feat(audit_trail): add new data source audit_trail_event

Author: estellesoulard

docs/data-sources/audit_trail_event.md

@@ -0,0 +1,79 @@
+---
+subcategory: "Audit Trail"
+page_title: "Scaleway: scaleway_audit_trail_event"
+---
+
+# scaleway_audit_trail_event
+
+Use this data source to get a list of existing Audit Trail events.
+For more information refer to the [Audit Trail API documentation](https://www.scaleway.com/en/developers/api/audit-trail/).
+
+## Example Usage
+
+```hcl
+# Retrieve all audit trail events on the default organization
+data "scaleway_audit_trail_event" "find_all" {
+  region = "fr-par"
+}
+
+# Retrieve audit trail events on a specific organization
+data "scaleway_audit_trail_event" "find_by_org" {
+  organization_id = "11111111-1111-1111-1111-111111111111"
+}
+
+# Retrieve audit trail events on a specific project
+data "scaleway_audit_trail_event" "find_by_project" {
+  region = "fr-par"
+  project_id = "11111111-1111-1111-1111-111111111111"
+}
+
+# Retrieve audit trail events for a specific type of resource
+data "scaleway_audit_trail_event" "find_by_resource_type" {
+  resource_type = "instance_server"
+}
+
+# Retrieve audit trail for a specific resource
+data "scaleway_audit_trail_event" "find_by_resource_id" {
+  resource_id = "11111111-1111-1111-1111-111111111111"
+}
+
+# Retrieve audit trail for a specific Scaleway product
+data "scaleway_audit_trail_event" "find_by_product_name" {
+  region = "nl-ams"
+  product_name = "secret-manager"
+}
+```
+
+## Argument Reference
+
+- `region` - (Optional) The [region](../guides/regions_and_zones.md#regions) you want to target. Defaults to the region specified in the [provider configuration](../index.md#region).
+- `organization_id` - (Optional. Defaults to [provider](../index.md#organization_id) `organization_id`) ID of the Organization containing the Audit Trail events.
+- `project_id` - (Optional) ID of the Project containing the Audit Trail events.
+- `resource_type` - (Optional) Type of the scaleway resources associated with the listed events. Possible values are: `secm_secret`, `secm_secret_version`, `kube_cluster`, `kube_pool`, `kube_node`, `kube_acl`, `keym_key`, `iam_user`, `iam_application`, `iam_group`, `iam_policy`, `iam_api_key`, `iam_ssh_key`, `iam_rule`, `iam_saml`, `iam_saml_certificate`, `secret_manager_secret`, `secret_manager_version`, `key_manager_key`, `account_user`, `account_organization`, `account_project`, `instance_server`, `instance_placement_group`, `instance_security_group`, `instance_volume`, `instance_snapshot`, `instance_image`, `apple_silicon_server`, `baremetal_server`, `baremetal_setting`, `ipam_ip`, `sbs_volume`, `sbs_snapshot`, `load_balancer_lb`, `load_balancer_ip`, `load_balancer_frontend`, `load_balancer_backend`, `load_balancer_route`, `load_balancer_acl`, `load_balancer_certificate`, `sfs_filesystem`, or `vpc_private_network`.
+- `resource_id` - (Optional) ID of the Scaleway resource associated with the listed events.
+- `product_name` - (Optional) Name of the Scaleway product in a hyphenated format.
+
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `events` - List of Audit Trail events matching the requested criteria.
+    - `id` - ID of the event. (UUID format)
+    - `recorded_at` - Timestamp of the event. (RFC 3339 format)
+    - `locality` - Locality of the resource attached to the event.
+    - `principal_id` - ID of the user or IAM application at the origin of the event.
+    - `organization_id` - ID of the Organization containing the Audit Trail events. (UUID format)
+    - `project_id` - Project of the resource attached to the event. (UUID format)
+    - `source_ip` - IP address at the origin of the event. (IP address)
+    - `user_agent` - User Agent at the origin of the event.
+    - `product_name` - Product name of the resource attached to the event.
+    - `service_name` - API name called to trigger the event.
+    - `method_name` - API method called to trigger the event.
+    - `resources` - List of resources attached to the event.
+        - `id` - ID of the resource attached to the event. (UUID format)
+        - `type` - Type of the Scaleway resource.
+    - `request_id` - Unique identifier of the request at the origin of the event. (UUID format)
+    - `request_body` - Request at the origin of the event.
+    - `status_code` - HTTP status code resulting of the API call.
+

internal/meta/errors.go

@@ -2,5 +2,8 @@ package meta
 
 import "errors"
 
