feat: Add OIDC client resource.

bigkevmcd · bigkevmcd · commit 7b87e5c5463c · 2026-04-24T15:49:27.000+01:00
This adds support for the OIDC Provider OIDCClient resource.
diff --git a/aspell_custom.txt b/aspell_custom.txt
@@ -40,3 +40,4 @@ oidc
 eslint
 destructuring
 yaml
+oidcclients
diff --git a/rancher2/provider.go b/rancher2/provider.go
@@ -140,6 +140,7 @@ func Provider() terraform.ResourceProvider {
 			"rancher2_namespace":                                     resourceRancher2Namespace(),
 			"rancher2_node_driver":                                   resourceRancher2NodeDriver(),
 			"rancher2_node_pool":                                     resourceRancher2NodePool(),
+			"rancher2_oidc_client":                                   resourceRancher2OIDCClient(),
 			"rancher2_pod_security_admission_configuration_template": resourceRancher2PodSecurityAdmissionConfigurationTemplate(),
 			"rancher2_project":                                       resourceRancher2Project(),
 			"rancher2_project_role_template_binding":                 resourceRancher2ProjectRoleTemplateBinding(),
diff --git a/rancher2/resource_rancher2_oidc_client.go b/rancher2/resource_rancher2_oidc_client.go
@@ -0,0 +1,225 @@
+package rancher2
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"maps"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	managementClient "github.com/rancher/rancher/pkg/client/generated/management/v3"
+)
+
+func resourceRancher2OIDCClient() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceRancher2OIDCClientCreate,
+		Read:   resourceRancher2OIDCClientRead,
+		Update: resourceRancher2OIDCClientUpdate,
+		Delete: resourceRancher2OIDCClientDelete,
+
+		Schema: oidcClientFields(),
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(5 * time.Minute),
+			Update: schema.DefaultTimeout(5 * time.Minute),
+			Delete: schema.DefaultTimeout(5 * time.Minute),
+		},
+	}
+}
+
+func oidcClientFields() map[string]*schema.Schema {
+	s := map[string]*schema.Schema{
+		"token_expiration_seconds": {
+			Type:         schema.TypeInt,
+			Optional:     true,
+			Computed:     true,
+			Description:  "The duration (in seconds) before an access token and ID token expires. Reducing this will invalidate existing tokens.",
+			ValidateFunc: validation.IntAtLeast(1),
+		},
+		"refresh_token_expiration_seconds": {
+			Type:         schema.TypeInt,
+			Optional:     true,
+			Computed:     true,
+			Description:  "The duration (in seconds) a refresh token remains valid before expiration. Reducing this will invalidate existing tokens.",
+			ValidateFunc: validation.IntAtLeast(1),
+		},
+		"redirect_uris": {
+			Description: "List of allowed redirect_uris for this client.",
+			Required:    true,
+			Type:        schema.TypeList,
+			Elem: &schema.Schema{
+				Type: schema.TypeString,
+			},
+		},
+		"description": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "OIDCClient description",
+		},
+	}
+
+	maps.Copy(s, commonAnnotationLabelFields())
+
+	return s
+}
+
+func resourceRancher2OIDCClientCreate(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Creating OIDCClient")
+	oidcClient, err := expandOIDCClient(d)
+	if err != nil {
+		return err
+	}
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when creating OIDC Client: %s", err)
+		return err
+	}
+
+	updatedClient, err := client.OIDCClient.Create(oidcClient)
+	if err != nil {
+		log.Printf("[ERROR] creating OIDCClient: %s", err)
+		return err
+	}
+
+	d.SetId(updatedClient.ID)
+
+	return resourceRancher2OIDCClientRead(d, meta)
+}
+
+func resourceRancher2OIDCClientRead(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Refreshing OIDCClient ID %s", d.Id())
