Describe the bug
The resource prismacloudcompute_group currently only creates local groups. To create a group that is tied to one or more identity providers, one of the fields below should be set to true.
ldap_group (Boolean) Whether or not the group is an LDAP group.
oauth_group (Boolean) Whether or not the group is an OAuth group.
oidc_group (Boolean) Whether or not the group is an OpenID Connect group.
saml_group (Boolean) Whether or not the group is a SAML group.
Unfortunately the provider does not map these fields correctly for the API call: they are received by the Twistlock API as nil/false, so the group that is created is a 'local' group rather than one associated with one or more of the identity providers.
Expected behavior
Setting oauth_group:true should result in a group being created which is tied to the OIDC IDP.
Current behavior
The group which is created is listed as a 'local' group.
Possible solution
The provider needs to be fixed to properly map the Terraform properties to the correct API values. This is probably as simple as adding the necessary underscores to the convert method here: https://github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/blob/dd54d0b43ced68e156c3af027b5591bc077f6bca/internal/convert/group.go#L10-42
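The failure mode described here, a schema key looked up under the wrong name so the flag silently arrives as false, can be reproduced in isolation. The following is an added illustration written for this page, not the provider's own code: the Group field names, the map standing in for schema.ResourceData, and the assumption that the bug is a missing underscore in the key names are all assumptions taken from the issue's hypothesis.

```go
package main

import "fmt"

// Group mirrors the IDP flags the provider sends to the Twistlock API.
// Field names are assumptions for illustration, not the provider's struct.
type Group struct {
	LdapGroup, OauthGroup, OidcGroup, SamlGroup bool
}

// resourceData stands in for terraform-plugin-sdk's schema.ResourceData in
// this mock: a lookup for a key that was never declared yields nil, and the
// type assertion turns nil into false without any error.
type resourceData map[string]interface{}

func (d resourceData) getBool(key string) bool {
	v, _ := d[key].(bool) // missing key -> nil -> false, silently
	return v
}

// convert copies the IDP flags into the API object. sep is the separator
// between "ldap" and "group" in the key names: "" reproduces the
// missing-underscore bug, "_" matches the schema keys ldap_group, ...
func convert(d resourceData, sep string) Group {
	return Group{
		LdapGroup:  d.getBool("ldap" + sep + "group"),
		OauthGroup: d.getBool("oauth" + sep + "group"),
		OidcGroup:  d.getBool("oidc" + sep + "group"),
		SamlGroup:  d.getBool("saml" + sep + "group"),
	}
}

// IsLocal reports whether the group is bound to no identity provider, which
// is how the Console lists the group in the issue. A provider could check
// !IsLocal() whenever any *_group flag was set, and fail instead of silently
// creating a local group.
func (g Group) IsLocal() bool {
	return !(g.LdapGroup || g.OauthGroup || g.OidcGroup || g.SamlGroup)
}

func main() {
	// Constructed input matching the issue's example: oidc_group = true.
	d := resourceData{"name": "test-group", "oidc_group": true}
	fmt.Println("keys without underscores -> local group:", convert(d, "").IsLocal())
	fmt.Println("keys with underscores    -> local group:", convert(d, "_").IsLocal())
}
```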
Steps to reproduce
1. Set up a proper Terraform project, with the necessary configuration to talk to a Twistlock instance with an OIDC IDP configured, and a resource to create a new OIDC group.
2. Execute the Terraform module.
3. See in Twistlock that a local group has been created, instead of a group tied to one of the auth methods.
Example code
terraform {
  required_providers {
    prismacloudcompute = {
      source  = "PaloAltoNetworks/prismacloudcompute"
      version = "0.8.0"
    }
  }
}

provider "prismacloudcompute" {
  config_file = "creds.json"
}

resource "prismacloudcompute_group" "group" {
  name       = "test-group"
  oidc_group = true
  # Note: if role is set, the group is not created at all, because role is NOT
  # allowed when creating a local group; that restriction should not apply when
  # oidc_group = true. Omitting role creates a local group instead, further
  # illustrating that oidc_group = true is not being handled properly.
  # role = "auditor"
}
Context
We configure Twistlock via IaC. We are migrating our legacy IaC solution to Crossplane and/or Terraform. As we use SSO via an OIDC IDP, this blocks us from using this provider to configure groups in our use case.
Your Environment
Version used: v0.8.0
Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): N/A
Operating System and version (desktop or mobile): N/A