From eb803c0fa16ab109486f639193e02b3e13830253 Mon Sep 17 00:00:00 2001
From: Ravina Dhruve
Date: Fri, 25 Oct 2024 15:47:54 -0700
Subject: [PATCH] Merge and use a single datasource
---
 .../data_source_sysdig_secure_onboarding.go | 125 ++++++++----------
 ...ta_source_sysdig_secure_onboarding_test.go | 33 +----
 sysdig/provider.go | 1 -
 .../docs/d/secure_trusted_cloud_identity.md | 5 +
 .../secure_trusted_cloud_regulation_assets.md | 37 ------
 5 files changed, 65 insertions(+), 136 deletions(-)
 delete mode 100644 website/docs/d/secure_trusted_cloud_regulation_assets.md
diff --git a/sysdig/data_source_sysdig_secure_onboarding.go b/sysdig/data_source_sysdig_secure_onboarding.go
index f2752d80..c13195d0 100644
--- a/sysdig/data_source_sysdig_secure_onboarding.go
+++ b/sysdig/data_source_sysdig_secure_onboarding.go
@@ -54,6 +54,18 @@ func dataSourceSysdigSecureTrustedCloudIdentity() *schema.Resource {
 Type: schema.TypeString,
 Computed: true,
 },
+ "gov_identity": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "aws_gov_account_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "aws_gov_role_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
 },
 }
 }
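Review bot: The three new Computed attributes are only populated when cloud_provider is "aws" (the read hunk below fetches the regulation assets under that guard and sets them only in the aws case), but nothing at the schema says so, leaving gcp and azure users to wonder why they are always empty. A comment above the gov_identity entry would make that explicit: `// gov_identity and aws_gov_* are only populated for cloud_provider = "aws"; other providers leave them empty`. dataSourceSysdigSecureTrustedCloudIdentity starts outside the hunk.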
@@ -65,18 +77,55 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 return diag.FromErr(err)
 }
+ // get trusted identity for commercial backend
 identity, err := client.GetTrustedCloudIdentitySecure(ctx, d.Get("cloud_provider").(string))
 if err != nil {
 return diag.FromErr(err)
 }
+ // get trusted identity for regulatory backend, such as govcloud
+ // XXX: only supported for aws currently. update when supported for other providers
+ var trustedRegulation map[string]string
+ if d.Get("cloud_provider").(string) == "aws" {
+ trustedRegulation, err = client.GetTrustedCloudRegulationAssetsSecure(ctx, d.Get("cloud_provider").(string))
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ }
+
 d.SetId(identity)
- _ = d.Set("identity", identity)
 provider := d.Get("cloud_provider")
 switch provider {
- case "aws", "gcp":
- // If identity is an ARN, attempt to extract certain fields
+ case "aws":
+ // set the commercial identity
+ _ = d.Set("identity", identity)
+ // if identity is an ARN, attempt to extract certain fields
+ parsedArn, err := arn.Parse(identity)
+ if err == nil {
+ _ = d.Set("aws_account_id", parsedArn.AccountID)
+ if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+ _ = d.Set("aws_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+ }
+ }
+
+ // set the gov regulation based identity (only supported for aws currently)
+ err = d.Set("gov_identity", trustedRegulation["trustedIdentityGov"])
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ // if identity is an ARN, attempt to extract certain fields
+ parsedArn, err = arn.Parse(trustedRegulation["trustedIdentityGov"])
+ if err == nil {
+ _ = d.Set("aws_gov_account_id", parsedArn.AccountID)
+ if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+ _ = d.Set("aws_gov_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+ }
+ }
+ case "gcp":
+ // set the commercial identity
+ _ = d.Set("identity", identity)
+ //
if identity is an ARN, attempt to extract certain fields
 parsedArn, err := arn.Parse(identity)
 if err == nil {
 _ = d.Set("aws_account_id", parsedArn.AccountID)
@@ -85,7 +134,9 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 }
 }
 case "azure":
- // If identity is an Azure tenantID/clientID, separate into each part
+ // set the commercial identity
+ _ = d.Set("identity", identity)
+ // if identity is an Azure tenantID/clientID, separate into each part
 tenantID, spID, err := parseAzureCreds(identity)
 if err == nil {
 _ = d.Set("azure_tenant_id", tenantID)
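Review bot: With cloud_provider = "aws" the read now aborts on any error from the new GetTrustedCloudRegulationAssetsSecure call before d.SetId and the commercial identity are stored, so on a backend without gov support (the test file's own comment says not every environment has it) the previously working aws_account_id/aws_role_name path would break if that endpoint errors rather than returning empty values — worth confirming against the API, and if it can error, consider reporting a diag warning and leaving gov_identity empty instead of failing the whole read. The ARN-to-account/role extraction is also written out three times (commercial aws, gov aws, gcp) differing only in the attribute keys; a small helper keeps them in step and is sketched below, though it drops the lone error check on d.Set("gov_identity") to match the other `_ = d.Set(...)` calls, so keep that check if it is deliberate. The provider value is re-read via d.Get("cloud_provider").(string) three times before provider is declared; hoisting `provider := d.Get("cloud_provider").(string)` above the lookups lets the gov guard and the switch share it. The enclosing function starts and ends outside the hunk.
```go
// setAWSIdentityAttrs stores identity under identityKey and, when identity is an
// IAM role ARN, its account ID and role name under accountKey and roleKey.
// Non-ARN identities leave accountKey/roleKey untouched, as the inline code does today.
func setAWSIdentityAttrs(d *schema.ResourceData, identity, identityKey, accountKey, roleKey string) {
	_ = d.Set(identityKey, identity)
	parsedArn, err := arn.Parse(identity)
	if err != nil {
		return
	}
	_ = d.Set(accountKey, parsedArn.AccountID)
	if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
		_ = d.Set(roleKey, strings.TrimPrefix(parsedArn.Resource, "role/"))
	}
}

// … unchanged: client lookups and d.SetId in dataSourceSysdigSecureTrustedCloudIdentityRead …
	case "aws":
		setAWSIdentityAttrs(d, identity, "identity", "aws_account_id", "aws_role_name")
		// gov identity is only returned for aws; empty when the backend has no gov support
		setAWSIdentityAttrs(d, trustedRegulation["trustedIdentityGov"], "gov_identity", "aws_gov_account_id", "aws_gov_role_name")
	case "gcp":
		setAWSIdentityAttrs(d, identity, "identity", "aws_account_id", "aws_role_name")
```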
@@ -348,72 +399,6 @@ func dataSourceSysdigSecureCloudIngestionAssetsRead(ctx context.Context, d *sche
 return nil
 }
-func dataSourceSysdigSecureTrustedCloudRegulationAssets() *schema.Resource {
- timeout := 5 * time.Minute
-
- return &schema.Resource{
- ReadContext: dataSourceSysdigSecureTrustedCloudRegulationAssetsRead,
-
- Timeouts: &schema.ResourceTimeout{
- Read: schema.DefaultTimeout(timeout),
- },
-
- Schema: map[string]*schema.Schema{
- "cloud_provider": {
- Type: schema.TypeString,
- Required: true,
- ValidateFunc: validation.StringInSlice([]string{"aws"}, false),
- },
- "gov_identity": {
- Type: schema.TypeString,
- Computed: true,
- },
- "aws_gov_account_id": {
- Type: schema.TypeString,
- Computed: true,
- },
- "aws_gov_role_name": {
- Type: schema.TypeString,
- Computed: true,
- },
- },
- }
-}
-
-// Retrieves the information of a resource form the file and loads it in Terraform
-func dataSourceSysdigSecureTrustedCloudRegulationAssetsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client, err := getSecureOnboardingClient(meta.(SysdigClients))
- if err != nil {
- return diag.FromErr(err)
- }
-
- trustedRegulation, err := client.GetTrustedCloudRegulationAssetsSecure(ctx, d.Get("cloud_provider").(string))
- if err != nil {
- return diag.FromErr(err)
- }
-
- provider := d.Get("cloud_provider")
- d.SetId(fmt.Sprintf("%s_trusted_regulation_assets", provider.(string)))
-
- switch provider {
- case "aws":
- // set the gov regulation based identity
- err = d.Set("gov_identity", trustedRegulation["trustedIdentityGov"])
- if err != nil {
- return diag.FromErr(err)
- }
- // If identity is an ARN, attempt to extract certain fields
- parsedArn, err := arn.Parse(trustedRegulation["trustedIdentityGov"])
- if err == nil {
- _ = d.Set("aws_gov_account_id", parsedArn.AccountID)
- if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
- _ = d.Set("aws_gov_role_name", strings.TrimPrefix(parsedArn.Resource,
"role/"))
- }
- }
- }
- return nil
-}
-
 var matchFirstCap = regexp.MustCompile("(.)([A-Z][a-z]+)")
 var matchAllCap = regexp.MustCompile("([a-z0-9])([A-Z])")
diff --git a/sysdig/data_source_sysdig_secure_onboarding_test.go b/sysdig/data_source_sysdig_secure_onboarding_test.go
index 8eb948b4..3183d5f6 100644
--- a/sysdig/data_source_sysdig_secure_onboarding_test.go
+++ b/sysdig/data_source_sysdig_secure_onboarding_test.go
@@ -26,12 +26,17 @@ func TestAccTrustedCloudIdentityDataSource(t *testing.T) {
 },
 },
 Steps: []resource.TestStep{
+ {
+ Config: `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { cloud_provider = "invalid" }`,
+ ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
+ },
 {
 Config: `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { cloud_provider = "aws" }`,
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "cloud_provider", "aws"),
 resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_account_id"),
 resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_role_name"),
+ // not asserting the gov exported fields because not every backend environment is gov supported and will have non-empty values returned
 ),
 },
 {
@@ -185,31 +190,3 @@ func TestAccCloudIngestionAssetsDataSource(t *testing.T) {
 },
 })
 }
-
-func TestAccTrustedCloudRegulationAssetsDataSource(t *testing.T) {
- resource.ParallelTest(t, resource.TestCase{
- PreCheck: func() {
- if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
- t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests")
- }
- },
- ProviderFactories: map[string]func() (*schema.Provider, error){
- "sysdig": func() (*schema.Provider, error) {
- return sysdig.Provider(), nil
- },
- },
- Steps: []resource.TestStep{
- {
- Config: `data "sysdig_secure_trusted_cloud_regulation_assets" "trusted_identity_gov" { cloud_provider = "invalid" }`,
- ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
- },
- {
- Config: `data "sysdig_secure_trusted_cloud_regulation_assets" "trusted_identity_gov" { cloud_provider = "aws" }`,
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr("data.sysdig_secure_trusted_cloud_regulation_assets.trusted_identity_gov", "cloud_provider", "aws"),
- // not asserting the exported fields because not every backend environment is gov supported and will have non-empty values returned
- ),
- },
- },
- })
-}
diff --git a/sysdig/provider.go b/sysdig/provider.go
index 125d52bb..3b2fa2a0 100644
--- a/sysdig/provider.go
+++ b/sysdig/provider.go
@@ -202,7 +202,6 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 "sysdig_secure_cloud_ingestion_assets": dataSourceSysdigSecureCloudIngestionAssets(),
 "sysdig_secure_trusted_azure_app": dataSourceSysdigSecureTrustedAzureApp(),
 "sysdig_secure_trusted_cloud_identity": dataSourceSysdigSecureTrustedCloudIdentity(),
- "sysdig_secure_trusted_cloud_regulation_assets": dataSourceSysdigSecureTrustedCloudRegulationAssets(),
 "sysdig_secure_tenant_external_id": dataSourceSysdigSecureTenantExternalID(),
 "sysdig_secure_notification_channel": dataSourceSysdigSecureNotificationChannel(),
 "sysdig_secure_notification_channel_pagerduty": dataSourceSysdigSecureNotificationChannelPagerduty(),
diff --git a/website/docs/d/secure_trusted_cloud_identity.md b/website/docs/d/secure_trusted_cloud_identity.md
index c81772b0..04f13085 100644
--- a/website/docs/d/secure_trusted_cloud_identity.md
+++ b/website/docs/d/secure_trusted_cloud_identity.md
@@ -39,3 +39,8 @@ In addition to all arguments above, the following attributes are exported:
 * `azure_service_principal_id` - If `identity` contains credentials for an Azure Service Principal, this attribute contains the service principal's ID. `cloud_provider` must be equal to `azure`.
+* `gov_identity` - Sysdig's identity for regulatory workloads (User/Role/etc) that should be used to create a trust relationship allowing Sysdig access to your regulated cloud account. Currently supported on `aws`.
+
+* `aws_gov_account_id` - If `gov_identity` is an AWS GOV IAM Role ARN, this attribute contains the AWS GOV Account ID to which the ARN belongs, otherwise it contains the empty string. Currently supported on `aws`.
+
+* `aws_gov_role_name` - If `gov_identity` is a AWS GOV IAM Role ARN, this attribute contains the name of the GOV role, otherwise it contains the empty string. Currently supported on `aws`.
diff --git a/website/docs/d/secure_trusted_cloud_regulation_assets.md b/website/docs/d/secure_trusted_cloud_regulation_assets.md
deleted file mode 100644
index d9013f2a..00000000
--- a/website/docs/d/secure_trusted_cloud_regulation_assets.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-subcategory: "Sysdig Secure"
-layout: "sysdig"
-page_title: "Sysdig: sysdig_secure_trusted_cloud_regulation_assets"
-description: |-
- Retrieves information about the Sysdig Secure Trusted Cloud Regulation Assets
----
-
-# Data Source: sysdig_secure_trusted_cloud_regulation_assets
-
-Retrieves information about the Sysdig Secure Trusted Cloud Regulation Assets
-
--> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
-
-## Example Usage
-
-```terraform
-data "sysdig_secure_trusted_cloud_regulation_assets" "trusted_identity_gov" {
- cloud_provider = "aws"
-}
-```
-
-## Argument Reference
-
-* `cloud_provider` - (Required) The cloud provider in which the trusted identity for regulatory workloads will be used. Currently supported providers are `aws`
-
-
-## Attributes Reference
-
-In addition to all arguments above, the following attributes are exported:
-
-* `gov_identity` - Sysdig's identity for regulatory workloads (User/Role/etc) that should be used to create a trust relationship allowing Sysdig access to your regulated cloud account.
-
-* `aws_gov_account_id` - If `gov_identity` is an AWS GOV ARN, this attribute contains the AWS GOV Account ID to which the ARN belongs, otherwise it contains the empty string. `cloud_provider` must be equal to `aws`.
-
-* `aws_gov_role_name` - If `gov_identity` is a AWS GOV IAM Role ARN, this attribute contains the name of the GOV role, otherwise it contains the empty string. `cloud_provider` must be equal to `aws`.
-