Merge pull request #132 from okta/ulfat/terraformImplementationFrSudo…

…OKTA-707627 Add Sudo Commands Bundle
okta · Jul 18, 2024 · ce96585 · ce96585
2 parents e29fa97 + 30d2822
commit ce96585
Show file tree

Hide file tree

Showing 90 changed files with 12,390 additions and 1,048 deletions.
diff --git a/Makefile b/Makefile
@@ -7,7 +7,7 @@ VERSION=0.4.1
 OS_ARCH=$(shell go env GOOS)_$(shell go env GOARCH)
 PLUGIN_DIR=~/.terraform.d/plugins
 DOCGEN_RESOURCES_DIR=docgen-resources
-
+GOPRIVATE="github.com/atko-pam,github.com/okta"
 SET_VERSION=-ldflags "-X github.com/okta/terraform-provider-oktapam/oktapam/version.Version=${VERSION}"
 
 ifneq ($(DEBUG), )
@@ -64,3 +64,11 @@ check-generate:
 	go generate ./...
 	git diff --compact-summary --exit-code || \
 	  (echo; echo "Unexpected difference in directories after code generation. Run 'go generate ./...' command and commit."; exit 1)
+updatedep:
+	ifndef dep
+		$(error you must specify dep=<your dependency>)
+	endif
+	GOPRIVATE=${GOPRIVATE} go mod tidy
+	GOPRIVATE=${GOPRIVATE} go get $(dep)@latest
+	GOPRIVATE=${GOPRIVATE} go mod tidy
+	GOPRIVATE=${GOPRIVATE} go mod vendor
diff --git a/docs/data-sources/cloud_connection.md b/docs/data-sources/cloud_connection.md
@@ -0,0 +1,40 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_cloud_connection Data Source - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  Returns an existing PAM Cloud Connection. For details, see Cloud Connection https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-entitlement-aws-connect.
+---
+
+# oktapam_cloud_connection (Data Source)
+
+Returns an existing PAM Cloud Connection. For details, see [Cloud Connection](https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-entitlement-aws-connect).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `cloud_connection_details` (List of Object) More data about the cloud connection to be able to connect to the cloud provider (see [below for nested schema](#nestedatt--cloud_connection_details))
+- `id` (String) The ID of this resource.
+- `name` (String) The human-readable name of the resource. Values are case-sensitive.
+
+<a id="nestedatt--cloud_connection_details"></a>
+### Nested Schema for `cloud_connection_details`
+
+Read-Only:
+
+- `aws` (List of Object) (see [below for nested schema](#nestedobjatt--cloud_connection_details--aws))
+
+<a id="nestedobjatt--cloud_connection_details--aws"></a>
+### Nested Schema for `cloud_connection_details.aws`
+
+Read-Only:
+
+- `account_id` (String)
+- `external_id` (String)
+- `role_arn` (String)
+
+
diff --git a/docs/data-sources/cloud_connections.md b/docs/data-sources/cloud_connections.md
@@ -0,0 +1,27 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_cloud_connections Data Source - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  Returns a list of Cloud Connections. For details, see Cloud Connection https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-entitlement-aws-connect.
+---
+
+# oktapam_cloud_connections (Data Source)
+
+Returns a list of Cloud Connections. For details, see [Cloud Connection](https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-entitlement-aws-connect).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `name` (String) The name of the resource
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `ids` (List of String)
+
+
diff --git a/docs/data-sources/security_policy.md b/docs/data-sources/security_policy.md
@@ -123,6 +123,18 @@ Read-Only:
 
 - `admin_level_permissions` (Boolean)
 - `enabled` (Boolean)
+- `sudo_command_bundles` (List of Object) (see [below for nested schema](#nestedobjatt--rule--privileges--principal_account_ssh--sudo_command_bundles))
+- `uam_display_name` (String)
+
+<a id="nestedobjatt--rule--privileges--principal_account_ssh--sudo_command_bundles"></a>
+### Nested Schema for `rule.privileges.principal_account_ssh.uam_display_name`
+
+Read-Only:
+
+- `id` (String)
+- `name` (String)
+- `type` (String)
+
 
