SAML IdP Updates for changes to API resulting from Cognito effort (#43)

* updated schema to latest * fixes from testing
AxtonGrams · Nov 30, 2022 · 90b2b31 · 90b2b31
1 parent 3cc09a6
commit 90b2b31
Show file tree

Hide file tree

Showing 8 changed files with 210,095 additions and 204,095 deletions.
diff --git a/docs/resources/project.md b/docs/resources/project.md
@@ -21,7 +21,7 @@ resource "wiz_project" "test" {
   risk_profile {
     business_impact = "MBI"
   }
-  business_unit = data.insight_organization.aws.description
+  business_unit = "Technology"
   cloud_organization_link {
     cloud_organization = "7edbb879-9960-513f-b56d-876e9db2a962"
     environment        = "PRODUCTION"

diff --git a/docs/resources/saml_idp.md b/docs/resources/saml_idp.md
@@ -14,10 +14,12 @@ Configure SAML Providers and associated resources (group mappings).
 
 ```terraform
 resource "wiz_saml_idp" "test" {
-  name                         = "Ping"
+  name                         = "SSO-Test"
+  issuer_url                   = "https://ping.example.com/idp/SSO.saml2"
   login_url                    = "https://ping.example.com/idp/SSO.saml2"
   logout_url                   = "https://ping.example.com/idp/SLO.saml2"
-  use_provider_managed_roles   = false
+  use_provider_managed_roles   = true
+  allow_manual_role_override   = false
   merge_groups_mapping_by_role = false
   certificate                  = <<EOT
 -----BEGIN CERTIFICATE-----
@@ -54,9 +56,28 @@ Z8lCchNPFJqIlyvk9LSEorFq4tT21t/pgVOFgw0yJaTyBZ/IvIimjwNHJBnIeBQ2
 GfRTgIAGAQ8ZFfQ=
 -----END CERTIFICATE-----
 EOT
-  domains = [
-    "example.com",
-  ]
+
+  group_mapping {
+    provider_group_id = "test1.project_admin"
+    role              = "PROJECT_ADMIN"
+    projects = [
+      "ee25cc95-82b0-4543-8934-5bc655b86786",
+    ]
+  }
+
+  group_mapping {
+    provider_group_id = "test2.project_reader"
+    role              = "PROJECT_READER"
+    projects = [
+      "e7f6542c-81f6-43cf-af48-bdd77f09650d",
+    ]
+  }
+
+  group_mapping {
+    provider_group_id = "global.admin"
+    role              = "GLOBAL_ADMIN"
+  }
+
 }
 ```
 
@@ -66,18 +87,19 @@ EOT
 ### Required
 
 - `certificate` (String) PEM certificate from IdP
-- `domains` (List of String) A list of domains the IdP handles.
 - `login_url` (String) IdP Login URL
 - `name` (String) IdP name to display in Wiz.
 
 ### Optional
 
-- `allow_manual_role_override` (Boolean) Allow manual override for role assignment? Must be set `true` if `use_provided_roles` is false.
+- `allow_manual_role_override` (Boolean) When set to true, allow overriding the mapped SSO role for specific users. Must be set `true` if `use_provided_roles` is false.
     - Defaults to `true`.
+- `domains` (List of String, Deprecated) A list of domains the IdP handles.
 - `group_mapping` (Block Set) Group mappings (see [below for nested schema](#nestedblock--group_mapping))
+- `issuer_url` (String) If undefined, this will default to the login_url value. Set to the same value as login_url if unsure what value to use.
 - `logout_url` (String) IdP Logout URL
 - `merge_groups_mapping_by_role` (Boolean) Manage group mapping by role?
-- `use_provider_managed_roles` (Boolean) Use provider managed roles?
+- `use_provider_managed_roles` (Boolean) When set to true, roles will be provided by the SSO provider. Manage the roles via Wiz portal otherwise.
     - Defaults to `false`.
 
