Merge pull request #306 from aquasecurity/SAAS-28333-tp-fix-aquasec-role-mapping-sass-resource-and-datasource

Refactor aquasec_role_mapping_sass (resource and datasource), Refactor sso.go

Author: semyonmor

aquasec/data_role_mapping_saas_test.go

@@ -0,0 +1,48 @@
+package aquasec
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAquasecRolesMappingSaasDatasource(t *testing.T) {
+	if !isSaasEnv() {
+		t.Skip("Skipping SaaS roles mapping data source test - not a SaaS environment")
+	}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckAquasecRolesMappingSaasBasicConfig(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAquasecRolesMappingSaasExists("data.aquasec_roles_mapping_saas.test"),
+					resource.TestCheckResourceAttrSet("data.aquasec_roles_mapping_saas.test", "roles_mapping.#"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAquasecRolesMappingSaasBasicConfig() string {
+	return `
+	data "aquasec_roles_mapping_saas" "test" {}
+	`
+}
+
+func testAccCheckAquasecRolesMappingSaasExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set for %s", n)
+		}
+		return nil
+	}
+}

aquasec/data_role_mapping_sass.go

@@ -60,6 +60,7 @@ func dataRolesMappingSaasRead(ctx context.Context, d *schema.ResourceData, m int
 	} else {
 		return diag.FromErr(err)
 	}
+	d.SetId("aquasec_roles_mapping_saas_list")
 	return nil
 }
 

aquasec/resource_role.go

@@ -87,7 +87,7 @@ func resourceRoleRead(d *schema.ResourceData, m interface{}) error {
 		return err
 	}
 
-	d.Set("name", r.Name)
+	d.Set("role_name", r.Name)
 	d.Set("updated_at", r.UpdatedAt)
 	d.Set("author", r.Author)
 	d.Set("role_name", r.Name)

aquasec/resource_role_mapping_saas.go

@@ -53,20 +53,34 @@ func resourceRoleMappingSaasRead(ctx context.Context, d *schema.ResourceData, m
 	ac := m.(*client.Client)
 
 	r, err := ac.GetRoleMappingSaas(d.Id())
-	if err == nil {
-		d.Set("role_mapping_id", r.Id)
-		d.Set("created", r.Created)
-		d.Set("account_id", r.AccountId)
-	} else {
+	if err != nil {
 		if strings.Contains(err.Error(), "404") {
 			d.SetId("")
-		} else {
-			return diag.FromErr(err)
+			return nil
 		}
+		return diag.FromErr(err)
+	}
+
+	if err := d.Set("role_mapping_id", r.Id); err != nil {
+		return diag.FromErr(err)
+	}
+	if err := d.Set("created", r.Created); err != nil {
+		return diag.FromErr(err)
+	}
+	if err := d.Set("account_id", r.AccountId); err != nil {
+		return diag.FromErr(err)
+	}
+	if err := d.Set("csp_role", r.CspRole); err != nil {
+		return diag.FromErr(err)
 	}
+	if err := d.Set("saml_groups", r.SamlGroups); err != nil {
+		return diag.FromErr(err)
+	}
+
 	return nil
 }
 
+
 func resourceRoleMappingSaasCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	c := m.(*client.Client)
 

