Merge pull request #16 from marcozj/branch_v0.1.11

Branch v0.1.11

CHANGELOG.md

@@ -1,5 +1,11 @@
 # RELEASE NOTES
 
+## 0.1.11 (Aug 14, 2021)
+
+IMPROVEMENTS:
+
+- **New Resource:** `centrifyvault_role_membership`
+
 ## 0.1.10 (Aug 7, 2021)
 
 BUG FIXES:

GNUmakefile

@@ -4,7 +4,7 @@ WEBSITE_REPO=github.com/hashicorp/terraform-website
 PKG_NAME=centrifyvault
 
 # Local provider install parameter
-version = 0.1.10
+version = 0.1.11
 registry_name = registry.terraform.io
 namespace = marcozj
 bin_name = terraform-provider-$(PKG_NAME)

centrify/provider.go

@@ -112,6 +112,7 @@ func Provider() *schema.Provider {
 		ResourcesMap: map[string]*schema.Resource{
 			"centrifyvault_user":                      resourceUser(),
 			"centrifyvault_role":                      resourceRole(),
+			"centrifyvault_role_membership":           resourceRoleMembership(),
 			"centrifyvault_policyorder":               resourcePolicyLinks(),
 			"centrifyvault_policy":                    resourcePolicy(),
 			"centrifyvault_manualset":                 resourceManualSet(),

centrify/resource_role_membership.go

@@ -0,0 +1,183 @@
+package centrify
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	logger "github.com/marcozj/golang-sdk/logging"
+	vault "github.com/marcozj/golang-sdk/platform"
+	"github.com/marcozj/golang-sdk/restapi"
+)
+
+func resourceRoleMembership() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceRoleMembershipCreate,
+		Read:   resourceRoleMembershipRead,
+		Update: resourceRoleMembershipUpdate,
+		Delete: resourceRoleMembershipDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"role_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "ID of the role",
+			},
+			"member": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Set:      customRoleMemberHash,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "ID of the member",
+						},
+						"name": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Computed:    true,
+							Description: "Name of the member",
+						},
+						"type": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "Type of the member",
+							ValidateFunc: validation.StringInSlice([]string{
+								"User",
+								"Group",
+								"Role",
+							}, false),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceRoleMembershipRead(d *schema.ResourceData, m interface{}) error {
+	logger.Infof("Reading role membership: %s", ResourceIDString(d))
+	client := m.(*restapi.RestClient)
+
+	// Create a role object and populate ID attribute
+	object := vault.NewRoleMembership(client)
+	object.ID = d.Id()
+	object.RoleID = d.Get("role_id").(string)
+	err := object.Read()
+
+	// If the resource does not exist, inform Terraform. We want to immediately
+	// return here to prevent further processing.
+	if err != nil {
+		d.SetId("")
+		return fmt.Errorf(" Error reading role: %v", err)
+	}
+	logger.Debugf("Role from tenant: %v", object)
+
+	schemamap, err := vault.GenerateSchemaMap(object)
+	if err != nil {
+		return err
+	}
+	logger.Debugf("Generated Map for resourceRoleMembershipRead(): %+v", schemamap)
+	for k, v := range schemamap {
+		d.Set(k, v)
+	}
+
+	logger.Infof("Completed reading role membership: %s", object.Name)
+	return nil
+}
+
+func resourceRoleMembershipCreate(d *schema.ResourceData, m interface{}) error {
+	logger.Infof("Beginning role membership creation: %s", ResourceIDString(d))
+
+	// Enable partial state mode
+	d.Partial(true)
+
+	client := m.(*restapi.RestClient)
+
+	// Create a role object and populate all attributes
+	object := vault.NewRoleMembership(client)
+	createUpateGetRoleMembershipData(d, object)
+
+	// Handle role members
+	if len(object.Members) > 0 {
+		resp, err := object.UpdateRoleMembers(object.Members, "Add")
+		if err != nil || !resp.Success {
+			return fmt.Errorf(" Error adding members to role: %v", err)
+		}
+	}
+
+	//d.SetId(d.Get("name").(string))
+	d.SetId(object.RoleID)
+	// Creation completed
+	d.Partial(false)
+	logger.Infof("Creation of role membership completed: %s", object.Name)
+	return resourceRoleMembershipRead(d, m)
+}
+
+func resourceRoleMembershipUpdate(d *schema.ResourceData, m interface{}) error {
+	logger.Infof("Beginning role membership update: %s", ResourceIDString(d))
+
+	// Enable partial state mode
+	d.Partial(true)
+
+	client := m.(*restapi.RestClient)
+	object := vault.NewRoleMembership(client)
+	object.ID = d.Id()
+	createUpateGetRoleMembershipData(d, object)
+
+	// Deal with role members
+	if d.HasChange("member") {
+		old, new := d.GetChange("member")
+		// Remove old members
+		resp, err := object.UpdateRoleMembers(expandRoleMembers(old), "Delete")
+		if err != nil || !resp.Success {
+			return fmt.Errorf(" Failed to remove members from role: %v", err)
+		}
+		// Add new members
+		resp, err = object.UpdateRoleMembers(expandRoleMembers(new), "Add")
+		if err != nil || !resp.Success {
+			return fmt.Errorf(" Failed to add members to role: %v", err)
+		}
+	}
+
+	// We succeeded, disable partial mode. This causes Terraform to save all fields again.
+	d.Partial(false)
+	logger.Infof("Updating of role membership completed: %s", object.Name)
+	return resourceRoleMembershipRead(d, m)
+}
+
+func resourceRoleMembershipDelete(d *schema.ResourceData, m interface{}) error {
+	logger.Infof("Beginning deletion of role membership: %s", ResourceIDString(d))
+	client := m.(*restapi.RestClient)
+
+	object := vault.NewRoleMembership(client)
+	object.ID = d.Id()
+	createUpateGetRoleMembershipData(d, object)
+	// Handle role members
+	if len(object.Members) > 0 {
+		resp, err := object.UpdateRoleMembers(object.Members, "Delete")
+		if err != nil || !resp.Success {
+			return fmt.Errorf(" Failed to remove members from role: %v", err)
+		}
+	}
+
+	d.SetId("")
+	logger.Infof("Deletion of role membership completed: %s", ResourceIDString(d))
+	return nil
+}
+
+func createUpateGetRoleMembershipData(d *schema.ResourceData, object *vault.RoleMembership) error {
+	object.RoleID = d.Get("role_id").(string)
+	object.ID = object.RoleID
+	if v, ok := d.GetOk("member"); ok {
+		object.Members = expandRoleMembers(v)
+	}
+
+	return nil
+}

