cloud_connection terraform provider (#94)

JohnBlackwell · maciaszczykm · web-flow · commit 1af2b1c77be3 · 2025-07-01T13:28:55.000-04:00
Co-authored-by: Marcin Maciaszczyk &lt;marcin9yk@icloud.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,4 @@ example/**/.terraform/
 example/**/.terraform.lock.hcl
 example/**/terraform.tfstate*
 example/**/terraform.tfplan
+example/**/terraform.tfvars
diff --git a/example/cloudconnection/main.tf b/example/cloudconnection/main.tf
@@ -0,0 +1,98 @@
+terraform {
+  required_providers {
+    plural = {
+      source  = "pluralsh/plural"
+      version = "0.2.25"
+    }
+  }
+}
+
+provider "plural" {
+  use_cli = true
+}
+
+###############################################################################
+# (Optional) Input variables – move to variables.tf if you prefer
+###############################################################################
+
+variable "aws_access_key_id" {
+  type      = string
+  sensitive = true
+}
+
+variable "aws_secret_access_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "aws_region" {
+  type    = string
+  default = "us-east-1"
+}
+
+data "plural_user" "john" {
+  email = "john@plural.sh"
+}
+
+data "plural_user" "john_doe" {
+  email = "marcin@plural.sh"
+}
+
+###############################################################################
+# Resources
+###############################################################################
+
+# Group that will get read access to the cloud connection
+resource "plural_group" "cloud_admins" {
+  name        = "cloud-admins"
+  description = "Group with access to cloud connections"
+}
+
+# Cloud-connection resource (AWS example)
+resource "plural_cloud_connection" "aws" {
+  name           = "your-connection-name"
+  cloud_provider = "AWS"
+
+  configuration = {
+    aws = {
+      access_key_id     = var.aws_access_key_id
+      secret_access_key = var.aws_secret_access_key
+      region            = var.aws_region
+    }
+  }
+
+  read_bindings = [
+    {
+      id      = "1122"
+      user_id = data.plural_user.john.id
+    },
+    {
+      id      = "2233"
+      group_id = plural_group.cloud_admins.id
+    },
+    {
+      id      = "4444"
+      group_id = plural_group.cloud_admins.id
+    }
+  ]
+}
+
+###############################################################################
+# Outputs
+###############################################################################
+
+output "cloud_connection_id" {
+  value       = plural_cloud_connection.aws.id
+  description = "ID of the created cloud connection"
+}
+
+output "cloud_connection_details" {
+  value       = plural_cloud_connection.aws
+  description = "All attributes of the cloud connection"
+  sensitive   = true
+}
+
+output "group_id" {
+  value       = plural_group.cloud_admins.id
+  description = "ID of the created group"
+}
diff --git a/internal/common/bindings.go b/internal/common/bindings.go
@@ -6,7 +6,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
-	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	console "github.com/pluralsh/console/go/client"
 )
 
@@ -86,7 +85,36 @@ func bindingsFrom(bindings []*console.PolicyBindingFragment, config types.Set, c
 		d.Append(diags...)
 	}
 