 
 <a id="nestedobjatt--rule--privileges--secret"></a>

diff --git a/docs/data-sources/sudo_commands_bundle.md b/docs/data-sources/sudo_commands_bundle.md
@@ -0,0 +1,41 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_sudo_commands_bundle Data Source - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  Returns an existing PAM Sudo Commands Bundle. For details, see Sudo Commands Bundle https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands.
+---
+
+# oktapam_sudo_commands_bundle (Data Source)
+
+Returns an existing PAM Sudo Commands Bundle. For details, see [Sudo Commands Bundle](https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `add_env` (List of String) A list of environment variables to include when running sudo commands. See [the sudo documentation](https://www.sudo.ws/man/1.8.13/sudoers.man.html#Command_environment).
+- `id` (String) The ID of this resource.
+- `name` (String) The name of the Sudo Command bundle. This controls the ordering of all bundles within your Team.
+- `no_exec` (Boolean) Whether to allow commands to execute child processes
+- `no_passwd` (Boolean) Whether to require a password when sudo is run. This should generally not be used as Users don't require a password.
+- `run_as` (String) A non-root user account used to run the command
+- `set_env` (Boolean) Whether to allow overriding environment variables to commands
+- `structured_commands` (List of Object) A list of commands to allow (see [below for nested schema](#nestedatt--structured_commands))
+- `sub_env` (List of String) A list of environment variables to ignore when running the commands. See [the sudo documentation](https://www.sudo.ws/man/1.8.13/sudoers.man.html#Command_environment).
+
+<a id="nestedatt--structured_commands"></a>
+### Nested Schema for `structured_commands`
+
+Read-Only:
+
+- `args` (String)
+- `args_type` (String)
+- `command` (String)
+- `command_type` (String)
+- `rendered_command` (String)
+
+
diff --git a/docs/data-sources/sudo_commands_bundles.md b/docs/data-sources/sudo_commands_bundles.md
@@ -0,0 +1,27 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_sudo_commands_bundles Data Source - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  Returns a list of Sudo Commands Bundles. For details, see Sudo Commands Bundle https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands.
+---
+
+# oktapam_sudo_commands_bundles (Data Source)
+
+Returns a list of Sudo Commands Bundles. For details, see [Sudo Commands Bundle](https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `name` (String) The name of the resource
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `ids` (List of String)
+
+
diff --git a/docs/resources/cloud_connection.md b/docs/resources/cloud_connection.md
@@ -0,0 +1,43 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_cloud_connection Resource - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  A PAM construct that connects PAM with cloud providers. For details, see Cloud Connection https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-entitlement-aws-connect.
+---
+
+# oktapam_cloud_connection (Resource)
+
+A PAM construct that connects PAM with cloud providers. For details, see [Cloud Connection](https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-entitlement-aws-connect).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cloud_connection_details` (Block List, Min: 1, Max: 1) More data about the cloud connection to be able to connect to the cloud provider (see [below for nested schema](#nestedblock--cloud_connection_details))
+- `name` (String) The human-readable name of the resource. Values are case-sensitive.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--cloud_connection_details"></a>
+### Nested Schema for `cloud_connection_details`
+
+Required:
+
+- `aws` (Block List, Min: 1, Max: 1) More data about the AWS cloud connection to be able to connect to the cloud provider (see [below for nested schema](#nestedblock--cloud_connection_details--aws))
+
+<a id="nestedblock--cloud_connection_details--aws"></a>
+### Nested Schema for `cloud_connection_details.aws`
+
+Required:
+
+- `account_id` (String)
+- `external_id` (String)
+- `role_arn` (String)
+
+
diff --git a/docs/resources/security_policy.md b/docs/resources/security_policy.md
@@ -101,6 +101,21 @@ Required:
 Optional:
 
 - `admin_level_permissions` (Boolean) Provides coarse grain (full admin) access to the user.
+- `sudo_command_bundles` (Block List) Returns a list of Sudo Commands Bundles. For details, see [Sudo Commands Bundle](https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands). (see [below for nested schema](#nestedblock--rule--privileges--principal_account_ssh--sudo_command_bundles))
+- `uam_display_name` (String) TBD
+
+<a id="nestedblock--rule--privileges--principal_account_ssh--sudo_command_bundles"></a>
+### Nested Schema for `rule.privileges.principal_account_ssh.uam_display_name`
+
+Optional:
+
+- `name` (String)
+- `type` (String)
+
+Read-Only:
+
+- `id` (String) The ID of this resource.
+
 
 
 <a id="nestedblock--rule--privileges--secret"></a>

diff --git a/docs/resources/sudo_commands_bundle.md b/docs/resources/sudo_commands_bundle.md
@@ -0,0 +1,50 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_sudo_commands_bundle Resource - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  A PAM construct that allows fine grained access. For details, see Sudo Commands Bundle https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands.
+---
+
+# oktapam_sudo_commands_bundle (Resource)
+
+A PAM construct that allows fine grained access. For details, see [Sudo Commands Bundle](https://help.okta.com/okta_help.htm?type=oie&id=csh-pam-sudo-commands).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The human-readable name of the resource. Values are case-sensitive.
+- `structured_commands` (Block List, Min: 1, Max: 64) A list of commands to allow (see [below for nested schema](#nestedblock--structured_commands))
+
+### Optional
+
+- `add_env` (List of String)
+- `no_exec` (Boolean)
+- `no_passwd` (Boolean)
+- `run_as` (String)
+- `set_env` (Boolean)
+- `sub_env` (List of String)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--structured_commands"></a>
+### Nested Schema for `structured_commands`
+
+Required:
+
+- `command` (String)
+- `command_type` (String)
+
+Optional:
+
+- `args` (String)
+- `args_type` (String)
+- `rendered_command` (String)
+
+
diff --git a/go.mod b/go.mod
@@ -3,14 +3,15 @@ module github.com/okta/terraform-provider-oktapam
 go 1.21
 
