Add smallstep_identity_provider and smalltep_idp_client (#35)

Author: areed

docs/data-sources/identity_provider.md

@@ -0,0 +1,24 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_identity_provider Data Source - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  
+---
+
+# smallstep_identity_provider (Data Source)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `authorize_endpoint` (String) The URL where clients authenticate.
+- `issuer` (String) The URL of this identity provider.
+- `jwks_endpoint` (String) The URL where relying parties can read the provider's public key.
+- `token_endpoint` (String) The URL where relying parties exchange authorization codes for identity tokens.
+- `trust_roots` (String) The CA used to verify clients at the authorize endpoint.

docs/data-sources/identity_provider_client.md

@@ -0,0 +1,24 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_identity_provider_client Data Source - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  
+---
+
+# smallstep_identity_provider_client (Data Source)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) The client ID.
+
+### Read-Only
+
+- `redirect_uri` (String) Where user-agents will be sent after authentication attempts.

docs/resources/identity_provider.md

@@ -0,0 +1,45 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_identity_provider Resource - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  
+---
+
+# smallstep_identity_provider (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "smallstep_identity_provider" "my_idp" {
+  trust_roots = file("${path.module}/root.crt")
+}
+
+output "idp_authorize_url" {
+  value = smallstep_identity_provider.my_idp.authorize_endpoint
+}
+
+output "idp_token_url" {
+  value = smallstep_identity_provider.my_idp.token_endpoint
+}
+
+output "idp_jwks_url" {
+  value = smallstep_identity_provider.my_idp.jwks_endpoint
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `trust_roots` (String) The CA used to verify clients at the authorize endpoint.
+
+### Read-Only
+
+- `authorize_endpoint` (String) The URL where clients authenticate.
+- `issuer` (String) The URL of this identity provider.
+- `jwks_endpoint` (String) The URL where relying parties can read the provider's public key.
+- `token_endpoint` (String) The URL where relying parties exchange authorization codes for identity tokens.

docs/resources/identity_provider_client.md

@@ -0,0 +1,50 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_identity_provider_client Resource - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  
+---
+
+# smallstep_identity_provider_client (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "smallstep_identity_provider" "my_idp" {
+  trust_roots = file("${path.module}/root.crt")
+}
+
+resource "smallstep_identity_provider_client" "my_idp_client" {
+  redirect_uri = "https://example.com/callback"
+  store_secret = true
+  depends_on   = [smallstep_identity_provider.my_idp]
+}
+
+output "idp_client_id" {
+  value = smallstep_identity_provider_client.my_idp_client.id
+}
+
+output "idp_client_secret" {
+  value = smallstep_identity_provider_client.my_idp_client.secret
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `redirect_uri` (String) Where user-agents will be sent after authentication attempts.
+
+### Optional
+
+- `store_secret` (Boolean) Whether to store the client_secret in terraform state when it is created. The secret cannot be recovered later.
+- `write_secret_file` (String) If non-empty the client_secret will be written to this filepath when it is created. The secret cannot be recovered later.
+
+### Read-Only
+
+- `id` (String) The client ID.
+- `secret` (String, Sensitive) The secret relying parties will use to authenticate when exchanging an authorization code for an id token.

examples/resources/smallstep_identity_provider/resource.tf

@@ -0,0 +1,16 @@
+
+resource "smallstep_identity_provider" "my_idp" {
+  trust_roots = file("${path.module}/root.crt")
+}
+
+output "idp_authorize_url" {
+  value = smallstep_identity_provider.my_idp.authorize_endpoint
+}
+
+output "idp_token_url" {
+  value = smallstep_identity_provider.my_idp.token_endpoint
+}
+
+output "idp_jwks_url" {
+  value = smallstep_identity_provider.my_idp.jwks_endpoint
+}

examples/resources/smallstep_identity_provider_client/resource.tf

@@ -0,0 +1,18 @@
+
+resource "smallstep_identity_provider" "my_idp" {
+  trust_roots = file("${path.module}/root.crt")
+}
+
+resource "smallstep_identity_provider_client" "my_idp_client" {
+  redirect_uri = "https://example.com/callback"
+  store_secret = true
+  depends_on   = [smallstep_identity_provider.my_idp]
+}
+
+output "idp_client_id" {
+  value = smallstep_identity_provider_client.my_idp_client.id
+}
+
+output "idp_client_secret" {
+  value = smallstep_identity_provider_client.my_idp_client.secret
+}