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when reading OIDC Client: %s", err)
+		return err
+	}
+	oidcClient, err := client.OIDCClient.ByID(d.Id())
+	if err != nil {
+		log.Printf("[ERROR] reading OIDC Client %s: %s", d.Id(), err)
+		return err
+	}
+
+	return flattenOIDCClient(d, oidcClient)
+}
+
+func resourceRancher2OIDCClientUpdate(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Updating OIDCClient ID %s", d.Id())
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when updating OIDC Client: %s", err)
+		return err
+	}
+
+	oidcClient, err := client.OIDCClient.ByID(d.Id())
+	if err != nil {
+		log.Printf("[ERROR] getting OIDC Client %s for update: %s", d.Id(), err)
+		return err
+	}
+
+	update := map[string]any{
+		"description":                      d.Get("description"),
+		"redirectURIs":                     d.Get("redirect_uris"),
+		"token_expiration_seconds":         d.Get("token_expiration_seconds"),
+		"refresh_token_expiration_seconds": d.Get("refresh_token_expiration_seconds"),
+	}
+
+	_, err = client.OIDCClient.Update(oidcClient, update)
+	if err != nil {
+		log.Printf("[ERROR] updating OIDC Client %s: %s", d.Id(), err)
+		return fmt.Errorf("updating OIDC Client %s: %w", d.Id(), err)
+	}
+
+	return resourceRancher2OIDCClientRead(d, meta)
+}
+
+func resourceRancher2OIDCClientDelete(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Deleting OIDCClient ID %s", d.Id())
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when deleting OIDC Client: %s", err)
+		return err
+	}
+
+	oidcClient, err := client.OIDCClient.ByID(d.Id())
+	if err != nil {
+		log.Printf("[ERROR] getting OIDC Client %s for deletion: %s", d.Id(), err)
+		return nil
+	}
+
+	if err := client.OIDCClient.Delete(oidcClient); err != nil {
+		log.Printf("[ERROR] deleting OIDC Client %s: %s", d.Id(), err)
+		return err
+	}
+
+	return nil
+}
+
+func expandOIDCClient(in *schema.ResourceData) (*managementClient.OIDCClient, error) {
+	obj := &managementClient.OIDCClient{}
+	if in == nil {
+		return nil, fmt.Errorf("[ERROR] expanding OidcClient: Input ResourceData is nil")
+	}
+
+	if v := in.Id(); len(v) > 0 {
+		obj.ID = v
+	}
+
+	if v, ok := in.GetOk("description"); ok {
+		obj.Description = v.(string)
+	}
+
+	v := in.Get("redirect_uris")
+	obj.RedirectURIs = toArrayString(v.([]any))
+
+	v, ok := in.GetOk("token_expiration_seconds")
+	if ok {
+		// This should be safe because the field declared as an integer.
+		tokenExpirationSeconds, _ := v.(int)
+		obj.TokenExpirationSeconds = int64(tokenExpirationSeconds)
+	} else {
+		obj.TokenExpirationSeconds = 0
+	}
+
+	v, ok = in.GetOk("refresh_token_expiration_seconds")
+	if ok {
+		// This should be safe because the field declared as an integer.
+		refreshTokenExpirationSeconds, _ := v.(int)
+		obj.RefreshTokenExpirationSeconds = int64(refreshTokenExpirationSeconds)
+	} else {
+		obj.RefreshTokenExpirationSeconds = 0
+	}
+
+	if v, ok := in.Get("annotations").(map[string]any); ok && len(v) > 0 {
+		obj.Annotations = toMapString(v)
+	}
+
+	if v, ok := in.Get("labels").(map[string]any); ok && len(v) > 0 {
+		obj.Labels = toMapString(v)
+	}
+
+	return obj, nil
+}
+
+func flattenOIDCClient(d *schema.ResourceData, in *managementClient.OIDCClient) error {
+	if in == nil {
+		return fmt.Errorf("[ERROR] flattening OIDCClient: Input config is nil")
+	}
+
+	if in.ID != "" {
+		d.SetId(in.ID)
+	}
+
+	return errors.Join(
+		d.Set("description", in.Description),
+		d.Set("redirect_uris", in.RedirectURIs),
+		d.Set("token_expiration_seconds", int(in.TokenExpirationSeconds)),
+		d.Set("refresh_token_expiration_seconds", int(in.RefreshTokenExpirationSeconds)),
+		d.Set("annotations", toMapInterface(in.Annotations)),
