sysdiglabs
diff --git a/‎sysdig/internal/client/v2/sso_openid.go‎
Lines changed: 41 additions & 20 deletions b/‎sysdig/internal/client/v2/sso_openid.go‎
Lines changed: 41 additions & 20 deletions
diff --git a/‎sysdig/internal/client/v2/sso_saml.go‎
Lines changed: 41 additions & 20 deletions b/‎sysdig/internal/client/v2/sso_saml.go‎
Lines changed: 41 additions & 20 deletions
diff --git a/‎sysdig/resource_sysdig_sso_openid.go‎
Lines changed: 35 additions & 6 deletions b/‎sysdig/resource_sysdig_sso_openid.go‎
Lines changed: 35 additions & 6 deletions
@@ -14,23 +14,28 @@ const (
 	getSSOOpenIDPath    = "%s/platform/v1/sso-settings/%d"
 	updateSSOOpenIDPath = "%s/platform/v1/sso-settings/%d"
 	deleteSSOOpenIDPath = "%s/platform/v1/sso-settings/%d"
+
+	createSystemSSOOpenIDPath = "%s/platform/v1/system-sso-settings/"
+	getSystemSSOOpenIDPath    = "%s/platform/v1/system-sso-settings/%d"
+	updateSystemSSOOpenIDPath = "%s/platform/v1/system-sso-settings/%d"
+	deleteSystemSSOOpenIDPath = "%s/platform/v1/system-sso-settings/%d"
 )
 
 type SSOOpenIDInterface interface {
 	Base
-	CreateSSOOpenID(ctx context.Context, sso *SSOOpenID) (*SSOOpenID, error)
-	GetSSOOpenID(ctx context.Context, id int) (*SSOOpenID, error)
-	UpdateSSOOpenID(ctx context.Context, id int, sso *SSOOpenID) (*SSOOpenID, error)
-	DeleteSSOOpenID(ctx context.Context, id int) error
+	CreateSSOOpenID(ctx context.Context, isSystem bool, sso *SSOOpenID) (*SSOOpenID, error)
+	GetSSOOpenID(ctx context.Context, isSystem bool, id int) (*SSOOpenID, error)
+	UpdateSSOOpenID(ctx context.Context, isSystem bool, id int, sso *SSOOpenID) (*SSOOpenID, error)
+	DeleteSSOOpenID(ctx context.Context, isSystem bool, id int) error
 }
 
-func (c *Client) CreateSSOOpenID(ctx context.Context, sso *SSOOpenID) (result *SSOOpenID, err error) {
+func (c *Client) CreateSSOOpenID(ctx context.Context, isSystem bool, sso *SSOOpenID) (result *SSOOpenID, err error) {
 	payload, err := Marshal(sso)
 	if err != nil {
 		return nil, err
 	}
 
-	response, err := c.requester.Request(ctx, http.MethodPost, c.createSSOOpenIDURL(), payload)
+	response, err := c.requester.Request(ctx, http.MethodPost, c.createSSOOpenIDURL(isSystem), payload)
 	if err != nil {
 		return nil, err
 	}
@@ -47,8 +52,8 @@ func (c *Client) CreateSSOOpenID(ctx context.Context, sso *SSOOpenID) (result *S
 	return Unmarshal[*SSOOpenID](response.Body)
 }
 
-func (c *Client) GetSSOOpenID(ctx context.Context, id int) (result *SSOOpenID, err error) {
-	response, err := c.requester.Request(ctx, http.MethodGet, c.getSSOOpenIDURL(id), nil)
+func (c *Client) GetSSOOpenID(ctx context.Context, isSystem bool, id int) (result *SSOOpenID, err error) {
+	response, err := c.requester.Request(ctx, http.MethodGet, c.getSSOOpenIDURL(isSystem, id), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -68,13 +73,13 @@ func (c *Client) GetSSOOpenID(ctx context.Context, id int) (result *SSOOpenID, e
 	return Unmarshal[*SSOOpenID](response.Body)
 }
 
-func (c *Client) UpdateSSOOpenID(ctx context.Context, id int, sso *SSOOpenID) (result *SSOOpenID, err error) {
+func (c *Client) UpdateSSOOpenID(ctx context.Context, isSystem bool, id int, sso *SSOOpenID) (result *SSOOpenID, err error) {
 	payload, err := Marshal(sso)
 	if err != nil {
 		return nil, err
 	}
 
