Add support for HYOK Configurations and OIDC Configurations (#1162)

Co-authored-by: Helen Jiang <[email protected]>

Author: iuri-slywitch-hashicorp

aws_oidc_configuration.go

@@ -0,0 +1,144 @@
+package tfe
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+)
+
+const OIDCConfigPathFormat = "oidc-configurations/%s"
+
+type AWSOIDCConfigurations interface {
+	Create(ctx context.Context, organization string, options AWSOIDCConfigurationCreateOptions) (*AWSOIDCConfiguration, error)
+
+	Read(ctx context.Context, oidcID string) (*AWSOIDCConfiguration, error)
+
+	Update(ctx context.Context, oidcID string, options AWSOIDCConfigurationUpdateOptions) (*AWSOIDCConfiguration, error)
+
+	Delete(ctx context.Context, oidcID string) error
+}
+
+type awsOIDCConfigurations struct {
+	client *Client
+}
+
+var _ AWSOIDCConfigurations = &awsOIDCConfigurations{}
+
+type AWSOIDCConfiguration struct {
+	ID      string `jsonapi:"primary,aws-oidc-configurations"`
+	RoleARN string `jsonapi:"attr,role-arn"`
+
+	Organization *Organization `jsonapi:"relation,organization"`
+}
+
+type AWSOIDCConfigurationCreateOptions struct {
+	// Type is a public field utilized by JSON:API to
+	// set the resource type via the field tag.
+	// It is not a user-defined value and does not need to be set.
+	// https://jsonapi.org/format/#crud-creating
+	Type string `jsonapi:"primary,aws-oidc-configurations"`
+
+	// Attributes
+	RoleARN string `jsonapi:"attr,role-arn"`
+}
+
+type AWSOIDCConfigurationUpdateOptions struct {
+	// Type is a public field utilized by JSON:API to
+	// set the resource type via the field tag.
+	// It is not a user-defined value and does not need to be set.
+	// https://jsonapi.org/format/#crud-creating
+	Type string `jsonapi:"primary,aws-oidc-configurations"`
+
+	// Attributes
+	RoleARN string `jsonapi:"attr,role-arn"`
+}
+
+func (o *AWSOIDCConfigurationCreateOptions) valid() error {
+	if o.RoleARN == "" {
+		return ErrRequiredRoleARN
+	}
+
+	return nil
+}
+
+func (aoc *awsOIDCConfigurations) Create(ctx context.Context, organization string, options AWSOIDCConfigurationCreateOptions) (*AWSOIDCConfiguration, error) {
+	if !validStringID(&organization) {
+		return nil, ErrInvalidOrg
+	}
+
+	if err := options.valid(); err != nil {
+		return nil, err
+	}
+
+	req, err := aoc.client.NewRequest("POST", fmt.Sprintf("organizations/%s/oidc-configurations", organization), &options)
+	if err != nil {
+		return nil, err
+	}
+
+	awsOIDCConfiguration := &AWSOIDCConfiguration{}
+	err = req.Do(ctx, awsOIDCConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return awsOIDCConfiguration, nil
+}
+
+func (aoc *awsOIDCConfigurations) Read(ctx context.Context, oidcID string) (*AWSOIDCConfiguration, error) {
+	req, err := aoc.client.NewRequest("GET", fmt.Sprintf(OIDCConfigPathFormat, url.PathEscape(oidcID)), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	awsOIDCConfiguration := &AWSOIDCConfiguration{}
+	err = req.Do(ctx, awsOIDCConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return awsOIDCConfiguration, nil
+}
+
+func (o *AWSOIDCConfigurationUpdateOptions) valid() error {
+	if o.RoleARN == "" {
+		return ErrRequiredRoleARN
+	}
+
+	return nil
+}
+
+func (aoc *awsOIDCConfigurations) Update(ctx context.Context, oidcID string, options AWSOIDCConfigurationUpdateOptions) (*AWSOIDCConfiguration, error) {
+	if !validStringID(&oidcID) {
+		return nil, ErrInvalidOIDC
+	}
+
+	if err := options.valid(); err != nil {
+		return nil, err
+	}
+
+	req, err := aoc.client.NewRequest("PATCH", fmt.Sprintf(OIDCConfigPathFormat, url.PathEscape(oidcID)), &options)
+	if err != nil {
+		return nil, err
+	}
+
+	awsOIDCConfiguration := &AWSOIDCConfiguration{}
+	err = req.Do(ctx, awsOIDCConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return awsOIDCConfiguration, nil
+}
+
+func (aoc *awsOIDCConfigurations) Delete(ctx context.Context, oidcID string) error {
+	if !validStringID(&oidcID) {
+		return ErrInvalidOIDC
+	}
+
+	req, err := aoc.client.NewRequest("DELETE", fmt.Sprintf(OIDCConfigPathFormat, url.PathEscape(oidcID)), nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}

