prismacloudcompute_group (Resource) unable to create non-local groups #81

Status: Open
scott-sudweeks opened this issue Aug 30, 2024 · 0 comments
Labels: bug (Something isn't working)

Comments

@scott-sudweeks

Describe the bug

The Resource prismacloudcompute_group will only create local groups. To create a group which is tied to one or more Identity Providers, one of the fields below should be set to true.

  • ldap_group (Boolean) Whether or not the group is an LDAP group.
  • oauth_group (Boolean) Whether or not the group is an OAuth group.
  • oidc_group (Boolean) Whether or not the group is an OpenID Connect group.
  • saml_group (Boolean) Whether or not the group is a SAML group.

Unfortunately the provider is not mapping these fields correctly for the API call, and they are received by the Twistlock API as nil/false; therefore the group which is created is a 'local' group rather than being associated with one or more of the identity providers.

Expected behavior

Setting oauth_group:true should result in a group being created which is tied to the OIDC IDP.

Current behavior

The group which is created is listed as a 'local' group.

Possible solution

The provider needs to be fixed to properly map the terraform properties to the correct API values.

This is probably as simple as adding the necessary underscores to the convert method here: https://github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/blob/dd54d0b43ced68e156c3af027b5591bc077f6bca/internal/convert/group.go#L10-42

Steps to reproduce

  1. Set up a proper Terraform project, with the necessary configuration to talk to a Twistlock instance with an OIDC IDP configured, and a resource to create a new OIDC group.
  2. Execute Terraform Module
  3. See in Twistlock a local group has been created, instead of a group tied to one of the auth methods.

Example code

terraform {
  required_providers {
    prismacloudcompute = {
      source  = "PaloAltoNetworks/prismacloudcompute"
      version = "0.8.0"
    }
  }
}

provider "prismacloudcompute" {
  config_file = "creds.json"
}

resource "prismacloudcompute_group" "group" {
  name       = "test-group"
  oidc_group = true

  # Note: when role is set, the group will not be created, because role is NOT allowed when creating a local group;
  # that is not the expected behaviour when setting oidc_group = true.
  # Omitting it creates a local group, further illustrating that oidc_group = true is not being properly handled.
  # role = "auditor"
}

Context

We configure Twistlock via IaC. We are migrating our legacy IaC solution to Crossplane and/or Terraform. As we use SSO via an OIDC IDP, this is blocking us from being able to use this provider to configure groups in our use case.

Your Environment

  • Version used: v0.8.0
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): N/A
  • Operating System and version (desktop or mobile): N/A
  • Link to your project: N/A
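As an added illustration (not the provider's own code, and not taken from the issue), the Go program below shows the failure mode the report describes: a converter that looks up attribute names that do not match what the resource schema declares reads back the zero value `false` without any error, so a request for an OIDC group silently becomes a local one. The API payload struct, the JSON field names and the map used as a stand-in for the Terraform SDK's `schema.ResourceData` are assumptions so the example runs offline; `unknownKeys` is an added check that flags such mismatches before any request is sent.

```go
package main

import (
	"fmt"
	"sort"
)

// apiGroup mirrors the shape of a group payload sent to the API. The JSON field
// names are an assumption for illustration, not the Twistlock API's real schema.
type apiGroup struct {
	Name       string `json:"name"`
	LdapGroup  bool   `json:"ldapGroup"`
	OauthGroup bool   `json:"oauthGroup"`
	OidcGroup  bool   `json:"oidcGroup"`
	SamlGroup  bool   `json:"samlGroup"`
}

// resourceData stands in for the Terraform SDK's schema.ResourceData so the
// example runs without the SDK; a missing key yields the zero value, as d.Get does.
type resourceData map[string]interface{}

func (d resourceData) getBool(key string) bool {
	b, _ := d[key].(bool) // nil or non-bool silently becomes false
	return b
}

func (d resourceData) getString(key string) string {
	s, _ := d[key].(string)
	return s
}

// schemaAttrs are the attribute names the resource declares (taken from the issue text).
var schemaAttrs = map[string]bool{
	"name": true, "ldap_group": true, "oauth_group": true, "oidc_group": true, "saml_group": true,
}

// buggyKeys are lookups with the underscores dropped: the kind of mismatch the issue suspects.
var buggyKeys = []string{"name", "ldapgroup", "oauthgroup", "oidcgroup", "samlgroup"}

// fixedKeys match the declared schema exactly.
var fixedKeys = []string{"name", "ldap_group", "oauth_group", "oidc_group", "saml_group"}

// convert builds the API payload by reading the given keys, in the order
// name, ldap, oauth, oidc, saml.
func convert(d resourceData, keys []string) apiGroup {
	return apiGroup{
		Name:       d.getString(keys[0]),
		LdapGroup:  d.getBool(keys[1]),
		OauthGroup: d.getBool(keys[2]),
		OidcGroup:  d.getBool(keys[3]),
		SamlGroup:  d.getBool(keys[4]),
	}
}

// isLocal reports whether the API would treat this group as local: no IdP flag set.
func isLocal(g apiGroup) bool {
	return !(g.LdapGroup || g.OauthGroup || g.OidcGroup || g.SamlGroup)
}

// unknownKeys returns, sorted, every key the converter reads that the schema does
// not declare. An empty result means every lookup can actually match user input.
func unknownKeys(keys []string, schema map[string]bool) []string {
	var missing []string
	for _, k := range keys {
		if !schema[k] {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed input matching the issue's example resource: oidc_group = true.
	d := resourceData{"name": "test-group", "oidc_group": true}

	fmt.Printf("buggy lookup -> local group? %v\n", isLocal(convert(d, buggyKeys)))
	fmt.Printf("fixed lookup -> local group? %v\n", isLocal(convert(d, fixedKeys)))
	fmt.Printf("keys the buggy converter reads but the schema lacks: %v\n",
		unknownKeys(buggyKeys, schemaAttrs))
}
```

The useful takeaway for a provider is the last check: comparing the set of attribute names a converter reads against the schema it is supposed to serve turns a silent wrong default into a hard failure in unit tests, which is what would have caught a group that comes out "local" when the caller asked for an IdP-backed one.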
scott-sudweeks added the bug label Aug 30, 2024