vmanilo · vmanilo · Aug 30, 2023 · Aug 30, 2023 · Aug 30, 2023 · Sep 5, 2023
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -118,7 +118,7 @@ jobs:
     name: Matrix Acceptance Tests
     needs: build
     runs-on: ubuntu-latest
-    if: "!github.event.pull_request.head.repo.fork"
+#    if: "!github.event.pull_request.head.repo.fork"
     timeout-minutes: 15
     strategy:
       fail-fast: false
@@ -169,7 +169,7 @@ jobs:
 
   cleanup:
     name: Cleanup
-    if: "!github.event.pull_request.head.repo.fork"
+#    if: "!github.event.pull_request.head.repo.fork"
     needs: tests-acceptance
     runs-on: ubuntu-latest
     timeout-minutes: 15

diff --git a/docs/resources/resource.md b/docs/resources/resource.md
@@ -70,6 +70,7 @@ resource "twingate_resource" "resource" {
 - `is_browser_shortcut_enabled` (Boolean) Controls whether an "Open in Browser" shortcut will be shown for this Resource in the Twingate Client.
 - `is_visible` (Boolean) Controls whether this Resource will be visible in the main Resource list in the Twingate Client.
 - `protocols` (Block List, Max: 1) Restrict access to certain protocols and ports. By default or when this argument is not defined, there is no restriction, and all protocols and ports are allowed. (see [below for nested schema](#nestedblock--protocols))
+- `security_policy_id` (String) The ID of a twingate_security_policy to set as this Resource's Security Policy.
 
 ### Read-Only
 
@@ -81,6 +82,7 @@ resource "twingate_resource" "resource" {
 Optional:
 
 - `group_ids` (Set of String) List of Group IDs that will have permission to access the Resource.
+- `security_policy_id` (String) The ID of a twingate_security_policy to use as the access policy for the group IDs in the access block.
 - `service_account_ids` (Set of String) List of Service Account IDs that will have permission to access the Resource.
 
 

diff --git a/golangci.yml b/golangci.yml
@@ -22,6 +22,7 @@ linters-settings:
       - github.com/hashicorp/terraform-plugin-framework/datasource.DataSource
       - github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier.Set
       - github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier.Bool
+      - github.com/hashicorp/terraform-plugin-framework/attr.Value
   errcheck:
     check-type-assertions: false
     check-blank: false

diff --git a/twingate/internal/client/query/resource-create.go b/twingate/internal/client/query/resource-create.go
@@ -1,7 +1,7 @@
 package query
 
 type CreateResource struct {
-	ResourceEntityResponse `graphql:"resourceCreate(name: $name, address: $address, remoteNetworkId: $remoteNetworkId, groupIds: $groupIds, protocols: $protocols, isVisible: $isVisible, isBrowserShortcutEnabled: $isBrowserShortcutEnabled, alias: $alias)"`
+	ResourceEntityResponse `graphql:"resourceCreate(name: $name, address: $address, remoteNetworkId: $remoteNetworkId, protocols: $protocols, isVisible: $isVisible, isBrowserShortcutEnabled: $isBrowserShortcutEnabled, alias: $alias, securityPolicyId: $securityPolicyId)"`
 }
 
 func (q CreateResource) IsEmpty() bool {

diff --git a/twingate/internal/client/query/resource-read.go b/twingate/internal/client/query/resource-read.go
@@ -31,7 +31,8 @@ type Access struct {
 }
 
 type AccessEdge struct {
-	Node Principal
+	Node           Principal
+	SecurityPolicy *gqlSecurityPolicy
 }
 
 type Principal struct {
@@ -56,6 +57,7 @@ type ResourceNode struct {
 	IsVisible                bool
 	IsBrowserShortcutEnabled bool
 	Alias                    string
+	SecurityPolicy           *gqlSecurityPolicy
 }
 
 type Protocols struct {
@@ -81,6 +83,12 @@ func (r gqlResource) ToModel() *model.Resource {
 		switch access.Node.Type {
 		case AccessGroup:
 			resource.Groups = append(resource.Groups, string(access.Node.ID))
+
+			if resource.GroupsSecurityPolicyID == nil && access.SecurityPolicy != nil {
+				id := string(access.SecurityPolicy.ID)
+				resource.GroupsSecurityPolicyID = &id
+			}
+
 		case AccessServiceAccount:
 			resource.ServiceAccounts = append(resource.ServiceAccounts, string(access.Node.ID))
 		}
@@ -90,6 +98,11 @@ func (r gqlResource) ToModel() *model.Resource {
 }
 
 func (r ResourceNode) ToModel() *model.Resource {
+	var securityPolicyID string
+	if r.SecurityPolicy != nil {
+		securityPolicyID = string(r.SecurityPolicy.ID)
+	}
+
 	return &model.Resource{
 		ID:                       string(r.ID),
 		Name:                     r.Name,
@@ -100,6 +113,7 @@ func (r ResourceNode) ToModel() *model.Resource {
 		IsVisible:                &r.IsVisible,
 		IsBrowserShortcutEnabled: &r.IsBrowserShortcutEnabled,
 		Alias:                    optionalString(r.Alias),
+		SecurityPolicyID:         optionalString(securityPolicyID),
 	}
 }
 