aws_oidc_configuration_integration_test.go

@@ -0,0 +1,109 @@
+package tfe
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// These tests are intended for local execution only, as OIDC configurations for HYOK requires specific conditions.
+// To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
+
+func TestAWSOIDCConfigurationCreateDelete(t *testing.T) {
+	if skipHYOKIntegrationTests {
+		t.Skip()
+	}
+
+	client := testClient(t)
+	ctx := context.Background()
+
+	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("with valid options", func(t *testing.T) {
+		opts := AWSOIDCConfigurationCreateOptions{
+			RoleARN: "arn:aws:iam::123456789012:role/some-role",
+		}
+
+		oidcConfig, err := client.AWSOIDCConfigurations.Create(ctx, orgTest.Name, opts)
+		require.NoError(t, err)
+		require.NotNil(t, oidcConfig)
+		assert.Equal(t, oidcConfig.RoleARN, opts.RoleARN)
+
+		// delete the created configuration
+		err = client.AWSOIDCConfigurations.Delete(ctx, oidcConfig.ID)
+		require.NoError(t, err)
+	})
+
+	t.Run("missing role ARN", func(t *testing.T) {
+		opts := AWSOIDCConfigurationCreateOptions{}
+
+		_, err := client.AWSOIDCConfigurations.Create(ctx, orgTest.Name, opts)
+		assert.ErrorIs(t, err, ErrRequiredRoleARN)
+	})
+}
+
+func TestAWSOIDCConfigurationRead(t *testing.T) {
+	if skipHYOKIntegrationTests {
+		t.Skip()
+	}
+
+	client := testClient(t)
+	ctx := context.Background()
+
+	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	oidcConfig, oidcConfigCleanup := createAWSOIDCConfiguration(t, client, orgTest)
+	t.Cleanup(oidcConfigCleanup)
+
+	t.Run("fetch existing configuration", func(t *testing.T) {
+		fetched, err := client.AWSOIDCConfigurations.Read(ctx, oidcConfig.ID)
+		require.NoError(t, err)
+		require.NotEmpty(t, fetched)
+	})
+
+	t.Run("fetching non-existing configuration", func(t *testing.T) {
+		_, err := client.AWSOIDCConfigurations.Read(ctx, "awsoidc-notreal")
+		assert.ErrorIs(t, err, ErrResourceNotFound)
+	})
+}
+
+func TestAWSOIDCConfigurationsUpdate(t *testing.T) {
+	if skipHYOKIntegrationTests {
+		t.Skip()
+	}
+
+	client := testClient(t)
+	ctx := context.Background()
+
+	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	oidcConfig, oidcConfigCleanup := createAWSOIDCConfiguration(t, client, orgTest)
+	t.Cleanup(oidcConfigCleanup)
+
+	t.Run("with valid options", func(t *testing.T) {
+		opts := AWSOIDCConfigurationUpdateOptions{
+			RoleARN: "arn:aws:iam::123456789012:role/some-role-2",
+		}
+		updated, err := client.AWSOIDCConfigurations.Update(ctx, oidcConfig.ID, opts)
+		require.NoError(t, err)
+		require.NotEmpty(t, updated)
+		assert.Equal(t, opts.RoleARN, updated.RoleARN)
+	})
+
+	t.Run("missing role ARN", func(t *testing.T) {
+		opts := AWSOIDCConfigurationUpdateOptions{}
+		_, err := client.AWSOIDCConfigurations.Update(ctx, oidcConfig.ID, opts)
+		assert.ErrorIs(t, err, ErrRequiredRoleARN)
+	})
+}

