Merge pull request #226 from yossig-aquasec/ldap_role_mapping

task: Adding support for managing ldap role mapping
aquasecurity · Jan 22, 2023 · ddfe052 · ddfe052
2 parents 78556fe + 85eb299
commit ddfe052
Show file tree

Hide file tree

Showing 6 changed files with 293 additions and 27 deletions.
diff --git a/aquasec/data_roles_mapping.go b/aquasec/data_roles_mapping.go
@@ -62,6 +62,23 @@ func dataSourceRolesMapping() *schema.Resource {
 				},
 				Computed: true,
 			},
+			"ldap": {
+				Type:        schema.TypeSet,
+				Description: "LDAP Authentication",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"role_mapping": {
+							Type:        schema.TypeMap,
+							Description: "Role Mapping is used to define the IdP role that the user will assume in Aqua",
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							Computed: true,
+						},
+					},
+				},
+				Computed: true,
+			},
 		},
 	}
 }
@@ -73,10 +90,19 @@ func dataRolesMappingRead(ctx context.Context, d *schema.ResourceData, m interfa
 		d.Set("saml", flattenSamlRoleMapping(sso.Saml))
 		d.Set("oauth2", flattenOAuth2RoleMapping(sso.OAuth2))
 		d.Set("openid", flattenOpenIdRoleMapping(sso.OpenId))
-		d.SetId("aquasec-rolesMapping")
 	} else {
 		return diag.FromErr(err)
 	}
+
+	ldap, err := c.GetLdap()
+
+	if err == nil {
+		d.Set("ldap", flattenLdapRoleMapping(ldap))
+	} else {
+		return diag.FromErr(err)
+	}
+	d.SetId("aquasec-rolesMapping")
+
 	return nil
 }
 
@@ -103,3 +129,11 @@ func flattenOpenIdRoleMapping(openId client.OpenId) []map[string]interface{} {
 		},
 	}
 }
+
+func flattenLdapRoleMapping(ldap *client.Ldap) []map[string]interface{} {
+	return []map[string]interface{}{
+		{
+			"role_mapping": flattenRoleMap(ldap.RoleMapping),
+		},
+	}
+}
diff --git a/aquasec/resource_role_mapping.go b/aquasec/resource_role_mapping.go
@@ -74,43 +74,79 @@ func resourceRoleMapping() *schema.Resource {
 				Optional: true,
 				MaxItems: 1,
 			},
+			"ldap": {
+				Type:        schema.TypeSet,
+				Description: "LDAP Authentication",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"role_mapping": {
+							Type:        schema.TypeMap,
+							Description: "Role Mapping is used to define the IdP role that the user will assume in Aqua",
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							Required: true,
+							ForceNew: true,
+						},
+					},
+				},
+				Optional: true,
+				MaxItems: 1,
+			},
 		},
 	}
 }
 
 func resourceRoleMappingCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	c := m.(*client.Client)
-	RoleMapping, err := expandRoleMapping(d, c)
+	sso, ldap, err := expandRoleMapping(d, c)
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	err = c.CreateSSO(RoleMapping)
+	err = c.CreateSSO(sso)
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	d.SetId("aquasec-RoleMapping")
+
+	err = c.CreateLdap(ldap)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId("aquasec-aquaRoleMapping")
 	return resourceRoleMappingRead(ctx, d, m)
 }
 
 func resourceRoleMappingRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	c := m.(*client.Client)
-	roleMapping, err := c.GetSSO()
+	sso, err := c.GetSSO()
 	if err == nil {
 		saml, ok := d.GetOk("saml")
 		if ok {
-			roleMapping.Saml.RoleMapping = convertRoleMapping(saml.(*schema.Set).List()[0].(map[string]interface{}))
-			d.Set("saml", flattenSamlRoleMapping(roleMapping.Saml))
+			sso.Saml.RoleMapping = convertRoleMapping(saml.(*schema.Set).List()[0].(map[string]interface{}))
+			d.Set("saml", flattenSamlRoleMapping(sso.Saml))
 		}
 		oAuth2, ok := d.GetOk("oauth2")
 		if ok {
-			roleMapping.OAuth2.RoleMapping = convertRoleMapping(oAuth2.(*schema.Set).List()[0].(map[string]interface{}))
-			d.Set("oauth2", flattenOAuth2RoleMapping(roleMapping.OAuth2))
+			sso.OAuth2.RoleMapping = convertRoleMapping(oAuth2.(*schema.Set).List()[0].(map[string]interface{}))
+			d.Set("oauth2", flattenOAuth2RoleMapping(sso.OAuth2))
 		}
 		openId, ok := d.GetOk("openid")
 		if ok {
-			roleMapping.OpenId.RoleMapping = convertRoleMapping(openId.(*schema.Set).List()[0].(map[string]interface{}))
-			d.Set("openid", flattenOpenIdRoleMapping(roleMapping.OpenId))
+			sso.OpenId.RoleMapping = convertRoleMapping(openId.(*schema.Set).List()[0].(map[string]interface{}))
+			d.Set("openid", flattenOpenIdRoleMapping(sso.OpenId))
 		}
+
+		ldap, err := c.GetLdap()
+
+		if err == nil {
+			l, ok := d.GetOk("ldap")
+			if ok {
+				ldap.RoleMapping = convertRoleMapping(l.(*schema.Set).List()[0].(map[string]interface{}))
+				d.Set("l", flattenLdapRoleMapping(ldap))
+			}
+		}
+
 		d.SetId("aquasec-RoleMapping")
 	} else {
 		return diag.FromErr(err)
@@ -119,16 +155,22 @@ func resourceRoleMappingRead(ctx context.Context, d *schema.ResourceData, m inte
 }
 
