Various issues and data sources for resources. (#140)

* add data sources for policies and roles (#138) * stop create policy clobbering * Prevent new roles from clobbering existing roles * Force new roles and policies if name changes to align with api * address various issues * generate documentation --------- Co-authored-by: Jordan Yerkes <jkyerkes@gmail.com> Co-authored-by: Jordan Yerkes <jyerkes@strikingdistancestudios.com>
banyansecurity · Aug 26, 2023 · 9e94b45 · 9e94b45
1 parent 7a5b4fd
commit 9e94b45
Show file tree

Hide file tree

Showing 31 changed files with 1,165 additions and 57 deletions.
diff --git a/banyan/data_source_oidc_settings.go b/banyan/data_source_oidc_settings.go
@@ -13,36 +13,37 @@ import (
 func dataSourceOidcSettings() *schema.Resource {
 	return &schema.Resource{
 		ReadContext: dataSourceOidcSettingsRead,
+		Description: "Obtains information describing the OIDC settings from banyan",
 		Schema: map[string]*schema.Schema{
-			"issuer_url": &schema.Schema{
+			"issuer_url": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"authorization_endpoint": &schema.Schema{
+			"authorization_endpoint": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"token_endpoint": &schema.Schema{
+			"token_endpoint": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"jwks_endpoint": &schema.Schema{
+			"jwks_endpoint": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"redirect_url": &schema.Schema{
+			"redirect_url": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"scope": &schema.Schema{
+			"scope": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"userinfo_endpoint": &schema.Schema{
+			"userinfo_endpoint": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"openid_configuration_endpoint": &schema.Schema{
+			"openid_configuration_endpoint": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
@@ -51,8 +52,8 @@ func dataSourceOidcSettings() *schema.Resource {
 }
 
 func dataSourceOidcSettingsRead(ctx context.Context, d *schema.ResourceData, m interface{}) (diagnostics diag.Diagnostics) {
-	client := m.(*client.Holder)
-	oidcSettings, err := client.Admin.OidcSettings.Get()
+	myClient := m.(*client.Holder)
+	oidcSettings, err := myClient.Admin.OidcSettings.Get()
 	if err != nil {
 		diagnostics = diag.FromErr(err)
 		return

