✨ Add asset routing table and rule resources (#395)

* ✨ Add asset routing table and rule resources

Add two new Terraform resources for managing org-level asset routing:

- mondoo_asset_routing_table (authoritative): manages the entire routing
  table for an org, replacing all rules atomically on apply
- mondoo_asset_routing_rule (non-authoritative): manages individual
  routing rules independently, ideal for multi-team setups

Depends on server PR #14344 for the GraphQL API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix tflint: add version constraint to example provider configs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update examples to use variables and create spaces

Use org_id variable with data source lookup and create the target
spaces within the example, matching the pattern from other examples.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Switch condition and rule from ListNestedAttribute to ListNestedBlock

Fixes "Unsupported block type" error by using schema.ListNestedBlock
for rule and condition, which supports the natural HCL block syntax.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Remove redundant provider block from asset routing examples

* ©

* Enhance asset routing tests and error handling

- Add conditional execution for asset routing tests based on environment variable.
- Implement error handling for not found errors in asset routing resources.
- Update test cases to reflect new error handling and conditional execution logic.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Mikita Iwanowski <mik@mondoo.com>

Author: 3 people

.github/workflows/test.yml

@@ -65,6 +65,12 @@ jobs:
           - '1.11.*'
           - '1.12.*'
           - '1.13.*'
+        include:
+          # Org-scoped asset routing tests mutate shared state, so only run them
+          # on a single Terraform version to avoid parallel conflicts.
+          # Other entries get run_asset_routing_tests="" which the Go tests treat as false.
+          - terraform: '1.13.*'
+            run_asset_routing_tests: true
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -79,6 +85,7 @@ jobs:
       - env:
           TF_ACC: "1"
           MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CONFIG_BASE64 }}
+          RUN_ASSET_ROUTING_TESTS: ${{ matrix.run_asset_routing_tests }}
         run: go test -v -cover ./internal/provider/
         timeout-minutes: 10
 

examples/resources/mondoo_asset_routing_rule/main.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    mondoo = {
+      source  = "mondoohq/mondoo"
+      version = ">= 0.19"
+    }
+  }
+}

examples/resources/mondoo_asset_routing_rule/resource.tf

@@ -0,0 +1,49 @@
+variable "org_id" {
+  description = "The ID of the organization"
+  type        = string
+}
+
+provider "mondoo" {}
+
+data "mondoo_organization" "current" {
+  id = var.org_id
+}
+
+# Create spaces for routing targets
+resource "mondoo_space" "production" {
+  name   = "production"
+  org_id = var.org_id
+}
+
+resource "mondoo_space" "staging" {
+  name   = "staging"
+  org_id = var.org_id
+}
+
+# Manage individual routing rules independently.
+# Ideal for multi-team setups where each team manages their own rules.
+resource "mondoo_asset_routing_rule" "production" {
+  org_mrn          = data.mondoo_organization.current.mrn
+  target_space_mrn = mondoo_space.production.mrn
+  priority         = 10
+
+  condition {
+    field    = "LABEL"
+    operator = "EQUAL"
+    key      = "env"
+    values   = ["production"]
+  }
+}
+
+resource "mondoo_asset_routing_rule" "staging" {
+  org_mrn          = data.mondoo_organization.current.mrn
+  target_space_mrn = mondoo_space.staging.mrn
+  priority         = 20
+
+  condition {
+    field    = "LABEL"
+    operator = "EQUAL"
+    key      = "env"
+    values   = ["staging"]
+  }
+}

examples/resources/mondoo_asset_routing_table/main.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    mondoo = {
+      source  = "mondoohq/mondoo"
+      version = ">= 0.19"
+    }
+  }
+}

examples/resources/mondoo_asset_routing_table/resource.tf

@@ -0,0 +1,59 @@
+variable "org_id" {
+  description = "The ID of the organization"
+  type        = string
+}
+
+provider "mondoo" {}
+
+data "mondoo_organization" "current" {
+  id = var.org_id
+}
+
+# Create spaces for routing targets
+resource "mondoo_space" "linux" {
+  name   = "linux-assets"
+  org_id = var.org_id
+}
+
+resource "mondoo_space" "windows" {
+  name   = "windows-assets"
+  org_id = var.org_id
+}
+
+resource "mondoo_space" "catch_all" {
+  name   = "catch-all"
+  org_id = var.org_id
+}
+
+# Manage the entire routing table for an organization.
+# Priority is derived from the order of rules (first = highest priority).
+resource "mondoo_asset_routing_table" "example" {
+  org_mrn = data.mondoo_organization.current.mrn
+
+  # Rule 1: Route Linux assets
+  rule {
+    target_space_mrn = mondoo_space.linux.mrn
+
+    condition {
+      field    = "PLATFORM"
+      operator = "EQUAL"
+      values   = ["ubuntu", "debian", "rhel", "amazonlinux"]
+    }
+  }
+
+  # Rule 2: Route Windows assets
+  rule {
+    target_space_mrn = mondoo_space.windows.mrn
+
+    condition {
+      field    = "PLATFORM"
+      operator = "EQUAL"
+      values   = ["windows"]
+    }
+  }
+
+  # Rule 3: Catch-all for everything else
+  rule {
+    target_space_mrn = mondoo_space.catch_all.mrn
+  }
+}