internal/provider/identity_provider/client_data_source.go

@@ -0,0 +1,127 @@
+package identity_provider
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+
+	v20250101 "github.com/smallstep/terraform-provider-smallstep/internal/apiclient/v20250101"
+	"github.com/smallstep/terraform-provider-smallstep/internal/provider/utils"
+)
+
+var _ datasource.DataSourceWithConfigure = (*ClientDataSource)(nil)
+
+func NewClientDataSource() datasource.DataSource {
+	return &ClientDataSource{}
+}
+
+type ClientDataSource struct {
+	client *v20250101.Client
+}
+
+func (a *ClientDataSource) Metadata(ctx context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = client_name
+}
+
+// Configure adds the Smallstep API client to the data source.
+func (ds *ClientDataSource) Configure(ctx context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	client, ok := req.ProviderData.(*v20250101.Client)
+
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Get Smallstep API client from provider",
+			fmt.Sprintf("Expected *v20250101.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	ds.client = client
+}
+
+func (d *ClientDataSource) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	idp, props, err := utils.Describe("idpClient")
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Parse Smallstep OpenAPI Identity Provider Schema",
+			err.Error(),
+		)
+		return
+	}
+
+	resp.Schema = schema.Schema{
+		MarkdownDescription: idp,
+
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				MarkdownDescription: props["id"],
+				Required:            true,
+			},
+			"redirect_uri": schema.StringAttribute{
+				MarkdownDescription: props["redirectURI"],
+				Computed:            true,
+			},
+		},
+	}
+}
+
+func (ds *ClientDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+	var id string
+	diags := req.Config.GetAttribute(ctx, path.Root("id"), &id)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	if id == "" {
+		resp.Diagnostics.AddError(
+			"Invalid Read Identity Provider Client Request",
+			"ID is required.",
+		)
+		return
+	}
+	httpResp, err := ds.client.GetIdpClient(ctx, id, &v20250101.GetIdpClientParams{})
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Smallstep API Client Error",
+			fmt.Sprintf("Failed to read identity provider client: %v", err),
+		)
+		return
+	}
+	defer httpResp.Body.Close()
+
+	if httpResp.StatusCode == http.StatusNotFound {
+		resp.State.RemoveResource(ctx)
+		return
+	}
+	if httpResp.StatusCode != http.StatusOK {
+		reqID := httpResp.Header.Get("X-Request-Id")
+		resp.Diagnostics.AddError(
+			"Smallstep API Response Error",
+			fmt.Sprintf("Request %q received status %d reading identity provider client: %s", reqID, httpResp.StatusCode, utils.APIErrorMsg(httpResp.Body)),
+		)
+		return
+	}
+
+	remote := &v20250101.IdpClient{}
+	if err := json.NewDecoder(httpResp.Body).Decode(remote); err != nil {
+		resp.Diagnostics.AddError(
+			"Smallstep API Client Error",
+			fmt.Sprintf("Failed to unmarshal identity provider: %v", err),
+		)
+		return
+	}
+
+	model := clientFromAPI(remote)
+
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), model.ID)...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("redirect_uri"), model.RedirectURI)...)
+}

internal/provider/identity_provider/client_data_source_test.go

@@ -0,0 +1,33 @@
+package identity_provider
+
+import (
+	"fmt"
+	"testing"
+
+	helper "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/smallstep/terraform-provider-smallstep/internal/provider/utils"
+)
+
+func TestAccIdentityProviderClientDataSource(t *testing.T) {
+	utils.NewIdentityProvider(t)
+	client := utils.NewIdentityProviderClient(t)
+
+	const config = `
+data "smallstep_identity_provider_client" "my_idp_client" {
+	id = %q
+}`
+	cfg := fmt.Sprintf(config, *client.Id)
+
+	helper.Test(t, helper.TestCase{
+		ProtoV6ProviderFactories: providerFactories,
+		Steps: []helper.TestStep{
+			{
+				Config: cfg,
+				Check: helper.ComposeAggregateTestCheckFunc(
+					helper.TestCheckResourceAttr("data.smallstep_identity_provider_client.my_idp_client", "id", *client.Id),
+					helper.TestCheckResourceAttr("data.smallstep_identity_provider_client.my_idp_client", "redirect_uri", client.RedirectURI),
+				),
+			},
+		},
+	})
+}