diff --git a/banyan/data_source_policy_infra.go b/banyan/data_source_policy_infra.go
@@ -0,0 +1,98 @@
+package banyan
+
+import (
+	"context"
+
+	"github.com/pkg/errors"
+
+	"github.com/banyansecurity/terraform-banyan-provider/client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourcePolicyInfraSchema() (s map[string]*schema.Schema) {
+	s = map[string]*schema.Schema{
+		"name": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Description: "Name of the policy",
+		},
+		"id": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "ID of the policy in Banyan",
+		},
+		"description": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "Description of the policy",
+		},
+		"access": {
+			Type:        schema.TypeList,
+			Computed:    true,
+			Description: "Access describes the access rights for a set of roles",
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"roles": {
+						Type:        schema.TypeSet,
+						Description: "Role names to include ",
+						Elem: &schema.Schema{
+							Type: schema.TypeString,
+						},
+						Computed: true,
+					},
+					"trust_level": {
+						Type:        schema.TypeString,
+						Description: "The trust level of the end user device, must be one of: \"High\", \"Medium\", \"Low\", or \"\"",
+						Computed:    true,
+					},
+				},
+			},
+		},
+	}
+	return
+}
+
+func dataSourcePolicyInfra() *schema.Resource {
+	return &schema.Resource{
+		Description: "Obtains information describing the infra policy from banyan",
+		ReadContext: dataSourcePolicyInfraRead,
+		Schema:      dataSourcePolicyInfraSchema(),
+	}
+}
+
+// /v1/security_policies
+func dataSourcePolicyInfraRead(ctx context.Context, d *schema.ResourceData, m interface{}) (diagnostics diag.Diagnostics) {
+
+	client := m.(*client.Holder)
+	infraPolicy, err := client.Policy.GetName(d.Get("name").(string))
+
+	if err != nil {
+		diagnostics = diag.FromErr(err)
+		return
+	}
+
+	if infraPolicy.ID == "" {
+		err = errors.New("Could not find role with name: " + d.Get("name").(string))
+		return diag.FromErr(err)
+	}
+
+	if err != nil {
+		handleNotFoundError(d, err)
+		return
+	}
+	err = d.Set("name", infraPolicy.Name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("description", infraPolicy.Description)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("access", flattenPolicyInfraAccess(infraPolicy.UnmarshalledPolicy.Spec.Access))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	d.SetId(infraPolicy.ID)
+	return
+}
diff --git a/banyan/data_source_policy_tunnel.go b/banyan/data_source_policy_tunnel.go
@@ -0,0 +1,189 @@
+package banyan
+
+import (
+	"context"
+
+	"github.com/pkg/errors"
+
+	"github.com/banyansecurity/terraform-banyan-provider/client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourcePolicyTunnelSchema() (s map[string]*schema.Schema) {
+	s = map[string]*schema.Schema{
+		"name": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Description: "Name of the policy",
+		},
+		"id": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "ID of the policy in Banyan",
+		},
+		"description": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "Description of the policy",
+		},
+		"access": {
+			Type:        schema.TypeList,
+			Computed:    true,
+			Description: "Access describes the access rights for a set of roles",
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"roles": {
+						Type:        schema.TypeSet,
+						Description: "Role names to include ",
+						Elem: &schema.Schema{
+							Type: schema.TypeString,
+						},
+						Computed: true,
+					},
+					"trust_level": {
+						Type:        schema.TypeString,
+						Description: "The trust level of the end user device, must be one of: \"High\", \"Medium\", \"Low\", or \"\"",
+						Required:    true,
+					},
+					"l4_access": {
+						Type:        schema.TypeList,
+						Computed:    true,
+						Description: "L4 access rules",
+						Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+								"allow": {
+									Type:        schema.TypeList,
+									Description: "Role names to include ",
+									Computed:    true,
+									Elem: &schema.Resource{
+										Schema: map[string]*schema.Schema{
+											"cidrs": {
+												Type:        schema.TypeSet,
+												Description: "Allowed CIDRs through the service tunnel",
+												Computed:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"protocols": {
+												Type:        schema.TypeSet,
+												Description: "Allowed protocols through the service tunnel. Set to \"TCP\", \"UDP\", \"ICMP\", or \"ALL\"",
+												Computed:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"ports": {
+												Type:        schema.TypeSet,
+												Description: "Allowed ports through the service tunnel",
+												Computed:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"fqdns": {
+												Type:        schema.TypeSet,
+												Description: "Allowed FQDNs through the service tunnel",
+												Computed:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+										},
+									},
+								},
+								"deny": {
+									Type:        schema.TypeList,
+									Description: "Role names to include ",
+									Computed:    true,
+									Elem: &schema.Resource{
+										Schema: map[string]*schema.Schema{
+											"cidrs": {
+												Type:        schema.TypeSet,
+												Description: "Denied CIDRs through the service tunnel",
+												Optional:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"protocols": {
+												Type:        schema.TypeSet,
+												Description: "Denied protocols through the service tunnel. Set to \"TCP\", \"UDP\", \"ICMP\", or \"ALL\"",
+												Optional:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"ports": {
+												Type:        schema.TypeSet,
+												Description: "Denied ports through the service tunnel",
+												Optional:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"fqdns": {
+												Type:        schema.TypeSet,
+												Description: "Allowed FQDNs through the service tunnel",
+												Optional:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	return
+}
+
+func dataSourcePolicyTunnel() *schema.Resource {
+	return &schema.Resource{
+		Description: "Obtains information describing the tunnel policy from banyan",
+		ReadContext: dataSourcePolicyTunnelRead,
+		Schema:      dataSourcePolicyTunnelSchema(),
+	}
+}
+
+// /v1/security_policies
+func dataSourcePolicyTunnelRead(ctx context.Context, d *schema.ResourceData, m interface{}) (diagnostics diag.Diagnostics) {
+
+	client := m.(*client.Holder)
+	tunnelPolicy, err := client.Policy.GetName(d.Get("name").(string))
+
+	if err != nil {
+		diagnostics = diag.FromErr(err)
+		return
+	}
+
+	if tunnelPolicy.ID == "" {
+		err = errors.New("Could not find role with name: " + d.Get("name").(string))
+		return diag.FromErr(err)
+	}
+
+	if err != nil {
+		handleNotFoundError(d, err)
+		return
+	}
+	err = d.Set("name", tunnelPolicy.Name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("description", tunnelPolicy.Description)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("access", flattenPolicyTunnelAccess(tunnelPolicy.UnmarshalledPolicy.Spec.Access))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	d.SetId(tunnelPolicy.ID)
+	return
+}