Add resource to validate GCP CloudProvider connections (#80)

* Add resource to validate GCP CloudProvider connections

Interface for this is a bit clumsy. In order for the cloudprovider to be
usable, we must issue an API call to validate the cloudprovider connection.
We can only do this after we've done all of the other things to put the
identity configuration in place. That means that we can't do it as part
of the create call for tlspc_cloudprovider_gcp (as we must take
parameters from that in order to set up the workload identity pool
provider).

However, this is effectively a write-once API. We can only ever validate
the connection, we can't unset that status once we've set it. That's not
a great mapping for terraform, but I think it's the best we can do.

* chore: Add resource and paramater descriptions

Signed-off-by: Peter Fiddes <[email protected]>

* chore: generate cloudprovider_gcp_validate docs file with tfplugindocs

Signed-off-by: Peter Fiddes <[email protected]>

---------

Signed-off-by: Peter Fiddes <[email protected]>
Co-authored-by: Peter Fiddes <[email protected]>

Author: aidy

docs/resources/cloudprovider_gcp_validate.md

@@ -0,0 +1,54 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "tlspc_cloudprovider_gcp_validate Resource - tlspc"
+subcategory: ""
+description: |-
+  Activates a GCP Cloud Provider configuration for usage.
+---
+
+# tlspc_cloudprovider_gcp_validate (Resource)
+
+Activates a GCP Cloud Provider configuration for usage.
+
+## Example Usage
+
+```terraform
+resource "tlspc_cloudprovider_gcp" "gcp-cloudprovider" {
+  name                               = "terraform-wif"
+  team                               = resource.tlspc_team.team.id
+  service_account_email              = resource.google_service_account.tlspc.email
+  project_number                     = data.google_project.project.number
+  workload_identity_pool_id          = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
+  workload_identity_pool_provider_id = "venafi-provider"
+}
+
+resource "google_iam_workload_identity_pool_provider" "tlspc" {
+  workload_identity_pool_id          = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
+  workload_identity_pool_provider_id = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.workload_identity_pool_provider_id
+  display_name                       = "Venafi TLSPC"
+  description                        = "Venafi WIF Pool Provider"
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.issuer_url
+  }
+}
+
+resource "tlspc_cloudprovider_gcp_validate" "gcp-cloudprovider-validation" {
+  cloudprovider_id = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.id
+  validate         = true
+  # pool provider required to be present for successful connection validation
+  depends_on = [
+    resource.google_iam_workload_identity_pool_provider.tlspc
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cloudprovider_id` (String) Reference to the tlspc_cloudprovider_gcp resource to validate.
+- `validate` (Boolean) Set to true to validate the GCP Cloud Provider connection.

examples/resources/tlspc_cloudprovider_gcp_validate/resource.tf

@@ -0,0 +1,30 @@
+resource "tlspc_cloudprovider_gcp" "gcp-cloudprovider" {
+  name                               = "terraform-wif"
+  team                               = resource.tlspc_team.team.id
+  service_account_email              = resource.google_service_account.tlspc.email
+  project_number                     = data.google_project.project.number
+  workload_identity_pool_id          = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
+  workload_identity_pool_provider_id = "venafi-provider"
+}
+
+resource "google_iam_workload_identity_pool_provider" "tlspc" {
+  workload_identity_pool_id          = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
+  workload_identity_pool_provider_id = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.workload_identity_pool_provider_id
+  display_name                       = "Venafi TLSPC"
+  description                        = "Venafi WIF Pool Provider"
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.issuer_url
+  }
+}
+
+resource "tlspc_cloudprovider_gcp_validate" "gcp-cloudprovider-validation" {
+  cloudprovider_id = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.id
+  validate         = true
+  # pool provider required to be present for successful connection validation
+  depends_on = [
+    resource.google_iam_workload_identity_pool_provider.tlspc
+  ]
+}

