Merge pull request #651 from okta/users_exluded

Added 'users_excluded' to the 'okta_group_rule' resource
okta · Sep 16, 2021 · a669a53 · a669a53
2 parents 68a46c1 + 146e173
commit a669a53
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 5 deletions.
diff --git a/examples/okta_group_rule/basic_deactivated.tf b/examples/okta_group_rule/basic_deactivated.tf
@@ -2,10 +2,18 @@ resource "okta_group" "test_other" {
   name = "testAcc_replace_with_uuid"
 }
 
+resource "okta_user" "test" {
+  first_name = "TestAcc"
+  last_name  = "Smith"
+  login      = "testAcc-replace_with_uuid@example.com"
+  email      = "testAcc-replace_with_uuid@example.com"
+}
+
 resource "okta_group_rule" "test" {
   name              = "testAcc_replace_with_uuid"
   status            = "INACTIVE"
   group_assignments = [okta_group.test_other.id]
   expression_type   = "urn:okta:expression:1.0"
   expression_value  = "String.startsWith(user.firstName,\"bob\")"
+  users_excluded    = [okta_user.test.id]
 }
diff --git a/okta/resource_okta_group.go b/okta/resource_okta_group.go
@@ -5,6 +5,9 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -69,6 +72,22 @@ func resourceGroupCreate(ctx context.Context, d *schema.ResourceData, m interfac
 	if err != nil {
 		return diag.Errorf("failed to create group: %v", err)
 	}
+	bOff := backoff.NewExponentialBackOff()
+	bOff.MaxElapsedTime = time.Second * 10
+	bOff.InitialInterval = time.Second
+	err = backoff.Retry(func() error {
+		g, resp, err := getOktaClientFromMetadata(m).Group.GetGroup(ctx, responseGroup.Id)
+		if err := suppressErrorOn404(resp, err); err != nil {
+			return backoff.Permanent(err)
+		}
+		if g == nil {
+			return fmt.Errorf("group '%s' hasn't been created after multiple checks", responseGroup.Id)
+		}
+		return nil
+	}, bOff)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	d.SetId(responseGroup.Id)
 	err = updateGroupUsers(ctx, d, m)
 	if err != nil {

diff --git a/okta/resource_okta_group_rule.go b/okta/resource_okta_group_rule.go
@@ -50,6 +50,12 @@ func resourceGroupRule() *schema.Resource {
 				Optional:    true,
 				Description: "Remove users added by this rule from the assigned group after deleting this resource",
 			},
+			"users_excluded": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: "The list of user IDs that would be excluded when rules are processed",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
 		},
 		CustomizeDiff: customdiff.ForceNewIf("status", func(ctx context.Context, d *schema.ResourceDiff, meta interface{}) bool {
 			g, _, _ := getOktaClientFromMetadata(meta).Group.GetGroupRule(ctx, d.Id(), nil)
@@ -89,9 +95,14 @@ func resourceGroupRuleRead(ctx context.Context, d *schema.ResourceData, m interf
 	_ = d.Set("name", g.Name)
 	_ = d.Set("status", g.Status)
 	// Just for the sake of safety, should never be nil
-	if g.Conditions != nil && g.Conditions.Expression != nil {
-		_ = d.Set("expression_type", g.Conditions.Expression.Type)
-		_ = d.Set("expression_value", g.Conditions.Expression.Value)
+	if g.Conditions != nil {
+		if g.Conditions.Expression != nil {
+			_ = d.Set("expression_type", g.Conditions.Expression.Type)
+			_ = d.Set("expression_value", g.Conditions.Expression.Value)
+		}
+		if g.Conditions.People != nil && g.Conditions.People.Users != nil {
+			_ = d.Set("users_excluded", convertStringSliceToSet(g.Conditions.People.Users.Exclude))
+		}
 	}
 	err = setNonPrimitives(d, map[string]interface{}{
 		"group_assignments": convertStringSliceToSet(g.Actions.AssignUserToGroups.GroupIds),
@@ -139,7 +150,7 @@ func resourceGroupRuleUpdate(ctx context.Context, d *schema.ResourceData, m inte
 }
 
 func hasGroupRuleChange(d *schema.ResourceData) bool {
-	for _, k := range []string{"expression_type", "expression_value", "name", "group_assignments"} {
+	for _, k := range []string{"expression_type", "expression_value", "name", "group_assignments", "users_excluded"} {
 		if d.HasChange(k) {
 			return true
 		}
@@ -176,6 +187,11 @@ func buildGroupRule(d *schema.ResourceData) *okta.GroupRule {
 				Type:  d.Get("expression_type").(string),
 				Value: d.Get("expression_value").(string),
 			},
+			People: &okta.GroupRulePeopleCondition{
+				Users: &okta.GroupRuleUserCondition{
+					Exclude: convertInterfaceToStringSet(d.Get("users_excluded")),
+				},
+			},
 		},
 		Name: d.Get("name").(string),
 		Type: "group_rule",

diff --git a/okta/resource_okta_group_rule_test.go b/okta/resource_okta_group_rule_test.go
@@ -78,6 +78,7 @@ func TestAccOktaGroupRule_crud(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "name", name2),
 					resource.TestCheckResourceAttr(resourceName, "status", statusInactive),
+					resource.TestCheckResourceAttr(resourceName, "users_excluded.#", "1"),
 				),
 			},
 		},

diff --git a/okta/resource_okta_group_test.go b/okta/resource_okta_group_test.go
@@ -26,7 +26,7 @@ func sweepGroups(client *testClient) error {
 	return condenseError(errorList)
 }
 
-func TestAccOktaGroups_crud(t *testing.T) {
+func TestAccOktaGroup_crud(t *testing.T) {
 	ri := acctest.RandInt()
 	resourceName := fmt.Sprintf("%s.test", oktaGroup)
 	mgr := newFixtureManager("okta_group")

diff --git a/website/docs/r/group_rule.html.markdown b/website/docs/r/group_rule.html.markdown
@@ -43,6 +43,8 @@ The following arguments are supported:
 - `remove_assigned_users` - (Optional) This tells the provider to remove users added by this rule from the assigned
   group after destroying this resource. Default is `false`.
 
+- `users_excluded` - (Optional) The list of user IDs that would be excluded when rules are processed.
+
 ## Attributes Reference
 
 - `id` - The ID of the Group Rule.