Add the service_account resource

The cockroach_service_account resource allows the creation of service accounts via terraform.
cockroachdb · Apr 25, 2024 · 124f1f8 · 124f1f8
1 parent e977791
commit 124f1f8
Show file tree

Hide file tree

Showing 12 changed files with 542 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## Added
+
+- The [cockroach_service_account](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs/resources/service_account) resource was added.
+
 ## [1.4.1] - 2024-04-04
 
 ## Added

diff --git a/docs/resources/service_account.md b/docs/resources/service_account.md
@@ -0,0 +1,57 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_service_account Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  CockroachDB Cloud service account. A service account represents a non-person user. By default a service account has no access but it can be accompanied by either a cockroachuserrole_grants user_role_grants resource or any number of cockroachuserrole_grant user_role_grant resources to grant it roles.
+---
+
+# cockroach_service_account (Resource)
+
+CockroachDB Cloud service account. A service account represents a non-person user. By default a service account has no access but it can be accompanied by either a [cockroach_user_role_grants](user_role_grants) resource or any number of [cockroach_user_role_grant](user_role_grant) resources to grant it roles.
+
+## Example Usage
+
+```terraform
+resource "cockroach_service_account" "prod_sa" {
+  name        = "Prod cluster SA"
+  description = "A service account used for managing access to the prod cluster"
+}
+
+resource "cockroach_user_role_grants" "prod_sa" {
+  user_id = cockroach_service_account.prod_sa.id
+  roles = [
+    {
+      role_name     = "CLUSTER_ADMIN",
+      resource_type = "CLUSTER",
+      resource_id   = cockroach_cluster.prod.id
+    }
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the service account.
+
+### Optional
+
+- `description` (String) Description of the service account.
+
+### Read-Only
+
+- `created_at` (String) Creation time of the service account.
+- `creator_name` (String) Name of the creator of the service account.
+- `id` (String) The ID of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# format <resource> <service account id>
+terraform import cockroach_service_account.api_service_account 1f69fdd2-600a-4cfc-a9ba-16995df0d77d
+```
diff --git a/docs/resources/user_role_grant.md b/docs/resources/user_role_grant.md
@@ -3,13 +3,13 @@
 page_title: "cockroach_user_role_grant Resource - terraform-provider-cockroach"
 subcategory: ""
 description: |-
-  A role grant for a user. This resource is recommended to be used when a user's roles are managed across multiple terraform projects or in conjunction with console UI granted roles. For authoritative management over a user's roles, use the userrolegrants user_role_grants resource.
+  A role grant for a user. This resource is recommended to be used when a user's roles are managed across multiple terraform projects or in conjunction with console UI granted roles. For authoritative management over a user's roles, use the cockroachuserrole_grants user_role_grants resource.
   As with all terraform resources, care must be taken to limit management of the same resource to a single project.
 ---
 
 # cockroach_user_role_grant (Resource)
 
-A role grant for a user. This resource is recommended to be used when a user's roles are managed across multiple terraform projects or in conjunction with console UI granted roles. For authoritative management over a user's roles, use the [user_role_grants](user_role_grants) resource.
+A role grant for a user. This resource is recommended to be used when a user's roles are managed across multiple terraform projects or in conjunction with console UI granted roles. For authoritative management over a user's roles, use the [cockroach_user_role_grants](user_role_grants) resource.
 
  As with all terraform resources, care must be taken to limit management of the same resource to a single project.
 

diff --git a/docs/resources/user_role_grants.md b/docs/resources/user_role_grants.md
@@ -3,12 +3,12 @@
 page_title: "cockroach_user_role_grants Resource - terraform-provider-cockroach"
 subcategory: ""
 description: |-
-  Manage all the role grants for a user. This resource is authoritative.  If role grants are added elsewhere, for example, via the console UI or another terraform project, using this resource will try to reset them. Use the userrolegrant user_role_grant resource for non-authoritative role grants.
+  Manage all the role grants for a user. This resource is authoritative.  If role grants are added elsewhere, for example, via the console UI or another terraform project, using this resource will try to reset them. Use the cockroachuserrole_grant user_role_grant resource for non-authoritative role grants.
 ---
 
 # cockroach_user_role_grants (Resource)
 
-Manage all the role grants for a user. This resource is authoritative.  If role grants are added elsewhere, for example, via the console UI or another terraform project, using this resource will try to reset them. Use the [user_role_grant](user_role_grant) resource for non-authoritative role grants.
+Manage all the role grants for a user. This resource is authoritative.  If role grants are added elsewhere, for example, via the console UI or another terraform project, using this resource will try to reset them. Use the [cockroach_user_role_grant](user_role_grant) resource for non-authoritative role grants.
 
 ## Example Usage
 

diff --git a/examples/resources/cockroach_service_account/import.sh b/examples/resources/cockroach_service_account/import.sh
@@ -0,0 +1,2 @@
+# format <resource> <service account id>
+terraform import cockroach_service_account.api_service_account 1f69fdd2-600a-4cfc-a9ba-16995df0d77d
diff --git a/examples/resources/cockroach_service_account/resource.tf b/examples/resources/cockroach_service_account/resource.tf
@@ -0,0 +1,15 @@
+resource "cockroach_service_account" "prod_sa" {
+  name        = "Prod cluster SA"
+  description = "A service account used for managing access to the prod cluster"
+}
+
+resource "cockroach_user_role_grants" "prod_sa" {
+  user_id = cockroach_service_account.prod_sa.id
+  roles = [
+    {
+      role_name     = "CLUSTER_ADMIN",
+      resource_type = "CLUSTER",
+      resource_id   = cockroach_cluster.prod.id
+    }
+  ]
+}
diff --git a/internal/provider/models.go b/internal/provider/models.go
@@ -310,6 +310,14 @@ type IdentityMapEntry struct {
 	IsRegex       types.Bool   `tfsdk:"is_regex"`
 }
 
+type ServiceAccount struct {
+	ID          types.String `tfsdk:"id"`
+	Name        types.String `tfsdk:"name"`
+	Description types.String `tfsdk:"description"`
+	CreatedAt   types.String `tfsdk:"created_at"`
+	CreatorName types.String `tfsdk:"creator_name"`
+}
+
 func (e *APIErrorMessage) String() string {
 	return fmt.Sprintf("%v-%v", e.Code, e.Message)
 }
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -144,6 +144,7 @@ func (p *provider) Resources(_ context.Context) []func() resource.Resource {
 		NewVersionDeferralResource,
 		NewFolderResource,
 		NewApiOidcConfigResource,
+		NewServiceAccountResource,
 	}
 }