Merge and use a single datasource

sysdiglabs · Oct 25, 2024 · eb803c0 · eb803c0
1 parent 7d06e43
commit eb803c0
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 136 deletions.
diff --git a/sysdig/data_source_sysdig_secure_onboarding.go b/sysdig/data_source_sysdig_secure_onboarding.go
@@ -54,6 +54,18 @@ func dataSourceSysdigSecureTrustedCloudIdentity() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"gov_identity": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"aws_gov_account_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"aws_gov_role_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -65,18 +77,55 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 		return diag.FromErr(err)
 	}
 
+	// get trusted identity for commercial backend
 	identity, err := client.GetTrustedCloudIdentitySecure(ctx, d.Get("cloud_provider").(string))
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
+	// get trusted identity for regulatory backend, such as govcloud
+	// XXX: only supported for aws currently. update when supported for other providers
+	var trustedRegulation map[string]string
+	if d.Get("cloud_provider").(string) == "aws" {
+		trustedRegulation, err = client.GetTrustedCloudRegulationAssetsSecure(ctx, d.Get("cloud_provider").(string))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	d.SetId(identity)
-	_ = d.Set("identity", identity)
 
 	provider := d.Get("cloud_provider")
 	switch provider {
-	case "aws", "gcp":
-		// If identity is an ARN, attempt to extract certain fields
+	case "aws":
+		// set the commercial identity
+		_ = d.Set("identity", identity)
+		// if identity is an ARN, attempt to extract certain fields
+		parsedArn, err := arn.Parse(identity)
+		if err == nil {
+			_ = d.Set("aws_account_id", parsedArn.AccountID)
+			if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+				_ = d.Set("aws_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+			}
+		}
+
+		// set the gov regulation based identity (only supported for aws currently)
+		err = d.Set("gov_identity", trustedRegulation["trustedIdentityGov"])
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		// if identity is an ARN, attempt to extract certain fields
+		parsedArn, err = arn.Parse(trustedRegulation["trustedIdentityGov"])
+		if err == nil {
+			_ = d.Set("aws_gov_account_id", parsedArn.AccountID)
+			if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+				_ = d.Set("aws_gov_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+			}
+		}
+	case "gcp":
+		// set the commercial identity
+		_ = d.Set("identity", identity)
+		// if identity is an ARN, attempt to extract certain fields
 		parsedArn, err := arn.Parse(identity)
 		if err == nil {
 			_ = d.Set("aws_account_id", parsedArn.AccountID)
@@ -85,7 +134,9 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 			}
 		}
 	case "azure":
-		// If identity is an Azure tenantID/clientID, separate into each part
+		// set the commercial identity
+		_ = d.Set("identity", identity)
+		// if identity is an Azure tenantID/clientID, separate into each part
 		tenantID, spID, err := parseAzureCreds(identity)
 		if err == nil {
 			_ = d.Set("azure_tenant_id", tenantID)
@@ -348,72 +399,6 @@ func dataSourceSysdigSecureCloudIngestionAssetsRead(ctx context.Context, d *sche
 	return nil
 }
 
-func dataSourceSysdigSecureTrustedCloudRegulationAssets() *schema.Resource {
-	timeout := 5 * time.Minute
-
-	return &schema.Resource{
-		ReadContext: dataSourceSysdigSecureTrustedCloudRegulationAssetsRead,
-
-		Timeouts: &schema.ResourceTimeout{
-			Read: schema.DefaultTimeout(timeout),
-		},
-
-		Schema: map[string]*schema.Schema{
-			"cloud_provider": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ValidateFunc: validation.StringInSlice([]string{"aws"}, false),
-			},
-			"gov_identity": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-			"aws_gov_account_id": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-			"aws_gov_role_name": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-		},
-	}
-}
-
-// Retrieves the information of a resource form the file and loads it in Terraform
-func dataSourceSysdigSecureTrustedCloudRegulationAssetsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := getSecureOnboardingClient(meta.(SysdigClients))
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	trustedRegulation, err := client.GetTrustedCloudRegulationAssetsSecure(ctx, d.Get("cloud_provider").(string))
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	provider := d.Get("cloud_provider")
-	d.SetId(fmt.Sprintf("%s_trusted_regulation_assets", provider.(string)))
-
-	switch provider {
-	case "aws":
-		// set the gov regulation based identity
-		err = d.Set("gov_identity", trustedRegulation["trustedIdentityGov"])
-		if err != nil {
-			return diag.FromErr(err)
-		}
-		// If identity is an ARN, attempt to extract certain fields
-		parsedArn, err := arn.Parse(trustedRegulation["trustedIdentityGov"])
-		if err == nil {
-			_ = d.Set("aws_gov_account_id", parsedArn.AccountID)
-			if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
-				_ = d.Set("aws_gov_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
-			}
-		}
-	}
-	return nil
-}
-
 var matchFirstCap = regexp.MustCompile("(.)([A-Z][a-z]+)")
 var matchAllCap = regexp.MustCompile("([a-z0-9])([A-Z])")
 

