feat(iam): add iam policy resource (#1344)

Co-authored-by: Rémy Léone <[email protected]>

Author: Codelax

scaleway/helpers_iam.go

@@ -1,9 +1,61 @@
 package scaleway
 
-import iam "github.com/scaleway/scaleway-sdk-go/api/iam/v1alpha1"
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	iam "github.com/scaleway/scaleway-sdk-go/api/iam/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+)
 
 // instanceAPIWithZone returns a new iam API for a Create request
 func iamAPI(m interface{}) *iam.API {
 	meta := m.(*Meta)
 	return iam.NewAPI(meta.scwClient)
 }
+
+func expandPermissionSetNames(rawPermissions interface{}) *[]string {
+	permissions := []string{}
+	permissionSet := rawPermissions.(*schema.Set)
+	for _, rawPermission := range permissionSet.List() {
+		permissions = append(permissions, rawPermission.(string))
+	}
+	return &permissions
+}
+
+func expandPolicyRuleSpecs(d interface{}) []*iam.RuleSpecs {
+	rules := []*iam.RuleSpecs(nil)
+	rawRules := d.([]interface{})
+	for _, rawRule := range rawRules {
+		mapRule := rawRule.(map[string]interface{})
+		rule := &iam.RuleSpecs{
+			PermissionSetNames: expandPermissionSetNames(mapRule["permission_set_names"]),
+		}
+		if orgID, orgIDExists := mapRule["organization_id"]; orgIDExists && orgID.(string) != "" {
+			rule.OrganizationID = scw.StringPtr(orgID.(string))
+		}
+		if projIDs, projIDsExists := mapRule["project_ids"]; projIDsExists {
+			rule.ProjectIDs = expandStringsPtr(projIDs)
+		}
+		rules = append(rules, rule)
+	}
+	return rules
+}
+
+func flattenPolicyRules(rules []*iam.Rule) interface{} {
+	rawRules := []interface{}(nil)
+	for _, rule := range rules {
+		rawRule := map[string]interface{}{}
+		if rule.OrganizationID != nil {
+			rawRule["organization_id"] = flattenStringPtr(rule.OrganizationID)
+		} else {
+			rawRule["organization_id"] = nil
+		}
+		if rule.ProjectIDs != nil {
+			rawRule["project_ids"] = flattenSliceString(*rule.ProjectIDs)
+		}
+		if rule.PermissionSetNames != nil {
+			rawRule["permission_set_names"] = flattenSliceString(*rule.PermissionSetNames)
+		}
+		rawRules = append(rawRules, rawRule)
+	}
+	return rawRules
+}

scaleway/provider.go

@@ -35,6 +35,7 @@ func addBetaResources(provider *schema.Provider) {
 		"scaleway_iam_api_key":     resourceScalewayIamAPIKey(),
 		"scaleway_iam_application": resourceScalewayIamApplication(),
 		"scaleway_iam_group":       resourceScalewayIamGroup(),
+		"scaleway_iam_policy":      resourceScalewayIamPolicy(),
 		"scaleway_iam_ssh_key":     resourceScalewayIamSSKKey(),
 	}
 	betaDataSources := map[string]*schema.Resource{

