adds jwt_groups_filter

Author: wasaga

example/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     pomerium = {
       source  = "pomerium/pomerium"
-      version = "0.0.5"
+      version = "0.0.7"
     }
   }
 }
@@ -52,6 +52,10 @@ resource "pomerium_settings" "settings" {
   proxy_log_level = "info"
 
   timeout_idle = "5m"
+
+  jwt_groups_filter = {
+    groups = ["id1", "id2"]
+  }
 }
 
 resource "pomerium_service_account" "test_sa" {
@@ -82,6 +86,9 @@ resource "pomerium_route" "test_route" {
   from         = "https://verify-tf.localhost.pomerium.io"
   to           = ["https://verify.pomerium.com"]
   policies     = [pomerium_policy.test_policy.id]
+  jwt_groups_filter = {
+    infer_from_ppl = true
+  }
 }
 
 resource "pomerium_key_pair" "test_key_pair" {

internal/provider/jwt_group_filter.go

@@ -0,0 +1,94 @@
+package provider
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
+	"github.com/pomerium/enterprise-client-go/pb"
+)
+
+var (
+	jwtGroupsFilterSchema = schema.SingleNestedAttribute{
+		Optional:    true,
+		Description: "JWT Groups Filter",
+		Attributes: map[string]schema.Attribute{
+			"groups": schema.SetAttribute{
+				ElementType: types.StringType,
+				Optional:    true,
+				Computed:    false,
+				Sensitive:   false,
+				Description: "Group IDs to filter",
+			},
+			"infer_from_ppl": schema.BoolAttribute{
+				Optional: true,
+			},
+		},
+	}
+	jwtGroupsFilterSchemaAttr = map[string]attr.Type{
+		"groups": types.SetType{
+			ElemType: types.StringType,
+		},
+		"infer_from_ppl": types.BoolType,
+	}
+)
+
+func JWTGroupsFilterFromPB(
+	dst *types.Object,
+	src *pb.JwtGroupsFilter,
+	diags *diag.Diagnostics,
+) {
+	if src == nil {
+		*dst = types.ObjectNull(jwtGroupsFilterSchemaAttr)
+		return
+	}
+
+	attrs := make(map[string]attr.Value)
+	if src.Groups == nil {
+		attrs["groups"] = types.SetNull(types.StringType)
+	} else {
+		var vals []attr.Value
+		for _, v := range src.Groups {
+			vals = append(vals, types.StringValue(v))
+		}
+		attrs["groups"] = types.SetValueMust(types.StringType, vals)
+	}
+
+	attrs["infer_from_ppl"] = types.BoolValue(src.InferFromPpl)
+
+	*dst = types.ObjectValueMust(jwtGroupsFilterSchemaAttr, attrs)
+}
+
+func JWTGroupsFilterToPB(
+	ctx context.Context,
+	dst **pb.JwtGroupsFilter,
+	src types.Object,
+	diags *diag.Diagnostics,
+) {
+	if src.IsNull() {
+		dst = nil
+		return
+	}
+
+	type jwtOptions struct {
+		Groups       []string `tfsdk:"groups"`
+		InferFromPpl bool     `tfsdk:"infer_from_ppl"`
+	}
+	var opts jwtOptions
+	d := src.As(ctx, &opts, basetypes.ObjectAsOptions{
+		UnhandledNullAsEmpty:    true,
+		UnhandledUnknownAsEmpty: false,
+	})
+	diags.Append(d...)
+	if d.HasError() {
+		return
+	}
+
+	*dst = &pb.JwtGroupsFilter{
+		Groups:       opts.Groups,
+		InferFromPpl: opts.InferFromPpl,
+	}
+}

internal/provider/jwt_group_filter_test.go

@@ -0,0 +1,115 @@
+package provider
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/pomerium/enterprise-client-go/pb"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/testing/protocmp"
+)
+
+func TestJWTGroupsFilterFromPB(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    *pb.JwtGroupsFilter
+		expected types.Object
+	}{
+		{
+			name:     "nil input",
+			input:    nil,
+			expected: types.ObjectNull(jwtGroupsFilterSchemaAttr),
+		},
+		{
+			name: "empty groups",
+			input: &pb.JwtGroupsFilter{
+				Groups:       []string{},
+				InferFromPpl: false,
+			},
+			expected: types.ObjectValueMust(jwtGroupsFilterSchemaAttr, map[string]attr.Value{
+				"groups":         types.SetValueMust(types.StringType, []attr.Value{}),
+				"infer_from_ppl": types.BoolValue(false),
+			}),
+		},
+		{
+			name: "with groups",
+			input: &pb.JwtGroupsFilter{
+				Groups:       []string{"group1", "group2"},
+				InferFromPpl: true,
+			},
+			expected: types.ObjectValueMust(jwtGroupsFilterSchemaAttr, map[string]attr.Value{
+				"groups": types.SetValueMust(types.StringType, []attr.Value{
+					types.StringValue("group1"),
+					types.StringValue("group2"),
+				}),
+				"infer_from_ppl": types.BoolValue(true),
+			}),
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			var diags diag.Diagnostics
+			var result types.Object
+			JWTGroupsFilterFromPB(&result, tc.input, &diags)
+			assert.False(t, diags.HasError())
+			diff := cmp.Diff(tc.expected, result)
+			assert.Empty(t, diff)
+		})
+	}
+}
+
+func TestJWTGroupsFilterToPB(t *testing.T) {
+	ctx := context.Background()
+	tests := []struct {
+		name     string
+		input    types.Object
+		expected *pb.JwtGroupsFilter
+	}{
+		{
+			name:     "null input",
+			input:    types.ObjectNull(jwtGroupsFilterSchemaAttr),
+			expected: nil,
+		},
+		{
+			name: "empty groups",
+			input: types.ObjectValueMust(jwtGroupsFilterSchemaAttr, map[string]attr.Value{
+				"groups":         types.SetValueMust(types.StringType, []attr.Value{}),
+				"infer_from_ppl": types.BoolValue(false),
+			}),
+			expected: &pb.JwtGroupsFilter{
+				Groups:       []string{},
+				InferFromPpl: false,
+			},
+		},
+		{
+			name: "with groups",
+			input: types.ObjectValueMust(jwtGroupsFilterSchemaAttr, map[string]attr.Value{
+				"groups": types.SetValueMust(types.StringType, []attr.Value{
+					types.StringValue("group1"),
+					types.StringValue("group2"),
+				}),
+				"infer_from_ppl": types.BoolValue(true),
+			}),
+			expected: &pb.JwtGroupsFilter{
+				Groups:       []string{"group1", "group2"},
+				InferFromPpl: true,
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			var diags diag.Diagnostics
+			var result *pb.JwtGroupsFilter
+			JWTGroupsFilterToPB(ctx, &result, tc.input, &diags)
+			assert.False(t, diags.HasError())
+			diff := cmp.Diff(tc.expected, result, protocmp.Transform())
+			assert.Empty(t, diff)
+		})
+	}
+}

