added access group

.github/workflows/ci.yml

@@ -16,6 +16,7 @@ on:
       - 'README.md'
     branches:
       - main
+      - feature/add-support-for-policies-in-resource-access-blocks
 
 
 # Ensures only 1 action runs per PR and previous is canceled on new trigger
@@ -120,7 +121,7 @@ jobs:
     name: Matrix Acceptance Tests
     needs: build
     runs-on: ubuntu-latest
-    if: "!github.event.pull_request.head.repo.fork"
+#    if: "!github.event.pull_request.head.repo.fork"
     timeout-minutes: 15
     strategy:
       fail-fast: false
@@ -172,7 +173,7 @@ jobs:
 
   cleanup:
     name: Cleanup
-    if: "!github.event.pull_request.head.repo.fork"
+#    if: "!github.event.pull_request.head.repo.fork"
     needs: tests-acceptance
     runs-on: ubuntu-latest
     timeout-minutes: 15

docs/resources/resource.md

@@ -52,9 +52,18 @@ resource "twingate_resource" "resource" {
     }
   }
 
-  access {
-    group_ids = [twingate_group.aws.id]
-    service_account_ids = [twingate_service_account.github_actions_prod.id]
+  dynamic "access_group" {
+    for_each = [twingate_group.aws.id]
+    content {
+      group_id = access_group.value
+    }
+  }
+
+  dynamic "access_service" {
+    for_each = [twingate_service_account.github_actions_prod.id]
+    content {
+      service_account_id = access_service.value
+    }
   }
 
   is_active = true
@@ -72,7 +81,8 @@ resource "twingate_resource" "resource" {
 
 ### Optional
 
-- `access` (Block List) Restrict access to certain groups or service accounts (see [below for nested schema](#nestedblock--access))
+- `access_group` (Block Set) Restrict access to certain group (see [below for nested schema](#nestedblock--access_group))
+- `access_service` (Block Set) Restrict access to certain service account (see [below for nested schema](#nestedblock--access_service))
 - `alias` (String) Set a DNS alias address for the Resource. Must be a DNS-valid name string.
 - `is_active` (Boolean) Set the resource as active or inactive. Default is `true`.
 - `is_authoritative` (Boolean) Determines whether assignments in the access block will override any existing assignments. Default is `true`. If set to `false`, assignments made outside of Terraform will be ignored.
@@ -85,13 +95,21 @@ resource "twingate_resource" "resource" {
 
 - `id` (String) Autogenerated ID of the Resource, encoded in base64
 
-<a id="nestedblock--access"></a>
-### Nested Schema for `access`
+<a id="nestedblock--access_group"></a>
+### Nested Schema for `access_group`
+
+Optional:
+
+- `group_id` (String) Group ID that will have permission to access the Resource.
+- `security_policy_id` (String) The ID of a `twingate_security_policy` to use as the access policy for the group IDs in the access block.
+
+
+<a id="nestedblock--access_service"></a>
+### Nested Schema for `access_service`
 
 Optional:
 
-- `group_ids` (Set of String) List of Group IDs that will have permission to access the Resource.
-- `service_account_ids` (Set of String) List of Service Account IDs that will have permission to access the Resource.
+- `service_account_id` (String) The ID of the service account that should have access to this Resource.
 
 
 <a id="nestedatt--protocols"></a>

examples/resources/twingate_resource/resource.tf

@@ -37,9 +37,18 @@ resource "twingate_resource" "resource" {
     }
   }
 
-  access {
-    group_ids = [twingate_group.aws.id]
-    service_account_ids = [twingate_service_account.github_actions_prod.id]
+  dynamic "access_group" {
+    for_each = [twingate_group.aws.id]
+    content {
+      group_id = access_group.value
+    }
+  }
+
+  dynamic "access_service" {
+    for_each = [twingate_service_account.github_actions_prod.id]
+    content {
+      service_account_id = access_service.value
+    }
   }
 
   is_active = true

twingate/internal/client/query/resource-read.go

@@ -80,10 +80,9 @@ func (r gqlResource) ToModel() *model.Resource {
 	resource := r.ResourceNode.ToModel()
 
 	for _, access := range r.Access.Edges {
-		var securityPolicyID *string
+		var securityPolicyID string
 		if access.SecurityPolicy != nil {
-			id := string(access.SecurityPolicy.ID)
-			securityPolicyID = &id
+			securityPolicyID = string(access.SecurityPolicy.ID)
 		}
 
 		switch access.Node.Type {

twingate/internal/client/resource.go

@@ -329,14 +329,19 @@ func (client *Client) AddResourceAccess(ctx context.Context, resourceID string,
 		return opr.apiError(ErrGraphqlIDIsEmpty)
 	}
 
