tf provider support for enable permission template capabilities

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner permissiontemplate'
 
 jobs:
   goreleaser:

.github/workflows/test.yml

@@ -3,7 +3,7 @@ name: Test and coverage
 on: [pull_request, push]
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner permissiontemplate'
 jobs:
   build:
     name: Test and coverage

Makefile

@@ -22,7 +22,7 @@ ifeq ($(TEST_FLAGS),)
 endif
 
 ifeq ($(BUILD_TAGS),)
-	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner permissiontemplate'
 endif
 
 .PHONY: build clean-up test gofmt vet lint acc-test website-lint website-lint-fix

docs/data-sources/permission_template.md

@@ -0,0 +1,128 @@
+---
+Title: "Permission Template Data Source"
+Description: |-
+    Retrieves an AWS CloudFormation permission template for creating credentials.
+---
+
+# Permission Template Data Source
+
+This data source enables users get an AWS CloudFormation template for creating the necessary assets in AWS when creating TMC credentials.
+
+**NOTE**: Currently, only the 'AWS_EC2' and 'AWS_EKS' capabilities are supported in conjunction with the 'DATA_PROTECTION' and 'MANAGED_K8S_PROVIDER' providers.
+
+# Data Protection Permission Template
+
+## Example Usage
+
+```terraform
+locals {
+  credentials_name = "test-permission-template-data-protection-tf-111"
+  tanzu_capability = "DATA_PROTECTION"
+  tanzu_provider   = "AWS_EC2"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "data_protection_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.eks_permissions.template_values != null ? data.tanzu-mission-control_permission_template.eks_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.eks_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "data_protection_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}
+```
+
+# EKS Permission Template
+
+## Example Usage
+
+```terraform
+locals {
+  credentials_name = "test-permission-template-eks-tf-43"
+  tanzu_capability = "MANAGED_K8S_PROVIDER"
+  tanzu_provider   = "AWS_EKS"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "eks_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.eks_permissions.template_values != null ? data.tanzu-mission-control_permission_template.eks_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.eks_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "aws_eks_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `credentials_name` (String) The name of the credentials to get permission template for.
+- `tanzu_capability` (String) The Tanzu capability of the credentials.
+When tanzu_capability is set to 'DATA_PROTECTION' tanzu_provider must be set to 'AWS_EC2'.
+When tanzu_capability is set to 'MANAGED_K8S_PROVIDER' tanzu_provider must be set to 'AWS_EKS'.
+Valid values are: [DATA_PROTECTION MANAGED_K8S_PROVIDER]
+- `tanzu_provider` (String) The Tanzu provider of the credentials.
+When tanzu_provider is set to 'AWS_EC2' tanzu_capability must be set to 'DATA_PROTECTION'.
+When tanzu_provider is set to 'AWS_EKS' tanzu_capability must be set to 'MANAGED_K8S_PROVIDER'.
+Valid values are: [AWS_EC2 AWS_EKS]
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `template` (String) Base64 encoded permission template.
+- `template_url` (String) URL for permission template.
+- `template_values` (Map of String) Values to be sent as parameters for the template.
+- `undefined_template_values` (Map of String) Values which are not defined in the template parameters definition.

examples/data-sources/permissiontemplate/example_usage_data_protection.tf

@@ -0,0 +1,40 @@
+locals {
+  credentials_name = "test-permission-template-data-protection-tf-111"
+  tanzu_capability = "DATA_PROTECTION"
+  tanzu_provider   = "AWS_EC2"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "data_protection_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.eks_permissions.template_values != null ? data.tanzu-mission-control_permission_template.eks_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.eks_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "data_protection_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}

examples/data-sources/permissiontemplate/example_usage_eks.tf

@@ -0,0 +1,40 @@
+locals {
+  credentials_name = "test-permission-template-eks-tf-43"
+  tanzu_capability = "MANAGED_K8S_PROVIDER"
+  tanzu_provider   = "AWS_EKS"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "eks_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.eks_permissions.template_values != null ? data.tanzu-mission-control_permission_template.eks_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.eks_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "aws_eks_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}

