Merge pull request #70 from wallix/develop

Develop

Author: bsimonWallix

CHANGELOG.md

@@ -1,5 +1,13 @@
 # changelog
 
+## 0.14.5 (August 25, 2025)
+
+ENHANCEMENTS:
+
+- **resource/wallix-bastion_authorization**: added support for session sharing functionality with new
+  `authorize_session_sharing` (boolean) and `session_sharing_mode` (enum: "view_only", "view_control")
+  arguments, enabling users to configure session sharing permissions for authorizations.
+
 ## 0.14.4 (March 3, 2025)
 
 FEATURES:

bastion/resource_authorization.go

@@ -15,11 +15,13 @@ type jsonAuthorization struct {
 	ApprovalRequired           bool      `json:"approval_required"`
 	AuthorizePasswordRetrieval bool      `json:"authorize_password_retrieval"`
 	AuthorizeSessions          bool      `json:"authorize_sessions"`
+	AuthorizeSessionSharing    bool      `json:"authorize_session_sharing"`
 	IsCritical                 bool      `json:"is_critical"`
 	IsRecorded                 bool      `json:"is_recorded"`
 	ID                         string    `json:"id,omitempty"`
 	AuthorizationName          string    `json:"authorization_name"`
 	Description                string    `json:"description"`
+	SessionSharingMode         string    `json:"session_sharing_mode,omitempty"`
 	TargetGroup                string    `json:"target_group,omitempty"`
 	UserGroup                  string    `json:"user_group,omitempty"`
 	HasComment                 *bool     `json:"has_comment,omitempty"`
@@ -73,6 +75,25 @@ func resourceAuthorization() *schema.Resource {
 				RequiredWith: []string{"subprotocols"},
 				AtLeastOneOf: []string{"authorize_sessions", "authorize_password_retrieval"},
 			},
+			"authorize_session_sharing": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				RequiredWith: []string{"session_sharing_mode"},
+			},
+			"session_sharing_mode": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: func(val any, key string) ([]string, []error) {
+					v := val.(string)
+					var errs []error
+					if v != "" && v != "view_only" && v != "view_control" {
+						errs = append(errs, fmt.Errorf("%q must be either 'view_only' or 'view_control', got: %s", key, v))
+					}
+
+					return nil, errs
+				},
+				RequiredWith: []string{"authorize_session_sharing"},
+			},
 			"subprotocols": {
 				Type:     schema.TypeSet,
 				Optional: true,
@@ -337,7 +358,9 @@ func prepareAuthorizationJSON(d *schema.ResourceData, newResource bool) jsonAuth
 		AuthorizationName:          d.Get("authorization_name").(string),
 		AuthorizePasswordRetrieval: d.Get("authorize_password_retrieval").(bool),
 		AuthorizeSessions:          d.Get("authorize_sessions").(bool),
+		AuthorizeSessionSharing:    d.Get("authorize_session_sharing").(bool),
 		Description:                d.Get("description").(string),
+		SessionSharingMode:         d.Get("session_sharing_mode").(string),
 		ApprovalRequired:           d.Get("approval_required").(bool),
 		IsCritical:                 d.Get("is_critical").(bool),
 		IsRecorded:                 d.Get("is_recorded").(bool),
@@ -428,6 +451,12 @@ func fillAuthorization(d *schema.ResourceData, jsonData jsonAuthorization) {
 	if tfErr := d.Set("authorize_sessions", jsonData.AuthorizeSessions); tfErr != nil {
 		panic(tfErr)
 	}
+	if tfErr := d.Set("authorize_session_sharing", jsonData.AuthorizeSessionSharing); tfErr != nil {
+		panic(tfErr)
+	}
+	if tfErr := d.Set("session_sharing_mode", jsonData.SessionSharingMode); tfErr != nil {
+		panic(tfErr)
+	}
 	if tfErr := d.Set("subprotocols", jsonData.SubProtocols); tfErr != nil {
 		panic(tfErr)
 	}

bastion/resource_authorization_test.go

@@ -32,6 +32,41 @@ func TestAccResourceAuthorization_basic(t *testing.T) {
 	})
 }
 
