Feat: add new OIDC credentials creation and assigment (Azure data sou…

…rce) (#773)
env0 · Dec 26, 2023 · fcf27bc · fcf27bc
1 parent 7ad25a2
commit fcf27bc
Show file tree

Hide file tree

Showing 9 changed files with 200 additions and 72 deletions.
diff --git a/env0/data_aws_oidc_credentials.go b/env0/data_aws_oidc_credentials.go
diff --git a/env0/data_aws_oidc_credentials_test.go b/env0/data_aws_oidc_credentials_test.go
@@ -29,8 +29,6 @@ func TestAwsOidcCredentialDataSource(t *testing.T) {
 		Type: string(client.AwsAssumedRoleCredentialsType),
 	}
 
-	oidcSub := "oidc sub 123345 !!!"
-
 	byName := map[string]interface{}{"name": credentials.Name}
 	byId := map[string]interface{}{"id": credentials.Id}
 
@@ -46,7 +44,6 @@ func TestAwsOidcCredentialDataSource(t *testing.T) {
 					Check: resource.ComposeAggregateTestCheckFunc(
 						resource.TestCheckResourceAttr(accessor, "id", credentials.Id),
 						resource.TestCheckResourceAttr(accessor, "name", credentials.Name),
-						resource.TestCheckResourceAttr(accessor, "oidc_sub", oidcSub),
 					),
 				},
 			},
@@ -67,14 +64,12 @@ func TestAwsOidcCredentialDataSource(t *testing.T) {
 	mockGetCredentials := func(returnValue client.Credentials) func(mockFunc *client.MockApiClientInterface) {
 		return func(mock *client.MockApiClientInterface) {
 			mock.EXPECT().CloudCredentials(credentials.Id).AnyTimes().Return(returnValue, nil)
-			mock.EXPECT().OidcSub().AnyTimes().Return(oidcSub, nil)
 		}
 	}
 
 	mockListCredentials := func(returnValue []client.Credentials) func(mockFunc *client.MockApiClientInterface) {
 		return func(mock *client.MockApiClientInterface) {
 			mock.EXPECT().CloudCredentialsList().AnyTimes().Return(returnValue, nil)
-			mock.EXPECT().OidcSub().AnyTimes().Return(oidcSub, nil)
 		}
 	}
 

