add support for custom role in okta_group_role

docs/resources/group_role.md

@@ -15,6 +15,33 @@ resource "okta_group_role" "example" {
   group_id  = "<group id>"
   role_type = "READ_ONLY_ADMIN"
 }
+
+// Example for CUSTOM role
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource "okta_resource_set" "test" {
+  label       = "test"
+  description = "testing, testing"
+  resources = [
+    format("%s/api/v1/users", "https://tien-oie-2023-26-26.oktapreview.com"),
+  ]
+}
+
+resource "okta_admin_role_custom" "test" {
+  label       = "testt"
+  description = "testing, testing"
+  permissions = ["okta.apps.assignment.manage", "okta.users.manage", "okta.apps.manage"]
+}
+
+resource "okta_group_role" "test" {
+  group_id        = okta_group.test.id
+  role_id         = okta_admin_role_custom.test.id
+  resource_set_id = okta_resource_set.test.id
+  role_type       = "CUSTOM"
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -41,6 +68,8 @@ resource "okta_group_role" "example" {
 ### Optional
 
 - `disable_notifications` (Boolean) When this setting is enabled, the admins won't receive any of the default Okta administrator emails. These admins also won't have access to contact Okta Support and open support cases on behalf of your org.
+- `resource_set_id` (String) Resource Set ID. Required for role_type = `CUSTOM`
+- `role_id` (String) Role ID. Required for role_type = `CUSTOM`
 - `target_app_list` (Set of String) A list of app names (name represents set of app instances, like 'salesforce' or 'facebook'), or a combination of app name and app instance ID (like 'facebook.0oapsqQ6dv19pqyEo0g3') you would like as the targets of the admin role. - Only supported when used with the role type `APP_ADMIN`.
 - `target_group_list` (Set of String) A list of group IDs you would like as the targets of the admin role. - Only supported when used with the role types: `GROUP_MEMBERSHIP_ADMIN`, `HELP_DESK_ADMIN`, or `USER_ADMIN`.
 

examples/resources/okta_group_role/custom.tf

@@ -0,0 +1,25 @@
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource "okta_resource_set" "test" {
+  label       = "test"
+  description = "testing, testing"
+  resources = [
+    format("%s/api/v1/users", "https://tien-oie-2023-26-26.oktapreview.com"),
+  ]
+}
+
+resource "okta_admin_role_custom" "test" {
+  label       = "testt"
+  description = "testing, testing"
+  permissions = ["okta.apps.assignment.manage", "okta.users.manage", "okta.apps.manage"]
+}
+
+resource "okta_group_role" "test" {
+  group_id        = okta_group.test.id
+  role_id         = okta_admin_role_custom.test.id
+  resource_set_id = okta_resource_set.test.id
+  role_type       = "CUSTOM"
+}

examples/resources/okta_group_role/resource.tf

@@ -2,3 +2,30 @@ resource "okta_group_role" "example" {
   group_id  = "<group id>"
   role_type = "READ_ONLY_ADMIN"
 }
+
+// Example for CUSTOM role
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource "okta_resource_set" "test" {
+  label       = "test"
+  description = "testing, testing"
+  resources = [
+    format("%s/api/v1/users", "https://tien-oie-2023-26-26.oktapreview.com"),
+  ]
+}
+
+resource "okta_admin_role_custom" "test" {
+  label       = "testt"
+  description = "testing, testing"
+  permissions = ["okta.apps.assignment.manage", "okta.users.manage", "okta.apps.manage"]
+}
+
+resource "okta_group_role" "test" {
+  group_id        = okta_group.test.id
+  role_id         = okta_admin_role_custom.test.id
+  resource_set_id = okta_resource_set.test.id
+  role_type       = "CUSTOM"
+}

okta/resource_okta_group_role.go

@@ -96,6 +96,16 @@ func resourceGroupRole() *schema.Resource {
 				Description: "When this setting is enabled, the admins won't receive any of the default Okta administrator emails. These admins also won't have access to contact Okta Support and open support cases on behalf of your org.",
 				Default:     false,
 			},
+			"role_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Role ID. Required for role_type = `CUSTOM`",
+			},
+			"resource_set_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Resource Set ID. Required for role_type = `CUSTOM`",
+			},
 		},
 	}
 }
@@ -105,7 +115,14 @@ func resourceGroupRoleCreate(ctx context.Context, d *schema.ResourceData, m inte
 	roleType := d.Get("role_type").(string)
 	client := getOktaClientFromMetadata(m)
 	logger(m).Info("assigning role to group", "group_id", groupID, "role_type", roleType)
-	role, _, err := client.Group.AssignRoleToGroup(ctx, groupID, sdk.AssignRoleRequest{Type: roleType},
+	role, _, err := client.Group.AssignRoleToGroup(
+		ctx,
+		groupID,
+		sdk.AssignRoleRequest{
+			Type:        roleType,
+			Role:        d.Get("role_id").(string),
+			ResourceSet: d.Get("resource_set_id").(string),
+		},
 		&query.Params{DisableNotifications: boolPtr(d.Get("disable_notifications").(bool))})
 	if err != nil {
 		return diag.Errorf("failed to assign role %s to group %s: %v", roleType, groupID, err)

okta/resource_okta_group_role_test.go

@@ -59,3 +59,26 @@ func TestAccResourceOktaGroupAdminRole_crud(t *testing.T) {
 		},
 	})
 }
+
+func TestAccResourceOktaGroupCustomRole_crud(t *testing.T) {
+	resourceName := fmt.Sprintf("%s.test", groupRole)
+	mgr := newFixtureManager("resources", groupRole, t.Name())
+	config := mgr.GetFixtures("custom.tf", t)
+
+	oktaResourceTest(t, resource.TestCase{
+		PreCheck:          testAccPreCheck(t),
+		ErrorCheck:        testAccErrorChecks(t),
+		ProviderFactories: testAccProvidersFactories,
+		CheckDestroy:      checkResourceDestroy(group, doesGroupExist),
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "role_type", "CUSTOM"),
+					resource.TestCheckResourceAttrSet(resourceName, "role_id"),
+					resource.TestCheckResourceAttrSet(resourceName, "resource_set_id"),
+				),
+			},
+		},
+	})
+}

sdk/v2_assignRoleRequest.go

@@ -2,5 +2,7 @@
 package sdk
 
 type AssignRoleRequest struct {
-	Type string `json:"type,omitempty"`
+	Type        string `json:"type,omitempty"`
+	Role        string `json:"role,omitempty"`
+	ResourceSet string `json:"resource-set,omitempty"`
 }