azure_oidc_configuration.go

@@ -0,0 +1,144 @@
+package tfe
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+)
+
+type AzureOIDCConfigurations interface {
+	Create(ctx context.Context, organization string, options AzureOIDCConfigurationCreateOptions) (*AzureOIDCConfiguration, error)
+
+	Read(ctx context.Context, oidcID string) (*AzureOIDCConfiguration, error)
+
+	Update(ctx context.Context, oidcID string, options AzureOIDCConfigurationUpdateOptions) (*AzureOIDCConfiguration, error)
+
+	Delete(ctx context.Context, oidcID string) error
+}
+
+type azureOIDCConfigurations struct {
+	client *Client
+}
+
+var _ AzureOIDCConfigurations = &azureOIDCConfigurations{}
+
+type AzureOIDCConfiguration struct {
+	ID             string `jsonapi:"primary,azure-oidc-configurations"`
+	ClientID       string `jsonapi:"attr,client-id"`
+	SubscriptionID string `jsonapi:"attr,subscription-id"`
+	TenantID       string `jsonapi:"attr,tenant-id"`
+
+	Organization *Organization `jsonapi:"relation,organization"`
+}
+
+type AzureOIDCConfigurationCreateOptions struct {
+	// Type is a public field utilized by JSON:API to
+	// set the resource type via the field tag.
+	// It is not a user-defined value and does not need to be set.
+	// https://jsonapi.org/format/#crud-creating
+	Type string `jsonapi:"primary,azure-oidc-configurations"`
+
+	// Attributes
+	ClientID       string `jsonapi:"attr,client-id"`
+	SubscriptionID string `jsonapi:"attr,subscription-id"`
+	TenantID       string `jsonapi:"attr,tenant-id"`
+}
+
+type AzureOIDCConfigurationUpdateOptions struct {
+	// Type is a public field utilized by JSON:API to
+	// set the resource type via the field tag.
+	// It is not a user-defined value and does not need to be set.
+	// https://jsonapi.org/format/#crud-creating
+	Type string `jsonapi:"primary,azure-oidc-configurations"`
+
+	// Attributes
+	ClientID       *string `jsonapi:"attr,client-id,omitempty"`
+	SubscriptionID *string `jsonapi:"attr,subscription-id,omitempty"`
+	TenantID       *string `jsonapi:"attr,tenant-id,omitempty"`
+}
+
+func (o *AzureOIDCConfigurationCreateOptions) valid() error {
+	if o.ClientID == "" {
+		return ErrRequiredClientID
+	}
+
+	if o.SubscriptionID == "" {
+		return ErrRequiredSubscriptionID
+	}
+
+	if o.TenantID == "" {
+		return ErrRequiredTenantID
+	}
+
+	return nil
+}
+
+func (aoc *azureOIDCConfigurations) Create(ctx context.Context, organization string, options AzureOIDCConfigurationCreateOptions) (*AzureOIDCConfiguration, error) {
+	if !validStringID(&organization) {
+		return nil, ErrInvalidOrg
+	}
+
+	if err := options.valid(); err != nil {
+		return nil, err
+	}
+
+	req, err := aoc.client.NewRequest("POST", fmt.Sprintf("organizations/%s/oidc-configurations", organization), &options)
+	if err != nil {
+		return nil, err
+	}
+
+	azureOIDCConfiguration := &AzureOIDCConfiguration{}
+	err = req.Do(ctx, azureOIDCConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return azureOIDCConfiguration, nil
+}
+
+func (aoc *azureOIDCConfigurations) Read(ctx context.Context, oidcID string) (*AzureOIDCConfiguration, error) {
+	req, err := aoc.client.NewRequest("GET", fmt.Sprintf(OIDCConfigPathFormat, url.PathEscape(oidcID)), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	azureOIDCConfiguration := &AzureOIDCConfiguration{}
+	err = req.Do(ctx, azureOIDCConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return azureOIDCConfiguration, nil
+}
+
+func (aoc *azureOIDCConfigurations) Update(ctx context.Context, oidcID string, options AzureOIDCConfigurationUpdateOptions) (*AzureOIDCConfiguration, error) {
+	if !validStringID(&oidcID) {
+		return nil, ErrInvalidOIDC
+	}
+
+	req, err := aoc.client.NewRequest("PATCH", fmt.Sprintf(OIDCConfigPathFormat, url.PathEscape(oidcID)), &options)
+	if err != nil {
+		return nil, err
+	}
+
+	azureOIDCConfiguration := &AzureOIDCConfiguration{}
+	err = req.Do(ctx, azureOIDCConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return azureOIDCConfiguration, nil
+}
+
+func (aoc *azureOIDCConfigurations) Delete(ctx context.Context, oidcID string) error {
+	if !validStringID(&oidcID) {
+		return ErrInvalidOIDC
+	}
+
+	req, err := aoc.client.NewRequest("DELETE", fmt.Sprintf(OIDCConfigPathFormat, url.PathEscape(oidcID)), nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}