-
Notifications
You must be signed in to change notification settings - Fork 389
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add roles resource and permissions datasource #753
Merged
Changes from 11 commits
Commits
Show all changes
22 commits
Select commit
Hold shift + click to select a range
1dec8cd
add role resource
zippolyte 04f6082
Add permissions datasource
zippolyte 2a08ff0
add test for permissions ds
zippolyte e4ec384
Don't source restricted perms
zippolyte c4280f8
go mod tidy/vendor
zippolyte bb42362
Add test for roles resource and solve restricted perms issue
zippolyte 1b7e0b2
Add test for role datasource filtering
zippolyte 075945d
fix workflow
zippolyte f7f12a2
fix doc and desc
zippolyte 3293c2b
Merge branch 'master' into hippo/rr
zippolyte 06487ae
Update .github/workflows/test.yml
zippolyte 7cadad5
Fix role datasource test
zippolyte 9058afa
Update datadog/data_source_datadog_permissions.go
zippolyte f48ec49
fix panic and rerecord
zippolyte d4502c8
fix replaying by matching body
zippolyte f3bb0be
workaround time.Now since we match on body now
zippolyte a739e29
set time.Now in real provider
zippolyte 2ac3a20
Also rerecord downtime
zippolyte 4ce7495
final recordings
zippolyte 323d915
review
zippolyte c0c297a
fix name
zippolyte 00e811b
new cassette name
zippolyte File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| 2020-11-19T10:30:31.704789+01:00 |
451 changes: 451 additions & 0 deletions
451
datadog/cassettes/TestAccDatadogPermissionsDatasource.yaml
Large diffs are not rendered by default.
Oops, something went wrong.
1 change: 1 addition & 0 deletions
1
datadog/cassettes/TestAccDatadogRoleDatasourceExactMatch.freeze
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| 2020-11-19T12:00:56.078914+01:00 |
1,309 changes: 1,309 additions & 0 deletions
1,309
datadog/cassettes/TestAccDatadogRoleDatasourceExactMatch.yaml
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| 2020-11-19T11:21:35.461993+01:00 |
2,486 changes: 2,486 additions & 0 deletions
2,486
datadog/cassettes/TestAccDatadogRole_CreateUpdate.yaml
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| 2020-11-19T11:43:43.053221+01:00 |
115 changes: 115 additions & 0 deletions
115
datadog/cassettes/TestAccDatadogRole_RestrictedPerm.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| --- | ||
| version: 1 | ||
| interactions: | ||
| - request: | ||
| body: "" | ||
| form: {} | ||
| headers: | ||
| Accept: | ||
| - application/json | ||
| Dd-Operation-Id: | ||
| - ListPermissions | ||
| User-Agent: | ||
| - terraform-provider-datadog/dev (terraform 1.15.0; terraform-cli 0.12.7-sdk) | ||
| datadog-api-client-go/1.0.0-beta.11 (go go1.15.4; os darwin; arch amd64) | ||
| X-Datadog-Parent-Id: | ||
| - "7165266347497469612" | ||
| X-Datadog-Sampling-Priority: | ||
| - "1" | ||
| X-Datadog-Trace-Id: | ||
| - "5872402547522963203" | ||
| url: https://api.datadoghq.com/api/v2/permissions | ||
| method: GET | ||
| response: | ||
| body: '{"data":[{"type":"permissions","id":"984a2bd4-d3b4-11e8-a1ff-a7f660d43029","attributes":{"name":"admin","display_name":"Privileged | ||
| Access","description":"This permission gives you the ability to view and edit | ||
| everything in your Datadog organization that does not have an explicitly defined | ||
| permission. This includes billing and usage, user, key, and organization management. | ||
| This permission is inclusive of all Standard access permissions.","created":"2018-10-19T15:35:23.734317+00:00","group_name":"General","display_type":"other","restricted":false}},{"type":"permissions","id":"984d2f00-d3b4-11e8-a200-bb47109e9987","attributes":{"name":"standard","display_name":"Standard | ||
| Access","description":"This permission gives you the ability to view and edit | ||
| components in your Datadog organization that do not have explicitly defined | ||
| permissions. This includes APM, Events, and other non-Account Management functionality.","created":"2018-10-19T15:35:23.756736+00:00","group_name":"General","display_type":"other","restricted":false}},{"type":"permissions","id":"5e605652-dd12-11e8-9e53-375565b8970e","attributes":{"name":"logs_read_index_data","display_name":"Logs | ||
| Read Index Data","description":"The ability to read all or some log indexes. | ||
| Can be granted in a limited capacity per index from the Logs interface or APIs. | ||
