feat: Add grafana_cloud_access_policy_rotating_token resource (#2390)

Author: volcanonoodle

docs/resources/cloud_access_policy_rotating_token.md

@@ -0,0 +1,91 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "grafana_cloud_access_policy_rotating_token Resource - terraform-provider-grafana"
+subcategory: "Cloud"
+description: |-
+  Official documentation https://grafana.com/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/API documentation https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-a-token
+  Required access policy scopes:
+  accesspolicies:readaccesspolicies:writeaccesspolicies:delete
+  This is similar to the grafana_cloud_access_policy_token resource, but it represents a token that will be rotated automatically over time.
+---
+
+# grafana_cloud_access_policy_rotating_token (Resource)
+
+* [Official documentation](https://grafana.com/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/)
+* [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-a-token)
+
+Required access policy scopes:
+
+* accesspolicies:read
+* accesspolicies:write
+* accesspolicies:delete
+
+This is similar to the grafana_cloud_access_policy_token resource, but it represents a token that will be rotated automatically over time.
+
+## Example Usage
+
+```terraform
+data "grafana_cloud_organization" "current" {
+  slug = "<your org slug>"
+}
+
+resource "grafana_cloud_access_policy" "test" {
+  region       = "prod-us-east-0"
+  name         = "my-policy"
+  display_name = "My Policy"
+
+  scopes = ["metrics:read", "logs:read"]
+
+  realm {
+    type       = "org"
+    identifier = data.grafana_cloud_organization.current.id
+
+    label_policy {
+      selector = "{namespace=\"default\"}"
+    }
+  }
+}
+
+resource "grafana_cloud_access_policy_rotating_token" "test" {
+  region                = "prod-us-east-0"
+  access_policy_id      = grafana_cloud_access_policy.test.policy_id
+  name_prefix           = "my-policy-rotating-token"
+  display_name          = "My Policy Rotating Token"
+  expire_after          = "30d"
+  early_rotation_window = "24h"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `access_policy_id` (String) ID of the access policy for which to create a token.
+- `early_rotation_window` (String) Duration of the window before expiring where the token can be rotated (e.g. '24h', '30m', '1h30m').
+- `expire_after` (String) Duration after which the token will expire (e.g. '24h', '30m', '1h30m').
+- `name_prefix` (String) Prefix for the name of the access policy token. The actual name will be stored in the computed field `name`, which will be in the format '<name_prefix>-<expiration_timestamp>'
+- `region` (String) Region of the access policy. Should be set to the same region as the access policy. Use the region list API to get the list of available regions: https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#list-regions.
+
+### Optional
+
+- `delete_on_destroy` (Boolean) Deletes the token in Grafana Cloud when the resource is destroyed in Terraform, instead of leaving it to expire at its `expires_at` time. Use it with `lifecycle { create_before_destroy = true }` to make sure that the new token is created before the old one is deleted. Defaults to `false`.
+- `display_name` (String) Display name of the access policy token. Defaults to the name.
+
+### Read-Only
+
+- `created_at` (String) Creation date of the access policy token.
+- `expires_at` (String) Expiration date of the access policy token.
+- `id` (String) The ID of this resource.
+- `name` (String) Name of the access policy token.
+- `ready_for_rotation` (Boolean) Signals that the token is either expired or within the period to be early rotated.
+- `token` (String, Sensitive)
+- `updated_at` (String) Last update date of the access policy token.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import grafana_cloud_access_policy_rotating_token.name "{{ region }}:{{ tokenId }}"
+```

examples/resources/grafana_cloud_access_policy_rotating_token/import.sh

@@ -0,0 +1 @@
+terraform import grafana_cloud_access_policy_rotating_token.name "{{ region }}:{{ tokenId }}"

examples/resources/grafana_cloud_access_policy_rotating_token/resource.tf

@@ -0,0 +1,29 @@
+data "grafana_cloud_organization" "current" {
+  slug = "<your org slug>"
+}
+
+resource "grafana_cloud_access_policy" "test" {
+  region       = "prod-us-east-0"
+  name         = "my-policy"
+  display_name = "My Policy"
+
+  scopes = ["metrics:read", "logs:read"]
+
+  realm {
+    type       = "org"
+    identifier = data.grafana_cloud_organization.current.id
+
+    label_policy {
+      selector = "{namespace=\"default\"}"
+    }
+  }
+}
+
+resource "grafana_cloud_access_policy_rotating_token" "test" {
+  region                = "prod-us-east-0"
+  access_policy_id      = grafana_cloud_access_policy.test.policy_id
+  name_prefix           = "my-policy-rotating-token"
+  display_name          = "My Policy Rotating Token"
+  expire_after          = "30d"
+  early_rotation_window = "24h"
+}

internal/resources/cloud/catalog-resource.yaml

@@ -27,6 +27,19 @@ spec:
 ---
 apiVersion: backstage.io/v1alpha1
 kind: Component
+metadata:
+  name: resource-grafana_cloud_access_policy_rotating_token
+  title: grafana_cloud_access_policy_rotating_token (resource)
+  description: |
+    resource `grafana_cloud_access_policy_rotating_token` in Grafana Labs' Terraform Provider
+spec:
+  subcomponentOf: component:default/terraform-provider-grafana
+  type: terraform-resource
+  owner: group:default/identity-squad
+  lifecycle: production
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
 metadata:
   name: resource-grafana_cloud_org_member
   title: grafana_cloud_org_member (resource)

internal/resources/cloud/common.go

@@ -3,14 +3,16 @@ package cloud
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/grafana/grafana-com-public-clients/go/gcom"
-	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
 )
 
 func ClientRequestID() string {
@@ -115,3 +117,11 @@ func (r *basePluginFrameworkResource) Configure(ctx context.Context, req resourc
 
 	r.client = client.GrafanaCloudAPI
 }
+
+// Now returns the current time.
+// It can be overridden in tests to provide a different time.
+var Now = time.Now
+
+type getter interface {
+	GetOk(key string) (interface{}, bool)
+}

internal/resources/cloud/data_source_cloud_access_policies_test.go

@@ -2,16 +2,16 @@ package cloud_test
 
 import (
 	"fmt"
-	"time"
-
 	"testing"
+	"time"
 
 	"github.com/grafana/grafana-com-public-clients/go/gcom"
-	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
-	"github.com/grafana/terraform-provider-grafana/v4/internal/testutils"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
+	"github.com/grafana/terraform-provider-grafana/v4/internal/testutils"
 )
 
 func TestDataSourceAccessPolicy_Basic(t *testing.T) {
@@ -30,7 +30,7 @@ func TestDataSourceAccessPolicy_Basic(t *testing.T) {
 		"datadog:validate",
 	}
 
-	accessPolicyConfig := testAccCloudAccessPolicyTokenConfigBasic(randomName, randomName+"display", "prod-us-east-0", scopes, expiresAt)
+	accessPolicyConfig := testAccCloudAccessPolicyTokenConfigBasic(randomName, randomName+"display", "prod-us-east-0", scopes, expiresAt, false)
 	setItemMatcher := func(s *terraform.State) error {
 		return resource.TestCheckTypeSetElemNestedAttrs("data.grafana_cloud_access_policies.test", "access_policies.*", map[string]string{
 			"id":           *policy.Id,