scaleway/resource_iam_policy.go

@@ -0,0 +1,235 @@
+package scaleway
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	iam "github.com/scaleway/scaleway-sdk-go/api/iam/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+)
+
+func resourceScalewayIamPolicy() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceScalewayIamPolicyCreate,
+		ReadContext:   resourceScalewayIamPolicyRead,
+		UpdateContext: resourceScalewayIamPolicyUpdate,
+		DeleteContext: resourceScalewayIamPolicyDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		SchemaVersion: 0,
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Optional:    true,
+				Description: "The name of the iam policy",
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The description of the iam policy",
+			},
+			"created_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The date and time of the creation of the policy",
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The date and time of the last update of the policy",
+			},
+			"editable": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Whether or not the policy is editable.",
+			},
+			"organization_id": organizationIDSchema(),
+			"user_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "User id",
+				ExactlyOneOf: []string{"group_id", "application_id", "no_principal"},
+			},
+			"group_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Group id",
+				ExactlyOneOf: []string{"user_id", "application_id", "no_principal"},
+			},
+			"application_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Application id",
+				ExactlyOneOf: []string{"user_id", "group_id", "no_principal"},
+			},
+			"no_principal": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				Description:  "Application id",
+				ExactlyOneOf: []string{"user_id", "group_id", "application_id"},
+			},
+			"rule": {
+				Type:        schema.TypeList,
+				Required:    true,
+				Description: "Rules of the policy to create",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"organization_id": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "ID of organization scoped to the rule. Only one of project_ids and organization_id may be set.",
+						},
+						"project_ids": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: "List of project IDs scoped to the rule. Only one of project_ids and organization_id may be set.",
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"permission_set_names": {
+							Type:        schema.TypeSet,
+							Required:    true,
+							Description: "Names of permission sets bound to the rule.",
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceScalewayIamPolicyCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := iamAPI(meta)
+	pol, err := api.CreatePolicy(&iam.CreatePolicyRequest{
+		Name:          expandOrGenerateString(d.Get("name"), "policy-"),
+		Description:   d.Get("description").(string),
+		Rules:         expandPolicyRuleSpecs(d.Get("rule")),
+		UserID:        expandStringPtr(d.Get("user_id")),
+		GroupID:       expandStringPtr(d.Get("group_id")),
+		ApplicationID: expandStringPtr(d.Get("application_id")),
+		NoPrincipal:   expandBoolPtr(d.Get("no_principal")),
+	}, scw.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(pol.ID)
+
+	return resourceScalewayIamPolicyRead(ctx, d, meta)
+}
+
+func resourceScalewayIamPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := iamAPI(meta)
+	pol, err := api.GetPolicy(&iam.GetPolicyRequest{
+		PolicyID: d.Id(),
+	}, scw.WithContext(ctx))
+	if err != nil {
+		if is404Error(err) {
+			d.SetId("")
+			return nil
+		}
+		return diag.FromErr(err)
+	}
+	_ = d.Set("name", pol.Name)
+	_ = d.Set("description", pol.Description)
+	_ = d.Set("created_at", flattenTime(pol.CreatedAt))
+	_ = d.Set("updated_at", flattenTime(pol.UpdatedAt))
+	_ = d.Set("organization_id", pol.OrganizationID)
+	_ = d.Set("editable", pol.Editable)
+
+	if pol.UserID != nil {
+		_ = d.Set("user_id", flattenStringPtr(pol.UserID))
+	}
+	if pol.GroupID != nil {
+		_ = d.Set("group_id", flattenStringPtr(pol.GroupID))
+	}
+	if pol.ApplicationID != nil {
+		_ = d.Set("application_id", flattenStringPtr(pol.ApplicationID))
+	}
+	_ = d.Set("no_principal", flattenBoolPtr(pol.NoPrincipal))
+
+	listRules, err := api.ListRules(&iam.ListRulesRequest{
+		PolicyID: &pol.ID,
+	})
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to list policy's rules: %w", err))
+	}
+
+	_ = d.Set("rule", flattenPolicyRules(listRules.Rules))
+
+	return nil
+}
+
+func resourceScalewayIamPolicyUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := iamAPI(meta)
+
+	req := &iam.UpdatePolicyRequest{
+		PolicyID: d.Id(),
+	}
+
+	hasUpdated := false
+
+	if d.HasChange("name") {
+		hasUpdated = true
+		req.Name = expandStringPtr(d.Get("name"))
+	}
+	if d.HasChange("description") {
+		hasUpdated = true
+		req.Description = expandStringPtr(d.Get("description"))
+	}
+	if d.HasChange("user_id") {
+		hasUpdated = true
+		req.UserID = expandStringPtr(d.Get("user_id"))
+	}
+	if d.HasChange("group_id") {
+		hasUpdated = true
+		req.UserID = expandStringPtr(d.Get("group_id"))
+	}
+	if d.HasChange("application_id") {
+		hasUpdated = true
+		req.UserID = expandStringPtr(d.Get("application_id"))
+	}
+	if hasUpdated {
+		_, err := api.UpdatePolicy(req, scw.WithContext(ctx))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
+	if d.HasChange("rule") {
+		_, err := api.SetRules(&iam.SetRulesRequest{
+			PolicyID: d.Id(),
+			Rules:    expandPolicyRuleSpecs(d.Get("rule")),
+		})
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
+	return resourceScalewayIamPolicyRead(ctx, d, meta)
+}
+
+func resourceScalewayIamPolicyDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := iamAPI(meta)
+
+	err := api.DeletePolicy(&iam.DeletePolicyRequest{
+		PolicyID: d.Id(),
+	}, scw.WithContext(ctx))
+	if err != nil {
+		if is404Error(err) {
+			d.SetId("")
+			return nil
+		}
+		return diag.FromErr(err)
+	}
+
+	return nil
+}