From 085c067463464a0496a5b2393c884c968c0c1e82 Mon Sep 17 00:00:00 2001 From: btfhernandez <133419363+btfhernandez@users.noreply.github.com> Date: Fri, 8 Nov 2024 09:40:53 -0500 Subject: [PATCH] feat: add writing managed accounts feature in terraform provider (#86) * feat: add writing managed accounts feature in terraform provider * fix: solve PR comments * fix: solve PR comments * chore: update go client library version in go.mod file --- go.mod | 4 +- go.sum | 18 +-- provider/provider.go | 303 ++++++++++++++++++++++++++++++++++++++++++- terraform/main.tf | 8 ++ 4 files changed, 314 insertions(+), 19 deletions(-) diff --git a/go.mod b/go.mod index 810984b..83ebaa4 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,6 @@ require ( github.com/hashicorp/terraform-plugin-sdk/v2 v2.32.0 github.com/joho/godotenv v1.5.1 go.uber.org/zap v1.27.0 - golang.org/x/crypto v0.26.0 ) require ( @@ -18,10 +17,11 @@ require ( github.com/go-playground/validator/v10 v10.19.0 // indirect github.com/leodido/go-urn v1.4.0 // indirect go.uber.org/multierr v1.11.0 // indirect + golang.org/x/crypto v0.26.0 // indirect ) require ( - github.com/BeyondTrust/go-client-library-passwordsafe v0.8.1 + github.com/BeyondTrust/go-client-library-passwordsafe v0.9.0 github.com/agext/levenshtein v1.2.2 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/fatih/color v1.13.0 // indirect diff --git a/go.sum b/go.sum index cacad1d..94f0b4c 100644 --- a/go.sum +++ b/go.sum @@ -1,19 +1,11 @@ -github.com/BeyondTrust/go-client-library-passwordsafe v0.6.0 h1:3zdjZl8h3/9DzTnpWqAzhiUqMwIzpU+EL0grJ7BODV8= -github.com/BeyondTrust/go-client-library-passwordsafe v0.6.0/go.mod h1:TnbBwWYg9rtfDxQGF7pmD0gCPcbWgCUQIqum3dFMRTk= -github.com/BeyondTrust/go-client-library-passwordsafe v0.7.0 h1:l+Fssf3jAyoOWCLFWEfYtXqrwrdyrjdtJN0alj/4hm4= -github.com/BeyondTrust/go-client-library-passwordsafe v0.7.0/go.mod h1:TnbBwWYg9rtfDxQGF7pmD0gCPcbWgCUQIqum3dFMRTk= -github.com/BeyondTrust/go-client-library-passwordsafe v0.8.0 h1:F1ZHkaZsaIILBlzX90JEDS3WGRicZWQkZO04hHftu0M= -github.com/BeyondTrust/go-client-library-passwordsafe v0.8.0/go.mod h1:TnbBwWYg9rtfDxQGF7pmD0gCPcbWgCUQIqum3dFMRTk= -github.com/BeyondTrust/go-client-library-passwordsafe v0.8.1 h1:duuYLAx4xsdVgibSap1nHoLyYIj/IXdzmnUXjZw7Dmw= -github.com/BeyondTrust/go-client-library-passwordsafe v0.8.1/go.mod h1:TnbBwWYg9rtfDxQGF7pmD0gCPcbWgCUQIqum3dFMRTk= +github.com/BeyondTrust/go-client-library-passwordsafe v0.9.0 h1:7uY74cRTycrdmae/6Jm46Ji0NLcEWfmk8gWNb5+LVZA= +github.com/BeyondTrust/go-client-library-passwordsafe v0.9.0/go.mod h1:TnbBwWYg9rtfDxQGF7pmD0gCPcbWgCUQIqum3dFMRTk= github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE= github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA= -github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= -github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -25,6 +17,7 @@ github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uq github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= @@ -73,8 +66,8 @@ github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwA github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= @@ -99,8 +92,8 @@ github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI= github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= @@ -111,6 +104,7 @@ github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zclconf/go-cty v1.14.2 h1:kTG7lqmBou0Zkx35r6HJHUQTvaRPr5bIAf3AoHS0izI= github.com/zclconf/go-cty v1.14.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= diff --git a/provider/provider.go b/provider/provider.go index bc8ac00..ea75ef5 100644 --- a/provider/provider.go +++ b/provider/provider.go @@ -13,6 +13,7 @@ import ( "time" auth "github.com/BeyondTrust/go-client-library-passwordsafe/api/authentication" + "github.com/BeyondTrust/go-client-library-passwordsafe/api/entities" "github.com/BeyondTrust/go-client-library-passwordsafe/api/logging" managed_accounts "github.com/BeyondTrust/go-client-library-passwordsafe/api/managed_account" "github.com/BeyondTrust/go-client-library-passwordsafe/api/secrets" @@ -46,6 +47,9 @@ var zapLogger = logging.NewZapLogger(logger) // Provider Definition. func Provider() *schema.Provider { return &schema.Provider{ + ResourcesMap: map[string]*schema.Resource{ + "passwordsafe_managed_account": resourceManagedAccount(), + }, DataSourcesMap: map[string]*schema.Resource{ "passwordsafe_secret": getSecretByPath(), "passwordsafe_managed_account": getManagedAccount(), @@ -169,7 +173,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{} certificate := "" certificateKey := "" - var err error = nil + var err error if clientCertificateName != "" { certificate, certificateKey, err = utils.GetPFXContent(clientCertificatePath, clientCertificateName, clientCertificatePassword, zapLogger) @@ -248,6 +252,279 @@ func getManagedAccount() *schema.Resource { } } +// resourceManagedAccount Resource. +func resourceManagedAccount() *schema.Resource { + return &schema.Resource{ + Create: resourceManagedAccountCreate, + Read: resourceManagedAccountRead, + Update: resourceManagedAccountUpdate, + Delete: resourceManagedAccountDelete, + + Schema: map[string]*schema.Schema{ + "system_name": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + "account_name": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + "password": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + "domain_name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "user_principal_name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "sam_account_name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "distinguished_name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "private_key": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "passphrase": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "password_fallback_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "login_account_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "password_rule_id": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + Default: 0, + }, + "api_enabled": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "release_notification_email": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "change_services_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "restart_services_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "change_tasks_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "release_duration": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + }, + "max_release_duration": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + }, + "isa_release_duration": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + }, + "max_concurrent_requests": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + }, + "auto_management_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "dss_auto_management_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "check_password_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "change_password_after_any_release_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "reset_password_on_mismatch_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "change_frequency_type": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "change_frequency_days": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + }, + "change_time": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "next_change_date": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "use_own_credentials": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "workgroup_id": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + }, + "change_windows_auto_logon_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "change_com_plus_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "change_dcom_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "change_scom_flag": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + }, + "object_id": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + }, + } +} + +// Create context for resourceManagedAccount Resource. +func resourceManagedAccountCreate(d *schema.ResourceData, m interface{}) error { + + authenticationObj := m.(*auth.AuthenticationObj) + system_name := d.Get("system_name").(string) + + mu.Lock() + if atomic.LoadUint64(&signInCount) > 0 { + atomic.AddUint64(&signInCount, 1) + zapLogger.Debug(fmt.Sprintf("%v %v", "Already signed in", atomic.LoadUint64(&signInCount))) + mu.Unlock() + + } else { + _, err := authenticationObj.GetPasswordSafeAuthentication() + if err != nil { + mu.Unlock() + zapLogger.Error(err.Error()) + return err + } + atomic.AddUint64(&signInCount, 1) + zapLogger.Debug(fmt.Sprintf("%v %v", "signin", atomic.LoadUint64(&signInCount))) + mu.Unlock() + } + + manageAccountObj, _ := managed_accounts.NewManagedAccountObj(*authenticationObj, zapLogger) + + accountDetailsObj := entities.AccountDetails{ + AccountName: d.Get("account_name").(string), + Password: d.Get("password").(string), + DomainName: d.Get("domain_name").(string), + UserPrincipalName: d.Get("user_principal_name").(string), + SAMAccountName: d.Get("sam_account_name").(string), + DistinguishedName: d.Get("distinguished_name").(string), + PrivateKey: d.Get("private_key").(string), + Passphrase: d.Get("passphrase").(string), + PasswordFallbackFlag: d.Get("password_fallback_flag").(bool), + LoginAccountFlag: d.Get("login_account_flag").(bool), + Description: d.Get("description").(string), + ApiEnabled: d.Get("api_enabled").