Josh/cf 3611 allow multi stage approvals (#128)

* Add approval steps to access workflows * Generate documentation * Fix Name assigned to When * bump sdk to v1.63.0 * fix terraform always wanting to update default values * changeset --------- Co-authored-by: JoshuaWilkes <[email protected]>
common-fate · Oct 4, 2024 · 89ea58b · 89ea58b
1 parent aebff46
commit 89ea58b
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 2 deletions.
diff --git a/.changeset/good-beers-occur.md b/.changeset/good-beers-occur.md
@@ -0,0 +1,5 @@
+---
+"@common-fate/terraform-provider-commonfate": minor
+---
+
+Adds support for configuring approval steps on a workflow, which enables multi approval requirements for Grants.
diff --git a/docs/resources/access_workflow.md b/docs/resources/access_workflow.md
@@ -46,6 +46,7 @@ resource "commonfate-access_workflow" "workflow-demo" {
 ### Optional
 
 - `activation_expiry` (Number) The amount of time after access is activated before the request will be expired
+- `approval_steps` (Attributes List) Define the requirements for grant approval, each step must be completed by a distict principal, steps can be completed in any order. (see [below for nested schema](#nestedatt--approval_steps))
 - `default_duration_seconds` (Number) The default duration of the access workflow
 - `extension_conditions` (Attributes) Configuration for extending access (see [below for nested schema](#nestedatt--extension_conditions))
 - `name` (String) A unique name for the workflow so you know how to identify it.
@@ -57,6 +58,15 @@ resource "commonfate-access_workflow" "workflow-demo" {
 
 - `id` (String) The internal approval workflow ID
 
+<a id="nestedatt--approval_steps"></a>
+### Nested Schema for `approval_steps`
+
+Required:
+
+- `name` (String) The name of the approval step.
+- `when` (String) The Cedar when expression to evaluate a review for a match.
+
+
 <a id="nestedatt--extension_conditions"></a>
 ### Nested Schema for `extension_conditions`
 

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ toolchain go1.21.4
 require (
 	connectrpc.com/connect v1.14.0
 	github.com/common-fate/grab v1.1.0
-	github.com/common-fate/sdk v1.60.0
+	github.com/common-fate/sdk v1.63.0
 	github.com/hashicorp/terraform-plugin-docs v0.13.0
 	github.com/hashicorp/terraform-plugin-framework v1.4.2
 	github.com/hashicorp/terraform-plugin-log v0.9.0

diff --git a/go.sum b/go.sum
@@ -68,6 +68,10 @@ github.com/common-fate/sdk v1.59.3-0.20240930041650-9dff9f8c434c h1:fXiW8om7V+0G
 github.com/common-fate/sdk v1.59.3-0.20240930041650-9dff9f8c434c/go.mod h1:OrXhzB2Y1JSrKGHrb4qRmY+6MF2M3MFb+3edBnessXo=
 github.com/common-fate/sdk v1.60.0 h1:Ebh9SfCoA/2dArKDMlw89rgfmNYVWUqJY0J5gNxRsgc=
 github.com/common-fate/sdk v1.60.0/go.mod h1:OrXhzB2Y1JSrKGHrb4qRmY+6MF2M3MFb+3edBnessXo=
+github.com/common-fate/sdk v1.61.1-0.20241003003332-71be03ac64a6 h1:Y5VvsG4+byDP5AlVoXM2h8izSvN7WDLGvTeuHdiczmA=
+github.com/common-fate/sdk v1.61.1-0.20241003003332-71be03ac64a6/go.mod h1:OrXhzB2Y1JSrKGHrb4qRmY+6MF2M3MFb+3edBnessXo=
+github.com/common-fate/sdk v1.63.0 h1:Nlgf3jpoJVy7DR3QhKvkZW3LYUyWXT5oDBpF3h/Xtjs=
+github.com/common-fate/sdk v1.63.0/go.mod h1:OrXhzB2Y1JSrKGHrb4qRmY+6MF2M3MFb+3edBnessXo=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=

