feat: support auth0_organization_discovery_domains resource

Author: ewanharris

docs/resources/organization_discovery_domains.md

@@ -0,0 +1,39 @@
+---
+page_title: "Resource: auth0_organization_discovery_domains"
+description: |-
+  With this resource, you can manage discovery domains on an organization.
+---
+
+# Resource: auth0_organization_discovery_domains
+
+With this resource, you can manage discovery domains on an organization.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `discovery_domains` (Block Set, Min: 1) Discovery domains that are configured for the organization. (see [below for nested schema](#nestedblock--discovery_domains))
+- `organization_id` (String) ID of the organization on which to manage the discovery domains.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--discovery_domains"></a>
+### Nested Schema for `discovery_domains`
+
+Required:
+
+- `domain` (String) The domain name for organization discovery.
+- `status` (String) Verification status. Must be either 'pending' or 'verified'.
+
+Read-Only:
+
+- `id` (String) The ID of the discovery domain.
+- `verification_host` (String) The full domain where the TXT record should be added.
+- `verification_txt` (String) TXT record value for domain verification.
+
+

internal/auth0/organization/expand.go

@@ -90,3 +90,23 @@ func expandOrganizationDiscoveryDomain(data *schema.ResourceData) *management.Or
 		// Note: ID, VerificationTXT, and VerificationHost are read-only and should not be sent to the API.
 	}
 }
+
+func expandOrganizationDiscoveryDomainFromConfig(domainCfg cty.Value) *management.OrganizationDiscoveryDomain {
+	return &management.OrganizationDiscoveryDomain{
+		Domain: value.String(domainCfg.GetAttr("domain")),
+		Status: value.String(domainCfg.GetAttr("status")),
+		// Note: ID, VerificationTXT, and VerificationHost are read-only and should not be sent to the API.
+	}
+}
+
+func expandOrganizationDiscoveryDomains(cfg cty.Value) []*management.OrganizationDiscoveryDomain {
+	domains := make([]*management.OrganizationDiscoveryDomain, 0)
+
+	cfg.ForEachElement(func(_ cty.Value, domainCfg cty.Value) (stop bool) {
+		domains = append(domains, expandOrganizationDiscoveryDomainFromConfig(domainCfg))
+
+		return stop
+	})
+
+	return domains
+}

internal/auth0/organization/flatten.go

@@ -142,3 +142,22 @@ func flattenOrganizationDiscoveryDomain(data *schema.ResourceData, discoveryDoma
 
 	return result.ErrorOrNil()
 }
+
+func flattenOrganizationDiscoveryDomains(data *schema.ResourceData, domains []*management.OrganizationDiscoveryDomain) error {
+	if len(domains) == 0 {
+		return data.Set("discovery_domains", []interface{}{})
+	}
+
+	var enabledDomains []interface{}
+	for _, domain := range domains {
+		enabledDomains = append(enabledDomains, map[string]interface{}{
+			"id":                domain.GetID(),
+			"domain":            domain.GetDomain(),
+			"status":            domain.GetStatus(),
+			"verification_txt":  domain.GetVerificationTXT(),
+			"verification_host": domain.GetVerificationHost(),
+		})
+	}
+
+	return data.Set("discovery_domains", enabledDomains)
+}

