Merge branch 'main' into nithish/TF-32131-update-policyset-1

Author: nithishravindra

CHANGELOG.md

@@ -4,8 +4,10 @@
 * Improve API error handling to decode both JSON:API error objects and regular JSON errors arrays by @uk1288 [#1304](https://github.com/hashicorp/go-tfe/pull/1304)
 
 ## Enhancements
-* Adds the `ProviderType` field to `AdminSAMLSetting` and `AdminSAMLSettingsUpdateOptions` to support the `provider-type` SAML setting.
-* Adds `PolicyUpdatePatterns` to `PolicySet`, `PolicySetCreateOptions`, and `PolicySetUpdateOptions` to support `policy-update-patterns` by @nithishravindra
+
+* Adds the `ProviderType` field to `AdminSAMLSetting` and `AdminSAMLSettingsUpdateOptions` to support the `provider-type` SAML setting by @skj-skj [#1303](https://github.com/hashicorp/go-tfe/pull/1303)
+* Adds `AdminSCIMSetting` to support managing site-level SCIM settings by @skj-skj [#1307](https://github.com/hashicorp/go-tfe/pull/1307)
+* Adds `PolicyUpdatePatterns` to `PolicySet`, `PolicySetCreateOptions`, and `PolicySetUpdateOptions` to support `policy-update-patterns` by @nithishravindra [#1306](https://github.com/hashicorp/go-tfe/pull/1306)
 
 # v1.103.0
 

admin_setting.go

@@ -15,6 +15,7 @@ type AdminSettings struct {
 	Twilio         TwilioSettings
 	Customization  CustomizationSettings
 	OIDC           OIDCSettings
+	SCIM           SCIMSettings
 }
 
 func newAdminSettings(client *Client) *AdminSettings {
@@ -26,5 +27,6 @@ func newAdminSettings(client *Client) *AdminSettings {
 		Twilio:         &adminTwilioSettings{client: client},
 		Customization:  &adminCustomizationSettings{client: client},
 		OIDC:           &adminOIDCSettings{client: client},
+		SCIM:           &adminSCIMSettings{client: client},
 	}
 }

admin_setting_scim.go

@@ -0,0 +1,88 @@
+// Copyright IBM Corp. 2018, 2026
+// SPDX-License-Identifier: MPL-2.0
+
+package tfe
+
+import (
+	"context"
+)
+
+// Compile-time proof of interface implementation.
+var _ SCIMSettings = (*adminSCIMSettings)(nil)
+
+// SCIMSettings describes all the scim settings related methods that the Terraform
+// Enterprise API supports
+//
+// TFE API docs: https://developer.hashicorp.com/terraform/enterprise/api-docs/admin/settings
+type SCIMSettings interface {
+	// Read scim settings
+	Read(ctx context.Context) (*AdminSCIMSetting, error)
+
+	// Update scim settings
+	Update(ctx context.Context, options AdminSCIMSettingUpdateOptions) (*AdminSCIMSetting, error)
+
+	// Delete scim settings
+	Delete(ctx context.Context) error
+}
+
+// adminSCIMSettings implements SCIMSettings.
+type adminSCIMSettings struct {
+	client *Client
+}
+
+// AdminSCIMSetting represents the SCIM setting in Terraform Enterprise
+type AdminSCIMSetting struct {
+	ID                        string `jsonapi:"primary,scim-settings"`
+	Enabled                   bool   `jsonapi:"attr,enabled"`
+	Paused                    bool   `jsonapi:"attr,paused"`
+	SiteAdminGroupSCIMID      string `jsonapi:"attr,site-admin-group-scim-id"`
+	SiteAdminGroupDisplayName string `jsonapi:"attr,site-admin-group-display-name"`
+}
+
+// AdminSCIMSettingUpdateOptions represents the options for updating an admin SCIM setting.
+type AdminSCIMSettingUpdateOptions struct {
+	Enabled              *bool   `jsonapi:"attr,enabled,omitempty"`
+	Paused               *bool   `jsonapi:"attr,paused,omitempty"`
+	SiteAdminGroupSCIMID *string `jsonapi:"attr,site-admin-group-scim-id,omitempty"`
+}
+
+// Read scim setting.
+func (a *adminSCIMSettings) Read(ctx context.Context) (*AdminSCIMSetting, error) {
+	req, err := a.client.NewRequest("GET", "admin/scim-settings", nil)
+	if err != nil {
+		return nil, err
+	}
+
+	scim := &AdminSCIMSetting{}
+	err = req.Do(ctx, scim)
+	if err != nil {
+		return nil, err
+	}
+
+	return scim, nil
+}
+
+// Update scim setting.
+func (a *adminSCIMSettings) Update(ctx context.Context, options AdminSCIMSettingUpdateOptions) (*AdminSCIMSetting, error) {
+	req, err := a.client.NewRequest("PATCH", "admin/scim-settings", &options)
+	if err != nil {
+		return nil, err
+	}
+
+	scim := &AdminSCIMSetting{}
+	err = req.Do(ctx, scim)
+	if err != nil {
+		return nil, err
+	}
+	return scim, nil
+}
+
+// Delete scim setting.
+func (a *adminSCIMSettings) Delete(ctx context.Context) error {
+	req, err := a.client.NewRequest("DELETE", "admin/scim-settings", nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}

