fix: add support for AuthConfig Cognito (#2029)

Signed-off-by: Kevin McDermott <kevin.mcdermott@suse.com>

Author: bigkevmcd

aspell_custom.txt

@@ -32,3 +32,5 @@ backport
 GKE
 PDB
 PC
+AuthConfig
+Cognito

rancher2/config.go

@@ -1225,6 +1225,8 @@ func getAuthConfigObject(kind string) (interface{}, error) {
 		return &managementClient.KeyCloakConfig{}, nil
 	case managementClient.GenericOIDCConfigType:
 		return &managementClient.GenericOIDCConfig{}, nil
+	case managementClient.CognitoConfigType:
+		return &managementClient.CognitoConfig{}, nil
 	case managementClient.OIDCConfigType:
 		return &managementClient.OIDCConfig{}, nil
 	case managementClient.OKTAConfigType:

rancher2/provider.go

@@ -117,6 +117,7 @@ func Provider() terraform.ResourceProvider {
 			"rancher2_auth_config_keycloak":                          resourceRancher2AuthConfigKeyCloak(),
 			"rancher2_auth_config_okta":                              resourceRancher2AuthConfigOKTA(),
 			"rancher2_auth_config_generic_oidc":                      resourceRancher2AuthConfigGenericOIDC(),
+			"rancher2_auth_config_cognito":                           resourceRancher2AuthConfigCognito(),
 			"rancher2_auth_config_openldap":                          resourceRancher2AuthConfigOpenLdap(),
 			"rancher2_auth_config_ping":                              resourceRancher2AuthConfigPing(),
 			"rancher2_bootstrap":                                     resourceRancher2Bootstrap(),

rancher2/resource_rancher2_auth_config_cognito.go

@@ -0,0 +1,119 @@
+package rancher2
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	managementClient "github.com/rancher/rancher/pkg/client/generated/management/v3"
+)
+
+func resourceRancher2AuthConfigCognito() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceRancher2AuthConfigCognitoCreate,
+		Read:   resourceRancher2AuthConfigCognitoRead,
+		Update: resourceRancher2AuthConfigCognitoUpdate,
+		Delete: resourceRancher2AuthConfigCognitoDelete,
+
+		Schema: authConfigCognitoFields(),
+	}
+}
+
+func resourceRancher2AuthConfigCognitoCreate(d *schema.ResourceData, meta interface{}) error {
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigCognitoName)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed to get Auth Config %s: %s", AuthConfigCognitoName, err)
+	}
+
+	log.Printf("[INFO] Creating Auth Config %s", AuthConfigCognitoName)
+
+	authOIDC, err := expandAuthConfigCognito(d)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed expanding Auth Config %s: %s", AuthConfigCognitoName, err)
+	}
+
+	// Checking if other auth config is enabled
+	if authOIDC.Enabled {
+		err = meta.(*Config).CheckAuthConfigEnabled(AuthConfigCognitoName)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Checking to enable Auth Config %s: %s", AuthConfigCognitoName, err)
+		}
+	}
+
+	newAuth := &managementClient.CognitoConfig{}
+	err = meta.(*Config).UpdateAuthConfig(auth.Links["self"], authOIDC, newAuth)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Updating Auth Config %s: %s", AuthConfigCognitoName, err)
+	}
+
+	return resourceRancher2AuthConfigCognitoRead(d, meta)
+}
+
+func resourceRancher2AuthConfigCognitoRead(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Refreshing Auth Config %s", AuthConfigCognitoName)
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigCognitoName)
+	if err != nil {
+		if IsNotFound(err) {
+			log.Printf("[INFO] Auth Config %s not found.", AuthConfigCognitoName)
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	authOIDC, err := meta.(*Config).GetAuthConfig(auth)
+	if err != nil {
+		return err
+	}
+
+	err = flattenAuthConfigCognito(d, authOIDC.(*managementClient.CognitoConfig))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func resourceRancher2AuthConfigCognitoUpdate(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Updating Auth Config %s", AuthConfigCognitoName)
+	return resourceRancher2AuthConfigCognitoCreate(d, meta)
+}
+
+func resourceRancher2AuthConfigCognitoDelete(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Disabling Auth Config %s", AuthConfigCognitoName)
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigCognitoName)
+	if err != nil {
+		if IsNotFound(err) {
+			log.Printf("[INFO] Auth Config %s not found.", AuthConfigCognitoName)
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	if auth.Enabled == true {
+		err = client.Post(auth.Actions["disable"], nil, nil)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Disabling Auth Config %s: %s", AuthConfigCognitoName, err)
+		}
+	}
+
+	d.SetId("")
+	return nil
+}