internal/provider/asset_routing_common.go

@@ -0,0 +1,111 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package provider
+
+import (
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	mondoov1 "go.mondoo.com/mondoo-go"
+)
+
+// AssetRoutingConditionModel is the Terraform model for a single routing condition.
+// Shared between mondoo_asset_routing_table and mondoo_asset_routing_rule.
+type AssetRoutingConditionModel struct {
+	Field    types.String `tfsdk:"field"`
+	Operator types.String `tfsdk:"operator"`
+	Values   types.List   `tfsdk:"values"`
+	Key      types.String `tfsdk:"key"`
+}
+
+// assetRoutingConditionSchemaBlock returns a ListNestedBlock for routing conditions,
+// reusable by both the table and rule resources.
+func assetRoutingConditionSchemaBlock() schema.ListNestedBlock {
+	return schema.ListNestedBlock{
+		MarkdownDescription: "Conditions that must all match for this rule to apply (AND logic). If empty, the rule matches all assets (catch-all).",
+		NestedObject: schema.NestedBlockObject{
+			Attributes: map[string]schema.Attribute{
+				"field": schema.StringAttribute{
+					MarkdownDescription: "The field to match on. Valid values: `HOSTNAME`, `PLATFORM`, `LABEL`.",
+					Required:            true,
+					Validators: []validator.String{
+						stringvalidator.OneOf("HOSTNAME", "PLATFORM", "LABEL"),
+					},
+				},
+				"operator": schema.StringAttribute{
+					MarkdownDescription: "The comparison operator. Valid values: `EQUAL`, `NOT_EQUAL`, `CONTAINS`, `MATCHES`.",
+					Required:            true,
+					Validators: []validator.String{
+						stringvalidator.OneOf("EQUAL", "NOT_EQUAL", "CONTAINS", "MATCHES"),
+					},
+				},
+				"values": schema.ListAttribute{
+					MarkdownDescription: "List of values to match against. A condition matches if the field matches any of the listed values (OR logic).",
+					Required:            true,
+					ElementType:         types.StringType,
+				},
+				"key": schema.StringAttribute{
+					MarkdownDescription: "The label key to match on. Required when `field` is `LABEL`.",
+					Optional:            true,
+				},
+			},
+		},
+	}
+}
+
+// conditionsFromModel converts Terraform condition models to GraphQL input types.
+func conditionsFromModel(conditions []AssetRoutingConditionModel) []AssetRoutingConditionInput {
+	result := make([]AssetRoutingConditionInput, len(conditions))
+	for i, c := range conditions {
+		values := make([]mondoov1.String, 0)
+		if !c.Values.IsNull() && !c.Values.IsUnknown() {
+			for _, v := range c.Values.Elements() {
+				if sv, ok := v.(types.String); ok {
+					values = append(values, mondoov1.String(sv.ValueString()))
+				}
+			}
+		}
+
+		input := AssetRoutingConditionInput{
+			Field:    AssetRoutingConditionField(c.Field.ValueString()),
+			Operator: AssetRoutingConditionOperator(c.Operator.ValueString()),
+			Values:   values,
+		}
+		if !c.Key.IsNull() && !c.Key.IsUnknown() && c.Key.ValueString() != "" {
+			key := mondoov1.String(c.Key.ValueString())
+			input.Key = &key
+		}
+		result[i] = input
+	}
+	return result
+}
+
+func isNotFoundError(err error) bool {
+	return err != nil && strings.Contains(err.Error(), "code = NotFound")
+}
+
+// conditionsToModel converts GraphQL condition payloads to Terraform models.
+func conditionsToModel(conditions []AssetRoutingConditionPayload) []AssetRoutingConditionModel {
+	result := make([]AssetRoutingConditionModel, len(conditions))
+	for i, c := range conditions {
+		values := make([]string, len(c.Values))
+		copy(values, c.Values)
+
+		model := AssetRoutingConditionModel{
+			Field:    types.StringValue(c.Field),
+			Operator: types.StringValue(c.Operator),
+			Values:   ConvertListValue(values),
+		}
+		if c.Key != "" {
+			model.Key = types.StringValue(c.Key)
+		} else {
+			model.Key = types.StringNull()
+		}
+		result[i] = model
+	}
+	return result
+}