From 59fb84538747bed54cb399d612f60234a5895d28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jeremia=20N=C3=B6bel?= <137068091+NerdJeremia@users.noreply.github.com> Date: Mon, 18 Nov 2024 13:22:08 +0100 Subject: [PATCH] New resource: wiz_saml_group_mapping (#216) --- docs/resources/saml_group_mapping.md | 124 +++++ .../wiz_saml_group_mapping/import.sh | 12 + .../wiz_saml_group_mapping/resource.tf | 65 +++ internal/acceptance/common.go | 2 + internal/acceptance/provider_test.go | 2 + .../resource_saml_group_mapping_test.go | 56 +++ internal/provider/provider.go | 1 + .../provider/resource_saml_group_mapping.go | 438 ++++++++++++++++++ .../resource_saml_group_mapping_test.go | 55 +++ internal/wiz/structs.go | 20 + 10 files changed, 775 insertions(+) create mode 100644 docs/resources/saml_group_mapping.md create mode 100644 examples/resources/wiz_saml_group_mapping/import.sh create mode 100644 examples/resources/wiz_saml_group_mapping/resource.tf create mode 100644 internal/acceptance/resource_saml_group_mapping_test.go create mode 100644 internal/provider/resource_saml_group_mapping.go create mode 100644 internal/provider/resource_saml_group_mapping_test.go diff --git a/docs/resources/saml_group_mapping.md b/docs/resources/saml_group_mapping.md new file mode 100644 index 0000000..f8e1555 --- /dev/null +++ b/docs/resources/saml_group_mapping.md @@ -0,0 +1,124 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "wiz_saml_group_mapping Resource - terraform-provider-wiz" +subcategory: "" +description: |- + Configure SAML Group Role Mapping. When using SSO to authenticate with Wiz, you can map group memberships in SAML assertions to Wiz roles across specific scopes. +--- + +# wiz_saml_group_mapping (Resource) + +Configure SAML Group Role Mapping. When using SSO to authenticate with Wiz, you can map group memberships in SAML assertions to Wiz roles across specific scopes. + +## Example Usage + +```terraform +# Configure SAML Group Role Mapping on a global scope +resource "wiz_saml_group_mapping" "test_global_scope" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "global-reader-group-id" + role = "PROJECT_READER" + } + ] +} + +# Configure SAML Group Role Mapping for a single project +resource "wiz_saml_group_mapping" "test_single_project" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "admin-group-id" + role = "PROJECT_ADMIN" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786" + ] + } + ] +} + +# Configure SAML Group Role Mapping for multiple projects +resource "wiz_saml_group_mapping" "test_multi_project" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "member-group-id" + role = "PROJECT_MEMBER" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786", + "e7f6542c-81f6-43cf-af48-bdd77f09650d" + ] + } + ] +} + +# Configure multiple SAML Group Role Mappings +resource "wiz_saml_group_mapping" "test_multi_mappings" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "global-reader-group-id" + role = "PROJECT_READER" + }, + { + provider_group_id = "admin-group-id" + role = "PROJECT_ADMIN" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786" + ] + }, + { + provider_group_id = "member-group-id" + role = "PROJECT_MEMBER" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786", + "e7f6542c-81f6-43cf-af48-bdd77f09650d" + ] + } + ] +} +``` + + +## Schema + +### Required + +- `group_mapping` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--group_mapping)) +- `saml_idp_id` (String) Identifier for the Saml Provider + +### Read-Only + +- `id` (String) Unique tf-internal identifier for the saml group mapping + + +### Nested Schema for `group_mapping` + +Required: + +- `provider_group_id` (String) Provider group ID +- `role` (String) Wiz Role name + +Optional: + +- `projects` (List of String) Project mapping + +## Import + +Import is supported using the following syntax: + +```shell +# The id for importing resources has to be in this format: 'mapping||::#...'