From 146e1736e31983454335bb948a0ce6709c4e9d8f Mon Sep 17 00:00:00 2001
From: Bogdan Prodan
Date: Thu, 16 Sep 2021 12:10:19 +0300
Subject: [PATCH] Added 'users_excluded' to the 'okta_group_rule' resource

---
 examples/okta_group_rule/basic_deactivated.tf | 8 +++++++
 okta/resource_okta_group.go | 19 +++++++++++++++
 okta/resource_okta_group_rule.go | 24 +++++++++++++++----
 okta/resource_okta_group_rule_test.go | 1 +
 okta/resource_okta_group_test.go | 2 +-
 website/docs/r/group_rule.html.markdown | 2 ++
 6 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/examples/okta_group_rule/basic_deactivated.tf b/examples/okta_group_rule/basic_deactivated.tf
index 162593eca..9194f1226 100644
--- a/examples/okta_group_rule/basic_deactivated.tf
+++ b/examples/okta_group_rule/basic_deactivated.tf
@@ -2,10 +2,18 @@ resource "okta_group" "test_other" {
   name = "testAcc_replace_with_uuid"
 }
 
+resource "okta_user" "test" {
+  first_name = "TestAcc"
+  last_name  = "Smith"
+  login      = "testAcc-replace_with_uuid@example.com"
+  email      = "testAcc-replace_with_uuid@example.com"
+}
+
 resource "okta_group_rule" "test" {
   name              = "testAcc_replace_with_uuid"
   status            = "INACTIVE"
   group_assignments = [okta_group.test_other.id]
   expression_type   = "urn:okta:expression:1.0"
   expression_value  = "String.startsWith(user.firstName,\"bob\")"
+  users_excluded    = [okta_user.test.id]
 }
diff --git a/okta/resource_okta_group.go b/okta/resource_okta_group.go
index 5098a6523..444acd3b6 100644
--- a/okta/resource_okta_group.go
+++ b/okta/resource_okta_group.go
@@ -5,6 +5,9 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -69,6 +72,22 @@ func resourceGroupCreate(ctx context.Context, d *schema.ResourceData, m interfac
 	if err != nil {
 		return diag.Errorf("failed to create group: %v", err)
 	}
+	bOff := backoff.NewExponentialBackOff()
+	bOff.MaxElapsedTime = time.Second * 10
+	bOff.InitialInterval = time.Second
+	err = backoff.Retry(func() error {
+		g, resp, err := getOktaClientFromMetadata(m).Group.GetGroup(ctx, responseGroup.Id)
+		if err := suppressErrorOn404(resp, err); err != nil {
+			return backoff.Permanent(err)
+		}
+		if g == nil {
+			return fmt.Errorf("group '%s' hasn't been created after multiple checks", responseGroup.Id)
+		}
+		return nil
+	}, bOff)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	d.SetId(responseGroup.Id)
 	err = updateGroupUsers(ctx, d, m)
 	if err != nil {
diff --git a/okta/resource_okta_group_rule.go b/okta/resource_okta_group_rule.go
index df05463b3..b7717636e 100644
--- a/okta/resource_okta_group_rule.go
+++ b/okta/resource_okta_group_rule.go
@@ -50,6 +50,12 @@ func resourceGroupRule() *schema.Resource {
 				Optional:    true,
 				Description: "Remove users added by this rule from the assigned group after deleting this resource",
 			},
+			"users_excluded": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: "The list of user IDs that would be excluded when rules are processed",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
 		},
 		CustomizeDiff: customdiff.ForceNewIf("status", func(ctx context.Context, d *schema.ResourceDiff, meta interface{}) bool {
 			g, _, _ := getOktaClientFromMetadata(meta).Group.GetGroupRule(ctx, d.Id(), nil)
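Review bot: The new polling loop in resourceGroupCreate runs before `d.SetId(responseGroup.Id)`, so when the 10-second budget expires (or `GetGroup` returns a non-404 error and `backoff.Permanent` ends the retry) the function returns an error with no ID set, and the group Okta has already created is left out of state; the next apply would create a duplicate. Moving `d.SetId(responseGroup.Id)` up to directly after the create error check keeps the created group tracked even when the read-after-write check fails. The retry also ignores `ctx`: passing `backoff.WithContext(bOff, ctx)` in place of `bOff` makes the wait stop on cancellation instead of sleeping out the full interval. resourceGroupCreate continues outside the hunk.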
@@ -89,9 +95,14 @@ func resourceGroupRuleRead(ctx context.Context, d *schema.ResourceData, m interf
 	_ = d.Set("name", g.Name)
 	_ = d.Set("status", g.Status)
 	// Just for the sake of safety, should never be nil
-	if g.Conditions != nil && g.Conditions.Expression != nil {
-		_ = d.Set("expression_type", g.Conditions.Expression.Type)
-		_ = d.Set("expression_value", g.Conditions.Expression.Value)
+	if g.Conditions != nil {
+		if g.Conditions.Expression != nil {
+			_ = d.Set("expression_type", g.Conditions.Expression.Type)
+			_ = d.Set("expression_value", g.Conditions.Expression.Value)
+		}
+		if g.Conditions.People != nil && g.Conditions.People.Users != nil {
+			_ = d.Set("users_excluded", convertStringSliceToSet(g.Conditions.People.Users.Exclude))
+		}
 	}
 	err = setNonPrimitives(d, map[string]interface{}{
 		"group_assignments": convertStringSliceToSet(g.Actions.AssignUserToGroups.GroupIds),
@@ -139,7 +150,7 @@ func resourceGroupRuleUpdate(ctx context.Context, d *schema.ResourceData, m inte
 }
 
 func hasGroupRuleChange(d *schema.ResourceData) bool {
-	for _, k := range []string{"expression_type", "expression_value", "name", "group_assignments"} {
+	for _, k := range []string{"expression_type", "expression_value", "name", "group_assignments", "users_excluded"} {
 		if d.HasChange(k) {
 			return true
 		}
@@ -176,6 +187,11 @@ func buildGroupRule(d *schema.ResourceData) *okta.GroupRule {
 				Type:  d.Get("expression_type").(string),
 				Value: d.Get("expression_value").(string),
 			},
+			People: &okta.GroupRulePeopleCondition{
+				Users: &okta.GroupRuleUserCondition{
+					Exclude: convertInterfaceToStringSet(d.Get("users_excluded")),
+				},
+			},
 		},
 		Name: d.Get("name").(string),
 		Type: "group_rule",
diff --git a/okta/resource_okta_group_rule_test.go b/okta/resource_okta_group_rule_test.go
index 0c618e6c6..155b8a3f0 100644
--- a/okta/resource_okta_group_rule_test.go
+++ b/okta/resource_okta_group_rule_test.go
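Review bot: In resourceGroupRuleRead, `users_excluded` is written to state only when `g.Conditions.People` and `.Users` are both non-nil, so a rule whose exclusions were removed outside Terraform keeps the stale set in state and the drift is never planned; since buildGroupRule now always sends a `People.Users.Exclude` value, the read side should mirror that and refresh the attribute unconditionally. Hoisting the exclude list into a local that stays nil on the nil path and then calling `_ = d.Set("users_excluded", convertStringSliceToSet(excluded))` once after the nil checks would do it, assuming `convertStringSliceToSet` tolerates a nil slice (its body is not in the diff). The comment `// Just for the sake of safety, should never be nil` now covers the new `People` branch too and could say which fields it guards. resourceGroupRuleRead continues outside the hunk.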
@@ -78,6 +78,7 @@ func TestAccOktaGroupRule_crud(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "name", name2),
 					resource.TestCheckResourceAttr(resourceName, "status", statusInactive),
+					resource.TestCheckResourceAttr(resourceName, "users_excluded.#", "1"),
 				),
 			},
 		},
diff --git a/okta/resource_okta_group_test.go b/okta/resource_okta_group_test.go
index 5f1951a07..506f97270 100644
--- a/okta/resource_okta_group_test.go
+++ b/okta/resource_okta_group_test.go
@@ -26,7 +26,7 @@ func sweepGroups(client *testClient) error {
 	return condenseError(errorList)
 }
 
-func TestAccOktaGroups_crud(t *testing.T) {
+func TestAccOktaGroup_crud(t *testing.T) {
 	ri := acctest.RandInt()
 	resourceName := fmt.Sprintf("%s.test", oktaGroup)
 	mgr := newFixtureManager("okta_group")
diff --git a/website/docs/r/group_rule.html.markdown b/website/docs/r/group_rule.html.markdown
index b64d549d8..fb1448bdd 100644
--- a/website/docs/r/group_rule.html.markdown
+++ b/website/docs/r/group_rule.html.markdown
@@ -43,6 +43,8 @@ The following arguments are supported:
 
 - `remove_assigned_users` - (Optional) This tells the provider to remove users added by this rule from the assigned group after destroying this resource. Default is `false`.
 
+- `users_excluded` - (Optional) The list of user IDs that would be excluded when rules are processed.
+
 ## Attributes Reference
 
 - `id` - The ID of the Group Rule.