 ### Read-Only

diff --git a/examples/resources/wiz_project/resource.tf b/examples/resources/wiz_project/resource.tf
@@ -6,7 +6,7 @@ resource "wiz_project" "test" {
   risk_profile {
     business_impact = "MBI"
   }
-  business_unit = data.insight_organization.aws.description
+  business_unit = "Technology"
   cloud_organization_link {
     cloud_organization = "7edbb879-9960-513f-b56d-876e9db2a962"
     environment        = "PRODUCTION"

diff --git a/examples/resources/wiz_saml_idp/resource.tf b/examples/resources/wiz_saml_idp/resource.tf
@@ -1,8 +1,10 @@
 resource "wiz_saml_idp" "test" {
-  name                         = "Ping"
+  name                         = "SSO-Test"
+  issuer_url                   = "https://ping.example.com/idp/SSO.saml2"
   login_url                    = "https://ping.example.com/idp/SSO.saml2"
   logout_url                   = "https://ping.example.com/idp/SLO.saml2"
-  use_provider_managed_roles   = false
+  use_provider_managed_roles   = true
+  allow_manual_role_override   = false
   merge_groups_mapping_by_role = false
   certificate                  = <<EOT
 -----BEGIN CERTIFICATE-----
@@ -39,7 +41,26 @@ Z8lCchNPFJqIlyvk9LSEorFq4tT21t/pgVOFgw0yJaTyBZ/IvIimjwNHJBnIeBQ2
 GfRTgIAGAQ8ZFfQ=
 -----END CERTIFICATE-----
 EOT
-  domains = [
-    "example.com",
-  ]
+
+  group_mapping {
+    provider_group_id = "test1.project_admin"
+    role              = "PROJECT_ADMIN"
+    projects = [
+      "ee25cc95-82b0-4543-8934-5bc655b86786",
+    ]
+  }
+
+  group_mapping {
+    provider_group_id = "test2.project_reader"
+    role              = "PROJECT_READER"
+    projects = [
+      "e7f6542c-81f6-43cf-af48-bdd77f09650d",
+    ]
+  }
+
+  group_mapping {
+    provider_group_id = "global.admin"
+    role              = "GLOBAL_ADMIN"
+  }
+
 }
diff --git a/internal/provider/resource_saml_idp.go b/internal/provider/resource_saml_idp.go
@@ -28,6 +28,11 @@ func resourceWizSAMLIdP() *schema.Resource {
 				Description: "IdP name to display in Wiz.",
 				Required:    true,
 			},
+			"issuer_url": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "If undefined, this will default to the login_url value. Set to the same value as login_url if unsure what value to use.",
+			},
 			"login_url": {
 				Type:        schema.TypeString,
 				Description: "IdP Login URL",
@@ -40,13 +45,13 @@ func resourceWizSAMLIdP() *schema.Resource {
 			},
 			"use_provider_managed_roles": {
 				Type:        schema.TypeBool,
-				Description: "Use provider managed roles?",
+				Description: "When set to true, roles will be provided by the SSO provider. Manage the roles via Wiz portal otherwise.",
 				Optional:    true,
 				Default:     false,
 			},
 			"allow_manual_role_override": {
 				Type:        schema.TypeBool,
-				Description: "Allow manual override for role assignment? Must be set `true` if `use_provided_roles` is false.",
+				Description: "When set to true, allow overriding the mapped SSO role for specific users. Must be set `true` if `use_provided_roles` is false.",
 				Optional:    true,
 				Default:     true,
 				RequiredWith: []string{
@@ -60,8 +65,9 @@ func resourceWizSAMLIdP() *schema.Resource {
 			},
 			"domains": {
 				Type:        schema.TypeList,
-				Required:    true,
+				Optional:    true,
 				Description: "A list of domains the IdP handles.",
+				Deprecated:  "This field is no longer supported by Wiz. If defined, this will result in change detection on every run.",
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
 				},
@@ -223,6 +229,7 @@ func resourceWizSAMLIdPRead(ctx context.Context, d *schema.ResourceData, m inter
 	    ) {
 	        id
 	        name
+	        issuerURL
 	        loginURL