diff --git a/sysdig/data_source_sysdig_secure_onboarding_test.go b/sysdig/data_source_sysdig_secure_onboarding_test.go
@@ -26,12 +26,17 @@ func TestAccTrustedCloudIdentityDataSource(t *testing.T) {
 			},
 		},
 		Steps: []resource.TestStep{
+			{
+				Config:      `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {	cloud_provider = "invalid" }`,
+				ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
+			},
 			{
 				Config: `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {	cloud_provider = "aws" }`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "cloud_provider", "aws"),
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_account_id"),
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_role_name"),
+					// not asserting the gov exported fields because not every backend environment is gov supported and will have non-empty values returned
 				),
 			},
 			{
@@ -185,31 +190,3 @@ func TestAccCloudIngestionAssetsDataSource(t *testing.T) {
 		},
 	})
 }
-
-func TestAccTrustedCloudRegulationAssetsDataSource(t *testing.T) {
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck: func() {
-			if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
-				t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests")
-			}
-		},
-		ProviderFactories: map[string]func() (*schema.Provider, error){
-			"sysdig": func() (*schema.Provider, error) {
-				return sysdig.Provider(), nil
-			},
-		},
-		Steps: []resource.TestStep{
-			{
-				Config:      `data "sysdig_secure_trusted_cloud_regulation_assets" "trusted_identity_gov" {	cloud_provider = "invalid" }`,
-				ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
-			},
-			{
-				Config: `data "sysdig_secure_trusted_cloud_regulation_assets" "trusted_identity_gov" {	cloud_provider = "aws" }`,
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("data.sysdig_secure_trusted_cloud_regulation_assets.trusted_identity_gov", "cloud_provider", "aws"),
-					// not asserting the exported fields because not every backend environment is gov supported and will have non-empty values returned
-				),
-			},
-		},
-	})
-}
diff --git a/sysdig/provider.go b/sysdig/provider.go
@@ -202,7 +202,6 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_secure_cloud_ingestion_assets":                        dataSourceSysdigSecureCloudIngestionAssets(),
 			"sysdig_secure_trusted_azure_app":                             dataSourceSysdigSecureTrustedAzureApp(),
 			"sysdig_secure_trusted_cloud_identity":                        dataSourceSysdigSecureTrustedCloudIdentity(),
-			"sysdig_secure_trusted_cloud_regulation_assets":               dataSourceSysdigSecureTrustedCloudRegulationAssets(),
 			"sysdig_secure_tenant_external_id":                            dataSourceSysdigSecureTenantExternalID(),
 			"sysdig_secure_notification_channel":                          dataSourceSysdigSecureNotificationChannel(),
 			"sysdig_secure_notification_channel_pagerduty":                dataSourceSysdigSecureNotificationChannelPagerduty(),

diff --git a/website/docs/d/secure_trusted_cloud_identity.md b/website/docs/d/secure_trusted_cloud_identity.md
@@ -39,3 +39,8 @@ In addition to all arguments above, the following attributes are exported:
 
 * `azure_service_principal_id` - If `identity` contains credentials for an Azure Service Principal, this attribute contains the service principal's ID. `cloud_provider` must be equal to `azure`.
 
+* `gov_identity` - Sysdig's identity for regulatory workloads (User/Role/etc) that should be used to create a trust relationship allowing Sysdig access to your regulated cloud account. Currently supported on `aws`.
+
+* `aws_gov_account_id` - If `gov_identity` is an AWS GOV IAM Role ARN, this attribute contains the AWS GOV Account ID to which the ARN belongs, otherwise it contains the empty string. Currently supported on `aws`.
+
+* `aws_gov_role_name` - If `gov_identity` is a AWS GOV IAM Role ARN, this attribute contains the name of the GOV role, otherwise it contains the empty string. Currently supported on `aws`.
diff --git a/website/docs/d/secure_trusted_cloud_regulation_assets.md b/website/docs/d/secure_trusted_cloud_regulation_assets.md