. +# Import with saml mapping to multiple projects +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a,ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_READER" + +# Import with mapping to single project +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER" + +# Import with global mapping +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7::PROJECT_READER" + +# Import with multiple group mappings +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER#12345678-1234-1234-1234-123456789012:ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_WRITER" +``` diff --git a/examples/resources/wiz_saml_group_mapping/import.sh b/examples/resources/wiz_saml_group_mapping/import.sh new file mode 100644 index 0000000..0652095 --- /dev/null +++ b/examples/resources/wiz_saml_group_mapping/import.sh @@ -0,0 +1,12 @@ +# The id for importing resources has to be in this format: 'mapping||::#...'. +# Import with saml mapping to multiple projects +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a,ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_READER" + +# Import with mapping to single project +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER" + +# Import with global mapping +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7::PROJECT_READER" + +# Import with multiple group mappings +terraform import wiz_saml_group_mapping.example_import "mapping|wiz-azure-ad-saml|88990357-fe36-421b-aedc-fcdd602b91d7:bb62aac7-e8bd-5d5e-b205-2dbafe106e1a:PROJECT_READER#12345678-1234-1234-1234-123456789012:ee25cc95-82b0-4543-8934-5bc655b86786:PROJECT_WRITER" \ No newline at end of file diff --git a/examples/resources/wiz_saml_group_mapping/resource.tf b/examples/resources/wiz_saml_group_mapping/resource.tf new file mode 100644 index 0000000..b0da5d4 --- /dev/null +++ b/examples/resources/wiz_saml_group_mapping/resource.tf @@ -0,0 +1,65 @@ +# Configure SAML Group Role Mapping on a global scope +resource "wiz_saml_group_mapping" "test_global_scope" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "global-reader-group-id" + role = "PROJECT_READER" + } + ] +} + +# Configure SAML Group Role Mapping for a single project +resource "wiz_saml_group_mapping" "test_single_project" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "admin-group-id" + role = "PROJECT_ADMIN" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786" + ] + } + ] +} + +# Configure SAML Group Role Mapping for multiple projects +resource "wiz_saml_group_mapping" "test_multi_project" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "member-group-id" + role = "PROJECT_MEMBER" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786", + "e7f6542c-81f6-43cf-af48-bdd77f09650d" + ] + } + ] +} + +# Configure multiple SAML Group Role Mappings +resource "wiz_saml_group_mapping" "test_multi_mappings" { + saml_idp_id = "test-saml-identity-provider" + group_mappings = [ + { + provider_group_id = "global-reader-group-id" + role = "PROJECT_READER" + }, + { + provider_group_id = "admin-group-id" + role = "PROJECT_ADMIN" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786" + ] + }, + { + provider_group_id = "member-group-id" + role = "PROJECT_MEMBER" + projects = [ + "ee25cc95-82b0-4543-8934-5bc655b86786", + "e7f6542c-81f6-43cf-af48-bdd77f09650d" + ] + } + ] +} \ No newline at end of file diff --git a/internal/acceptance/common.go b/internal/acceptance/common.go index 102d4e3..457cbb1 100644 --- a/internal/acceptance/common.go +++ b/internal/acceptance/common.go @@ -27,4 +27,6 @@ const ( TcCloudConfigRule TestCase = "CLOUD_CONFIG_RULE" // TcProjectCloudAccountLink test case