feat: Add OIDC client resource.

This adds support for the OIDC Provider OIDCClient resource.

Author: bigkevmcd

aspell_custom.txt

@@ -43,3 +43,4 @@ destructuring
 yaml
 ttl
 pkce
+oidcclients

rancher2/provider.go

@@ -140,6 +140,7 @@ func Provider() terraform.ResourceProvider {
 			"rancher2_namespace":                                     resourceRancher2Namespace(),
 			"rancher2_node_driver":                                   resourceRancher2NodeDriver(),
 			"rancher2_node_pool":                                     resourceRancher2NodePool(),
+			"rancher2_oidc_client":                                   resourceRancher2OIDCClient(),
 			"rancher2_pod_security_admission_configuration_template": resourceRancher2PodSecurityAdmissionConfigurationTemplate(),
 			"rancher2_project":                                       resourceRancher2Project(),
 			"rancher2_project_role_template_binding":                 resourceRancher2ProjectRoleTemplateBinding(),

rancher2/resource_rancher2_oidc_client.go

@@ -0,0 +1,256 @@
+package rancher2
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"maps"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	managementClient "github.com/rancher/rancher/pkg/client/generated/management/v3"
+)
+
+func resourceRancher2OIDCClient() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceRancher2OIDCClientCreate,
+		Read:   resourceRancher2OIDCClientRead,
+		Update: resourceRancher2OIDCClientUpdate,
+		Delete: resourceRancher2OIDCClientDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceRancher2OIDCClientImport,
+		},
+
+		Schema: oidcClientFields(),
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(5 * time.Minute),
+			Update: schema.DefaultTimeout(5 * time.Minute),
+			Delete: schema.DefaultTimeout(5 * time.Minute),
+		},
+	}
+}
+
+func oidcClientFields() map[string]*schema.Schema {
+	s := map[string]*schema.Schema{
+		"token_expiration_seconds": {
+			Type:         schema.TypeInt,
+			Optional:     true,
+			Computed:     true,
+			Description:  "The duration (in seconds) before an access token and ID token expires.",
+			ValidateFunc: validation.IntAtLeast(1),
+		},
+		"refresh_token_expiration_seconds": {
+			Type:         schema.TypeInt,
+			Optional:     true,
+			Computed:     true,
+			Description:  "The duration (in seconds) a refresh token remains valid before expiration.",
+			ValidateFunc: validation.IntAtLeast(1),
+		},
+		"redirect_uris": {
+			Description: "List of allowed redirect_uris for this client.",
+			Required:    true,
+			Type:        schema.TypeList,
+			Elem: &schema.Schema{
+				Type: schema.TypeString,
+			},
+		},
+		"description": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "OIDCClient description",
+		},
+	}
+
+	maps.Copy(s, commonAnnotationLabelFields())
+
+	return s
+}
+
+func resourceRancher2OIDCClientCreate(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Creating OIDCClient")
+	oidcClient, err := expandOIDCClient(d)
+	if err != nil {
+		return err
+	}
+
+	client, err := meta.(managementClientGetter).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when creating OIDC Client: %s", err)
+		return fmt.Errorf("getting a client when creating OIDC Client: %w", err)
+	}
+
+	updatedClient, err := client.OIDCClient.Create(oidcClient)
+	if err != nil {
+		log.Printf("[ERROR] creating OIDCClient: %s", err)
+		return fmt.Errorf("creating OIDCClient: %w", err)
+	}
+
+	d.SetId(updatedClient.ID)
+
+	return resourceRancher2OIDCClientRead(d, meta)
+}
+
+func resourceRancher2OIDCClientRead(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Refreshing OIDCClient ID %s", d.Id())
+
+	client, err := meta.(managementClientGetter).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when reading OIDC Client: %s", err)
+		return fmt.Errorf("getting a client when reading OIDC Client: %w", err)
+	}
+	oidcClient, err := client.OIDCClient.ByID(d.Id())
+	if err != nil {
+		if IsNotFound(err) || IsForbidden(err) || IsNotAccessibleByID(err) {
+			log.Printf("[INFO] OIDC Client %s not found", d.Id())
+			d.SetId("")
+			return nil
+		}
+		log.Printf("[ERROR] reading OIDC Client %s: %s", d.Id(), err)
+		return fmt.Errorf("reading OIDC Client %s: %w", d.Id(), err)
+	}
+
+	return flattenOIDCClient(d, oidcClient)
+}
+
+func resourceRancher2OIDCClientUpdate(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Updating OIDCClient ID %s", d.Id())
