Add support for the Permission Template

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole permissiontemplate'
 
 jobs:
   goreleaser:

.github/workflows/test.yml

@@ -3,7 +3,7 @@ name: Test and coverage
 on: [pull_request, push]
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole permissiontemplate'
 jobs:
   build:
     name: Test and coverage

Makefile

@@ -22,7 +22,7 @@ ifeq ($(TEST_FLAGS),)
 endif
 
 ifeq ($(BUILD_TAGS),)
-	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate'
+	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole permissiontemplate'
 endif
 
 .PHONY: build clean-up test gofmt vet lint acc-test website-lint website-lint-fix

docs/data-sources/permission_template.md

@@ -0,0 +1,128 @@
+---
+Title: "Permission Template Data Source"
+Description: |-
+    Retrieves an AWS CloudFormation permission template for creating credentials.
+---
+
+# Permission Template Data Source
+
+This data source enables users get an AWS CloudFormation template for creating the necessary assets in AWS when creating TMC credentials.
+
+**NOTE**: Currently, only the 'AWS_EC2' and 'AWS_EKS' capabilities are supported in conjunction with the 'DATA_PROTECTION' and 'MANAGED_K8S_PROVIDER' providers.
+
+# Data Protection Permission Template
+
+## Example Usage
+
+```terraform
+locals {
+  credentials_name = "test-permission-template-data-protection-tf-111"
+  tanzu_capability = "DATA_PROTECTION"
+  tanzu_provider   = "AWS_EC2"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "data_protection_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.data_protection_permissions.template_values != null ? data.tanzu-mission-control_permission_template.data_protection_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.data_protection_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "data_protection_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}
+```
+
+# EKS Permission Template
+
+## Example Usage
+
+```terraform
+locals {
+  credentials_name = "test-permission-template-eks-tf-43"
+  tanzu_capability = "MANAGED_K8S_PROVIDER"
+  tanzu_provider   = "AWS_EKS"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "eks_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.eks_permissions.template_values != null ? data.tanzu-mission-control_permission_template.eks_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.eks_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "aws_eks_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `credentials_name` (String) The name of the credentials to get permission template for.
+- `tanzu_capability` (String) The Tanzu capability of the credentials.
+When tanzu_capability is set to 'DATA_PROTECTION' tanzu_provider must be set to 'AWS_EC2'.
+When tanzu_capability is set to 'MANAGED_K8S_PROVIDER' tanzu_provider must be set to 'AWS_EKS'.
+Valid values are: [DATA_PROTECTION MANAGED_K8S_PROVIDER]
+- `tanzu_provider` (String) The Tanzu provider of the credentials.
+When tanzu_provider is set to 'AWS_EC2' tanzu_capability must be set to 'DATA_PROTECTION'.
+When tanzu_provider is set to 'AWS_EKS' tanzu_capability must be set to 'MANAGED_K8S_PROVIDER'.
+Valid values are: [AWS_EC2 AWS_EKS]
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `template` (String) Base64 encoded permission template.
+- `template_url` (String) URL for permission template.
+- `template_values` (Map of String) Values to be sent as parameters for the template.
+- `undefined_template_values` (Map of String) Values which are not defined in the template parameters definition.