| If granted via the Roles interface or API the permission has global scope.","created":"2018-10-31T13:39:19.727450+00:00","group_name":"Logs","display_type":"read","restricted":false}},{"type":"permissions","id":"62cc036c-dd12-11e8-9e54-db9995643092","attributes":{"name":"logs_modify_indexes","display_name":"Logs | ||
| Modify Indexes","description":"The ability to read and modify all indexes in | ||
| your account. This includes the ability to grant the Logs Read Index Data and | ||
| Logs Write Exclusion Filter permission to other roles, for some or all indexes. | ||
| This permission also grants global Log Index Read and Log Exclusion Filter Write | ||
| implicitly.","created":"2018-10-31T13:39:27.148615+00:00","group_name":"Logs","display_type":"other","restricted":false}},{"type":"permissions","id":"6f66600e-dd12-11e8-9e55-7f30fbb45e73","attributes":{"name":"logs_live_tail","display_name":"Logs | ||
| Live Tail Access","description":"The ability to view the live tail feed for | ||
| all log indexes, even if otherwise specifically restricted.","created":"2018-10-31T13:39:48.292879+00:00","group_name":"Logs","display_type":"read","restricted":false}},{"type":"permissions","id":"7d7c98ac-dd12-11e8-9e56-93700598622d","attributes":{"name":"logs_write_exclusion_filters","display_name":"Logs | ||
| Write Exclusion Filters","description":"The ability to add and change exclusion | ||
| filters for all or some log indexes. Can be granted in a limited capacity per | ||
| index to specific roles via the Logs interface or API. If granted from the Roles | ||
| interface or API, the permission has global scope.","created":"2018-10-31T13:40:11.926613+00:00","group_name":"Logs","display_type":"write","restricted":false}},{"type":"permissions","id":"811ac4ca-dd12-11e8-9e57-676a7f0beef9","attributes":{"name":"logs_write_pipelines","display_name":"Logs | ||
| Write Pipelines","description":"The ability to add and change log pipeline configurations, | ||
| including the ability to grant the Logs Write Processors permission to other | ||
| roles, for some or all pipelines. This permission also grants global Log Processor | ||
| Write implicitly.","created":"2018-10-31T13:40:17.996379+00:00","group_name":"Logs","display_type":"other","restricted":false}},{"type":"permissions","id":"84aa3ae4-dd12-11e8-9e58-a373a514ccd0","attributes":{"name":"logs_write_processors","display_name":"Log | ||
| Write Processors","description":"The ability to add and change some or all log | ||
| processor configurations. Can be granted in a limited capacity per pipeline | ||
| to specific roles via the Logs interface or API. If granted via the Roles interface | ||
| or API the permission has global scope.","created":"2018-10-31T13:40:23.969725+00:00","group_name":"Logs","display_type":"write","restricted":false}},{"type":"permissions","id":"87b00304-dd12-11e8-9e59-cbeb5f71f72f","attributes":{"name":"logs_write_archives","display_name":"Logs | ||
| Archives","description":"The ability to add and edit log archive locations.","created":"2018-10-31T13:40:29.040786+00:00","group_name":"Logs","display_type":"write","restricted":false}},{"type":"permissions","id":"1a92ede2-6cb2-11e9-99c6-2b3a4a0cdf0a","attributes":{"name":"logs_public_config_api","display_name":"Logs | ||
| Public Config API","description":"The ability to access and edit logs configurations | ||
| via the API.","created":"2019-05-02T08:13:01.731092+00:00","group_name":"Logs","display_type":"other","restricted":false}},{"type":"permissions","id":"979df720-aed7-11e9-99c6-a7eb8373165a","attributes":{"name":"logs_generate_metrics","display_name":"Log | ||
| Generate Metrics","description":"The ability to create custom metrics from logs.","created":"2019-07-25T12:27:39.640758+00:00","group_name":"Logs","display_type":"other","restricted":false}},{"type":"permissions","id":"d90f6830-d3d8-11e9-a77a-b3404e5e9ee2","attributes":{"name":"dashboards_read","display_name":"Dashboards","description":"The | ||
| ability to view dashboards.","created":"2019-09-10T14:39:51.955175+00:00","group_name":"Dashboards","display_type":"read","restricted":true}},{"type":"permissions","id":"d90f6831-d3d8-11e9-a77a-4fd230ddbc6a","attributes":{"name":"dashboards_write","display_name":"Dashboards","description":"The | ||
| ability to create and change dashboards.","created":"2019-09-10T14:39:51.962944+00:00","group_name":"Dashboards","display_type":"write","restricted":false}},{"type":"permissions","id":"d90f6832-d3d8-11e9-a77a-bf8a2607f864","attributes":{"name":"dashboards_public_share","display_name":"Dashboards | ||
