestCheckResourceAttrSet("data.aquasec_permissions_sets_saas.test", "permissions_sets.#"),
+                    // Custom check for data validity
+                    testAccCheckPermissionsSetSaasAttributes("data.aquasec_permissions_sets_saas.test"),
+                ),
+            },
+        },
+    })
+}
+
+func TestAquasecPermissionsSetSaasDatasource_Structure(t *testing.T) {
+    if !isSaasEnv() {
+        t.Skip("Skipping permission set test because its not a SaaS environment")
+    }
+
+    resource.Test(t, resource.TestCase{
+        PreCheck:  func() { testAccPreCheck(t) },
+        Providers: testAccProviders,
+        Steps: []resource.TestStep{
+            {
+                Config: testAccCheckAquasecPermissionsSetSaasBasicConfig(),
+                Check: resource.ComposeTestCheckFunc(
+                    // Verify ID exists
+                    resource.TestCheckResourceAttrSet(
+                        "data.aquasec_permissions_sets_saas.test",
+                        "id",
+                    ),
+                    // Verify permissions_sets list exists
+                    resource.TestCheckResourceAttrSet(
+                        "data.aquasec_permissions_sets_saas.test",
+                        "permissions_sets.#",
+                    ),
+                ),
+            },
+        },
+    })
+}
+
+// Basic Config
+func testAccCheckAquasecPermissionsSetSaasBasicConfig() string {
+    return `
+    data "aquasec_permissions_sets_saas" "test" {
+    }
+    `
+}
+
+// Check data source exists
+func testAccCheckAquasecPermissionsSetSaasExists(n string) resource.TestCheckFunc {
+    return func(s *terraform.State) error {
+        rs, ok := s.RootModule().Resources[n]
+        if !ok {
+            return fmt.Errorf("Not found: %s", n)
+        }
+
+        if rs.Primary.ID == "" {
+            return fmt.Errorf("No ID is set")
+        }
+
+        return nil
+    }
+}
+
+// Check attributes match schema
+func testAccCheckPermissionsSetSaasAttributes(resourceName string) resource.TestCheckFunc {
+    return func(s *terraform.State) error {
+        rs, ok := s.RootModule().Resources[resourceName]
+        if !ok {
+            return fmt.Errorf("Not found: %s", resourceName)
+        }
+
+        numSets, ok := rs.Primary.Attributes["permissions_sets.#"]
+        if !ok {
+            return fmt.Errorf("No permissions_sets found")
+        }
+
+        // If we have permission sets, verify their structure
+        if numSets != "0" {
+            // Get the first permission set and verify required attributes
+            if name, ok := rs.Primary.Attributes["permissions_sets.0.name"]; !ok || name == "" {
+                return fmt.Errorf("permissions_sets.0.name is empty or missing")
+            }
+
+            if desc, exists := rs.Primary.Attributes["permissions_sets.0.description"]; exists {
+                if desc == "" {
+                    return fmt.Errorf("permissions_sets.0.description is empty")
+                }
+            }
+
+            if _, ok := rs.Primary.Attributes["permissions_sets.0.actions.#"]; !ok {
+                return fmt.Errorf("permissions_sets.0.actions is missing")
+            }
+        }
+
+        return nil
+    }
+}

aquasec/provider.go

@@ -93,6 +93,7 @@ func Provider(v string) *schema.Provider {
 			"aquasec_group":             resourceGroup(),
 			"aquasec_user_saas":         resourceUserSaas(),
 			"aquasec_role_mapping_saas": resourceRoleMappingSaas(),
+			"aquasec_permission_set_saas": resourcePermissionSetSaas(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{
 			"aquasec_users":                       dataSourceUsers(),
@@ -123,6 +124,7 @@ func Provider(v string) *schema.Provider {
 			"aquasec_groups":             dataSourceGroups(),
 			"aquasec_users_saas":         dataSourceUsersSaas(),
 			"aquasec_roles_mapping_saas": dataSourceRolesMappingSaas(),
+			"aquasec_permissions_sets_saas": dataSourcePermissionsSetsSaas(),
 		},
 		ConfigureContextFunc: providerConfigure,
 	}

