⭐️ output service account credential (#79)

chris-rock · web-flow · commit e3170be697d9 · 2024-04-28T12:57:47.000+02:00
* ⭐️ output service account credential

* 🧹 update go mod
diff --git a/docs/resources/service_account.md b/docs/resources/service_account.md
@@ -29,12 +29,12 @@ provider "mondoo" {
 }
 
 resource "mondoo_space" "my_space" {
-  name   = "My Space Name"
+  name   = "My Terraform Space"
   org_id = var.mondoo_org
 }
 
 resource "mondoo_service_account" "service_account" {
-  name        = "Service Account Terraform New"
+  name        = "Service Account Terraform"
   description = "Service Account for Terraform"
   roles = [
     "//iam.api.mondoo.app/roles/viewer",
@@ -45,6 +45,18 @@ resource "mondoo_service_account" "service_account" {
     mondoo_space.my_space
   ]
 }
+
+output "service_account_json" {
+  description = "Service Account as JSON"
+  value       = base64decode(mondoo_service_account.service_account.credential)
+  sensitive   = true
+}
+
+output "service_account_base64" {
+  description = "Service Account as Base64"
+  value       = mondoo_service_account.service_account.credential
+  sensitive   = true
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -60,4 +72,5 @@ resource "mondoo_service_account" "service_account" {
 
 ### Read-Only
 
+- `credential` (String, Sensitive) The service account credential in JSON format, base64 encoded. This is the same content when creating service account credentials through the web console.
 - `mrn` (String) The Mondoo Resource Name (MRN) of the created service account.
diff --git a/examples/resources/mondoo_service_account/resource.tf b/examples/resources/mondoo_service_account/resource.tf
@@ -14,12 +14,12 @@ provider "mondoo" {
 }
 
 resource "mondoo_space" "my_space" {
-  name   = "My Space Name"
+  name   = "My Terraform Space"
   org_id = var.mondoo_org
 }
 
 resource "mondoo_service_account" "service_account" {
-  name        = "Service Account Terraform New"
+  name        = "Service Account Terraform"
   description = "Service Account for Terraform"
   roles = [
     "//iam.api.mondoo.app/roles/viewer",
@@ -30,3 +30,16 @@ resource "mondoo_service_account" "service_account" {
     mondoo_space.my_space
   ]
 }
+
+output "service_account_json" {
+  description = "Service Account as JSON"
+  value       = base64decode(mondoo_service_account.service_account.credential)
+  sensitive   = true
+}
+
+output "service_account_base64" {
+  description = "Service Account as Base64"
+  value       = mondoo_service_account.service_account.credential
+  sensitive   = true
+}
+
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.22.2
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-testing v1.7.0
+	github.com/stretchr/testify v1.9.0
 	go.mondoo.com/mondoo-go v0.0.0-20240303102235-bc102d6ef0cb
 )
 
@@ -32,6 +33,7 @@ require (
 	github.com/cli/safeexec v1.0.0 // indirect
 	github.com/cli/shurcooL-graphql v0.0.2 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.2 // indirect
@@ -88,6 +90,7 @@ require (
 	github.com/muesli/termenv v0.12.0 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/posener/complete v1.2.3 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/samber/lo v1.37.0 // indirect
diff --git a/internal/provider/service_account_resource.go b/internal/provider/service_account_resource.go
@@ -5,6 +5,8 @@ package provider
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
@@ -26,6 +28,17 @@ var _ resource.Resource = &ServiceAccountResource{}
 
 var defaultRoles = []string{"//iam.api.mondoo.app/roles/viewer"}
 
+// serviceAccountCredential is a temporary object until the API returns the credential as a string.
+type serviceAccountCredential struct {
+	Mrn         string `json:"mrn,omitempty"`
+	PrivateKey  string `json:"private_key,omitempty"`
+	Certificate string `json:"certificate,omitempty"`
+	ApiEndpoint string `json:"api_endpoint,omitempty"`
+	ScopeMrn    string `json:"scope_mrn,omitempty"`
+	// ParentMrn is deprecated and should not be used, use ScopeMrn instead
+	ParentMrn string `json:"parent_mrn,omitempty"`
+}
+
 func NewServiceAccountResource() resource.Resource {
 	return &ServiceAccountResource{}
 }
@@ -46,6 +59,9 @@ type ServiceAccountResourceModel struct {
 	Name        types.String `tfsdk:"name"`
 	Description types.String `tfsdk:"description"`
 	Roles       types.List   `tfsdk:"roles"`
+
+	// base 64 encoded service account credential
+	Credential types.String `tfsdk:"credential"`
 }
 
 func (r *ServiceAccountResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
@@ -99,6 +115,14 @@ func (r *ServiceAccountResource) Schema(ctx context.Context, req resource.Schema
 					listplanmodifier.UseStateForUnknown(),
 				},
 			},
+			"credential": schema.StringAttribute{
+				Computed:            true,
+				MarkdownDescription: "The service account credential in JSON format, base64 encoded. This is the same content when creating service account credentials through the web console.",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+				Sensitive: true,
+			},
 		},
 	}
 }
@@ -206,7 +230,25 @@ func (r *ServiceAccountResource) Create(ctx context.Context, req resource.Create
 	// Save space mrn into the Terraform state.
 	data.Name = types.StringValue(name)
 	data.Mrn = types.StringValue(string(createMutation.CreateServiceAccount.Mrn))
-	// TODO: add certificate and private key
+
+	// NOTE: this is temporary, we want to change the API to return the credential as a string
+	serviceAccount := serviceAccountCredential{
+		Mrn:         string(createMutation.CreateServiceAccount.Mrn),
+		PrivateKey:  string(createMutation.CreateServiceAccount.PrivateKey),
+		Certificate: string(createMutation.CreateServiceAccount.Certificate),
+		ApiEndpoint: string(createMutation.CreateServiceAccount.ApiEndpoint),
+		ScopeMrn:    string(createMutation.CreateServiceAccount.ScopeMrn),
+		ParentMrn:   string(createMutation.CreateServiceAccount.ScopeMrn),
+	}
+
+	jsonData, err := json.Marshal(serviceAccount)
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to create service account, got error: %s", err))
+		return
+	}
+
+	// set base 64 encoded credential
+	data.Credential = types.StringValue(base64.StdEncoding.EncodeToString(jsonData))
 
 	// Write logs using the tflog package
 	tflog.Trace(ctx, "created a service account resource")