docs/index.md

@@ -86,6 +86,7 @@ The Provider supports OAuth2 and DMC authentication methods.
 | Federated Group | [`centrifyvault_federatedgroup`](./resources/federatedgroup.md) | [`centrifyvault_federatedgroup`](./data-sources/federatedgroup.md) |
 | Centrify Directory User | [`centrifyvault_user`](./resources/user.md) | [`centrifyvault_user`](./data-sources/user.md) |
 | Role | [`centrifyvault_role`](./resources/role.md) | [`centrifyvault_role`](./data-sources/role.md) |
+| Role Membership | [`centrifyvault_role_membership`](./resources/role_membership.md) | |
 | Authentication Profile | [`centrifyvault_authenticationprofile`](./resources/authenticationprofile.md) | [`centrifyvault_authenticationprofile`](./data-sources/authenticationprofile.md) |
 | Password Profile | [`centrifyvault_passwordprofile`](./resources/passwordprofile.md) | [`centrifyvault_passwordprofile`](./data-sources/passwordprofile.md) |
 | Connector | | [`centrifyvault_connector`](./connector.md) |

docs/resources/cloudprovider.md

@@ -51,4 +51,4 @@ Cloud Provider can be imported using the resource `id`, e.g.
 terraform import centrifyvault_cloudprovider.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `sets` aren't support in import process.
+**Limitation:** `permission` and `sets` aren't supported in import process.

docs/resources/desktopapp.md

@@ -81,4 +81,4 @@ Desktop App can be imported using the resource `id`, e.g.
 terraform import centrifyvault_desktopapp.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `sets` aren't support in import process.
+**Limitation:** `permission` and `sets` aren't supported in import process.

docs/resources/globalgroupmappings.md

@@ -6,6 +6,8 @@ subcategory: "Settings"
 
 This resource allows you to create/update/delete global federated group mapping.
 