aquasec/resource_role_mapping_saas_test.go

@@ -0,0 +1,103 @@
+package aquasec
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aquasecurity/terraform-provider-aquasec/client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+const (
+	testRoleMappingSaasResourceName = "aquasec_role_mapping_saas.test"
+)
+
+func TestAccAquasecRoleMappingSaas_basic(t *testing.T) {
+	if !isSaasEnv() {
+		t.Skip("Skipping role mapping SaaS test - not a SaaS environment")
+	}
+
+	roleName := acctest.RandomWithPrefix("tf-role")
+	permSetName := acctest.RandomWithPrefix("tf-pset")
+	samlGroups := []string{"DevTeam", "SecTeam"}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckRoleMappingSaasDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccRoleMappingSaasConfig(permSetName, roleName, samlGroups),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckRoleMappingSaasExists(testRoleMappingSaasResourceName),
+					resource.TestCheckResourceAttr(testRoleMappingSaasResourceName, "csp_role", roleName),
+					resource.TestCheckResourceAttr(testRoleMappingSaasResourceName, "saml_groups.#", "2"),
+				),
+			},
+			{
+				ResourceName:      testRoleMappingSaasResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccRoleMappingSaasConfig(permSetName, roleName string, groups []string) string {
+	groupsStr := ""
+	for _, g := range groups {
+		groupsStr += fmt.Sprintf("\"%s\", ", g)
+	}
+	groupsStr = groupsStr[:len(groupsStr)-2]
+
+	return fmt.Sprintf(`
+resource "aquasec_permission_set_saas" "ps" {
+  name        = "%s"
+  description = "TF-generated permission set"
+  actions     = ["account_mgmt.groups.read"]
+}
+
+resource "aquasec_role" "r" {
+  role_name   = "%s"
+  description = "TF-generated role"
+  permission  = aquasec_permission_set_saas.ps.name
+  scopes      = ["Global"]
+}
+
+resource "aquasec_role_mapping_saas" "test" {
+  saml_groups = [%s]
+  csp_role    = aquasec_role.r.role_name
+}
+`, permSetName, roleName, groupsStr)
+}
+
+func testAccCheckRoleMappingSaasExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Resource not found in state: %s", n)
+		}
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("ID not set for resource: %s", n)
+		}
+		cli := testAccProvider.Meta().(*client.Client)
+		_, err := cli.GetRoleMappingSaas(rs.Primary.ID)
+		return err
+	}
+}
+
+func testAccCheckRoleMappingSaasDestroy(s *terraform.State) error {
+	cli := testAccProvider.Meta().(*client.Client)
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aquasec_role_mapping_saas" {
+			continue
+		}
+		_, err := cli.GetRoleMappingSaas(rs.Primary.ID)
+		if err == nil {
+			return fmt.Errorf("role mapping %q still exists", rs.Primary.ID)
+		}
+	}
+	return nil
+}

