feat: resource service account oidc identity

OctopusDeployLabs · Nov 20, 2024 · 25c7f53 · 25c7f53
1 parent 51ec30c
commit 25c7f53
Show file tree

Hide file tree

Showing 6 changed files with 267 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/OctopusDeploy/terraform-provider-octopusdeploy
 go 1.21
 
 require (
-	github.com/OctopusDeploy/go-octopusdeploy/v2 v2.55.0
+	github.com/OctopusDeploy/go-octopusdeploy/v2 v2.60.0
 	github.com/OctopusSolutionsEngineering/OctopusTerraformTestFramework v0.0.0-20240729041805-46db6fb717b4
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637

diff --git a/go.sum b/go.sum
@@ -22,6 +22,7 @@ github.com/OctopusDeploy/go-octodiff v1.0.0 h1:U+ORg6azniwwYo+O44giOw6TiD5USk8S4
 github.com/OctopusDeploy/go-octodiff v1.0.0/go.mod h1:Mze0+EkOWTgTmi8++fyUc6r0aLZT7qD9gX+31t8MmIU=
 github.com/OctopusDeploy/go-octopusdeploy/v2 v2.55.0 h1:kX6qRRy8AgbqTiYdenqVNe69pGhntwJGEgJx9rtn9/8=
 github.com/OctopusDeploy/go-octopusdeploy/v2 v2.55.0/go.mod h1:ggvOXzMnq+w0pLg6C9zdjz6YBaHfO3B3tqmmB7JQdaw=
+github.com/OctopusDeploy/go-octopusdeploy/v2 v2.60.0/go.mod h1:ggvOXzMnq+w0pLg6C9zdjz6YBaHfO3B3tqmmB7JQdaw=
 github.com/OctopusSolutionsEngineering/OctopusTerraformTestFramework v0.0.0-20240729041805-46db6fb717b4 h1:QfbVf0bOIRMp/WHAWsuVDB7KHoWnRsGbvDuOf2ua7k4=
 github.com/OctopusSolutionsEngineering/OctopusTerraformTestFramework v0.0.0-20240729041805-46db6fb717b4/go.mod h1:Oq9KbiRNDBB5jFmrwnrgLX0urIqR/1ptY18TzkqXm7M=
 github.com/ProtonMail/go-crypto v1.1.0-alpha.2 h1:bkyFVUP+ROOARdgCiJzNQo2V2kiB97LyUpzH9P6Hrlg=

diff --git a/octopusdeploy_framework/framework_provider.go b/octopusdeploy_framework/framework_provider.go
@@ -114,6 +114,7 @@ func (p *octopusDeployFrameworkProvider) Resources(ctx context.Context) []func()
 		NewTentacleCertificateResource,
 		NewScriptModuleResource,
 		NewUserResource,
+		NewServiceAccountOIDCIdentity,
 	}
 }
 