+func TestAccResourceAuthorization_sessionSharing(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceAuthorizationSessionSharingViewOnly(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"wallix-bastion_authorization.testacc_Authorization_sharing",
+						"id"),
+					resource.TestCheckResourceAttr(
+						"wallix-bastion_authorization.testacc_Authorization_sharing",
+						"authorize_session_sharing", "true"),
+					resource.TestCheckResourceAttr(
+						"wallix-bastion_authorization.testacc_Authorization_sharing",
+						"session_sharing_mode", "view_only"),
+				),
+			},
+			{
+				Config: testAccResourceAuthorizationSessionSharingViewControl(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"wallix-bastion_authorization.testacc_Authorization_sharing",
+						"authorize_session_sharing", "true"),
+					resource.TestCheckResourceAttr(
+						"wallix-bastion_authorization.testacc_Authorization_sharing",
+						"session_sharing_mode", "view_control"),
+				),
+			},
+		},
+		PreventPostDestroyRefresh: true,
+	})
+}
+
 // nolint: lll, nolintlint
 func testAccResourceAuthorizationCreate() string {
 	return `
@@ -41,8 +76,22 @@ resource "wallix-bastion_authorization" "testacc_Authorization" {
   target_group       = wallix-bastion_targetgroup.testacc_Authorization.group_name
   authorize_sessions = true
   subprotocols = [
-    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_PRINTER", "RDP_COM_PORT", "RDP_DRIVE", "RDP_SMARTCARD", "RDP_CLIPBOARD_FILE", "RDP_AUDIO_OUTPUT",
-    "SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP", "SSH_SCP_DOWN", "SSH_X11", "SSH_DIRECT_TCPIP", "SSH_REVERSE_TCPIP", "SSH_AUTH_AGENT",
+    "RDP_CLIPBOARD_UP",
+    "RDP_CLIPBOARD_DOWN",
+    "RDP_PRINTER",
+    "RDP_COM_PORT",
+    "RDP_DRIVE",
+    "RDP_SMARTCARD",
+    "RDP_CLIPBOARD_FILE",
+    "RDP_AUDIO_OUTPUT",
+    "SSH_SHELL_SESSION",
+    "SSH_REMOTE_COMMAND",
+    "SSH_SCP_UP",
+    "SSH_SCP_DOWN",
+    "SSH_X11",
+    "SSH_DIRECT_TCPIP",
+    "SSH_REVERSE_TCPIP",
+    "SSH_AUTH_AGENT",
     "SFTP_SESSION",
     "RDP",
     "VNC",
@@ -51,10 +100,12 @@ resource "wallix-bastion_authorization" "testacc_Authorization" {
     "RAWTCPIP",
   ]
 }
+
 resource "wallix-bastion_usergroup" "testacc_Authorization" {
   group_name = "testacc_Authorization"
   timeframes = ["allthetime"]
 }
+
 resource "wallix-bastion_targetgroup" "testacc_Authorization" {
   group_name = "testacc_Authorization"
 }
@@ -70,9 +121,25 @@ resource "wallix-bastion_authorization" "testacc_Authorization" {
   target_group                 = wallix-bastion_targetgroup.testacc_Authorization.group_name
   authorize_password_retrieval = true
   authorize_sessions           = true
+  authorize_session_sharing    = true
+  session_sharing_mode         = "view_control"
   subprotocols = [
-    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_PRINTER", "RDP_COM_PORT", "RDP_DRIVE", "RDP_SMARTCARD", "RDP_CLIPBOARD_FILE", "RDP_AUDIO_OUTPUT",
-    "SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP", "SSH_SCP_DOWN", "SSH_X11", "SSH_DIRECT_TCPIP", "SSH_REVERSE_TCPIP", "SSH_AUTH_AGENT",
+    "RDP_CLIPBOARD_UP",
+    "RDP_CLIPBOARD_DOWN",
+    "RDP_PRINTER",
+    "RDP_COM_PORT",
+    "RDP_DRIVE",
+    "RDP_SMARTCARD",
+    "RDP_CLIPBOARD_FILE",
+    "RDP_AUDIO_OUTPUT",
+    "SSH_SHELL_SESSION",
+    "SSH_REMOTE_COMMAND",
+    "SSH_SCP_UP",
+    "SSH_SCP_DOWN",
+    "SSH_X11",
+    "SSH_DIRECT_TCPIP",
+    "SSH_REVERSE_TCPIP",
+    "SSH_AUTH_AGENT",
     "SFTP_SESSION",
     "RDP",
     "VNC",
@@ -93,16 +160,73 @@ resource "wallix-bastion_authorization" "testacc_Authorization" {
   mandatory_ticket  = true
   single_connection = true
 }
+
 resource "wallix-bastion_usergroup" "testacc_Authorization" {
   group_name = "testacc_Authorization"
   timeframes = ["allthetime"]
 }
+
 resource "wallix-bastion_usergroup" "testacc_Authorization2" {
   group_name = "testacc_Authorization2"
   timeframes = ["allthetime"]
 }
+
 resource "wallix-bastion_targetgroup" "testacc_Authorization" {
   group_name = "testacc_Authorization"
 }
 `
 }
+
+// nolint: lll, nolintlint
+func testAccResourceAuthorizationSessionSharingViewOnly() string {
+	return `
+resource "wallix-bastion_authorization" "testacc_Authorization_sharing" {
+  authorization_name        = "testacc_Authorization_sharing"
+  user_group                = wallix-bastion_usergroup.testacc_Authorization_sharing.group_name
+  target_group              = wallix-bastion_targetgroup.testacc_Authorization_sharing.group_name
+  authorize_sessions        = true
+  authorize_session_sharing = true
+  session_sharing_mode      = "view_only"
+  subprotocols = [
+    "RDP",
+    "SSH_SHELL_SESSION",
+  ]
+}
+
+resource "wallix-bastion_usergroup" "testacc_Authorization_sharing" {
+  group_name = "testacc_Authorization_sharing"
+  timeframes = ["allthetime"]
+}
+
+resource "wallix-bastion_targetgroup" "testacc_Authorization_sharing" {
+  group_name = "testacc_Authorization_sharing"
+}
+`
+}
+
+// nolint: lll, nolintlint
+func testAccResourceAuthorizationSessionSharingViewControl() string {
+	return `
+resource "wallix-bastion_authorization" "testacc_Authorization_sharing" {
+  authorization_name        = "testacc_Authorization_sharing"
+  user_group                = wallix-bastion_usergroup.testacc_Authorization_sharing.group_name
+  target_group              = wallix-bastion_targetgroup.testacc_Authorization_sharing.group_name
+  authorize_sessions        = true
+  authorize_session_sharing = true
+  session_sharing_mode      = "view_control"
+  subprotocols = [
+    "RDP",
+    "SSH_SHELL_SESSION",
+  ]
+}
+
+resource "wallix-bastion_usergroup" "testacc_Authorization_sharing" {
+  group_name = "testacc_Authorization_sharing"
+  timeframes = ["allthetime"]
+}
+
+resource "wallix-bastion_targetgroup" "testacc_Authorization_sharing" {
+  group_name = "testacc_Authorization_sharing"
+}
+`
+}