 	        logoutURL
 	        useProviderManagedRoles
@@ -269,6 +276,10 @@ func resourceWizSAMLIdPRead(ctx context.Context, d *schema.ResourceData, m inter
 	if err != nil {
 		return append(diags, diag.FromErr(err)...)
 	}
+	err = d.Set("issuer_url", data.SAMLIdentityProvider.IssuerURL)
+	if err != nil {
+		return append(diags, diag.FromErr(err)...)
+	}
 	err = d.Set("login_url", data.SAMLIdentityProvider.LoginURL)
 	if err != nil {
 		return append(diags, diag.FromErr(err)...)
@@ -331,49 +342,38 @@ func resourceWizSAMLIdPUpdate(ctx context.Context, d *schema.ResourceData, m int
 	// populate the graphql variables
 	vars := &vendor.UpdateSAMLIdentityProviderInput{}
 	vars.ID = d.Id()
-	if d.HasChange("login_url") {
-		vars.Patch.LoginURL = d.Get("login_url").(string)
-	}
-	if d.HasChange("logout_url") {
-		vars.Patch.LogoutURL = d.Get("logout_url").(string)
-	}
-	if d.HasChange("use_provider_managed_roles") {
-		vars.Patch.UseProviderManagedRoles = utils.ConvertBoolToPointer(d.Get("use_provider_managed_roles").(bool))
-	}
-	if d.HasChange("allow_manual_role_override") {
-		vars.Patch.AllowManualRoleOverride = utils.ConvertBoolToPointer(d.Get("allow_manual_role_override").(bool))
-	}
-	if d.HasChange("certificate") {
-		vars.Patch.Certificate = d.Get("certificate").(string)
-	}
-	if d.HasChange("merge_groups_mapping_by_role") {
-		vars.Patch.MergeGroupsMappingByRole = utils.ConvertBoolToPointer(d.Get("merge_groups_mapping_by_role").(bool))
-	}
-	if d.HasChange("group_mapping") {
-		mappings := d.Get("group_mapping").(*schema.Set).List()
-		mappingUpdates := make([]vendor.SAMLGroupMappingUpdateInput, 0)
-		for a, b := range mappings {
-			var myMap = vendor.SAMLGroupMappingUpdateInput{}
-			tflog.Trace(ctx, fmt.Sprintf("a:b: %d %s", a, b))
-
-			for c, d := range b.(map[string]interface{}) {
-				tflog.Trace(ctx, fmt.Sprintf("c:d: %s %s", c, d))
-				switch c {
-				case "role":
-					myMap.Role = d.(string)
-				case "provider_group_id":
-					myMap.ProviderGroupID = d.(string)
-				case "projects":
-					for _, f := range d.([]interface{}) {
-						tflog.Trace(ctx, fmt.Sprintf("f: %t %s", f, f))
-						myMap.Projects = append(myMap.Projects, f.(string))
-					}
+	vars.Patch.Name = d.Get("name").(string)
+	vars.Patch.IssuerURL = d.Get("issuer_url").(string)
+	vars.Patch.LoginURL = d.Get("login_url").(string)
+	vars.Patch.LogoutURL = d.Get("logout_url").(string)
+	vars.Patch.UseProviderManagedRoles = utils.ConvertBoolToPointer(d.Get("use_provider_managed_roles").(bool))
+	vars.Patch.AllowManualRoleOverride = utils.ConvertBoolToPointer(d.Get("allow_manual_role_override").(bool))
+	vars.Patch.Certificate = d.Get("certificate").(string)
+	vars.Patch.MergeGroupsMappingByRole = utils.ConvertBoolToPointer(d.Get("merge_groups_mapping_by_role").(bool))
+	// populate the group mapping
+	mappings := d.Get("group_mapping").(*schema.Set).List()
+	mappingUpdates := make([]vendor.SAMLGroupMappingUpdateInput, 0)
+	for a, b := range mappings {
+		var myMap = vendor.SAMLGroupMappingUpdateInput{}
+		tflog.Trace(ctx, fmt.Sprintf("a:b: %d %s", a, b))
+
+		for c, d := range b.(map[string]interface{}) {
+			tflog.Trace(ctx, fmt.Sprintf("c:d: %s %s", c, d))
+			switch c {
+			case "role":
+				myMap.Role = d.(string)
+			case "provider_group_id":
+				myMap.ProviderGroupID = d.(string)
+			case "projects":
+				for _, f := range d.([]interface{}) {
+					tflog.Trace(ctx, fmt.Sprintf("f: %t %s", f, f))
+					myMap.Projects = append(myMap.Projects, f.(string))
 				}
 			}
-			mappingUpdates = append(mappingUpdates, myMap)
 		}
-		vars.Patch.GroupMapping = mappingUpdates
+		mappingUpdates = append(mappingUpdates, myMap)
 	}
+	vars.Patch.GroupMapping = mappingUpdates
 