diff --git a/twingate/internal/client/query/resource-update.go b/twingate/internal/client/query/resource-update.go
@@ -1,7 +1,7 @@
 package query
 
 type UpdateResource struct {
-	ResourceEntityResponse `graphql:"resourceUpdate(id: $id, name: $name, address: $address, remoteNetworkId: $remoteNetworkId, protocols: $protocols, isVisible: $isVisible, isBrowserShortcutEnabled: $isBrowserShortcutEnabled, alias: $alias)"`
+	ResourceEntityResponse `graphql:"resourceUpdate(id: $id, name: $name, address: $address, remoteNetworkId: $remoteNetworkId, protocols: $protocols, isVisible: $isVisible, isBrowserShortcutEnabled: $isBrowserShortcutEnabled, alias: $alias, securityPolicyId: $securityPolicyId)"`
 }
 
 func (q UpdateResource) IsEmpty() bool {

diff --git a/twingate/internal/client/resource.go b/twingate/internal/client/resource.go
@@ -63,13 +63,13 @@ func (client *Client) CreateResource(ctx context.Context, input *model.Resource)
 
 	variables := newVars(
 		gqlID(input.RemoteNetworkID, "remoteNetworkId"),
-		gqlIDs(input.Groups, "groupIds"),
 		gqlVar(input.Name, "name"),
 		gqlVar(input.Address, "address"),
 		gqlVar(newProtocolsInput(input.Protocols), "protocols"),
 		gqlNullable(input.IsVisible, "isVisible"),
 		gqlNullable(input.IsBrowserShortcutEnabled, "isBrowserShortcutEnabled"),
 		gqlNullable(input.Alias, "alias"),
+		gqlNullableID(input.SecurityPolicyID, "securityPolicyId"),
 		cursor(query.CursorAccess),
 		pageLimit(client.pageLimit),
 	)
@@ -81,8 +81,10 @@ func (client *Client) CreateResource(ctx context.Context, input *model.Resource)
 
 	resource := response.Entity.ToModel()
 	resource.Groups = input.Groups
+	resource.GroupsSecurityPolicyID = input.GroupsSecurityPolicyID
 	resource.ServiceAccounts = input.ServiceAccounts
 	resource.IsAuthoritative = input.IsAuthoritative
+	resource.SecurityPolicyID = input.SecurityPolicyID
 
 	if input.IsVisible == nil {
 		resource.IsVisible = nil
@@ -180,6 +182,7 @@ func (client *Client) UpdateResource(ctx context.Context, input *model.Resource)
 		gqlNullable(input.IsVisible, "isVisible"),
 		gqlNullable(input.IsBrowserShortcutEnabled, "isBrowserShortcutEnabled"),
 		gqlNullable(input.Alias, "alias"),
+		gqlNullableID(input.SecurityPolicyID, "securityPolicyId"),
 		cursor(query.CursorAccess),
 		pageLimit(client.pageLimit),
 	)
@@ -292,7 +295,7 @@ type AccessInput struct {
 	SecurityPolicyID *string `json:"securityPolicyId"`
 }
 
-func (client *Client) AddResourceAccess(ctx context.Context, resourceID string, principalIDs []string) error {
+func (client *Client) AddResourceAccess(ctx context.Context, resourceID string, principalIDs []string, securityPolicyID *string) error {
 	opr := resourceResourceAccess.update()
 
 	if len(principalIDs) == 0 {
@@ -304,7 +307,7 @@ func (client *Client) AddResourceAccess(ctx context.Context, resourceID string,
 	}
 
 	access := utils.Map(principalIDs, func(id string) AccessInput {
-		return AccessInput{PrincipalID: id}
+		return AccessInput{PrincipalID: id, SecurityPolicyID: securityPolicyID}
 	})
 
 	variables := newVars(

diff --git a/twingate/internal/client/variables.go b/twingate/internal/client/variables.go
@@ -105,7 +105,7 @@ func getValue(val any) any {
 	}
 }
 
-func gqlNullableID(val interface{}, name string) gqlVarOption {
+func gqlNullableID(val interface{}, name string) gqlVarOption { //nolint
 	return func(values map[string]interface{}) map[string]interface{} {
 		var (
 			gqlValue  interface{}

diff --git a/twingate/internal/model/resource.go b/twingate/internal/model/resource.go
@@ -33,12 +33,15 @@ type Resource struct {
 	IsVisible                *bool
 	IsBrowserShortcutEnabled *bool
 	Alias                    *string
+	SecurityPolicyID         *string
+	GroupsSecurityPolicyID   *string
 }
 
 func (r Resource) AccessToTerraform() []interface{} {
 	rawMap := make(map[string]interface{})
 	if len(r.Groups) != 0 {
 		rawMap[attr.GroupIDs] = r.Groups
+		rawMap[attr.SecurityPolicyID] = r.GroupsSecurityPolicyID
 	}
 
 	if len(r.ServiceAccounts) != 0 {