diff --git a/sysdig/data_source_sysdig_builtin_role.go b/sysdig/data_source_sysdig_builtin_role.go
new file mode 100644
index 00000000..82a9da30
--- /dev/null
+++ b/sysdig/data_source_sysdig_builtin_role.go
@@ -0,0 +1,75 @@
+package sysdig
+
+import (
+ "context"
+ "time"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceSysdigBuiltinRole() *schema.Resource {
+ timeout := 5 * time.Minute
+
+ return &schema.Resource{
+ ReadContext: dataSourceSysdigBuiltinRoleRead,
+
+ Timeouts: &schema.ResourceTimeout{
+ Read: schema.DefaultTimeout(timeout),
+ },
+
+ Schema: map[string]*schema.Schema{
+ SchemaNameKey: {
+ Type: schema.TypeString,
+ Required: true,
+ },
+ SchemaMonitorPermKey: {
+ Type: schema.TypeSet,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ SchemaSecurePermKey: {
+ Type: schema.TypeSet,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ }
+}
+
+func dataSourceSysdigBuiltinRoleRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+ client, err := m.(SysdigClients).sysdigCommonClientV2()
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ name := d.Get(SchemaNameKey).(string)
+
+ builtinRole, err := client.GetBuiltinRole(ctx, name)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ d.SetId(name)
+
+ err = d.Set(SchemaNameKey, builtinRole.Name)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ err = d.Set(SchemaMonitorPermKey, builtinRole.MonitorPermissions)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ err = d.Set(SchemaSecurePermKey, builtinRole.SecurePermissions)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
+ return nil
+}
diff --git a/sysdig/data_source_sysdig_builtin_role_test.go b/sysdig/data_source_sysdig_builtin_role_test.go
new file mode 100644
index 00000000..b3480fc5
--- /dev/null
+++ b/sysdig/data_source_sysdig_builtin_role_test.go
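Review bot: In dataSourceSysdigBuiltinRoleRead the identifier is taken from two different sources: `d.SetId(name)` stores the user's input while the next statement `d.Set(SchemaNameKey, builtinRole.Name)` stores the API's copy, so if the backend ever normalizes the name (casing or whitespace, not visible here) the state `name` would diverge from the configured value, which Terraform may flag as an inconsistent data-source result, while the ID keeps the raw input. Use one source for both, e.g. `d.SetId(builtinRole.Name)`, or keep the configured value and do not re-set `name` at all, since it is the lookup key. The not-found sentinel from the client also reaches the user without the name that was asked for; `return diag.Errorf("reading builtin role %q: %s", name, err)` after `GetBuiltinRole` makes the failure actionable. Neither function has a doc comment; I would add `// dataSourceSysdigBuiltinRole returns the schema of the read-only sysdig_builtin_role data source, which looks up a Sysdig-provided role by name and exports its monitor and secure permission sets.`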
@@ -0,0 +1,44 @@
+//go:build tf_acc_sysdig_monitor || tf_acc_sysdig_secure || tf_acc_onprem_monitor || tf_acc_onprem_secure
+
+package sysdig_test
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+ "github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccDataSourceSysdigBuiltinRole(t *testing.T) {
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: preCheckAnyEnv(t, SysdigMonitorApiTokenEnv, SysdigSecureApiTokenEnv),
+ ProviderFactories: map[string]func() (*schema.Provider, error){
+ "sysdig": func() (*schema.Provider, error) {
+ return sysdig.Provider(), nil
+ },
+ },
+ Steps: []resource.TestStep{
+ {
+ Config: `data "sysdig_builtin_role" "advanced" {
+ name = "Advanced User"
+}`,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("data.sysdig_builtin_role.advanced", "name", "Advanced User"),
+ // Verify both permission sets are non-empty
+ resource.TestCheckResourceAttrSet("data.sysdig_builtin_role.advanced", "monitor_permissions.#"),
+ resource.TestCheckResourceAttrSet("data.sysdig_builtin_role.advanced", "secure_permissions.#"),
+ // Verify well-known monitor permissions are present
+ resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "monitor_permissions.*", "alerts.read"),
+ resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "monitor_permissions.*", "dashboards.read"),
+ resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "monitor_permissions.*", "token.view"),
+ // Verify well-known secure permissions are present
+ resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "secure_permissions.*", "scanning.read"),
+ resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "secure_permissions.*", "secure.policy.read"),
+ resource.TestCheckTypeSetElemAttr("data.sysdig_builtin_role.advanced", "secure_permissions.*", "policies.read"),
+ ),
+ },
+ },
+ })
+}
diff --git a/sysdig/internal/client/v2/builtin_role.go b/sysdig/internal/client/v2/builtin_role.go
new file mode 100644
index 00000000..cfe398d7
--- /dev/null
+++ b/sysdig/internal/client/v2/builtin_role.go
@@ -0,0 +1,43 @@
+package v2
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "net/http"
+ "net/url"
+)
+
+var ErrBuiltinRoleNotFound = errors.New("builtin role not found")
+
+const builtinRolePath = "%s/platform/v1/default-roles/%s"
+
+type BuiltinRoleInterface interface {
+ Base
+ GetBuiltinRole(ctx context.Context, name string) (*BuiltinRole, error)
+}
+
+func (c *Client) GetBuiltinRole(ctx context.Context, name string) (builtinRole *BuiltinRole, err error) {
+ response, err := c.requester.Request(ctx, http.MethodGet, c.getBuiltinRoleURL(name), nil)
+ if err != nil {
+ return nil, err
+ }
+ defer func() {
+ if dErr := response.Body.Close(); dErr != nil {
+ err = fmt.Errorf("unable to close response body: %w", dErr)
+ }
+ }()
+
+ if response.StatusCode != http.StatusOK {
+ if response.StatusCode == http.StatusNotFound {
+ return nil, ErrBuiltinRoleNotFound
+ }
+ return nil, c.ErrorFromResponse(response)
+ }
+
+ return Unmarshal[*BuiltinRole](response.Body)
+}
+
+func (c *Client) getBuiltinRoleURL(name string) string {
+ return fmt.Sprintf(builtinRolePath, c.config.url, url.PathEscape(name))
+}
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
index fb796aee..399b3794 100644
--- a/sysdig/internal/client/v2/model.go
+++ b/sysdig/internal/client/v2/model.go
@@ -55,6 +55,12 @@ type CustomRole struct {
 MonitorPermissions []string `json:"monitorPermissions,omitempty"`
 SecurePermissions []string `json:"securePermissions,omitempty"`
 }
+
+type BuiltinRole struct {
+ Name string `json:"name"`
+ MonitorPermissions []string `json:"monitorPermissions,omitempty"`
+ SecurePermissions []string `json:"securePermissions,omitempty"`
+}
 type customRoleListWrapper struct {
 Roles []CustomRole `json:"roles"`
 }
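Review bot: The comment `// Verify both permission sets are non-empty` over-promises: `TestCheckResourceAttrSet` on `monitor_permissions.#` only asserts that the count attribute exists, and as far as I recall the SDK still records `#` (as `0`) for an empty set, so those two checks pass on an empty result; the `TestCheckTypeSetElemAttr` lines below are what actually prove the sets are populated, so either drop the `.#` checks or reword the comment to `// count attribute is always present; the element checks below prove the sets are populated`. The test covers only the happy path, while the client's `ErrBuiltinRoleNotFound` branch has no coverage; assuming the backend answers 404 for an unknown name, a second step with `ExpectError` (needs a `regexp` import) would pin the not-found message end to end. Pinning concrete permission names of a Sysdig-managed role also ties the test to backend policy that can change without a provider release; a one-line comment saying that is intentional would save the next person a debugging session.
```go
// … unchanged: happy-path step …
{
	Config: `data "sysdig_builtin_role" "missing" {
  name = "No Such Role"
}`,
	ExpectError: regexp.MustCompile(`builtin role not found`),
},
```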
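Review bot: The deferred close in `GetBuiltinRole` unconditionally overwrites the named `err`, so a `Close` failure replaces whatever the body returned, including the `ErrBuiltinRoleNotFound` sentinel (a caller's `errors.Is` would then miss it) and any `Unmarshal` error. Keep the first error: `if dErr := response.Body.Close(); dErr != nil && err == nil {` — or `err = errors.Join(err, fmt.Errorf("unable to close response body: %w", dErr))` if the module targets Go 1.20+; `errors` is already imported in this file. On the 404 and other non-200 paths the body is closed without being drained, which stops the transport from reusing the connection; minor, and only worth a `io.Copy(io.Discard, ...)` if `ErrorFromResponse` does not already read the body (not visible here). The exported `ErrBuiltinRoleNotFound`, `BuiltinRoleInterface` and `GetBuiltinRole` have no doc comments; e.g. `// GetBuiltinRole fetches the Sysdig-provided role called name from /platform/v1/default-roles and returns ErrBuiltinRoleNotFound when the backend answers 404.`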
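Review bot: `BuiltinRole` is an exported type with no doc comment, and its three fields mirror the visible tail of `CustomRole` exactly, which a reader will take for accidental duplication unless told otherwise. A comment such as `// BuiltinRole is a Sysdig-provided (default) role as returned by GET /platform/v1/default-roles/{name}. It is a separate type from CustomRole because this change only ever reads it.` makes the intent explicit. The `omitempty` tags are inert for a struct that is only decoded; harmless, but worth knowing if the type is ever serialized back. `CustomRole`'s header lies outside the hunk.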
diff --git a/sysdig/internal/client/v2/sysdig.go b/sysdig/internal/client/v2/sysdig.go
index 24428f28..4ca08c6c 100644
--- a/sysdig/internal/client/v2/sysdig.go
+++ b/sysdig/internal/client/v2/sysdig.go
@@ -21,6 +21,7 @@ type SysdigCommon interface {
 CustomRoleInterface
 CustomRolePermissionInterface
+ BuiltinRoleInterface
 GroupMappingConfigInterface
 GroupMappingInterface
 IPFilteringSettingsInterface
diff --git a/sysdig/provider.go b/sysdig/provider.go
index 93464333..df2a83c3 100644
--- a/sysdig/provider.go
+++ b/sysdig/provider.go
@@ -200,6 +200,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 "sysdig_agent_access_key": dataSourceSysdigAgentAccessKey(),
 "sysdig_current_user": dataSourceSysdigCurrentUser(),
 "sysdig_custom_role": dataSourceSysdigCustomRole(),
+ "sysdig_builtin_role": dataSourceSysdigBuiltinRole(),
 "sysdig_fargate_workload_agent": dataSourceSysdigFargateWorkloadAgent(),
 "sysdig_user": dataSourceSysdigUser(),
diff --git a/website/docs/d/builtin_role.md b/website/docs/d/builtin_role.md
new file mode 100644
index 00000000..101a4f99
--- /dev/null
+++ b/website/docs/d/builtin_role.md
@@ -0,0 +1,35 @@
+---
+subcategory: "Sysdig Platform"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_builtin_role"
+description: |-
+ Retrieves information about a built-in (OOTB) role from the name.
+---
+
+# Data Source: sysdig_builtin_role
+
+Retrieves information about a built-in (out-of-the-box) role from the name.
+
+Built-in roles are the roles provided by Sysdig: View Only, Standard User, Advanced User, and Team Manager.
+
+-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
+
+## Example Usage
+
+```terraform
+data "sysdig_builtin_role" "advanced_user" {
+ name = "Advanced User"
+}
+```
+
+## Argument Reference
+
+* `name` - (Required) The name of the built-in role. Valid values are: `View Only`, `Standard User`, `Advanced User`, `Team Manager`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `monitor_permissions` - The built-in role's monitor permissions.
+
+* `secure_permissions` - The built-in role's secure permissions.