feat: Adds support for OIDC WORKLOAD IdP type to `federated_setting…

…s_identity_provider` (#2318)

---------

Co-authored-by: Oriol Arbusi <[email protected]>

.changelog/2318.txt

@@ -0,0 +1,15 @@
+```release-note:enhancement
+resource/mongodbatlas_federated_settings_identity_provider: Adds OIDC Workload support
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_federated_settings_identity_provider: Adds OIDC Workload support
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_federated_settings_identity_providers: Adds OIDC Workload support
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_federated_settings_identity_providers: Adds filtering support for Protocol and IdP type
+```

internal/service/federatedsettingsidentityprovider/data_source_federated_settings_identity_provider.go

@@ -236,6 +236,10 @@ func DataSource() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"idp_type": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -347,6 +351,10 @@ func dataSourceRead(ctx context.Context, d *schema.ResourceData, meta any) diag.
 		return diag.FromErr(fmt.Errorf("error setting `idp_id` for federatedSettings IdentityProviders: %s", err))
 	}
 
+	if err := d.Set("idp_type", federatedSettingsIdentityProvider.IdpType); err != nil {
+		return diag.FromErr(fmt.Errorf("error setting `idp_type` for federatedSettings IdentityProviders: %s", err))
+	}
+
 	d.SetId(federatedSettingsIdentityProvider.Id)
 
 	return nil

internal/service/federatedsettingsidentityprovider/data_source_federated_settings_identity_providers.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/constant"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/config"
 )
 
@@ -22,6 +23,20 @@ func PluralDataSource() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
+			"idp_types": {
+				Type: schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+			},
+			"protocols": {
+				Type: schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+			},
 			"page_num": {
 				Type:       schema.TypeInt,
 				Optional:   true,
@@ -249,6 +264,10 @@ func PluralDataSource() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						"idp_type": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
 					},
 				},
 			},
@@ -262,11 +281,13 @@ func dataSourcePluralRead(ctx context.Context, d *schema.ResourceData, meta any)
 	if !federationSettingsIDOk {
 		return diag.FromErr(errors.New("federation_settings_id must be configured"))
 	}
+	idpTypes := conversion.ExpandStringList(d.Get("idp_types").([]any))
+	protocols := conversion.ExpandStringList(d.Get("protocols").([]any))
 
 	params := &admin.ListIdentityProvidersApiParams{
 		FederationSettingsId: federationSettingsID.(string),
-		Protocol:             &[]string{OIDC, SAML},
-		IdpType:              &[]string{WORKFORCE},
+		Protocol:             &protocols,
+		IdpType:              &idpTypes,
 	}
 
 	providers, _, err := connV2.FederatedAuthenticationApi.ListIdentityProvidersWithParams(ctx, params).Execute()

internal/service/federatedsettingsidentityprovider/data_source_federated_settings_identity_providers_test.go

@@ -6,6 +6,8 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/service/federatedsettingsidentityprovider"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/testutil/acc"
 )
 
@@ -20,22 +22,66 @@ func TestAccFederatedSettingsIdentityProvidersDS_basic(t *testing.T) {
 		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
 		Steps: []resource.TestStep{
 			{
-				Config: configBasicPluralDS(federatedSettingsID),
+				Config: configPluralDS(federatedSettingsID, conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE), []string{oidcProtocol, samlProtocol}),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrSet(dataSourceName, "federation_settings_id"),
 					resource.TestCheckResourceAttr(dataSourceName, "results.#", "2"),
 				),
 			},
+			{
+				Config: configPluralDS(federatedSettingsID, conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE), []string{samlProtocol}),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataSourceName, "federation_settings_id"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.0.display_name", "SAML-test"),
+				),
+			},
+			{
+				Config: configPluralDS(federatedSettingsID, conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE), []string{oidcProtocol}),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataSourceName, "federation_settings_id"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.0.display_name", "OIDC-test"),
+				),
+			},
+			{
+				Config: configPluralDS(federatedSettingsID, conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE), []string{}),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataSourceName, "federation_settings_id"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.0.display_name", "SAML-test"), // if no protocol is specified, it defaults to SAML
+				),
+			},
+			{
+				Config: configPluralDS(federatedSettingsID, conversion.StringPtr(federatedsettingsidentityprovider.WORKLOAD), []string{}),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataSourceName, "federation_settings_id"),
+					resource.TestCheckResourceAttr(dataSourceName, "results.#", "0"),
+				),
+			},
 		},
 	})
 }
 
-func configBasicPluralDS(federatedSettingsID string) string {
+func configPluralDS(federatedSettingsID string, idpType *string, protocols []string) string {
+	var protocolString string
+	if len(protocols) > 1 {
+		protocolString = fmt.Sprintf(`protocols = [%[1]q, %[2]q]`, protocols[0], protocols[1])
+	} else if len(protocols) > 0 {
+		protocolString = fmt.Sprintf(`protocols = [%[1]q]`, protocols[0])
+	}
+	var idpTypeString string
+	if idpType != nil {
+		idpTypeString = fmt.Sprintf(`idp_types = [%[1]q]`, *idpType)
+	}
+
 	return fmt.Sprintf(`
 		data "mongodbatlas_federated_settings_identity_providers" "test" {
 			federation_settings_id = "%[1]s"
 			page_num = 1
 			items_per_page = 100
+			%[2]s
+			%[3]s
 		}
-`, federatedSettingsID)
+`, federatedSettingsID, protocolString, idpTypeString)
 }

internal/service/federatedsettingsidentityprovider/model_federated_settings_identity_provider.go