| Share","description":"The ability to share dashboards externally.","created":"2019-09-10T14:39:51.967094+00:00","group_name":"Dashboards","display_type":"other","restricted":false}},{"type":"permissions","id":"4441648c-d8b1-11e9-a77a-1b899a04b304","attributes":{"name":"monitors_read","display_name":"Monitors","description":"The | ||
| ability to view monitors.","created":"2019-09-16T18:39:07.744297+00:00","group_name":"Monitors","display_type":"read","restricted":true}},{"type":"permissions","id":"48ef71ea-d8b1-11e9-a77a-93f408470ad0","attributes":{"name":"monitors_write","display_name":"Monitors","description":"The | ||
| ability to change, mute, and delete individual monitors.","created":"2019-09-16T18:39:15.597109+00:00","group_name":"Monitors","display_type":"write","restricted":false}},{"type":"permissions","id":"4d87d5f8-d8b1-11e9-a77a-eb9c8350d04f","attributes":{"name":"monitors_downtime","display_name":"Monitors | ||
| Manage Downtimes","description":"The ability to set downtimes for your organization. | ||
| A user with this permission can suppress alerts from any monitor using a downtime, | ||
| even if they do not have permission to edit those monitors explicitly.","created":"2019-09-16T18:39:23.306702+00:00","group_name":"Monitors","display_type":"other","restricted":false}},{"type":"permissions","id":"1af86ce4-7823-11ea-93dc-d7cad1b1c6cb","attributes":{"name":"logs_read_data","display_name":"Logs | ||
| Read Data","description":"The ability to read log data. Can be restricted with | ||
| restriction queries.","created":"2020-04-06T16:24:35.989108+00:00","group_name":"Logs","display_type":"read","restricted":false}},{"type":"permissions","id":"b382b982-8535-11ea-93de-2bf1bdf20798","attributes":{"name":"logs_read_archives","display_name":"Logs | ||
| Archives","description":"The ability to read logs archives location and use | ||
| it for rehydration.","created":"2020-04-23T07:40:27.966133+00:00","group_name":"Logs","display_type":"read","restricted":false}},{"type":"permissions","id":"7314eb20-aa58-11ea-95e2-6fb6e4a451d5","attributes":{"name":"security_monitoring_rules_read","display_name":"Detection | ||
| Rules","description":"The ability to read Detection rules.","created":"2020-06-09T13:52:25.279909+00:00","group_name":"Security | ||
| Monitoring","display_type":"read","restricted":false}},{"type":"permissions","id":"7b516476-aa58-11ea-95e2-93718cd56369","attributes":{"name":"security_monitoring_rules_write","display_name":"Detection | ||
| Rules","description":"The ability to create and edit Detection rules.","created":"2020-06-09T13:52:39.099413+00:00","group_name":"Security | ||
| Monitoring","display_type":"write","restricted":false}},{"type":"permissions","id":"80de1ec0-aa58-11ea-95e2-aff381626d5d","attributes":{"name":"security_monitoring_signals_read","display_name":"Security | ||
| Signals","description":"The ability to view Security signals.","created":"2020-06-09T13:52:48.410398+00:00","group_name":"Security | ||
| Monitoring","display_type":"read","restricted":false}},{"type":"permissions","id":"9ac1d8cc-e707-11ea-aa2d-73d37e989a9d","attributes":{"name":"user_access_invite","display_name":"Invite | ||
| User","description":"Allows users to invite other users to your organization.","created":"2020-08-25T19:17:23.539701+00:00","group_name":"User | ||
| Access","display_type":"other","restricted":false}},{"type":"permissions","id":"9de604d8-e707-11ea-aa2d-93f1a783b3a3","attributes":{"name":"user_access_manage","display_name":"Access | ||
| Management","description":"Grants the permission to disable users, manage user | ||
| roles and SAML-to-role mappings.","created":"2020-08-25T19:17:28.810412+00:00","group_name":"User | ||
| Access","display_type":"other","restricted":false}},{"type":"permissions","id":"07c3c146-f7f8-11ea-acf6-0bd62b9ae60e","attributes":{"name":"logs_write_historical_view","display_name":"Logs | ||
| Historical View","description":"The capability to rehydrate logs from Archives.","created":"2020-09-16T08:38:44.242076+00:00","group_name":"Logs","display_type":"write","restricted":false}},{"type":"permissions","id":"6ba32d22-0e1a-11eb-ba44-bf9a5aafaa39","attributes":{"name":"logs_write_facets","display_name":"Logs | ||
| Facets","description":"The capability to create or edit logs facets.","created":"2020-10-14T12:40:20.271908+00:00","group_name":"Logs","display_type":"write","restricted":false}}]}' | ||
| headers: | ||
| Cache-Control: | ||
| - no-cache | ||
| Connection: | ||