rancher2/schema_auth_config_cognito.go

@@ -0,0 +1,24 @@
+package rancher2
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+const AuthConfigCognitoName = "cognito"
+
+//Schemas
+
+func authConfigCognitoFields() map[string]*schema.Schema {
+	fields := oidcSchemaFields()
+
+	fields["name_claim"].Default = "cognito:username"
+
+	// Terraform doesn't allow defaults for Computed fields.
+	//
+	// It's not clear why this field is Computed in the Schema, but we'll set it
+	// to false so we can provide a default.
+	fields["groups_field"].Computed = false
+	fields["groups_field"].Default = "cognito:groups"
+
+	return fields
+}

rancher2/schema_auth_config_cognito_test.go

@@ -0,0 +1,25 @@
+package rancher2
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func TestAuthConfigCognitoResourceDefaults(t *testing.T) {
+	r := resourceRancher2AuthConfigCognito()
+	d := schema.TestResourceDataRaw(t, r.Schema, map[string]any{
+		"client_id":     "client-id",
+		"client_secret": "client-secret",
+		"issuer":        "https://issuer.example.com",
+		"rancher_url":   "https://rancher.example.com/verify-auth",
+	})
+
+	if got := d.Get("name_claim"); got != "cognito:username" {
+		t.Fatalf("unexpected default for name_claim: got %v, want %q", got, "cognito:username")
+	}
+
+	if got := d.Get("group_search_enabled"); got != false {
+		t.Fatalf("unexpected default for group_search_enabled: got %v, want %v", got, false)
+	}
+}

rancher2/schema_auth_config_generic_oidc.go

@@ -1,14 +1,22 @@
 package rancher2
 
 import (
+	"maps"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 )
 
 const AuthConfigGenericOIDCName = "genericoidc"
 
 //Schemas
 
 func authConfigGenericOIDCFields() map[string]*schema.Schema {
+	return oidcSchemaFields()
+}
+
+// This is used by the Cognito and Generic OIDC providers.
+func oidcSchemaFields() map[string]*schema.Schema {
 	s := map[string]*schema.Schema{
 		"client_id": {
 			Type:        schema.TypeString,
@@ -88,11 +96,37 @@ func authConfigGenericOIDCFields() map[string]*schema.Schema {
 			StateFunc:   TrimSpace,
 			Description: "A PEM-encoded private key for the OIDC provider.",
 		},
+		"name_claim": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			StateFunc:   TrimSpace,
+			Description: "The OIDC Claim to use for the user name.",
+		},
+		"email_claim": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			StateFunc:   TrimSpace,
+			Description: "The OIDC Claim to use for the user email.",
+		},
+		"logout_all_enabled": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: "Allow the user to choose whether or not to logout of their session with the IdP.",
+		},
+		"logout_all_forced": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: "Force the user to logout of their session with the IdP.",
+		},
+		"end_session_endpoint": {
+			Type:         schema.TypeString,
+			Optional:     true,
+			ValidateFunc: validation.IsURLWithHTTPS,
+			Description:  "The provider specific URL used for logging a user out of their session.",
+		},
 	}
 
-	for k, v := range authConfigFields() {
-		s[k] = v
-	}
+	maps.Copy(s, authConfigFields())
 
 	return s
 }

rancher2/schema_auth_config_generic_oidc_test.go

@@ -0,0 +1,39 @@
+package rancher2
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAuthConfigGenericOIDCResourceValidateNoData(t *testing.T) {
+	r := resourceRancher2AuthConfigGenericOIDC()
+	d := terraform.NewResourceConfigRaw(map[string]any{})
+	warns, errs := r.Validate(d)
+
+	assert.Empty(t, warns)
+
+	assert.Len(t, errs, 4)
+	joined := errors.Join(errs...)
+	assert.ErrorContains(t, joined, "\"issuer\": required field is not set")
+	assert.ErrorContains(t, joined, "\"client_id\": required field is not set")
+	assert.ErrorContains(t, joined, "\"client_secret\": required field is not set")
+	assert.ErrorContains(t, joined, "\"rancher_url\": required field is not set")
+}
+
+func TestAuthConfigGenericOIDCResourceEndSessionEndpointValidation(t *testing.T) {
+	r := resourceRancher2AuthConfigGenericOIDC()
+	d := terraform.NewResourceConfigRaw(map[string]any{
+		"client_id":            "client-id",
+		"client_secret":        "client-secret",
+		"issuer":               "https://issuer.example.com",
+		"rancher_url":          "https://rancher.example.com/verify-auth",
+		"end_session_endpoint": "test",
+	})
+	warns, errs := r.Validate(d)
+
+	assert.Empty(t, warns)
+	assert.ErrorContains(t, errors.Join(errs...), `expected "end_session_endpoint" to have a host`)
+}