admin_setting_scim_integration_test.go

@@ -0,0 +1,196 @@
+// Copyright IBM Corp. 2018, 2026
+// SPDX-License-Identifier: MPL-2.0
+
+package tfe
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAdminSettings_SCIM_Read(t *testing.T) {
+	skipUnlessEnterprise(t)
+	client := testClient(t)
+	ctx := context.Background()
+
+	t.Run("read scim settings with default values", func(t *testing.T) {
+		scimSettings, err := client.Admin.Settings.SCIM.Read(ctx)
+		require.NoError(t, err)
+
+		assert.Equal(t, "scim", scimSettings.ID)
+		assert.False(t, scimSettings.Enabled)
+		assert.False(t, scimSettings.Paused)
+		assert.Empty(t, scimSettings.SiteAdminGroupSCIMID)
+		assert.Empty(t, scimSettings.SiteAdminGroupDisplayName)
+	})
+}
+
+func TestAdminSettings_SCIM_Update(t *testing.T) {
+	skipUnlessEnterprise(t)
+	client := testClient(t)
+	ctx := context.Background()
+
+	enableSAML(ctx, t, client, true)
+	defer enableSAML(ctx, t, client, false)
+
+	scimClient := client.Admin.Settings.SCIM
+
+	t.Run("enable scim settings", func(t *testing.T) {
+		err := setSAMLProviderType(ctx, t, client, true)
+		require.NoErrorf(t, err, "failed to set SAML provider type")
+		defer cleanupSCIMSettings(ctx, t, client)
+
+		scimSettings, err := scimClient.Update(ctx, AdminSCIMSettingUpdateOptions{Enabled: Bool(true)})
+		require.NoError(t, err)
+
+		assert.True(t, scimSettings.Enabled)
+	})
+
+	t.Run("pause scim settings", func(t *testing.T) {
+		err := setSAMLProviderType(ctx, t, client, true)
+		require.NoErrorf(t, err, "failed to set SAML provider type")
+		defer cleanupSCIMSettings(ctx, t, client)
+
+		_, err = scimClient.Update(ctx, AdminSCIMSettingUpdateOptions{
+			Enabled: Bool(true),
+		})
+		require.NoError(t, err)
+
+		testCases := []struct {
+			name   string
+			paused bool
+		}{
+			{"pause scim provisioning", true},
+			{"unpause scim provisioning", false},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				_, err := scimClient.Update(ctx, AdminSCIMSettingUpdateOptions{Paused: &tc.paused})
+				require.NoError(t, err)
+				scimSettings, err := scimClient.Read(ctx)
+				require.NoError(t, err)
+				assert.Equal(t, tc.paused, scimSettings.Paused)
+			})
+		}
+	})
+
+	t.Run("update site admin group scim id", func(t *testing.T) {
+		err := setSAMLProviderType(ctx, t, client, true)
+		require.NoErrorf(t, err, "failed to set SAML provider type")
+		defer cleanupSCIMSettings(ctx, t, client)
+
+		_, err = scimClient.Update(ctx, AdminSCIMSettingUpdateOptions{Enabled: Bool(true)})
+		require.NoError(t, err)
+
+		scimToken := generateSCIMToken(ctx, t, client)
+		scimGroupID := createSCIMGroup(ctx, t, client, "foo", scimToken)
+
+		testCases := []struct {
+			name        string
+			scimGroupID string
+			raiseError  bool
+		}{
+			{"link scim group to site admin role", scimGroupID, false},
+			{"trying to link non-existent group - should raise error", "this-group-doesn't-exist", true},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				_, err := scimClient.Update(ctx, AdminSCIMSettingUpdateOptions{SiteAdminGroupSCIMID: &tc.scimGroupID})
+				if tc.raiseError {
+					require.Error(t, err)
+					return
+				}
+				require.NoError(t, err)
+				scimSettings, err := scimClient.Read(ctx)
+				require.NoError(t, err)
+				assert.Equal(t, tc.scimGroupID, scimSettings.SiteAdminGroupSCIMID)
+				assert.Equal(t, "foo", scimSettings.SiteAdminGroupDisplayName)
+			})
+		}
+	})
+}
+
+func TestAdminSettings_SCIM_Delete(t *testing.T) {
+	skipUnlessEnterprise(t)
+	client := testClient(t)
+	ctx := context.Background()
+
+	enableSAML(ctx, t, client, true)
+	defer enableSAML(ctx, t, client, false)
+
+	scimClient := client.Admin.Settings.SCIM
+
+	t.Run("disable scim settings", func(t *testing.T) {
+		err := setSAMLProviderType(ctx, t, client, true)
+		require.NoErrorf(t, err, "failed to set SAML provider type")
+		defer cleanupSCIMSettings(ctx, t, client)
+
+		testCases := []struct {
+			name          string
+			isScimEnabled bool
+		}{
+			{"disable scim provisioning when it's already enabled", true},
+			{"disable scim provisioning when it's already disabled - should not raise error", false},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				if tc.isScimEnabled {
+					_, err := scimClient.Update(ctx, AdminSCIMSettingUpdateOptions{Enabled: Bool(true)})
+					require.NoError(t, err)
+				}
+
+				err := scimClient.Delete(ctx)
+				require.NoError(t, err)
+
+				scimSettings, err := scimClient.Read(ctx)
+				require.NoError(t, err)
+				assert.False(t, scimSettings.Enabled)
+			})
+		}
+	})
+}
+
+// cleanup scim settings by disabling scim provisioning and setting saml provider type to unknown.
+func cleanupSCIMSettings(ctx context.Context, t *testing.T, client *Client) {
+	t.Helper()
+	scimSettings, err := client.Admin.Settings.SCIM.Read(ctx)
+	if err == nil && scimSettings.Enabled {
+		err = client.Admin.Settings.SCIM.Delete(ctx)
+		require.NoErrorf(t, err, "failed to disable SCIM provisioning")
+	}
+
+	err = setSAMLProviderType(ctx, t, client, false)
+	require.NoErrorf(t, err, "failed to set SAML provider type")
+}
+
+// generate a SCIM token for testing
+func generateSCIMToken(ctx context.Context, t *testing.T, client *Client) string {
+	t.Helper()
+	// TFE requires a minimum of 30 days for SCIM token expiration
+	expiredAt := time.Now().Add(30 * 24 * time.Hour)
+
+	options := struct {
+		Description *string    `jsonapi:"attr,description"`
+		ExpiredAt   *time.Time `jsonapi:"attr,expired-at,iso8601"`
+	}{
+		Description: String("test-scim-token"),
+		ExpiredAt:   &expiredAt,
+	}
+	req, err := client.NewRequest("POST", "admin/scim-tokens", &options)
+	require.NoError(t, err)
+
+	var res struct {
+		Token string `jsonapi:"attr,token"`
+	}
+	err = req.Do(ctx, &res)
+	require.NoError(t, err)
+
+	return res.Token
+}