-	var access []AccessInput
+	access := make([]AccessInput, 0, len(accessInput))
 
 	for _, input := range accessInput {
 		var item AccessInput
-		if input.SecurityPolicyID != nil && *input.SecurityPolicyID == "" {
+
+		switch {
+		case input.SecurityPolicyID != nil && *input.SecurityPolicyID == "":
 			item = &AccessWithoutSecurityPolicy{PrincipalID: input.PrincipalID}
-		} else {
-			item = &input
+		case input.SecurityPolicyID != nil && *input.SecurityPolicyID == model.NullSecurityPolicy:
+			item = &Access{PrincipalID: input.PrincipalID}
+		default:
+			obj := input
+			item = &obj
 		}
 
 		access = append(access, item)

twingate/internal/model/resource.go

@@ -16,14 +16,16 @@ const (
 	PolicyRestricted = "RESTRICTED"
 	PolicyAllowAll   = "ALLOW_ALL"
 	PolicyDenyAll    = "DENY_ALL"
+
+	NullSecurityPolicy = "none"
 )
 
 //nolint:gochecknoglobals
 var Policies = []string{PolicyRestricted, PolicyAllowAll, PolicyDenyAll}
 
 type AccessGroup struct {
 	GroupID          string
-	SecurityPolicyID *string
+	SecurityPolicyID string
 }
 
 type Resource struct {

twingate/internal/provider/resource/helper.go

@@ -3,13 +3,12 @@ package resource
 import (
 	"context"
 	"fmt"
-	"github.com/Twingate/terraform-provider-twingate/twingate/internal/model"
-	tfattr "github.com/hashicorp/terraform-plugin-framework/attr"
-	"github.com/hashicorp/terraform-plugin-framework/types"
-	"strings"
 
+	"github.com/Twingate/terraform-provider-twingate/twingate/internal/model"
 	"github.com/Twingate/terraform-provider-twingate/twingate/internal/utils"
+	tfattr "github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
 // setIntersection - for given two sets A and B,
@@ -92,26 +91,14 @@ func setDifferenceGroupAccess(inputA, inputB []model.AccessGroup) []model.Access
 	result := make([]model.AccessGroup, 0, len(setA))
 
 	for key, valA := range setA {
-		if valB, exist := setB[key]; !exist || !equalOptionalStrings(valA.SecurityPolicyID, valB.SecurityPolicyID) {
+		if valB, exist := setB[key]; !exist || valA.SecurityPolicyID != valB.SecurityPolicyID {
 			result = append(result, valA)
 		}
 	}
 
 	return result
 }
 
-func equalOptionalStrings(str1, str2 *string) bool {
-	if str1 == nil && str2 == nil {
-		return true
-	}
-
-	if str1 == nil && str2 != nil || str1 != nil && str2 == nil {
-		return false
-	}
-
-	return strings.EqualFold(*str1, *str2)
-}
-
 func setDifferenceGroups(inputA, inputB []model.AccessGroup) []string {
 	groupsA := utils.Map(inputA, func(item model.AccessGroup) string {
 		return item.GroupID
@@ -155,24 +142,10 @@ func makeNullObject(attributeTypes map[string]tfattr.Type) types.Object {
 	return types.ObjectNull(attributeTypes)
 }
 
-func makeObjectsListNull(ctx context.Context, attributeTypes map[string]tfattr.Type) types.List {
-	return types.ListNull(types.ObjectNull(attributeTypes).Type(ctx))
-}
-
 func makeObjectsSetNull(ctx context.Context, attributeTypes map[string]tfattr.Type) types.Set {
 	return types.SetNull(types.ObjectNull(attributeTypes).Type(ctx))
 }
 
-func makeObjectsList(ctx context.Context, objects ...types.Object) (types.List, diag.Diagnostics) {
-	obj := objects[0]
-
-	items := utils.Map(objects, func(item types.Object) tfattr.Value {
-		return tfattr.Value(item)
-	})
-
-	return types.ListValue(obj.Type(ctx), items)
-}
-
 func makeObjectsSet(ctx context.Context, objects ...types.Object) (types.Set, diag.Diagnostics) {
 	obj := objects[0]
 
@@ -182,20 +155,3 @@ func makeObjectsSet(ctx context.Context, objects ...types.Object) (types.Set, di
 
 	return types.SetValue(obj.Type(ctx), items)
 }
-
-func makeSet(list []string) (types.Set, diag.Diagnostics) {
-	return types.SetValue(types.StringType, stringsToTerraformValue(list))
-}
-
-func stringsToTerraformValue(list []string) []tfattr.Value {
-	if len(list) == 0 {
-		return nil
-	}
-
-	out := make([]tfattr.Value, 0, len(list))
-	for _, item := range list {
-		out = append(out, types.StringValue(item))
-	}
-
-	return out
-}