TcProjectCloudAccountLink = "PROJECT_CLOUD_ACCOUNT_LINK" + // TcSAMLGroupMapping test case + TcSAMLGroupMapping TestCase = "SAML_GROUP_MAPPING" ) diff --git a/internal/acceptance/provider_test.go b/internal/acceptance/provider_test.go index 6d1f965..1e91644 100644 --- a/internal/acceptance/provider_test.go +++ b/internal/acceptance/provider_test.go @@ -49,6 +49,8 @@ func testAccPreCheck(t *testing.T, tc TestCase) { envVars = append(commonEnvVars, "WIZ_PROJECT_ID") case TcProjectCloudAccountLink: envVars = append(commonEnvVars, "WIZ_PROJECT_ID", "WIZ_SUBSCRIPTION_ID") + case TcSAMLGroupMapping: + envVars = append(commonEnvVars, "WIZ_PROJECT_ID", "WIZ_PROVIDER_GROUP_ID", "WIZ_SAML_IDP_ID") default: t.Fatalf("unknown testCase: %s", tc) } diff --git a/internal/acceptance/resource_saml_group_mapping_test.go b/internal/acceptance/resource_saml_group_mapping_test.go new file mode 100644 index 0000000..4e59fcb --- /dev/null +++ b/internal/acceptance/resource_saml_group_mapping_test.go @@ -0,0 +1,56 @@ +package acceptance + +import ( + "fmt" + "os" + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" +) + +func TestAccResourceWizSAMLGroupMapping_basic(t *testing.T) { + samlIdpID := os.Getenv("WIZ_SAML_IDP_ID") + providerGroupID := os.Getenv("WIZ_PROVIDER_GROUP_ID") + projectID := os.Getenv("WIZ_PROJECT_ID") + + resource.UnitTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t, TcSAMLGroupMapping) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: testResourceWizSAMLGroupMappingBasic(samlIdpID, providerGroupID, projectID), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "wiz_saml_group_mapping.foo", + "saml_idp_id", + samlIdpID, + ), + resource.TestCheckResourceAttr( + "wiz_saml_group_mapping.foo", + "group_mapping.0.provider_group_id", + providerGroupID, + ), + resource.TestCheckResourceAttr( + "wiz_saml_group_mapping.foo", + "group_mapping.0.projects.0", + projectID, + ), + ), + }, + }, + }) +} + +func testResourceWizSAMLGroupMappingBasic(samlIdpID string, providerGroupID string, projectID string) string { + return fmt.Sprintf(` + resource "wiz_saml_group_mapping" "foo" { + saml_idp_id = "%s" + group_mapping { + provider_group_id = "%s" + role = "PROJECT_READER" + projects = [ + "%s" + ] + } + }`, samlIdpID, providerGroupID, projectID) +} diff --git a/internal/provider/provider.go b/internal/provider/provider.go index 8d89428..15cc640 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -299,6 +299,7 @@ yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/ "wiz_report_graph_query": resourceWizReportGraphQuery(), "wiz_project": resourceWizProject(), "wiz_saml_idp": resourceWizSAMLIdP(), + "wiz_saml_group_mapping": resourceWizSAMLGroupMapping(), "wiz_security_framework": resourceWizSecurityFramework(), "wiz_service_account": resourceWizServiceAccount(), "wiz_user": resourceWizUser(), diff --git a/internal/provider/resource_saml_group_mapping.go b/internal/provider/resource_saml_group_mapping.go new file mode 100644 index 0000000..e14f265 --- /dev/null +++ b/internal/provider/resource_saml_group_mapping.go @@ -0,0 +1,438 @@ +package provider + +import ( + "context" + "errors" + "slices" + "strings" + + "github.com/google/uuid" + "wiz.io/hashicorp/terraform-provider-wiz/internal/utils" + + "github.com/hashicorp/terraform-plugin-log/tflog" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + + "wiz.io/hashicorp/terraform-provider-wiz/internal" + "wiz.io/hashicorp/terraform-provider-wiz/internal/client" + "wiz.io/hashicorp/terraform-provider-wiz/internal/wiz" +) + +// ReadSAMLGroupMappings represents the structure of a SAML group mappings read operation. +// It includes a SAMLIdentityProviderGroupMappingsConnection object. +type ReadSAMLGroupMappings struct { + SAMLGroupMappings