PaloAltoNetworks / terraform-provider-prismacloudcompute

Terraform provider for Prisma Cloud Compute
https://registry.terraform.io/providers/PaloAltoNetworks/prismacloudcompute/latest
Mozilla Public License 2.0

prismacloudcompute_group (Resource) unable to create non-local groups #81

Open scott-sudweeks opened 2 months ago

scott-sudweeks commented 2 months ago

Describe the bug

The Resource prismacloudcompute_group will only create local groups. To create a group which is tied to one or more Identity Providers, one of the fields below should be set to true.

Unfortunately the provider is not properly mapping these fields for the API call, and they are received by the Twistlock API as nil/false and therefore the group which is created is a 'local' group rather than being associated with one or more of the identity providers.

Expected behavior

Setting oauth_group:true should result in a group being created which is tied to the OIDC IDP.

Current behavior

The group which is created is listed as a 'local' group.

Possible solution

The provider needs to be fixed to properly map the terraform properties to the correct API values.

This is probably as simple as adding the necessary underscores to the convert method here: https://github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/blob/dd54d0b43ced68e156c3af027b5591bc077f6bca/internal/convert/group.go#L10-42

Steps to reproduce

  1. Set up a proper Terraform project, with the necessary configuration to talk to a Twistlock instance with an OIDC IDP configured, and a resource to create a new OIDC group.
  2. Execute Terraform Module
  3. See in Twistlock a local group has been created, instead of a group tied to one of the auth methods.

Example code

terraform {
  required_providers {
    prismacloudcompute = {
      source  = "PaloAltoNetworks/prismacloudcompute"
      version = "0.8.0"
    }
  }
}

provider "prismacloudcompute" {
  config_file = "creds.json"
}

resource "prismacloudcompute_group" "group" {
  name       = "test-group"
  oidc_group = true

  # Note: when role is set, the group will not be created, because role is NOT allowed
  # when creating a local group; that is not the intended case when oidc_group = true.
  # Omitting it creates a local group, further showing that oidc_group = true is not handled.
  # role = "auditor"
}

Context

We configure Twistlock via IAC. We are migrating our legacy IAC solution to Crossplane and/or Terraform. As we use SSO via an OIDC IDP, this is blocking to us being able to use this provider to configure groups in our use case.

Your Environment
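To illustrate the mapping failure described under Possible solution, here is an added example that is not the provider's own code: a buggy converter that looks attributes up without underscores beside a fixed one that uses the snake_case HCL names. The struct and JSON field names, the map-based stand-in for Terraform's resource data, and the exact attribute keys are assumptions.

```go
package main

import "fmt"

// Group models the part of the Compute API group object that decides
// whether a group is local or bound to an identity provider. The JSON
// names are assumptions for this example, not taken from the provider.
type Group struct {
	Name       string `json:"name"`
	LdapGroup  bool   `json:"ldapGroup"`
	OauthGroup bool   `json:"oauthGroup"`
	OidcGroup  bool   `json:"oidcGroup"`
	SamlGroup  bool   `json:"samlGroup"`
}

// ResourceData stands in for the Terraform schema data the provider
// receives; keys are the snake_case HCL attribute names.
type ResourceData map[string]interface{}

func getBool(d ResourceData, key string) bool {
	v, ok := d[key].(bool) // a missing key is indistinguishable from false
	return ok && v
}

// ConvertBuggy reproduces the reported failure: it looks the flags up
// under names without underscores, so no HCL attribute ever matches
// and every identity-provider flag silently falls back to false.
func ConvertBuggy(d ResourceData) Group {
	return Group{Name: d["name"].(string),
		LdapGroup: getBool(d, "ldapgroup"), OauthGroup: getBool(d, "oauthgroup"),
		OidcGroup: getBool(d, "oidcgroup"), SamlGroup: getBool(d, "samlgroup")}
}

// ConvertFixed uses the attribute names the HCL schema actually carries.
func ConvertFixed(d ResourceData) Group {
	return Group{Name: d["name"].(string),
		LdapGroup: getBool(d, "ldap_group"), OauthGroup: getBool(d, "oauth_group"),
		OidcGroup: getBool(d, "oidc_group"), SamlGroup: getBool(d, "saml_group")}
}

// IsLocal mirrors the console's classification: no IdP flag set means local.
func IsLocal(g Group) bool {
	return !(g.LdapGroup || g.OauthGroup || g.OidcGroup || g.SamlGroup)
}

func main() {
	tf := ResourceData{"name": "test-group", "oidc_group": true} // constructed input
	fmt.Println("buggy converter yields local group:", IsLocal(ConvertBuggy(tf)))
	fmt.Println("fixed converter yields local group:", IsLocal(ConvertFixed(tf)))
}
```

With the constructed input the buggy converter reports a local group while the fixed one carries oidcGroup=true through to the API payload.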