add connectivity rule support (#338)

* add connectivity rule support

* set cr on namespace

* Update cloud-sdk reference

* fixing

* adding namespace update with cr example

* fix tests

* address comments

* fixing null case for connectivity rule ids

* fixing test

* address code comments

* add validator more than 1

* add RemoveResource state back in Read

Author: alice-yin

Makefile

@@ -15,3 +15,5 @@ testacc:
 test-namespace-export-sink:
 	TF_ACC=1 go test ./internal/provider -run TestAccNamespaceExportSink_GCS -v $(TESTARGS) -timeout 120m
 
+test-connectivity-rule:
+	TF_ACC=1 go test ./internal/provider -run TestAccNamespaceWithCodecServer -v $(TESTARGS) -timeout 120m

docs/data-sources/user.md

@@ -0,0 +1,40 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "temporalcloud_user Data Source - terraform-provider-temporalcloud"
+subcategory: ""
+description: |-
+  Fetches details about a User.
+---
+
+# temporalcloud_user (Data Source)
+
+Fetches details about a User.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) The unique identifier of the User.
+
+### Optional
+
+- `namespace_accesses` (Attributes Set) The set of namespace permissions for this user, including each namespace and its role. (see [below for nested schema](#nestedatt--namespace_accesses))
+
+### Read-Only
+
+- `account_access` (String) The role on the account. Must be one of admin, developer, or read (case-insensitive).
+- `created_at` (String) The creation time of the User.
+- `email` (String) The email of the User.
+- `state` (String) The current state of the User.
+- `updated_at` (String) The last update time of the User.
+
+<a id="nestedatt--namespace_accesses"></a>
+### Nested Schema for `namespace_accesses`
+
+Read-Only:
+
+- `namespace_id` (String) The namespace to assign permissions to.
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive)

docs/data-sources/users.md

@@ -0,0 +1,45 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "temporalcloud_users Data Source - terraform-provider-temporalcloud"
+subcategory: ""
+description: |-
+  Fetches details about all Users.
+---
+
+# temporalcloud_users (Data Source)
+
+Fetches details about all Users.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `id` (String) The unique identifier of the Users data source.
+- `users` (Attributes List) The list of Users. (see [below for nested schema](#nestedatt--users))
+
+<a id="nestedatt--users"></a>
+### Nested Schema for `users`
+
+Optional:
+
+- `namespace_accesses` (Attributes Set) The set of namespace permissions for this user, including each namespace and its role. (see [below for nested schema](#nestedatt--users--namespace_accesses))
+
+Read-Only:
+
+- `account_access` (String) The role on the account. Must be one of admin, developer, or read (case-insensitive).
+- `created_at` (String) The creation time of the User.
+- `email` (String) The email of the User.
+- `id` (String) The unique identifier of the User.
+- `state` (String) The current state of the User.
+- `updated_at` (String) The last update time of the User.
+
+<a id="nestedatt--users--namespace_accesses"></a>
+### Nested Schema for `users.namespace_accesses`
+
+Read-Only:
+
+- `namespace_id` (String) The namespace to assign permissions to.
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive)

docs/resources/connectivity_rule.md

@@ -0,0 +1,39 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "temporalcloud_connectivity_rule Resource - terraform-provider-temporalcloud"
+subcategory: ""
+description: |-
+  Provisions a Temporal Cloud Connectivity Rule.
+---
+
+# temporalcloud_connectivity_rule (Resource)
+
+Provisions a Temporal Cloud Connectivity Rule.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `connectivity_type` (String) The type of connectivity. Must be one of 'public' or 'private'.
+
+### Optional
+
+- `connection_id` (String) The connection ID of the private connection.
+- `gcp_project_id` (String) The GCP project ID. Required when cloud_provider is 'gcp'.
+- `region` (String) The region of the connection. Example: 'aws-us-west-2'.
+- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-Only
+
+- `id` (String) The unique identifier of the Connectivity Rule.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+- `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.

