Fix: resource access (Twingate#461)
* fix update groups and service accounts access

* enable test

* revert ci.yml

---------

Co-authored-by: bertekintw <[email protected]>
vmanilo and bertekintw authored Jan 29, 2024
1 parent e0c21cc commit 2111bae
Showing 2 changed files with 100 additions and 22 deletions.
36 changes: 14 additions & 22 deletions twingate/internal/provider/resource/resource.go
@@ -120,7 +120,7 @@ func (r *twingateResource) ImportState(ctx context.Context, req resource.ImportS
}

if len(res.Groups) > 0 || len(res.ServiceAccounts) > 0 {
access, diags := convertAccessBlockToTerraform(ctx, res, types.SetNull(types.StringType), types.SetNull(types.StringType))
access, diags := convertAccessBlockToTerraform(ctx, res)

resp.Diagnostics.Append(diags...)

@@ -1184,19 +1184,15 @@ func setState(ctx context.Context, state, reference *resourceModel, resource *mo
}
}

if !state.Access.IsNull() {
access, diags := convertAccessBlockToTerraform(ctx, resource,
state.Access.Elements()[0].(types.Object).Attributes()[attr.GroupIDs],
state.Access.Elements()[0].(types.Object).Attributes()[attr.ServiceAccountIDs])
access, diags := convertAccessBlockToTerraform(ctx, resource)

diagnostics.Append(diags...)

if diagnostics.HasError() {
return
}
diagnostics.Append(diags...)

state.Access = access
if diagnostics.HasError() {
return
}

state.Access = access
}

func convertProtocolsToTerraform(protocols *model.Protocols, reference *types.Object) (types.Object, diag.Diagnostics) {
@@ -1362,9 +1358,13 @@ func protocolAttributeTypes() map[string]tfattr.Type {
}
}

func convertAccessBlockToTerraform(ctx context.Context, resource *model.Resource, stateGroupIDs, stateServiceAccounts tfattr.Value) (types.List, diag.Diagnostics) {
func convertAccessBlockToTerraform(ctx context.Context, resource *model.Resource) (types.List, diag.Diagnostics) {
var diagnostics, diags diag.Diagnostics

if len(resource.Groups) == 0 && len(resource.ServiceAccounts) == 0 {
return makeObjectsListNull(ctx, accessAttributeTypes()), diagnostics
}

groupIDs, serviceAccountIDs := types.SetNull(types.StringType), types.SetNull(types.StringType)

if len(resource.Groups) > 0 {
@@ -1382,16 +1382,8 @@ func convertAccessBlockToTerraform(ctx context.Context, resource *model.Resource
}

attributes := map[string]tfattr.Value{
attr.GroupIDs: stateGroupIDs,
attr.ServiceAccountIDs: stateServiceAccounts,
}

if !groupIDs.IsNull() {
attributes[attr.GroupIDs] = groupIDs
}

if !serviceAccountIDs.IsNull() {
attributes[attr.ServiceAccountIDs] = serviceAccountIDs
attr.GroupIDs: groupIDs,
attr.ServiceAccountIDs: serviceAccountIDs,
}

obj, diags := types.ObjectValue(accessAttributeTypes(), attributes)
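Review bot: In the setState hunk the `if !state.Access.IsNull()` guard is gone, so `state.Access` is now always overwritten from the API response, including for resources whose configuration has no `access` block, and nothing in the code says this is intended. Because this list decides which groups and service accounts can reach the resource, I would state the intent above the call, e.g. `// Access always mirrors the API response so a grant removed from config or remotely never lingers in state.` It is also worth confirming how this interacts with the non-authoritative mode covered by TestAccTwingateResourceAccessServiceAccountsNotAuthoritative; setState's body and its use of `reference` lie outside the hunk, so I cannot tell whether out-of-band grants are filtered before this point. Separately, the `len(res.Groups) > 0 || len(res.ServiceAccounts) > 0` check kept in ImportState now duplicates the early return added to convertAccessBlockToTerraform.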
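--- a/twingate/internal/test/acctests/resource/resource_test.go
+++ b/twingate/internal/test/acctests/resource/resource_test.go
@@ -944,6 +944,22 @@ func TestAccTwingateResourceAddAccessGroupsAndServiceAccounts(t *testing.T) {
 sdk.TestCheckResourceAttr(theResource, accessServiceAccountIdsLen, "1"),
 ),
 },
+{
+Config: createResource16WithoutServiceAccounts(remoteNetworkName, resourceName, groups, groupsID, createServiceAccount(resourceName, serviceAccountName)),
+Check: acctests.ComposeTestCheckFunc(
+acctests.CheckTwingateResourceExists(theResource),
+sdk.TestCheckResourceAttr(theResource, accessGroupIdsLen, "1"),
+sdk.TestCheckResourceAttr(theResource, accessServiceAccountIdsLen, "0"),
+),
+},
+{
+Config: createResource16WithoutGroups(remoteNetworkName, resourceName, groups, groupsID, createServiceAccount(resourceName, serviceAccountName)),
+Check: acctests.ComposeTestCheckFunc(
+acctests.CheckTwingateResourceExists(theResource),
+sdk.TestCheckResourceAttr(theResource, accessGroupIdsLen, "0"),
+sdk.TestCheckResourceAttr(theResource, accessServiceAccountIdsLen, "1"),
+),
+},
 },
 })
 }
@@ -983,6 +999,76 @@ func createResource16(networkName, resourceName string, groups, groupsID []strin
 `, networkName, strings.Join(groups, "\n"), terraformServiceAccount, resourceName, model.PolicyRestricted, model.PolicyAllowAll, strings.Join(groupsID, ", "), acctests.TerraformServiceAccount(resourceName)+".id")
 }
 
+func createResource16WithoutServiceAccounts(networkName, resourceName string, groups, groupsID []string, terraformServiceAccount string) string {
+return fmt.Sprintf(`
+resource "twingate_remote_network" "test16" {
+name = "%s"
+}
+%s
+%s
+resource "twingate_resource" "test16" {
+name = "%s"
+address = "acc-test.com.16"
+remote_network_id = twingate_remote_network.test16.id
+protocols = {
+allow_icmp = true
+tcp = {
+policy = "%s"
+ports = ["80", "82-83"]
+}
+udp = {
+policy = "%s"
+}
+}
+access {
+group_ids = [%s]
+# service_account_ids = [%s]
+}
+}
+`, networkName, strings.Join(groups, "\n"), terraformServiceAccount, resourceName, model.PolicyRestricted, model.PolicyAllowAll, strings.Join(groupsID, ", "), acctests.TerraformServiceAccount(resourceName)+".id")
+}
+
+func createResource16WithoutGroups(networkName, resourceName string, groups, groupsID []string, terraformServiceAccount string) string {
+return fmt.Sprintf(`
+resource "twingate_remote_network" "test16" {
+name = "%s"
+}
+%s
+%s
+resource "twingate_resource" "test16" {
+name = "%s"
+address = "acc-test.com.16"
+remote_network_id = twingate_remote_network.test16.id
+protocols = {
+allow_icmp = true
+tcp = {
+policy = "%s"
+ports = ["80", "82-83"]
+}
+udp = {
+policy = "%s"
+}
+}
+access {
+# group_ids = [%s]
+service_account_ids = [%s]
+}
+}
+`, networkName, strings.Join(groups, "\n"), terraformServiceAccount, resourceName, model.PolicyRestricted, model.PolicyAllowAll, strings.Join(groupsID, ", "), acctests.TerraformServiceAccount(resourceName)+".id")
+}
+
 func TestAccTwingateResourceAccessServiceAccountsNotAuthoritative(t *testing.T) {
 t.Parallel()
 const theResource = "twingate_resource.test17"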
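Review bot: createResource16WithoutServiceAccounts and createResource16WithoutGroups copy the whole createResource16 template and differ only in one attribute being turned into an HCL comment (`# service_account_ids = [%s]`, `# group_ids = [%s]`), with the commented-out verb apparently kept so the Sprintf argument list still lines up. A single helper that takes the body of the `access` block as a string would remove both copies and the dead placeholders. Since these steps exist to show that a grant is revoked, it would also be worth asserting the removal against the API instead of only through `accessGroupIdsLen` and `accessServiceAccountIdsLen` in state; whether acctests already offers such a check is not visible here.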
