Skip to content

add is_system attribute to sysdig_sso_saml and sysdig_sso_openid resources#714

Merged
dbonf merged 7 commits intomasterfrom
system-sso
Mar 4, 2026
Merged

add is_system attribute to sysdig_sso_saml and sysdig_sso_openid resources#714
dbonf merged 7 commits intomasterfrom
system-sso

Conversation

@dbonf
Copy link
Copy Markdown
Collaborator

@dbonf dbonf commented Mar 2, 2026

In onprem installations regular sso settings are not usable, but users should use system sso settings for the same purpuse.

System sso settings are identical to regular sso settings but they work at a different permission level.

For this reason, we introduce a new attribute, is_system, to let onprem users create system sso settings.

@dbonf dbonf self-assigned this Mar 2, 2026
@dbonf dbonf marked this pull request as ready for review March 2, 2026 12:27
@dbonf dbonf requested a review from a team as a code owner March 2, 2026 12:27
Copilot AI review requested due to automatic review settings March 2, 2026 12:27
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for managing system-level SSO settings (intended for on-prem installs) by introducing an is_system flag on the sysdig_sso_saml and sysdig_sso_openid Terraform resources, routing CRUD operations to /system-sso-settings when enabled.

Changes:

  • Add is_system schema attribute (ForceNew) to SAML and OpenID SSO resources and thread it through Read/Create/Update/Delete calls.
  • Extend v2 client SSO APIs to select regular vs system endpoints based on an isSystem boolean.
  • Update docs and acceptance tests, including new on-prem-specific acceptance test files and import guidance using system/<id>.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
website/docs/r/sso_saml.md Documents new is_system option and system import format system/<id>.
website/docs/r/sso_openid.md Documents new is_system option and system import format system/<id>.
sysdig/resource_sysdig_sso_saml.go Adds is_system to schema, custom import parsing, and routes SAML CRUD to system/non-system endpoints.
sysdig/resource_sysdig_sso_openid.go Adds is_system to schema, custom import parsing, and routes OpenID CRUD to system/non-system endpoints.
sysdig/internal/client/v2/sso_saml.go Adds system endpoint paths and updates client methods to accept isSystem and choose the correct URL.
sysdig/internal/client/v2/sso_openid.go Adds system endpoint paths and updates client methods to accept isSystem and choose the correct URL.
sysdig/resource_sysdig_sso_saml_test.go Updates build tags to exclude on-prem acceptance runs.
sysdig/resource_sysdig_sso_openid_test.go Updates build tags to exclude on-prem acceptance runs.
sysdig/resource_sysdig_sso_saml_onprem_test.go New on-prem acceptance tests for system SAML configs.
sysdig/resource_sysdig_sso_openid_onprem_test.go New on-prem acceptance tests for system OpenID configs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread sysdig/resource_sysdig_sso_saml_onprem_test.go
Comment thread sysdig/resource_sysdig_sso_saml_onprem_test.go
Comment thread sysdig/resource_sysdig_sso_openid_onprem_test.go
Comment thread sysdig/resource_sysdig_sso_openid_onprem_test.go
tembleking
tembleking reviewed Mar 3, 2026
View reviewed changes
Comment thread sysdig/resource_sysdig_sso_openid_onprem_test.go Outdated
Comment thread website/docs/r/sso_openid.md
Copilot AI review requested due to automatic review settings March 3, 2026 16:45
Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (2)

website/docs/r/sso_openid.md:58

  • This example sets is_system = false, which is already the default. Consider omitting it here and adding a dedicated on-prem example with is_system = true to highlight the new capability.
```terraform
resource "sysdig_sso_openid" "custom_idp" {
  issuer_url       = "https://idp.example.com"
  client_id        = "your-client-id"
  client_secret    = "your-client-secret"
  integration_name = "Custom IDP"

  is_active                     = true
  is_system                     = false
  is_metadata_discovery_enabled = false

  metadata {
    issuer                 = "https://idp.example.com"
    authorization_endpoint = "https://idp.example.com/oauth2/authorize"
    token_endpoint         = "https://idp.example.com/oauth2/token"
    jwks_uri               = "https://idp.example.com/.well-known/jwks.json"
    token_auth_method      = "CLIENT_SECRET_BASIC"
    end_session_endpoint   = "https://idp.example.com/oauth2/logout"
    user_info_endpoint     = "https://idp.example.com/userinfo"
  }
}

**website/docs/r/sso_openid.md:78**
* This example sets `is_system = false`, which is already the default. Consider omitting it here and adding a dedicated on-prem example with `is_system = true` to make the system-level configuration discoverable.

resource "sysdig_sso_openid" "okta" {
issuer_url = "https://your-org.okta.com"
client_id = "your-client-id"
client_secret = "your-client-secret"
integration_name = "Okta SSO"

is_active = true
is_system = false
create_user_on_login = true
is_group_mapping_enabled = true
group_mapping_attribute_name = "groups"
is_single_logout_enabled = true

is_additional_scopes_check_enabled = true
additional_scopes = ["groups", "profile", "email"]
}

</details>



---

💡 <a href="/sysdiglabs/terraform-provider-sysdig/new/master?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.

Comment thread website/docs/r/sso_saml.md
Comment thread website/docs/r/sso_saml.md
Comment thread sysdig/resource_sysdig_sso_openid_onprem_test.go Outdated
Comment thread sysdig/resource_sysdig_sso_openid_onprem_test.go Outdated
Comment thread website/docs/r/sso_saml.md
Comment thread website/docs/r/sso_openid.md
@dbonf dbonf added this pull request to the merge queue Mar 4, 2026
Merged via the queue into master with commit 23ef18b Mar 4, 2026
177 checks passed
@dbonf dbonf deleted the system-sso branch March 4, 2026 09:59
fcracker79 pushed a commit that referenced this pull request Mar 5, 2026
@dbonf @fcracker79
add is_system attribute to sysdig_sso_saml and `sysdig_sso_openid…
18e13a2 
…` resources (#714)

In onprem installations regular sso settings are not usable, but users
should use system sso settings for the same purpuse.

System sso settings are identical to regular sso settings but they work
at a different permission level.

For this reason, we introduce a new attribute, `is_system`, to let
onprem users create system sso settings.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tembleking tembleking tembleking approved these changes

Assignees

@dbonf dbonf

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dbonf @tembleking