internal/client/http_client.go

@@ -51,6 +51,7 @@ import (
 	helmchartsorgclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/organization/helmcharts"
 	iamorganizationclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/organization/iam_policy"
 	policyorganizationclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/organization/policy"
+	permissiontemplateclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/permissiontemplate"
 	provisionerclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/provisioner"
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/proxy"
 	tanzukubernetesclusterclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/tanzukubernetescluster"
@@ -144,6 +145,7 @@ func newHTTPClient(httpClient *transport.Client) *TanzuMissionControl {
 		ClusterClassResourceService:                   clusterclassclient.New(httpClient),
 		TanzuKubernetesClusterResourceService:         tanzukubernetesclusterclient.New(httpClient),
 		ProvisionerResourceService:                    provisionerclient.New(httpClient),
+		PermissionTemplateService:                     permissiontemplateclient.New(httpClient),
 	}
 }
 
@@ -202,4 +204,5 @@ type TanzuMissionControl struct {
 	ClusterClassResourceService                   clusterclassclient.ClientService
 	TanzuKubernetesClusterResourceService         tanzukubernetesclusterclient.ClientService
 	ProvisionerResourceService                    provisionerclient.ClientService
+	PermissionTemplateService                     permissiontemplateclient.ClientService
 }

internal/client/permissiontemplate/permission_template_resource.go

@@ -0,0 +1,79 @@
+/*
+Copyright © 2023 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+*/
+
+package permissiontemplateclient
+
+import (
+	"net/url"
+
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/transport"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/helper"
+	credentialsmodels "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/credential"
+	permissiontemplatemodels "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/permissiontemplate"
+)
+
+const (
+	// API Paths.
+	apiPath = "v1alpha1/account/credentials:permissiontemplate"
+
+	// Query Params.
+	capabilityQueryParam = "capability"
+	providerQueryParam   = "provider"
+)
+
+// New creates a new permission template resource service API client.
+func New(transport *transport.Client) ClientService {
+	return &Client{Client: transport}
+}
+
+/*
+Client for permission template resource service API.
+*/
+type Client struct {
+	*transport.Client
+}
+
+// ClientService is the interface for Client methods.
+type ClientService interface {
+	PermissionTemplateResourceServiceGenerate(request *permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateRequest) (*permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateResponse, error)
+
+	PermissionTemplateResourceServiceGet(request *permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateRequest) (*permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateResponse, error)
+}
+
+/*
+PermissionTemplateResourceServiceGenerate generates a permission template.
+*/
+func (c *Client) PermissionTemplateResourceServiceGenerate(request *permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateRequest) (*permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateResponse, error) {
+	response := &permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateResponse{}
+	err := c.Create(apiPath, request, response)
+
+	return response, err
+}
+
+/*
+PermissionTemplateResourceServiceGet gets an existing permission template.
+*/
+func (c *Client) PermissionTemplateResourceServiceGet(request *permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateRequest) (*permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateResponse, error) {
+	response := &permissiontemplatemodels.VmwareTanzuManageV1alpha1AccountCredentialPermissionTemplateResponse{}
+	requestURL := helper.ConstructRequestURL(apiPath, request.FullName.Name)
+
+	queryParams := url.Values{}
+
+	if request.Capability != "" {
+		queryParams.Add(capabilityQueryParam, request.Capability)
+	}
+
+	if *request.Provider != credentialsmodels.VmwareTanzuManageV1alpha1AccountCredentialProviderPROVIDERUNSPECIFIED {
+		queryParams.Add(providerQueryParam, string(*request.Provider))
+	}
+
+	if len(queryParams) > 0 {
+		requestURL = requestURL.AppendQueryParams(queryParams)
+	}
+
+	err := c.Get(requestURL.String(), response)
+
+	return response, err
+}