Merge pull request #221 from philips-software/feature/220

IAM: Add IAM Role Sharing Policy resource. Refs #220

Author: loafoe

.gitignore

@@ -6,6 +6,7 @@
 *.exe
 b.sh
 .swp
+.*.run
 .DS_Store
 terraform-provider-hsdp
 build/

docs/data-sources/iam_role_sharing_policies.md

@@ -0,0 +1,40 @@
+---
+subcategory: "Identity and Access Management (IAM)"
+---
+
+# hsdp_iam_role_sharing_policies
+
+Lists defined IAM Role Sharing Policies
+
+## Example Usage
+
+```hcl
+data "hsdp_iam_role_sharing_policies" "all" {
+  role_id = var.role_id
+}
+```
+
+```hcl
+output "policy_ids" {
+   value = data.hsdp_iam_role_sharing_policies.all.ids
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `role_id` - (Required) The role ID to search for policies
+* `sharing_policy` - (Optional) Only list results with this policy sharing
+* `target_organization_id` - (Optional) Only list policies targetting the given organization
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `ids` - The IDS of the sharing policies
+* `role_names` - The role names
+* `sharing_policies` - The sharing policies
+* `target_organization_ids` - The target organization IDs
+* `source_organization_ids` - The source organization IDs
+* `purposes` - The purposes

docs/resources/iam_role_sharing_policy.md

@@ -0,0 +1,74 @@
+---
+subcategory: "Identity and Access Management (IAM)"
+---
+
+# hsdp_iam_role_sharing_policy
+
+Provides a resource for managing HSDP IAM Role Sharing Policies, introduced in the
+March 2022 release.
+
+A principal (user / identity) with any of the following permissions can create/update the policy:
+
+* `HSDP_IAM_ROLE_SHARE.WRITE`
+* `HSDP_IAM_ORGANIZATION.MGMT`
+
+!>  Changing any permissions assigned to a shared role impacts the application behavior across organizations and sometimes may result in application downtime.
+Applying a restrictive sharing policy to an organization automatically and recursively removes any existing assignments from all its children - unless the child organization has an overriding policy to retain the assignments. Removal of assignments are permanent and requires re-assignments by the organization administrators
+
+## Example Usage
+
+The following example creates a role sharing policy
+
+```hcl
+# Create the role
+resource "hsdp_iam_role" "shared" {
+  name        = "SOME Role"
+  description = "A role we want to share across ORGs"
+
+  permissions = [
+    "PATIENT.READ",
+    "PRACTITIONER.READ",
+  ]
+
+  managing_organization = hsdp_iam_org.my_org.id
+}
+
+# Share the role
+resource "hsdp_iam_role_sharing_policy" "policy" {
+  role_id        = hsdp_iam_role.shared.id
+  sharing_policy = "AllowChildren"
+  purpose        = "Share SOME role with another organization"
+  
+  target_organization_id = hsdp_iam_org.another_org.id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `role_id` - (Required) The ID of the role to share
+* `sharing_policy` - (Required) The policy to use
+  Sharing of a role with a tenant organization can be in one of the following modes:
+  * Restricted: - The assignment role to group operation shall check and allow assignment to the groups present in the target organizations. Any assignment operation - both upward and downward organization
+      hierarchy - shall fail the API.
+  * AllowChildren: - The assignment role to group operations shall check to restrict the assignment to any group in the target or its children organization. Any assignment operation in the parent organization hierarchy shall fail the API.
+  * Denied: - The tenant organization cannot make use of this role. Any attempt to assign the role shall fail the API.
+* `target_organization_id` - (Required) The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
+* `purpose` - (Optional) The purpose of this role sharing policy mapping
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The GUID of the role sharing policy (also known as `internalId` at the API level)
+* `source_organization_id` - The source organization ID
+* `role_name` - The role name
+
+## Import
+
+An existing role sharing policy can be imported using `terraform import hsdp_iam_role_sharing_policy`, e.g.
+
+```shell
+> terraform import hsdp_iam_role_sharing_policy.mypolicy a-guid
+```

internal/provider/provider.go

@@ -27,6 +27,7 @@ import (
 	"github.com/philips-software/terraform-provider-hsdp/internal/services/iam"
 	"github.com/philips-software/terraform-provider-hsdp/internal/services/iam/client"
 	"github.com/philips-software/terraform-provider-hsdp/internal/services/iam/group"
+	"github.com/philips-software/terraform-provider-hsdp/internal/services/iam/role_sharing_policy"
 	"github.com/philips-software/terraform-provider-hsdp/internal/services/iam/service"
 	"github.com/philips-software/terraform-provider-hsdp/internal/services/metrics"
 	"github.com/philips-software/terraform-provider-hsdp/internal/services/notification"
@@ -297,6 +298,7 @@ func Provider(build string) *schema.Provider {
 			"hsdp_iam_group_membership":                      iam.ResourceIAMGroupMembership(),
 			"hsdp_dicom_notification":                        dicom.ResourceDICOMNotification(),
 			"hsdp_cdr_practitioner":                          practitioner.ResourceCDRPractitioner(),
+			"hsdp_iam_role_sharing_policy":                   role_sharing_policy.ResourceRoleSharingPolicy(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{
 			"hsdp_iam_introspect":                        iam.DataSourceIAMIntrospect(),
@@ -368,6 +370,7 @@ func Provider(build string) *schema.Provider {
 			"hsdp_iam_permission":                        iam.DataSourceIAMPermission(),
 			"hsdp_cdr_practitioner":                      practitioner.DataSourceCDRPractitioner(),
 			"hsdp_cdr_org":                               org.DataSourceCDROrg(),
+			"hsdp_iam_role_sharing_policies":             iam.DataSourceIAMRoleSharingPolicies(),
 		},
 		ConfigureContextFunc: providerConfigure(build),
 	}

