New resource: wiz_saml_group_mapping (#216)
NerdJeremia authored Nov 18, 2024
1 parent 09592dc commit 59fb845
Showing 10 changed files with 775 additions and 0 deletions.
124 changes: 124 additions & 0 deletions docs/resources/saml_group_mapping.md
@@ -0,0 +1,124 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "wiz_saml_group_mapping Resource - terraform-provider-wiz"
subcategory: ""
description: |-
Configure SAML Group Role Mapping. When using SSO to authenticate with Wiz, you can map group memberships in SAML assertions to Wiz roles across specific scopes.
---

# wiz_saml_group_mapping (Resource)

Configure SAML Group Role Mapping. When using SSO to authenticate with Wiz, you can map group memberships in SAML assertions to Wiz roles across specific scopes.

## Example Usage

```terraform
# Configure SAML Group Role Mapping on a global scope
resource "wiz_saml_group_mapping" "test_global_scope" {
saml_idp_id = "test-saml-identity-provider"
group_mappings = [
{
provider_group_id = "global-reader-group-id"
role = "PROJECT_READER"
}
]
}
# Configure SAML Group Role Mapping for a single project
resource "wiz_saml_group_mapping" "test_single_project" {
saml_idp_id = "test-saml-identity-provider"
group_mappings = [
{
provider_group_id = "admin-group-id"
role = "PROJECT_ADMIN"
projects = [
"ee25cc95-82b0-4543-8934-5bc655b86786"
]
}
]
}
# Configure SAML Group Role Mapping for multiple projects
resource "wiz_saml_group_mapping" "test_multi_project" {
saml_idp_id = "test-saml-identity-provider"
group_mappings = [
{
provider_group_id = "member-group-id"
role = "PROJECT_MEMBER"
projects = [
"ee25cc95-82b0-4543-8934-5bc655b86786",
"e7f6542c-81f6-43cf-af48-bdd77f09650d"
]
}
]
}
# Configure multiple SAML Group Role Mappings
resource "wiz_saml_group_mapping" "test_multi_mappings" {
saml_idp_id = "test-saml-identity-provider"
group_mappings = [
{
provider_group_id = "global-reader-group-id"
role = "PROJECT_READER"
},
{
provider_group_id = "admin-group-id"
role = "PROJECT_ADMIN"
projects = [
"ee25cc95-82b0-4543-8934-5bc655b86786"
]
},
{
provider_group_id = "member-group-id"
role = "PROJECT_MEMBER"
projects = [
"ee25cc95-82b0-4543-8934-5bc655b86786",
"e7f6542c-81f6-43cf-af48-bdd77f09650d"
]
}
]
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `group_mapping` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--group_mapping))
- `saml_idp_id` (String) Identifier for the Saml Provider

### Read-Only

- `id` (String) Unique tf-internal identifier for the saml group mapping

<a id="nestedblock--group_mapping"></a>
### Nested Schema for `group_mapping`

Required:

- `provider_group_id` (String) Provider group ID
- `role` (String) Wiz Role name

Optional:

- `projects` (List of String) Project mapping

## Import

Import is supported using the following syntax:

```shell
# The id for importing resources has to be in this format: 'mapping|<saml_idp_id>|<provider_group_id>:<project_ids>:<role>#...'.
# Import with saml mapping to multiple projects
terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a,ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_READER"

# Import with mapping to single project
terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER"

# Import with global mapping
terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7::PROJECT_READER"

# Import with multiple group mappings
terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER#12345678-1234-1234-1234-123456789012:ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_WRITER"
```
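--- a/examples/resources/wiz_saml_group_mapping/import.sh
+++ b/examples/resources/wiz_saml_group_mapping/import.sh
@@ -0,0 +1,12 @@
+# The id for importing resources has to be in this format: 'mapping|<saml_idp_id>|<provider_group_id>:<project_ids>:<role>#...'.
+# Import with saml mapping to multiple projects
+terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a,ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_READER"
+
+# Import with mapping to single project
+terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER"
+
+# Import with global mapping
+terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7::PROJECT_READER"
+
+# Import with multiple group mappings
+terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER#12345678-1234-1234-1234-123456789012:ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_WRITER"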
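--- a/examples/resources/wiz_saml_group_mapping/resource.tf
+++ b/examples/resources/wiz_saml_group_mapping/resource.tf
@@ -0,0 +1,65 @@
+# Configure SAML Group Role Mapping on a global scope
+resource "wiz_saml_group_mapping" "test_global_scope" {
+saml_idp_id = "test-saml-identity-provider"
+group_mappings = [
+{
+provider_group_id = "global-reader-group-id"
+role = "PROJECT_READER"
+}
+]
+}
+
+# Configure SAML Group Role Mapping for a single project
+resource "wiz_saml_group_mapping" "test_single_project" {
+saml_idp_id = "test-saml-identity-provider"
+group_mappings = [
+{
+provider_group_id = "admin-group-id"
+role = "PROJECT_ADMIN"
+projects = [
+"ee25cc95-82b0-4543-8934-5bc655b86786"
+]
+}
+]
+}
+
+# Configure SAML Group Role Mapping for multiple projects
+resource "wiz_saml_group_mapping" "test_multi_project" {
+saml_idp_id = "test-saml-identity-provider"
+group_mappings = [
+{
+provider_group_id = "member-group-id"
+role = "PROJECT_MEMBER"
+projects = [
+"ee25cc95-82b0-4543-8934-5bc655b86786",
+"e7f6542c-81f6-43cf-af48-bdd77f09650d"
+]
+}
+]
+}
+
+# Configure multiple SAML Group Role Mappings
+resource "wiz_saml_group_mapping" "test_multi_mappings" {
+saml_idp_id = "test-saml-identity-provider"
+group_mappings = [
+{
+provider_group_id = "global-reader-group-id"
+role = "PROJECT_READER"
+},
+{
+provider_group_id = "admin-group-id"
+role = "PROJECT_ADMIN"
+projects = [
+"ee25cc95-82b0-4543-8934-5bc655b86786"
+]
+},
+{
+provider_group_id = "member-group-id"
+role = "PROJECT_MEMBER"
+projects = [
+"ee25cc95-82b0-4543-8934-5bc655b86786",
+"e7f6542c-81f6-43cf-af48-bdd77f09650d"
+]
+}
+]
+}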
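Review bot: Every example in this file sets `group_mappings = [ { ... } ]` as a list attribute, but the schema this commit documents in docs/resources/saml_group_mapping.md declares the argument as `group_mapping` (Block Set, Min: 1), and the acceptance test config in internal/acceptance/resource_saml_group_mapping_test.go uses the `group_mapping { ... }` block form; unless the resource also accepts a `group_mappings` attribute, which nothing on this page shows, these examples would be rejected at plan time with an unsupported-argument error. Since the docs page embeds this file, the generated documentation carries the same mismatch and would mislead anyone copying it. All four resources need the same rewrite; the first one is shown below and the others follow the same pattern, with one `group_mapping` block per mapping in `test_multi_mappings`.
```terraform
resource "wiz_saml_group_mapping" "test_global_scope" {
  saml_idp_id = "test-saml-identity-provider"
  group_mapping {
    provider_group_id = "global-reader-group-id"
    role              = "PROJECT_READER"
  }
}
# … unchanged: the remaining three resources, rewritten the same way …
```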
2 changes: 2 additions & 0 deletions internal/acceptance/common.go
Expand Up @@ -27,4 +27,6 @@ const (
TcCloudConfigRule TestCase = "CLOUD_CONFIG_RULE"
// TcProjectCloudAccountLink test case
TcProjectCloudAccountLink = "PROJECT_CLOUD_ACCOUNT_LINK"
// TcSAMLGroupMapping test case
TcSAMLGroupMapping TestCase = "SAML_GROUP_MAPPING"
)
2 changes: 2 additions & 0 deletions internal/acceptance/provider_test.go
Expand Up @@ -49,6 +49,8 @@ func testAccPreCheck(t *testing.T, tc TestCase) {
envVars = append(commonEnvVars, "WIZ_PROJECT_ID")
case TcProjectCloudAccountLink:
envVars = append(commonEnvVars, "WIZ_PROJECT_ID", "WIZ_SUBSCRIPTION_ID")
case TcSAMLGroupMapping:
envVars = append(commonEnvVars, "WIZ_PROJECT_ID", "WIZ_PROVIDER_GROUP_ID", "WIZ_SAML_IDP_ID")
default:
t.Fatalf("unknown testCase: %s", tc)
}
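--- a/internal/acceptance/resource_saml_group_mapping_test.go
+++ b/internal/acceptance/resource_saml_group_mapping_test.go
@@ -0,0 +1,56 @@
+package acceptance
+
+import (
+"fmt"
+"os"
+"testing"
+
+"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccResourceWizSAMLGroupMapping_basic(t *testing.T) {
+samlIdpID := os.Getenv("WIZ_SAML_IDP_ID")
+providerGroupID := os.Getenv("WIZ_PROVIDER_GROUP_ID")
+projectID := os.Getenv("WIZ_PROJECT_ID")
+
+resource.UnitTest(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t, TcSAMLGroupMapping) },
+ProviderFactories: providerFactories,
+Steps: []resource.TestStep{
+{
+Config: testResourceWizSAMLGroupMappingBasic(samlIdpID, providerGroupID, projectID),
+Check: resource.ComposeTestCheckFunc(
+resource.TestCheckResourceAttr(
+"wiz_saml_group_mapping.foo",
+"saml_idp_id",
+samlIdpID,
+),
+resource.TestCheckResourceAttr(
+"wiz_saml_group_mapping.foo",
+"group_mapping.0.provider_group_id",
+providerGroupID,
+),
+resource.TestCheckResourceAttr(
+"wiz_saml_group_mapping.foo",
+"group_mapping.0.projects.0",
+projectID,
+),
+),
+},
+},
+})
+}
+
+func testResourceWizSAMLGroupMappingBasic(samlIdpID string, providerGroupID string, projectID string) string {
+return fmt.Sprintf(`
+resource "wiz_saml_group_mapping" "foo" {
+saml_idp_id = "%s"
+group_mapping {
+provider_group_id = "%s"
+role = "PROJECT_READER"
+projects = [
+"%s"
+]
+}
+}`, samlIdpID, providerGroupID, projectID)
+}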
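Review bot: The check list in TestAccResourceWizSAMLGroupMapping_basic never asserts the role that the config sets, so a mapping persisted with a different (possibly more privileged) role than `PROJECT_READER` would still pass; add `resource.TestCheckResourceAttr("wiz_saml_group_mapping.foo", "group_mapping.0.role", "PROJECT_READER"),` alongside the projects check. Since the resource advertises a custom import ID format (`mapping|<saml_idp_id>|...`), a second step with `ImportState: true` and `ImportStateVerify: true` would also exercise the ID parser, which this commit otherwise leaves untested by the acceptance suite. The global-scope case (no `projects`) is documented in the examples but has no step here either; a second config helper without the `projects` list would cover it.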
1 change: 1 addition & 0 deletions internal/provider/provider.go
Expand Up @@ -299,6 +299,7 @@ yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/
"wiz_report_graph_query": resourceWizReportGraphQuery(),
"wiz_project": resourceWizProject(),
"wiz_saml_idp": resourceWizSAMLIdP(),
"wiz_saml_group_mapping": resourceWizSAMLGroupMapping(),
"wiz_security_framework": resourceWizSecurityFramework(),
"wiz_service_account": resourceWizServiceAccount(),
"wiz_user": resourceWizUser(),