aquasec/resource_permission_set.go

@@ -28,6 +28,7 @@ func resourcePermissionSet() *schema.Resource {
 				Description: "The name of the Permission Set, comprised of alphanumeric characters and '-', '_', ' ', ':', '.', '@', '!', '^'.",
 				Required:    true,
 				ForceNew:    true,
+				ValidateFunc: validateSaasResourceWarning("aquasec_permissions_sets", "aquasec_permission_set_saas"),
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -66,6 +67,7 @@ func resourcePermissionSet() *schema.Resource {
 	}
 }
 
+
 func resourcePermissionSetCreate(d *schema.ResourceData, m interface{}) error {
 	ac := m.(*client.Client)
 	name := d.Get("name").(string)

aquasec/resource_permission_set_saas.go

@@ -0,0 +1,121 @@
+package aquasec
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/terraform-provider-aquasec/client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourcePermissionSetSaas() *schema.Resource {
+	return &schema.Resource{
+		Description: "The `aquasec_permission_set_saas` resource manages your Permission Set within Aqua SaaS environment.",
+		Create:      resourcePermissionSetSaasCreate,
+		Read:        resourcePermissionSetSaasRead,
+		Update:      resourcePermissionSetSaasUpdate,
+		Delete:      resourcePermissionSetSaasDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Description: "Name of the permission set",
+				Required:    true,
+				ForceNew:    true,
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Description: "Description of the permission set",
+				Optional:    true,
+			},
+			"actions": {
+				Type:        schema.TypeList,
+				Description: "List of allowed actions for the permission set",
+				Optional:    true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+		},
+	}
+}
+
+func resourcePermissionSetSaasCreate(d *schema.ResourceData, m interface{}) error {
+	ac := m.(*client.Client)
+	name := d.Get("name").(string)
+
+	permSet := expandPermissionSetSaas(d)
+	err := ac.CreatePermissionSetSaas(permSet)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(name)
+	return resourcePermissionSetSaasRead(d, m)
+}
+
+func resourcePermissionSetSaasUpdate(d *schema.ResourceData, m interface{}) error {
+	ac := m.(*client.Client)
+
+	if d.HasChanges("description", "actions") {
+		permSet := expandPermissionSetSaas(d)
+		err := ac.UpdatePermissionSetSaas(permSet)
+		if err != nil {
+			return err
+		}
+	}
+
+	return resourcePermissionSetSaasRead(d, m)
+}
+
+func resourcePermissionSetSaasRead(d *schema.ResourceData, m interface{}) error {
+	c := m.(*client.Client)
+
+	permSet, err := c.GetPermissionSetSaas(d.Id())
+	if err != nil {
+		if strings.Contains(fmt.Sprintf("%s", err), "404") {
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	d.Set("name", permSet.Name)
+	d.Set("description", permSet.Description)
+	d.Set("actions", permSet.Actions)
+
+	return nil
+}
+
+func resourcePermissionSetSaasDelete(d *schema.ResourceData, m interface{}) error {
+	ac := m.(*client.Client)
+	name := d.Get("name").(string)
+
+	err := ac.DeletePermissionSetSaas(name)
+	if err != nil {
+		return err
+	}
+
+	d.SetId("")
+	return nil
+}
+
+func expandPermissionSetSaas(d *schema.ResourceData) *client.PermissionSetSaas {
+	permSet := client.PermissionSetSaas{
+		Name:        d.Get("name").(string),
+		Description: d.Get("description").(string),
+	}
+
+	if v, ok := d.GetOk("actions"); ok {
+		rawActions := v.([]interface{})
+		actions := make([]string, len(rawActions))
+		for i, action := range rawActions {
+			actions[i] = action.(string)
+		}
+		permSet.Actions = actions
+	}
+
+	return &permSet
+}