-	response, err := c.requester.Request(ctx, http.MethodPut, c.updateSSOOpenIDURL(id), payload)
+	response, err := c.requester.Request(ctx, http.MethodPut, c.updateSSOOpenIDURL(isSystem, id), payload)
 	if err != nil {
 		return nil, err
 	}
@@ -91,8 +96,8 @@ func (c *Client) UpdateSSOOpenID(ctx context.Context, id int, sso *SSOOpenID) (r
 	return Unmarshal[*SSOOpenID](response.Body)
 }
 
-func (c *Client) DeleteSSOOpenID(ctx context.Context, id int) (err error) {
-	response, err := c.requester.Request(ctx, http.MethodDelete, c.deleteSSOOpenIDURL(id), nil)
+func (c *Client) DeleteSSOOpenID(ctx context.Context, isSystem bool, id int) (err error) {
+	response, err := c.requester.Request(ctx, http.MethodDelete, c.deleteSSOOpenIDURL(isSystem, id), nil)
 	if err != nil {
 		return err
 	}
@@ -109,18 +114,34 @@ func (c *Client) DeleteSSOOpenID(ctx context.Context, id int) (err error) {
 	return nil
 }
 
-func (c *Client) createSSOOpenIDURL() string {
-	return fmt.Sprintf(createSSOOpenIDPath, c.config.url)
+func (c *Client) createSSOOpenIDURL(isSystem bool) string {
+	path := createSSOOpenIDPath
+	if isSystem {
+		path = createSystemSSOOpenIDPath
+	}
+	return fmt.Sprintf(path, c.config.url)
 }
 
-func (c *Client) getSSOOpenIDURL(id int) string {
-	return fmt.Sprintf(getSSOOpenIDPath, c.config.url, id)
+func (c *Client) getSSOOpenIDURL(isSystem bool, id int) string {
+	path := getSSOOpenIDPath
+	if isSystem {
+		path = getSystemSSOOpenIDPath
+	}
+	return fmt.Sprintf(path, c.config.url, id)
 }
 
-func (c *Client) updateSSOOpenIDURL(id int) string {
-	return fmt.Sprintf(updateSSOOpenIDPath, c.config.url, id)
+func (c *Client) updateSSOOpenIDURL(isSystem bool, id int) string {
+	path := updateSSOOpenIDPath
+	if isSystem {
+		path = updateSystemSSOOpenIDPath
+	}
+	return fmt.Sprintf(path, c.config.url, id)
 }
 
-func (c *Client) deleteSSOOpenIDURL(id int) string {
-	return fmt.Sprintf(deleteSSOOpenIDPath, c.config.url, id)
+func (c *Client) deleteSSOOpenIDURL(isSystem bool, id int) string {
+	path := deleteSSOOpenIDPath
+	if isSystem {
+		path = deleteSystemSSOOpenIDPath
+	}
+	return fmt.Sprintf(path, c.config.url, id)
 }
@@ -14,23 +14,28 @@ const (
 	getSSOSamlPath    = "%s/platform/v1/sso-settings/%d"
 	updateSSOSamlPath = "%s/platform/v1/sso-settings/%d"
 	deleteSSOSamlPath = "%s/platform/v1/sso-settings/%d"
+
+	createSystemSSOSamlPath = "%s/platform/v1/system-sso-settings/"
+	getSystemSSOSamlPath    = "%s/platform/v1/system-sso-settings/%d"
+	updateSystemSSOSamlPath = "%s/platform/v1/system-sso-settings/%d"
+	deleteSystemSSOSamlPath = "%s/platform/v1/system-sso-settings/%d"
 )
 
 type SSOSamlInterface interface {
 	Base
-	CreateSSOSaml(ctx context.Context, sso *SSOSaml) (*SSOSaml, error)
-	GetSSOSaml(ctx context.Context, id int) (*SSOSaml, error)
-	UpdateSSOSaml(ctx context.Context, id int, sso *SSOSaml) (*SSOSaml, error)
-	DeleteSSOSaml(ctx context.Context, id int) error
+	CreateSSOSaml(ctx context.Context, isSystem bool, sso *SSOSaml) (*SSOSaml, error)
+	GetSSOSaml(ctx context.Context, isSystem bool, id int) (*SSOSaml, error)
+	UpdateSSOSaml(ctx context.Context, isSystem bool, id int, sso *SSOSaml) (*SSOSaml, error)
+	DeleteSSOSaml(ctx context.Context, isSystem bool, id int) error
 }
 
