Merge pull request #84 from jetstack/teams_sso

Add support for SSO group assignment in Teams

Author: aidy

docs/resources/team.md

@@ -17,6 +17,13 @@ resource "tlspc_team" "app_team_1" {
   name   = "App Team 1"
   role   = "PLATFORM_ADMIN"
   owners = [data.tlspc_user.owner.id]
+  user_matching_rules = [
+    {
+      claim_name = "adGroups"
+      operator   = "CONTAINS"
+      value      = "Venafi"
+    }
+  ]
 }
 ```
 
@@ -34,6 +41,25 @@ resource "tlspc_team" "app_team_1" {
     * RESOURCE_OWNER
     * GUEST
 
+### Optional
+
+- `user_matching_rules` (Attributes Set) List of rules to add members via SSO claims. Please refer to the [documentation](https://docs.venafi.cloud/vcs-platform/r-team-membership-rule-guidelines/) for detailed rule configuration. (see [below for nested schema](#nestedatt--user_matching_rules))
+
 ### Read-Only
 
 - `id` (String) The ID of this resource.
+
+<a id="nestedatt--user_matching_rules"></a>
+### Nested Schema for `user_matching_rules`
+
+Required:
+
+- `claim_name` (String) The SSO property that this rule acts on
+- `operator` (String) The operator of this rule, valid options:
+    * EQUALS
+    * NOT_EQUALS
+    * CONTAINS
+    * NOT_CONTAINS
+    * STARTS_WITH
+    * ENDS_WITH
+- `value` (String) The value to check for

examples/resources/tlspc_team/resource.tf

@@ -2,4 +2,11 @@ resource "tlspc_team" "app_team_1" {
   name   = "App Team 1"
   role   = "PLATFORM_ADMIN"
   owners = [data.tlspc_user.owner.id]
+  user_matching_rules = [
+    {
+      claim_name = "adGroups"
+      operator   = "CONTAINS"
+      value      = "Venafi"
+    }
+  ]
 }

go.mod

@@ -19,6 +19,7 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-plugin v1.6.3 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/hashicorp/terraform-plugin-framework-validators v0.18.0 // indirect
 	github.com/hashicorp/terraform-plugin-go v0.27.0 // indirect
 	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.5 // indirect

go.sum

@@ -46,6 +46,8 @@ github.com/hashicorp/terraform-plugin-framework v1.15.0 h1:LQ2rsOfmDLxcn5EeIwdXF
 github.com/hashicorp/terraform-plugin-framework v1.15.0/go.mod h1:hxrNI/GY32KPISpWqlCoTLM9JZsGH3CyYlir09bD/fI=
 github.com/hashicorp/terraform-plugin-framework-jsontypes v0.2.0 h1:SJXL5FfJJm17554Kpt9jFXngdM6fXbnUnZ6iT2IeiYA=
 github.com/hashicorp/terraform-plugin-framework-jsontypes v0.2.0/go.mod h1:p0phD0IYhsu9bR4+6OetVvvH59I6LwjXGnTVEr8ox6E=
+github.com/hashicorp/terraform-plugin-framework-validators v0.18.0 h1:OQnlOt98ua//rCw+QhBbSqfW3QbwtVrcdWeQN5gI3Hw=
+github.com/hashicorp/terraform-plugin-framework-validators v0.18.0/go.mod h1:lZvZvagw5hsJwuY7mAY6KUz45/U6fiDR0CzQAwWD0CA=
 github.com/hashicorp/terraform-plugin-go v0.27.0 h1:ujykws/fWIdsi6oTUT5Or4ukvEan4aN9lY+LOxVP8EE=
 github.com/hashicorp/terraform-plugin-go v0.27.0/go.mod h1:FDa2Bb3uumkTGSkTFpWSOwWJDwA7bf3vdP3ltLDTH6o=
 github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0=

internal/provider/team_resource.go

@@ -6,14 +6,17 @@ package provider
 import (
 	"context"
 	"fmt"
+	"reflect"
 
 	"terraform-provider-tlspc/internal/tlspc"
 
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
@@ -62,6 +65,35 @@ func (r *teamResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				ElementType:         types.StringType,
 				MarkdownDescription: "List of user ids",
 			},
+			"user_matching_rules": schema.SetNestedAttribute{
+				Optional:            true,
+				MarkdownDescription: "List of rules to add members via SSO claims. Please refer to the [documentation](https://docs.venafi.cloud/vcs-platform/r-team-membership-rule-guidelines/) for detailed rule configuration.",
+				NestedObject: schema.NestedAttributeObject{
+					Attributes: map[string]schema.Attribute{
+						"claim_name": schema.StringAttribute{
+							Required:            true,
+							MarkdownDescription: "The SSO property that this rule acts on",
+						},
+						"operator": schema.StringAttribute{
+							Required: true,
+							MarkdownDescription: `The operator of this rule, valid options:
+    * EQUALS
+    * NOT_EQUALS
+    * CONTAINS
+    * NOT_CONTAINS
+    * STARTS_WITH
+    * ENDS_WITH`,
+							Validators: []validator.String{
+								stringvalidator.OneOf("EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "STARTS_WITH", "ENDS_WITH"),
+							},
+						},
+						"value": schema.StringAttribute{
+							Required:            true,
+							MarkdownDescription: "The value to check for",
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -86,10 +118,17 @@ func (r *teamResource) Configure(_ context.Context, req resource.ConfigureReques
