feat: add resource_type attribute for keycloak_openid_client_authoriz…

…ation_permission resource (#702)
mrparkers · Jul 28, 2022 · 0a213cc · 0a213cc
1 parent 607790a
commit 0a213cc
Show file tree

Hide file tree

Showing 5 changed files with 195 additions and 30 deletions.
diff --git a/docs/resources/openid_client_authorization_permission.md b/docs/resources/openid_client_authorization_permission.md
@@ -0,0 +1,84 @@
+# keycloak_openid_client_authorization_permission
+
+Allows you to manage openid Client Authorization Permissions.
+
+### Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+	realm   = "my-realm"
+	enabled = true
+}
+
+resource keycloak_openid_client test {
+	client_id                = "client_id"
+	realm_id                 = keycloak_realm.realm.id
+	access_type              = "CONFIDENTIAL"
+	service_accounts_enabled = true
+	authorization {
+		policy_enforcement_mode = "ENFORCING"
+	}
+}
+
+data keycloak_openid_client_authorization_policy default {
+	realm_id           = keycloak_realm.realm.id
+	resource_server_id = keycloak_openid_client.test.resource_server_id
+	name               = "default"
+}
+
+resource keycloak_openid_client_authorization_resource test {
+	resource_server_id = keycloak_openid_client.test.resource_server_id
+	name               = "resource_name"
+	realm_id           = keycloak_realm.realm.id
+
+	uris = [
+		"/endpoint/*"
+	]
+}
+
+resource keycloak_openid_client_authorization_scope test {
+	resource_server_id = keycloak_openid_client.test.resource_server_id
+	name               = "scope_name"
+	realm_id           = keycloak_realm.realm.id
+}
+
+resource keycloak_openid_client_authorization_permission test {
+	resource_server_id = keycloak_openid_client.test.resource_server_id
+	realm_id           = keycloak_realm.realm.id
+	name               = "permission_name"
+	policies           = [data.keycloak_openid_client_authorization_policy.default.id]
+	resources          = [keycloak_openid_client_authorization_resource.test.id]
+
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this group exists in.
+- `resource_server_id` - (Required) The ID of the resource server.
+- `name` - (Required) The name of the permission.
+- `description` - (Optional) A description for the authorization permission.
+- `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`.
+- `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission.
+- `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`.
+- `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`.
+- `scopes` - (Optional) A list of scope IDs that this permission must be applied to.
+- `type` - (Optional) The type of permission, can be one of `resource` or `scope`.
+
+### Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+- `id` - Permission ID representing the permission.
+
+## Import
+
+Client authorization permissions can be imported using the format: `{{realmId}}/{{resourceServerId}}/{{permissionId}}`.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client_authorization_permission.test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9
+```
diff --git a/docs/resources/openid_client_client_policy.md b/docs/resources/openid_client_client_policy.md
@@ -10,7 +10,6 @@ This resource can be used to create client policy.
 