internal/services/cdr/org/r4.go

@@ -52,7 +52,7 @@ func r4Create(ctx context.Context, c *config.Config, client *cdr.Client, d *sche
 			return nil, err
 		}
 		return resp.Response, err
-	})
+	}, append(tools.StandardRetryOnCodes, http.StatusNotFound)...) // CDR weirdness
 
 	if err != nil {
 		return diag.FromErr(err)

internal/services/cdr/org/stu3.go

@@ -79,7 +79,7 @@ func stu3Read(ctx context.Context, client *cdr.Client, d *schema.ResourceData) d
 			return nil, err
 		}
 		return resp.Response, err
-	})
+	}, append(tools.StandardRetryOnCodes, http.StatusNotFound)...) // CDR weirdness
 	if err != nil {
 		if resp != nil && (resp.StatusCode == http.StatusNotFound || resp.StatusCode == http.StatusGone) {
 			d.SetId("")

internal/services/cdr/practitioner/stu3.go

@@ -75,7 +75,7 @@ func stu3Create(ctx context.Context, c *config.Config, client *cdr.Client, d *sc
 		return diag.FromErr(err)
 	}
 
-	err = tools.TryHTTPCall(ctx, 5, func() (*http.Response, error) {
+	err = tools.TryHTTPCall(ctx, 8, func() (*http.Response, error) {
 		var resp *cdr.Response
 		var err error
 
@@ -101,7 +101,7 @@ func stu3Read(ctx context.Context, _ *config.Config, client *cdr.Client, d *sche
 	var resp *cdr.Response
 	var contained *resources_go_proto.ContainedResource
 
-	err := tools.TryHTTPCall(ctx, 5, func() (*http.Response, error) {
+	err := tools.TryHTTPCall(ctx, 8, func() (*http.Response, error) {
 		var err error
 
 		contained, resp, err = client.OperationsSTU3.Get("Practitioner/" + d.Id())
@@ -112,7 +112,7 @@ func stu3Read(ctx context.Context, _ *config.Config, client *cdr.Client, d *sche
 			return nil, fmt.Errorf("OperationsSTU3.Get: response is nil")
 		}
 		return resp.Response, err
-	})
+	}, append(tools.StandardRetryOnCodes, http.StatusNotFound)...) // CDR weirdness
 	if err != nil {
 		if resp != nil && (resp.StatusCode == http.StatusNotFound || resp.StatusCode == http.StatusGone) {
 			d.SetId("")

internal/services/iam/data_source_iam_role_sharing_policies.go

@@ -0,0 +1,114 @@
+package iam
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/philips-software/go-hsdp-api/iam"
+	"github.com/philips-software/terraform-provider-hsdp/internal/config"
+)
+
+func DataSourceIAMRoleSharingPolicies() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceIAMRoleSharingPoliciesRead,
+		Schema: map[string]*schema.Schema{
+			"role_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"target_organization_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"sharing_policy": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"ids": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"sharing_policies": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"target_organization_ids": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"source_organization_ids": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"role_names": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"purposes": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+		},
+	}
+
+}
+
+func dataSourceIAMRoleSharingPoliciesRead(_ context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	c := meta.(*config.Config)
+
+	var diags diag.Diagnostics
+
+	client, err := c.IAMClient()
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	roleID := d.Get("role_id").(string)
+	sharingPolicy := d.Get("sharing_policy").(string)
+	targetOrganizationID := d.Get("target_organization_id").(string)
+
+	listOptions := &iam.ListSharingPoliciesOptions{}
+	if sharingPolicy != "" {
+		listOptions.SharingPolicy = &sharingPolicy
+	}
+	if targetOrganizationID != "" {
+		listOptions.TargetOrganizationID = &targetOrganizationID
+	}
+
+	policies, _, err := client.Roles.ListSharingPolicies(iam.Role{ID: roleID}, listOptions)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	var ids []string
+	var sharingPolicies []string
+	var targetOrganizationIDs []string
+	var sourceOrganizationIDs []string
+	var roleNames []string
+	var purposes []string
+
+	for _, policy := range *policies {
+		ids = append(ids, policy.InternalID)
+		sharingPolicies = append(sharingPolicies, policy.SharingPolicy)
+		targetOrganizationIDs = append(targetOrganizationIDs, policy.TargetOrganizationID)
+		sourceOrganizationIDs = append(sourceOrganizationIDs, policy.TargetOrganizationID)
+		roleNames = append(roleNames, policy.RoleName)
+		purposes = append(purposes, policy.Purpose)
+	}
+	_ = d.Set("ids", ids)
+	_ = d.Set("sharing_policies", sharingPolicies)
+	_ = d.Set("target_organization_ids", targetOrganizationIDs)
+	_ = d.Set("source_organization_ids", sourceOrganizationIDs)
+	_ = d.Set("role_names", roleNames)
+	_ = d.Set("purposes", purposes)
+
+	d.SetId(roleID + targetOrganizationID)
+	return diags
+}