wiz.SAMLIdentityProviderGroupMappingsConnection `json:"samlIdentityProviderGroupMappings"` +} + +// UpdateSAMLGroupMappingInput struct +type UpdateSAMLGroupMappingInput struct { + ID string `json:"id"` + Patch wiz.ModifySAMLGroupMappingPatch `json:"patch"` +} + +// SAMLGroupMappingsImport struct +type SAMLGroupMappingsImport struct { + SamlIdpID string + GroupMappings []wiz.SAMLGroupDetailsInput +} + +// UpdateSAMLGroupMappingPayload struct +type UpdateSAMLGroupMappingPayload struct { + SAMLGroupMapping wiz.SAMLGroupMapping `json:"samlGroupMapping,omitempty"` +} + +func resourceWizSAMLGroupMapping() *schema.Resource { + return &schema.Resource{ + Description: "Configure SAML Group Role Mapping. When using SSO to authenticate with Wiz, you can map group memberships in SAML assertions to Wiz roles across specific scopes.", + Schema: map[string]*schema.Schema{ + "id": { + Type: schema.TypeString, + Description: "Unique tf-internal identifier for the saml group mapping", + Computed: true, + }, + "saml_idp_id": { + Type: schema.TypeString, + Description: "Identifier for the Saml Provider", + Required: true, + ForceNew: true, + }, + "group_mapping": { + Type: schema.TypeSet, + Required: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "provider_group_id": { + Type: schema.TypeString, + Description: "Provider group ID", + Required: true, + }, + "role": { + Type: schema.TypeString, + Description: "Wiz Role name", + Required: true, + }, + "projects": { + Type: schema.TypeList, + Optional: true, + Description: "Project mapping", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + CreateContext: resourceSAMLGroupMappingCreate, + ReadContext: resourceSAMLGroupMappingRead, + UpdateContext: resourceSAMLGroupMappingUpdate, + DeleteContext: resourceSAMLGroupMappingDelete, + Importer: &schema.ResourceImporter{ + + StateContext: func(ctx context.Context, d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) { + // schema for import id: | + mappingToImport, err := extractIDsFromSamlIdpGroupMappingImportID(d.Id()) + if err != nil { + return nil, err + } + + err = d.Set("saml_idp_id", mappingToImport.SamlIdpID) + if err != nil { + return nil, err + } + + var groupMappings []map[string]interface{} + for _, groupMapping := range mappingToImport.GroupMappings { + groupMappingMap := map[string]interface{}{ + "provider_group_id": groupMapping.ProviderGroupID, + "role": groupMapping.Role, + "projects": groupMapping.Projects, + } + groupMappings = append(groupMappings, groupMappingMap) + } + + err = d.Set("group_mappings", groupMappings) + if err != nil { + return nil, err + } + + d.SetId(uuid.NewString()) + return []*schema.ResourceData{d}, nil + }, + }, + } +} + +func resourceSAMLGroupMappingCreate(ctx context.Context, d *schema.ResourceData, m interface{}) (diags diag.Diagnostics) { + tflog.Info(ctx, "resourceWizSAMLGroupMappingCreate called...") + samlIdpID := d.Get("saml_idp_id").(string) + groupMappings := d.Get("group_mapping").(*schema.Set).List() + + var upsertGroupMappings []wiz.SAMLGroupDetailsInput + for _, item := range groupMappings { + groupMapping := item.(map[string]interface{}) + providerGroupID := groupMapping["provider_group_id"].(string) + role := groupMapping["role"].(string) + projectIDs := utils.ConvertListToString(groupMapping["projects"].