-// ErrProjectIDNotFound is returned when no region can be detected
+// ErrProjectIDNotFound is returned when no project ID can be detected
 var ErrProjectIDNotFound = errors.New("could not detect project id")
+
+// ErrOrganizationIDNotFound is returned when no organization ID can be detected
+var ErrOrganizationIDNotFound = errors.New("could not detect organization id")

internal/meta/extractors.go

@@ -116,6 +116,24 @@ func ExtractProjectID(d terraformResourceData, m any) (projectID string, isDefau
 	return "", false, ErrProjectIDNotFound
 }
 
+// ExtractOrganizationID will try to guess the organization id from the following:
+//   - organization_id field of the resource data
+//   - default organization_id from config
+func ExtractOrganizationID(d terraformResourceData, m any) (organizationID string, err error) {
+	rawOrgID, exist := d.GetOk("organization_id")
+
+	if exist {
+		return rawOrgID.(string), nil
+	}
+
+	defaultOrgID, defaultOrgIDExists := m.(*Meta).ScwClient().GetDefaultOrganizationID()
+	if defaultOrgIDExists {
+		return defaultOrgID, nil
+	}
+
+	return "", ErrOrganizationIDNotFound
+}
+
 func ExtractScwClient(m any) *scw.Client {
 	return m.(*Meta).ScwClient()
 }