-func (c *Client) CreateSSOSaml(ctx context.Context, sso *SSOSaml) (result *SSOSaml, err error) {
+func (c *Client) CreateSSOSaml(ctx context.Context, isSystem bool, sso *SSOSaml) (result *SSOSaml, err error) {
 	payload, err := Marshal(sso)
 	if err != nil {
 		return nil, err
 	}
 
-	response, err := c.requester.Request(ctx, http.MethodPost, c.createSSOSamlURL(), payload)
+	response, err := c.requester.Request(ctx, http.MethodPost, c.createSSOSamlURL(isSystem), payload)
 	if err != nil {
 		return nil, err
 	}
@@ -47,8 +52,8 @@ func (c *Client) CreateSSOSaml(ctx context.Context, sso *SSOSaml) (result *SSOSa
 	return Unmarshal[*SSOSaml](response.Body)
 }
 
-func (c *Client) GetSSOSaml(ctx context.Context, id int) (result *SSOSaml, err error) {
-	response, err := c.requester.Request(ctx, http.MethodGet, c.getSSOSamlURL(id), nil)
+func (c *Client) GetSSOSaml(ctx context.Context, isSystem bool, id int) (result *SSOSaml, err error) {
+	response, err := c.requester.Request(ctx, http.MethodGet, c.getSSOSamlURL(isSystem, id), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -68,13 +73,13 @@ func (c *Client) GetSSOSaml(ctx context.Context, id int) (result *SSOSaml, err e
 	return Unmarshal[*SSOSaml](response.Body)
 }
 
-func (c *Client) UpdateSSOSaml(ctx context.Context, id int, sso *SSOSaml) (result *SSOSaml, err error) {
+func (c *Client) UpdateSSOSaml(ctx context.Context, isSystem bool, id int, sso *SSOSaml) (result *SSOSaml, err error) {
 	payload, err := Marshal(sso)
 	if err != nil {
 		return nil, err
 	}
 
-	response, err := c.requester.Request(ctx, http.MethodPut, c.updateSSOSamlURL(id), payload)
+	response, err := c.requester.Request(ctx, http.MethodPut, c.updateSSOSamlURL(isSystem, id), payload)
 	if err != nil {
 		return nil, err
 	}
@@ -91,8 +96,8 @@ func (c *Client) UpdateSSOSaml(ctx context.Context, id int, sso *SSOSaml) (resul
 	return Unmarshal[*SSOSaml](response.Body)
 }
 
-func (c *Client) DeleteSSOSaml(ctx context.Context, id int) (err error) {
-	response, err := c.requester.Request(ctx, http.MethodDelete, c.deleteSSOSamlURL(id), nil)
+func (c *Client) DeleteSSOSaml(ctx context.Context, isSystem bool, id int) (err error) {
+	response, err := c.requester.Request(ctx, http.MethodDelete, c.deleteSSOSamlURL(isSystem, id), nil)
 	if err != nil {
 		return err
 	}
@@ -109,18 +114,34 @@ func (c *Client) DeleteSSOSaml(ctx context.Context, id int) (err error) {
 	return nil
 }
 
-func (c *Client) createSSOSamlURL() string {
-	return fmt.Sprintf(createSSOSamlPath, c.config.url)
+func (c *Client) createSSOSamlURL(isSystem bool) string {
+	path := createSSOSamlPath
+	if isSystem {
+		path = createSystemSSOSamlPath
+	}
+	return fmt.Sprintf(path, c.config.url)
 }
 
-func (c *Client) getSSOSamlURL(id int) string {
-	return fmt.Sprintf(getSSOSamlPath, c.config.url, id)
+func (c *Client) getSSOSamlURL(isSystem bool, id int) string {
+	path := getSSOSamlPath
+	if isSystem {
+		path = getSystemSSOSamlPath
+	}
+	return fmt.Sprintf(path, c.config.url, id)
 }
 
-func (c *Client) updateSSOSamlURL(id int) string {
-	return fmt.Sprintf(updateSSOSamlPath, c.config.url, id)
+func (c *Client) updateSSOSamlURL(isSystem bool, id int) string {
+	path := updateSSOSamlPath
+	if isSystem {
+		path = updateSystemSSOSamlPath
+	}
+	return fmt.Sprintf(path, c.config.url, id)
 }
 
