Merge branch 'main' into feat/dataprotection-clustergroup

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole permissiontemplate'
 
 jobs:
   goreleaser:

.github/workflows/test.yml

@@ -3,7 +3,7 @@ name: Test and coverage
 on: [pull_request, push]
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole permissiontemplate'
 jobs:
   build:
     name: Test and coverage

Makefile

@@ -22,7 +22,7 @@ ifeq ($(TEST_FLAGS),)
 endif
 
 ifeq ($(BUILD_TAGS),)
-	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole permissiontemplate'
 endif
 
 .PHONY: build clean-up test gofmt vet lint acc-test website-lint website-lint-fix

docs/data-sources/akscluster.md

@@ -109,6 +109,7 @@ Optional:
 - `api_server_access_config` (Block List, Max: 1) API Server Access Config (see [below for nested schema](#nestedblock--spec--config--api_server_access_config))
 - `auto_upgrade_config` (Block List, Max: 1) Auto Upgrade Config (see [below for nested schema](#nestedblock--spec--config--auto_upgrade_config))
 - `disk_encryption_set` (String) Resource ID of the disk encryption set to use for enabling
+- `identity_config` (Block List, Max: 1) Managed Identity Config (see [below for nested schema](#nestedblock--spec--config--identity_config))
 - `linux_config` (Block List, Max: 1) Linux Config (see [below for nested schema](#nestedblock--spec--config--linux_config))
 - `node_resource_group_name` (String) Name of the resource group containing nodepools.
 - `sku` (Block List, Max: 1) Azure Kubernetes Service SKU (see [below for nested schema](#nestedblock--spec--config--sku))
@@ -212,6 +213,23 @@ Optional:
 - `upgrade_channel` (String) Upgrade Channel. Allowed values include: NONE, PATCH, STABLE, RAPID or NODE_IMAGE
 
 
+<a id="nestedblock--spec--config--identity_config"></a>
+### Nested Schema for `spec.config.identity_config`
+
+Optional:
+
+- `type` (String) Type of managed identity used by the cluster (default IDENTITY_TYPE_SYSTEM_ASSIGNED). Allowed values include: IDENTITY_TYPE_SYSTEM_ASSIGNED or IDENTITY_TYPE_USER_ASSIGNED
+- `user_assigned` (Block List, Max: 1) User Assigned Managed Identity Config (see [below for nested schema](#nestedblock--spec--config--identity_config--user_assigned))
+
+<a id="nestedblock--spec--config--identity_config--user_assigned"></a>
+### Nested Schema for `spec.config.identity_config.user_assigned`
+
+Required:
+
+- `resource_id` (String) The ARM resource ID of user assigned identity in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'
+
+
+
 <a id="nestedblock--spec--config--linux_config"></a>
 ### Nested Schema for `spec.config.linux_config`
 

docs/data-sources/ekscluster.md

@@ -48,10 +48,12 @@ data "tanzu-mission-control_ekscluster" "tf_eks_cluster" {
 - `meta` (Block List, Max: 1) Metadata for the resource (see [below for nested schema](#nestedblock--meta))
 - `ready_wait_timeout` (String) Wait timeout duration until cluster resource reaches READY state. Accepted timeout duration values like 5s, 45m, or 3h, higher than zero
 - `spec` (Block List, Max: 1) Spec for the cluster (see [below for nested schema](#nestedblock--spec))
+- `wait_for_kubeconfig` (Boolean) Wait until pinniped extension is ready to provide kubeconfig
 
 ### Read-Only
 
 - `id` (String) The ID of this resource.
+- `kubeconfig` (String) Kubeconfig for connecting to newly created cluster base64 encoded. This will only be returned if you have elected to wait for kubeconfig.
 - `status` (Map of String) Status of the cluster
 