diff --git a/env0/data_azure_oidc_credentials_test.go b/env0/data_azure_oidc_credentials_test.go
@@ -0,0 +1,119 @@
+package env0
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/env0/terraform-provider-env0/client"
+	"github.com/env0/terraform-provider-env0/client/http"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAzureOidcCredentialDataSource(t *testing.T) {
+	credentials := client.Credentials{
+		Id:   "id0",
+		Name: "name0",
+		Type: string(client.AzureOidcCredentialsType),
+	}
+
+	credentialsOther1 := client.Credentials{
+		Id:   "id1",
+		Name: "name1",
+		Type: string(client.AzureOidcCredentialsType),
+	}
+
+	credentialsOther2 := client.Credentials{
+		Id:   "id2",
+		Name: "name2",
+		Type: string(client.AzureServicePrincipalCredentialsType),
+	}
+
+	byName := map[string]interface{}{"name": credentials.Name}
+	byId := map[string]interface{}{"id": credentials.Id}
+
+	resourceType := "env0_azure_oidc_credentials"
+	resourceName := "test_azure_oidc_credentials"
+	accessor := dataSourceAccessor(resourceType, resourceName)
+
+	getValidTestCase := func(input map[string]interface{}) resource.TestCase {
+		return resource.TestCase{
+			Steps: []resource.TestStep{
+				{
+					Config: dataSourceConfigCreate(resourceType, resourceName, input),
+					Check: resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttr(accessor, "id", credentials.Id),
+						resource.TestCheckResourceAttr(accessor, "name", credentials.Name),
+					),
+				},
+			},
+		}
+	}
+
+	getErrorTestCase := func(input map[string]interface{}, expectedError string) resource.TestCase {
+		return resource.TestCase{
+			Steps: []resource.TestStep{
+				{
+					Config:      dataSourceConfigCreate(resourceType, resourceName, input),
+					ExpectError: regexp.MustCompile(expectedError),
+				},
+			},
+		}
+	}
+
+	mockGetCredentials := func(returnValue client.Credentials) func(mockFunc *client.MockApiClientInterface) {
+		return func(mock *client.MockApiClientInterface) {
+			mock.EXPECT().CloudCredentials(credentials.Id).AnyTimes().Return(returnValue, nil)
+		}
+	}
+
+	mockListCredentials := func(returnValue []client.Credentials) func(mockFunc *client.MockApiClientInterface) {
+		return func(mock *client.MockApiClientInterface) {
+			mock.EXPECT().CloudCredentialsList().AnyTimes().Return(returnValue, nil)
+		}
+	}
+
+	t.Run("by id", func(t *testing.T) {
+		runUnitTest(t,
+			getValidTestCase(byId),
+			mockGetCredentials(credentials),
+		)
+	})
+
+	t.Run("by name", func(t *testing.T) {
+		runUnitTest(t,
+			getValidTestCase(byName),
+			mockListCredentials([]client.Credentials{credentials, credentialsOther1, credentialsOther2}),
+		)
+	})
+
+	t.Run("throw error when no name or id is supplied", func(t *testing.T) {
+		runUnitTest(t,
+			getErrorTestCase(map[string]interface{}{}, "one of `id,name` must be specified"),
+			func(mock *client.MockApiClientInterface) {},
+		)
+	})
+
+	t.Run("throw error when by name and more than one is returned", func(t *testing.T) {
+		runUnitTest(t,
+			getErrorTestCase(byName, "found multiple credentials"),
+			mockListCredentials([]client.Credentials{credentials, credentialsOther1, credentialsOther2, credentials}),
+		)
+	})
+
+	t.Run("Throw error when by name and not found", func(t *testing.T) {
+		runUnitTest(t,
+			getErrorTestCase(byName, "not found"),
+			mockListCredentials([]client.Credentials{credentialsOther1, credentialsOther2}),
+		)
+	})
+
+	t.Run("Throw error when by id and not found", func(t *testing.T) {
+		runUnitTest(t,
+			getErrorTestCase(byId, fmt.Sprintf("id %s not found", credentials.Id)),
+			func(mock *client.MockApiClientInterface) {
+				mock.EXPECT().CloudCredentials(credentials.Id).AnyTimes().Return(client.Credentials{}, http.NewMockFailedResponseError(404))
+			},
+		)
+	})
+}
diff --git a/env0/data_oidc_credentials.go b/env0/data_oidc_credentials.go
@@ -0,0 +1,55 @@
+package env0
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/env0/terraform-provider-env0/client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataOidcCredentials(credentialsType CloudType) *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataOidcCredentialRead(credentialsType),
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:         schema.TypeString,
+				Description:  fmt.Sprintf("the name of the %s oidc credentials", credentialsType),
+				Optional:     true,
+				ExactlyOneOf: []string{"name", "id"},
+			},
+			"id": {
+				Type:         schema.TypeString,
+				Description:  fmt.Sprintf("the id of the %s oidc credentials", credentialsType),
+				Optional:     true,
+				ExactlyOneOf: []string{"name", "id"},
+			},
+		},
+	}
+}
+
+func dataOidcCredentialRead(credentialsType CloudType) func(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	return func(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+		var credentials client.Credentials
+		var err error
+
+		id, ok := d.GetOk("id")
+		if ok {
+			credentials, err = getCredentialsById(id.(string), credentialsTypeToPrefixList[credentialsType], meta)
+		} else {
+			credentials, err = getCredentialsByName(d.Get("name").(string), credentialsTypeToPrefixList[credentialsType], meta)
+		}
+
+		if err != nil {
+			return DataGetFailure(fmt.Sprintf("%s oidc credentials", credentialsType), id, err)
+		}
+
+		if err := writeResourceData(&credentials, d); err != nil {
+			return diag.Errorf("schema resource data serialization failed: %v", err)
+		}
+
+		return nil
+	}
+}
diff --git a/env0/data_organization.go b/env0/data_organization.go
@@ -33,6 +33,11 @@ func dataOrganization() *schema.Resource {
 				Description: "is the organization self hosted",
 				Computed:    true,
 			},
+			"oidc_sub": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "the jwt oidc sub",
+			},
 		},
 	}
 }
@@ -49,5 +54,10 @@ func dataOrganizationRead(ctx context.Context, d *schema.ResourceData, meta inte
 		return diag.Errorf("schema resource data serialization failed: %v", err)
 	}
 