+		d.Set("labels", toMapInterface(in.Labels)),
+	)
+}
diff --git a/rancher2/resource_rancher2_oidc_client_test.go b/rancher2/resource_rancher2_oidc_client_test.go
@@ -0,0 +1,123 @@
+package rancher2
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	managementClient "github.com/rancher/rancher/pkg/client/generated/management/v3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFlattenOIDCClient(t *testing.T) {
+	oidcClient := &managementClient.OIDCClient{
+		Name: "testing-client",
+		Annotations: map[string]string{
+			"example.com/testing": "annotation",
+		},
+		Labels: map[string]string{
+			"example.com/testing": "label",
+		},
+		RedirectURIs: []string{
+			"http://127.0.0.1:5556/auth/rancher/callback",
+			"http://127.0.0.1:33418/",
+			"https://vscode.dev/redirect",
+		},
+		Description:                   "Access for Rancher AI Agent",
+		TokenExpirationSeconds:        6000,
+		RefreshTokenExpirationSeconds: 12000,
+	}
+
+	flattened := schema.TestResourceDataRaw(t, oidcClientFields(), nil)
+	err := flattenOIDCClient(flattened, oidcClient)
+	require.NoError(t, err)
+
+	want := map[string]any{
+		"token_expiration_seconds":         6000,
+		"refresh_token_expiration_seconds": 12000,
+		"redirect_uris": []any{
+			"http://127.0.0.1:5556/auth/rancher/callback",
+			"http://127.0.0.1:33418/",
+			"https://vscode.dev/redirect",
+		},
+		"annotations": map[string]any{
+			"example.com/testing": "annotation",
+		},
+		"labels": map[string]any{
+			"example.com/testing": "label",
+		},
+	}
+	for key, want := range want {
+		assert.Equal(t, want, flattened.Get(key), "unexpected output from flattenOIDCClient")
+	}
+}
+
+func TestExpandOIDCClient(t *testing.T) {
+	expandTests := map[string]struct {
+		data map[string]any
+		want *managementClient.OIDCClient
+	}{
+		"all fields populated": {
+			data: map[string]any{
+				"token_expiration_seconds":         6000,
+				"refresh_token_expiration_seconds": 12000,
+				"redirect_uris": []any{
+					"http://127.0.0.1:5556/auth/rancher/callback",
+					"http://127.0.0.1:33418/",
+					"https://vscode.dev/redirect",
+				},
+				"description": "Testing OIDC Client",
+				"annotations": map[string]any{
+					"example.com/testing": "annotation",
+				},
+				"labels": map[string]any{
+					"example.com/testing": "label",
+				},
+			},
+			want: &managementClient.OIDCClient{
+				TokenExpirationSeconds:        6000,
+				RefreshTokenExpirationSeconds: 12000,
+				RedirectURIs: []string{
+					"http://127.0.0.1:5556/auth/rancher/callback",
+					"http://127.0.0.1:33418/",
+					"https://vscode.dev/redirect",
+				},
+				Description: "Testing OIDC Client",
+				Annotations: map[string]string{
+					"example.com/testing": "annotation",
+				},
+				Labels: map[string]string{
+					"example.com/testing": "label",
+				},
+			},
+		},
+		"only required fields populated": {
+			data: map[string]any{
+				"redirect_uris": []any{
+					"http://127.0.0.1:5556/auth/rancher/callback",
+					"http://127.0.0.1:33418/",
+					"https://vscode.dev/redirect",
+				},
+			},
+			want: &managementClient.OIDCClient{
+				TokenExpirationSeconds: 0,
+				RedirectURIs: []string{
+					"http://127.0.0.1:5556/auth/rancher/callback",
+					"http://127.0.0.1:33418/",
+					"https://vscode.dev/redirect",
+				},
+			},
+		},
+	}
+
+	for name, tt := range expandTests {
+		t.Run(name, func(t *testing.T) {
+			inputResourceData := schema.TestResourceDataRaw(t, oidcClientFields(), tt.data)
+
+			expanded, err := expandOIDCClient(inputResourceData)
+			assert.NoError(t, err, "Error in expandOIDCClient")
+
+			assert.Equal(t, tt.want, expanded, "Unexpected output from expandOIDCClient")
+		})
+	}
+}
