Add security role mapping data source (#178)

* Implement role mapping data-source

* Generate docs for security role mapping data-source

* Update CHANGELOG

* Fix docs to include subcategory

Author: Kanji Yomoda

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ### Added
 - New resource `elasticstack_elasticsearch_logstash_pipeline` to manage Logstash pipelines ([Centralized Pipeline Management](https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html)) ([#151](https://github.com/elastic/terraform-provider-elasticstack/pull/151))
+- Add `elasticstack_elasticsearch_security_role_mapping` data source ([#178](https://github.com/elastic/terraform-provider-elasticstack/pull/178))
 
 ### Fixed
 - Remove unnecessary unsetting id on delete ([#174](https://github.com/elastic/terraform-provider-elasticstack/pull/174))

docs/data-sources/elasticsearch_security_role_mapping.md

@@ -0,0 +1,60 @@
+---
+subcategory: "Security"
+layout: ""
+page_title: "Elasticstack: elasticstack_elasticsearch_security_role_mapping Data Source"
+description: |-
+  Retrieves role mappings.
+---
+
+# Data Source: elasticstack_elasticsearch_security_role_mapping
+
+Retrieves role mappings. See, https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-role-mapping.html
+
+## Example Usage
+
+```terraform
+provider "elasticstack" {
+  elasticsearch {}
+}
+
+data "elasticstack_elasticsearch_security_role_mapping" "mapping" {
+  name = "my_mapping"
+}
+
+output "user" {
+  value = data.elasticstack_elasticsearch_security_role_mapping.mapping.name
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The distinct name that identifies the role mapping, used solely as an identifier.
+
+### Optional
+
+- `elasticsearch_connection` (Block List, Max: 1) Used to establish connection to Elasticsearch server. Overrides environment variables if present. (see [below for nested schema](#nestedblock--elasticsearch_connection))
+
+### Read-Only
+
+- `enabled` (Boolean) Mappings that have `enabled` set to `false` are ignored when role mapping is performed.
+- `id` (String) Internal identifier of the resource
+- `metadata` (String) Additional metadata that helps define which roles are assigned to each user. Keys beginning with `_` are reserved for system usage.
+- `role_templates` (String) A list of mustache templates that will be evaluated to determine the roles names that should granted to the users that match the role mapping rules.
+- `roles` (Set of String) A list of role names that are granted to the users that match the role mapping rules.
+- `rules` (String) The rules that determine which users should be matched by the mapping. A rule is a logical condition that is expressed by using a JSON DSL.
+
+<a id="nestedblock--elasticsearch_connection"></a>
+### Nested Schema for `elasticsearch_connection`
+
+Optional:
+
+- `api_key` (String, Sensitive) API Key to use for authentication to Elasticsearch
+- `ca_data` (String) PEM-encoded custom Certificate Authority certificate
+- `ca_file` (String) Path to a custom Certificate Authority certificate
+- `endpoints` (List of String, Sensitive) A list of endpoints the Terraform provider will point to. They must include the http(s) schema and port number.
+- `insecure` (Boolean) Disable TLS certificate validation
+- `password` (String, Sensitive) A password to use for API authentication to Elasticsearch.
+- `username` (String) A username to use for API authentication to Elasticsearch.

examples/data-sources/elasticstack_elasticsearch_security_role_mapping/data-source.tf

@@ -0,0 +1,11 @@
+provider "elasticstack" {
+  elasticsearch {}
+}
+
+data "elasticstack_elasticsearch_security_role_mapping" "mapping" {
+  name = "my_mapping"
+}
+
+output "user" {
+  value = data.elasticstack_elasticsearch_security_role_mapping.mapping.name
+}

