Add SCIM Config resource (#2179)

* add SCIM config

* add README

* add newline

* clarify that resource ID should always be default

* use legacy implementation to hardcode scim app platform endpoints

* merge create/update funcs, correct path & namespace

* go generate docs

* generate schema

* update URL construction & clean up test cases

Author: colin-stuart

docs/resources/scim_config.md

@@ -0,0 +1,41 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "grafana_scim_config Resource - terraform-provider-grafana"
+subcategory: "Grafana Enterprise"
+description: |-
+  Note: This resource is available only with Grafana Enterprise.
+  Official documentation https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-scim-provisioning/
+---
+
+# grafana_scim_config (Resource)
+
+**Note:** This resource is available only with Grafana Enterprise.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-scim-provisioning/)
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `enable_group_sync` (Boolean) Whether group synchronization is enabled.
+- `enable_user_sync` (Boolean) Whether user synchronization is enabled.
+
+### Optional
+
+- `org_id` (String) The Organization ID. If not set, the Org ID defined in the provider block will be used.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import grafana_scim_config.name ""
+terraform import grafana_scim_config.name "{{ orgID }}"
+```

examples/resources/grafana_scim_config/import.sh

@@ -0,0 +1,2 @@
+terraform import grafana_scim_config.name ""
+terraform import grafana_scim_config.name "{{ orgID }}"

examples/resources/grafana_scim_config/main.tf

@@ -0,0 +1,4 @@
+resource "grafana_scim_config" "default" {
+  enable_user_sync  = true
+  enable_group_sync = false
+}

internal/resources/grafana/catalog-resource.yaml

@@ -430,6 +430,19 @@ spec:
 ---
 apiVersion: backstage.io/v1alpha1
 kind: Component
+metadata:
+  name: resource-grafana_scim_config
+  title: grafana_scim_config (resource)
+  description: |
+    resource `grafana_scim_config` in Grafana Labs' Terraform Provider
+spec:
+  subcomponentOf: component:default/terraform-provider-grafana
+  type: terraform-resource
+  owner: group:default/identity-squad
+  lifecycle: production
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
 metadata:
   name: resource-grafana_user
   title: grafana_user (resource)