diff --git a/internal/access/resource_access_workflow.go b/internal/access/resource_access_workflow.go
@@ -37,7 +37,10 @@ type ExtensionConditions struct {
 	MaxExtensions     types.Int64 `tfsdk:"maximum_number_of_extensions"`
 	ExtensionDuration types.Int64 `tfsdk:"extension_duration_seconds"`
 }
-
+type ApprovalStep struct {
+	Name types.String `tfsdk:"name"`
+	When types.String `tfsdk:"when"`
+}
 type AccessWorkflowModel struct {
 	ID                  types.String         `tfsdk:"id"`
 	Name                types.String         `tfsdk:"name"`
@@ -48,6 +51,7 @@ type AccessWorkflowModel struct {
 	DefaultDuration     types.Int64          `tfsdk:"default_duration_seconds"`
 	Validation          *Validations         `tfsdk:"validation"`
 	ExtensionConditions *ExtensionConditions `tfsdk:"extension_conditions"`
+	ApprovalSteps       []ApprovalStep       `tfsdk:"approval_steps"`
 }
 
 // AccessRuleResource is the data source implementation.
@@ -171,6 +175,23 @@ func (r *AccessWorkflowResource) Schema(ctx context.Context, req resource.Schema
 					},
 				},
 			},
+			"approval_steps": schema.ListNestedAttribute{
+				MarkdownDescription: "Define the requirements for grant approval, each step must be completed by a distict principal, steps can be completed in any order.",
+				Optional:            true,
+
+				NestedObject: schema.NestedAttributeObject{
+					Attributes: map[string]schema.Attribute{
+						"name": schema.StringAttribute{
+							MarkdownDescription: "The name of the approval step.",
+							Required:            true,
+						},
+						"when": schema.StringAttribute{
+							MarkdownDescription: "The Cedar when expression to evaluate a review for a match.",
+							Required:            true,
+						},
+					},
+				},
+			},
 		},
 		MarkdownDescription: `Access Workflows are used to describe how long access should be applied. Created Workflows can be referenced in other resources created.`,
 	}
@@ -261,6 +282,13 @@ func (r *AccessWorkflowResource) Create(ctx context.Context, req resource.Create
 		createReq.ExtensionConditions = &cond
 	}
 
+	for _, step := range data.ApprovalSteps {
+		createReq.ApprovalSteps = append(createReq.ApprovalSteps, &configv1alpha1.ApprovalStep{
+			Name: step.Name.ValueString(),
+			When: step.When.ValueString(),
+		})
+	}
+
 	res, err := r.client.CreateAccessWorkflow(ctx, connect.NewRequest(createReq))
 
 	if err != nil {
@@ -356,6 +384,14 @@ func (r *AccessWorkflowResource) Read(ctx context.Context, req resource.ReadRequ
 		}
 	}
 
+	state.ApprovalSteps = nil
+	for _, step := range res.Msg.Workflow.ApprovalSteps {
+		state.ApprovalSteps = append(state.ApprovalSteps, ApprovalStep{
+			Name: types.StringValue(step.Name),
+			When: types.StringValue(step.When),
+		})
+	}
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, &state)...)
 }
 
@@ -441,6 +477,13 @@ func (r *AccessWorkflowResource) Update(ctx context.Context, req resource.Update
 		updateReq.Workflow.ExtensionConditions = &cond
 	}
 
+	for _, step := range data.ApprovalSteps {
+		updateReq.Workflow.ApprovalSteps = append(updateReq.Workflow.ApprovalSteps, &configv1alpha1.ApprovalStep{
+			Name: step.Name.ValueString(),
+			When: step.When.ValueString(),
+		})
+	}
+
 	res, err := r.client.UpdateAccessWorkflow(ctx, connect.NewRequest(updateReq))
 
 	if err != nil {