 <a id="nestedblock--meta"></a>

docs/data-sources/inspection_results.md

@@ -0,0 +1,46 @@
+---
+Title: "Inspection Results Data Source"
+Description: |-
+    Get inspection results
+---
+
+# Inspection Results Data Source
+
+This data source enables users to get a specific cluster inspection results.
+
+## Example Usage
+
+```terraform
+data "tanzu-mission-control_inspection_results" "demo" {
+  management_cluster_name = "MGMT_CLS_NAME"
+  provisioner_name        = "PROVISIONER_NAME"
+  cluster_name            = "CLS_NAME"
+  name                    = "INSPECTION_NAME"
+}
+
+output "inspection_report" {
+  value = jsondecode(data.tanzu-mission-control_inspection_results.demo.status.report)
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cluster_name` (String) Cluster name.
+- `management_cluster_name` (String) Management cluster name.
+- `name` (String) Inspection name.
+- `provisioner_name` (String) Cluster provisioner name.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `status` (Map of String) Status of inspection resource
+
+## Status Field ##
+
+Status field is a key-value pair of type string-string and it contains the following keys:
+* phase - The phase which the inspection is in.
+* phase_info - Information about the phase.
+* report - JSON encoded string of the report data in the inspection.

docs/data-sources/inspections.md

@@ -0,0 +1,59 @@
+---
+Title: "Inspections Data Source"
+Description: |-
+    List cluster inspections
+---
+
+# Inspections Data Source
+
+This data source enables users to list cluster inspections.
+
+## Example Usage
+
+```terraform
+data "tanzu-mission-control_inspections" "demo" {
+   management_cluster_name = "MGMT_CLS_NAME"
+   provisioner_name        = "PROVISIONER_NAME"
+   cluster_name            = "CLS_NAME"
+ }
+
+ output "inspections" {
+   value = data.tanzu-mission-control_inspections.demo.inspections
+ }
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cluster_name` (String) Cluster name.
+- `management_cluster_name` (String) Management cluster name.
+- `provisioner_name` (String) Cluster provisioner name.
+
+### Optional
+
+- `name` (String) Inspection name.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `inspections` (List of Object) Inspection objects. (see [below for nested schema](#nestedatt--inspections))
+- `total_count` (String) Total count of inspections returned.
+
+<a id="nestedatt--inspections"></a>
+### Nested Schema for `inspections`
+
+Read-Only:
+
+- `cluster_name` (String)
+- `management_cluster_name` (String)
+- `name` (String)
+- `provisioner_name` (String)
+- `status` (Map of String)
+
+## Status Field ##
+
+Status field is a key-value pair of type string-string and it contains the following keys:
+* phase - The phase which the inspection is in.
+* phase_info - Information about the phase.

docs/data-sources/permission_template.md

@@ -0,0 +1,128 @@
+---
+Title: "Permission Template Data Source"
+Description: |-
+    Retrieves an AWS CloudFormation permission template for creating credentials.
+---
+
+# Permission Template Data Source
+
+This data source enables users get an AWS CloudFormation template for creating the necessary assets in AWS when creating TMC credentials.
+
+**NOTE**: Currently, only the 'AWS_EC2' and 'AWS_EKS' capabilities are supported in conjunction with the 'DATA_PROTECTION' and 'MANAGED_K8S_PROVIDER' providers.
+
+# Data Protection Permission Template
+
+## Example Usage
+
+```terraform
+locals {
+  credentials_name = "test-permission-template-data-protection-tf-111"
+  tanzu_capability = "DATA_PROTECTION"
+  tanzu_provider   = "AWS_EC2"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "data_protection_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.data_protection_permissions.template_values != null ? data.tanzu-mission-control_permission_template.data_protection_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.data_protection_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "data_protection_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}
+```
+
+# EKS Permission Template
+
+## Example Usage
+
+```terraform
+locals {
+  credentials_name = "test-permission-template-eks-tf-43"
+  tanzu_capability = "MANAGED_K8S_PROVIDER"
+  tanzu_provider   = "AWS_EKS"
+
+  stack_message  = split("\n", aws_cloudformation_stack.crendetials_permission_template.outputs.Message)
+  permission_arn = element(local.stack_message, length(local.stack_message) - 1)
+}
+
+
+data "tanzu-mission-control_permission_template" "eks_permissions" {
+  credentials_name = local.credentials_name
+  tanzu_capability = local.tanzu_capability
+  tanzu_provider   = local.tanzu_provider
+}
+
+
+resource "aws_cloudformation_stack" "crendetials_permission_template" {
+  name          = local.credentials_name
+  parameters    = data.tanzu-mission-control_permission_template.eks_permissions.template_values != null ? data.tanzu-mission-control_permission_template.eks_permissions.template_values : {}
+  template_body = base64decode(data.tanzu-mission-control_permission_template.eks_permissions.template)
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+}
+
+resource "tanzu-mission-control_credential" "aws_eks_cred" {
+  name = local.credentials_name
+
+  spec {
+    capability = local.tanzu_capability
+    provider   = local.tanzu_provider
+
+    data {
+      aws_credential {
+        iam_role {
+          arn = local.permission_arn
+        }
+      }
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `credentials_name` (String) The name of the credentials to get permission template for.
+- `tanzu_capability` (String) The Tanzu capability of the credentials.
+When tanzu_capability is set to 'DATA_PROTECTION' tanzu_provider must be set to 'AWS_EC2'.
+When tanzu_capability is set to 'MANAGED_K8S_PROVIDER' tanzu_provider must be set to 'AWS_EKS'.
+Valid values are: [DATA_PROTECTION MANAGED_K8S_PROVIDER]
+- `tanzu_provider` (String) The Tanzu provider of the credentials.
+When tanzu_provider is set to 'AWS_EC2' tanzu_capability must be set to 'DATA_PROTECTION'.
+When tanzu_provider is set to 'AWS_EKS' tanzu_capability must be set to 'MANAGED_K8S_PROVIDER'.
+Valid values are: [AWS_EC2 AWS_EKS]
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `template` (String) Base64 encoded permission template.
+- `template_url` (String) URL for permission template.
+- `template_values` (Map of String) Values to be sent as parameters for the template.
+- `undefined_template_values` (Map of String) Values which are not defined in the template parameters definition.

