feat(teams): enable on IBM secure (#361)

sysdiglabs · Jun 9, 2023 · edc0967 · edc0967
1 parent af3f215
commit edc0967
Show file tree

Hide file tree

Showing 8 changed files with 124 additions and 51 deletions.
diff --git a/buildinfo/ibm_secure.go b/buildinfo/ibm_secure.go
@@ -0,0 +1,7 @@
+//go:build tf_acc_ibm_secure
+
+package buildinfo
+
+func init() {
+	IBMSecure = true
+}
diff --git a/buildinfo/info.go b/buildinfo/info.go
@@ -5,4 +5,5 @@ var (
 	SysdigMonitor bool
 	SysdigSecure  bool
 	IBMMonitor    bool
+	IBMSecure     bool
 )
diff --git a/sysdig/resource_sysdig_monitor_team.go b/sysdig/resource_sysdig_monitor_team.go
@@ -194,21 +194,12 @@ func resourceSysdigMonitorTeamRead(ctx context.Context, d *schema.ResourceData,
 	_ = d.Set("entrypoint", entrypointToSet(t.EntryPoint))
 
 	if clients.GetClientType() == IBMMonitor {
-		resourceSysdigMonitorTeamReadIBM(d, &t)
+		resourceSysdigTeamReadIBM(d, &t)
 	}
 
 	return nil
 }
 
-func resourceSysdigMonitorTeamReadIBM(d *schema.ResourceData, t *v2.Team) {
-	var ibmPlatformMetrics *string
-	if t.NamespaceFilters != nil {
-		ibmPlatformMetrics = t.NamespaceFilters.IBMPlatformMetrics
-	}
-	_ = d.Set("enable_ibm_platform_metrics", t.CanUseBeaconMetrics)
-	_ = d.Set("ibm_platform_metrics", ibmPlatformMetrics)
-}
-
 func userMonitorRolesToSet(userRoles []v2.UserRoles) (res []map[string]interface{}) {
 	for _, role := range userRoles {
 		if role.Admin { // Admins are added by default, so skip them
@@ -273,18 +264,6 @@ func resourceSysdigMonitorTeamDelete(ctx context.Context, d *schema.ResourceData
 	return nil
 }
 
-func updateNamespaceFilters(filters *v2.NamespaceFilters, update v2.NamespaceFilters) *v2.NamespaceFilters {
-	if filters == nil {
-		filters = &v2.NamespaceFilters{}
-	}
-
-	if update.IBMPlatformMetrics != nil {
-		filters.IBMPlatformMetrics = update.IBMPlatformMetrics
-	}
-
-	return filters
-}
-
 func teamFromResourceData(d *schema.ResourceData, clientType ClientType) v2.Team {
 	canUseSysdigCapture := d.Get("can_use_sysdig_capture").(bool)
 	canUseCustomEvents := d.Get("can_see_infrastructure_events").(bool)
@@ -325,15 +304,3 @@ func teamFromResourceData(d *schema.ResourceData, clientType ClientType) v2.Team
 
 	return t
 }
-
-func teamFromResourceDataIBM(d *schema.ResourceData, t *v2.Team) {
-	canUseBeaconMetrics := d.Get("enable_ibm_platform_metrics").(bool)
-	t.CanUseBeaconMetrics = &canUseBeaconMetrics
-
-	if v, ok := d.GetOk("ibm_platform_metrics"); ok {
-		metrics := v.(string)
-		t.NamespaceFilters = updateNamespaceFilters(t.NamespaceFilters, v2.NamespaceFilters{
-			IBMPlatformMetrics: &metrics,
-		})
-	}
-}
diff --git a/sysdig/resource_sysdig_secure_team.go b/sysdig/resource_sysdig_secure_team.go
@@ -53,6 +53,14 @@ func resourceSysdigSecureTeam() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"enable_ibm_platform_metrics": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
+			"ibm_platform_metrics": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"use_sysdig_capture": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -90,13 +98,32 @@ func resourceSysdigSecureTeam() *schema.Resource {
 	}
 }
 