client/role_mapping_saas.go

@@ -0,0 +1,169 @@
+package client
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/pkg/errors"
+
+)
+
+type RoleMappingSaas struct {
+	CspRole    string   `json:"csp_role"`
+	SamlGroups []string `json:"saml_groups"`
+	Id         int      `json:"id"`
+	Created    string   `json:"created"`
+	AccountId  int      `json:"account_id"`
+}
+
+type RoleMappingSaasList struct {
+	Items []RoleMappingSaas `json:"data"`
+}
+
+type RoleMappingSaasResponse struct {
+	RoleMappingSaas RoleMappingSaas `json:"data"`
+}
+
+const roleMappingBasePath = "/api/cspm/v2/samlmappings"
+
+func (cli *Client) GetRoleMappingSaas(id string) (*RoleMappingSaas, error) {
+	if cli.clientType != Saas && cli.clientType != SaasDev {
+		return nil, fmt.Errorf("GetRoleMappingSaas is supported only in Aqua SaaS environment")
+	}
+
+	if err := cli.limiter.Wait(context.Background()); err != nil {
+		return nil, err
+	}
+
+	url := fmt.Sprintf("%s%s/%s", cli.saasUrl, roleMappingBasePath, id)
+	resp, body, errs := cli.gorequest.Clone().Get(url).
+		Set("Authorization", fmt.Sprintf(authHeaderFormat, cli.token)).End()
+
+	if len(errs) > 0 {
+		return nil, fmt.Errorf("failed GET %s: %v", url, errs)
+	}
+	if resp.StatusCode != statusOK {
+		return nil, fmt.Errorf("unexpected status code: %d, response: %s", resp.StatusCode, body)
+	}
+
+	var result RoleMappingSaasResponse
+	if err := json.Unmarshal([]byte(body), &result); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal RoleMappingSaas response")
+	}
+	return &result.RoleMappingSaas, nil
+}
+
+func (cli *Client) GetRolesMappingSaas() (*RoleMappingSaasList, error) {
+	if cli.clientType != Saas && cli.clientType != SaasDev {
+		return nil, fmt.Errorf("GetRolesMappingSaas is supported only in Aqua SaaS environment")
+	}
+
+	if err := cli.limiter.Wait(context.Background()); err != nil {
+		return nil, err
+	}
+
+	url := fmt.Sprintf("%s%s", cli.saasUrl, roleMappingBasePath)
+	resp, body, errs := cli.gorequest.Clone().Get(url).
+		Set("Authorization", fmt.Sprintf(authHeaderFormat, cli.token)).End()
+
+	if len(errs) > 0 {
+		return nil, fmt.Errorf("failed GET %s: %v", url, errs)
+	}
+	if resp.StatusCode != statusOK {
+		return nil, fmt.Errorf("unexpected status code: %d, response: %s", resp.StatusCode, body)
+	}
+
+	var result RoleMappingSaasList
+	if err := json.Unmarshal([]byte(body), &result); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal RoleMappingSaas list")
+	}
+	return &result, nil
+}
+
+func (cli *Client) CreateRoleMappingSaas(saas *RoleMappingSaas) error {
+	if cli.clientType != Saas && cli.clientType != SaasDev {
+		return fmt.Errorf("CreateRoleMappingSaas is supported only in Aqua SaaS environment")
+	}
+
+	if err := cli.limiter.Wait(context.Background()); err != nil {
+		return err
+	}
+
+	url := fmt.Sprintf("%s%s", cli.saasUrl, roleMappingBasePath)
+	saasPayload := map[string]interface{}{
+		"csp_role":     saas.CspRole,
+		"saml_groups": saas.SamlGroups,
+	}
+	payload, _ := json.Marshal(saasPayload)
+
+	resp, body, errs := cli.gorequest.Clone().Post(url).
+		Set("Authorization", fmt.Sprintf(authHeaderFormat, cli.token)).
+		Send(string(payload)).End()
+
+	if len(errs) > 0 {
+		return fmt.Errorf("failed POST %s: %v", url, errs)
+	}
+	if resp.StatusCode != statusCreated {
+		return fmt.Errorf("unexpected status code: %d, response: %s", resp.StatusCode, body)
+	}
+
+	var response RoleMappingSaasResponse
+	if err := json.Unmarshal([]byte(body), &response); err != nil {
+		return errors.Wrap(err, "failed to unmarshal response after creation")
+	}
+	saas.Id = response.RoleMappingSaas.Id
+	saas.Created = response.RoleMappingSaas.Created
+	saas.AccountId = response.RoleMappingSaas.AccountId
+	return nil
+}
+
+func (cli *Client) UpdateRoleMappingSaas(saas *RoleMappingSaas, id string) error {
+	if cli.clientType != Saas && cli.clientType != SaasDev {
+		return fmt.Errorf("UpdateRoleMappingSaas is supported only in Aqua SaaS environment")
+	}
+
+	if err := cli.limiter.Wait(context.Background()); err != nil {
+		return err
+	}
+
+	url := fmt.Sprintf("%s%s/%s", cli.saasUrl, roleMappingBasePath, id)
+	payloadMap := map[string]interface{}{
+		"saml_groups": saas.SamlGroups,
+	}
+	payload, _ := json.Marshal(payloadMap)
+
+	resp, body, errs := cli.gorequest.Clone().Put(url).
+		Set("Authorization", fmt.Sprintf(authHeaderFormat, cli.token)).
+		Send(string(payload)).End()
+
+	if len(errs) > 0 {
+		return fmt.Errorf("failed PUT %s: %v", url, errs)
+	}
+	if resp.StatusCode != statusNoContent {
+		return fmt.Errorf("unexpected status code: %d, response: %s", resp.StatusCode, body)
+	}
+	return nil
+}
+
+func (cli *Client) DeleteRoleMappingSaas(id string) error {
+	if cli.clientType != Saas && cli.clientType != SaasDev {
+		return fmt.Errorf("DeleteRoleMappingSaas is supported only in Aqua SaaS environment")
+	}
+
+	if err := cli.limiter.Wait(context.Background()); err != nil {
+		return err
+	}
+
+	url := fmt.Sprintf("%s%s/%s", cli.saasUrl, roleMappingBasePath, id)
+	resp, body, errs := cli.gorequest.Clone().Delete(url).
+		Set("Authorization", fmt.Sprintf(authHeaderFormat, cli.token)).End()
+
+	if len(errs) > 0 {
+		return fmt.Errorf("failed DELETE %s: %v", url, errs)
+	}
+	if resp.StatusCode != statusOK {
+		return fmt.Errorf("unexpected status code: %d, response: %s", resp.StatusCode, body)
+	}
+	return nil
+}