internal/auth0/organization/resource_discovery_domains.go

@@ -0,0 +1,293 @@
+package organization
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/auth0/go-auth0/management"
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	"github.com/auth0/terraform-provider-auth0/internal/config"
+	internalError "github.com/auth0/terraform-provider-auth0/internal/error"
+	"github.com/auth0/terraform-provider-auth0/internal/value"
+)
+
+// NewDiscoveryDomainsResource will return a new auth0_organization_discovery_domains (1:many) resource.
+func NewDiscoveryDomainsResource() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"organization_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "ID of the organization on which to manage the discovery domains.",
+			},
+			"discovery_domains": {
+				Type: schema.TypeSet,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"domain": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "The domain name for organization discovery.",
+						},
+						"status": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.StringInSlice([]string{"pending", "verified"}, false),
+							Description:  "Verification status. Must be either 'pending' or 'verified'.",
+						},
+						"id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The ID of the discovery domain.",
+						},
+						"verification_txt": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "TXT record value for domain verification.",
+						},
+						"verification_host": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The full domain where the TXT record should be added.",
+						},
+					},
+				},
+				Required:    true,
+				Description: "Discovery domains that are configured for the organization.",
+			},
+		},
+		CreateContext: createOrganizationDiscoveryDomains,
+		ReadContext:   readOrganizationDiscoveryDomains,
+		UpdateContext: updateOrganizationDiscoveryDomains,
+		DeleteContext: deleteOrganizationDiscoveryDomains,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Description: "With this resource, you can manage discovery domains on an organization.",
+	}
+}
+
+func createOrganizationDiscoveryDomains(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := meta.(*config.Config).GetAPI()
+
+	organizationID := data.Get("organization_id").(string)
+
+	var alreadyEnabledDomains []*management.OrganizationDiscoveryDomain
+	var checkpoint string
+	for {
+		var opts []management.RequestOption
+		if checkpoint != "" {
+			opts = append(opts, management.From(checkpoint))
+		}
+		opts = append(opts, management.Take(100))
+
+		domainList, err := api.Organization.DiscoveryDomains(
+			ctx,
+			organizationID,
+			opts...,
+		)
+		if err != nil {
+			return diag.FromErr(internalError.HandleAPIError(data, err))
+		}
+
+		alreadyEnabledDomains = append(alreadyEnabledDomains, domainList.Domains...)
+
+		if !domainList.HasNext() {
+			break
+		}
+
+		checkpoint = domainList.Next
+	}
+
+	data.SetId(organizationID)
+
+	domainsToAdd := expandOrganizationDiscoveryDomains(data.GetRawConfig().GetAttr("discovery_domains"))
+
+	if diagnostics := guardAgainstErasingUnwantedDiscoveryDomains(
+		organizationID,
+		alreadyEnabledDomains,
+		domainsToAdd,
+	); diagnostics.HasError() {
+		data.SetId("")
+		return diagnostics
+	}
+
+	if len(domainsToAdd) > len(alreadyEnabledDomains) {
+		var result *multierror.Error
+
+		for _, domain := range domainsToAdd {
+			err := api.Organization.CreateDiscoveryDomain(ctx, organizationID, domain)
+			result = multierror.Append(result, err)
+		}
+
+		if result.ErrorOrNil() != nil {
+			return diag.FromErr(result.ErrorOrNil())
+		}
+	}
+
+	return readOrganizationDiscoveryDomains(ctx, data, meta)
+}
+
+func readOrganizationDiscoveryDomains(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := meta.(*config.Config).GetAPI()
+
+	var domains []*management.OrganizationDiscoveryDomain
+	var checkpoint string
+	for {
+		var opts []management.RequestOption
+		if checkpoint != "" {
+			opts = append(opts, management.From(checkpoint))
+		}