(bool), + ReleaseNotificationEmail: d.Get("release_notification_email").(string), + ChangeServicesFlag: d.Get("change_services_flag").(bool), + RestartServicesFlag: d.Get("restart_services_flag").(bool), + ChangeTasksFlag: d.Get("change_tasks_flag").(bool), + ReleaseDuration: d.Get("release_duration").(int), + MaxReleaseDuration: d.Get("max_release_duration").(int), + ISAReleaseDuration: d.Get("isa_release_duration").(int), + MaxConcurrentRequests: d.Get("max_concurrent_requests").(int), + AutoManagementFlag: d.Get("auto_management_flag").(bool), + DSSAutoManagementFlag: d.Get("dss_auto_management_flag").(bool), + CheckPasswordFlag: d.Get("check_password_flag").(bool), + ResetPasswordOnMismatchFlag: d.Get("reset_password_on_mismatch_flag").(bool), + ChangePasswordAfterAnyReleaseFlag: d.Get("change_password_after_any_release_flag").(bool), + ChangeFrequencyType: d.Get("change_frequency_type").(string), + ChangeFrequencyDays: d.Get("change_frequency_days").(int), + ChangeTime: d.Get("change_time").(string), + NextChangeDate: d.Get("next_change_date").(string), + UseOwnCredentials: d.Get("use_own_credentials").(bool), + ChangeWindowsAutoLogonFlag: d.Get("change_windows_auto_logon_flag").(bool), + ChangeComPlusFlag: d.Get("change_com_plus_flag").(bool), + ChangeDComFlag: d.Get("change_dcom_flag").(bool), + ChangeSComFlag: d.Get("change_scom_flag").(bool), + ObjectID: d.Get("object_id").(string), + } + + _, err := manageAccountObj.ManageAccountCreateFlow(system_name, accountDetailsObj) + + if err != nil { + return err + } + + mu_out.Lock() + if atomic.LoadUint64(&signInCount) > 1 { + zapLogger.Debug(fmt.Sprintf("%v %v", "Ignore signout", atomic.LoadUint64(&signInCount))) + // decrement counter, don't signout. + atomic.AddUint64(&signInCount, ^uint64(0)) + mu_out.Unlock() + } else { + err = authenticationObj.SignOut() + if err != nil { + return err + } + zapLogger.Debug(fmt.Sprintf("%v %v", "signout user", atomic.LoadUint64(&signInCount))) + // decrement counter + atomic.AddUint64(&signInCount, ^uint64(0)) + mu_out.Unlock() + + } + + d.SetId(accountDetailsObj.AccountName) + return nil +} + +// Read context for resourceManagedAccount Resource. +func resourceManagedAccountRead(d *schema.ResourceData, m interface{}) error { + return nil +} + +// Update context for resourceManagedAccount Resource. +func resourceManagedAccountUpdate(d *schema.ResourceData, m interface{}) error { + return nil +} + +// Delete context for resourceManagedAccount Resource. +func resourceManagedAccountDelete(d *schema.ResourceData, m interface{}) error { + return nil +} + // Read context for getManagedAccount Datasource. func getManagedAccountReadContext(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics { @@ -283,7 +560,12 @@ func getManagedAccountReadContext(ctx context.Context, d *schema.ResourceData, m return diag.FromErr(err) } - d.Set("value", gotManagedAccount) + err = d.Set("value", gotManagedAccount) + + if err != nil { + return diag.FromErr(err) + } + d.SetId(hash(gotManagedAccount)) mu_out.Lock() @@ -293,7 +575,10 @@ func getManagedAccountReadContext(ctx context.Context, d *schema.ResourceData, m atomic.AddUint64(&signInCount, ^uint64(0)) mu_out.Unlock() } else { - authenticationObj.SignOut() + err = authenticationObj.SignOut() + if err != nil { + return diag.FromErr(err) + } zapLogger.Debug(fmt.Sprintf("%v %v", "signout user", atomic.LoadUint64(&signInCount))) // decrement counter atomic.AddUint64(&signInCount, ^uint64(0)) @@ -340,7 +625,12 @@ func getSecretByPathReadContext(ctx context.Context, d *schema.ResourceData, m i return diag.FromErr(err) } - d.Set("value", secret) + err = d.Set("value", secret) + + if err != nil { + return diag.FromErr(err) + } + d.SetId(hash(secret)) mu_out.Lock() @@ -350,7 +640,10 @@ func getSecretByPathReadContext(ctx context.Context, d *schema.ResourceData, m i atomic.AddUint64(&signInCount, ^uint64(0)) mu_out.Unlock() } else { - authenticationObj.SignOut() + err = authenticationObj.SignOut() + if err != nil { + return diag.FromErr(err) + } zapLogger.Debug(fmt.Sprintf("%v %v", "signout user", atomic.LoadUint64(&signInCount))) // decrement counter atomic.AddUint64(&signInCount, ^uint64(0)) diff --git a/terraform/main.tf b/terraform/main.tf index fb76d29..cf7fa13 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -123,4 +123,12 @@ data "passwordsafe_secret" "secret_text" { output "secret_text" { value = "${data.passwordsafe_secret.secret_text.value}" +} + + +resource "passwordsafe_managed_account" "my_managed_account" { + system_name = "system_integration_test" + account_name = "managed_account_Test" + password = "MyTest101*!" + api_enabled = true } \ No newline at end of file