Merge pull request #2074 from okta/OKTA-755063-add-support-custom-role

add support for custom role in okta_group_role
okta · Aug 30, 2024 · 4932705 · 4932705
2 parents 13a3aaa + edd714a
commit 4932705
Show file tree

Hide file tree

Showing 6 changed files with 125 additions and 2 deletions.
diff --git a/docs/resources/group_role.md b/docs/resources/group_role.md
@@ -15,6 +15,33 @@ resource "okta_group_role" "example" {
   group_id  = "<group id>"
   role_type = "READ_ONLY_ADMIN"
 }
+
+// Example for CUSTOM role
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource "okta_resource_set" "test" {
+  label       = "test"
+  description = "testing, testing"
+  resources = [
+    format("%s/api/v1/users", "https://tien-oie-2023-26-26.oktapreview.com"),
+  ]
+}
+
+resource "okta_admin_role_custom" "test" {
+  label       = "testt"
+  description = "testing, testing"
+  permissions = ["okta.apps.assignment.manage", "okta.users.manage", "okta.apps.manage"]
+}
+
+resource "okta_group_role" "test" {
+  group_id        = okta_group.test.id
+  role_id         = okta_admin_role_custom.test.id
+  resource_set_id = okta_resource_set.test.id
+  role_type       = "CUSTOM"
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -41,6 +68,8 @@ resource "okta_group_role" "example" {
 ### Optional
 
 - `disable_notifications` (Boolean) When this setting is enabled, the admins won't receive any of the default Okta administrator emails. These admins also won't have access to contact Okta Support and open support cases on behalf of your org.
+- `resource_set_id` (String) Resource Set ID. Required for role_type = `CUSTOM`
+- `role_id` (String) Role ID. Required for role_type = `CUSTOM`
 - `target_app_list` (Set of String) A list of app names (name represents set of app instances, like 'salesforce' or 'facebook'), or a combination of app name and app instance ID (like 'facebook.0oapsqQ6dv19pqyEo0g3') you would like as the targets of the admin role. - Only supported when used with the role type `APP_ADMIN`.
 - `target_group_list` (Set of String) A list of group IDs you would like as the targets of the admin role. - Only supported when used with the role types: `GROUP_MEMBERSHIP_ADMIN`, `HELP_DESK_ADMIN`, or `USER_ADMIN`.
 

diff --git a/examples/resources/okta_group_role/custom.tf b/examples/resources/okta_group_role/custom.tf
@@ -0,0 +1,25 @@
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource "okta_resource_set" "test" {
+  label       = "test"
+  description = "testing, testing"
+  resources = [
+    format("%s/api/v1/users", "https://tien-oie-2023-26-26.oktapreview.com"),
+  ]
+}
+
+resource "okta_admin_role_custom" "test" {
+  label       = "testt"
+  description = "testing, testing"
+  permissions = ["okta.apps.assignment.manage", "okta.users.manage", "okta.apps.manage"]
+}
+
+resource "okta_group_role" "test" {
+  group_id        = okta_group.test.id
+  role_id         = okta_admin_role_custom.test.id
+  resource_set_id = okta_resource_set.test.id
+  role_type       = "CUSTOM"
+}
diff --git a/examples/resources/okta_group_role/resource.tf b/examples/resources/okta_group_role/resource.tf
@@ -2,3 +2,30 @@ resource "okta_group_role" "example" {
   group_id  = "<group id>"
   role_type = "READ_ONLY_ADMIN"
 }
+
+// Example for CUSTOM role
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource "okta_resource_set" "test" {
+  label       = "test"
+  description = "testing, testing"
+  resources = [
+    format("%s/api/v1/users", "https://tien-oie-2023-26-26.oktapreview.com"),
+  ]
+}
+
+resource "okta_admin_role_custom" "test" {
+  label       = "testt"
+  description = "testing, testing"
+  permissions = ["okta.apps.assignment.manage", "okta.users.manage", "okta.apps.manage"]
+}
+
+resource "okta_group_role" "test" {
+  group_id        = okta_group.test.id
+  role_id         = okta_admin_role_custom.test.id
+  resource_set_id = okta_resource_set.test.id
+  role_type       = "CUSTOM"
+}
diff --git a/okta/resource_okta_group_role.go b/okta/resource_okta_group_role.go
@@ -96,6 +96,16 @@ func resourceGroupRole() *schema.Resource {
 				Description: "When this setting is enabled, the admins won't receive any of the default Okta administrator emails. These admins also won't have access to contact Okta Support and open support cases on behalf of your org.",
 				Default:     false,
 			},
+			"role_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Role ID. Required for role_type = `CUSTOM`",
+			},
+			"resource_set_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Resource Set ID. Required for role_type = `CUSTOM`",
+			},
 		},
 	}
 }
@@ -105,7 +115,14 @@ func resourceGroupRoleCreate(ctx context.Context, d *schema.ResourceData, m inte
 	roleType := d.Get("role_type").(string)
 	client := getOktaClientFromMetadata(m)
 	logger(m).Info("assigning role to group", "group_id", groupID, "role_type", roleType)
-	role, _, err := client.Group.AssignRoleToGroup(ctx, groupID, sdk.AssignRoleRequest{Type: roleType},
+	role, _, err := client.Group.AssignRoleToGroup(
+		ctx,
+		groupID,
+		sdk.AssignRoleRequest{
+			Type:        roleType,
+			Role:        d.Get("role_id").(string),
+			ResourceSet: d.Get("resource_set_id").(string),
+		},
 		&query.Params{DisableNotifications: boolPtr(d.Get("disable_notifications").(bool))})
 	if err != nil {
 		return diag.Errorf("failed to assign role %s to group %s: %v", roleType, groupID, err)

diff --git a/okta/resource_okta_group_role_test.go b/okta/resource_okta_group_role_test.go
@@ -59,3 +59,26 @@ func TestAccResourceOktaGroupAdminRole_crud(t *testing.T) {
 		},
 	})
 }
+
+func TestAccResourceOktaGroupCustomRole_crud(t *testing.T) {
+	resourceName := fmt.Sprintf("%s.test", groupRole)
+	mgr := newFixtureManager("resources", groupRole, t.Name())
+	config := mgr.GetFixtures("custom.tf", t)
+
+	oktaResourceTest(t, resource.TestCase{
+		PreCheck:          testAccPreCheck(t),
+		ErrorCheck:        testAccErrorChecks(t),
+		ProviderFactories: testAccProvidersFactories,
+		CheckDestroy:      checkResourceDestroy(group, doesGroupExist),
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "role_type", "CUSTOM"),
+					resource.TestCheckResourceAttrSet(resourceName, "role_id"),
+					resource.TestCheckResourceAttrSet(resourceName, "resource_set_id"),
+				),
+			},
+		},
+	})
+}
diff --git a/sdk/v2_assignRoleRequest.go b/sdk/v2_assignRoleRequest.go
@@ -2,5 +2,7 @@
 package sdk
 
 type AssignRoleRequest struct {
-	Type string `json:"type,omitempty"`
+	Type        string `json:"type,omitempty"`
+	Role        string `json:"role,omitempty"`
+	ResourceSet string `json:"resource-set,omitempty"`
 }