From 68bb41003076439ed801cd28d975ff4ffb6de100 Mon Sep 17 00:00:00 2001
From: ngharo
Date: Fri, 23 Aug 2024 09:14:58 -0500
Subject: [PATCH 1/5] Adds resource: minio_iam_ldap_group_policy_attachment
---
 minio/provider.go | 1 +
 ..._minio_iam_ldap_group_policy_attachment.go | 180 ++++++++++++++++++
 2 files changed, 181 insertions(+)
 create mode 100644 minio/resource_minio_iam_ldap_group_policy_attachment.go
diff --git a/minio/provider.go b/minio/provider.go
index bccf5a70..39787aa4 100644
--- a/minio/provider.go
+++ b/minio/provider.go
@@ -143,6 +143,7 @@ func newProvider(envvarPrefixed ...string) *schema.Provider {
 "minio_iam_policy": resourceMinioIAMPolicy(),
 "minio_iam_user_policy_attachment": resourceMinioIAMUserPolicyAttachment(),
 "minio_iam_group_policy_attachment": resourceMinioIAMGroupPolicyAttachment(),
+ "minio_iam_ldap_group_policy_attachment": resourceMinioIAMLDAPGroupPolicyAttachment(),
 "minio_iam_group_user_attachment": resourceMinioIAMGroupUserAttachment(),
 "minio_ilm_policy": resourceMinioILMPolicy(),
 "minio_kms_key": resourceMinioKMSKey(),
diff --git a/minio/resource_minio_iam_ldap_group_policy_attachment.go b/minio/resource_minio_iam_ldap_group_policy_attachment.go
new file mode 100644
index 00000000..2fa8726e
--- /dev/null
+++ b/minio/resource_minio_iam_ldap_group_policy_attachment.go
@@ -0,0 +1,180 @@
+package minio
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "log"
+ "strings"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/minio/madmin-go/v3"
+)
+
+var ldapGroupPolicyAttachmentLock = NewMutexKV()
+
+func resourceMinioIAMLDAPGroupPolicyAttachment() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: minioCreateLDAPGroupPolicyAttachment,
+ ReadContext: minioReadLDAPGroupPolicyAttachment,
+ DeleteContext: minioDeleteLDAPGroupPolicyAttachment,
+ Importer: &schema.ResourceImporter{
+ StateContext: minioImportLDAPGroupPolicyAttachment,
+ },
+ Schema: map[string]*schema.Schema{
+ "policy_name": {
+ Type: schema.TypeString,
+ Description: "Name of policy to attach to group",
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateIAMNamePolicy,
+ },
+ "group_name": {
+ Type: schema.TypeString,
+ Description: "Name of group to attach policy to",
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateMinioIamGroupName,
+ },
+ },
+ }
+}
+
+func minioCreateLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ minioAdmin := meta.(*S3MinioClient).S3Admin
+
+ var groupName = d.Get("group_name").(string)
+ var policyName = d.Get("policy_name").(string)
+
+ ldapGroupPolicyAttachmentLock.Lock(groupName)
+ defer ldapGroupPolicyAttachmentLock.Unlock(groupName)
+
+ policies, err := minioReadLDAPGroupPolicies(ctx, minioAdmin, groupName)
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] '%s' group policies: %v", groupName, policies)
+
+ if !Contains(policies, policyName) {
+ log.Printf("[DEBUG] Attaching policy %s to group: %s", policyName, groupName)
+ paResp, err := minioAdmin.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
+ Policies: []string{policyName},
+ Group: groupName,
+ })
+
+ log.Printf("[DEBUG] PolicyAssociationResp: %v",
paResp)
+
+ if err != nil {
+ return NewResourceError(fmt.Sprintf("Unable to attach group to policy '%s'", policyName), groupName, err)
+ }
+ }
+
+ d.SetId(fmt.Sprintf("%s/%s", policyName, groupName))
+
+ return doMinioReadLDAPGroupPolicyAttachment(ctx, d, meta, groupName, policyName)
+}
+
+func minioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ var groupName = d.Get("group_name").(string)
+ var policyName = d.Get("policy_name").(string)
+
+ ldapGroupPolicyAttachmentLock.Lock(groupName)
+ defer ldapGroupPolicyAttachmentLock.Unlock(groupName)
+
+ return doMinioReadLDAPGroupPolicyAttachment(ctx, d, meta, groupName, policyName)
+}
+
+func doMinioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}, groupName, policyName string) diag.Diagnostics {
+ minioAdmin := meta.(*S3MinioClient).S3Admin
+
+ per, err := minioAdmin.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{
+ Policy: []string{policyName},
+ Groups: []string{groupName},
+ })
+
+ if err != nil {
+ return NewResourceError(fmt.Sprintf("Failed to query for group policy '%s'", policyName), groupName, err)
+ }
+
+ log.Printf("[DEBUG] PolicyEntityResponse: %v", per)
+ if len(per.PolicyMappings) == 0 {
+ log.Printf("[WARN] No such policy association (%s) found, removing from state", d.Id())
+ d.SetId("")
+ return nil
+ }
+
+ if err := d.Set("policy_name", policyName); err != nil {
+ return NewResourceError("failed to load group infos", groupName, err)
+ }
+
+ return nil
+}
+
+func minioDeleteLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ minioAdmin := meta.(*S3MinioClient).S3Admin
+
+ var groupName = d.Get("group_name").(string)
+ var policyName = d.Get("policy_name").(string)
+
+ ldapGroupPolicyAttachmentLock.Lock(groupName)
+ defer ldapGroupPolicyAttachmentLock.Unlock(groupName)
+
+ policies, err := minioReadLDAPGroupPolicies(ctx, minioAdmin,
groupName)
+ if err != nil {
+ return err
+ }
+
+ _, found := Filter(policies, policyName)
+ if !found {
+ return nil
+ }
+
+ paResp, detachErr := minioAdmin.DetachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
+ Policies: []string{policyName},
+ Group: groupName,
+ })
+
+ log.Printf("[DEBUG] PolicyAssociationResp: %v", paResp)
+
+ if detachErr != nil {
+ return NewResourceError(fmt.Sprintf("Unable to detach policy '%s'", policyName), groupName, detachErr)
+ }
+
+ return nil
+}
+
+func minioImportLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ idParts := strings.SplitN(d.Id(), "/", 2)
+ if len(idParts) != 2 || idParts[0] == "" || idParts[1] == "" {
+ return nil, fmt.Errorf("unexpected format of ID (%q), expected /", d.Id())
+ }
+
+ groupName := idParts[0]
+ policyName := idParts[1]
+
+ err := d.Set("group_name", groupName)
+ if err != nil {
+ return nil, errors.New(NewResourceErrorStr("unable to import group policy", groupName, err))
+ }
+ err = d.Set("policy_name", policyName)
+ if err != nil {
+ return nil, errors.New(NewResourceErrorStr("unable to import group policy", groupName, err))
+ }
+ d.SetId(id.PrefixedUniqueId(fmt.Sprintf("%s-", groupName)))
+ return []*schema.ResourceData{d}, nil
+}
+
+func minioReadLDAPGroupPolicies(ctx context.Context, minioAdmin *madmin.AdminClient, groupName string) ([]string, diag.Diagnostics) {
+ policyEntities, err := minioAdmin.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{
+ Groups: []string{groupName},
+ })
+
+ if err != nil {
+ return nil, NewResourceError("failed to load group infos", groupName, err)
+ }
+
+ return policyEntities.GroupMappings[0].Policies, nil
+}
From e4a79d496ad9fac61f231cb17a3b4ac372556a56 Mon Sep 17 00:00:00 2001
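Review bot: minioImportLDAPGroupPolicyAttachment parses the ID in the opposite order from the ID Create writes: `d.SetId(fmt.Sprintf("%s/%s", policyName, groupName))` stores policy first, while the importer assigns `groupName := idParts[0]` and `policyName := idParts[1]`, so an operator who imports with the ID shown in state ends up with the policy name in `group_name` and the DN in `policy_name`, and the following Read would then most likely query a non-existent mapping and drop the resource from state. Keeping the policy first also keeps `strings.SplitN(d.Id(), "/", 2)` safe should a DN contain a `/`, since the split happens at the first separator and the policy name is the part that cannot contain one; the two lines should read `policyName := idParts[0]` and `groupName := idParts[1]`. The same reversed order survives the second patch's rewrite of this importer (the hunk at `@@ -152,28 +151,37 @@`) and is repeated in minioImportLDAPUserPolicyAttachment in the new user resource, whose Create also writes `policy/user`.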
From: ngharo
Date: Fri, 23 Aug 2024 11:25:00 -0500
Subject: [PATCH 2/5] Rename group_name attribute to group_dn
---
 minio/provider.go | 3 +-
 ..._minio_iam_ldap_group_policy_attachment.go | 78 ++++----
 ...e_minio_iam_ldap_user_policy_attachment.go | 188 ++++++++++++++++++
 3 files changed, 233 insertions(+), 36 deletions(-)
 create mode 100644 minio/resource_minio_iam_ldap_user_policy_attachment.go
diff --git a/minio/provider.go b/minio/provider.go
index 39787aa4..bd10575e 100644
--- a/minio/provider.go
+++ b/minio/provider.go
@@ -143,8 +143,9 @@ func newProvider(envvarPrefixed ...string) *schema.Provider {
 "minio_iam_policy": resourceMinioIAMPolicy(),
 "minio_iam_user_policy_attachment": resourceMinioIAMUserPolicyAttachment(),
 "minio_iam_group_policy_attachment": resourceMinioIAMGroupPolicyAttachment(),
- "minio_iam_ldap_group_policy_attachment": resourceMinioIAMLDAPGroupPolicyAttachment(),
 "minio_iam_group_user_attachment": resourceMinioIAMGroupUserAttachment(),
+ "minio_iam_ldap_group_policy_attachment": resourceMinioIAMLDAPGroupPolicyAttachment(),
+ "minio_iam_ldap_user_policy_attachment": resourceMinioIAMLDAPUserPolicyAttachment(),
 "minio_ilm_policy": resourceMinioILMPolicy(),
 "minio_kms_key": resourceMinioKMSKey(),
 "minio_ilm_tier": resourceMinioILMTier(),
diff --git a/minio/resource_minio_iam_ldap_group_policy_attachment.go b/minio/resource_minio_iam_ldap_group_policy_attachment.go
index 2fa8726e..1fe36c50 100644
--- a/minio/resource_minio_iam_ldap_group_policy_attachment.go
+++ b/minio/resource_minio_iam_ldap_group_policy_attachment.go
@@ -8,7 +8,6 @@ import (
 "strings"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/minio/madmin-go/v3"
 )
@@ -31,9 +30,9 @@ func resourceMinioIAMLDAPGroupPolicyAttachment() *schema.Resource {
 ForceNew: true,
 ValidateFunc: validateIAMNamePolicy,
 },
- "group_name": {
+ "group_dn": {
 Type: schema.TypeString,
- Description: "Name of group to attach policy to",
+ Description: "The dn of group to attach policy to",
 Required: true,
 ForceNew: true,
 ValidateFunc: validateMinioIamGroupName,
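Review bot: `group_dn` keeps `ValidateFunc: validateMinioIamGroupName`, a validator apparently written for plain MinIO group names, while the attribute is now documented as a distinguished name, which carries `=` and `,` characters (for example `cn=…,ou=…,dc=…`). Whether that validator accepts such input cannot be seen from this hunk; if it rejects it the resource can never be applied, and if it accepts anything it gives no early feedback on a malformed DN, which only surfaces as a server-side error at apply time. Worth confirming against the validator's definition, or swapping it for a check that at least requires an `attr=value` shaped string. The same question applies to `user_dn` with `validateMinioIamUserName` in the new user resource. The enclosing resourceMinioIAMLDAPGroupPolicyAttachment function starts and ends outside this hunk.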
@@ -45,58 +44,58 @@ func resourceMinioIAMLDAPGroupPolicyAttachment() *schema.Resource {
 func minioCreateLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 minioAdmin := meta.(*S3MinioClient).S3Admin
- var groupName = d.Get("group_name").(string)
+ var groupDN = d.Get("group_dn").(string)
 var policyName = d.Get("policy_name").(string)
- ldapGroupPolicyAttachmentLock.Lock(groupName)
- defer ldapGroupPolicyAttachmentLock.Unlock(groupName)
+ ldapGroupPolicyAttachmentLock.Lock(groupDN)
+ defer ldapGroupPolicyAttachmentLock.Unlock(groupDN)
- policies, err := minioReadLDAPGroupPolicies(ctx, minioAdmin, groupName)
+ policies, err := minioReadLDAPGroupPolicies(ctx, minioAdmin, groupDN)
 if err != nil {
 return err
 }
- log.Printf("[DEBUG] '%s' group policies: %v", groupName, policies)
+ log.Printf("[DEBUG] '%s' group policies: %v", groupDN, policies)
 if !Contains(policies, policyName) {
- log.Printf("[DEBUG] Attaching policy %s to group: %s", policyName, groupName)
+ log.Printf("[DEBUG] Attaching policy %s to group: %s", policyName, groupDN)
 paResp, err := minioAdmin.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
 Policies: []string{policyName},
- Group: groupName,
+ Group: groupDN,
 })
 log.Printf("[DEBUG] PolicyAssociationResp: %v", paResp)
 if err != nil {
- return NewResourceError(fmt.Sprintf("Unable to attach group to policy '%s'", policyName), groupName, err)
+ return NewResourceError(fmt.Sprintf("Unable to attach group to policy '%s'", policyName), groupDN, err)
 }
 }
- d.SetId(fmt.Sprintf("%s/%s", policyName, groupName))
+ d.SetId(fmt.Sprintf("%s/%s", policyName, groupDN))
- return doMinioReadLDAPGroupPolicyAttachment(ctx, d, meta, groupName, policyName)
+ return doMinioReadLDAPGroupPolicyAttachment(ctx, d, meta, groupDN, policyName)
 }
 func minioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- var groupName = d.Get("group_name").(string)
+ var groupDN
= d.Get("group_dn").(string)
 var policyName = d.Get("policy_name").(string)
- ldapGroupPolicyAttachmentLock.Lock(groupName)
- defer ldapGroupPolicyAttachmentLock.Unlock(groupName)
+ ldapGroupPolicyAttachmentLock.Lock(groupDN)
+ defer ldapGroupPolicyAttachmentLock.Unlock(groupDN)
- return doMinioReadLDAPGroupPolicyAttachment(ctx, d, meta, groupName, policyName)
+ return doMinioReadLDAPGroupPolicyAttachment(ctx, d, meta, groupDN, policyName)
 }
-func doMinioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}, groupName, policyName string) diag.Diagnostics {
+func doMinioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}, groupDN, policyName string) diag.Diagnostics {
 minioAdmin := meta.(*S3MinioClient).S3Admin
 per, err := minioAdmin.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{
 Policy: []string{policyName},
- Groups: []string{groupName},
+ Groups: []string{groupDN},
 })
 if err != nil {
- return NewResourceError(fmt.Sprintf("Failed to query for group policy '%s'", policyName), groupName, err)
+ return NewResourceError(fmt.Sprintf("Failed to query for group policy '%s'", policyName), groupDN, err)
 }
 log.Printf("[DEBUG] PolicyEntityResponse: %v", per)
@@ -107,7 +106,7 @@ func doMinioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.Resourc
 }
 if err := d.Set("policy_name", policyName); err != nil {
- return NewResourceError("failed to load group infos", groupName, err)
+ return NewResourceError("failed to load group infos", groupDN, err)
 }
 return nil
@@ -116,13 +115,13 @@ func doMinioReadLDAPGroupPolicyAttachment(ctx context.Context, d *schema.Resourc
 func minioDeleteLDAPGroupPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 minioAdmin := meta.(*S3MinioClient).S3Admin
- var groupName = d.Get("group_name").(string)
+ var groupDN = d.Get("group_dn").(string)
 var policyName = d.Get("policy_name").(string)
- ldapGroupPolicyAttachmentLock.Lock(groupName)
- defer ldapGroupPolicyAttachmentLock.Unlock(groupName)
+ ldapGroupPolicyAttachmentLock.Lock(groupDN)
+ defer ldapGroupPolicyAttachmentLock.Unlock(groupDN)
- policies, err := minioReadLDAPGroupPolicies(ctx, minioAdmin, groupName)
+ policies, err := minioReadLDAPGroupPolicies(ctx, minioAdmin, groupDN)
 if err != nil {
 return err
 }
@@ -134,13 +133,13 @@ func minioDeleteLDAPGroupPolicyAttachment(ctx context.Context, d *schema.Resourc
 paResp, detachErr := minioAdmin.DetachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
 Policies: []string{policyName},
- Group: groupName,
+ Group: groupDN,
 })
 log.Printf("[DEBUG] PolicyAssociationResp: %v", paResp)
 if detachErr != nil {
- return NewResourceError(fmt.Sprintf("Unable to detach policy '%s'", policyName), groupName, detachErr)
+ return NewResourceError(fmt.Sprintf("Unable to detach policy '%s'", policyName), groupDN, detachErr)
 }
 return nil
@@ -152,28 +151,37 @@ func minioImportLDAPGroupPolicyAttachment(ctx context.Context, d *schema.Resourc
 return nil, fmt.Errorf("unexpected format of ID (%q), expected /", d.Id())
 }
- groupName := idParts[0]
+ groupDN := idParts[0]
 policyName := idParts[1]
- err := d.Set("group_name", groupName)
+ err := d.Set("group_dn", groupDN)
 if err != nil {
- return nil, errors.New(NewResourceErrorStr("unable to import group policy", groupName, err))
+ return nil, errors.New(NewResourceErrorStr("unable to import group policy", groupDN, err))
 }
 err = d.Set("policy_name", policyName)
 if err != nil {
- return nil, errors.New(NewResourceErrorStr("unable to import group policy", groupName, err))
+ return nil, errors.New(NewResourceErrorStr("unable to import group policy", groupDN, err))
 }
- d.SetId(id.PrefixedUniqueId(fmt.Sprintf("%s-", groupName)))
+
+ d.SetId(fmt.Sprintf("%s/%s", policyName, groupDN))
 return []*schema.ResourceData{d}, nil
 }
-func minioReadLDAPGroupPolicies(ctx context.Context, minioAdmin *madmin.AdminClient, groupName string) ([]string, diag.Diagnostics) {
+func minioReadLDAPGroupPolicies(ctx context.Context, minioAdmin *madmin.AdminClient, groupDN string) ([]string, diag.Diagnostics) {
 policyEntities, err := minioAdmin.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{
- Groups: []string{groupName},
+ Groups: []string{groupDN},
 })
 if err != nil {
- return nil, NewResourceError("failed to load group infos", groupName, err)
+ return nil, NewResourceError("failed to load group infos", groupDN, err)
+ }
+
+ if len(policyEntities.GroupMappings) == 0 {
+ return nil, nil
+ }
+
+ if len(policyEntities.GroupMappings) > 1 {
+ return nil, NewResourceError("failed to load user infos", groupDN, errors.New("More than one group returned when getting LDAP policies for single group"))
 }
 return policyEntities.GroupMappings[0].Policies, nil
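Review bot: The new `> 1` guard in minioReadLDAPGroupPolicies reports `"failed to load user infos"` for a group lookup, a copy-paste from the user variant that will send whoever reads the error to the wrong resource; the `err != nil` branch a few lines above in the same function already says `"failed to load group infos"`. The line should read `return nil, NewResourceError("failed to load group infos", groupDN, errors.New("more than one group returned when getting LDAP policies for single group"))`. The fifth patch in this series touches exactly this line to lower-case the inner message but keeps the wrong summary, so the fix belongs there as well. minioImportLDAPGroupPolicyAttachment begins outside this hunk.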
diff --git a/minio/resource_minio_iam_ldap_user_policy_attachment.go b/minio/resource_minio_iam_ldap_user_policy_attachment.go
new file mode 100644
index 00000000..b4e85610
--- /dev/null
+++ b/minio/resource_minio_iam_ldap_user_policy_attachment.go
@@ -0,0 +1,188 @@
+package minio
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "log"
+ "strings"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/minio/madmin-go/v3"
+)
+
+var ldapUserPolicyAttachmentLock = NewMutexKV()
+
+func resourceMinioIAMLDAPUserPolicyAttachment() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: minioCreateLDAPUserPolicyAttachment,
+ ReadContext: minioReadLDAPUserPolicyAttachment,
+ DeleteContext: minioDeleteLDAPUserPolicyAttachment,
+ Importer: &schema.ResourceImporter{
+ StateContext: minioImportLDAPUserPolicyAttachment,
+ },
+ Schema: map[string]*schema.Schema{
+ "policy_name": {
+ Type: schema.TypeString,
+ Description: "Name of policy to attach to user",
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateIAMNamePolicy,
+ },
+ "user_dn": {
+ Type: schema.TypeString,
+ Description: "The dn of user to attach policy to",
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateMinioIamUserName,
+ },
+ },
+ }
+}
+
+func minioCreateLDAPUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ minioAdmin := meta.(*S3MinioClient).S3Admin
+
+ var userDN = d.Get("user_dn").(string)
+ var policyName = d.Get("policy_name").(string)
+
+ ldapUserPolicyAttachmentLock.Lock(userDN)
+ defer ldapUserPolicyAttachmentLock.Unlock(userDN)
+
+ policies, err := minioReadLDAPUserPolicies(ctx, minioAdmin, userDN)
+ if err != nil {
+ return err
+ }
+
+ log.Printf("[DEBUG] '%s' user policies: %v", userDN, policies)
+
+ if !Contains(policies, policyName) {
+ log.Printf("[DEBUG] Attaching policy %s to user: %s", policyName, userDN)
+ paResp, err := minioAdmin.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
+ Policies: []string{policyName},
+ User: userDN,
+ })
+
+ log.Printf("[DEBUG] PolicyAssociationResp: %v", paResp)
+
+ if err != nil {
+ return NewResourceError(fmt.Sprintf("Unable to attach user to policy
'%s'", policyName), userDN, err)
+ }
+ }
+
+ d.SetId(fmt.Sprintf("%s/%s", policyName, userDN))
+
+ return doMinioReadLDAPUserPolicyAttachment(ctx, d, meta, userDN, policyName)
+}
+
+func minioReadLDAPUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ var userDN = d.Get("user_dn").(string)
+ var policyName = d.Get("policy_name").(string)
+
+ ldapUserPolicyAttachmentLock.Lock(userDN)
+ defer ldapUserPolicyAttachmentLock.Unlock(userDN)
+
+ return doMinioReadLDAPUserPolicyAttachment(ctx, d, meta, userDN, policyName)
+}
+
+func doMinioReadLDAPUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}, userDN, policyName string) diag.Diagnostics {
+ minioAdmin := meta.(*S3MinioClient).S3Admin
+
+ per, err := minioAdmin.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{
+ Policy: []string{policyName},
+ Users: []string{userDN},
+ })
+
+ if err != nil {
+ return NewResourceError(fmt.Sprintf("Failed to query for user policy '%s'", policyName), userDN, err)
+ }
+
+ log.Printf("[DEBUG] PolicyEntityResponse: %v", per)
+ if len(per.PolicyMappings) == 0 {
+ log.Printf("[WARN] No such policy association (%s) found, removing from state", d.Id())
+ d.SetId("")
+ return nil
+ }
+
+ if err := d.Set("policy_name", policyName); err != nil {
+ return NewResourceError("failed to load user infos", userDN, err)
+ }
+
+ return nil
+}
+
+func minioDeleteLDAPUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+ minioAdmin := meta.(*S3MinioClient).S3Admin
+
+ var userDN = d.Get("user_dn").(string)
+ var policyName = d.Get("policy_name").(string)
+
+ ldapUserPolicyAttachmentLock.Lock(userDN)
+ defer ldapUserPolicyAttachmentLock.Unlock(userDN)
+
+ policies, err := minioReadLDAPUserPolicies(ctx, minioAdmin, userDN)
+ if err != nil {
+ return err
+ }
+
+ _, found := Filter(policies, policyName)
+ if !found {
+ return nil
+ }
+
+ paResp, detachErr :=
minioAdmin.DetachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
+ Policies: []string{policyName},
+ User: userDN,
+ })
+
+ log.Printf("[DEBUG] PolicyAssociationResp: %v", paResp)
+
+ if detachErr != nil {
+ return NewResourceError(fmt.Sprintf("Unable to detach policy '%s'", policyName), userDN, detachErr)
+ }
+
+ return nil
+}
+
+func minioImportLDAPUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ idParts := strings.SplitN(d.Id(), "/", 2)
+ if len(idParts) != 2 || idParts[0] == "" || idParts[1] == "" {
+ return nil, fmt.Errorf("unexpected format of ID (%q), expected /", d.Id())
+ }
+
+ userDN := idParts[0]
+ policyName := idParts[1]
+
+ err := d.Set("user_dn", userDN)
+ if err != nil {
+ return nil, errors.New(NewResourceErrorStr("unable to import user policy", userDN, err))
+ }
+ err = d.Set("policy_name", policyName)
+ if err != nil {
+ return nil, errors.New(NewResourceErrorStr("unable to import user policy", userDN, err))
+ }
+
+ d.SetId(fmt.Sprintf("%s/%s", policyName, userDN))
+ return []*schema.ResourceData{d}, nil
+}
+
+func minioReadLDAPUserPolicies(ctx context.Context, minioAdmin *madmin.AdminClient, userDN string) ([]string, diag.Diagnostics) {
+ policyEntities, err := minioAdmin.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{
+ Users: []string{userDN},
+ })
+
+ if err != nil {
+ return nil, NewResourceError("failed to load user infos", userDN, err)
+ }
+
+ if len(policyEntities.UserMappings) == 0 {
+ return nil, nil
+ }
+
+ if len(policyEntities.UserMappings) > 1 {
+ return nil, NewResourceError("failed to load user infos", userDN, errors.New("More than one user returned when getting LDAP policies for single user"))
+ }
+
+ return policyEntities.UserMappings[0].Policies, nil
+}
From 44e9f2ef59aa200c1b463aace4e4dff70d797a32 Mon Sep 17 00:00:00 2001
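Review bot: minioDeleteLDAPUserPolicyAttachment answers "is the policy already attached" with `_, found := Filter(policies, policyName)` and throws away the first return value, while minioCreateLDAPUserPolicyAttachment earlier in the same file answers the identical question with `Contains(policies, policyName)`; using two different project helpers for one membership test makes a reader check whether they agree, and the delete side is the one that decides whether a DetachPolicyLDAP call is issued at all. Replacing the two lines with `if !Contains(policies, policyName) {` and dropping `found` makes the create and delete paths symmetric. The group resource added in the first patch carries the same Contains/Filter split between its create and delete functions.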
From: ngharo
Date: Thu, 29 Aug 2024 22:13:28 -0500
Subject: [PATCH 3/5] Generate documentation
---
 docs/resources/iam_group_policy_attachment.md | 10 +---
 .../iam_ldap_group_policy_attachment.md | 56 +++++++++++++++++++
 .../iam_ldap_user_policy_attachment.md | 56 +++++++++++++++++++
 .../resource.tf | 10 +---
 .../resource.tf | 28 ++++++++++
 .../resource.tf | 28 ++++++++++
 ..._minio_iam_ldap_group_policy_attachment.go | 3 +-
 ...e_minio_iam_ldap_user_policy_attachment.go | 1 +
 8 files changed, 173 insertions(+), 19 deletions(-)
 create mode 100644 docs/resources/iam_ldap_group_policy_attachment.md
 create mode 100644 docs/resources/iam_ldap_user_policy_attachment.md
 create mode 100644 examples/resources/minio_iam_ldap_group_policy_attachment/resource.tf
 create mode 100644 examples/resources/minio_iam_ldap_user_policy_attachment/resource.tf
diff --git a/docs/resources/iam_group_policy_attachment.md b/docs/resources/iam_group_policy_attachment.md
index 83fa47c8..04a14cd6 100644
--- a/docs/resources/iam_group_policy_attachment.md
+++ b/docs/resources/iam_group_policy_attachment.md
@@ -17,7 +17,7 @@ resource "minio_iam_group" "developer" {
 name = "developer"
 }
-resource "minio_iam_group_policy" "test_policy" {
+resource "minio_iam_policy" "test_policy" {
 name = "state-terraform-s3"
 policy = <
diff --git a/docs/resources/iam_ldap_group_policy_attachment.md b/docs/resources/iam_ldap_group_policy_attachment.md
new file mode 100644
index 00000000..9d53d0a1
--- /dev/null
+++ b/docs/resources/iam_ldap_group_policy_attachment.md
@@ -0,0 +1,56 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "minio_iam_ldap_group_policy_attachment Resource - terraform-provider-minio"
+subcategory: ""
+description: |-
+ Attaches LDAP group to a policy. Can be used against both built-in and user-defined policies.
+---
+
+# minio_iam_ldap_group_policy_attachment (Resource)
+
+Attaches LDAP group to a policy. Can be used against both built-in and user-defined policies.
+
+## Example Usage
+
+```terraform
+resource "minio_iam_policy" "test_policy" {
+ name = "state-terraform-s3"
+ policy = <
+## Schema
+
+### Required
+
+- `group_dn` (String) The distinguished name (dn) of group to attach policy to
+- `policy_name` (String) Name of policy to attach to group
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/iam_ldap_user_policy_attachment.md b/docs/resources/iam_ldap_user_policy_attachment.md
new file mode 100644
index 00000000..05aef762
--- /dev/null
+++ b/docs/resources/iam_ldap_user_policy_attachment.md
@@ -0,0 +1,56 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "minio_iam_ldap_user_policy_attachment Resource - terraform-provider-minio"
+subcategory: ""
+description: |-
+ Attaches LDAP user to a policy. Can be used against both built-in and user-defined policies.
+---
+
+# minio_iam_ldap_user_policy_attachment (Resource)
+
+Attaches LDAP user to a policy. Can be used against both built-in and user-defined policies.
+
+## Example Usage
+
+```terraform
+resource "minio_iam_policy" "test_policy" {
+ name = "state-terraform-s3"
+ policy = <
+## Schema
+
+### Required
+
+- `policy_name` (String) Name of policy to attach to user
+- `user_dn` (String) The dn of user to attach policy to
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/examples/resources/minio_iam_group_policy_attachment/resource.tf b/examples/resources/minio_iam_group_policy_attachment/resource.tf
index b89f0cf6..285259fe 100644
--- a/examples/resources/minio_iam_group_policy_attachment/resource.tf
+++ b/examples/resources/minio_iam_group_policy_attachment/resource.tf
@@ -2,7 +2,7 @@ resource "minio_iam_group" "developer" {
 name = "developer"
 }
-resource "minio_iam_group_policy" "test_policy" {
+resource "minio_iam_policy" "test_policy" {
 name = "state-terraform-s3"
 policy = <
Date: Thu, 29 Aug 2024 22:14:17 -0500
Subject: [PATCH 4/5] Remove LDAP example from iam_user_policy_attachment
---
 docs/resources/iam_user_policy_attachment.md | 7 -------
 .../resources/minio_iam_user_policy_attachment/resource.tf | 7 -------
 2 files changed, 14 deletions(-)
diff --git a/docs/resources/iam_user_policy_attachment.md b/docs/resources/iam_user_policy_attachment.md
index 0fff02bd..7ea5ff7f 100644
--- a/docs/resources/iam_user_policy_attachment.md
+++ b/docs/resources/iam_user_policy_attachment.md
@@ -51,13 +51,6 @@ output "minio_users" {
 output "minio_group" {
 value = minio_iam_user_policy_attachment.developer.policy_name
 }
-
-# Example using an LDAP User instead of a static MinIO group
-
-resource "minio_iam_user_policy_attachment" "developer" {
- user_name = "CN=My User,OU=Unit,DC=example,DC=com"
- policy_name = minio_iam_policy.test_policy.id
-}
 ```
diff --git a/examples/resources/minio_iam_user_policy_attachment/resource.tf b/examples/resources/minio_iam_user_policy_attachment/resource.tf
index 31daab03..c3dbc542 100644
--- a/examples/resources/minio_iam_user_policy_attachment/resource.tf
+++ b/examples/resources/minio_iam_user_policy_attachment/resource.tf
@@ -36,10 +36,3 @@ output "minio_users" {
 output "minio_group" {
 value = minio_iam_user_policy_attachment.developer.policy_name
 }
-
-# Example using an LDAP User instead of a static MinIO group
-
-resource "minio_iam_user_policy_attachment" "developer" {
- user_name = "CN=My User,OU=Unit,DC=example,DC=com"
- policy_name = minio_iam_policy.test_policy.id
-}
\ No newline at end of file
From 8eb50f2d207e0cfe2a05d7b1e7b51c6e0783c1af Mon Sep 17 00:00:00 2001
From: Victor Nogueira
Date: Fri, 30 Aug 2024 10:26:55 +0200
Subject: [PATCH 5/5] Fix lint issue with capitalized strings
---
 minio/resource_minio_iam_ldap_group_policy_attachment.go | 2 +-
 minio/resource_minio_iam_ldap_user_policy_attachment.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/minio/resource_minio_iam_ldap_group_policy_attachment.go b/minio/resource_minio_iam_ldap_group_policy_attachment.go
index c51fff1c..4757a0ee 100644
--- a/minio/resource_minio_iam_ldap_group_policy_attachment.go
+++ b/minio/resource_minio_iam_ldap_group_policy_attachment.go
@@ -182,7 +182,7 @@ func minioReadLDAPGroupPolicies(ctx context.Context, minioAdmin *madmin.AdminCli
 }
 if len(policyEntities.GroupMappings) > 1 {
- return nil, NewResourceError("failed to load user infos", groupDN, errors.New("More than one group returned when getting LDAP policies for single group"))
+ return nil, NewResourceError("failed to load user infos", groupDN, errors.New("more than one group returned when getting LDAP policies for single group"))
 }
 return policyEntities.GroupMappings[0].Policies, nil
diff --git a/minio/resource_minio_iam_ldap_user_policy_attachment.go b/minio/resource_minio_iam_ldap_user_policy_attachment.go
index 005e8c86..b544264b 100644
--- a/minio/resource_minio_iam_ldap_user_policy_attachment.go
+++ b/minio/resource_minio_iam_ldap_user_policy_attachment.go
@@ -182,7 +182,7 @@ func minioReadLDAPUserPolicies(ctx context.Context, minioAdmin *madmin.AdminClie
 }
 if len(policyEntities.UserMappings) > 1 {
- return nil, NewResourceError("failed to load user infos", userDN, errors.New("More than one user returned when getting LDAP policies for single user"))
+ return nil, NewResourceError("failed to load user infos", userDN, errors.New("more than one user returned when getting LDAP policies for single user"))
 }
 return policyEntities.UserMappings[0].Policies, nil