-func (c *Client) deleteSSOSamlURL(id int) string {
-	return fmt.Sprintf(deleteSSOSamlPath, c.config.url, id)
+func (c *Client) deleteSSOSamlURL(isSystem bool, id int) string {
+	path := deleteSSOSamlPath
+	if isSystem {
+		path = deleteSystemSSOSamlPath
+	}
+	return fmt.Sprintf(path, c.config.url, id)
 }
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
@@ -21,7 +22,7 @@ func resourceSysdigSSOOpenID() *schema.Resource {
 		UpdateContext: resourceSysdigSSOOpenIDUpdate,
 		DeleteContext: resourceSysdigSSOOpenIDDelete,
 		Importer: &schema.ResourceImporter{
-			StateContext: schema.ImportStatePassthroughContext,
+			StateContext: importSSOOpenIDState,
 		},
 		Timeouts: &schema.ResourceTimeout{
 			Create: schema.DefaultTimeout(timeout),
@@ -50,6 +51,13 @@ func resourceSysdigSSOOpenID() *schema.Resource {
 			},
 
 			// Optional base SSO fields
+			"is_system": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				ForceNew:    true,
+				Description: "Whether this is a system SSO configuration (Only applicable to on-prem installations)",
+			},
 			"product": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -185,6 +193,21 @@ func validateSSOOpenIDMetadata(_ context.Context, diff *schema.ResourceDiff, _ a
 	return nil
 }
 
+func importSSOOpenIDState(_ context.Context, d *schema.ResourceData, _ any) ([]*schema.ResourceData, error) {
+	importID := d.Id()
+	if strings.HasPrefix(importID, "system/") {
+		if err := d.Set("is_system", true); err != nil {
+			return nil, err
+		}
+		d.SetId(strings.TrimPrefix(importID, "system/"))
+	} else {
+		if err := d.Set("is_system", false); err != nil {
+			return nil, err
+		}
+	}
+	return []*schema.ResourceData{d}, nil
+}
+
 func resourceSysdigSSOOpenIDRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
 	client, err := m.(SysdigClients).sysdigCommonClientV2()
 	if err != nil {
@@ -196,7 +219,9 @@ func resourceSysdigSSOOpenIDRead(ctx context.Context, d *schema.ResourceData, m
 		return diag.FromErr(err)
 	}
 
-	sso, err := client.GetSSOOpenID(ctx, id)
+	isSystem := d.Get("is_system").(bool)
+
+	sso, err := client.GetSSOOpenID(ctx, isSystem, id)
 	if err != nil {
 		if err == v2.ErrSSOOpenIDNotFound {
 			d.SetId("")
@@ -214,9 +239,10 @@ func resourceSysdigSSOOpenIDCreate(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
+	isSystem := d.Get("is_system").(bool)
 	sso := ssoOpenIDFromResourceData(d)
 
-	created, err := client.CreateSSOOpenID(ctx, sso)
+	created, err := client.CreateSSOOpenID(ctx, isSystem, sso)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -237,11 +263,12 @@ func resourceSysdigSSOOpenIDUpdate(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
+	isSystem := d.Get("is_system").(bool)
 	sso := ssoOpenIDFromResourceData(d)
 	sso.ID = id
 	sso.Version = d.Get("version").(int)
 
-	_, err = client.UpdateSSOOpenID(ctx, id, sso)
+	_, err = client.UpdateSSOOpenID(ctx, isSystem, id, sso)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -260,6 +287,8 @@ func resourceSysdigSSOOpenIDDelete(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
+	isSystem := d.Get("is_system").(bool)
+
 	// API requires disabling SSO config before deletion
 	// We need to build the object from ResourceData to include client_secret
 	// (which is not returned by GET but is required for PUT)
@@ -269,13 +298,13 @@ func resourceSysdigSSOOpenIDDelete(ctx context.Context, d *schema.ResourceData,
 		sso.Version = d.Get("version").(int)
 		sso.IsActive = false
 
-		_, err = client.UpdateSSOOpenID(ctx, id, sso)
+		_, err = client.UpdateSSOOpenID(ctx, isSystem, id, sso)
 		if err != nil {
 			return diag.Errorf("failed to disable SSO config before deletion: %s", err)
 		}
 	}
 
-	err = client.DeleteSSOOpenID(ctx, id)
+	err = client.DeleteSSOOpenID(ctx, isSystem, id)
 	if err != nil {
 		return diag.FromErr(err)
 	}