([]interface{})) + + // verify the mapping doesn't already exist + matchingNodes, diags := querySAMLGroupMappings(ctx, m, samlIdpID, groupMappings) + if len(diags) != 0 { + return diags + } + + for _, matchingNode := range matchingNodes { + if matchingNode.ProviderGroupID == providerGroupID && matchingNode.Role.ID == role && slices.Equal(projectIDs, extractProjectIDs(matchingNode.Projects)) { + return diag.Errorf("saml group mapping for group: %s and role: %s to project(s): %s already exists for saml idp provider: %s and should be imported instead", + providerGroupID, role, strings.Join(projectIDs, ", "), samlIdpID) + } + } + + upsertGroupMapping := wiz.SAMLGroupDetailsInput{ + ProviderGroupID: providerGroupID, + Role: role, + Projects: projectIDs, + } + upsertGroupMappings = append(upsertGroupMappings, upsertGroupMapping) + } + + // define the graphql query + query := `mutation SetSAMLGroupMapping ($input: ModifySAMLGroupMappingInput!) { + modifySAMLIdentityProviderGroupMappings(input: $input) { + _stub + } + }` + + // populate the graphql variables + vars := &UpdateSAMLGroupMappingInput{} + vars.ID = samlIdpID + vars.Patch = wiz.ModifySAMLGroupMappingPatch{ + Upsert: &upsertGroupMappings, + } + + // process the request + data := &UpdateSAMLGroupMappingPayload{} + requestDiags := client.ProcessRequest(ctx, m, vars, data, query, "saml_group_mapping", "create") + diags = append(diags, requestDiags...) + if len(diags) > 0 { + return diags + } + + // set the id + d.SetId(uuid.NewString()) + + return resourceSAMLGroupMappingRead(ctx, d, m) +} + +func extractIDsFromSamlIdpGroupMappingImportID(id string) (SAMLGroupMappingsImport, error) { + parts := strings.Split(id, "|") + + if len(parts) != 3 { + return SAMLGroupMappingsImport{}, errors.New("invalid ID format") + } + + groupMappingStrings := strings.Split(parts[2], "#") + var groupMappings []wiz.SAMLGroupDetailsInput + for _, groupMappingString := range groupMappingStrings { + groupMappingParts := strings.Split(groupMappingString, ":") + if len(groupMappingParts) < 2 { + return SAMLGroupMappingsImport{}, errors.New("invalid group mapping format") + } + + providerGroupID := groupMappingParts[0] + role := groupMappingParts[1] + var projectIDs []string + if len(groupMappingParts) > 2 && groupMappingParts[2] != "" { + projectIDs = strings.Split(groupMappingParts[2], ",") + } + + groupMapping := wiz.SAMLGroupDetailsInput{ + ProviderGroupID: providerGroupID, + Role: role, + Projects: projectIDs, + } + groupMappings = append(groupMappings, groupMapping) + + } + + return SAMLGroupMappingsImport{ + SamlIdpID: parts[1], + GroupMappings: groupMappings, + }, nil +} + +func extractProjectIDs(projects []wiz.Project) []string { + projectIDs := make([]string, len(projects)) + for i, project := range projects { + projectIDs[i] = project.ID + } + + return projectIDs +} + +func resourceSAMLGroupMappingRead(ctx context.Context, d *schema.ResourceData, m interface{}) (diags diag.Diagnostics) { + tflog.Info(ctx, "resourceWizSAMLGroupMappingRead called...") + + // check the id + if d.Id() == "" { + return nil + } + + samlIdpID := d.Get("saml_idp_id").(string) + groupMappings := d.Get("group_mapping").(*schema.Set).List() + + var newGroupMappings []interface{} + + matchingNodes, diags := querySAMLGroupMappings(ctx, m, samlIdpID, groupMappings) + if len(diags) > 0 { + return diags + } + + for _, item := range groupMappings { + groupMapping := item.(map[string]interface{}) + providerGroupID := groupMapping["provider_group_id"].(string) + role := groupMapping["role"].(string) + projectIDs := utils.ConvertListToString(groupMapping["projects"].([]interface{})) + + for _, matchingNode := range matchingNodes { + if matchingNode.ProviderGroupID == providerGroupID && matchingNode.Role.ID == role && slices.Equal(projectIDs, extractProjectIDs(matchingNode.Projects)) { + // set the resource parameters + newGroupMapping := map[string]interface{}{ + "provider_group_id": matchingNode.ProviderGroupID, + "role": matchingNode.Role.ID, + "projects": extractProjectIDs(matchingNode.Projects), + } + newGroupMappings = append(newGroupMappings, newGroupMapping) + } + } + } + + err := d.Set("saml_idp_id", samlIdpID) + if err != nil { + return append(diags, diag.FromErr(err)...) + } + + err = d.Set("group_mapping", newGroupMappings) + if err != nil { + return append(diags, diag.FromErr(err)...) + } + + return diags + +} + +func resourceSAMLGroupMappingUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) (diags diag.Diagnostics) { + tflog.Info(ctx, "resourceWizSAMLGroupMappingUpdate called...") + + // check the id + if d.Id() == "" { + return nil + } + + samlIdpID := d.Get("saml_idp_id").