docs/resources/authorization.md

@@ -30,57 +30,62 @@ The following arguments are supported:
 
 -> **Note:** At least one of `authorize_password_retrieval` or `authorize_sessions` arguments is required.
 
-- **authorization_name** (Required, String)  
+- **authorization_name** (Required, String)
   The authorization name.
-- **user_group** (Required, String, Forces new resource)  
+- **user_group** (Required, String, Forces new resource)
   The user group.
-- **target_group** (Required, String, Force new resource)  
+- **target_group** (Required, String, Force new resource)
   The target group.
-- **description** (Optional, String)  
+- **description** (Optional, String)
   The authorization description.
-- **authorize_password_retrieval** (Optional, Boolean)  
+- **authorize_password_retrieval** (Optional, Boolean)
   Authorize password retrieval.
-- **authorize_sessions** (Optional, Boolean)  
+- **authorize_sessions** (Optional, Boolean)
   Authorize sessions via proxies.
   `subprotocols` need to be set.
-- **subprotocols** (Optional, List of String)  
-  The authorization subprotocols.  
-- **is_critical** (Optional, Boolean)  
+- **authorize_session_sharing** (Optional, Boolean)
+  Enable Session Sharing.
+- **session_sharing_mode** (Optional, String)
+  The Session Sharing Mode. Must be `view_only` or `view_control`
+  `authorize_session_sharing` need to be enabled.
+- **subprotocols** (Optional, List of String)
+  The authorization subprotocols.
+- **is_critical** (Optional, Boolean)
   Define if it's critical.
-- **is_recorded** (Optional, Boolean)  
+- **is_recorded** (Optional, Boolean)
   Define if it's recorded.
-- **approval_required** (Optional, Boolean)  
+- **approval_required** (Optional, Boolean)
   Approval is required to connect to targets.
   `approvers` need to be set.
-- **approvers** (Optional, List of String)  
-  The approvers user groups.  
+- **approvers** (Optional, List of String)
+  The approvers user groups.
   `approval_required` need to be set.
-- **active_quorum** (Optional, Number)  
+- **active_quorum** (Optional, Number)
   The quorum for active periods (-1: approval workflow with automatic approval,
-  0: no approval workflow (direct connection), > 0: quorum to reach).  
+  0: no approval workflow (direct connection), > 0: quorum to reach).
   Defaults to `-1`.
-- **inactive_quorum** (Optional, Number)  
+- **inactive_quorum** (Optional, Number)
   The quorum for inactive periods (-1: approval workflow with automatic approval,
-  0: no connection allowed, > 0: quorum to reach).  
+  0: no connection allowed, > 0: quorum to reach).
   Defaults to `-1`.
-- **approval_timeout** (Optional, Number)  
+- **approval_timeout** (Optional, Number)
   Set a timeout in minutes after which the approval will be automatically closed info connection has
   been initiated (i.e. the user won't be able to connect). 0: no timeout.
-- **has_comment** (Optional, Boolean)  
+- **has_comment** (Optional, Boolean)
   Comment is allowed in approval.
-- **has_ticket** (Optional, Boolean)  
+- **has_ticket** (Optional, Boolean)
   Ticket is allowed in approval.
-- **mandatory_comment** (Optional, Boolean)  
+- **mandatory_comment** (Optional, Boolean)
   Comment is mandatory in approval.
-- **mandatory_ticket** (Optional, Boolean)  
+- **mandatory_ticket** (Optional, Boolean)
   Ticket is mandatory in approval.
-- **single_connection** (Optional, Boolean)  
+- **single_connection** (Optional, Boolean)
   Limit to one single connection during the approval period (i.e. if the user disconnects, he will
   not be allowed to start a new session during the original requested time).
 
 ## Attribute Reference
 
-- **id** (String)  
+- **id** (String)
   Internal id of authorization in bastion.
 
 ## Import