internal/elasticsearch/security/role_mapping_data_source.go

@@ -0,0 +1,77 @@
+package security
+
+import (
+	"context"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients"
+	"github.com/elastic/terraform-provider-elasticstack/internal/utils"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func DataSourceRoleMapping() *schema.Resource {
+	roleMappingSchema := map[string]*schema.Schema{
+		"id": {
+			Description: "Internal identifier of the resource",
+			Type:        schema.TypeString,
+			Computed:    true,
+		},
+		"name": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Description: "The distinct name that identifies the role mapping, used solely as an identifier.",
+		},
+		"enabled": {
+			Type:        schema.TypeBool,
+			Computed:    true,
+			Description: "Mappings that have `enabled` set to `false` are ignored when role mapping is performed.",
+		},
+		"rules": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The rules that determine which users should be matched by the mapping. A rule is a logical condition that is expressed by using a JSON DSL.",
+		},
+		"roles": {
+			Type: schema.TypeSet,
+			Elem: &schema.Schema{
+				Type: schema.TypeString,
+			},
+			Computed:    true,
+			Description: "A list of role names that are granted to the users that match the role mapping rules.",
+		},
+		"role_templates": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "A list of mustache templates that will be evaluated to determine the roles names that should granted to the users that match the role mapping rules.",
+		},
+		"metadata": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "Additional metadata that helps define which roles are assigned to each user. Keys beginning with `_` are reserved for system usage.",
+		},
+	}
+
+	utils.AddConnectionSchema(roleMappingSchema)
+
+	return &schema.Resource{
+		Description: "Retrieves role mappings. See, https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-role-mapping.html",
+		ReadContext: dataSourceSecurityRoleMappingRead,
+		Schema:      roleMappingSchema,
+	}
+}
+
+func dataSourceSecurityRoleMappingRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := clients.NewApiClient(d, meta)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	roleId := d.Get("name").(string)
+	id, diags := client.ID(ctx, roleId)
+	if diags.HasError() {
+		return diags
+	}
+	d.SetId(id.String())
+
+	return resourceSecurityRoleMappingRead(ctx, d, meta)
+}

internal/elasticsearch/security/role_mapping_data_source_test.go

@@ -0,0 +1,54 @@
+package security_test
+
+import (
+	"testing"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/acctest"
+	"github.com/elastic/terraform-provider-elasticstack/internal/utils"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccDataSourceSecurityRoleMapping(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSecurityRole,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.elasticstack_elasticsearch_security_role_mapping.test", "name", "data_source_test"),
+					resource.TestCheckResourceAttr("data.elasticstack_elasticsearch_security_role_mapping.test", "enabled", "true"),
+					utils.TestCheckResourceListAttr("data.elasticstack_elasticsearch_security_role_mapping.test", "roles", []string{"admin"}),
+					resource.TestCheckResourceAttr("data.elasticstack_elasticsearch_security_role_mapping.test", "rules", `{"any":[{"field":{"username":"esadmin"}},{"field":{"groups":"cn=admins,dc=example,dc=com"}}]}`),
+					resource.TestCheckResourceAttr("data.elasticstack_elasticsearch_security_role_mapping.test", "metadata", `{"version":1}`),
+				),
+			},
+		},
+	})
+}
+
+const testAccDataSourceSecurityRole = `
+provider "elasticstack" {
+  elasticsearch {}
+}
+
+resource "elasticstack_elasticsearch_security_role_mapping" "test" {
+  name = "data_source_test"
+  enabled = true
+  roles = [
+    "admin"
+  ]
+  rules = jsonencode({
+    any = [
+      { field = { username = "esadmin" } },
+      { field = { groups = "cn=admins,dc=example,dc=com" } },
+    ]
+  })
+
+  metadata = jsonencode({ version = 1 })
+}
+
+data "elasticstack_elasticsearch_security_role_mapping" "test" {
+  name = elasticstack_elasticsearch_security_role_mapping.test.name
+}
+`

provider/provider.go

@@ -118,6 +118,7 @@ func New(version string) func() *schema.Provider {
 				"elasticstack_elasticsearch_ingest_processor_urldecode":         ingest.DataSourceProcessorUrldecode(),
 				"elasticstack_elasticsearch_ingest_processor_uri_parts":         ingest.DataSourceProcessorUriParts(),
 				"elasticstack_elasticsearch_ingest_processor_user_agent":        ingest.DataSourceProcessorUserAgent(),
+				"elasticstack_elasticsearch_security_role_mapping":              security.DataSourceRoleMapping(),
 				"elasticstack_elasticsearch_security_user":                      security.DataSourceUser(),
 				"elasticstack_elasticsearch_snapshot_repository":                cluster.DataSourceSnapshotRespository(),
 			},

templates/data-sources/elasticsearch_security_role_mapping.md.tmpl

@@ -0,0 +1,17 @@
+---
+subcategory: "Security"
+layout: ""
+page_title: "Elasticstack: elasticstack_elasticsearch_security_role_mapping Data Source"
+description: |-
+  Retrieves role mappings.
+---
+
+# Data Source: elasticstack_elasticsearch_security_role_mapping
+
+Retrieves role mappings. See, https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-role-mapping.html
+
+## Example Usage
+
+{{ tffile "examples/data-sources/elasticstack_elasticsearch_security_role_mapping/data-source.tf" }}
+
+{{ .SchemaMarkdown | trimspace }}