(string) + groupMappings := d.Get("group_mapping").(*schema.Set).List() + var upsertGroupMappings []wiz.SAMLGroupDetailsInput + for _, item := range groupMappings { + groupMapping := item.(map[string]interface{}) + providerGroupID := groupMapping["provider_group_id"].(string) + role := groupMapping["role"].(string) + projects := utils.ConvertListToString(groupMapping["projects"].([]interface{})) + upsertGroupMapping := wiz.SAMLGroupDetailsInput{ + ProviderGroupID: providerGroupID, + Role: role, + Projects: projects, + } + upsertGroupMappings = append(upsertGroupMappings, upsertGroupMapping) + } + + // define the graphql query + query := `mutation SetSAMLGroupMapping ($input: ModifySAMLGroupMappingInput!) { + modifySAMLIdentityProviderGroupMappings(input: $input) { + _stub + } + }` + + // populate the graphql variables + vars := &UpdateSAMLGroupMappingInput{} + vars.ID = samlIdpID + vars.Patch = wiz.ModifySAMLGroupMappingPatch{ + Upsert: &upsertGroupMappings, + } + + // process the request + data := &UpdateSAMLGroupMappingPayload{} + requestDiags := client.ProcessRequest(ctx, m, vars, data, query, "saml_group_mapping", "update") + diags = append(diags, requestDiags...) + if len(diags) > 0 { + return diags + } + + return resourceSAMLGroupMappingRead(ctx, d, m) +} + +func resourceSAMLGroupMappingDelete(ctx context.Context, d *schema.ResourceData, m interface{}) (diags diag.Diagnostics) { + tflog.Info(ctx, "resourceWizSAMLGroupMappingDelete called...") + + // check the id + if d.Id() == "" { + return nil + } + + samlIdpID := d.Get("saml_idp_id").(string) + groupMappings := d.Get("group_mapping").(*schema.Set).List() + + var deleteGroupMappings []string + for _, item := range groupMappings { + groupMapping := item.(map[string]interface{}) + providerGroupID := groupMapping["provider_group_id"].(string) + deleteGroupMappings = append(deleteGroupMappings, providerGroupID) + } + + // define the graphql query + query := `mutation SetSAMLGroupMapping ($input: ModifySAMLGroupMappingInput!) { + modifySAMLIdentityProviderGroupMappings(input: $input) { + _stub + } + }` + + // populate the graphql variables + vars := &UpdateSAMLGroupMappingInput{} + vars.ID = samlIdpID + vars.Patch = wiz.ModifySAMLGroupMappingPatch{ + Delete: &deleteGroupMappings, + } + + // process the request + data := &UpdateSAMLGroupMappingPayload{} + requestDiags := client.ProcessRequest(ctx, m, vars, data, query, "saml_group_mapping", "delete") + diags = append(diags, requestDiags...) + if len(diags) > 0 { + return diags + } + + return diags +} + +func querySAMLGroupMappings(ctx context.Context, m interface{}, samlIdpID string, groupMappings []interface{}) ([]*wiz.SAMLGroupMapping, diag.Diagnostics) { + // define the graphql query + query := `query samlIdentityProviderGroupMappings ($id: ID!, $first: Int! $after: String){ + samlIdentityProviderGroupMappings ( + id: $id, + first: $first + after: $after + ) { + pageInfo { + hasNextPage + endCursor + } + nodes { + providerGroupId + role { + id + } + projects { + id + } + } + } + }` + + // populate the graphql variables + vars := &internal.QueryVariables{} + vars.ID = samlIdpID + vars.First = 500 + + // Call ProcessPagedRequest + diags, allData := client.ProcessPagedRequest(ctx, m, vars, &ReadSAMLGroupMappings{}, query, "saml_idp", "read", 0) + if diags.HasError() { + return nil, diags + } + + var matchingNodes []*wiz.SAMLGroupMapping + + // Process the data... + for _, data := range allData { + typedData, ok := data.