Feature: Resource access block (#249)

* WIP * updated project layout * fix linter * ignore sec warn * fix: re-generated docs * fix users test * added connector model * fix convertion graphql.ID to string * added connector tokens model * added group model * added remote-network model * fix fmt * added user model * fix fmt * WIP * added connectors pages * added featching all pages for groups * added featching all pages for resources * added featching all pages for users * updated test results location * wip: fixing tests * added generic paginated resource * added tests * renamed transport pkg to client * fixed tests * fix path to generated test coverage report * fix read resources * remove parallel resource tests * added debug log * debug error * debug error * fix test * remove logs * revert changes in ci.yml * simplify converters * added tests * added tests for models * fix fmt * added test coverage * added test coverage * added test coverage * fix test * added test coverage * run acc test * revert changes * added service-account resource * refactor acc tests * Fix http_max_retry doc * added service-account-key resource * regenerated docs * added example and gen docs * renamed resource: service-account -> service * update resource and fields name * fix acctest * fix acctest * wip * added acctests * renamed resource to twingate_service_account * renamed resource to twingate_service_account_key * added new datasource: twingate_service_accounts * added test coverage * added test coverage * added test coverage * added test coverage * added test coverage * added test coverage * updated doc description * updated docs * updated docs * updated docs * fix tests * fix PR comments * wip * wip: added access property to resource * wip * added access property * fix test * added new tests for resource access options * added new non-authoritative logic * added authoritative logic * added test coverage * added test coverage * added test coverage * added test coverage * added test coverage * fix fmt * added test coverage * added test coverage * fix test * fix test * fix docs * fix PR comments * fix docs --------- Co-authored-by: Eran Kampf <[email protected]>
Twingate · Feb 7, 2023 · 5874480 · 5874480
1 parent c134e10
commit 5874480
Show file tree

Hide file tree

Showing 32 changed files with 3,928 additions and 365 deletions.
diff --git a/docs/resources/resource.md b/docs/resources/resource.md
@@ -26,11 +26,15 @@ resource "twingate_group" "aws" {
   name = "aws_group"
 }
 
+resource "twingate_service_account" "github_actions_prod" {
+  name = "Github Actions PROD"
+}
+
 resource "twingate_resource" "resource" {
   name = "network"
   address = "internal.int"
   remote_network_id = twingate_remote_network.aws_network.id
-  group_ids = [twingate_group.aws.id]
+
   protocols {
     allow_icmp = true
     tcp  {
@@ -41,6 +45,11 @@ resource "twingate_resource" "resource" {
       policy = "ALLOW_ALL"
     }
   }
+
+  access {
+    group_ids = [twingate_group.aws.id]
+    service_account_ids = [twingate_service_account.github_actions_prod.id]
+  }
 }
 ```
 
@@ -55,7 +64,9 @@ resource "twingate_resource" "resource" {
 
 ### Optional
 
-- `group_ids` (Set of String) List of Group IDs that have permission to access the Resource, cannot be generated by Terraform and must be retrieved from the Twingate Admin Console or API
+- `access` (Block List, Max: 1) Restrict access to certain groups or service accounts (see [below for nested schema](#nestedblock--access))
+- `group_ids` (Set of String, Deprecated) List of Group IDs that have permission to access the Resource, cannot be generated by Terraform and must be retrieved from the Twingate Admin Console or API
+- `is_authoritative` (Boolean) Determines whether assignments in the access block will override any existing assignments. Default is `true`. If set to `false`, assignments made outside of Terraform will be ignored.
 - `is_browser_shortcut_enabled` (Boolean) Controls whether an "Open in Browser" shortcut will be shown for this Resource in the Twingate Client.
 - `is_visible` (Boolean) Controls whether this Resource will be visible in the main Resource list in the Twingate Client.
 - `protocols` (Block List, Max: 1) Restrict access to certain protocols and ports. By default or when this argument is not defined, there is no restriction, and all protocols and ports are allowed. (see [below for nested schema](#nestedblock--protocols))
@@ -64,6 +75,15 @@ resource "twingate_resource" "resource" {
 
 - `id` (String) Autogenerated ID of the Resource, encoded in base64
 
+<a id="nestedblock--access"></a>
+### Nested Schema for `access`
+
+Optional:
+
+- `group_ids` (Set of String) List of Group IDs that will have permission to access the Resource.
+- `service_account_ids` (Set of String) List of Service Account IDs that will have permission to access the Resource.
+
+
 <a id="nestedblock--protocols"></a>
 ### Nested Schema for `protocols`
 

diff --git a/examples/resources/twingate_resource/resource.tf b/examples/resources/twingate_resource/resource.tf
@@ -11,11 +11,15 @@ resource "twingate_group" "aws" {
   name = "aws_group"
 }
 
+resource "twingate_service_account" "github_actions_prod" {
+  name = "Github Actions PROD"
+}
+
 resource "twingate_resource" "resource" {
   name = "network"
   address = "internal.int"
   remote_network_id = twingate_remote_network.aws_network.id
-  group_ids = [twingate_group.aws.id]
+
   protocols {
     allow_icmp = true
     tcp  {
@@ -26,5 +30,10 @@ resource "twingate_resource" "resource" {
       policy = "ALLOW_ALL"
     }
   }
+
+  access {
+    group_ids = [twingate_group.aws.id]
+    service_account_ids = [twingate_service_account.github_actions_prod.id]
+  }
 }
 
diff --git a/twingate/internal/attr/common.go b/twingate/internal/attr/common.go
@@ -0,0 +1,6 @@
+package attr
+
+const (
+	ID   = "id"
+	Name = "name"
+)
diff --git a/twingate/internal/attr/helper.go b/twingate/internal/attr/helper.go
@@ -0,0 +1,22 @@
+package attr
+
+import "strings"
+
+const (
+	attrPathSeparator = ".0."
+	attrLenSymbol     = ".#"
+)
+
+func Path(attributes ...string) string {
+	return strings.Join(attributes, attrPathSeparator)
+}
+
+func Len(attributes ...string) string {
+	attr := Path(attributes...)
+
+	if attr == "" {
+		return ""
+	}
+
+	return attr + attrLenSymbol
+}
diff --git a/twingate/internal/attr/resource.go b/twingate/internal/attr/resource.go
@@ -0,0 +1,18 @@
+package attr
+
+const (
+	Access                   = "access"
+	GroupIDs                 = "group_ids"
+	ServiceAccountIDs        = "service_account_ids"
+	IsAuthoritative          = "is_authoritative"
+	Policy                   = "policy"
+	Ports                    = "ports"
+	Address                  = "address"
+	RemoteNetworkID          = "remote_network_id"
+	Protocols                = "protocols"
+	AllowIcmp                = "allow_icmp"
+	TCP                      = "tcp"
+	UDP                      = "udp"
+	IsVisible                = "is_visible"
+	IsBrowserShortcutEnabled = "is_browser_shortcut_enabled"
+)
diff --git a/twingate/internal/attr/service-key.go b/twingate/internal/attr/service-key.go
@@ -0,0 +1,6 @@
+package attr
+
+const (
+	ServiceAccountID = "service_account_id"
+	Token            = "token"
+)