Merge pull request #157 from okta/leo/add-new-service-account-checkou…

…t-settings-resources Add new resources for SaaS app and Okta Universal Directory checkout settings.
okta · Jan 31, 2025 · 33546fc · 33546fc
2 parents f06d6b3 + 5d426be
commit 33546fc
Show file tree

Hide file tree

Showing 13 changed files with 1,525 additions and 12 deletions.
diff --git a/docs/resources/okta_universal_directory_checkout_settings.md b/docs/resources/okta_universal_directory_checkout_settings.md
@@ -0,0 +1,32 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_okta_universal_directory_checkout_settings Resource - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  Manages checkout settings for Okta Universal Directory resources in a project
+---
+
+# oktapam_okta_universal_directory_checkout_settings (Resource)
+
+Manages checkout settings for Okta Universal Directory resources in a project
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `checkout_duration_in_seconds` (Number) The duration in seconds for the checkout. If the checkout is enabled, the duration is the maximum time a user can access the resource before the checkout expires.
+- `checkout_required` (Boolean) Indicates whether a checkout is mandatory for accessing resources within the project. If `true`, checkout is enforced for all applicable resources by default. If `false`, checkout is not required, and resources are accessible without it.
+- `project` (String) The UUID of a Project.
+- `resource_group` (String) The UUID of a OktaPA Resource Group.
+
+### Optional
+
+- `exclude_list` (List of String) If provided, only the account identifiers listed are excluded from the checkout requirement. This list is only considered if `checkout_required` is set to `true`. Only one of `include_list` and `exclude_list` can be specified in a request since they are mutually exclusive.
+- `include_list` (List of String) If provided, only the account identifiers listed are required to perform a checkout to access the resource. This list is only considered if `checkout_required` is set to `true`. Only one of `include_list` and `exclude_list` can be specified in a request since they are mutually exclusive.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/saas_app_checkout_settings.md b/docs/resources/saas_app_checkout_settings.md
@@ -0,0 +1,32 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_saas_app_checkout_settings Resource - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  Manages checkout settings for SaaS Application resources in a project
+---
+
+# oktapam_saas_app_checkout_settings (Resource)
+
+Manages checkout settings for SaaS Application resources in a project
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `checkout_duration_in_seconds` (Number) The duration in seconds for the checkout. If the checkout is enabled, the duration is the maximum time a user can access the resource before the checkout expires.
+- `checkout_required` (Boolean) Indicates whether a checkout is mandatory for accessing resources within the project. If `true`, checkout is enforced for all applicable resources by default. If `false`, checkout is not required, and resources are accessible without it.
+- `project` (String) The UUID of a Project.
+- `resource_group` (String) The UUID of a OktaPA Resource Group.
+
+### Optional
+
+- `exclude_list` (List of String) If provided, only the account identifiers listed are excluded from the checkout requirement. This list is only considered if `checkout_required` is set to `true`. Only one of `include_list` and `exclude_list` can be specified in a request since they are mutually exclusive.
+- `include_list` (List of String) If provided, only the account identifiers listed are required to perform a checkout to access the resource. This list is only considered if `checkout_required` is set to `true`. Only one of `include_list` and `exclude_list` can be specified in a request since they are mutually exclusive.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/security_policy_v2.md b/docs/resources/security_policy_v2.md
@@ -0,0 +1,209 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oktapam_security_policy_v2 Resource - terraform-provider-oktapam"
+subcategory: ""
+description: |-
+  A policy which defines how users can gain access to resources. For details, see Security policy https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-policy.
+---
+
+# oktapam_security_policy_v2 (Resource)
+
+A policy which defines how users can gain access to resources. For details, see [Security policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-pam-policy).
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `active` (Boolean)
+- `name` (String)
+- `principals` (Attributes) (see [below for nested schema](#nestedatt--principals))
+- `rules` (Attributes List) (see [below for nested schema](#nestedatt--rules))
+
+### Optional
+
+- `description` (String)
+- `type` (String)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedatt--principals"></a>
+### Nested Schema for `principals`
+
+Optional:
+
+- `user_groups` (List of String)
+
+
+<a id="nestedatt--rules"></a>
+### Nested Schema for `rules`
+
+Required:
+
+- `name` (String)
+- `privileges` (Attributes List) (see [below for nested schema](#nestedatt--rules--privileges))
+- `resource_selector` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector))
+- `resource_type` (String)
+
+Optional:
+
