feat(gooddata-sdk): [AUTO] Add DeclarativeIpAllowlistPolicy schema to declarative org config

Author: yenkins-admin

packages/gooddata-sdk/src/gooddata_sdk/__init__.py

@@ -133,6 +133,9 @@
 from gooddata_sdk.catalog.organization.layout.export_template import (
     CatalogDeclarativeExportTemplate,
 )
+from gooddata_sdk.catalog.organization.layout.ip_allowlist_policy import (
+    CatalogDeclarativeIpAllowlistPolicy,
+)
 from gooddata_sdk.catalog.organization.layout.notification_channel import (
     CatalogDeclarativeNotificationChannel,
     CatalogWebhook,

packages/gooddata-sdk/src/gooddata_sdk/catalog/organization/layout/ip_allowlist_policy.py

@@ -0,0 +1,22 @@
+# (C) 2025 GoodData Corporation
+from __future__ import annotations
+
+import builtins
+
+from attrs import define, field
+from gooddata_api_client.model.declarative_ip_allowlist_policy import DeclarativeIpAllowlistPolicy
+
+from gooddata_sdk.catalog.base import Base
+from gooddata_sdk.catalog.identifier import CatalogDeclarativeUserGroupIdentifier, CatalogUserIdentifier
+
+
+@define(kw_only=True)
+class CatalogDeclarativeIpAllowlistPolicy(Base):
+    id: str
+    allowed_sources: list[str] = field(factory=list)
+    user_groups: list[CatalogDeclarativeUserGroupIdentifier] = field(factory=list)
+    users: list[CatalogUserIdentifier] = field(factory=list)
+
+    @staticmethod
+    def client_class() -> builtins.type[DeclarativeIpAllowlistPolicy]:
+        return DeclarativeIpAllowlistPolicy

packages/gooddata-sdk/src/gooddata_sdk/catalog/organization/service.py

@@ -31,6 +31,7 @@
 )
 from gooddata_sdk.catalog.organization.entity_model.setting import CatalogOrganizationSetting
 from gooddata_sdk.catalog.organization.layout.identity_provider import CatalogDeclarativeIdentityProvider
+from gooddata_sdk.catalog.organization.layout.ip_allowlist_policy import CatalogDeclarativeIpAllowlistPolicy
 from gooddata_sdk.catalog.organization.layout.notification_channel import CatalogDeclarativeNotificationChannel
 from gooddata_sdk.client import GoodDataApiClient
 from gooddata_sdk.utils import load_all_entities, load_all_entities_dict
@@ -742,3 +743,35 @@ def switch_active_identity_provider(self, identity_provider_id: str) -> None:
             )
         except Exception as e:
             raise ValueError(f"Error switching active identity provider: {str(e)}")
+
+    def get_declarative_ip_allowlist_policies(self) -> list[CatalogDeclarativeIpAllowlistPolicy]:
+        """Get all declarative IP allowlist policies for the current organization.
+
+        IP allowlist policies are returned as part of the full organization layout.
+
+        Returns:
+            list[CatalogDeclarativeIpAllowlistPolicy]:
+                List of declarative IP allowlist policies.
+        """
+        org_layout = self._layout_api.get_organization_layout(_check_return_type=False)
+        policies = getattr(org_layout, "ip_allowlist_policies", None) or []
+        return [CatalogDeclarativeIpAllowlistPolicy.from_api(policy) for policy in policies]
+
+    def put_declarative_ip_allowlist_policies(
+        self, ip_allowlist_policies: list[CatalogDeclarativeIpAllowlistPolicy]
+    ) -> None:
+        """Put declarative IP allowlist policies for the current organization.
+
+        Reads the full organization layout, replaces the ip_allowlist_policies field,
+        and writes the full layout back. All other organization settings are preserved.
+
+        Args:
+            ip_allowlist_policies (list[CatalogDeclarativeIpAllowlistPolicy]):
+                List of declarative IP allowlist policies to set.
+
+        Returns:
+            None
+        """
+        org_layout = self._layout_api.get_organization_layout(_check_return_type=False)
+        org_layout.ip_allowlist_policies = [policy.to_api() for policy in ip_allowlist_policies]
+        self._layout_api.set_organization_layout(org_layout, _check_return_type=False)

packages/gooddata-sdk/tests/catalog/test_catalog_organization.py

@@ -6,6 +6,7 @@
 from gooddata_api_client.exceptions import NotFoundException
 from gooddata_sdk import (
     CatalogCspDirective,
+    CatalogDeclarativeIpAllowlistPolicy,
     CatalogDeclarativeNotificationChannel,
     CatalogJwk,
     CatalogOrganization,
@@ -14,6 +15,7 @@
     CatalogWebhook,
     GoodDataSdk,
 )
+from gooddata_sdk.catalog.identifier import CatalogDeclarativeUserGroupIdentifier, CatalogUserIdentifier
 from tests_support.vcrpy_utils import get_vcr
 
 from .conftest import safe_delete
@@ -563,3 +565,36 @@ def test_layout_notification_channels(test_config, snapshot_notification_channel
 #         sdk.catalog_organization.put_declarative_identity_providers([])
 #         idps = sdk.catalog_organization.get_declarative_identity_providers()
 #         assert len(idps) == 0
+
+
+@gd_vcr.use_cassette(str(_fixtures_dir / "layout_ip_allowlist_policies.yaml"))
+def test_layout_ip_allowlist_policies(test_config):
+    sdk = GoodDataSdk.create(host_=test_config["host"], token_=test_config["token"])
+
+    original_policies = sdk.catalog_organization.get_declarative_ip_allowlist_policies()
+
+    new_policies = [
+        CatalogDeclarativeIpAllowlistPolicy(
+            id="admin-vpn-only",
+            allowed_sources=["203.0.113.10/32", "198.51.100.0/24"],
+            user_groups=[
+                CatalogDeclarativeUserGroupIdentifier(id="group.admins", type="userGroup"),
+            ],
+            users=[
+                CatalogUserIdentifier(id="employee123", type="user"),
+            ],
+        ),
+    ]
+
+    try:
+        sdk.catalog_organization.put_declarative_ip_allowlist_policies(new_policies)
+        result = sdk.catalog_organization.get_declarative_ip_allowlist_policies()
+        assert len(result) == 1
+        assert result[0].id == "admin-vpn-only"
+        assert result[0].allowed_sources == ["203.0.113.10/32", "198.51.100.0/24"]
+        assert len(result[0].user_groups) == 1
+        assert result[0].user_groups[0].id == "group.admins"
+        assert len(result[0].users) == 1
+        assert result[0].users[0].id == "employee123"
+    finally:
+        sdk.catalog_organization.put_declarative_ip_allowlist_policies(original_policies)