package organization
import (
"context"
avngen "github.com/aiven/go-client-codegen"
"github.com/aiven/go-client-codegen/handler/account"
"github.com/aiven/go-client-codegen/handler/organization"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/aiven/terraform-provider-aiven/internal/common"
"github.com/aiven/terraform-provider-aiven/internal/schemautil"
"github.com/aiven/terraform-provider-aiven/internal/schemautil/userconfig"
)
// aivenOrganizationalPermissionSchema describes the organization permission
// resource: the target (organization, resource type, resource ID) and the set of
// principal grants applied to that target.
var aivenOrganizationalPermissionSchema = map[string]*schema.Schema{
	// NOTE(review): none of the three target fields below is ForceNew. The upsert
	// reads them with d.Get and re-targets PermissionsSet to the new values, so an
	// in-place change grants on the new target without revoking anything on the
	// previously targeted resource — confirm whether replacement is intended.
	"organization_id": {
		Type:        schema.TypeString,
		Required:    true,
		Description: "Organization ID.",
	},
	"resource_type": {
		Type:         schema.TypeString,
		Required:     true,
		Description:  userconfig.Desc("Resource type.").PossibleValuesString(organization.ResourceTypeChoices()...).Build(),
		ValidateFunc: validation.StringInSlice(organization.ResourceTypeChoices(), false),
	},
	"resource_id": {
		Type:        schema.TypeString,
		Required:    true,
		Description: "Resource ID.",
	},
	"permissions": {
		Type:        schema.TypeSet,
		Required:    true,
		Description: "Permissions to grant to principals.",
		Elem:        &schema.Resource{Schema: permissionFields},
	},
}
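// permissionFields is the schema of one element of the "permissions" set: a single
// principal together with the roles/permissions granted to it. Read also uses the
// key set of this map to drop API fields that are not part of the schema.
var permissionFields = map[string]*schema.Schema{
	"principal_type": {
		Type:     schema.TypeString,
		Required: true,
		// Validated at plan time against the generated choices, the same way
		// resource_type is validated in aivenOrganizationalPermissionSchema, so a
		// typo is rejected before any grant is attempted.
		ValidateFunc: validation.StringInSlice(organization.PrincipalTypeChoices(), false),
		Description:  userconfig.Desc("The type of principal.").PossibleValuesString(organization.PrincipalTypeChoices()...).Build(),
	},
	"principal_id": {
		Type:        schema.TypeString,
		Required:    true,
		Description: "ID of the user or group to grant permissions to. Only active users who have accepted an [invite](https://aiven.io/docs/platform/howto/manage-org-users) to join the organization can be granted permissions.",
	},
	"permissions": {
		Type:        schema.TypeSet,
		Required:    true,
		Description: userconfig.Desc("List of [roles and permissions](https://aiven.io/docs/platform/concepts/permissions) to grant.").PossibleValuesString(account.MemberTypeChoices()...).Build(),
		Elem:        &schema.Schema{Type: schema.TypeString},
	},
	// Timestamps are server-assigned and therefore Computed.
	"create_time": {
		Type:        schema.TypeString,
		Computed:    true,
		Description: "Time created.",
	},
	"update_time": {
		Type:        schema.TypeString,
		Computed:    true,
		Description: "Time updated.",
	},
}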
// ResourceOrganizationalPermission returns the Terraform resource that manages the
// permission set of one organization, unit or project resource. Create and Update
// share the upsert path; Delete clears the set through the same path.
func ResourceOrganizationalPermission() *schema.Resource {
	description := `Grants [roles and permissions](https://aiven.io/docs/platform/concepts/permissions)
to a principal for a resource. Permissions can be granted at the organization, organizational unit, and project level.
Unit-level permissions aren't shown in the Aiven Console.
**Do not use the ` + "`aiven_project_user`" + ` or ` + "`aiven_organization_group_project`" + ` resources with this resource**.
`

	upsert := common.WithGenClient(resourceOrganizationalPermissionUpsert)

	return &schema.Resource{
		Description:   description,
		CreateContext: upsert,
		ReadContext:   common.WithGenClient(resourceOrganizationalPermissionRead),
		UpdateContext: upsert,
		DeleteContext: common.WithGenClient(resourceOrganizationalPermissionDelete),
		Importer:      &schema.ResourceImporter{StateContext: schema.ImportStatePassthroughContext},
		Timeouts:      schemautil.DefaultResourceTimeouts(),
		Schema:        aivenOrganizationalPermissionSchema,
	}
}
// resourceOrganizationalPermissionUpsert sends the configured permission set for
// the target resource and then refreshes state from the API. Create and Update
// both use it; Delete relies on it as well by upserting an empty set, so the call
// is treated as a full replacement of the target's grants.
func resourceOrganizationalPermissionUpsert(ctx context.Context, d *schema.ResourceData, client avngen.Client) error {
	var (
		orgID        = d.Get("organization_id").(string)
		resourceType = d.Get("resource_type").(string)
		resourceID   = d.Get("resource_id").(string)
	)

	req := new(organization.PermissionsSetIn)
	if err := schemautil.ResourceDataGet(d, req); err != nil {
		return err
	}
	// Send an explicit empty list rather than nil when no grants are configured.
	if req.Permissions == nil {
		req.Permissions = []organization.PermissionIn{}
	}

	if err := client.PermissionsSet(ctx, orgID, organization.ResourceType(resourceType), resourceID, req); err != nil {
		return err
	}

	// The ID encodes the full target so Read can address it on its own.
	d.SetId(schemautil.BuildResourceID(orgID, resourceType, resourceID))
	return resourceOrganizationalPermissionRead(ctx, d, client)
}
// resourceOrganizationalPermissionRead loads the grants of the target encoded in
// the resource ID and stores them under "permissions".
func resourceOrganizationalPermissionRead(ctx context.Context, d *schema.ResourceData, client avngen.Client) error {
	orgID, resourceType, resourceID, err := schemautil.SplitResourceID3(d.Id())
	if err != nil {
		return err
	}

	out, err := client.PermissionsGet(ctx, orgID, organization.ResourceType(resourceType), resourceID)
	if err != nil {
		return err
	}

	grants := make([]map[string]any, 0, len(out))
	if err = schemautil.Remarshal(out, &grants); err != nil {
		return err
	}

	// Keep only keys declared in permissionFields: the API response may gain
	// fields the schema does not know, and d.Set would fail on them.
	for _, grant := range grants {
		for key := range grant {
			if _, known := permissionFields[key]; known {
				continue
			}
			delete(grant, key)
		}
	}

	return d.Set("permissions", grants)
}
// resourceOrganizationalPermissionDelete revokes every grant on the target by
// upserting an empty permission set.
func resourceOrganizationalPermissionDelete(ctx context.Context, d *schema.ResourceData, client avngen.Client) error {
	if err := d.Set("permissions", []any{}); err != nil {
		return err
	}
	return resourceOrganizationalPermissionUpsert(ctx, d, client)
}