(*ReadSAMLGroupMappings) + if !ok { + return nil, diag.Errorf("data is not of type *ReadSAMLGroupMappings") + } + + nodes := typedData.SAMLGroupMappings.Nodes + for _, node := range nodes { + for _, item := range groupMappings { + groupMapping := item.(map[string]interface{}) + providerGroupID := groupMapping["provider_group_id"].(string) + roleID := groupMapping["role"].(string) + projectIDs := utils.ConvertListToString(groupMapping["projects"].([]interface{})) + nodeProjectIDs := extractProjectIDs(node.Projects) + + // If we find a match, store the node + if node.ProviderGroupID == providerGroupID && node.Role.ID == roleID && slices.Equal(projectIDs, nodeProjectIDs) { + matchingNodes = append(matchingNodes, node) + } + } + } + } + + return matchingNodes, nil +} diff --git a/internal/provider/resource_saml_group_mapping_test.go b/internal/provider/resource_saml_group_mapping_test.go new file mode 100644 index 0000000..c05d799 --- /dev/null +++ b/internal/provider/resource_saml_group_mapping_test.go @@ -0,0 +1,55 @@ +package provider + +import ( + "reflect" + + "wiz.io/hashicorp/terraform-provider-wiz/internal/wiz" + + "testing" +) + +func TestExtractIDsFromSamlIdpGroupMappingImportID(t *testing.T) { + testCases := []struct { + name string + input string + expectedMapping SAMLGroupMappingsImport + expectErr bool + }{ + { + name: "Valid ID", + input: "link|samlIdpID|providerGroupID:role:projectID1,projectID2", + expectedMapping: SAMLGroupMappingsImport{SamlIdpID: "samlIdpID", GroupMappings: []wiz.SAMLGroupDetailsInput{{ProviderGroupID: "providerGroupID", Role: "role", Projects: []string{"projectID1", "projectID2"}}}}, + expectErr: false, + }, + { + name: "Valid ID global mapping", + input: "link|samlIdpID|providerGroupID:role", + expectedMapping: SAMLGroupMappingsImport{SamlIdpID: "samlIdpID", GroupMappings: []wiz.SAMLGroupDetailsInput{{ProviderGroupID: "providerGroupID", Role: "role", Projects: nil}}}, + expectErr: false, + }, + { + name: "Invalid ID", + input: "invalidId", + expectedMapping: SAMLGroupMappingsImport{}, + expectErr: true, + }, + { + name: "Invalid ID length", + input: "link|samlIdpId", + expectedMapping: SAMLGroupMappingsImport{}, + expectErr: true, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + mapping, err := extractIDsFromSamlIdpGroupMappingImportID(tc.input) + if (err != nil) != tc.expectErr { + t.Errorf("Expected error: %v, got: %v", tc.expectErr, err) + } + if !reflect.DeepEqual(mapping, tc.expectedMapping) { + t.Errorf("Expected mapping: %+v, got: %+v", tc.expectedMapping, mapping) + } + }) + } +} diff --git a/internal/wiz/structs.go b/internal/wiz/structs.go index f0362f4..8195831 100644 --- a/internal/wiz/structs.go +++ b/internal/wiz/structs.go @@ -244,6 +244,26 @@ type SAMLGroupMappingCreateInput struct { Projects []string `json:"projects"` } +// SAMLGroupDetailsInput struct +// Incomplete because 'description' field is missing as in the schema +type SAMLGroupDetailsInput struct { + ProviderGroupID string `json:"providerGroupId"` + Role string `json:"role"` + Projects []string `json:"projects"` +} + +// ModifySAMLGroupMappingPatch struct +type ModifySAMLGroupMappingPatch struct { + Upsert *[]SAMLGroupDetailsInput `json:"upsert,omitempty"` + Delete *[]string `json:"delete,omitempty"` +} + +// SAMLIdentityProviderGroupMappingsConnection struct +type SAMLIdentityProviderGroupMappingsConnection struct { + PageInfo PageInfo `json:"pageInfo"` + Nodes []*SAMLGroupMapping `json:"nodes,omitempty"` +} + // SAMLIdentityProvider struct -- updates type SAMLIdentityProvider struct { AllowManualRoleOverride *bool `json:"allowManualRoleOverride"`