Add support for isSudoEnabled to AWS SSH installations (#43)

Adds a new management property, `is_sudo_enabled`, to the AWS SSH installation resource. The parameter defaults to "false" and can be omitted. ### Examples ##### Disabled ``` resource "p0_ssh_aws" "aws-example" { account_id = "123456789012" group_key = "Customer" } ``` ``` resource "p0_ssh_aws" "aws-example" { account_id = "123456789012" group_key = "Customer" is_sudo_enabled = false } ``` ##### Enabled ``` resource "p0_ssh_aws" "aws-example" { account_id = "123456789012" group_key = "Customer" is_sudo_enabled = true } ```
p0-security · Dec 18, 2024 · d051f47 · d051f47
1 parent 61988b5
commit d051f47
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 8 deletions.
diff --git a/docs/resources/ssh_aws.md b/docs/resources/ssh_aws.md
@@ -32,6 +32,7 @@ resource "p0_ssh_aws" "example" {
 ### Optional
 
 - `group_key` (String) If present, AWS instances will be grouped by the value of this tag. Access can be requested, in one request, to all instances with a shared tag value
+- `is_sudo_enabled` (Boolean) If true, users will be able to request sudo access to the instances
 - `label` (String) The AWS account's alias (if available)
 
 ### Read-Only

diff --git a/internal/provider/resources/install/ssh/aws.go b/internal/provider/resources/install/ssh/aws.go
@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/p0-security/terraform-provider-p0/internal"
@@ -29,16 +30,18 @@ type sshAwsIamWrite struct {
 }
 
 type sshAwsIamWriteModel struct {
-	AccountId types.String `tfsdk:"account_id" json:"accountId,omitempty"`
-	GroupKey  types.String `tfsdk:"group_key" json:"groupKey,omitempty"`
-	State     types.String `tfsdk:"state" json:"state,omitempty"`
-	Label     types.String `tfsdk:"label" json:"label,omitempty"`
+	AccountId     types.String `tfsdk:"account_id" json:"accountId,omitempty"`
+	IsSudoEnabled types.Bool   `tfsdk:"is_sudo_enabled" json:"isSudoEnabled,omitempty"`
+	GroupKey      types.String `tfsdk:"group_key" json:"groupKey,omitempty"`
+	State         types.String `tfsdk:"state" json:"state,omitempty"`
+	Label         types.String `tfsdk:"label" json:"label,omitempty"`
 }
 
 type sshAwsIamWriteJson struct {
-	GroupKey *string `json:"groupKey"`
-	State    string  `json:"state"`
-	Label    *string `json:"label,omitempty"`
+	GroupKey      *string `json:"groupKey"`
+	IsSudoEnabled *bool   `json:"isSudoEnabled,omitempty"`
+	State         string  `json:"state"`
+	Label         *string `json:"label,omitempty"`
 }
 
 type sshAwsIamWriteApi struct {
@@ -72,6 +75,12 @@ Installing SSH allows you to manage access to your servers on AWS.`,
 				MarkdownDescription: `If present, AWS instances will be grouped by the value of this tag. Access can be requested, in one request, to all instances with a shared tag value`,
 				Optional:            true,
 			},
+			"is_sudo_enabled": schema.BoolAttribute{
+				MarkdownDescription: `If true, users will be able to request sudo access to the instances`,
+				Optional:            true,
+				Computed:            true,
+				Default:             booldefault.StaticBool(false),
+			},
 			"state": schema.StringAttribute{
 				MarkdownDescription: installresources.StateMarkdownDescription,
 				Computed:            true,
@@ -126,19 +135,26 @@ func (r *sshAwsIamWrite) fromJson(ctx context.Context, diags *diag.Diagnostics,
 	// remove the aws prefix.
 	accountId := strings.TrimPrefix(id, awsPrefix)
 	data.AccountId = types.StringValue(accountId)
+	data.State = types.StringValue(jsonv.State)
+
 	data.Label = types.StringNull()
 	if jsonv.Label != nil {
 		label := types.StringValue(*jsonv.Label)
 		data.Label = label
 	}
 
-	data.State = types.StringValue(jsonv.State)
 	data.GroupKey = types.StringNull()
 	if jsonv.GroupKey != nil {
 		group := types.StringValue(*jsonv.GroupKey)
 		data.GroupKey = group
 	}
 
+	data.IsSudoEnabled = types.BoolNull()
+	if jsonv.IsSudoEnabled != nil {
+		isSudoEnabled := types.BoolValue(*jsonv.IsSudoEnabled)
+		data.IsSudoEnabled = isSudoEnabled
+	}
+
 	return &data
 }
 
@@ -160,6 +176,11 @@ func (r *sshAwsIamWrite) toJson(data any) any {
 		json.GroupKey = &group
 	}
 
+	if !datav.IsSudoEnabled.IsNull() {
+		isSudoEnabled := datav.IsSudoEnabled.ValueBool()
+		json.IsSudoEnabled = &isSudoEnabled
+	}
+
 	// can omit state here as it's filled by the backend
 	return &json
 }