+
+	client, err := meta.(managementClientGetter).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when updating OIDC Client: %s", err)
+		return fmt.Errorf("getting a client when updating OIDC Client: %w", err)
+	}
+
+	oidcClient, err := client.OIDCClient.ByID(d.Id())
+	if err != nil {
+		log.Printf("[ERROR] getting OIDC Client %s for update: %s", d.Id(), err)
+		return fmt.Errorf("getting OIDC Client %s for update: %w", d.Id(), err)
+	}
+
+	update := map[string]any{
+		"labels":                        d.Get("labels"),
+		"annotations":                   d.Get("annotations"),
+		"description":                   d.Get("description"),
+		"redirectURIs":                  d.Get("redirect_uris"),
+		"tokenExpirationSeconds":        d.Get("token_expiration_seconds"),
+		"refreshTokenExpirationSeconds": d.Get("refresh_token_expiration_seconds"),
+	}
+
+	_, err = client.OIDCClient.Update(oidcClient, update)
+	if err != nil {
+		log.Printf("[ERROR] updating OIDC Client %s: %s", d.Id(), err)
+		return fmt.Errorf("updating OIDC Client %s: %w", d.Id(), err)
+	}
+
+	return resourceRancher2OIDCClientRead(d, meta)
+}
+
+func resourceRancher2OIDCClientDelete(d *schema.ResourceData, meta any) error {
+	log.Printf("[INFO] Deleting OIDCClient ID %s", d.Id())
+
+	client, err := meta.(managementClientGetter).ManagementClient()
+	if err != nil {
+		log.Printf("[ERROR] getting a client when deleting OIDC Client: %s", err)
+		return fmt.Errorf("getting a client when deleting OIDC Client: %w", err)
+	}
+
+	oidcClient, err := client.OIDCClient.ByID(d.Id())
+	if err != nil {
+		if IsNotFound(err) || IsForbidden(err) {
+			log.Printf("[INFO] OIDC Client ID %s not found", d.Id())
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("getting OIDC Client %s for deletion: %w", d.Id(), err)
+	}
+
+	err = client.OIDCClient.Delete(oidcClient)
+	if err != nil {
+		if !IsNotFound(err) {
+			log.Printf("[ERROR] deleting OIDC Client %s: %s", d.Id(), err)
+			return fmt.Errorf("deleting OIDC Client %s: %w", d.Id(), err)
+		}
+	}
+
+	d.SetId("")
+	return nil
+}
+
+func expandOIDCClient(in *schema.ResourceData) (*managementClient.OIDCClient, error) {
+	obj := &managementClient.OIDCClient{}
+	if in == nil {
+		return nil, errors.New("expanding OIDC Client: Input ResourceData is nil")
+	}
+
+	if v := in.Id(); len(v) > 0 {
+		obj.ID = v
+	}
+
+	if v, ok := in.GetOk("description"); ok {
+		obj.Description = v.(string)
+	}
+
+	v := in.Get("redirect_uris")
+	obj.RedirectURIs = toArrayString(v.([]any))
+
+	v, ok := in.GetOk("token_expiration_seconds")
+	if ok {
+		// This should be safe because the field is declared as an integer.
+		tokenExpirationSeconds, _ := v.(int)
+		obj.TokenExpirationSeconds = int64(tokenExpirationSeconds)
+	} else {
+		obj.TokenExpirationSeconds = 0
+	}
+
+	v, ok = in.GetOk("refresh_token_expiration_seconds")
+	if ok {
+		// This should be safe because the field is declared as an integer.
+		refreshTokenExpirationSeconds, _ := v.(int)
+		obj.RefreshTokenExpirationSeconds = int64(refreshTokenExpirationSeconds)
+	} else {
+		obj.RefreshTokenExpirationSeconds = 0
+	}
+
+	if v, ok := in.Get("annotations").(map[string]any); ok && len(v) > 0 {
+		obj.Annotations = toMapString(v)
+	}
+
+	if v, ok := in.Get("labels").(map[string]any); ok && len(v) > 0 {
+		obj.Labels = toMapString(v)
+	}
+
+	return obj, nil
+}
+
+func flattenOIDCClient(d *schema.ResourceData, in *managementClient.OIDCClient) error {
+	if in == nil {
+		return errors.New("flattening OIDC Client: Input config is nil")
+	}
+
+	if in.ID != "" {
+		d.SetId(in.ID)
+	}
+
+	return errors.Join(
+		d.Set("description", in.Description),
+		d.Set("redirect_uris", in.RedirectURIs),
+		d.Set("token_expiration_seconds", int(in.TokenExpirationSeconds)),
+		d.Set("refresh_token_expiration_seconds", int(in.RefreshTokenExpirationSeconds)),
+		d.Set("annotations", toMapInterface(in.Annotations)),
+		d.Set("labels", toMapInterface(in.Labels)),
+	)
+}
+
+func resourceRancher2OIDCClientImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	err := resourceRancher2OIDCClientRead(d, meta)
+	if err != nil || d.Id() == "" {
+		return []*schema.ResourceData{}, err
+	}
+
+	return []*schema.ResourceData{d}, nil
+}
+
+type managementClientGetter interface {
+	ManagementClient() (*managementClient.Client, error)
+}