 require (
-	github.com/atko-pam/pam-sdk-go v1.0.68
+	github.com/atko-pam/pam-sdk-go v1.0.73
 	github.com/go-resty/resty/v2 v2.7.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/terraform-plugin-docs v0.8.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0
 	github.com/kylelemons/godebug v1.1.0
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80
 	gopkg.in/square/go-jose.v2 v2.6.0
 )
@@ -54,7 +55,6 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect

diff --git a/go.sum b/go.sum
@@ -19,8 +19,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 h1:BUAU3CGlLvorLI26FmByPp2eC2qla6E1Tw+scpcg/to=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/atko-pam/pam-sdk-go v1.0.68 h1:IhhjY4k1Oh8ECKSfoUhyWFtxHONNdDsFx+JSPQaKh3A=
-github.com/atko-pam/pam-sdk-go v1.0.68/go.mod h1:MMEshvol2ctyIhLrvF92fapY+eg4roDCymqXEggxgac=
+github.com/atko-pam/pam-sdk-go v1.0.73 h1:m/K/F9UStMgScC77N1zzPFs7cfu3l+T3lD1961p4Bd0=
+github.com/atko-pam/pam-sdk-go v1.0.73/go.mod h1:MMEshvol2ctyIhLrvF92fapY+eg4roDCymqXEggxgac=
 github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=

diff --git a/oktapam/client/named_object.go b/oktapam/client/named_object.go
@@ -3,12 +3,13 @@ package client
 type NamedObjectType string
 
 const (
-	UserNamedObjectType          NamedObjectType = "user"
-	UserGroupNamedObjectType     NamedObjectType = "user_group"
-	SecretNamedObjectType        NamedObjectType = "secret"
-	SecretFolderNamedObjectType  NamedObjectType = "secret_folder"
-	ServerNamedObjectType        NamedObjectType = "server"
-	ResourceGroupNamedObjectType NamedObjectType = "resource_group"
+	UserNamedObjectType              NamedObjectType = "user"
+	UserGroupNamedObjectType         NamedObjectType = "user_group"
+	SecretNamedObjectType            NamedObjectType = "secret"
+	SecretFolderNamedObjectType      NamedObjectType = "secret_folder"
+	ServerNamedObjectType            NamedObjectType = "server"
+	ResourceGroupNamedObjectType     NamedObjectType = "resource_group"
+	SudoCommandBundleNamedObjectType NamedObjectType = "sudo_command_bundle"
 )
 
 type NamedObject struct {

diff --git a/oktapam/client/security_policy.go b/oktapam/client/security_policy.go
@@ -628,22 +628,36 @@ func (p *PrincipalAccountRDPPrivilege) ToResourceMap() map[string]any {
 }
 
 type PrincipalAccountSSHPrivilege struct {
-	Enabled               *bool `json:"principal_account_ssh"`
-	AdminLevelPermissions *bool `json:"admin_level_permissions"`
+	Enabled               *bool         `json:"principal_account_ssh"`
+	AdminLevelPermissions *bool         `json:"admin_level_permissions"`
+	UAMDisplayName        *string       `json:"uam_display_name"`
+	SudoCommandBundles    []NamedObject `json:"sudo_command_bundles"`
 }
 
 func (*PrincipalAccountSSHPrivilege) ValidForResourceType(resourceSelectorType ResourceSelectorType) bool {
 	return resourceSelectorType == ServerBasedResourceSelectorType
 }
 
 func (p *PrincipalAccountSSHPrivilege) ToResourceMap() map[string]any {
-	m := make(map[string]any, 2)
+	m := make(map[string]any)
 	m[attributes.Enabled] = *p.Enabled
 	if p.AdminLevelPermissions != nil {
 		m[attributes.AdminLevelPermissions] = *p.AdminLevelPermissions
 	} else {
 		m[attributes.AdminLevelPermissions] = false
 	}
+	if len(p.SudoCommandBundles) > 0 {
+		scbs := make([]map[string]any, len(p.SudoCommandBundles))
+		for i, scb := range p.SudoCommandBundles {
+			scbs[i] = map[string]any{
+				attributes.ID:   scb.Id,
+				attributes.Type: scb.Type,
+				attributes.Name: scb.Name,
+			}
+		}
+		m[attributes.SudoCommandBundles] = scbs
+		m[attributes.UAMDisplayName] = p.UAMDisplayName
+	}
 	return m
 }