agent_integration_test.go

@@ -33,11 +33,13 @@ func TestAgentsRead(t *testing.T) {
 		assert.Equal(t, agent, k)
 	})
 
-	t.Run("when the agent does not exist", func(t *testing.T) {
-		k, err := client.Agents.Read(ctx, "nonexistent")
-		assert.Nil(t, k)
-		assert.Equal(t, err, ErrResourceNotFound)
-	})
+	// NOTE!! Commenting out test to unblock PRs pending a fix in the API.
+	// Please re-enable once the API is fixed.
+	// t.Run("when the agent does not exist", func(t *testing.T) {
+	// 	k, err := client.Agents.Read(ctx, "nonexistent")
+	// 	assert.Nil(t, k)
+	// 	assert.Equal(t, err, ErrResourceNotFound)
+	// })
 
 	t.Run("without a valid agent ID", func(t *testing.T) {
 		k, err := client.Agents.Read(ctx, badIdentifier)

generate_mocks.sh

@@ -14,6 +14,7 @@ mockgen -source=admin_setting_customization.go -destination=mocks/admin_setting_
 mockgen -source=admin_setting_general.go -destination=mocks/admin_setting_general_mocks.go -package=mocks
 mockgen -source=admin_setting_oidc.go -destination=mocks/admin_setting_oidc_mocks.go -package=mocks
 mockgen -source=admin_setting_saml.go -destination=mocks/admin_setting_saml_mocks.go -package=mocks
+mockgen -source=admin_setting_scim.go -destination=mocks/admin_setting_scim_mocks.go -package=mocks
 mockgen -source=admin_setting_smtp.go -destination=mocks/admin_setting_smtp_mocks.go -package=mocks
 mockgen -source=admin_setting_twilio.go -destination=mocks/admin_setting_twilio_mocks.go -package=mocks
 mockgen -source=admin_terraform_version.go -destination=mocks/admin_terraform_version_mocks.go -package=mocks