Add RegistryAccount resource type

aidy · aidy · commit 37e7d7bc827e · 2024-11-13T11:33:44.000Z
Although registry accounts are just service accounts, they have
distinctly different behaviour to other service accounts: user/pass
rather than keys, and inability to rotate credentials.

Rather than trying to make the Service Account resource type handle both
cases, and have to have the user do conditional behaviour based on what
type of service account it is, I think it makes sense to just make a new
type of resource.
diff --git a/docs/resources/registry_account.md b/docs/resources/registry_account.md
@@ -0,0 +1,29 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "tlspc_registry_account Resource - tlspc"
+subcategory: ""
+description: |-
+  
+---
+
+# tlspc_registry_account (Resource)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `credential_lifetime` (Number)
+- `name` (String)
+- `owner` (String)
+- `scopes` (Set of String)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `oci_account_name` (String)
+- `oci_registry_token` (String, Sensitive)
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -84,6 +84,7 @@ func (p *tlspcProvider) Resources(ctx context.Context) []func() resource.Resourc
 	return []func() resource.Resource{
 		NewTeamResource,
 		NewServiceAccountResource,
+		NewRegistryAccountResource,
 	}
 }
 
diff --git a/internal/provider/registry_account_resource.go b/internal/provider/registry_account_resource.go
@@ -0,0 +1,226 @@
+// Copyright (c) Venafi, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package provider
+
+import (
+	"context"
+	"fmt"
+
+	"terraform-provider-tlspc/internal/tlspc"
+
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+var (
+	_ resource.Resource                = &registryAccountResource{}
+	_ resource.ResourceWithConfigure   = &registryAccountResource{}
+	_ resource.ResourceWithImportState = &registryAccountResource{}
+)
+
+type registryAccountResource struct {
+	client *tlspc.Client
+}
+
+func NewRegistryAccountResource() resource.Resource {
+	return &registryAccountResource{}
+}
+
+func (r *registryAccountResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_registry_account"
+}
+
+func (r *registryAccountResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Computed: true,
+			},
+			"name": schema.StringAttribute{
+				Required: true,
+			},
+			"owner": schema.StringAttribute{
+				Required: true,
+			},
+			"scopes": schema.SetAttribute{
+				Required:    true,
+				ElementType: types.StringType,
+			},
+			"oci_account_name": schema.StringAttribute{
+				Computed: true,
+			},
+			"oci_registry_token": schema.StringAttribute{
+				Computed:  true,
+				Sensitive: true,
+			},
+			"credential_lifetime": schema.Int32Attribute{
+				Required: true,
+			},
+		},
+	}
+}
+
+func (r *registryAccountResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+
+	client, ok := req.ProviderData.(*tlspc.Client)
+
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			fmt.Sprintf("Expected *tlspc.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+
+		return
+	}
+
+	r.client = client
+}
+
+type registryAccountResourceModel struct {
+	ID                 types.String   `tfsdk:"id"`
+	Name               types.String   `tfsdk:"name"`
+	Owner              types.String   `tfsdk:"owner"`
+	Scopes             []types.String `tfsdk:"scopes"`
+	OciAccountName     types.String   `tfsdk:"oci_account_name"`
+	OciRegistryToken   types.String   `tfsdk:"oci_registry_token"`
+	CredentialLifetime types.Int32    `tfsdk:"credential_lifetime"`
+}
+
+func (r *registryAccountResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan registryAccountResourceModel
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	scopes := []string{}
+	for _, v := range plan.Scopes {
+		scopes = append(scopes, v.ValueString())
+	}
+
+	registryAccount := tlspc.ServiceAccount{
+		Name:               plan.Name.ValueString(),
+		Owner:              plan.Owner.ValueString(),
+		Scopes:             scopes,
+		CredentialLifetime: plan.CredentialLifetime.ValueInt32(),
+		AuthenticationType: "ociToken",
+	}
+