internal/provider/route.go

@@ -198,6 +198,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Optional:    true,
 				Computed:    true,
 			},
+			"jwt_groups_filter": jwtGroupsFilterSchema,
 		},
 	}
 }

internal/provider/route_model.go

@@ -47,6 +47,7 @@ type RouteModel struct {
 	IDPClientID                      types.String         `tfsdk:"idp_client_id"`
 	IDPClientSecret                  types.String         `tfsdk:"idp_client_secret"`
 	ShowErrorDetails                 types.Bool           `tfsdk:"show_error_details"`
+	JWTGroupsFilter                  types.Object         `tfsdk:"jwt_groups_filter"`
 }
 
 func ConvertRouteToPB(
@@ -89,6 +90,7 @@ func ConvertRouteToPB(
 	pbRoute.IdpClientId = src.IDPClientID.ValueStringPointer()
 	pbRoute.IdpClientSecret = src.IDPClientSecret.ValueStringPointer()
 	pbRoute.ShowErrorDetails = src.ShowErrorDetails.ValueBool()
+	JWTGroupsFilterToPB(ctx, &pbRoute.JwtGroupsFilter, src.JWTGroupsFilter, &diagnostics)
 
 	diags := src.To.ElementsAs(ctx, &pbRoute.To, false)
 	diagnostics.Append(diags...)
@@ -147,6 +149,7 @@ func ConvertRouteFromPB(
 	dst.IDPClientID = types.StringPointerValue(src.IdpClientId)
 	dst.IDPClientSecret = types.StringPointerValue(src.IdpClientSecret)
 	dst.ShowErrorDetails = types.BoolValue(src.ShowErrorDetails)
+	JWTGroupsFilterFromPB(&dst.JWTGroupsFilter, src.JwtGroupsFilter, &diagnostics)
 
 	return diagnostics
 }

internal/provider/settings_model.go

@@ -80,6 +80,7 @@ type SettingsModel struct {
 	TimeoutIdle                                       timetypes.GoDuration `tfsdk:"timeout_idle"`
 	TimeoutRead                                       timetypes.GoDuration `tfsdk:"timeout_read"`
 	TimeoutWrite                                      timetypes.GoDuration `tfsdk:"timeout_write"`
+	JWTGroupsFilter                                   types.Object         `tfsdk:"jwt_groups_filter"`
 }
 
 func ConvertSettingsToPB(
@@ -151,6 +152,7 @@ func ConvertSettingsToPB(
 	ToDuration(&pbSettings.TimeoutIdle, src.TimeoutIdle, &diagnostics)
 	ToDuration(&pbSettings.TimeoutRead, src.TimeoutRead, &diagnostics)
 	ToDuration(&pbSettings.TimeoutWrite, src.TimeoutWrite, &diagnostics)
+	JWTGroupsFilterToPB(ctx, &pbSettings.JwtGroupsFilter, src.JWTGroupsFilter, &diagnostics)
 
 	return pbSettings, diagnostics
 }
@@ -223,6 +225,7 @@ func ConvertSettingsFromPB(
 	dst.TimeoutIdle = FromDuration(src.TimeoutIdle)
 	dst.TimeoutRead = FromDuration(src.TimeoutRead)
 	dst.TimeoutWrite = FromDuration(src.TimeoutWrite)
+	JWTGroupsFilterFromPB(&dst.JWTGroupsFilter, src.JwtGroupsFilter, &diagnostics)
 
 	return diagnostics
 }

internal/provider/settings_schema.go

@@ -190,6 +190,7 @@ var SettingsResourceSchema = schema.Schema{
 			Optional:    true,
 			Description: "JWT claims headers mapping",
 		},
+		"jwt_groups_filter": jwtGroupsFilterSchema,
 		"default_upstream_timeout": schema.StringAttribute{
 			Optional:    true,
 			Description: "Default upstream timeout",