+func getSecureTeamClient(c SysdigClients) (v2.TeamInterface, error) {
+	var client v2.TeamInterface
+	var err error
+	switch c.GetClientType() {
+	case IBMSecure:
+		client, err = c.ibmSecureClient()
+		if err != nil {
+			return nil, err
+		}
+	default:
+		client, err = c.sysdigSecureClientV2()
+		if err != nil {
+			return nil, err
+		}
+	}
+	return client, nil
+}
+
 func resourceSysdigSecureTeamCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := meta.(SysdigClients).sysdigSecureClientV2()
+	clients := meta.(SysdigClients)
+	client, err := getSecureTeamClient(clients)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	team := secureTeamFromResourceData(d)
+	team := secureTeamFromResourceData(d, clients.GetClientType())
 	team.Products = []string{"SDS"}
 
 	team, err = client.CreateTeam(ctx, team)
@@ -106,13 +133,15 @@ func resourceSysdigSecureTeamCreate(ctx context.Context, d *schema.ResourceData,
 
 	d.SetId(strconv.Itoa(team.ID))
 	_ = d.Set("version", team.Version)
+	resourceSysdigSecureTeamRead(ctx, d, meta)
 
 	return nil
 }
 
 // Retrieves the information of a resource form the file and loads it in Terraform
 func resourceSysdigSecureTeamRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := meta.(SysdigClients).sysdigSecureClientV2()
+	clients := meta.(SysdigClients)
+	client, err := getSecureTeamClient(clients)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -135,6 +164,10 @@ func resourceSysdigSecureTeamRead(ctx context.Context, d *schema.ResourceData, m
 	_ = d.Set("default_team", t.DefaultTeam)
 	_ = d.Set("user_roles", userSecureRolesToSet(t.UserRoles))
 
+	if clients.GetClientType() == IBMSecure {
+		resourceSysdigTeamReadIBM(d, &t)
+	}
+
 	return nil
 }
 
@@ -153,12 +186,13 @@ func userSecureRolesToSet(userRoles []v2.UserRoles) (res []map[string]interface{
 }
 
 func resourceSysdigSecureTeamUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := meta.(SysdigClients).sysdigSecureClientV2()
+	clients := meta.(SysdigClients)
+	client, err := getSecureTeamClient(clients)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	t := secureTeamFromResourceData(d)
+	t := secureTeamFromResourceData(d, clients.GetClientType())
 	t.Products = []string{"SDS"}
 
 	t.Version = d.Get("version").(int)
@@ -169,11 +203,12 @@ func resourceSysdigSecureTeamUpdate(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
+	resourceSysdigSecureTeamRead(ctx, d, meta)
 	return nil
 }
 
 func resourceSysdigSecureTeamDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := meta.(SysdigClients).sysdigSecureClientV2()
+	client, err := getSecureTeamClient(meta.(SysdigClients))
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -187,15 +222,17 @@ func resourceSysdigSecureTeamDelete(ctx context.Context, d *schema.ResourceData,
 	return nil
 }
 
-func secureTeamFromResourceData(d *schema.ResourceData) v2.Team {
+func secureTeamFromResourceData(d *schema.ResourceData, clientType ClientType) v2.Team {
 	canUseSysdigCapture := d.Get("use_sysdig_capture").(bool)
+	canUseAwsMetrics := new(bool)
 	t := v2.Team{
 		Theme:               d.Get("theme").(string),
 		Name:                d.Get("name").(string),
 		Description:         d.Get("description").(string),
 		Show:                d.Get("scope_by").(string),
 		Filter:              d.Get("filter").(string),
 		CanUseSysdigCapture: &canUseSysdigCapture,
+		CanUseAwsMetrics:    canUseAwsMetrics,
 		DefaultTeam:         d.Get("default_team").(bool),
 	}
 
@@ -209,5 +246,9 @@ func secureTeamFromResourceData(d *schema.ResourceData) v2.Team {
 	}
 	t.UserRoles = userRoles
 
+	if clientType == IBMSecure {
+		teamFromResourceDataIBM(d, &t)
+	}
+
 	return t
 }
diff --git a/sysdig/resource_sysdig_secure_team_test.go b/sysdig/resource_sysdig_secure_team_test.go
@@ -1,10 +1,10 @@
-//go:build tf_acc_sysdig_secure || tf_acc_sysdig_common
+//go:build tf_acc_sysdig_secure || tf_acc_sysdig_common || tf_acc_ibm_secure || tf_acc_ibm_common
 