-	setValue, diags := types.SetValue(basetypes.ObjectType{AttrTypes: PolicyBindingAttrTypes}, values)
+	setValue, diags := types.SetValue(types.ObjectType{AttrTypes: PolicyBindingAttrTypes}, values)
+	d.Append(diags...)
+	return setValue
+}
+
+func BindingsFromReadOnly(bindings []*console.PolicyBindingFragment, ctx context.Context, d *diag.Diagnostics) types.Set {
+	if len(bindings) == 0 {
+		return types.SetNull(types.ObjectType{AttrTypes: PolicyBindingAttrTypes})
+	}
+
+	values := make([]attr.Value, len(bindings))
+	for i, binding := range bindings {
+		value := PolicyBinding{
+			ID: types.StringPointerValue(binding.ID),
+		}
+
+		if binding.User != nil {
+			value.UserID = types.StringValue(binding.User.ID)
+		}
+
+		if binding.Group != nil {
+			value.GroupID = types.StringValue(binding.Group.ID)
+		}
+
+		objValue, diags := types.ObjectValueFrom(ctx, PolicyBindingAttrTypes, value)
+		values[i] = objValue
+		d.Append(diags...)
+	}
+
+	setValue, diags := types.SetValue(types.ObjectType{AttrTypes: PolicyBindingAttrTypes}, values)
 	d.Append(diags...)
 	return setValue
 }
diff --git a/internal/datasource/cloud_connection.go b/internal/datasource/cloud_connection.go
@@ -0,0 +1,109 @@
+package datasource
+
+import (
+	"context"
+	"fmt"
+
+	"terraform-provider-plural/internal/client"
+	"terraform-provider-plural/internal/common"
+	"terraform-provider-plural/internal/model"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+func NewCloudConnectionDataSource() datasource.DataSource {
+	return &cloudConnectionDataSource{}
+}
+
+type cloudConnectionDataSource struct {
+	client *client.Client
+}
+
+func (d *cloudConnectionDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_cloud_connection"
+}
+
+func (d *cloudConnectionDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Description:         "Internal identifier of this cloud connection",
+				MarkdownDescription: "Internal identifier of this cloud connection",
+				Optional:            true,
+				Computed:            true,
+				Validators:          []validator.String{stringvalidator.ExactlyOneOf(path.MatchRoot("name"))},
+			},
+			"name": schema.StringAttribute{
+				Description:         "Human-readable name of this cloud connection.",
+				MarkdownDescription: "Human-readable name of this cloud connection.",
+				Optional:            true,
+				Computed:            true,
+				Validators:          []validator.String{stringvalidator.ExactlyOneOf(path.MatchRoot("id"))},
+			},
+			"cloud_provider": schema.StringAttribute{
+				Description:         "The cloud provider of this cloud connection.",
+				MarkdownDescription: "The cloud provider of this cloud connection.",
+				Required:            true,
+				Validators:          []validator.String{stringvalidator.OneOf("AWS", "GCP", "AZURE")},
+			},
+			"configuration": schema.SingleNestedAttribute{
+				Description:         "Cloud provider configuration",
+				MarkdownDescription: "Cloud provider configuration",
+				Required:            true,
+			},
+			"read_bindings": schema.SetAttribute{
+				Description:         "The read bindings for this cloud connection.",
+				MarkdownDescription: "The read bindings for this cloud connection.",
+				Optional:            true,
+				ElementType:         types.ObjectType{AttrTypes: common.PolicyBindingAttrTypes},
+			},
+		},
+	}
+}
+
+func (d *cloudConnectionDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+
+	data, ok := req.ProviderData.(*common.ProviderData)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Cloud Connection Resource Configure Type",
+			fmt.Sprintf("Expected *common.ProviderData, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	d.client = data.Client
+}
+
+func (d *cloudConnectionDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+	data := new(model.CloudConnection)
+	resp.Diagnostics.Append(req.Config.Get(ctx, data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if data.Id.IsNull() && data.Name.IsNull() {
+		resp.Diagnostics.AddError(
+			"Missing Cloud Connection ID and Name",
+			"The provider could not read cloud connection data. ID or name needs to be specified.",
+		)
+		return
+	}
+
+	response, err := d.client.GetCloudConnection(ctx, data.Id.ValueStringPointer(), data.Name.ValueStringPointer())
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to read cloud connection, got error: %s", err))
+		return
+	}
+
+	data.From(response.CloudConnection, ctx, &resp.Diagnostics)
+	resp.Diagnostics.Append(resp.State.Set(ctx, data)...)
+}
diff --git a/internal/model/cloud_connection.go b/internal/model/cloud_connection.go
@@ -0,0 +1,104 @@
+package model
+
+import (
+	"context"
+
+	"terraform-provider-plural/internal/common"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	console "github.com/pluralsh/console/go/client"
+)
+
+type CloudConnection struct {
+	Id            types.String                  `tfsdk:"id"`
+	Name          types.String                  `tfsdk:"name"`
+	CloudProvider types.String                  `tfsdk:"cloud_provider"`
+	Configuration *CloudConnectionConfiguration `tfsdk:"configuration"`
+	ReadBindings  types.Set                     `tfsdk:"read_bindings"`
+}
+
+type CloudConnectionConfiguration struct {
+	AWS   *AwsCloudConnectionAttributes   `tfsdk:"aws"`
+	GCP   *GcpCloudConnectionAttributes   `tfsdk:"gcp"`
+	Azure *AzureCloudConnectionAttributes `tfsdk:"azure"`
+}
+
+func (c *CloudConnectionConfiguration) Attributes() *console.CloudConnectionConfigurationAttributes {
+	if c == nil {
+		return nil
+	}
+
+	if c.AWS != nil {
+		return &console.CloudConnectionConfigurationAttributes{AWS: c.AWS.Attributes()}
+	}
+
+	if c.Azure != nil {
+		return &console.CloudConnectionConfigurationAttributes{Azure: c.Azure.Attributes()}
+	}
+
+	if c.GCP != nil {
+		return &console.CloudConnectionConfigurationAttributes{GCP: c.GCP.Attributes()}
+	}
+
+	return nil
+}
+
+type AwsCloudConnectionAttributes struct {
+	AccessKeyID     types.String `tfsdk:"access_key_id"`
+	SecretAccessKey types.String `tfsdk:"secret_access_key"`
+	Region          types.String `tfsdk:"region"`
+}
+
+func (c *AwsCloudConnectionAttributes) Attributes() *console.AWSCloudConnectionAttributes {
+	return &console.AWSCloudConnectionAttributes{
+		AccessKeyID:     c.AccessKeyID.ValueString(),
+		SecretAccessKey: c.SecretAccessKey.ValueString(),
+		Region:          c.Region.ValueString(),
+	}
+}
+
+type GcpCloudConnectionAttributes struct {
+	ServiceAccountKey types.String `tfsdk:"service_account_key"`
+	ProjectID         types.String `tfsdk:"project_id"`
+}
+
+func (c *GcpCloudConnectionAttributes) Attributes() *console.GCPCloudConnectionAttributes {
+	return &console.GCPCloudConnectionAttributes{
+		ServiceAccountKey: c.ServiceAccountKey.ValueString(),
+		ProjectID:         c.ProjectID.ValueString(),
+	}
+}
+
+type AzureCloudConnectionAttributes struct {
+	SubscriptionID types.String `tfsdk:"subscription_id"`
+	TenantID       types.String `tfsdk:"tenant_id"`
+	ClientID       types.String `tfsdk:"client_id"`
+	ClientSecret   types.String `tfsdk:"client_secret"`
+}
+
+func (c *AzureCloudConnectionAttributes) Attributes() *console.AzureCloudConnectionAttributes {
+	return &console.AzureCloudConnectionAttributes{
+		SubscriptionID: c.SubscriptionID.ValueString(),
+		TenantID:       c.TenantID.ValueString(),
+		ClientID:       c.ClientID.ValueString(),
+		ClientSecret:   c.ClientSecret.ValueString(),
+	}
+}
+
+func (c *CloudConnection) Attributes(ctx context.Context, d *diag.Diagnostics) console.CloudConnectionAttributes {
+	return console.CloudConnectionAttributes{
+		Name:          c.Name.ValueString(),
+		Provider:      console.Provider(c.CloudProvider.ValueString()),
+		Configuration: *c.Configuration.Attributes(),
+		ReadBindings:  common.SetToPolicyBindingAttributes(c.ReadBindings, ctx, d),
+	}
+}
+
+func (c *CloudConnection) From(cc *console.CloudConnectionFragment, ctx context.Context, d *diag.Diagnostics) {
+	c.Id = types.StringValue(cc.ID)
+	c.Name = types.StringValue(cc.Name)
+	c.CloudProvider = types.StringValue(string(cc.Provider))
+	c.ReadBindings = common.BindingsFromReadOnly(cc.ReadBindings, ctx, d)
+}
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -211,6 +211,7 @@ func (p *PluralProvider) Resources(_ context.Context) []func() resource.Resource
 		r.NewOIDCProviderResourceResource,
 		r.NewSCMWebhookResource,
 		r.NewObservabilityWebhookResource,
+		r.NewCloudConnectionResource,
 	}
 }
 
