resource/gitlab_group_access_token: support resource for Group Access Tokens. Closes #835

Closes #835

Author: timofurrer

docs/resources/group_access_token.md

@@ -0,0 +1,64 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "gitlab_group_access_token Resource - terraform-provider-gitlab"
+subcategory: ""
+description: |-
+  This resource allows you to create and manage Group Access Token for your GitLab Groups. (Introduced in GitLab 14.7)
+---
+
+# gitlab_group_access_token (Resource)
+
+This resource allows you to create and manage Group Access Token for your GitLab Groups. (Introduced in GitLab 14.7)
+
+## Example Usage
+
+```terraform
+resource "gitlab_group_access_token" "example" {
+  group        = "25"
+  name         = "Example project access token"
+  expires_at   = "2020-03-14"
+  access_level = "developer"
+
+  scopes = ["api"]
+}
+
+resource "gitlab_group_variable" "example" {
+  group = "25"
+  key   = "gat"
+  value = gitlab_group_access_token.example.token
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **group** (String) The ID or path of the group to add the group access token to.
+- **name** (String) The name of the group access token.
+- **scopes** (Set of String) The scope for the group access token. It determines the actions which can be performed when authenticating with this token. Valid values are: `api`, `read_api`, `read_registry`, `write_registry`, `read_repository`, `write_repository`.
+
+### Optional
+
+- **access_level** (String) The access level for the group access token. Valid values are: `guest`, `reporter`, `developer`, `maintainer`.
+- **expires_at** (String) The token expires at midnight UTC on that date. The date must be in the format YYYY-MM-DD. Default is never.
+- **id** (String) The ID of this resource.
+
+### Read-Only
+
+- **active** (Boolean) True if the token is active.
+- **created_at** (String) Time the token has been created, RFC3339 format.
+- **revoked** (Boolean) True if the token is revoked.
+- **token** (String, Sensitive) The group access token. This is only populated when creating a new group access token. This attribute is not available for imported resources.
+- **user_id** (Number) The user id associated to the token.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# A GitLab Group Access Token can be imported using a key composed of `<group-id>:<token-id>`, e.g.
+terraform import gitlab_group_access_token.example "12345:1"
+
+# ATTENTION: the `token` resource attribute is not available for imported resources as this information cannot be read from the GitLab API.
+```

examples/resources/gitlab_group_access_token/import.sh

@@ -0,0 +1,4 @@
+# A GitLab Group Access Token can be imported using a key composed of `<group-id>:<token-id>`, e.g.
+terraform import gitlab_group_access_token.example "12345:1"
+
+# ATTENTION: the `token` resource attribute is not available for imported resources as this information cannot be read from the GitLab API.

examples/resources/gitlab_group_access_token/resource.tf

@@ -0,0 +1,14 @@
+resource "gitlab_group_access_token" "example" {
+  group        = "25"
+  name         = "Example project access token"
+  expires_at   = "2020-03-14"
+  access_level = "developer"
+
+  scopes = ["api"]
+}
+
+resource "gitlab_group_variable" "example" {
+  group = "25"
+  key   = "gat"
+  value = gitlab_group_access_token.example.token
+}