+~> **WARNING:** Multiple `centrifyvault_globalgroupmappings` resources will produce inconsistent behavior! Do NOT use more than once!
+
 ## Example Usage
 
 ```terraform

docs/resources/manualset.md

@@ -54,4 +54,4 @@ Manual Set can be imported using the resource `id`, e.g.
 terraform import centrifyvault_manualset.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `member_permission` aren't support in import process.
+**Limitation:** `permission` and `member_permission` aren't supported in import process.

docs/resources/multiplexedaccount.md

@@ -41,4 +41,4 @@ Multiplexed Account can be imported using the resource `id`, e.g.
 terraform import centrifyvault_multiplexedaccount.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` isn't support in import process.
+**Limitation:** `permission` isn't supported in import process.

docs/resources/role_membership.md

@@ -0,0 +1,63 @@
+---
+subcategory: "Access"
+---
+
+# centrifyvault_role_membership (Resource)
+
+This resource allows you to create/update/delete role membership for either existing or new role.
+
+~> **WARNING:** `centrifyvault_role_membership` will conflict with itself if used more than once with the same role.
+
+~> **NOTE:** Do NOT use both `centrifyvault_role` and `centrifyvault_role_membership` to manage role membership for the same role.
+
+## Example Usage
+
+```terraform
+// Existing federated (virtual) group
+data "centrifyvault_federatedgroup" "fedgroup1" {
+  name = "Okta Infra Admins"
+}
+
+// Existing role whose membership to be managed
+data "centrifyvault_role" "testrole" {
+    name = "Test Role"
+}
+
+// Role membership for exsting role
+resource "centrifyvault_role_membership" "testrolemembers" {
+  role_id = data.centrifyvault_role.testrole.id
+
+  // Existing federated (virtual) group
+  member {
+    id = data.centrifyvault_federatedgroup.fedgroup1.id
+    type = "Group"
+  }
+}
+```
+
+More examples can be found [here](https://github.com/marcozj/terraform-provider-centrifyvault/tree/main/examples/centrifyvault_role_membership)
+
+## Argument Reference
+
+### Required
+
+- `role_id` - (String) ID of the role.
+
+### Optional
+
+- `member` - (Block Set) (see [below reference for member](#reference-for-member))
+
+## [Reference for `member`]
+
+Required:
+
+- `id` - (String) ID of the member.
+- `type` - (String) Type of the member. Can be set to `User`, `Group` or `Role`.
+
+## Import
+
+Role membership can be imported using the resource `id`, e.g.
+
+```shell
+terraform import centrifyvault_role_membership.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```

docs/resources/service.md

@@ -57,4 +57,4 @@ Service can be imported using the resource `id`, e.g.
 terraform import centrifyvault_service.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `set` aren't support in import process.
+**Limitation:** `permission` and `set` aren't supported in import process.

docs/resources/sshkey.md

@@ -43,4 +43,4 @@ SSH Key can be imported using the resource `id`, e.g.
 terraform import centrifyvault_sshkey.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `set` aren't support in import process.
+**Limitation:** `permission` and `set` aren't supported in import process.

docs/resources/user.md

@@ -54,4 +54,4 @@ Centrify Directory User can be imported using the resource `id`, e.g.
 terraform import centrifyvault_user.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `roles` isn't support in import process.
+**Limitation:** `roles` isn't supported in import process.

docs/resources/vaultaccount.md

@@ -75,4 +75,4 @@ Account can be imported using the resource `id`, e.g.
 terraform import centrifyvault_vaultaccount.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `set` aren't support in import process.
+**Limitation:** `permission` and `set` aren't supported in import process.

docs/resources/vaultdatabase.md

@@ -58,4 +58,4 @@ Database can be imported using the resource `id`, e.g.
 terraform import centrifyvault_vaultdatabase.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `set` aren't support in import process.
+**Limitation:** `permission` and `set` aren't supported in import process.

docs/resources/vaultdomain.md

@@ -82,4 +82,4 @@ Domain can be imported using the resource `id`, e.g.
 terraform import centrifyvault_vaultdomain.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `set` aren't support in import process.
+**Limitation:** `permission` and `set` aren't supported in import process.

docs/resources/vaultsecret.md

@@ -47,4 +47,4 @@ Secret can be imported using the resource `id`, e.g.
 terraform import centrifyvault_vaultsecret.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `set` aren't support in import process.
+**Limitation:** `permission` and `set` aren't supported in import process.

docs/resources/vaultsecretfolder.md

@@ -46,4 +46,4 @@ Secret Folder can be imported using the resource `id`, e.g.
 terraform import centrifyvault_vaultsecretfolder.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `member_permission` aren't support in import process.
+**Limitation:** `permission` and `member_permission` aren't supported in import process.

docs/resources/vaultsystem.md

@@ -100,4 +100,4 @@ System can be imported using the resource `id`, e.g.
 terraform import centrifyvault_vaultsystem.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `sets` aren't support in import process.
+**Limitation:** `permission` and `sets` aren't supported in import process.

docs/resources/webapp_generic.md

@@ -79,4 +79,4 @@ Generic Web Application can be imported using the resource `id`, e.g.
 terraform import centrifyvault_webapp_generic.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `sets` aren't support in import process.
+**Limitation:** `permission` and `sets` aren't supported in import process.

docs/resources/webapp_oidc.md

@@ -75,4 +75,4 @@ OpenID Connect Application can be imported using the resource `id`, e.g.
 terraform import centrifyvault_webapp_oidc.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `sets` aren't support in import process.
+**Limitation:** `permission` and `sets` aren't supported in import process.

docs/resources/webapp_saml.md

@@ -87,4 +87,4 @@ SAML Application can be imported using the resource `id`, e.g.
 terraform import centrifyvault_webapp_saml.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 ```
 
-**Limitation:** `permission` and `sets` aren't support in import process.
+**Limitation:** `permission` and `sets` aren't supported in import process.

examples/centrifyvault_role/role_member_with_federatedgroup.tf

@@ -2,7 +2,7 @@
 data "centrifyvault_directoryservice" "federated_dir" {
     // name must be "Federated Directory Service"
     name = "Federated Directory Service"
-    // Avaiable types are: "Centrify Directory", "Active Directory", "Federated Directory", "Google Directory", "LDAP Directory"
+    // Available types are: "Centrify Directory", "Active Directory", "Federated Directory", "Google Directory", "LDAP Directory"
     type = "Federated Directory"
 }