From 39fe8deb79c5d2bcbf2335d13fef33ec49244ddd Mon Sep 17 00:00:00 2001 From: domenicsim1 <87625140+domenicsim1@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:58:55 +1100 Subject: [PATCH] feat: service account OIDC Identity resource (#821) --- .../service_account_oidc_identity.md | 32 +++++ .../service_account_oidc_identity.md | 29 ++++ go.mod | 2 +- go.sum | 4 +- ...atasource_service_account_oidc_identity.go | 57 ++++++++ octopusdeploy_framework/framework_provider.go | 2 + .../resource_service_account_oidc_identity.go | 127 ++++++++++++++++++ ...urce_service_account_oidc_identity_test.go | 87 ++++++++++++ .../schemas/service_account_oidc_identity.go | 81 +++++++++++ 9 files changed, 418 insertions(+), 3 deletions(-) create mode 100644 docs/data-sources/service_account_oidc_identity.md create mode 100644 docs/resources/service_account_oidc_identity.md create mode 100644 octopusdeploy_framework/datasource_service_account_oidc_identity.go create mode 100644 octopusdeploy_framework/resource_service_account_oidc_identity.go create mode 100644 octopusdeploy_framework/resource_service_account_oidc_identity_test.go create mode 100644 octopusdeploy_framework/schemas/service_account_oidc_identity.go diff --git a/docs/data-sources/service_account_oidc_identity.md b/docs/data-sources/service_account_oidc_identity.md new file mode 100644 index 00000000..13da6999 --- /dev/null +++ b/docs/data-sources/service_account_oidc_identity.md 
@@ -0,0 +1,32 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "octopusdeploy_service_account_oidc_identity Data Source - terraform-provider-octopusdeploy" +subcategory: "" +description: |- + +--- + +# octopusdeploy_service_account_oidc_identity (Data Source) + + + + + + +## Schema + +### Required + +- `service_account_id` (String) ID of the user associated to this identity + +### Optional + +- `id` (String) The unique ID for this resource. + +### Read-Only + +- `issuer` (String) OIDC issuer url +- `name` (String) Name of the user associated to this identity +- `subject` (String) OIDC subject claims + + diff --git a/docs/resources/service_account_oidc_identity.md b/docs/resources/service_account_oidc_identity.md new file mode 100644 index 00000000..eedfcda2 --- /dev/null +++ b/docs/resources/service_account_oidc_identity.md @@ -0,0 +1,29 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "octopusdeploy_service_account_oidc_identity Resource - terraform-provider-octopusdeploy" +subcategory: "" +description: |- + This resource manages manages OIDC service account for the associated user +--- + +# octopusdeploy_service_account_oidc_identity (Resource) + +This resource manages manages OIDC service account for the associated user + + + + +## Schema + +### Required + +- `issuer` (String) OIDC issuer url +- `name` (String) The name of this resource. +- `service_account_id` (String) ID of the user to associate this identity to +- `subject` (String) OIDC subject claims + +### Read-Only + +- `id` (String) The unique ID for this resource. + + diff --git a/go.mod b/go.mod index 8dcc68c2..7e10c51b 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module github.com/OctopusDeploy/terraform-provider-octopusdeploy go 1.21 require ( - github.com/OctopusDeploy/go-octopusdeploy/v2 v2.55.0 + github.com/OctopusDeploy/go-octopusdeploy/v2 v2.60.0 github.com/OctopusSolutionsEngineering/OctopusTerraformTestFramework v0.0.0-20240729041805-46db6fb717b4 github.com/google/uuid v1.6.0 github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637 diff --git a/go.sum b/go.sum index 7a39471c..d8eeb086 100644 --- a/go.sum +++ b/go.sum @@ -20,8 +20,8 @@ github.com/Microsoft/hcsshim v0.12.4 h1:Ev7YUMHAHoWNm+aDSPzc5W9s6E2jyL1szpVDJeZ/ github.com/Microsoft/hcsshim v0.12.4/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ= github.com/OctopusDeploy/go-octodiff v1.0.0 h1:U+ORg6azniwwYo+O44giOw6TiD5USk8S4VDhOQ0Ven0= github.com/OctopusDeploy/go-octodiff v1.0.0/go.mod h1:Mze0+EkOWTgTmi8++fyUc6r0aLZT7qD9gX+31t8MmIU= -github.com/OctopusDeploy/go-octopusdeploy/v2 v2.55.0 h1:kX6qRRy8AgbqTiYdenqVNe69pGhntwJGEgJx9rtn9/8= -github.com/OctopusDeploy/go-octopusdeploy/v2 v2.55.0/go.mod h1:ggvOXzMnq+w0pLg6C9zdjz6YBaHfO3B3tqmmB7JQdaw= +github.com/OctopusDeploy/go-octopusdeploy/v2 v2.60.0 h1:9j4IQ1UcAuaTytlBzQ7Mmoy/dLtofYfSGNiM22+sLXs= +github.com/OctopusDeploy/go-octopusdeploy/v2 v2.60.0/go.mod h1:ggvOXzMnq+w0pLg6C9zdjz6YBaHfO3B3tqmmB7JQdaw= github.com/OctopusSolutionsEngineering/OctopusTerraformTestFramework v0.0.0-20240729041805-46db6fb717b4 h1:QfbVf0bOIRMp/WHAWsuVDB7KHoWnRsGbvDuOf2ua7k4= github.com/OctopusSolutionsEngineering/OctopusTerraformTestFramework v0.0.0-20240729041805-46db6fb717b4/go.mod h1:Oq9KbiRNDBB5jFmrwnrgLX0urIqR/1ptY18TzkqXm7M= github.com/ProtonMail/go-crypto v1.1.0-alpha.2 h1:bkyFVUP+ROOARdgCiJzNQo2V2kiB97LyUpzH9P6Hrlg= diff --git a/octopusdeploy_framework/datasource_service_account_oidc_identity.go b/octopusdeploy_framework/datasource_service_account_oidc_identity.go new file mode 100644 index 00000000..eac1c4bf --- /dev/null +++ b/octopusdeploy_framework/datasource_service_account_oidc_identity.go 
@@ -0,0 +1,57 @@
+package octopusdeploy_framework
+
+import (
+	"context"
+	"github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/serviceaccounts"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/schemas"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/util"
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type serviceAccountOIDCIdentityDataSource struct {
+	*Config
+}
+
+func NewServiceAccountOIDCIdentityDataSource() datasource.DataSource {
+	return &serviceAccountOIDCIdentityDataSource{}
+}
+
+func (*serviceAccountOIDCIdentityDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = util.GetTypeName(schemas.ServiceAccountOIDCIdentityDatasourceName)
+}
+
+func (s *serviceAccountOIDCIdentityDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	s.Config = DataSourceConfiguration(req, resp)
+}
+
+func (*serviceAccountOIDCIdentityDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schemas.ServiceAccountOIDCIdentitySchema{}.GetDatasourceSchema()
+}
+
+func (s *serviceAccountOIDCIdentityDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+	var err error
+	var data schemas.OIDCServiceAccountDatasourceSchemaModel
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	oidcIdentity, err := serviceaccounts.GetOIDCIdentityByID(s.Client, data.ServiceAccountID.ValueString(), data.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("unable to load service account OIDC Identity", err.Error())
+		return
+	}
+
+	updateServiceAccountOIDCDataModel(oidcIdentity, &data)
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+} + +func updateServiceAccountOIDCDataModel(request *serviceaccounts.OIDCIdentity, model *schemas.OIDCServiceAccountDatasourceSchemaModel) { + model.Name = types.StringValue(request.Name) + model.Issuer = types.StringValue(request.Issuer) + model.Subject = types.StringValue(request.Subject) + model.ID = types.StringValue(request.ID) + model.ServiceAccountID = types.StringValue(request.ServiceAccountID) +} diff --git a/octopusdeploy_framework/framework_provider.go b/octopusdeploy_framework/framework_provider.go index b738e4ff..a1cdb241 100644 --- a/octopusdeploy_framework/framework_provider.go +++ b/octopusdeploy_framework/framework_provider.go @@ -84,6 +84,7 @@ func (p *octopusDeployFrameworkProvider) DataSources(ctx context.Context) []func NewScriptModuleDataSource, NewTenantProjectDataSource, NewUsersDataSource, + NewServiceAccountOIDCIdentityDataSource, NewWorkersDataSource, } } @@ -124,6 +125,7 @@ func (p *octopusDeployFrameworkProvider) Resources(ctx context.Context) []func() NewSSHConnectionWorkerResource, NewScriptModuleResource, NewUserResource, + NewServiceAccountOIDCIdentity, } } diff --git a/octopusdeploy_framework/resource_service_account_oidc_identity.go b/octopusdeploy_framework/resource_service_account_oidc_identity.go new file mode 100644 index 00000000..4370833f --- /dev/null +++ b/octopusdeploy_framework/resource_service_account_oidc_identity.go 
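Review bot: `Read` hands `data.ID.ValueString()` straight to `serviceaccounts.GetOIDCIdentityByID`, yet the data-source schema and the generated docs mark `id` as optional, so an unset `id` becomes an empty identifier in the lookup and the user gets whatever the client or server does with that instead of a clear diagnostic. Guard it before the call: `if data.ID.IsNull() || data.ID.ValueString() == "" { resp.Diagnostics.AddError("Missing OIDC identity ID", "id must be set to look up a service account OIDC identity"); return }` — or make the attribute required, which is what the code actually needs. The `var err error` at the top of `Read` is redundant, since `oidcIdentity, err := ...` declares `err` anyway; drop it.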
@@ -0,0 +1,127 @@
+package octopusdeploy_framework
+
+import (
+	"context"
+	"github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/serviceaccounts"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/internal/errors"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/schemas"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/util"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+var _ resource.Resource = &ServiceAccountOIDCIdentity{}
+
+type ServiceAccountOIDCIdentity struct {
+	*Config
+}
+
+func NewServiceAccountOIDCIdentity() resource.Resource {
+	return &ServiceAccountOIDCIdentity{}
+}
+
+func (s *ServiceAccountOIDCIdentity) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = util.GetTypeName(schemas.ServiceAccountOIDCIdentityResourceName)
+}
+
+func (s *ServiceAccountOIDCIdentity) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schemas.ServiceAccountOIDCIdentitySchema{}.GetResourceSchema()
+}
+
+func (s *ServiceAccountOIDCIdentity) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	s.Config = ResourceConfiguration(req, resp)
+}
+func (s *ServiceAccountOIDCIdentity) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	identityRequest := mapServiceAccountOIDCModelToRequest(&plan)
+	identityCreateResponse, err := serviceaccounts.AddOIDCIdentity(s.Client, identityRequest)
+	if err != nil {
+		resp.Diagnostics.AddError("Error creating OIDC identity", err.Error())
+		return
+	}
+	identityResponse, err := serviceaccounts.GetOIDCIdentityByID(s.Client, identityRequest.ServiceAccountID, identityCreateResponse.ID)
+	if err != nil {
+		resp.Diagnostics.AddError("Error creating OIDC identity", err.Error())
+		return
+	}
+
+	updateServiceAccountOIDCModel(identityResponse, &plan)
+	resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)
+}
+
+func (s *ServiceAccountOIDCIdentity) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var state schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	identityResponse, err := serviceaccounts.GetOIDCIdentityByID(s.Client, state.ServiceAccountID.ValueString(), state.ID.ValueString())
+	if err != nil {
+		if err := errors.ProcessApiErrorV2(ctx, resp, state, err, "service account OIDC identity"); err != nil {
+			resp.Diagnostics.AddError("Error reading service account OIDC identity", err.Error())
+		}
+		return
+	}
+
+	updateServiceAccountOIDCModel(identityResponse, &state)
+	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
+}
+
+func (s *ServiceAccountOIDCIdentity) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var plan schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	identityRequest := mapServiceAccountOIDCModelToRequest(&plan)
+
+	err := serviceaccounts.UpdateOIDCIdentity(s.Client, identityRequest)
+	if err != nil {
+		resp.Diagnostics.AddError("Error updating service account OIDC identity", err.Error())
+		return
+	}
+	identityResponse, err := serviceaccounts.GetOIDCIdentityByID(s.Client, identityRequest.ServiceAccountID, identityRequest.ID)
+	if err != nil {
+		resp.Diagnostics.AddError("Error creating OIDC identity", err.Error())
+		return
+	}
+
+	updateServiceAccountOIDCModel(identityResponse, &plan)
+	resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
+}
+
+func (s *ServiceAccountOIDCIdentity) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state schemas.OIDCServiceAccountSchemaModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	err := serviceaccounts.DeleteOIDCIdentityByID(s.Client, state.ServiceAccountID.ValueString(), state.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Error deleting service account OIDC identity", err.Error())
+		return
+	}
+}
+
+func mapServiceAccountOIDCModelToRequest(model *schemas.OIDCServiceAccountSchemaModel) *serviceaccounts.OIDCIdentity {
+	identity := serviceaccounts.NewOIDCIdentity(model.ServiceAccountID.ValueString(), model.Name.ValueString(), model.Issuer.ValueString(), model.Subject.ValueString())
+	identity.ID = model.ID.ValueString()
+	identity.Name = model.Name.ValueString()
+
+	return identity
+}
+
+func updateServiceAccountOIDCModel(request *serviceaccounts.OIDCIdentity, model *schemas.OIDCServiceAccountSchemaModel) {
+	model.Name = types.StringValue(request.Name)
+	model.Issuer = types.StringValue(request.Issuer)
+	model.Subject = types.StringValue(request.Subject)
+	model.ID = types.StringValue(request.ID)
+	model.ServiceAccountID = types.StringValue(request.ServiceAccountID)
+}
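Review bot: In `Create`, when `serviceaccounts.GetOIDCIdentityByID` fails after `AddOIDCIdentity` has already succeeded, the function returns without writing any state, so Terraform believes nothing was created while the server now holds an OIDC identity that trusts the configured `issuer`/`subject` for the service account — an untracked trust grant that the next apply will duplicate rather than adopt. Record the identifier before returning on that error path so the framework can mark the resource tainted (assuming the usual plugin-framework behaviour of persisting state set alongside error diagnostics): `plan.ID = types.StringValue(identityCreateResponse.ID)` followed by `resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)` ahead of the `return`, or populate state directly from `identityCreateResponse` if it carries the full identity. The same read-after-write in `Update` reports `"Error creating OIDC identity"` for a read that failed after an update; `"Error reading service account OIDC identity after update"` would stop operators chasing a create that never happened. `mapServiceAccountOIDCModelToRequest` assigns `identity.Name` a second time after `NewOIDCIdentity` already received it; the duplicate line can go.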
diff --git a/octopusdeploy_framework/resource_service_account_oidc_identity_test.go b/octopusdeploy_framework/resource_service_account_oidc_identity_test.go
new file mode 100644
index 00000000..60639b13
--- /dev/null
+++ b/octopusdeploy_framework/resource_service_account_oidc_identity_test.go
@@ -0,0 +1,87 @@ +package octopusdeploy_framework + +import ( + "fmt" + "github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/serviceaccounts" + "github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/users" + "github.com/hashicorp/terraform-plugin-testing/helper/acctest" + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "testing" +) + +func TestAccOctopusDeployServiceAccountOIDCIdentity(t *testing.T) { + localName := acctest.RandStringFromCharSet(20, acctest.CharSetAlpha) + prefix := "octopusdeploy_service_account_oidc_identity." + localName + + localUserName := acctest.RandStringFromCharSet(20, acctest.CharSetAlpha) + userPrefix := " octopusdeploy_user." + localUserName + + userData := users.User{ + DisplayName: acctest.RandStringFromCharSet(20, acctest.CharSetAlpha), + EmailAddress: acctest.RandStringFromCharSet(10, acctest.CharSetAlpha) + "@test.com", + Username: acctest.RandStringFromCharSet(20, acctest.CharSetAlpha), + } + + data := serviceaccounts.OIDCIdentity{ + Name: acctest.RandStringFromCharSet(20, acctest.CharSetAlpha), + ServiceAccountID: userPrefix + ".id", + Issuer: "https://token.actions.githubusercontent.com", + Subject: "repo:test/test:environment:test", + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { TestAccPreCheck(t) }, + ProtoV6ProviderFactories: ProtoV6ProviderFactories(), + Steps: []resource.TestStep{ + { + Config: testServiceAccountIdentityConfig(localName, localUserName, data, userData), + Check: resource.ComposeTestCheckFunc( + testScriptModuleExists(prefix), + resource.TestCheckResourceAttr(prefix, "name", data.Name), + resource.TestCheckResourceAttr(prefix, "issuer", data.Issuer), + resource.TestCheckResourceAttr(prefix, "subject", data.Subject), + ), + }, + { + Config: testServiceAccountIdentityUpdate(localName, localUserName, data, userData), + Check: resource.ComposeTestCheckFunc( + testScriptModuleExists(prefix), + resource.TestCheckResourceAttr(prefix, "name", data.Name+"-updated"), + 
resource.TestCheckResourceAttr(prefix, "issuer", data.Issuer), + resource.TestCheckResourceAttr(prefix, "subject", data.Subject), + ), + }, + }, + }) +} + +func testServiceAccountIdentityConfig(localName string, localUserName string, data serviceaccounts.OIDCIdentity, userData users.User) string { + return fmt.Sprintf(` + resource "octopusdeploy_user" "%s" { + display_name = "%s" + email_address = "%s" + is_active = true + is_service = true + username = "%s" + } + resource "octopusdeploy_service_account_oidc_identity" "%s" { + name = "%s" + service_account_id = %s + issuer = "%s" + subject = "%s" + }`, + localUserName, + userData.DisplayName, + userData.EmailAddress, + userData.Username, + localName, + data.Name, + data.ServiceAccountID, + data.Issuer, + data.Subject) +} + +func testServiceAccountIdentityUpdate(localName string, localUserName string, data serviceaccounts.OIDCIdentity, userData users.User) string { + data.Name = data.Name + "-updated" + return testServiceAccountIdentityConfig(localName, localUserName, data, userData) +} diff --git a/octopusdeploy_framework/schemas/service_account_oidc_identity.go b/octopusdeploy_framework/schemas/service_account_oidc_identity.go new file mode 100644 index 00000000..a68aad52 --- /dev/null +++ b/octopusdeploy_framework/schemas/service_account_oidc_identity.go 
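Review bot: The update step only changes `name`, so the in-place `Update` path for `issuer` and `subject` — the two attributes that decide who can authenticate as the service account — is never exercised; `testServiceAccountIdentityUpdate` could also set `data.Subject = "repo:test/test:environment:updated"` and the second step assert `resource.TestCheckResourceAttr(prefix, "subject", "repo:test/test:environment:updated")`. `userPrefix` is built with a leading space (`" octopusdeploy_user."`), which survives into the generated HCL as `service_account_id =  octopusdeploy_user.<name>.id`; HCL tolerates it, but it is an accident waiting to be copied elsewhere. Both steps reuse `testScriptModuleExists(prefix)`, which by its name presumably only confirms the address is present in state; a check that reads the identity back through the Octopus client would prove the round-trip rather than the provider's own bookkeeping.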
@@ -0,0 +1,81 @@
+package schemas
+
+import (
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/octopusdeploy_framework/util"
+	datasourceSchema "github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	resourceSchema "github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+const ServiceAccountOIDCIdentityResourceName = "service_account_oidc_identity"
+const ServiceAccountOIDCIdentityDatasourceName = "service_account_oidc_identity"
+
+type ServiceAccountOIDCIdentitySchema struct{}
+
+var _ EntitySchema = ServiceAccountOIDCIdentitySchema{}
+
+func (d ServiceAccountOIDCIdentitySchema) GetResourceSchema() resourceSchema.Schema {
+	return resourceSchema.Schema{
+		Attributes: map[string]resourceSchema.Attribute{
+			"id": GetIdResourceSchema(),
+			"name": GetNameResourceSchema(true),
+			"service_account_id": util.ResourceString().
+				Description("ID of the user to associate this identity to").
+				Required().
+				PlanModifiers(stringplanmodifier.RequiresReplace()).
+				Build(),
+			"issuer": util.ResourceString().
+				Description("OIDC issuer url").
+				Required().
+				Build(),
+			"subject": util.ResourceString().
+				Description("OIDC subject claims").
+				Required().
+				Build(),
+		},
+		Description: "This resource manages manages OIDC service account for the associated user",
+	}
+}
+
+func (d ServiceAccountOIDCIdentitySchema) GetDatasourceSchema() datasourceSchema.Schema {
+	return datasourceSchema.Schema{
+		Attributes: map[string]datasourceSchema.Attribute{
+			"id": GetIdDatasourceSchema(false),
+			"service_account_id": util.DataSourceString().
+				Description("ID of the user associated to this identity").
+				Required().
+				Build(),
+			// Response
+			"name": util.DataSourceString().
+				Description("Name of the user associated to this identity").
+				Computed().
+				Build(),
+			"issuer": util.DataSourceString().
+				Description("OIDC issuer url").
+				Computed().
+				Build(),
+			"subject": util.DataSourceString().
+				Description("OIDC subject claims").
+				Computed().
+				Build(),
+		},
+	}
+}
+
+type OIDCServiceAccountSchemaModel struct {
+	ServiceAccountID types.String `tfsdk:"service_account_id"`
+	Name types.String `tfsdk:"name"`
+	Issuer types.String `tfsdk:"issuer"`
+	Subject types.String `tfsdk:"subject"`
+
+	ResourceModel
+}
+
+type OIDCServiceAccountDatasourceSchemaModel struct {
+	ID types.String `tfsdk:"id"`
+	ServiceAccountID types.String `tfsdk:"service_account_id"`
+	Name types.String `tfsdk:"name"`
+	Issuer types.String `tfsdk:"issuer"`
+	Subject types.String `tfsdk:"subject"`
+}
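Review bot: `issuer` and `subject` in `GetResourceSchema` are accepted as arbitrary strings with no validation and one-line descriptions, although together they are the trust boundary that lets a token holder outside Octopus act as the service account; at minimum the schema should reject empty values and tell the operator what is being matched. Proposed descriptions: for `issuer`, `OIDC issuer URL, as carried in the token's iss claim (e.g. https://token.actions.githubusercontent.com)`; for `subject`, `OIDC subject (the token's sub claim) this identity accepts; scope it as narrowly as the issuer allows, e.g. a single repository and environment, since any token with a matching issuer and subject can act as the service account`. If the provider already depends on terraform-plugin-framework-validators and the `util.ResourceString()` builder exposes a validators hook, `stringvalidator.LengthAtLeast(1)` on both attributes and a `stringvalidator.RegexMatches` requiring an `https://` issuer (OIDC Discovery mandates https issuers) would enforce the minimum — I cannot tell from this hunk whether either is available. The resource description reads "manages manages", and the data-source `name` is described as "Name of the user associated to this identity" while the resource side describes the same attribute as the identity's own name; align both. The data-source `id` is built with `GetIdDatasourceSchema(false)` (optional per the generated docs) even though the accompanying Read needs it to look the identity up, so marking it required would match actual behaviour.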