terraform: access list support

This PR adds access list support to the Terraform provider. Since we
stopped using gogoproto, generating new resources became increasingly
complex.

The access list terraform schema was generated from the protobuf types
and not the ones in `api/types`, which causes all kind of small oddities
from a user PoV, and made this PR way more complex.

User-facing limitations:
- the `metadata` field is nested under the `header` one because of the
  protobuf structure
- the traits is not a map but a list of structs, each struct with a key
  and a value attribute

Non user-facing limitations the PR had to work around:
- the protobuf time is different from go's time, I initially wanted to
  create `ProtoTimeType`/`ProtoTimeValue` but we cannot embbed a
  protobuf timestamp directly (because it contains a lock, the terraform
  value must be a reference, which is not supported by the protoc
  generator). The workaround is to use custom types (`Timestamp` and
  `Duration`).
- the provider has to do the conversion between the proto type and the
  api/type. This required writing a new provider template for new
  non-gogo resources (`gen/plural_data_source_new.go.tpl` and
  `gen/plural_resources_new.go.tpl`)
- The time type difference caused conversion issues fixed by
  gravitational/teleport#32135

access/msteams/plugindata.go

@@ -40,6 +40,7 @@ type TeamsMessage struct {
 func DecodePluginData(dataMap map[string]string) (PluginData, error) {
 	data := PluginData{}
 	var errors []error
+	var err error
 
 	accessRequestData, err := plugindata.DecodeAccessRequestData(dataMap)
 	if err != nil {
@@ -81,6 +82,11 @@ func EncodePluginData(data PluginData) (map[string]string, error) {
 
 	var errors []error
 
+	result, err := plugindata.EncodeAccessRequestData(data.AccessRequestData)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	var encodedMessages []string
 	for _, msg := range data.TeamsData {
 		jsonMessage, err := json.Marshal(msg)

terraform/Makefile

@@ -79,11 +79,19 @@ endif
 		--terraform_out=config=protoc-gen-terraform-devicetrust.yaml:./tfschema \
 		teleport/legacy/types/device.proto
 
-	@go run ./gen/main.go
+	@protoc \
+		-I$(API_MOD_PATH)/proto \
+		-I$(PROTOBUF_MOD_PATH) \
+		--plugin=$(GENTERRAFORMPATH)/protoc-gen-terraform \
+		--terraform_out=config=protoc-gen-terraform-accesslist.yaml:./tfschema \
+		teleport/accesslist/v1/accesslist.proto
+
 	mv ./tfschema/github.com/gravitational/teleport/api/types/types_terraform.go ./tfschema/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1/loginrule_terraform.go ./tfschema/loginrule/v1/
+	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1/accesslist_terraform.go ./tfschema/accesslist/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/types/device_terraform.go ./tfschema/devicetrust/v1/
 	rm -r ./tfschema/github.com/
+	@go run ./gen/main.go
 	@go run ./gen/main.go docs
 
 .PHONY: release

terraform/example/access_list.tf.example

@@ -0,0 +1,36 @@
+resource "teleport_access_list" "crane-operation" {
+  header = {
+    metadata = {
+      name = "crane-operation"
+      labels = {
+        example = "yes"
+      }
+    }
+  }
+  spec = {
+    description = "Used to grant access to the crane."
+    owners = [
+      {
+        name = "gru"
+        description = "The supervillain."
+      }
+    ]
+    membership_requires = {
+      roles = ["minion"]
+    }
+    ownership_requires = {
+      roles = ["supervillain"]
+    }
+    grants = {
+      roles = ["crane-operator"]
+      traits = [{
+        key = "allowed-machines"
+        values = ["crane", "forklift"]
+      }]
+    }
+    title = "Crane operation"
+    audit = {
+      frequency = "3600h"  // 150 days
+    }
+  }
+}

terraform/example/terraform.yaml

@@ -28,6 +28,7 @@ spec:
         - login_rule
         - device
         - okta_import_rule
+        - access_list
         verbs: ['list','create','read','update','delete']
 version: v6
 ---