 In this example, we'll create a new OpenID client, then enabled permissions for the client. A client without permissions disabled cannot be assigned by a client policy. We'll use the `keycloak_openid_client_client_policy` resource to create a new client policy, which could be applied to many clients, for a realm and a resource_server_id.
 
-
 ```hcl
 resource "keycloak_realm" "realm" {
 	realm   = "my-realm"

diff --git a/keycloak/openid_client_authorization_permission.go b/keycloak/openid_client_authorization_permission.go
@@ -17,6 +17,7 @@ type OpenidClientAuthorizationPermission struct {
 	Resources        []string `json:"resources"`
 	Scopes           []string `json:"scopes"`
 	Type             string   `json:"type"`
+	ResourceType     string   `json:"resourceType,omitempty"`
 }
 
 func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(ctx context.Context, realm, resourceServerId, id string) (*OpenidClientAuthorizationPermission, error) {

diff --git a/provider/resource_keycloak_openid_client_authorization_permission.go b/provider/resource_keycloak_openid_client_authorization_permission.go
@@ -3,9 +3,10 @@ package provider
 import (
 	"context"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"strings"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/mrparkers/terraform-provider-keycloak/keycloak"
@@ -55,9 +56,15 @@ func resourceKeycloakOpenidClientAuthorizationPermission() *schema.Resource {
 				Optional: true,
 			},
 			"resources": {
-				Type:     schema.TypeSet,
-				Elem:     &schema.Schema{Type: schema.TypeString},
-				Optional: true,
+				Type:          schema.TypeSet,
+				Elem:          &schema.Schema{Type: schema.TypeString},
+				Optional:      true,
+				ConflictsWith: []string{"resource_type"},
+			},
+			"resource_type": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ConflictsWith: []string{"resources"},
 			},
 			"scopes": {
 				Type:     schema.TypeSet,
@@ -105,6 +112,7 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *
 		Policies:         policies,
 		Scopes:           scopes,
 		Resources:        resources,
+		ResourceType:     data.Get("resource_type").(string),
 	}
 	return &permission
 }
@@ -120,6 +128,7 @@ func setOpenidClientAuthorizationPermissionData(data *schema.ResourceData, permi
 	data.Set("policies", permission.Policies)
 	data.Set("scopes", permission.Scopes)
 	data.Set("resources", permission.Resources)
+	data.Set("resource_type", permission.ResourceType)
 }
 
 func resourceKeycloakOpenidClientAuthorizationPermissionCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {

diff --git a/provider/resource_keycloak_openid_client_authorization_permission_test.go b/provider/resource_keycloak_openid_client_authorization_permission_test.go
@@ -30,6 +30,27 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) {
 	})
 }
 
+func TestAccKeycloakOpenidClientAuthorizationPermission_resourceType(t *testing.T) {
+	t.Parallel()
+	clientId := acctest.RandomWithPrefix("tf-acc")
+	resourceName := acctest.RandomWithPrefix("tf-acc")
+	resourceType := acctest.RandomWithPrefix("tf-acc")
+	permissionName := acctest.RandomWithPrefix("tf-acc")
+	scopeName := acctest.RandomWithPrefix("tf-acc")
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		PreCheck:          func() { testAccPreCheck(t) },
+		CheckDestroy:      testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testKeycloakOpenidClientAuthorizationPermission_resourceType(clientId, resourceName, resourceType, permissionName, scopeName),
+				Check:  testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
+			},
+		},
+	})
+}
+
 func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy(t *testing.T) {
 	t.Parallel()
 	var authorizationPermission = &keycloak.OpenidClientAuthorizationPermission{}
@@ -178,25 +199,25 @@ resource keycloak_openid_client test {
 }
 
 data keycloak_openid_client_authorization_policy default {
-  realm_id           = data.keycloak_realm.realm.id
-  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
-  name               = "default"
+	realm_id           = data.keycloak_realm.realm.id
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "default"
 }
 
 resource keycloak_openid_client_authorization_resource test {
-  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
-  name               = "%s"
-  realm_id           = data.keycloak_realm.realm.id
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "%s"
+	realm_id           = data.keycloak_realm.realm.id
 
-  uris = [
-    "/endpoint/*"
-  ]
+	uris = [
+		"/endpoint/*"
+	]
 }
 
 resource keycloak_openid_client_authorization_scope test {
-  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
-  name               = "%s"
-  realm_id           = data.keycloak_realm.realm.id
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "%s"
+	realm_id           = data.keycloak_realm.realm.id
 }
 
 resource keycloak_openid_client_authorization_permission test {
@@ -210,6 +231,57 @@ resource keycloak_openid_client_authorization_permission test {
 	`, testAccRealm.Realm, clientId, resourceName, scopeName, permissionName)
 }
 
+func testKeycloakOpenidClientAuthorizationPermission_resourceType(clientId, resourceName, resourceType, permissionName, scopeName string) string {
+	return fmt.Sprintf(`
+data "keycloak_realm" "realm" {
+	realm = "%s"
+}
+
+resource keycloak_openid_client test {
+	client_id                = "%s"
+	realm_id                 = data.keycloak_realm.realm.id
+	access_type              = "CONFIDENTIAL"
+	service_accounts_enabled = true
+	authorization {
+		policy_enforcement_mode = "ENFORCING"
+	}
+}
+
+data keycloak_openid_client_authorization_policy default {
+	realm_id           = data.keycloak_realm.realm.id
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "default"
+}
+
+resource keycloak_openid_client_authorization_resource test {
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "%s"
+	realm_id           = data.keycloak_realm.realm.id
+
+	type = "%s"
+
+	uris = [
+		"/endpoint/*"
+	]
+}
+
+resource keycloak_openid_client_authorization_scope test {
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "%s"
+	realm_id           = data.keycloak_realm.realm.id
+}
+
+resource keycloak_openid_client_authorization_permission test {
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	realm_id           = data.keycloak_realm.realm.id
+	name               = "%s"
+	policies           = ["${data.keycloak_openid_client_authorization_policy.default.id}"]
+	resource_type      = "%s"
+
+}
+	`, testAccRealm.Realm, clientId, resourceName, resourceType, scopeName, permissionName, resourceType)
+}
+
 func testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId string, authorizationPermission *keycloak.OpenidClientAuthorizationPermission, resourceName, scopeName string) string {
 	return fmt.Sprintf(`
 data "keycloak_realm" "realm" {
@@ -227,34 +299,34 @@ resource keycloak_openid_client test {
 }
 
 data keycloak_openid_client_authorization_policy default {
-  realm_id           = data.keycloak_realm.realm.id
-  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
-  name               = "default"
+	realm_id           = data.keycloak_realm.realm.id
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "default"
 }
 
 resource keycloak_openid_client_authorization_resource resource {
-  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
-  name               = "%s"
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "%s"
 	realm_id           = data.keycloak_realm.realm.id
 
-  uris = [
-    "/endpoint/*"
-  ]
+	uris = [
+		"/endpoint/*"
+	]
 }
 
 resource keycloak_openid_client_authorization_scope test {
-  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
-  name               = "%s"
-  realm_id           = data.keycloak_realm.realm.id
+	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+	name               = "%s"
+	realm_id           = data.keycloak_realm.realm.id
 }
 
 resource keycloak_openid_client_authorization_permission test {
 	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
 	realm_id           = data.keycloak_realm.realm.id
 	name               = "%s"
 	policies           = ["${data.keycloak_openid_client_authorization_policy.default.id}"]
-   resources          = ["${keycloak_openid_client_authorization_resource.resource.id}"]
-	 description        = "%s"
+	resources          = ["${keycloak_openid_client_authorization_resource.resource.id}"]
+	description        = "%s"
 	scopes = ["${keycloak_openid_client_authorization_scope.test.id}"]
 }
 	`, testAccRealm.Realm, clientId, resourceName, scopeName, authorizationPermission.Name, authorizationPermission.Description)