
Commit 6de0089

authored
⭐ Detect drift for iam_binding_resource (#372)
We now query the roles currently set for the (scope, identity) pair
1 parent eef226f commit 6de0089

2 files changed

Lines changed: 47 additions & 1 deletion


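--- a/internal/provider/gql.go
+++ b/internal/provider/gql.go
@@ -1284,6 +1284,28 @@ func (c *ExtendedGqlClient) SetRoles(ctx context.Context, input SetRolesInput) (
 err := c.Mutate(ctx, &mutation, input, nil)
 return mutation.SetRoles, err
 }
+
+type GetRolesPayload struct {
+IdentityMrn mondoov1.String `json:"identity_mrn"`
+IdentityEmail *mondoov1.String `json:"identity_email"`
+ScopeMrn mondoov1.String `json:"scope_mrn"`
+Roles []mondoov1.String `json:"roles"`
+}
+
+func (c *ExtendedGqlClient) GetRoles(ctx context.Context, identity string, scopeMrn string) (*GetRolesPayload, error) {
+var query struct {
+GetRoles GetRolesPayload `graphql:"getRoles(identity: $identity, scopeMrn: $scopeMrn)"`
+}
+variables := map[string]interface{}{
+"identity": mondoov1.String(identity),
+"scopeMrn": mondoov1.String(scopeMrn),
+}
+err := c.Query(ctx, &query, variables)
+if err != nil {
+return nil, err
+}
+return &query.GetRoles, nil
+}
 func (c *ExtendedGqlClient) CreateException(
 ctx context.Context,
 scopeMrn string,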
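Review bot: The new exported type GetRolesPayload and method GetRoles have no doc comments, and the `identity` parameter is ambiguous given that the caller in iam_binding_resource.go passes an identity MRN while the payload also carries an IdentityEmail field. Add `// GetRolesPayload is the getRoles query result: the roles currently bound to an identity within a scope.` above the struct and `// GetRoles queries the roles currently bound to identity (an identity MRN) within scopeMrn.` above the method, confirming first that the server only accepts an MRN here. The error from c.Query is returned without context; wrapping it as `return nil, fmt.Errorf("querying roles for %q in %q: %w", identity, scopeMrn, err)` would make the diagnostic the resource emits actionable, provided fmt is already imported in this file.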

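--- a/internal/provider/iam_binding_resource.go
+++ b/internal/provider/iam_binding_resource.go
@@ -162,7 +162,31 @@ func (r *IAMBindingResource) Read(ctx context.Context, req resource.ReadRequest,
 return
 }
 
-// TODO: There's no direct query to get a specific role binding in the GraphQL schema.
+// Query current roles from the API
+rolesPayload, err := r.client.GetRoles(ctx, data.IdentityMrn.ValueString(), data.ResourceMrn.ValueString())
+if err != nil {
+resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to read IAM binding, got error: %s", err))
+return
+}
+
+// Filter out implicit roles (org-member, space-member) that are automatically added
+var explicitRoles []string
+for _, role := range rolesPayload.Roles {
+roleStr := string(role)
+// Skip implicit membership roles
+if roleStr != "//iam.api.mondoo.app/roles/org-member" && roleStr != "//iam.api.mondoo.app/roles/space-member" {
+explicitRoles = append(explicitRoles, roleStr)
+}
+}
+
+// Convert to Terraform list type
+rolesList, diags := types.ListValueFrom(ctx, types.StringType, explicitRoles)
+resp.Diagnostics.Append(diags...)
+if resp.Diagnostics.HasError() {
+return
+}
+
+data.Roles = rolesList
 
 // Save updated data into Terraform state
 resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)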
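Review bot: When every role returned by GetRoles is an implicit membership role, `explicitRoles` stays a nil slice, and `types.ListValueFrom` is likely to produce a null list rather than an empty one, so state would read `roles = null` against a configured `[]` and show a spurious diff; declaring it as `explicitRoles := make([]string, 0, len(rolesPayload.Roles))` avoids that. Separately, if an empty explicit role set means the binding was removed outside Terraform, Read should call `resp.State.RemoveResource(ctx)` and return instead of persisting an empty list — worth confirming against the API's semantics. The two implicit-role MRNs are hard-coded inline here; hoisting them into a package-level set that Create and Update can also consult keeps the drift filter in one place. Read's body starts and ends outside this hunk.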