+- `conditions` (Attributes List) (see [below for nested schema](#nestedatt--rules--conditions))
+- `override_checkout_duration_in_seconds` (Number)
+
+<a id="nestedatt--rules--privileges"></a>
+### Nested Schema for `rules.privileges`
+
+Optional:
+
+- `password_checkout_database` (Attributes) (see [below for nested schema](#nestedatt--rules--privileges--password_checkout_database))
+- `password_checkout_ssh` (Attributes) (see [below for nested schema](#nestedatt--rules--privileges--password_checkout_ssh))
+- `principal_account_ssh` (Attributes) (see [below for nested schema](#nestedatt--rules--privileges--principal_account_ssh))
+
+<a id="nestedatt--rules--privileges--password_checkout_database"></a>
+### Nested Schema for `rules.privileges.password_checkout_database`
+
+Required:
+
+- `password_checkout_database` (Boolean)
+
+
+<a id="nestedatt--rules--privileges--password_checkout_ssh"></a>
+### Nested Schema for `rules.privileges.password_checkout_ssh`
+
+Required:
+
+- `password_checkout_ssh` (Boolean)
+
+
+<a id="nestedatt--rules--privileges--principal_account_ssh"></a>
+### Nested Schema for `rules.privileges.principal_account_ssh`
+
+Required:
+
+- `principal_account_ssh` (Boolean) Defines the privilege to make SSH connections to a server with the user's principal account.
+
+Optional:
+
+- `admin_level_permissions` (Boolean) Provides coarse grain (full admin) access to the user.
+- `sudo_command_bundles` (List of String) UUIDs of the existing sudo command bundles. These commands have been created by the resource administrator
+- `sudo_display_name` (String) The name for sudo commands that will be visible to end users
+
+
+
+<a id="nestedatt--rules--resource_selector"></a>
+### Nested Schema for `rules.resource_selector`
+
+Required:
+
+- `server_based_resource` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource))
+
+<a id="nestedatt--rules--resource_selector--server_based_resource"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource`
+
+Required:
+
+- `selectors` (Attributes List) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource--selectors))
+
+<a id="nestedatt--rules--resource_selector--server_based_resource--selectors"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource.selectors`
+
+Optional:
+
+- `individual_server` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource--selectors--individual_server))
+- `individual_server_account` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource--selectors--individual_server_account))
+- `server_label` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource--selectors--server_label))
+
+<a id="nestedatt--rules--resource_selector--server_based_resource--selectors--individual_server"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource.selectors.individual_server`
+
+Required:
+
+- `server` (String)
+
+
+<a id="nestedatt--rules--resource_selector--server_based_resource--selectors--individual_server_account"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource.selectors.individual_server_account`
+
+Required:
+
+- `server` (String)
+- `username` (String)
+
+
+<a id="nestedatt--rules--resource_selector--server_based_resource--selectors--server_label"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource.selectors.server_label`
+
+Required:
+
+- `account_selector` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource--selectors--server_label--account_selector))
+- `account_selector_type` (String)
+
+Optional:
+
+- `server_selector` (Attributes) (see [below for nested schema](#nestedatt--rules--resource_selector--server_based_resource--selectors--server_label--server_selector))
+
+<a id="nestedatt--rules--resource_selector--server_based_resource--selectors--server_label--account_selector"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource.selectors.server_label.account_selector`
+
+Optional:
+
+- `usernames` (List of String)
+
+
+<a id="nestedatt--rules--resource_selector--server_based_resource--selectors--server_label--server_selector"></a>
+### Nested Schema for `rules.resource_selector.server_based_resource.selectors.server_label.server_selector`
+
+Required:
+
+- `labels` (Map of String)
+
+
+
+
+
+
+<a id="nestedatt--rules--conditions"></a>
+### Nested Schema for `rules.conditions`
+
+Optional:
+
+- `access_request` (Attributes) (see [below for nested schema](#nestedatt--rules--conditions--access_request))
+- `gateway` (Attributes) (see [below for nested schema](#nestedatt--rules--conditions--gateway))
+- `mfa` (Attributes) (see [below for nested schema](#nestedatt--rules--conditions--mfa))
+
+<a id="nestedatt--rules--conditions--access_request"></a>
+### Nested Schema for `rules.conditions.access_request`
+
+Required:
+
+- `request_type_name` (String)
+
+Optional:
+
+- `expires_after_seconds` (Number)
+- `request_type_id` (String)
+
+
+<a id="nestedatt--rules--conditions--gateway"></a>
+### Nested Schema for `rules.conditions.gateway`
+
+Required:
+
+- `session_recording` (Boolean)
+- `traffic_forwarding` (Boolean)
+
+
+<a id="nestedatt--rules--conditions--mfa"></a>
+### Nested Schema for `rules.conditions.mfa`
+
+Required:
+
+- `re_auth_frequency_in_seconds` (Number)
+
+Optional:
+
+- `acr_values` (String)
diff --git a/oktapam/convert/resource_checkout_settings.go b/oktapam/convert/resource_checkout_settings.go
@@ -63,19 +63,32 @@ func ResourceCheckoutSettingsFromModelToSDK(ctx context.Context, in *ResourceChe
 		out.CheckoutDurationInSeconds = in.CheckoutDurationInSeconds.ValueInt32Pointer()
 	}
 
