AUTH-5974 added saml_attribute_transform_jsonata

cloudflare · Mar 14, 2024 · 118f105 · 118f105
1 parent e451cb5
commit 118f105
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 10 deletions.
diff --git a/.changelog/3187.txt b/.changelog/3187.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_application: adds saml_attribute_transform_jsonata` to SaaS applications
+```
diff --git a/internal/sdkv2provider/resource_cloudflare_access_application_test.go b/internal/sdkv2provider/resource_cloudflare_access_application_test.go
@@ -189,6 +189,7 @@ func TestAccCloudflareAccessApplication_WithSAMLSaas(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "saas_app.0.name_id_format", "email"),
 					resource.TestCheckResourceAttr(name, "saas_app.0.default_relay_state", "https://saas-app.example"),
 					resource.TestCheckResourceAttr(name, "saas_app.0.name_id_transform_jsonata", "$substringBefore(email, '@') & '+sandbox@' & $substringAfter(email, '@')"),
+					resource.TestCheckResourceAttr(name, "saas_app.0.saml_attribute_transform_jsonata", "$ ~>| groups | {'group_name': name} |"),
 
 					resource.TestCheckResourceAttrSet(name, "saas_app.0.idp_entity_id"),
 					resource.TestCheckResourceAttrSet(name, "saas_app.0.public_key"),
@@ -225,6 +226,7 @@ func TestAccCloudflareAccessApplication_WithSAMLSaas_Import(t *testing.T) {
 		resource.TestCheckResourceAttr(name, "saas_app.0.name_id_format", "email"),
 		resource.TestCheckResourceAttr(name, "saas_app.0.default_relay_state", "https://saas-app.example"),
 		resource.TestCheckResourceAttr(name, "saas_app.0.name_id_transform_jsonata", "$substringBefore(email, '@') & '+sandbox@' & $substringAfter(email, '@')"),
+		resource.TestCheckResourceAttr(name, "saas_app.0.saml_attribute_transform_jsonata", "$ ~>| groups | {'group_name': name} |"),
 
 		resource.TestCheckResourceAttr(name, "saas_app.0.custom_attribute.#", "2"),
 		resource.TestCheckResourceAttr(name, "saas_app.0.custom_attribute.0.name", "email"),
@@ -771,6 +773,8 @@ resource "cloudflare_access_application" "%[1]s" {
     name_id_format =  "email"
 	default_relay_state = "https://saas-app.example"
 	name_id_transform_jsonata = "$substringBefore(email, '@') & '+sandbox@' & $substringAfter(email, '@')"
+	saml_attribute_transform_jsonata = "$ ~>| groups | {'group_name': name} |"
+
 	custom_attribute {
 		name = "email"
 		name_format = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

diff --git a/internal/sdkv2provider/schema_cloudflare_access_application.go b/internal/sdkv2provider/schema_cloudflare_access_application.go
@@ -4,8 +4,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/cloudflare/cloudflare-go"
-
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -292,6 +290,11 @@ func resourceCloudflareAccessApplicationSchema() map[string]*schema.Schema {
 						Optional:    true,
 						Description: "A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.",
 					},
+					"saml_attribute_transform_jsonata": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.",
+					},
 				},
 			},
 		},
@@ -572,6 +575,7 @@ func convertSaasSchemaToStruct(d *schema.ResourceData) *cloudflare.SaasApplicati
 			SaasConfig.NameIDFormat = d.Get("saas_app.0.name_id_format").(string)
 			SaasConfig.DefaultRelayState = d.Get("saas_app.0.default_relay_state").(string)
 			SaasConfig.NameIDTransformJsonata = d.Get("saas_app.0.name_id_transform_jsonata").(string)
+			SaasConfig.SamlAttributeTransformJsonata = d.Get("saas_app.0.saml_attribute_transform_jsonata").(string)
 
 			customAttributes, _ := d.Get("saas_app.0.custom_attribute").([]interface{})
 			for _, customAttributes := range customAttributes {
@@ -692,14 +696,15 @@ func convertSaasStructToSchema(d *schema.ResourceData, app *cloudflare.SaasAppli
 		return []interface{}{m}
 	} else {
 		m := map[string]interface{}{
-			"sp_entity_id":              app.SPEntityID,
-			"consumer_service_url":      app.ConsumerServiceUrl,
-			"name_id_format":            app.NameIDFormat,
-			"idp_entity_id":             app.IDPEntityID,
-			"public_key":                app.PublicKey,
-			"sso_endpoint":              app.SSOEndpoint,
-			"default_relay_state":       app.DefaultRelayState,
-			"name_id_transform_jsonata": app.NameIDTransformJsonata,
+			"sp_entity_id":                     app.SPEntityID,
+			"consumer_service_url":             app.ConsumerServiceUrl,
+			"name_id_format":                   app.NameIDFormat,
+			"idp_entity_id":                    app.IDPEntityID,
+			"public_key":                       app.PublicKey,
+			"sso_endpoint":                     app.SSOEndpoint,
+			"default_relay_state":              app.DefaultRelayState,
+			"name_id_transform_jsonata":        app.NameIDTransformJsonata,
+			"saml_attribute_transform_jsonata": app.SamlAttributeTransformJsonata,
 		}
 
 		var customAttributes []interface{}