docs/guides/tanzu-mission-control_policy.md

@@ -275,3 +275,8 @@ resource "tanzu-mission-control_custom_policy" "cluster_group_scoped_tmc-block-r
 }
 ```
 
+## Custom Template and Custom Policy
+
+Template provides a declarative definition of a policy, which can be used to apply custom constraints on managed kubernetes resources.
+Custom policy consumes these declared custom templates to enforce specific policies. One must create the custom template before consuming it the custom policy.
+Please refer to custom policy template and custom policy terraform scripts within examples.

docs/resources/akscluster.md

@@ -130,6 +130,7 @@ Optional:
 - `api_server_access_config` (Block List, Max: 1) API Server Access Config (see [below for nested schema](#nestedblock--spec--config--api_server_access_config))
 - `auto_upgrade_config` (Block List, Max: 1) Auto Upgrade Config (see [below for nested schema](#nestedblock--spec--config--auto_upgrade_config))
 - `disk_encryption_set` (String) Resource ID of the disk encryption set to use for enabling
+- `identity_config` (Block List, Max: 1) Managed Identity Config (see [below for nested schema](#nestedblock--spec--config--identity_config))
 - `linux_config` (Block List, Max: 1) Linux Config (see [below for nested schema](#nestedblock--spec--config--linux_config))
 - `node_resource_group_name` (String) Name of the resource group containing nodepools.
 - `sku` (Block List, Max: 1) Azure Kubernetes Service SKU (see [below for nested schema](#nestedblock--spec--config--sku))
@@ -233,6 +234,23 @@ Optional:
 - `upgrade_channel` (String) Upgrade Channel. Allowed values include: NONE, PATCH, STABLE, RAPID or NODE_IMAGE
 
 
+<a id="nestedblock--spec--config--identity_config"></a>
+### Nested Schema for `spec.config.identity_config`
+
+Optional:
+
+- `type` (String) Type of managed identity used by the cluster (default IDENTITY_TYPE_SYSTEM_ASSIGNED). Allowed values include: IDENTITY_TYPE_SYSTEM_ASSIGNED or IDENTITY_TYPE_USER_ASSIGNED
+- `user_assigned` (Block List, Max: 1) User Assigned Managed Identity Config (see [below for nested schema](#nestedblock--spec--config--identity_config--user_assigned))
+
+<a id="nestedblock--spec--config--identity_config--user_assigned"></a>
+### Nested Schema for `spec.config.identity_config.user_assigned`
+
+Required:
+
+- `resource_id` (String) The ARM resource ID of user assigned identity in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'
+
+
+
 <a id="nestedblock--spec--config--linux_config"></a>
 ### Nested Schema for `spec.config.linux_config`