 func resourceRoleMappingUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
-	if d.HasChanges("saml", "oauth2", "openid") {
+	if d.HasChanges("saml", "oauth2", "openid", "ldap") {
 		c := m.(*client.Client)
-		roleMapping, err := expandRoleMapping(d, c)
+		sso, ldap, err := expandRoleMapping(d, c)
 		if err != nil {
 			return diag.FromErr(err)
 		}
-		err = c.UpdateSSO(roleMapping)
+		err = c.UpdateSSO(sso)
 		if err != nil {
 			return diag.FromErr(err)
 		}
+
+		err = c.UpdateLdap(ldap)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+
 		d.SetId("aquasec-RoleMapping")
 		return resourceRoleMappingRead(ctx, d, m)
 	}
@@ -137,26 +179,49 @@ func resourceRoleMappingUpdate(ctx context.Context, d *schema.ResourceData, m in
 
 func resourceRoleMappingDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	c := m.(*client.Client)
-	roleMapping, err := c.GetSSO()
+	sso, err := c.GetSSO()
 
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	// setting the roleMapping to an empty map, because the api support only put operation
+	// setting the sso to an empty map, because the api support only put operation
 	saml, ok := d.GetOk("saml")
 	if ok {
-		roleMapping.Saml.RoleMapping = splitRoleMapping(convertRoleMapping(saml.(*schema.Set).List()[0].(map[string]interface{})), roleMapping.Saml.RoleMapping)
+		sso.Saml.RoleMapping = splitRoleMapping(convertRoleMapping(saml.(*schema.Set).List()[0].(map[string]interface{})), sso.Saml.RoleMapping)
 	}
 	oAuth2, ok := d.GetOk("oauth2")
 	if ok {
-		roleMapping.OAuth2.RoleMapping = splitRoleMapping(convertRoleMapping(oAuth2.(*schema.Set).List()[0].(map[string]interface{})), roleMapping.OAuth2.RoleMapping)
+		sso.OAuth2.RoleMapping = splitRoleMapping(convertRoleMapping(oAuth2.(*schema.Set).List()[0].(map[string]interface{})), sso.OAuth2.RoleMapping)
 	}
 	openId, ok := d.GetOk("openid")
 	if ok {
-		roleMapping.OpenId.RoleMapping = splitRoleMapping(convertRoleMapping(openId.(*schema.Set).List()[0].(map[string]interface{})), roleMapping.OpenId.RoleMapping)
+		sso.OpenId.RoleMapping = splitRoleMapping(convertRoleMapping(openId.(*schema.Set).List()[0].(map[string]interface{})), sso.OpenId.RoleMapping)
+	}
+
+	err = c.DeleteSSO(sso)
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	ldap, err := c.GetLdap()
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	l, ok := d.GetOk("ldap")
+
+	if ok {
+		ldap.RoleMapping = splitRoleMapping(convertRoleMapping(l.(*schema.Set).List()[0].(map[string]interface{})), ldap.RoleMapping)
+	}
+
+	err = c.DeleteLdap(ldap)
+
+	if err != nil {
+		return diag.FromErr(err)
 	}
 
-	err = c.DeleteSSO(roleMapping)
 	if err == nil {
 		d.SetId("")
 	} else {
@@ -166,27 +231,38 @@ func resourceRoleMappingDelete(ctx context.Context, d *schema.ResourceData, m in
 	return nil
 }
 
-func expandRoleMapping(d *schema.ResourceData, c *client.Client) (*client.SSO, error) {
+func expandRoleMapping(d *schema.ResourceData, c *client.Client) (*client.SSO, *client.Ldap, error) {
 	// for now we are allowing to set from terraform only role mapping all the other vars are getting from the console.
-	RoleMapping, err := c.GetSSO()
+	sso, err := c.GetSSO()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	saml, ok := d.GetOk("saml")
 	if ok {
-		RoleMapping.Saml.RoleMapping = joinRoleMapping(convertRoleMapping(saml.(*schema.Set).List()[0].(map[string]interface{})), RoleMapping.Saml.RoleMapping)
+		sso.Saml.RoleMapping = joinRoleMapping(convertRoleMapping(saml.(*schema.Set).List()[0].(map[string]interface{})), sso.Saml.RoleMapping)
 	}
 
 	oauth2, ok := d.GetOk("oauth2")
 	if ok {
-		RoleMapping.OAuth2.RoleMapping = joinRoleMapping(convertRoleMapping(oauth2.(*schema.Set).List()[0].(map[string]interface{})), RoleMapping.OAuth2.RoleMapping)
+		sso.OAuth2.RoleMapping = joinRoleMapping(convertRoleMapping(oauth2.(*schema.Set).List()[0].(map[string]interface{})), sso.OAuth2.RoleMapping)
 	}
 
 	openid, ok := d.GetOk("openid")
 	if ok {
-		RoleMapping.OpenId.RoleMapping = joinRoleMapping(convertRoleMapping(openid.(*schema.Set).List()[0].(map[string]interface{})), RoleMapping.OpenId.RoleMapping)
+		sso.OpenId.RoleMapping = joinRoleMapping(convertRoleMapping(openid.(*schema.Set).List()[0].(map[string]interface{})), sso.OpenId.RoleMapping)
+	}
+
+	ldap, err := c.GetLdap()
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	l, ok := d.GetOk("ldap")
+	if ok {
+		ldap.RoleMapping = joinRoleMapping(convertRoleMapping(l.(*schema.Set).List()[0].(map[string]interface{})), ldap.RoleMapping)
 	}
 
-	return RoleMapping, nil
+	return sso, ldap, nil
 }