+		opts = append(opts, management.Take(100))
+
+		domainList, err := api.Organization.DiscoveryDomains(
+			ctx,
+			data.Id(),
+			opts...,
+		)
+		if err != nil {
+			return diag.FromErr(internalError.HandleAPIError(data, err))
+		}
+
+		domains = append(domains, domainList.Domains...)
+
+		if !domainList.HasNext() {
+			break
+		}
+
+		checkpoint = domainList.Next
+	}
+
+	result := multierror.Append(
+		data.Set("organization_id", data.Id()),
+		flattenOrganizationDiscoveryDomains(data, domains),
+	)
+
+	return diag.FromErr(result.ErrorOrNil())
+}
+
+func updateOrganizationDiscoveryDomains(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := meta.(*config.Config).GetAPI()
+
+	organizationID := data.Id()
+
+	// We are using the data from expandOrganizationDiscoveryDomains and not value.Difference to preserve the nilness of the data.
+	domains := expandOrganizationDiscoveryDomains(data.GetRawConfig().GetAttr("discovery_domains"))
+	domainMap := make(map[string]*management.OrganizationDiscoveryDomain)
+	for _, domain := range domains {
+		domainMap[domain.GetDomain()] = domain
+	}
+
+	toAdd, toRemove := value.Difference(data, "discovery_domains")
+	var result *multierror.Error
+
+	for _, rmDomain := range toRemove {
+		domain := rmDomain.(map[string]interface{})
+		domainID := domain["id"].(string)
+
+		err := api.Organization.DeleteDiscoveryDomain(ctx, organizationID, domainID)
+		if internalError.IsStatusNotFound(err) {
+			err = nil
+		}
+
+		result = multierror.Append(result, err)
+	}
+
+	for _, addDomain := range toAdd {
+		domain := addDomain.(map[string]interface{})
+		domainName := domain["domain"].(string)
+
+		err := api.Organization.CreateDiscoveryDomain(ctx, organizationID, domainMap[domainName])
+		result = multierror.Append(result, err)
+	}
+
+	if result.ErrorOrNil() != nil {
+		return diag.FromErr(result.ErrorOrNil())
+	}
+
+	return readOrganizationDiscoveryDomains(ctx, data, meta)
+}
+
+func deleteOrganizationDiscoveryDomains(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := meta.(*config.Config).GetAPI()
+
+	// Fetch all current discovery domains to get their IDs.
+	var domains []*management.OrganizationDiscoveryDomain
+	var checkpoint string
+	for {
+		var opts []management.RequestOption
+		if checkpoint != "" {
+			opts = append(opts, management.From(checkpoint))
+		}
+		opts = append(opts, management.Take(100))
+
+		domainList, err := api.Organization.DiscoveryDomains(
+			ctx,
+			data.Id(),
+			opts...,
+		)
+		if err != nil {
+			return diag.FromErr(internalError.HandleAPIError(data, err))
+		}
+
+		domains = append(domains, domainList.Domains...)
+
+		if !domainList.HasNext() {
+			break
+		}
+
+		checkpoint = domainList.Next
+	}
+
+	var result *multierror.Error
+
+	for _, domain := range domains {
+		err := api.Organization.DeleteDiscoveryDomain(ctx, data.Id(), domain.GetID())
+		if internalError.IsStatusNotFound(err) {
+			err = nil
+		}
+
+		result = multierror.Append(result, err)
+	}
+
+	return diag.FromErr(result.ErrorOrNil())
+}
+
+func guardAgainstErasingUnwantedDiscoveryDomains(
+	organizationID string,
+	alreadyEnabled []*management.OrganizationDiscoveryDomain,
+	desired []*management.OrganizationDiscoveryDomain,
+) diag.Diagnostics {
+	if len(alreadyEnabled) == 0 {
+		return nil
+	}
+
+	alreadyEnabledDomains := make([]string, 0)
+	for _, domain := range alreadyEnabled {
+		alreadyEnabledDomains = append(alreadyEnabledDomains, domain.GetDomain())
+	}
+
+	desiredDomains := make([]string, 0)
+	for _, domain := range desired {
+		desiredDomains = append(desiredDomains, domain.GetDomain())
+	}
+
+	if !cmp.Equal(alreadyEnabledDomains, desiredDomains) {
+		return diag.Diagnostics{
+			diag.Diagnostic{
+				Severity: diag.Error,
+				Summary:  "Organization with non empty enabled discovery domains",
+				Detail: fmt.Sprintf("Detected an organization (%s) with already enabled discovery domains. Import the "+
+					"auth0_organization_discovery_domains resource instead of creating it.", organizationID),
+			},
+		}
+	}
+
+	return nil
+}