+	created, err := r.client.CreateServiceAccount(registryAccount)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error creating registryAccount",
+			"Could not create registryAccount, unexpected error: "+err.Error(),
+		)
+		return
+	}
+	plan.ID = types.StringValue(created.ID)
+	plan.OciAccountName = types.StringValue(created.OciAccountName)
+	plan.OciRegistryToken = types.StringValue(created.OciRegistryToken)
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *registryAccountResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var state registryAccountResourceModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	sa, err := r.client.GetServiceAccount(state.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Reading Registry Account",
+			"Could not read registryaccount ID "+state.ID.ValueString()+": "+err.Error(),
+		)
+		return
+	}
+
+	state.ID = types.StringValue(sa.ID)
+	state.Name = types.StringValue(sa.Name)
+	state.Owner = types.StringValue(sa.Owner)
+
+	scopes := []types.String{}
+	for _, v := range sa.Scopes {
+		scopes = append(scopes, types.StringValue(v))
+	}
+	state.Scopes = scopes
+
+	diags = resp.State.Set(ctx, state)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *registryAccountResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var plan, state registryAccountResourceModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	diags = req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	scopes := []string{}
+	for _, v := range plan.Scopes {
+		scopes = append(scopes, v.ValueString())
+	}
+
+	registryAccount := tlspc.ServiceAccount{
+		ID:                 state.ID.ValueString(),
+		Name:               plan.Name.ValueString(),
+		Owner:              plan.Owner.ValueString(),
+		Scopes:             scopes,
+		CredentialLifetime: plan.CredentialLifetime.ValueInt32(),
+		AuthenticationType: "ociToken",
+	}
+
+	err := r.client.UpdateServiceAccount(registryAccount)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error updating registryAccount",
+			"Could not update registryAccount, unexpected error: "+err.Error(),
+		)
+		return
+	}
+	plan.ID = state.ID
+	plan.OciAccountName = state.OciAccountName
+	plan.OciRegistryToken = state.OciRegistryToken
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *registryAccountResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state registryAccountResourceModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	err := r.client.DeleteServiceAccount(state.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Deleting Service Account",
+			"Could not delete Service Account ID "+state.ID.ValueString()+": "+err.Error(),
+		)
+		return
+	}
+}
+
+func (r *registryAccountResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+	// Retrieve import ID and save to id attribute
+	resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+}
diff --git a/internal/tlspc/tlspc.go b/internal/tlspc/tlspc.go
@@ -292,6 +292,8 @@ type ServiceAccount struct {
 	CredentialLifetime int32    `json:"credentialLifetime"`
 	PublicKey          string   `json:"publicKey"`
 	AuthenticationType string   `json:"authenticationType"`
+	OciAccountName     string   `json:"ociAccountName"`
+	OciRegistryToken   string   `json:"ociRegistryToken"`
 }
 
 func (c *Client) CreateServiceAccount(sa ServiceAccount) (*ServiceAccount, error) {

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,7 @@ func (p *tlspcProvider) Resources(ctx context.Context) []func() resource.Resourc`
`84`	`84`	`return []func() resource.Resource{`
`85`	`85`	`NewTeamResource,`
`86`	`86`	`NewServiceAccountResource,`
	`87`	`+ NewRegistryAccountResource,`
`87`	`88`	`}`
`88`	`89`	`}`
`89`	`90`
Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,8 @@ type ServiceAccount struct {`
`292`	`292`	CredentialLifetime int32 `json:"credentialLifetime"`
`293`	`293`	PublicKey string `json:"publicKey"`
`294`	`294`	AuthenticationType string `json:"authenticationType"`
	`295`	+ OciAccountName string `json:"ociAccountName"`
	`296`	+ OciRegistryToken string `json:"ociRegistryToken"`
`295`	`297`	`}`
`296`	`298`
`297`	`299`	`func (c Client) CreateServiceAccount(sa ServiceAccount) (ServiceAccount, error) {`