 	// process the request
 	data := &UpdateSAMLIdentityProvider{}

diff --git a/internal/vendor/wiz.go b/internal/vendor/wiz.go
@@ -175,17 +175,19 @@ type UpdateSAMLIdentityProviderInput struct {
 	Patch UpdateSAMLIdentityProviderPatch `json:"patch"`
 }
 
-// UpdateSAMLIdentityProviderPatch struct -- updates
+// UpdateSAMLIdentityProviderPatch struct
+// We deviate from the GraphQL schema to include all attributes because the update requires an empty value to nullify removed attributes
 type UpdateSAMLIdentityProviderPatch struct {
-	EntityID                 string                        `json:"entityID,omitempty"`
-	LoginURL                 string                        `json:"loginURL,omitempty"`
-	LogoutURL                string                        `json:"logoutURL,omitempty"`
-	UseProviderManagedRoles  *bool                         `json:"useProviderManagedRoles,omitempty"`
-	AllowManualRoleOverride  *bool                         `json:"allowManualRoleOverride,omitempty"`
-	Certificate              string                        `json:"certificate,omitempty"`
-	Domains                  []string                      `json:"domains,omitempty"`
-	GroupMapping             []SAMLGroupMappingUpdateInput `json:"groupMapping,omitempty"`
-	MergeGroupsMappingByRole *bool                         `json:"mergeGroupsMappingByRole,omitempty"`
+	Name                     string                        `json:"name"`
+	IssuerURL                string                        `json:"issuerURL"`
+	LoginURL                 string                        `json:"loginURL"`
+	LogoutURL                string                        `json:"logoutURL"`
+	UseProviderManagedRoles  *bool                         `json:"useProviderManagedRoles"`
+	AllowManualRoleOverride  *bool                         `json:"allowManualRoleOverride"`
+	Certificate              string                        `json:"certificate"`
+	Domains                  []string                      `json:"domains"`
+	GroupMapping             []SAMLGroupMappingUpdateInput `json:"groupMapping"`
+	MergeGroupsMappingByRole *bool                         `json:"mergeGroupsMappingByRole"`
 }
 
 // UpdateSAMLIdentityProviderPayload struct -- updates
@@ -203,7 +205,7 @@ type SAMLGroupMappingUpdateInput struct {
 // CreateSAMLIdentityProviderInput struct -- updates
 type CreateSAMLIdentityProviderInput struct {
 	Name                     string                         `json:"name"`
-	EntityID                 string                         `json:"entityID,omitempty"`
+	IssuerURL                string                         `json:"issuerURL,omitempty"`
 	LoginURL                 string                         `json:"loginURL"`
 	LogoutURL                string                         `json:"logoutURL,omitempty"`
 	UseProviderManagedRoles  bool                           `json:"useProviderManagedRoles"`
@@ -216,7 +218,7 @@ type CreateSAMLIdentityProviderInput struct {
 
 // CreateSAMLIdentityProviderPayload struct -- updates
 type CreateSAMLIdentityProviderPayload struct {
-	SAMLIdentityProvider SAMLIdentityProvider `json:"samlIdentityProvider"`
+	SAMLIdentityProvider SAMLIdentityProvider `json:"samlIdentityProvider,omitempty"`
 }
 
 // SAMLGroupMappingCreateInput struct -- updates
@@ -231,9 +233,9 @@ type SAMLIdentityProvider struct {
 	AllowManualRoleOverride  *bool               `json:"allowManualRoleOverride"`
 	Certificate              string              `json:"certificate"`
 	Domains                  []string            `json:"domains"`
-	EntityID                 string              `json:"entityID,omitempty"`
 	GroupMapping             []*SAMLGroupMapping `json:"groupMapping,omitempty"`
 	ID                       string              `json:"id"`
+	IssuerURL                string              `json:"issuerURL,omitempty"`
 	LoginURL                 string              `json:"loginURL"`
 	LogoutURL                string              `json:"logoutURL"`
 	MergeGroupsMappingByRole bool                `json:"mergeGroupsMappingByRole"`
@@ -255,7 +257,7 @@ type DeleteSAMLIdentityProviderInput struct {
 
 // DeleteSAMLIdentityProviderPayload struct -- updated
 type DeleteSAMLIdentityProviderPayload struct {
-	Stub string `json:"_stub,omitempty"`
+	Stub string `json:"_stub"`
 }
 
 // DeleteAutomationActionInput struct -- updates