@@ -12,6 +12,7 @@ import (
 )
 
 const WORKFORCE = "WORKFORCE"
+const WORKLOAD = "WORKLOAD"
 
 func ExpandIdentityProviderOIDCCreate(d *schema.ResourceData) *admin.FederationOidcIdentityProviderUpdate {
 	return &admin.FederationOidcIdentityProviderUpdate{
@@ -22,7 +23,7 @@ func ExpandIdentityProviderOIDCCreate(d *schema.ResourceData) *admin.FederationO
 		Description:       conversion.StringPtr(d.Get("description").(string)),
 		DisplayName:       conversion.StringPtr(d.Get("name").(string)),
 		GroupsClaim:       conversion.StringPtr(d.Get("groups_claim").(string)),
-		IdpType:           conversion.StringPtr(WORKFORCE),
+		IdpType:           conversion.StringPtr(d.Get("idp_type").(string)),
 		IssuerUri:         conversion.StringPtr(d.Get("issuer_uri").(string)),
 		Protocol:          conversion.StringPtr(d.Get("protocol").(string)),
 		RequestedScopes:   expandRequestedScopes(d),
@@ -100,6 +101,7 @@ func FlattenFederatedSettingsIdentityProvider(federatedSettingsIdentityProvider
 				"user_claim":                   federatedSettingsIdentityProvider[i].UserClaim,
 				"authorization_type":           federatedSettingsIdentityProvider[i].AuthorizationType,
 				"description":                  federatedSettingsIdentityProvider[i].Description,
+				"idp_type":                     federatedSettingsIdentityProvider[i].IdpType,
 			}
 		}
 	}

internal/service/federatedsettingsidentityprovider/model_federated_settings_identity_provider_test.go

@@ -338,6 +338,7 @@ func TestFlattenFederatedSettingsIdentityProvider(t *testing.T) {
 					AssociatedOrgs:             &associatedOrgs,
 					AudienceUri:                &audienceURI,
 					DisplayName:                &displayName,
+					IdpType:                    conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE),
 					IssuerUri:                  &issuerURI,
 					OktaIdpId:                  oktaIdpID,
 					PemFileInfo:                &pemFileInfo,
@@ -375,6 +376,7 @@ func TestFlattenFederatedSettingsIdentityProvider(t *testing.T) {
 					"user_claim":                   nilStringPtr,
 					"description":                  &description,
 					"authorization_type":           nilStringPtr,
+					"idp_type":                     conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE),
 				},
 			},
 		},
@@ -395,6 +397,7 @@ func TestFlattenFederatedSettingsIdentityProvider(t *testing.T) {
 					UserClaim:         &userClaim,
 					Description:       &description,
 					AuthorizationType: &authorizationType,
+					IdpType:           conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE),
 				},
 			},
 			output: []map[string]any{
@@ -421,6 +424,7 @@ func TestFlattenFederatedSettingsIdentityProvider(t *testing.T) {
 					"user_claim":                   &userClaim,
 					"description":                  &description,
 					"authorization_type":           &authorizationType,
+					"idp_type":                     conversion.StringPtr(federatedsettingsidentityprovider.WORKFORCE),
 				},
 			},
 		},

internal/service/federatedsettingsidentityprovider/resource_federated_settings_identity_provider.go

@@ -111,6 +111,11 @@ func Resource() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"idp_type": {
+				Type:     schema.TypeString,
+				Optional: true, // Required for OIDC IdPs
+				Computed: true, // If not set for SAML IdPs, it will return WORKFORCE
+			},
 		},
 	}
 }
@@ -230,6 +235,9 @@ func resourceRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Di
 	if err := d.Set("authorization_type", federatedSettingsIdentityProvider.AuthorizationType); err != nil {
 		return diag.FromErr(fmt.Errorf("error setting authorization_type (%s): %s", d.Id(), err))
 	}
+	if err := d.Set("idp_type", federatedSettingsIdentityProvider.IdpType); err != nil {
+		return diag.FromErr(fmt.Errorf("error setting idp_type (%s): %s", d.Id(), err))
+	}
 
 	d.SetId(encodeStateID(federationSettingsID, federatedSettingsIdentityProvider.Id))
 
@@ -312,10 +320,17 @@ func resourceUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.
 	if d.HasChange("authorization_type") {
 		updateRequest.AuthorizationType = conversion.StringPtr(d.Get("authorization_type").(string))
 	}
+	if d.HasChange("idp_type") {
+		updateRequest.IdpType = conversion.StringPtr(d.Get("idp_type").(string))
+	}
 
 	if d.HasChange("groups_claim") {
 		groupsClaim := d.Get("groups_claim").(string)
-		updateRequest.GroupsClaim = &groupsClaim
+		if groupsClaim == "" {
+			updateRequest.GroupsClaim = nil
+		} else {
+			updateRequest.GroupsClaim = &groupsClaim
+		}
 	}
 
 	if d.HasChange("requested_scopes") {