docs/resources/namespace.md

@@ -130,6 +130,19 @@ resource "temporalcloud_namespace" "terraform3" {
     prevent_destroy = true
   }
 }
+
+// Attaching connectivity rules to a namespace
+resource "temporalcloud_namespace" "terraform4" {
+  name               = "terraform4"
+  regions            = ["aws-us-east-1"]
+  accepted_client_ca = base64encode(tls_self_signed_cert.ca.cert_pem)
+  retention_days     = 14
+  // This is a placeholder rule ID. Please create a connectivity rule first,
+  // then replace this value with the actual ID returned after creation.
+  connectivity_rule_ids = [
+    "0f806bg8-fe63-461c-81b3-17e3tcb0574b"
+  ]
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -147,6 +160,7 @@ resource "temporalcloud_namespace" "terraform3" {
 - `api_key_auth` (Boolean) If true, Temporal Cloud will enable API key authentication for this namespace.
 - `certificate_filters` (Attributes List) A list of filters to apply to client certificates when initiating a connection Temporal Cloud. If present, connections will only be allowed from client certificates whose distinguished name properties match at least one of the filters. Empty lists are not allowed, omit the attribute instead. (see [below for nested schema](#nestedatt--certificate_filters))
 - `codec_server` (Attributes) A codec server is used by the Temporal Cloud UI to decode payloads for all users interacting with this namespace, even if the workflow history itself is encrypted. (see [below for nested schema](#nestedatt--codec_server))
+- `connectivity_rule_ids` (List of String) The IDs of the connectivity rules for this namespace.
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 
 ### Read-Only

examples/resources/temporalcloud_connectivityrule/resource.tf

@@ -0,0 +1,32 @@
+terraform {
+  required_providers {
+    temporalcloud = {
+      source = "temporalio/temporalcloud"
+    }
+  }
+}
+
+provider "temporalcloud" {
+
+}
+
+// Create Public Connectivity Rule
+resource "temporalcloud_connectivity_rule" "public_rule" {
+  connectivity_type = "public"
+}
+
+// Create Private Connectivity Rule for AWS
+resource "temporalcloud_connectivity_rule" "private_aws" {
+  connectivity_type = "private"
+  connection_id     = "vpce-12345678"
+  region            = "aws-us-west-2"
+}
+
+// Create Private Connectivity Rule for GCP
+resource "temporalcloud_connectivity_rule" "private_gcp" {
+  connectivity_type = "private"
+  connection_id     = "vpce-12345678"
+  region            = "gcp-us-central1"
+  gcp_project_id    = "my-gcp-project-id"
+}
+

examples/resources/temporalcloud_namespace/resource.tf

@@ -109,3 +109,16 @@ resource "temporalcloud_namespace" "terraform3" {
     prevent_destroy = true
   }
 }
+
+// Attaching connectivity rules to a namespace
+resource "temporalcloud_namespace" "terraform4" {
+  name               = "terraform4"
+  regions            = ["aws-us-east-1"]
+  accepted_client_ca = base64encode(tls_self_signed_cert.ca.cert_pem)
+  retention_days     = 14
+  // This is a placeholder rule ID. Please create a connectivity rule first,
+  // then replace this value with the actual ID returned after creation.
+  connectivity_rule_ids = [
+    "0f806bg8-fe63-461c-81b3-17e3tcb0574b"
+  ]
+}

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/hashicorp/terraform-plugin-testing v1.13.1
 	github.com/jpillora/maplock v0.0.0-20160420012925-5c725ac6e22a
 	go.temporal.io/api v1.50.0
-	go.temporal.io/cloud-sdk v0.3.1
+	go.temporal.io/cloud-sdk v0.4.1
 	go.temporal.io/sdk v1.35.0
 	google.golang.org/grpc v1.73.0
 	google.golang.org/protobuf v1.36.6

go.sum

@@ -238,8 +238,8 @@ go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt
 go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.temporal.io/api v1.50.0 h1:7s8Cn+fKfNx9G0v2Ge9We6X2WiCA3JvJ9JryeNbx1Bc=
 go.temporal.io/api v1.50.0/go.mod h1:iaxoP/9OXMJcQkETTECfwYq4cw/bj4nwov8b3ZLVnXM=
-go.temporal.io/cloud-sdk v0.3.1 h1:yhS0XnPOnsu80opXIgFnihGU3tBeHHQA479GHUo/cv8=
-go.temporal.io/cloud-sdk v0.3.1/go.mod h1:AueDDyuayosk+zalfrnuftRqnRQTHwD0HYwNgEQc0YE=
+go.temporal.io/cloud-sdk v0.4.1 h1:hvf6Hqto+1lwlfpvSLOKO/0ATpoYC8Cfh1w0gjWo39A=
+go.temporal.io/cloud-sdk v0.4.1/go.mod h1:AueDDyuayosk+zalfrnuftRqnRQTHwD0HYwNgEQc0YE=
 go.temporal.io/sdk v1.35.0 h1:lRNAQ5As9rLgYa7HBvnmKyzxLcdElTuoFJ0FXM/AsLQ=
 go.temporal.io/sdk v1.35.0/go.mod h1:1q5MuLc2MEJ4lneZTHJzpVebW2oZnyxoIOWX3oFVebw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=