@@ -226,6 +227,7 @@ func (p *PluralProvider) DataSources(_ context.Context) []func() datasource.Data
 		ds.NewPRAutomationDataSource,
 		ds.NewInfrastructureStackDataSource,
 		ds.NewServiceContextDataSource,
+		ds.NewCloudConnectionDataSource,
 	}
 }
 
diff --git a/internal/resource/cloud_connection.go b/internal/resource/cloud_connection.go

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,7 @@ func (p *PluralProvider) Resources(_ context.Context) []func() resource.Resource`
`211`	`211`	`r.NewOIDCProviderResourceResource,`
`212`	`212`	`r.NewSCMWebhookResource,`
`213`	`213`	`r.NewObservabilityWebhookResource,`
	`214`	`+ r.NewCloudConnectionResource,`
`214`	`215`	`}`
`215`	`216`	`}`
`216`	`217`
`@@ -226,6 +227,7 @@ func (p *PluralProvider) DataSources(_ context.Context) []func() datasource.Data`
`226`	`227`	`ds.NewPRAutomationDataSource,`
`227`	`228`	`ds.NewInfrastructureStackDataSource,`
`228`	`229`	`ds.NewServiceContextDataSource,`
	`230`	`+ ds.NewCloudConnectionDataSource,`
`229`	`231`	`}`
`230`	`232`	`}`
`231`	`233`