diff --git a/octopusdeploy_framework/resource_service_account_oidc_identity.go b/octopusdeploy_framework/resource_service_account_oidc_identity.go
@@ -0,0 +1,124 @@
+package octopusdeploy_framework
+
+import (
+	"context"
+	"github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/serviceaccounts"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/internal/errors"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/schemas"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/util"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+var _ resource.Resource = &ServiceAccountOIDCIdentity{}
+
+type ServiceAccountOIDCIdentity struct {
+	*Config
+}
+
+func NewServiceAccountOIDCIdentity() resource.Resource {
+	return &ServiceAccountOIDCIdentity{}
+}
+
+func (s *ServiceAccountOIDCIdentity) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = util.GetTypeName(schemas.ServiceAccountOIDCIdentityResourceName)
+}
+
+func (s *ServiceAccountOIDCIdentity) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schemas.ServiceAccountOIDCIdentitySchema{}.GetResourceSchema()
+}
+
+func (s *ServiceAccountOIDCIdentity) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	s.Config = ResourceConfiguration(req, resp)
+}
+func (s *ServiceAccountOIDCIdentity) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	identityRequest := mapServiceAccountOIDCModelToRequest(&plan)
+	identityCreateResponse, err := serviceaccounts.AddOIDCIdentity(s.Client, identityRequest)
+	if err != nil {
+		resp.Diagnostics.AddError("Error creating OIDC identity", err.Error())
+	}
+	identityResponse, err := serviceaccounts.GetOIDCIdentityByID(s.Client, identityRequest.ServiceAccountID, identityCreateResponse.ID)
+	if err != nil {
+		resp.Diagnostics.AddError("Error creating OIDC identity", err.Error())
+	}
+
+	updateServiceAccountOIDCModel(identityResponse, &plan)
+	resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)
+}
+
+func (s *ServiceAccountOIDCIdentity) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var state schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	identityResponse, err := serviceaccounts.GetOIDCIdentityByID(s.Client, state.ServiceAccountID.ValueString(), state.ID.ValueString())
+	if err != nil {
+		if err := errors.ProcessApiErrorV2(ctx, resp, state, err, "service account OIDC identity"); err != nil {
+			resp.Diagnostics.AddError("Error reading service account OIDC identity", err.Error())
+		}
+		return
+	}
+
+	updateServiceAccountOIDCModel(identityResponse, &state)
+	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
+}
+
+func (s *ServiceAccountOIDCIdentity) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var plan schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	identityRequest := mapServiceAccountOIDCModelToRequest(&plan)
+
+	err := serviceaccounts.UpdateOIDCIdentity(s.Client, identityRequest)
+	if err != nil {
+		resp.Diagnostics.AddError("Error updating service account OIDC identity", err.Error())
+		return
+	}
+	identityResponse, err := serviceaccounts.GetOIDCIdentityByID(s.Client, identityRequest.ServiceAccountID, identityRequest.ID)
+	if err != nil {
+		resp.Diagnostics.AddError("Error creating OIDC identity", err.Error())
+	}
+
+	updateServiceAccountOIDCModel(identityResponse, &plan)
+	resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
+}
+
+func (s *ServiceAccountOIDCIdentity) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	err := serviceaccounts.DeleteOIDCIdentityByID(s.Client, state.ServiceAccountID.ValueString(), state.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Error deleting service account OIDC identity", err.Error())
+		return
+	}
+}
+
+func mapServiceAccountOIDCModelToRequest(model *schemas.OIDCServiceAccountSchemaModel) *serviceaccounts.OIDCIdentity {
+	identity := serviceaccounts.NewOIDCIdentity(model.ServiceAccountID.ValueString(), model.Name.ValueString(), model.Issuer.ValueString(), model.Subject.ValueString())
+	identity.ID = model.ID.ValueString()
+	identity.Name = model.Name.ValueString()
+
+	return identity
+}
+
+func updateServiceAccountOIDCModel(request *serviceaccounts.OIDCIdentity, model *schemas.OIDCServiceAccountSchemaModel) {
+	model.Name = types.StringValue(request.Name)
+	model.Issuer = types.StringValue(request.Issuer)
+	model.Subject = types.StringValue(request.Subject)
+	model.ID = types.StringValue(request.ID)
+	model.ServiceAccountID = types.StringValue(request.ServiceAccountID)
+}
diff --git a/octopusdeploy_framework/resource_service_account_oidc_identity_test.go b/octopusdeploy_framework/resource_service_account_oidc_identity_test.go
@@ -0,0 +1,89 @@
+package octopusdeploy_framework
+
+import (
+	"fmt"
+	"github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/serviceaccounts"
+	"github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/users"
+	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"testing"
