feat(platform): add sysdig_builtin_role data source (#718)

## Summary

Adds a read-only data source to retrieve the permissions of built-in
(OOTB) roles (View Only, Standard User, Advanced User, Team Manager) via
the `GET /platform/v1/default-roles/{name}` endpoint.

This allows users to reference built-in role permissions in their
Terraform configs, e.g. to compose custom roles based on a built-in
role's permission set.

```terraform
data "sysdig_builtin_role" "advanced_user" {
  name = "Advanced User"
}
```

Author: tembleking

sysdig/data_source_sysdig_builtin_role.go

@@ -0,0 +1,75 @@
+package sysdig
+
+import (
+	"context"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceSysdigBuiltinRole() *schema.Resource {
+	timeout := 5 * time.Minute
+
+	return &schema.Resource{
+		ReadContext: dataSourceSysdigBuiltinRoleRead,
+
+		Timeouts: &schema.ResourceTimeout{
+			Read: schema.DefaultTimeout(timeout),
+		},
+
+		Schema: map[string]*schema.Schema{
+			SchemaNameKey: {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			SchemaMonitorPermKey: {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			SchemaSecurePermKey: {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+		},
+	}
+}
+
+func dataSourceSysdigBuiltinRoleRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+	client, err := m.(SysdigClients).sysdigCommonClientV2()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	name := d.Get(SchemaNameKey).(string)
+
+	builtinRole, err := client.GetBuiltinRole(ctx, name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(name)
+
+	err = d.Set(SchemaNameKey, builtinRole.Name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaMonitorPermKey, builtinRole.MonitorPermissions)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaSecurePermKey, builtinRole.SecurePermissions)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

sysdig/data_source_sysdig_builtin_role_test.go

@@ -0,0 +1,44 @@
+//go:build tf_acc_sysdig_monitor || tf_acc_sysdig_secure || tf_acc_onprem_monitor || tf_acc_onprem_secure
+
+package sysdig_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccDataSourceSysdigBuiltinRole(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigMonitorApiTokenEnv, SysdigSecureApiTokenEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: `data "sysdig_builtin_role" "advanced" {
+  name = "Advanced User"
+}`,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.sysdig_builtin_role.advanced", "name", "Advanced User"),
+					// Verify both permission sets are non-empty
+					resource.TestCheckResourceAttrSet("data.sysdig_builtin_role.advanced", "monitor_permissions.#"),
+					resource.TestCheckResourceAttrSet("data.sysdig_builtin_role.advanced", "secure_permissions.#"),
+					// Verify well-known monitor permissions are present
+					resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "monitor_permissions.*", "alerts.read"),
+					resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "monitor_permissions.*", "dashboards.read"),
+					resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "monitor_permissions.*", "token.view"),
+					// Verify well-known secure permissions are present
+					resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "secure_permissions.*", "scanning.read"),
+					resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "secure_permissions.*", "secure.policy.read"),
+					resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "secure_permissions.*", "policies.read"),
+				),
+			},
+		},
+	})
+}

sysdig/internal/client/v2/builtin_role.go

@@ -0,0 +1,43 @@
+package v2
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+var ErrBuiltinRoleNotFound = errors.New("builtin role not found")
+
+const builtinRolePath = "%s/platform/v1/default-roles/%s"
+
+type BuiltinRoleInterface interface {
+	Base
+	GetBuiltinRole(ctx context.Context, name string) (*BuiltinRole, error)
+}
+
+func (c *Client) GetBuiltinRole(ctx context.Context, name string) (builtinRole *BuiltinRole, err error) {
+	response, err := c.requester.Request(ctx, http.MethodGet, c.getBuiltinRoleURL(name), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if dErr := response.Body.Close(); dErr != nil {
+			err = fmt.Errorf("unable to close response body: %w", dErr)
+		}
+	}()
+
+	if response.StatusCode != http.StatusOK {
+		if response.StatusCode == http.StatusNotFound {
+			return nil, ErrBuiltinRoleNotFound
+		}
+		return nil, c.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[*BuiltinRole](response.Body)
+}
+
+func (c *Client) getBuiltinRoleURL(name string) string {
+	return fmt.Sprintf(builtinRolePath, c.config.url, url.PathEscape(name))
+}

sysdig/internal/client/v2/model.go

@@ -55,6 +55,12 @@ type CustomRole struct {
 	MonitorPermissions []string `json:"monitorPermissions,omitempty"`
 	SecurePermissions  []string `json:"securePermissions,omitempty"`
 }
+
+type BuiltinRole struct {
+	Name               string   `json:"name"`
+	MonitorPermissions []string `json:"monitorPermissions,omitempty"`
+	SecurePermissions  []string `json:"securePermissions,omitempty"`
+}
 type customRoleListWrapper struct {
 	Roles []CustomRole `json:"roles"`
 }

sysdig/internal/client/v2/sysdig.go

@@ -21,6 +21,7 @@ type SysdigCommon interface {
 
 	CustomRoleInterface
 	CustomRolePermissionInterface
+	BuiltinRoleInterface
 	GroupMappingConfigInterface
 	GroupMappingInterface
 	IPFilteringSettingsInterface

sysdig/provider.go

@@ -200,6 +200,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_agent_access_key":       dataSourceSysdigAgentAccessKey(),
 			"sysdig_current_user":           dataSourceSysdigCurrentUser(),
 			"sysdig_custom_role":            dataSourceSysdigCustomRole(),
+			"sysdig_builtin_role":           dataSourceSysdigBuiltinRole(),
 			"sysdig_fargate_workload_agent": dataSourceSysdigFargateWorkloadAgent(),
 			"sysdig_user":                   dataSourceSysdigUser(),
 

website/docs/d/builtin_role.md

@@ -0,0 +1,35 @@
+---
+subcategory: "Sysdig Platform"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_builtin_role"
+description: |-
+  Retrieves information about a built-in (OOTB) role from the name.
+---
+
+# Data Source: sysdig_builtin_role
+
+Retrieves information about a built-in (out-of-the-box) role from the name.
+
+Built-in roles are the roles provided by Sysdig: View Only, Standard User, Advanced User, and Team Manager.
+
+-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
+
+## Example Usage
+
+```terraform
+data "sysdig_builtin_role" "advanced_user" {
+  name = "Advanced User"
+}
+```
+
+## Argument Reference
+
+* `name` - (Required) The name of the built-in role. Valid values are: `View Only`, `Standard User`, `Advanced User`, `Team Manager`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `monitor_permissions` - The built-in role's monitor permissions.
+
+* `secure_permissions` - The built-in role's secure permissions.