internal/provider/cloudprovider_gcp_validate_resource.go

@@ -0,0 +1,207 @@
+// Copyright (c) Venafi, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package provider
+
+import (
+	"context"
+	"fmt"
+
+	"terraform-provider-tlspc/internal/tlspc"
+
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+var (
+	_ resource.Resource                = &cloudProviderGCPValidateResource{}
+	_ resource.ResourceWithConfigure   = &cloudProviderGCPValidateResource{}
+	_ resource.ResourceWithImportState = &cloudProviderGCPValidateResource{}
+)
+
+type cloudProviderGCPValidateResource struct {
+	client *tlspc.Client
+}
+
+func NewCloudProviderGCPValidateResource() resource.Resource {
+	return &cloudProviderGCPValidateResource{}
+}
+
+func (r *cloudProviderGCPValidateResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_cloudprovider_gcp_validate"
+}
+
+func (r *cloudProviderGCPValidateResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		MarkdownDescription: "Activates a GCP Cloud Provider configuration for usage.",
+		Attributes: map[string]schema.Attribute{
+			"cloudprovider_id": schema.StringAttribute{
+				Required:            true,
+				MarkdownDescription: "Reference to the tlspc_cloudprovider_gcp resource to validate.",
+			},
+			"validate": schema.BoolAttribute{
+				Required:            true,
+				MarkdownDescription: "Set to true to validate the GCP Cloud Provider connection.",
+			},
+		},
+	}
+}
+
+func (r *cloudProviderGCPValidateResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+
+	client, ok := req.ProviderData.(*tlspc.Client)
+
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			fmt.Sprintf("Expected *tlspc.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+
+		return
+	}
+
+	r.client = client
+}
+
+type cloudProviderGCPValidateResourceModel struct {
+	CloudProviderID types.String `tfsdk:"cloudprovider_id"`
+	Validate        types.Bool   `tfsdk:"validate"`
+}
+
+func (r *cloudProviderGCPValidateResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan cloudProviderGCPValidateResourceModel
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if !plan.Validate.ValueBool() {
+		resp.Diagnostics.AddError(
+			"Error validating GCP Cloud Provider Connection",
+			"Validate can only be set to true",
+		)
+		return
+	}
+
+	validated, err := r.client.ValidateCloudProviderGCP(ctx, plan.CloudProviderID.ValueString())
+
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error validating GCP Cloud Provider Connection",
+			"Could validate GCP Cloud Provider: "+err.Error(),
+		)
+		return
+	}
+
+	if !validated {
+		resp.Diagnostics.AddError(
+			"Error validating GCP Cloud Provider Connection",
+			"Could validate GCP Cloud Provider connection",
+		)
+		return
+	}
+
+	plan.Validate = types.BoolValue(validated)
+
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *cloudProviderGCPValidateResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var state cloudProviderGCPValidateResourceModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	validated, err := r.client.GetCloudProviderGCPValidation(ctx, state.CloudProviderID.ValueString())
+	// Really, we should parse the error here and conditionally either bomb out, or set the validated status to false
+	// The api isn't really built around giving us a good way of determining whether or not it's an error with the request
+	// or if the connection requires validation. For now, set the state to false, we can only ever attempt to set it to true,
+	// so this should be reasonably safe and sane.
+	_ = err
+	/*
+		if err != nil {
+			resp.Diagnostics.AddError(
+				"Error retrieving GCP Cloud Provider Connection validation state",
+				"Could not retrieve state: "+err.Error(),
+			)
+			return
+		}
+	*/
+
+	state.Validate = types.BoolValue(validated)
+
+	diags = resp.State.Set(ctx, state)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *cloudProviderGCPValidateResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var state, plan cloudProviderGCPValidateResourceModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	diags = req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if !plan.Validate.ValueBool() {
+		if state.Validate.ValueBool() {
+			resp.Diagnostics.AddError(
+				"Error updating GCP Cloud Provider Connection validation",
+				"Can not unvalidate connection status",
+			)
+		} else {
+			resp.Diagnostics.AddError(
+				"Error validating GCP Cloud Provider Connection",
+				"Validate can only be set to true",
+			)
+		}
+		return
+	}
+
+	validated, err := r.client.ValidateCloudProviderGCP(ctx, state.CloudProviderID.ValueString())
+
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error validating GCP Cloud Provider Connection",
+			"Could validate GCP Cloud Provider: "+err.Error(),
+		)
+		return
+	}
+
+	plan.Validate = types.BoolValue(validated)
+
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *cloudProviderGCPValidateResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state cloudProviderGCPValidateResourceModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Can't delete validated state. Nothing to do here.
+}
+
+func (r *cloudProviderGCPValidateResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+	// Retrieve import ID and save to id attribute
+	resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+}

internal/provider/provider.go

@@ -103,6 +103,7 @@ func (p *tlspcProvider) Resources(ctx context.Context) []func() resource.Resourc
 		NewFireflySubCAResource,
 		NewFireflyPolicyResource,
 		NewCloudProviderGCPResource,
+		NewCloudProviderGCPValidateResource,
 	}
 }
 

internal/tlspc/graphql.go

@@ -219,3 +219,40 @@ func (c *Client) DeleteCloudProviderGCP(ctx context.Context, id string) error {
 
 	return err
 }
+
+func (c *Client) GetCloudProviderGCPValidation(ctx context.Context, id string) (bool, error) {
+	gql := c.GetGraphQLClient()
+
+	cpId, err := uuid.Parse(id)
+	if err != nil {
+		return false, err
+	}
+
+	resp, err := graphql.GetGCPProviderDetails(ctx, gql, cpId)
+	if err != nil {
+		return false, err
+	}
+
+	details, ok := resp.CloudProviderDetails.(*graphql.GetGCPProviderDetailsCloudProviderDetailsGCPProviderDetails)
+	if !ok {
+		return false, errors.New("Error retrieving GCP CloudProvider status")
+	}
+
+	return details.CloudProvider.Status == graphql.CloudProviderStatusValidated, nil
+}
+
+func (c *Client) ValidateCloudProviderGCP(ctx context.Context, id string) (bool, error) {
+	gql := c.GetGraphQLClient()
+
+	cpId, err := uuid.Parse(id)
+	if err != nil {
+		return false, err
+	}
+
+	resp, err := graphql.ValidateGCPProvider(ctx, gql, cpId)
+	if err != nil {
+		return false, err
+	}
+
+	return resp.ValidateCloudProvider.Result == graphql.CloudProviderStatusValidated, nil
+}

internal/tlspc/graphql/genqlient.graphql

@@ -90,3 +90,21 @@ mutation UpdateGCPProvider($Id: UUID!, $Name: String!, $Team: UUID!, $Project: S
 mutation DeleteGCPProvider($Id: UUID!) {
     deleteCloudProvider(cloudProviderId: [$Id])
 }
+
+query GetGCPProviderDetails($Id: UUID!) {
+    cloudProviderDetails(cloudProviderId: $Id) {
+        ... on GCPProviderDetails {
+            cloudProvider {
+                id
+                status
+            }
+        }
+    }
+}
+
+mutation ValidateGCPProvider($Id: UUID!) {
+    validateCloudProvider(cloudProviderId: $Id) {
+        result
+        details
+    }
+}