internal/provider/resource_gitlab_group_access_token.go

@@ -0,0 +1,237 @@
+package provider
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"strconv"
+	"time"
+
+	"github.com/hashicorp/go-cty/cty"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	gitlab "github.com/xanzy/go-gitlab"
+)
+
+var validGroupAccessTokenScopes = []string{
+	"api",
+	"read_api",
+	"read_registry",
+	"write_registry",
+	"read_repository",
+	"write_repository",
+}
+var validAccessLevels = []string{
+	"guest",
+	"reporter",
+	"developer",
+	"maintainer",
+}
+
+var _ = registerResource("gitlab_group_access_token", func() *schema.Resource {
+	return &schema.Resource{
+		Description: "This resource allows you to create and manage Group Access Token for your GitLab Groups. (Introduced in GitLab 14.7)",
+
+		CreateContext: resourceGitlabGroupAccessTokenCreate,
+		ReadContext:   resourceGitlabGroupAccessTokenRead,
+		DeleteContext: resourceGitlabGroupAccessTokenDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"group": {
+				Description: "The ID or path of the group to add the group access token to.",
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+			},
+			"name": {
+				Description: "The name of the group access token.",
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+			},
+			"scopes": {
+				Description: fmt.Sprintf("The scope for the group access token. It determines the actions which can be performed when authenticating with this token. Valid values are: %s.", renderValueListForDocs(validGroupAccessTokenScopes)),
+				Type:        schema.TypeSet,
+				Required:    true,
+				ForceNew:    true,
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validation.StringInSlice(validGroupAccessTokenScopes, false),
+				},
+			},
+			"access_level": {
+				Description:      fmt.Sprintf("The access level for the group access token. Valid values are: %s.", renderValueListForDocs(validAccessLevels)),
+				Type:             schema.TypeString,
+				Optional:         true,
+				ForceNew:         true,
+				Default:          accessLevelValueToName[gitlab.MaintainerPermissions],
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice(validAccessLevels, false)),
+			},
+			"expires_at": {
+				Description: "The token expires at midnight UTC on that date. The date must be in the format YYYY-MM-DD. Default is never.",
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				ValidateDiagFunc: func(i interface{}, p cty.Path) diag.Diagnostics {
+					v := i.(string)
+
+					if _, err := time.Parse("2006-01-02", v); err != nil {
+						return diag.Errorf("expected %q to be a valid YYYY-MM-DD date, got %q: %+v", p, i, err)
+					}
+
+					return nil
+				},
+			},
+			"token": {
+				Description: "The group access token. This is only populated when creating a new group access token. This attribute is not available for imported resources.",
+				Type:        schema.TypeString,
+				Computed:    true,
+				Sensitive:   true,
+			},
+			"active": {
+				Description: "True if the token is active.",
+				Type:        schema.TypeBool,
+				Computed:    true,
+			},
+			"created_at": {
+				Description: "Time the token has been created, RFC3339 format.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+			"revoked": {
+				Description: "True if the token is revoked.",
+				Type:        schema.TypeBool,
+				Computed:    true,
+			},
+			"user_id": {
+				Description: "The user id associated to the token.",
+				Type:        schema.TypeInt,
+				Computed:    true,
+			},
+		},
+	}
+})
+
+func resourceGitlabGroupAccessTokenCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*gitlab.Client)
+
+	group := d.Get("group").(string)
+	options := &gitlab.CreateGroupAccessTokenOptions{
+		Name:   gitlab.String(d.Get("name").(string)),
+		Scopes: stringSetToStringSlice(d.Get("scopes").(*schema.Set)),
+	}
+	if v, ok := d.GetOk("access_level"); ok {
+		accessLevel := accessLevelNameToValue[v.(string)]
+		options.AccessLevel = &accessLevel
+	}
+
+	log.Printf("[DEBUG] create gitlab GroupAccessToken %s (scopes: %s, access_level: %v) for group ID %s", *options.Name, options.Scopes, options.AccessLevel, group)
+
+	if v, ok := d.GetOk("expires_at"); ok {
+		parsedExpiresAt, err := time.Parse("2006-01-02", v.(string))
+		if err != nil {
+			return diag.Errorf("Invalid expires_at date: %v", err)
+		}
+		parsedExpiresAtISOTime := gitlab.ISOTime(parsedExpiresAt)
+		options.ExpiresAt = &parsedExpiresAtISOTime
+		log.Printf("[DEBUG] create gitlab GroupAccessToken %s with expires_at %s for group ID %s", *options.Name, *options.ExpiresAt, group)
+	}
+
+	groupAccessToken, _, err := client.GroupAccessTokens.CreateGroupAccessToken(group, options, gitlab.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	log.Printf("[DEBUG] created gitlab GroupAccessToken %d - %s for group ID %s", groupAccessToken.ID, *options.Name, group)
+
+	tokenId := strconv.Itoa(groupAccessToken.ID)
+	d.SetId(buildTwoPartID(&group, &tokenId))
+	// NOTE: the token can only be read once after creating it
+	d.Set("token", groupAccessToken.Token)
+
+	return resourceGitlabGroupAccessTokenRead(ctx, d, meta)
+}
+
+func resourceGitlabGroupAccessTokenRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	group, tokenId, err := parseTwoPartID(d.Id())
+	if err != nil {
+		return diag.Errorf("Error parsing ID: %s", d.Id())
+	}
+
+	client := meta.(*gitlab.Client)
+
+	groupAccessTokenId, err := strconv.Atoi(tokenId)
+	if err != nil {
+		return diag.Errorf("%s cannot be converted to int", tokenId)
+	}
+
+	log.Printf("[DEBUG] read gitlab GroupAccessToken %d, group ID %s", groupAccessTokenId, group)
+
+	//there is a slight possibility to not find an existing item, for example
+	// 1. item is #101 (ie, in the 2nd page)
+	// 2. I load first page (ie. I don't find my target item)
+	// 3. A concurrent operation remove item 99 (ie, my target item shift to 1st page)
+	// 4. a concurrent operation add an item
+	// 5: I load 2nd page  (ie. I don't find my target item)
+	// 6. Total pages and total items properties are unchanged (from the perspective of the reader)
+
+	page := 1
+	for page != 0 {
+		groupAccessTokens, response, err := client.GroupAccessTokens.ListGroupAccessTokens(group, &gitlab.ListGroupAccessTokensOptions{Page: page, PerPage: 100}, gitlab.WithContext(ctx))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+
+		for _, groupAccessToken := range groupAccessTokens {
+			if groupAccessToken.ID == groupAccessTokenId {
+
+				d.Set("group", group)
+				d.Set("name", groupAccessToken.Name)
+				if groupAccessToken.ExpiresAt != nil {
+					d.Set("expires_at", groupAccessToken.ExpiresAt.String())
+				}
+				d.Set("active", groupAccessToken.Active)
+				d.Set("created_at", groupAccessToken.CreatedAt.Format(time.RFC3339))
+				d.Set("access_level", accessLevelValueToName[groupAccessToken.AccessLevel])
+				d.Set("revoked", groupAccessToken.Revoked)
+				d.Set("user_id", groupAccessToken.UserID)
+
+				err = d.Set("scopes", groupAccessToken.Scopes)
+				if err != nil {
+					return diag.FromErr(err)
+				}
+
+				return nil
+			}
+		}
+
+		page = response.NextPage
+	}
+
+	log.Printf("[DEBUG] failed to read gitlab GroupAccessToken %d, group ID %s", groupAccessTokenId, group)
+	d.SetId("")
+	return nil
+}
+
+func resourceGitlabGroupAccessTokenDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+
+	group, tokenId, err := parseTwoPartID(d.Id())
+	if err != nil {
+		return diag.Errorf("Error parsing ID: %s", d.Id())
+	}
+
+	client := meta.(*gitlab.Client)
+
+	groupAccessTokenId, err := strconv.Atoi(tokenId)
+	if err != nil {
+		return diag.Errorf("%s cannot be converted to int", tokenId)
+	}
+
+	log.Printf("[DEBUG] Delete gitlab GroupAccessToken %s", d.Id())
+	_, err = client.GroupAccessTokens.DeleteGroupAccessToken(group, groupAccessTokenId, gitlab.WithContext(ctx))
+	return diag.FromErr(err)
+}