⭐️ output service account credential
chris-rock committed Apr 28, 2024
1 parent 7550aed commit 2fe7339
Showing 3 changed files with 73 additions and 5 deletions.
17 changes: 15 additions & 2 deletions docs/resources/service_account.md
Expand Up @@ -29,12 +29,12 @@ provider "mondoo" {
}
resource "mondoo_space" "my_space" {
name = "My Space Name"
name = "My Terraform Space"
org_id = var.mondoo_org
}
resource "mondoo_service_account" "service_account" {
name = "Service Account Terraform New"
name = "Service Account Terraform"
description = "Service Account for Terraform"
roles = [
"//iam.api.mondoo.app/roles/viewer",
Expand All @@ -45,6 +45,18 @@ resource "mondoo_service_account" "service_account" {
mondoo_space.my_space
]
}
output "service_account_json" {
description = "Service Account as JSON"
value = base64decode(mondoo_service_account.service_account.credential)
sensitive = true
}
output "service_account_base64" {
description = "Service Account as Base64"
value = mondoo_service_account.service_account.credential
sensitive = true
}
```

<!-- schema generated by tfplugindocs -->
Expand All @@ -60,4 +72,5 @@ resource "mondoo_service_account" "service_account" {

### Read-Only

- `credential` (String, Sensitive) The service account credential in JSON format, base64 encoded. This is the same content when creating service account credentials through the web console.
- `mrn` (String) The Mondoo Resource Name (MRN) of the created service account.
17 changes: 15 additions & 2 deletions examples/resources/mondoo_service_account/resource.tf
Expand Up @@ -14,12 +14,12 @@ provider "mondoo" {
}

resource "mondoo_space" "my_space" {
name = "My Space Name"
name = "My Terraform Space"
org_id = var.mondoo_org
}

resource "mondoo_service_account" "service_account" {
name = "Service Account Terraform New"
name = "Service Account Terraform"
description = "Service Account for Terraform"
roles = [
"//iam.api.mondoo.app/roles/viewer",
Expand All @@ -30,3 +30,16 @@ resource "mondoo_service_account" "service_account" {
mondoo_space.my_space
]
}

output "service_account_json" {
description = "Service Account as JSON"
value = base64decode(mondoo_service_account.service_account.credential)
sensitive = true
}

output "service_account_base64" {
description = "Service Account as Base64"
value = mondoo_service_account.service_account.credential
sensitive = true
}
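Review bot: `sensitive = true` on the two new outputs only redacts the values in `terraform plan`/`apply` console output; the decoded private key is still written in plaintext to the state file and is printed by `terraform output -json` or `terraform output -raw service_account_json`. Since this example is copied verbatim into the resource docs, a short comment above the outputs would avoid a false sense of safety, e.g. `# sensitive only hides the value in CLI output; it is still stored in plaintext in state — use an encrypted, access-controlled backend`. Exposing both `service_account_json` and `service_account_base64` also stores two copies of the same key in state; one output (the base64 form the Mondoo tooling consumes) is likely enough for the example.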

44 changes: 43 additions & 1 deletion internal/provider/service_account_resource.go
Expand Up @@ -5,6 +5,8 @@ package provider

import (
"context"
"encoding/base64"
"encoding/json"
"fmt"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
Expand All @@ -26,6 +28,17 @@ var _ resource.Resource = &ServiceAccountResource{}

var defaultRoles = []string{"//iam.api.mondoo.app/roles/viewer"}

// serviceAccountCredential is a temporary object until the API returns the credential as a string
type serviceAccountCredential struct {
Mrn string `json:"mrn,omitempty"`
PrivateKey string `json:"private_key,omitempty"`
Certificate string `json:"certificate,omitempty"`
ApiEndpoint string `json:"api_endpoint,omitempty"`
ScopeMrn string `json:"scope_mrn,omitempty"`
// ParentMrn is deprecated and should not be used, use ScopeMrn instead
ParentMrn string `json:"parent_mrn,omitempty"`
}

func NewServiceAccountResource() resource.Resource {
return &ServiceAccountResource{}
}
Expand All @@ -46,6 +59,9 @@ type ServiceAccountResourceModel struct {
Name types.String `tfsdk:"name"`
Description types.String `tfsdk:"description"`
Roles types.List `tfsdk:"roles"`

// base 64 encoded service account credential
Credential types.String `tfsdk:"credential"`
}

func (r *ServiceAccountResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
Expand Down Expand Up @@ -99,6 +115,14 @@ func (r *ServiceAccountResource) Schema(ctx context.Context, req resource.Schema
listplanmodifier.UseStateForUnknown(),
},
},
"credential": schema.StringAttribute{
Computed: true,
MarkdownDescription: "The service account credential in JSON format, base64 encoded. This is the same content when creating service account credentials through the web console.",
PlanModifiers: []planmodifier.String{
stringplanmodifier.UseStateForUnknown(),
},
Sensitive: true,
},
},
}
}
Expand Down Expand Up @@ -206,7 +230,25 @@ func (r *ServiceAccountResource) Create(ctx context.Context, req resource.Create
// Save space mrn into the Terraform state.
data.Name = types.StringValue(name)
data.Mrn = types.StringValue(string(createMutation.CreateServiceAccount.Mrn))
// TODO: add certificate and private key

// NOTE: this is temporary, we want to change the API to return the credential as a string
serviceAccount := serviceAccountCredential{
Mrn: string(createMutation.CreateServiceAccount.Mrn),
PrivateKey: string(createMutation.CreateServiceAccount.PrivateKey),
Certificate: string(createMutation.CreateServiceAccount.Certificate),
ApiEndpoint: string(createMutation.CreateServiceAccount.ApiEndpoint),
ScopeMrn: string(createMutation.CreateServiceAccount.ScopeMrn),
ParentMrn: string(createMutation.CreateServiceAccount.ScopeMrn),
}

jsonData, err := json.Marshal(serviceAccount)
if err != nil {
resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to create service account, got error: %s", err))
return
}

// set base 64 encoded credential
data.Credential = types.StringValue(base64.StdEncoding.EncodeToString(jsonData))

// Write logs using the tflog package
tflog.Trace(ctx, "created a service account resource")
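Review bot: The early return on the `json.Marshal` error runs after `createMutation` has already succeeded, so on that path the service account and its freshly issued private key exist server-side but are never recorded in Terraform state, and the diagnostic `Unable to create service account` tells the operator the opposite of what happened. Since `data.Mrn` is already populated, either persist the partial state before returning so a later `destroy` can clean the account up, or at minimum reword the message, e.g. `fmt.Sprintf("Service account %s was created but its credential could not be encoded: %s", data.Mrn.ValueString(), err)`. The `Create` function begins and ends outside this hunk, so I cannot see whether the happy path saves state further down; the point applies to the new error branch only. Separately, the `credential` MarkdownDescription should say that the private key is returned only by the create mutation and cannot be fetched again later — `UseStateForUnknown` appears to be what keeps it across refresh and update, which is worth confirming against the Read implementation.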