docs/resources/custom_iam_role.md

@@ -0,0 +1,169 @@
+---
+Title: "Custom IAM Role Resource"
+Description: |-
+   Creating a custom IAM role.
+---
+
+# Custom IAM Role Resource
+
+This resource enables users to create custom IAM roles in TMC.
+
+For more information regarding custom roles, see [Custom Role][custom-role].
+
+[custom-role]: https://docs.vmware.com/en/VMware-Tanzu-Mission-Control/services/tanzumc-using/GUID-F314ED9E-2736-48CC-A1BB-CB9C32900B30.html
+
+## Example Usage
+
+```terraform
+resource "tanzu-mission-control_custom_iam_role" "demo-role" {
+  name = "tf-custom-role"
+
+  spec {
+    is_deprecated = false
+
+    aggregation_rule {
+      cluster_role_selector {
+        match_labels = {
+          key = "value"
+        }
+      }
+
+      cluster_role_selector {
+        match_expression {
+          key      = "aa"
+          operator = "Exists"
+          values   = ["aa", "bb", "cc"]
+        }
+      }
+    }
+
+    allowed_scopes = [
+      "ORGANIZATION",
+      "CLUSTER_GROUP",
+      "CLUSTER"
+    ]
+
+    tanzu_permissions = []
+
+    kubernetes_permissions {
+      rule {
+        resources  = ["deployments"]
+        verbs      = ["get", "list"]
+        api_groups = ["*"]
+      }
+
+      rule {
+        verbs      = ["get", "list"]
+        api_groups = ["*"]
+        url_paths  = ["/healthz"]
+      }
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the iam role
+- `spec` (Block List, Min: 1, Max: 1) Spec block of iam role (see [below for nested schema](#nestedblock--spec))
+
+### Optional
+
+- `meta` (Block List, Max: 1) Metadata for the resource (see [below for nested schema](#nestedblock--meta))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--spec"></a>
+### Nested Schema for `spec`
+
+Required:
+
+- `allowed_scopes` (List of String) The allowed scopes for the iam role.
+Valid values are (ORGANIZATION, MANAGEMENT_CLUSTER, PROVISIONER, CLUSTER_GROUP, CLUSTER, WORKSPACE, NAMESPACE)
+
+Optional:
+
+- `aggregation_rule` (Block List, Max: 1) Aggregation rules for the iam role. (see [below for nested schema](#nestedblock--spec--aggregation_rule))
+- `is_deprecated` (Boolean) Flag representing whether role is deprecated.
+- `kubernetes_permissions` (Block List, Max: 1) Kubernetes permissions for the iam role. (see [below for nested schema](#nestedblock--spec--kubernetes_permissions))
+- `tanzu_permissions` (List of String) Tanzu-specific permissions for the role.
+
+<a id="nestedblock--spec--aggregation_rule"></a>
+### Nested Schema for `spec.aggregation_rule`
+
+Required:
+
+- `cluster_role_selector` (Block List, Min: 1) Cluster role selector for the iam role. (see [below for nested schema](#nestedblock--spec--aggregation_rule--cluster_role_selector))
+
+<a id="nestedblock--spec--aggregation_rule--cluster_role_selector"></a>
+### Nested Schema for `spec.aggregation_rule.cluster_role_selector`
+
+Optional:
+
+- `match_expression` (Block List) List of label selector requirements.
+The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--aggregation_rule--cluster_role_selector--match_expression))
+- `match_labels` (Map of String) Map of {key,value} pairs.
+A single {key,value} in the match_labels map is equivalent to an element of match_expression, whose key field is "key", the operator is "In", and the values array contains only "value". 
+The requirements are ANDed.
+
+<a id="nestedblock--spec--aggregation_rule--cluster_role_selector--match_expression"></a>
+### Nested Schema for `spec.aggregation_rule.cluster_role_selector.match_expression`
+
+Required:
+
+- `key` (String) Key is the label key that the selector applies to.
+- `operator` (String) Operator represents a key's relationship to a set of values.
+Valid operators are "In", "NotIn", "Exists" and "DoesNotExist".
+
+Optional:
+
+- `values` (List of String) Values is an array of string values.
+If the operator is "In" or "NotIn", the values array must be non-empty.
+If the operator is "Exists" or "DoesNotExist", the values array must be empty.
+This array is replaced during a strategic merge patch.
+
+
+
+
+<a id="nestedblock--spec--kubernetes_permissions"></a>
+### Nested Schema for `spec.kubernetes_permissions`
+
+Required:
+
+- `rule` (Block List, Min: 1) Kubernetes rules. (see [below for nested schema](#nestedblock--spec--kubernetes_permissions--rule))
+
+<a id="nestedblock--spec--kubernetes_permissions--rule"></a>
+### Nested Schema for `spec.kubernetes_permissions.rule`
+
+Required:
+
+- `verbs` (List of String) Verbs.
+
+Optional:
+
+- `api_groups` (List of String) API groups.
+- `resource_names` (List of String) Restricts the rule to resources by name.
+- `resources` (List of String) Resources for the role.
+- `url_paths` (List of String) Non-resource urls for the role.
+
+
+
+
+<a id="nestedblock--meta"></a>
+### Nested Schema for `meta`
+
+Optional:
+
+- `annotations` (Map of String) Annotations for the resource
+- `description` (String) Description of the resource
+- `labels` (Map of String) Labels for the resource
+
+Read-Only:
+
+- `resource_version` (String) Resource version of the resource
+- `uid` (String) UID of the resource

examples/data-sources/permissiontemplate/example_usage_data_protection.tf

@@ -0,0 +1,40 @@
+locals {
+  credentials_name = "test-permission-template-data-protection-tf-111"
+  tanzu_capability = "DATA_PROTECTION"
+  tanzu_provider   = "AWS_EC2"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "data_protection_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.data_protection_permissions.template_values != null ? data.tanzu-mission-control_permission_template.data_protection_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.data_protection_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "data_protection_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}