internal/services/audittrail/event_data_source.go

@@ -0,0 +1,246 @@
+package audittrail
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	audittrailSDK "github.com/scaleway/scaleway-sdk-go/api/audit_trail/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/verify"
+)
+
+func DataSourceEvent() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: DataSourceEventsRead,
+		Schema: map[string]*schema.Schema{
+			"organization_id": {
+				Type:             schema.TypeString,
+				Description:      "Organization containing the listed events",
+				Optional:         true,
+				ValidateDiagFunc: verify.IsUUID(),
+			},
+			"region": regional.Schema(),
+			"project_id": {
+				Type:             schema.TypeString,
+				Description:      "Project containing the listed events",
+				Optional:         true,
+				ValidateDiagFunc: verify.IsUUID(),
+			},
+			"resource_type": {
+				Type:             schema.TypeString,
+				Description:      "Type of the scaleway resources associated with the listed events",
+				Optional:         true,
+				ValidateDiagFunc: verify.ValidateEnum[audittrailSDK.ResourceType](),
+			},
+			"resource_id": {
+				Type:             schema.TypeString,
+				Description:      "ID of the Scaleway resource associated with the listed events",
+				Optional:         true,
+				ValidateDiagFunc: verify.IsUUID(),
+			},
+			"product_name": {
+				Type:        schema.TypeString,
+				Description: "Scaleway product associated with the listed events",
+				Optional:    true,
+			},
+			"events": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "List of Audit Trail events",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:        schema.TypeString,
+							Description: "ID of the event",
+							Computed:    true,
+						},
+						"recorded_at": {
+							Type:        schema.TypeString,
+							Description: "Timestamp of the event",
+							Computed:    true,
+						},
+						"locality": {
+							Type:        schema.TypeString,
+							Description: "Locality of the resource attached to the event",
+							Computed:    true,
+						},
+						"principal_id": {
+							Type:        schema.TypeString,
+							Description: "ID of the user or IAM application at the origin of the event",
+							Computed:    true,
+						},
+						"organization_id": {
+							Type:        schema.TypeString,
+							Description: "Organization of the resource attached to the event",
+							Computed:    true,
+						},
+						"project_id": {
+							Type:        schema.TypeString,
+							Description: "Project of the resource attached to the event",
+							Computed:    true,
+						},
+						"source_ip": {
+							Type:        schema.TypeString,
+							Description: "IP address at the origin of the event",
+							Computed:    true,
+						},
+						"user_agent": {
+							Type:        schema.TypeString,
+							Description: "User Agent at the origin of the event",
+							Computed:    true,
+						},
+						"product_name": {
+							Type:        schema.TypeString,
+							Description: "Product name of the resource attached to the event",
+							Computed:    true,
+						},
+						"service_name": {
+							Type:        schema.TypeString,
+							Description: "API name called to trigger the event",
+							Computed:    true,
+						},
+						"method_name": {
+							Type:        schema.TypeString,
+							Description: "API method called to trigger the event",
+							Computed:    true,
+						},
+						"resources": {
+							Type:        schema.TypeList,
+							Description: "List of resources attached to the event",
+							Computed:    true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"id": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "ID of the resource attached to the event",
+									},
+									"type": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: "Type of the Scaleway resource",
+									},
+								},
+							},
+						},
+						"request_id": {
+							Type:        schema.TypeString,
+							Description: "Unique identifier of the request at the origin of the event",
+							Computed:    true,
+						},
+						"request_body": {
+							Type:        schema.TypeString,
+							Description: "Request at the origin of the event",
+							Computed:    true,
+						},
+						"status_code": {
+							Type:        schema.TypeString,
+							Description: "HTTP status code resulting of the API call",
+							Computed:    true,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func DataSourceEventsRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+	auditTrailAPI, region, orgID, err := newAPIWithRegionAndOrgID(d, m)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	req := audittrailSDK.ListEventsRequest{
+		OrganizationID: orgID,
+		Region:         region,
+	}
+
+	if projectID, ok := d.GetOk("project_id"); ok {
+		req.ProjectID = types.ExpandStringPtr(projectID)
+	}
+
+	if resourceType, ok := d.GetOk("resource_type"); ok {
+		req.ResourceType = audittrailSDK.ResourceType(resourceType.(string))
+	}
+
+	if productName, ok := d.GetOk("product_name"); ok {
+		req.ProductName = types.ExpandStringPtr(productName)
+	}
+
+	if resourceID, ok := d.GetOk("resource_id"); ok {
+		req.ResourceID = types.ExpandStringPtr(resourceID)
+	}
+
+	res, err := auditTrailAPI.ListEvents(&req, scw.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(uuid.New().String())
+	_ = d.Set("organization_id", orgID)
+	_ = d.Set("region", region)
+
+	flattenedEvents, err := flattenEvents(res.Events)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	_ = d.Set("events", flattenedEvents)
+
+	return nil
+}
+
+func flattenEvents(events []*audittrailSDK.Event) ([]map[string]any, error) {
+	flattenedEvents := make([]map[string]any, len(events))
+	for i, event := range events {
+		var principalID string
+
+		if event.Principal != nil {
+			principalID = event.Principal.ID
+		}
+
+		requestBody, err := scw.EncodeJSONObject(*event.RequestBody, scw.NoEscape)
+
+		if err != nil {
+			return nil, err
+		}
+
+		flattenedEvents[i] = map[string]any{
+			"id":              event.ID,
+			"recorded_at":     event.RecordedAt.String(),
+			"locality":        event.Locality,
+			"principal_id":    principalID,
+			"organization_id": event.OrganizationID,
+			"project_id":      event.ProjectID,
+			"source_ip":       event.SourceIP.String(),
+			"user_agent":      event.UserAgent,
+			"product_name":    event.ProductName,
+			"service_name":    event.ServiceName,
+			"method_name":     event.MethodName,
+			"resources":       flattenResources(event.Resources),
+			"request_id":      event.RequestID,
+			"request_body":    requestBody,
+			"status_code":     fmt.Sprint(event.StatusCode),
+		}
+	}
+
+	return flattenedEvents, nil
+}
+
+func flattenResources(resources []*audittrailSDK.Resource) []map[string]any {
+	flattenedResources := make([]map[string]any, len(resources))
+	for i, r := range resources {
+		flattenedResources[i] = map[string]any{
+			"id":   r.ID,
+			"type": string(r.Type),
+		}
+	}
+
+	return flattenedResources
+}

internal/services/audittrail/helpers.go

@@ -0,0 +1,32 @@
+package audittrail
+
+import (
+	"fmt"
+	"slices"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	audittrailSDK "github.com/scaleway/scaleway-sdk-go/api/audit_trail/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/meta"
+)
+
+// newAPIWithRegionAndProjectID returns a new Audit Trail API, with region and projectID
+func newAPIWithRegionAndOrgID(d *schema.ResourceData, m any) (*audittrailSDK.API, scw.Region, string, error) {
+	api := audittrailSDK.NewAPI(meta.ExtractScwClient(m))
+
+	region, err := meta.ExtractRegion(d, m)
+	if err != nil {
+		return nil, "", "", err
+	}
+	// In audit trail sdk-go so far only fr-par and nl-ams are supported
+	if !slices.Contains(api.Regions(), region) {
+		return nil, "", "", fmt.Errorf("invalid api region, expected one of %s, got: %s", api.Regions(), region)
+	}
+
+	orgID, err := meta.ExtractOrganizationID(d, m)
+	if err != nil {
+		return nil, "", "", err
+	}
+
+	return api, region, orgID, nil
+}