 package sysdig_test
 
 import (
 	"fmt"
-	"os"
+	"github.com/draios/terraform-provider-sysdig/buildinfo"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -18,11 +18,7 @@ func TestAccSecureTeam(t *testing.T) {
 	rText := func() string { return acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) }
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck: func() {
-			if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
-				t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests")
-			}
-		},
+		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv, SysdigIBMSecureAPIKeyEnv),
 		ProviderFactories: map[string]func() (*schema.Provider, error){
 			"sysdig": func() (*schema.Provider, error) {
 				return sysdig.Provider(), nil
@@ -35,6 +31,12 @@ func TestAccSecureTeam(t *testing.T) {
 			{
 				Config: secureTeamMinimumConfiguration(rText()),
 			},
+			{
+				Config: secureTeamWithPlatformMetricsIBM(rText()),
+				SkipFunc: func() (bool, error) {
+					return !buildinfo.IBMSecure, nil
+				},
+			},
 			{
 				ResourceName:      "sysdig_secure_team.sample",
 				ImportState:       true,
@@ -61,3 +63,12 @@ resource "sysdig_secure_team" "sample" {
   name      = "sample-%s"
 }`, name)
 }
+
+func secureTeamWithPlatformMetricsIBM(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_team" "sample" {
+  name = "sample-%s"
+  enable_ibm_platform_metrics = true
+  ibm_platform_metrics = "foo in (\"0\") and bar in (\"3\")"
+}`, name)
+}
diff --git a/sysdig/resource_sysdig_team_common.go b/sysdig/resource_sysdig_team_common.go
@@ -0,0 +1,39 @@
+package sysdig
+
+import (
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceSysdigTeamReadIBM(d *schema.ResourceData, t *v2.Team) {
+	var ibmPlatformMetrics *string
+	if t.NamespaceFilters != nil {
+		ibmPlatformMetrics = t.NamespaceFilters.IBMPlatformMetrics
+	}
+	_ = d.Set("enable_ibm_platform_metrics", t.CanUseBeaconMetrics)
+	_ = d.Set("ibm_platform_metrics", ibmPlatformMetrics)
+}
+
+func updateNamespaceFilters(filters *v2.NamespaceFilters, update v2.NamespaceFilters) *v2.NamespaceFilters {
+	if filters == nil {
+		filters = &v2.NamespaceFilters{}
+	}
+
+	if update.IBMPlatformMetrics != nil {
+		filters.IBMPlatformMetrics = update.IBMPlatformMetrics
+	}
+
+	return filters
+}
+
+func teamFromResourceDataIBM(d *schema.ResourceData, t *v2.Team) {
+	canUseBeaconMetrics := d.Get("enable_ibm_platform_metrics").(bool)
+	t.CanUseBeaconMetrics = &canUseBeaconMetrics
+
+	if v, ok := d.GetOk("ibm_platform_metrics"); ok {
+		metrics := v.(string)
+		t.NamespaceFilters = updateNamespaceFilters(t.NamespaceFilters, v2.NamespaceFilters{
+			IBMPlatformMetrics: &metrics,
+		})
+	}
+}
diff --git a/website/docs/index.md b/website/docs/index.md
@@ -209,10 +209,11 @@ When IBM Workload Protection resources are to be created, this authentication mu
   It can also be configured from the `SYSDIG_SECURE_TEAM_NAME` environment variable.<br/><br/>
 
 > **Note**
-> Enabling this way of authentication is under active development.
+> Enabling resources and data sources on IBM is under active development.
 >
-> For now, you can manage following resources sources on IBM Cloud Monitoring:
+> For now, you can manage following resources:
 > - `sysdig_monitor_team`
+> - `sysdig_secure_team`
 > - `sysdig_monitor_notification_channel_email`
 > - `sysdig_secure_notification_channel_email`
 > - `sysdig_monitor_notification_channel_opsgenie`

diff --git a/website/docs/r/secure_team.md b/website/docs/r/secure_team.md
@@ -70,10 +70,16 @@ data "sysdig_current_user" "me" {
 
 No additional attributes are exported.
 
+### IBM Workload protection arguments
+
+* `enable_ibm_platform_metrics` - (Optional) Enable platform metrics on IBM Cloud Monitoring.
+
+* `ibm_platform_metrics` - (Optional) Define platform metrics on IBM Cloud Monitoring.
+
 ## Import
 
 Secure Teams can be imported using the ID, e.g.
 
 ```
 $ terraform import sysdig_secure_team.example 12345
-```
+```