terraform: access list support

This PR adds access list support to the Terraform provider. Since we stopped using gogoproto, generating new resources became increasingly complex. The access list terraform schema was generated from the protobuf types and not the ones in `api/types`, which causes all kind of small oddities from a user PoV, and made this PR way more complex. User-facing limitations: - the `metadata` field is nested under the `header` one because of the protobuf structure - the traits is not a map but a list of structs, each struct with a key and a value attribute Non user-facing limitations the PR had to work around: - the protobuf time is different from go's time, I initially wanted to create `ProtoTimeType`/`ProtoTimeValue` but we cannot embbed a protobuf timestamp directly (because it contains a lock, the terraform value must be a reference, which is not supported by the protoc generator). The workaround is to use custom types (`Timestamp` and `Duration`). - the provider has to do the conversion between the proto type and the api/type. This required writing a new provider template for new non-gogo resources (`gen/plural_data_source_new.go.tpl` and `gen/plural_resources_new.go.tpl`) - The time type difference caused conversion issues fixed by gravitational/teleport#32135
gravitational · Sep 27, 2023 · 0a5793d · 0a5793d
1 parent 68a52ad
commit 0a5793d
Show file tree

Hide file tree

Showing 42 changed files with 3,874 additions and 454 deletions.
diff --git a/terraform/Makefile b/terraform/Makefile
@@ -79,11 +79,19 @@ endif
 		--terraform_out=config=protoc-gen-terraform-devicetrust.yaml:./tfschema \
 		teleport/legacy/types/device.proto
 
-	@go run ./gen/main.go
+	@protoc \
+		-I$(API_MOD_PATH)/proto \
+		-I$(PROTOBUF_MOD_PATH) \
+		--plugin=$(GENTERRAFORMPATH)/protoc-gen-terraform \
+		--terraform_out=config=protoc-gen-terraform-accesslist.yaml:./tfschema \
+		teleport/accesslist/v1/accesslist.proto
+
 	mv ./tfschema/github.com/gravitational/teleport/api/types/types_terraform.go ./tfschema/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1/loginrule_terraform.go ./tfschema/loginrule/v1/
+	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1/accesslist_terraform.go ./tfschema/accesslist/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/types/device_terraform.go ./tfschema/devicetrust/v1/
 	rm -r ./tfschema/github.com/
+	@go run ./gen/main.go
 	@go run ./gen/main.go docs
 
 .PHONY: release

diff --git a/terraform/example/access_list.tf.example b/terraform/example/access_list.tf.example
@@ -0,0 +1,36 @@
+resource "teleport_access_list" "crane-operation" {
+  header = {
+    metadata = {
+      name = "crane-operation"
+      labels = {
+        example = "yes"
+      }
+    }
+  }
+  spec = {
+    description = "Used to grant access to the crane."
+    owners = [
+      {
+        name = "gru"
+        description = "The supervillain."
+      }
+    ]
+    membership_requires = {
+      roles = ["minion"]
+    }
+    ownership_requires = {
+      roles = ["supervillain"]
+    }
+    grants = {
+      roles = ["crane-operator"]
+      traits = [{
+        key = "allowed-machines"
+        values = ["crane", "forklift"]
+      }]
+    }
+    title = "Crane operation"
+    audit = {
+      frequency = "3600h"  // 150 days
+    }
+  }
+}
diff --git a/terraform/example/terraform.yaml b/terraform/example/terraform.yaml
@@ -28,6 +28,7 @@ spec:
         - login_rule
         - device
         - okta_import_rule
+        - access_list
         verbs: ['list','create','read','update','delete']
 version: v6
 ---