+	// Initialize empty lists
+	out.IncludeList = []string{}
+	out.ExcludeList = []string{}
+
 	if !in.IncludeList.IsNull() && !in.IncludeList.IsUnknown() {
-		diags.Append(in.IncludeList.ElementsAs(ctx, &out.IncludeList, false)...)
+		var includeList []string
+		diags.Append(in.IncludeList.ElementsAs(ctx, &includeList, false)...)
 		if diags.HasError() {
 			return nil, diags
 		}
+		if len(includeList) > 0 {
+			out.IncludeList = includeList
+		}
 	}
 
 	if !in.ExcludeList.IsNull() && !in.ExcludeList.IsUnknown() {
-		diags.Append(in.ExcludeList.ElementsAs(ctx, &out.ExcludeList, false)...)
+		var excludeList []string
+		diags.Append(in.ExcludeList.ElementsAs(ctx, &excludeList, false)...)
 		if diags.HasError() {
 			return nil, diags
 		}
+		if len(excludeList) > 0 {
+			out.ExcludeList = excludeList
+		}
 	}
+
 	return &out, diags
 }
 
@@ -91,19 +104,67 @@ func ResourceCheckoutSettingsFromSDKToModel(ctx context.Context, in *pam.Resourc
 		out.CheckoutDurationInSeconds = types.Int32PointerValue(val)
 	}
 
-	includeList, d := types.ListValueFrom(ctx, types.StringType, in.IncludeList)
-	diags.Append(d...)
-	if diags.HasError() {
-		return nil, diags
+	if len(in.IncludeList) == 0 {
+		out.IncludeList = types.ListNull(types.StringType)
+	} else {
+		includeList, d := types.ListValueFrom(ctx, types.StringType, in.IncludeList)
+		diags.Append(d...)
+		if diags.HasError() {
+			return nil, diags
+		}
+		out.IncludeList = includeList
 	}
-	out.IncludeList = includeList
 
-	excludeList, d := types.ListValueFrom(ctx, types.StringType, in.ExcludeList)
-	diags.Append(d...)
-	if diags.HasError() {
-		return nil, diags
+	if len(in.ExcludeList) == 0 {
+		out.ExcludeList = types.ListNull(types.StringType)
+	} else {
+		excludeList, d := types.ListValueFrom(ctx, types.StringType, in.ExcludeList)
+		diags.Append(d...)
+		if diags.HasError() {
+			return nil, diags
+		}
+		out.ExcludeList = excludeList
 	}
-	out.ExcludeList = excludeList
 
 	return &out, diags
 }
+
+func PamResourceCheckoutSettingsToPamServiceAccountCheckoutSettings(in *pam.ResourceCheckoutSettings) *pam.APIServiceAccountCheckoutSettings {
+	includeList := []pam.ServiceAccountSettingNameObject{}
+	for _, Id := range in.IncludeList {
+		includeList = append(includeList, pam.ServiceAccountSettingNameObject{
+			Id: Id,
+		})
+	}
+	excludeList := []pam.ServiceAccountSettingNameObject{}
+	for _, Id := range in.ExcludeList {
+		excludeList = append(excludeList, pam.ServiceAccountSettingNameObject{
+			Id: Id,
+		})
+	}
+
+	return &pam.APIServiceAccountCheckoutSettings{
+		CheckoutRequired:          in.CheckoutRequired,
+		CheckoutDurationInSeconds: *in.CheckoutDurationInSeconds,
+		IncludeList:               includeList,
+		ExcludeList:               excludeList,
+	}
+}
+
+func PamServiceAccountCheckoutSettingsToPamResourceCheckoutSettings(in *pam.APIServiceAccountCheckoutSettings) *pam.ResourceCheckoutSettings {
+	includeList := []string{}
+	for _, include := range in.IncludeList {
+		includeList = append(includeList, include.Id)
+	}
+	excludeList := []string{}
+	for _, exclude := range in.ExcludeList {
+		excludeList = append(excludeList, exclude.Id)
+	}
+	resourceCheckoutSettings := &pam.ResourceCheckoutSettings{
+		CheckoutRequired:          in.CheckoutRequired,
+		CheckoutDurationInSeconds: &in.CheckoutDurationInSeconds,
+		IncludeList:               includeList,
+		ExcludeList:               excludeList,
+	}
+	return resourceCheckoutSettings
+}