+)
+
+func TestAccOctopusDeployServiceAccountOIDCIdentity(t *testing.T) {
+	localName := acctest.RandStringFromCharSet(20, acctest.CharSetAlpha)
+	prefix := "octopusdeploy_service_account_oidc_identity." + localName
+
+	localUserName := acctest.RandStringFromCharSet(20, acctest.CharSetAlpha)
+	userPrefix := " octopusdeploy_user." + localUserName
+
+	userData := users.User{
+		DisplayName:  acctest.RandStringFromCharSet(20, acctest.CharSetAlpha),
+		EmailAddress: acctest.RandStringFromCharSet(10, acctest.CharSetAlpha) + "@test.com",
+		Username:     acctest.RandStringFromCharSet(20, acctest.CharSetAlpha),
+	}
+
+	data := serviceaccounts.OIDCIdentity{
+		Name:             acctest.RandStringFromCharSet(20, acctest.CharSetAlpha),
+		ServiceAccountID: userPrefix + ".id",
+		Issuer:           "https://token.actions.githubusercontent.com",
+		Subject:          "repo:test/test:environment:test",
+	}
+
+	resource.Test(t, resource.TestCase{
+		CheckDestroy:             testScriptModuleCheckDestroy,
+		PreCheck:                 func() { TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: ProtoV6ProviderFactories(),
+		Steps: []resource.TestStep{
+			{
+				Config: testServiceAccountIdentityConfig(localName, localUserName, data, userData),
+				Check: resource.ComposeTestCheckFunc(
+					testScriptModuleExists(prefix),
+					resource.TestCheckResourceAttr(prefix, "name", data.Name),
+					resource.TestCheckResourceAttr(prefix, "service_account_id", data.ServiceAccountID),
+					resource.TestCheckResourceAttr(prefix, "issuer", data.Issuer),
+					resource.TestCheckResourceAttr(prefix, "subject", data.Subject),
+				),
+			},
+			{
+				Config: testServiceAccountIdentityConfig(localName, localUserName, data, userData),
+				Check: resource.ComposeTestCheckFunc(
+					testScriptModuleExists(prefix),
+					resource.TestCheckResourceAttr(prefix, "name", data.Name+"-updated"),
+					resource.TestCheckResourceAttr(prefix, "service_account_id", data.ServiceAccountID),
+					resource.TestCheckResourceAttr(prefix, "issuer", data.Issuer),
+					resource.TestCheckResourceAttr(prefix, "subject", data.Subject),
+				),
+			},
+		},
+	})
+}
+
+func testServiceAccountIdentityConfig(localName string, localUserName string, data serviceaccounts.OIDCIdentity, userData users.User) string {
+	return fmt.Sprintf(`
+	resource "octopusdeploy_user" "%s" {
+		display_name = "%s"
+		email_address = "%s"
+		is_active = true
+		is_service = true
+		username = "%s"
+	}
+	resource "octopusdeploy_service_account_oidc_identity" "%s" {
+		name        = "%s"
+		service_account_id = "%s"
+		issuer = "%s"
+		subject = "%s"
+	}`,
+		localUserName,
+		userData.DisplayName,
+		userData.EmailAddress,
+		userData.Username,
+		localName,
+		data.Name,
+		data.Issuer,
+		data.Subject)
+}
+
+func testServiceAccountIdentityUpdate(localName string, localUserName string, data serviceaccounts.OIDCIdentity, userData users.User) string {
+	data.Name = data.Name + "-updated"
+	return testServiceAccountIdentityUpdate(localName, localUserName, data, userData)
+}
diff --git a/octopusdeploy_framework/schemas/service_account_oidc_identity.go b/octopusdeploy_framework/schemas/service_account_oidc_identity.go
@@ -0,0 +1,51 @@
+package schemas
+
+import (
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/util"
+	datasourceSchema "github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	resourceSchema "github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+const ServiceAccountOIDCIdentityResourceName = "service_account_oidc_identity"
+
+type ServiceAccountOIDCIdentitySchema struct{}
+
+var _ EntitySchema = ServiceAccountOIDCIdentitySchema{}
+
+func (d ServiceAccountOIDCIdentitySchema) GetResourceSchema() resourceSchema.Schema {
+	return resourceSchema.Schema{
+		Attributes: map[string]resourceSchema.Attribute{
+			"id":   GetIdResourceSchema(),
+			"name": GetNameResourceSchema(true),
+			"service_account_id": util.ResourceString().
+				Description("ID of the user to associate this identity to").
+				Required().
+				PlanModifiers(stringplanmodifier.RequiresReplace()).
+				Build(),
+			"issuer": util.ResourceString().
+				Description("OIDC issuer url").
+				Required().
+				Build(),
+			"subject": util.ResourceString().
+				Description("OIDC subject claims").
+				Required().
+				Build(),
+		},
+		Description: "This resource manages manages OIDC service account for the associated user",
+	}
+}
+
+func (d ServiceAccountOIDCIdentitySchema) GetDatasourceSchema() datasourceSchema.Schema {
+	return datasourceSchema.Schema{}
+}
+
+type OIDCServiceAccountSchemaModel struct {
+	ServiceAccountID types.String `tfsdk:"service_account_id"`
+	Name             types.String `tfsdk:"name"`
+	Issuer           types.String `tfsdk:"issuer"`
+	Subject          types.String `tfsdk:"subject"`
+
+	ResourceModel
+}