 }
 
 type teamResourceModel struct {
-	ID     types.String   `tfsdk:"id"`
-	Name   types.String   `tfsdk:"name"`
-	Role   types.String   `tfsdk:"role"`
-	Owners []types.String `tfsdk:"owners"`
+	ID                types.String       `tfsdk:"id"`
+	Name              types.String       `tfsdk:"name"`
+	Role              types.String       `tfsdk:"role"`
+	Owners            []types.String     `tfsdk:"owners"`
+	UserMatchingRules []userMatchingRule `tfsdk:"user_matching_rules"`
+}
+
+type userMatchingRule struct {
+	ClaimName types.String `tfsdk:"claim_name"`
+	Operator  types.String `tfsdk:"operator"`
+	Value     types.String `tfsdk:"value"`
 }
 
 func (r *teamResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
@@ -105,11 +144,21 @@ func (r *teamResource) Create(ctx context.Context, req resource.CreateRequest, r
 		owners = append(owners, v.ValueString())
 	}
 
+	umr := []tlspc.UserMatchingRule{}
+	for _, v := range plan.UserMatchingRules {
+		umr = append(umr, tlspc.UserMatchingRule{
+			ClaimName: v.ClaimName.ValueString(),
+			Operator:  v.Operator.ValueString(),
+			Value:     v.Value.ValueString(),
+		})
+	}
+
 	team := tlspc.Team{
-		Name:    plan.Name.ValueString(),
-		Role:    plan.Role.ValueString(),
-		Owners:  owners,
-		Members: []string{},
+		Name:              plan.Name.ValueString(),
+		Role:              plan.Role.ValueString(),
+		Owners:            owners,
+		Members:           []string{},
+		UserMatchingRules: umr,
 	}
 
 	created, err := r.client.CreateTeam(team)
@@ -153,6 +202,17 @@ func (r *teamResource) Read(ctx context.Context, req resource.ReadRequest, resp
 	}
 	state.Owners = owners
 
+	umr := []userMatchingRule{}
+	for _, v := range team.UserMatchingRules {
+		umr = append(umr, userMatchingRule{
+			ClaimName: types.StringValue(v.ClaimName),
+			Operator:  types.StringValue(v.Operator),
+			Value:     types.StringValue(v.Value),
+		})
+	}
+
+	state.UserMatchingRules = umr
+
 	diags = resp.State.Set(ctx, state)
 	resp.Diagnostics.Append(diags...)
 }
@@ -171,11 +231,20 @@ func (r *teamResource) Update(ctx context.Context, req resource.UpdateRequest, r
 		return
 	}
 
-	if state.Name != plan.Name || state.Role != plan.Role {
+	if state.Name != plan.Name || state.Role != plan.Role || !reflect.DeepEqual(state.UserMatchingRules, plan.UserMatchingRules) {
+		umr := []tlspc.UserMatchingRule{}
+		for _, v := range plan.UserMatchingRules {
+			umr = append(umr, tlspc.UserMatchingRule{
+				ClaimName: v.ClaimName.ValueString(),
+				Operator:  v.Operator.ValueString(),
+				Value:     v.Value.ValueString(),
+			})
+		}
 		team := tlspc.Team{
-			ID:   state.ID.ValueString(),
-			Name: plan.Name.ValueString(),
-			Role: plan.Role.ValueString(),
+			ID:                state.ID.ValueString(),
+			Name:              plan.Name.ValueString(),
+			Role:              plan.Role.ValueString(),
+			UserMatchingRules: umr,
 		}
 		_, err := r.client.UpdateTeam(team)
 		if err != nil {

internal/tlspc/tlspc.go

@@ -102,11 +102,18 @@ func (c *Client) GetUser(email string) (*User, error) {
 }
 
 type Team struct {
-	ID      string   `json:"id,omitempty"`
-	Name    string   `json:"name"`
-	Role    string   `json:"role"`
-	Owners  []string `json:"owners"`
-	Members []string `json:"members"`
+	ID                string             `json:"id,omitempty"`
+	Name              string             `json:"name"`
+	Role              string             `json:"role"`
+	Owners            []string           `json:"owners"`
+	Members           []string           `json:"members"`
+	UserMatchingRules []UserMatchingRule `json:"userMatchingRules,omitempty"`
+}
+
+type UserMatchingRule struct {
+	ClaimName string `json:"claimName"`
+	Operator  string `json:"operator"`
+	Value     string `json:"value"`
 }
 
 func (c *Client) CreateTeam(team Team) (*Team, error) {
@@ -163,8 +170,9 @@ func (c *Client) GetTeam(id string) (*Team, error) {
 }
 
 type updateTeam struct {
-	Name string `json:"name"`
-	Role string `json:"role"`
+	Name              string             `json:"name"`
+	Role              string             `json:"role"`
+	UserMatchingRules []UserMatchingRule `json:"userMatchingRules,omitempty"`
 }
 
 func (c *Client) UpdateTeam(team Team) (*Team, error) {
@@ -176,8 +184,9 @@ func (c *Client) UpdateTeam(team Team) (*Team, error) {
 	path := c.Path(`%s/v1/teams/` + id)
 
 	update := updateTeam{
-		Name: team.Name,
-		Role: team.Role,
+		Name:              team.Name,
+		Role:              team.Role,
+		UserMatchingRules: team.UserMatchingRules,
 	}
 	body, err := json.Marshal(update)
 	if err != nil {