| - keep-alive | ||
| Content-Security-Policy: | ||
| - frame-ancestors 'self'; report-uri https://api.datadoghq.com/csp-report | ||
| Content-Type: | ||
| - application/json | ||
| Date: | ||
| - Thu, 19 Nov 2020 10:43:43 GMT | ||
| Dd-Pool: | ||
| - dogweb | ||
| Pragma: | ||
| - no-cache | ||
| Set-Cookie: | ||
| - DD-PSHARD=233; Max-Age=604800; Path=/; expires=Thu, 26-Nov-2020 10:43:43 GMT; | ||
| secure; HttpOnly | ||
| Strict-Transport-Security: | ||
| - max-age=15724800; | ||
| Vary: | ||
| - Accept-Encoding | ||
| X-Content-Type-Options: | ||
| - nosniff | ||
| X-Dd-Debug: | ||
| - xRBFY2Rp8NHDG9Rp4RaGjcqlKnbzhHpETMjn37ZNtmzdKqGU6DeuhyyL4o7jfpVZ | ||
| X-Dd-Version: | ||
| - "35.3397059" | ||
| X-Frame-Options: | ||
| - SAMEORIGIN | ||
| status: 200 OK | ||
| code: 200 | ||
| duration: "" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| package datadog | ||
|
|
||
| import ( | ||
| "github.com/hashicorp/terraform-plugin-sdk/helper/schema" | ||
| ) | ||
|
|
||
| func dataSourceDatadogPermissions() *schema.Resource { | ||
| return &schema.Resource{ | ||
| Read: dataSourceDatadogPermissionsRead, | ||
|
|
||
| Schema: map[string]*schema.Schema{ | ||
| // Computed values | ||
| "permissions": { | ||
| Type: schema.TypeMap, | ||
| Computed: true, | ||
| Elem: &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| } | ||
|
|
||
| func dataSourceDatadogPermissionsRead(d *schema.ResourceData, meta interface{}) error { | ||
| providerConf := meta.(*ProviderConfiguration) | ||
| datadogClientV2 := providerConf.DatadogClientV2 | ||
| authV2 := providerConf.AuthV2 | ||
|
|
||
| res, _, err := datadogClientV2.RolesApi.ListPermissions(authV2).Execute() | ||
| if err != nil { | ||
| return translateClientError(err, "error listing permissions") | ||
| } | ||
| perms := res.GetData() | ||
| permsNameToID := make(map[string]string, len(perms)) | ||
| for _, perm := range perms { | ||
| // Don't list restricted permissions, as they cannot be granted/revoked to/from a role | ||
| if !perm.Attributes.GetRestricted() { | ||
| permsNameToID[perm.Attributes.GetName()] = perm.GetId() | ||
| } | ||
zippolyte marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
| d.SetId("datadog-permissions") | ||
zippolyte marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| if err := d.Set("permissions", permsNameToID); err != nil { | ||
| return err | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| package datadog | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| "github.com/hashicorp/terraform-plugin-sdk/helper/resource" | ||
| ) | ||
|
|
||
| func TestAccDatadogPermissionsDatasource(t *testing.T) { | ||
| accProviders, _, cleanup := testAccProviders(t, initRecorder(t)) | ||
| defer cleanup(t) | ||
|
|
||
| resource.ParallelTest(t, resource.TestCase{ | ||
| PreCheck: func() { testAccPreCheck(t) }, | ||
| Providers: accProviders, | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: `data "datadog_permissions" "foo" {}`, | ||
| // Check at least one permission exists | ||
| Check: resource.ComposeTestCheckFunc( | ||
| resource.TestCheckResourceAttr("data.datadog_permissions.foo", "id", "datadog-permissions"), | ||
| resource.TestCheckResourceAttrSet("data.datadog_permissions.foo", "permissions.admin"), | ||
| resource.TestCheckNoResourceAttr("data.datadog_permissions.foo", "permissions.dashboards_read"), | ||
zippolyte marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ), | ||
| }, | ||
| }, | ||
| }) | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think we'd want to add additional fields to this later? I'm wondering if it'd be useful to use schema like:
but that may be a bit of overkill here, wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Honestly, I don't know. And I do need this mapping so that it's practical for user to reference in other resources. A list wouldn't allow that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah you're right, we don't want users to have to care about the order of the list...
I just want to make sure will be able to add new fields in the future without compatibility issues if needed. (But maybe we won't need it) Another possibility may be this, though I'm unsure if that means you'd need to know the hash
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So in a map I can only have primitive types though
Elem represents the element type. For a TypeMap, it must be a *Schema with a Type that is one of the primitives: TypeString, TypeBool, TypeInt, or TypeFloat