internal/resources/grafana/resource_scim_config.go

@@ -0,0 +1,270 @@
+package grafana
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/grafana/terraform-provider-grafana/v3/internal/common"
+)
+
+// SCIMConfig represents the SCIM configuration structure
+type SCIMConfig struct {
+	APIVersion string             `json:"apiVersion"`
+	Kind       string             `json:"kind"`
+	Metadata   SCIMConfigMetadata `json:"metadata"`
+	Spec       SCIMConfigSpec     `json:"spec"`
+}
+
+// SCIMConfigMetadata represents the metadata for SCIM config
+type SCIMConfigMetadata struct {
+	Name      string `json:"name"`
+	Namespace string `json:"namespace"`
+}
+
+// SCIMConfigSpec represents the SCIM configuration specification
+type SCIMConfigSpec struct {
+	EnableUserSync  bool `json:"enableUserSync"`
+	EnableGroupSync bool `json:"enableGroupSync"`
+}
+
+func resourceSCIMConfig() *common.Resource {
+	schema := &schema.Resource{
+		Description: `
+**Note:** This resource is available only with Grafana Enterprise.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-scim-provisioning/)
+`,
+		CreateContext: CreateOrUpdateSCIMConfig,
+		UpdateContext: CreateOrUpdateSCIMConfig,
+		ReadContext:   ReadSCIMConfig,
+		DeleteContext: DeleteSCIMConfig,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"org_id": orgIDAttribute(),
+			"enable_user_sync": {
+				Type:        schema.TypeBool,
+				Required:    true,
+				Description: "Whether user synchronization is enabled.",
+			},
+			"enable_group_sync": {
+				Type:        schema.TypeBool,
+				Required:    true,
+				Description: "Whether group synchronization is enabled.",
+			},
+		},
+	}
+
+	return common.NewLegacySDKResource(
+		common.CategoryGrafanaEnterprise,
+		"grafana_scim_config",
+		common.NewResourceID(common.OptionalIntIDField("orgID")),
+		schema,
+	)
+}
+
+func CreateOrUpdateSCIMConfig(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	_, orgID := OAPIClientFromNewOrgResource(meta, d)
+
+	// Get the transport configuration to access HTTP client and API key
+	metaClient := meta.(*common.Client)
+	transportConfig := metaClient.GrafanaAPIConfig
+	if transportConfig == nil {
+		return diag.Errorf("transport configuration not available")
+	}
+
+	// Determine namespace based on whether this is on-prem or cloud
+	var namespace string
+	switch {
+	case metaClient.GrafanaOrgID > 0:
+		// On-prem Grafana instance - use "default" namespace
+		namespace = "default"
+	case metaClient.GrafanaStackID > 0:
+		// Grafana Cloud instance - use "stacks-{stackId}" namespace
+		namespace = fmt.Sprintf("stacks-%d", metaClient.GrafanaStackID)
+	default:
+		return diag.Errorf("expected either Grafana org ID (for local Grafana) or Grafana stack ID (for Grafana Cloud) to be set")
+	}
+
+	// Create or update SCIM config
+	scimConfig := SCIMConfig{
+		APIVersion: "scim.grafana.app/v0alpha1",
+		Kind:       "SCIMConfig",
+		Metadata: SCIMConfigMetadata{
+			Name:      "default",
+			Namespace: namespace,
+		},
+		Spec: SCIMConfigSpec{
+			EnableUserSync:  d.Get("enable_user_sync").(bool),
+			EnableGroupSync: d.Get("enable_group_sync").(bool),
+		},
+	}
+
+	jsonData, err := json.Marshal(scimConfig)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to marshal SCIM config: %w", err))
+	}
+
+	apiPath, err := url.JoinPath(transportConfig.BasePath, "apis/scim.grafana.app/v0alpha1/namespaces", namespace, "config/default")
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to construct API path: %w", err))
+	}
+	requestURL := fmt.Sprintf("%s://%s/%s",
+		transportConfig.Schemes[0], transportConfig.Host, apiPath)
+
+	req, err := http.NewRequestWithContext(ctx, "PUT", requestURL, bytes.NewBuffer(jsonData))
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to create request: %w", err))
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+transportConfig.APIKey)
+
+	// Use the HTTP client from the transport configuration
+	httpClient := &http.Client{}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to create or update SCIM config: %w", err))
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return diag.FromErr(fmt.Errorf("failed to create or update SCIM config, status: %d", resp.StatusCode))
+	}
+
+	// Set ID if this is a create operation (ID is empty)
+	if d.Id() == "" {
+		d.SetId(MakeOrgResourceID(orgID, "scim-config"))
+	}
+
+	return ReadSCIMConfig(ctx, d, meta)
+}
+
+func ReadSCIMConfig(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	// Get the transport configuration to access HTTP client and API key
+	metaClient := meta.(*common.Client)
+	transportConfig := metaClient.GrafanaAPIConfig
+	if transportConfig == nil {
+		return diag.Errorf("transport configuration not available")
+	}
+
+	// Determine namespace based on whether this is on-prem or cloud
+	var namespace string
+	switch {
+	case metaClient.GrafanaOrgID > 0:
+		// On-prem Grafana instance - use "default" namespace
+		namespace = "default"
+	case metaClient.GrafanaStackID > 0:
+		// Grafana Cloud instance - use "stacks-{stackId}" namespace
+		namespace = fmt.Sprintf("stacks-%d", metaClient.GrafanaStackID)
+	default:
+		return diag.Errorf("expected either Grafana org ID (for local Grafana) or Grafana stack ID (for Grafana Cloud) to be set")
+	}
+
+	// Read SCIM config
+	apiPath, err := url.JoinPath(transportConfig.BasePath, "apis/scim.grafana.app/v0alpha1/namespaces", namespace, "config/default")
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to construct API path: %w", err))
+	}
+	requestURL := fmt.Sprintf("%s://%s/%s",
+		transportConfig.Schemes[0], transportConfig.Host, apiPath)
+
+	req, err := http.NewRequestWithContext(ctx, "GET", requestURL, nil)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to create request: %w", err))
+	}
+
+	req.Header.Set("Authorization", "Bearer "+transportConfig.APIKey)
+
+	// Use the HTTP client from the transport configuration
+	httpClient := &http.Client{}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to read SCIM config: %w", err))
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusNotFound {
+		d.SetId("")
+		return nil
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return diag.FromErr(fmt.Errorf("failed to read SCIM config, status: %d", resp.StatusCode))
+	}
+
+	var scimConfig SCIMConfig
+	if err := json.NewDecoder(resp.Body).Decode(&scimConfig); err != nil {
+		return diag.FromErr(fmt.Errorf("failed to decode SCIM config: %w", err))
+	}
+
+	err = d.Set("enable_user_sync", scimConfig.Spec.EnableUserSync)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set("enable_group_sync", scimConfig.Spec.EnableGroupSync)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func DeleteSCIMConfig(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	// Get the transport configuration to access HTTP client and API key
+	metaClient := meta.(*common.Client)
+	transportConfig := metaClient.GrafanaAPIConfig
+	if transportConfig == nil {
+		return diag.Errorf("transport configuration not available")
+	}
+
+	// Determine namespace based on whether this is on-prem or cloud
+	var namespace string
+	switch {
+	case metaClient.GrafanaOrgID > 0:
+		// On-prem Grafana instance - use "default" namespace
+		namespace = "default"
+	case metaClient.GrafanaStackID > 0:
+		// Grafana Cloud instance - use "stacks-{stackId}" namespace
+		namespace = fmt.Sprintf("stacks-%d", metaClient.GrafanaStackID)
+	default:
+		return diag.Errorf("expected either Grafana org ID (for local Grafana) or Grafana stack ID (for Grafana Cloud) to be set")
+	}
+
+	// Delete SCIM config
+	apiPath, err := url.JoinPath(transportConfig.BasePath, "apis/scim.grafana.app/v0alpha1/namespaces", namespace, "config/default")
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to construct API path: %w", err))
+	}
+	requestURL := fmt.Sprintf("%s://%s/%s",
+		transportConfig.Schemes[0], transportConfig.Host, apiPath)
+
+	req, err := http.NewRequestWithContext(ctx, "DELETE", requestURL, nil)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to create request: %w", err))
+	}
+
+	req.Header.Set("Authorization", "Bearer "+transportConfig.APIKey)
+
+	// Use the HTTP client from the transport configuration
+	httpClient := &http.Client{}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to delete SCIM config: %w", err))
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNotFound {
+		return diag.FromErr(fmt.Errorf("failed to delete SCIM config, status: %d", resp.StatusCode))
+	}
+
+	return nil
+}