+	oidcSub, err := apiClient.OidcSub()
+	if err == nil {
+		d.Set("oidc_sub", oidcSub)
+	}
+
 	return nil
 }
diff --git a/env0/data_organization_test.go b/env0/data_organization_test.go
@@ -20,6 +20,8 @@ func TestUnitOrganizationData(t *testing.T) {
 		IsSelfHostedK8s: true,
 	}
 
+	oidcSub := "sub"
+
 	testCase := resource.TestCase{
 		Steps: []resource.TestStep{
 			{
@@ -30,12 +32,14 @@ func TestUnitOrganizationData(t *testing.T) {
 					resource.TestCheckResourceAttr(accessor, "created_by", organization.CreatedBy),
 					resource.TestCheckResourceAttr(accessor, "role", organization.Role),
 					resource.TestCheckResourceAttr(accessor, "is_self_hosted", strconv.FormatBool(organization.IsSelfHostedK8s)),
+					resource.TestCheckResourceAttr(accessor, "oidc_sub", oidcSub),
 				),
 			},
 		},
 	}
 
 	runUnitTest(t, testCase, func(mock *client.MockApiClientInterface) {
 		mock.EXPECT().Organization().AnyTimes().Return(organization, nil)
+		mock.EXPECT().OidcSub().AnyTimes().Return(oidcSub, nil)
 	})
 }
diff --git a/env0/provider.go b/env0/provider.go
@@ -69,9 +69,10 @@ func Provider(version string) plugin.ProviderFunc {
 				"env0_azure_cost_credentials":    dataCredentials(AZURE_COST_TYPE),
 				"env0_google_cost_credentials":   dataCredentials(GCP_COST_TYPE),
 				"env0_aws_credentials":           dataCredentials(AWS_TYPE),
-				"env0_aws_oidc_credentials":      dataAwsOidcCredentials(),
+				"env0_aws_oidc_credentials":      dataOidcCredentials(AWS_OIDC_TYPE),
 				"env0_gcp_credentials":           dataCredentials(GCP_TYPE),
 				"env0_azure_credentials":         dataCredentials(AZURE_TYPE),
+				"env0_azure_oidc_credentials":    dataOidcCredentials(AZURE_OIDC_TYPE),
 				"env0_team":                      dataTeam(),
 				"env0_teams":                     dataTeams(),
 				"env0_environment":               dataEnvironment(),

diff --git a/tests/integration/006_aws_credentials/main.tf b/tests/integration/006_aws_credentials/main.tf
@@ -32,6 +32,11 @@ resource "env0_aws_oidc_credentials" "oidc_credentials" {
   duration = 7200
 }
 
+data "env0_aws_oidc_credentials" "oidc_credentials" {
+  name       = "Test Oidc Credentials ${random_string.random.result}"
+  depends_on = [env0_aws_oidc_credentials.oidc_credentials]
+}
+
 output "name_by_arn" {
   value = replace(data.env0_aws_credentials.my_role_by_arn.name, random_string.random.result, "")
 }

diff --git a/tests/integration/016_azure_credentials/main.tf b/tests/integration/016_azure_credentials/main.tf
@@ -19,6 +19,11 @@ resource "env0_azure_oidc_credentials" "oidc_credentials" {
   tenant_id       = "tenant_id"
 }
 
+data "env0_azure_oidc_credentials" "oidc_credentials" {
+  name       = "test azure oidc credentials ${random_string.random.result}"
+  depends_on = [env0_azure_oidc_credentials.oidc_credentials]
+}
+
 data "env0_azure_credentials" "azure_cred" {
   name = env0_azure_credentials.azure_cred.name
 }