[Do not merge] Add hcp_packer_bucket, `hcp_packer_bucket_iam_bindin…

…g`, and `hcp_packer_bucket_iam_policy` resources #866  (#852)

.changelog/852.txt

@@ -0,0 +1,5 @@
+```release-note:feature
+ New resource: Add `hcp_packer_bucket` resource for managing HCP Packer buckets
+ New Resource: Add `hcp_packer_bucket_iam_policy` resource for assigning a list of policy bindings to multiple principals for a HCP Packer Bucket
+ New resource: Add `hcp_packer_bucket_iam_binding` resource for assigning a single role to a principal for a HCP Packer Bucket
+ ```

docs/guides/packer-bucket-rbac.md

@@ -0,0 +1,55 @@
+---
+subcategory: ""
+page_title: "Managing HCP Packer Bucket IAM Policies"
+description: |-
+    A guide to using HCP Packer bucket resource along with binding or policy resource to manage bucket level access.
+---
+
+# Managing HCP Packer Bucket IAM Policies
+
+You can grant specific users, service principals, or groups contributor or admin level access to a specific HCP Packer bucket using either a `hcp_packer_bucket_iam_binding` or `hcp_packer_bucket_iam_policy` resource.  Whenever a user is invited to a project they will have read level access to all resources, but you can restrict which of the principals in your project can maintain specific buckets.
+
+A resource's policy is a list of bindings to assign roles to multiple users, groups, or service principals. The `hcp_packer_bucket_iam_policy` resource sets the Bucket IAM policy and replaces any existing policy.
+
+The following example assigns the role `contributor` to a user principal and a service principal for the `production` bucket.
+
+```terraform
+data "hcp_iam_policy" "mypolicy" {
+  bindings = [
+    {
+      role = "roles/contributor"
+      principals = [
+        "user-principal-id-1",
+        "service-principal-id-1",
+      ]
+    },
+  ]
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_policy" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  policy_data   = data.hcp_iam_policy.mypolicy.policy_data
+}
+```
+
+The following example assigns role contriubtor for a service principal to the production bucket, and also preserves existing bindings.
+
+```terraform
+resource "hcp_service_principal" "my-sp" {
+  name = "my-sp"
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_binding" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  principal_id  = hcp_service_principal.my-sp.resource_id
+  role          = "roles/contributor"
+}
+```

docs/resources/packer_bucket.md

@@ -0,0 +1,46 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "hcp_packer_bucket Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The Packer Bucket resource allows you to manage a bucket within an active HCP Packer Registry.
+---
+
+# hcp_packer_bucket (Resource)
+
+The Packer Bucket resource allows you to manage a bucket within an active HCP Packer Registry.
+
+## Example Usage
+
+```terraform
+resource "hcp_packer_bucket" "staging" {
+  name = "alpine"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The bucket's name.
+
+### Optional
+
+- `project_id` (String) The ID of the project to create the bucket under. If unspecified, the bucket will be created in the project the provider is configured with.
+
+### Read-Only
+
+- `created_at` (String) The creation time of this bucket
+- `organization_id` (String) The ID of the HCP organization where this bucket is located.
+- `resource_name` (String) The buckets's HCP resource name in the format `packer/project/<project_id>/packer/<name>`.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Using a HCP Packer Bucket Resource Name
+# packer/project/{project_id}/bucket/{bucket_name}
+terraform import hcp_packer_bucket.alpine packer/project/f709ec73-55d4-46d8-897d-816ebba28778/bucket/alpine
+```

docs/resources/packer_bucket_iam_binding.md

@@ -0,0 +1,38 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "hcp_packer_bucket_iam_binding Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  Updates the HCP Packer Bucket IAM policy to bind a role to a new member. Existing bindings are preserved.
+---
+
+# hcp_packer_bucket_iam_binding (Resource)
+
+Updates the HCP Packer Bucket IAM policy to bind a role to a new member. Existing bindings are preserved.
+
+## Example Usage
+
+```terraform
+resource "hcp_service_principal" "my-sp" {
+  name = "my-sp"
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_binding" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  principal_id  = hcp_service_principal.my-sp.resource_id
+  role          = "roles/contributor"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `principal_id` (String) The principal to bind to the given role.
+- `resource_name` (String) The bucket's resource name in the format packer/project/<project ID>/bucket/<bucket name>.
+- `role` (String) The role name to bind to the given principal.

docs/resources/packer_bucket_iam_policy.md

@@ -0,0 +1,58 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "hcp_packer_bucket_iam_policy Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  Sets the HCP Packer Bucket IAM policy and replaces any existing policy.
+---
+
+# hcp_packer_bucket_iam_policy (Resource)
+
+Sets the HCP Packer Bucket IAM policy and replaces any existing policy.
+
+## Example Usage
+
+```terraform
+data "hcp_iam_policy" "mypolicy" {
+  bindings = [
+    {
+      role = "roles/contributor"
+      principals = [
+        "user-principal-id-1",
+        "service-principal-id-1",
+      ]
+    },
+  ]
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_policy" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  policy_data   = data.hcp_iam_policy.mypolicy.policy_data
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `policy_data` (String) The policy to apply.
+- `resource_name` (String) The bucket's resource name in the format packer/project/<project ID>/bucket/<bucket name>.
+
+### Read-Only
+
+- `etag` (String) The etag captures the existing state of the policy.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Using a HCP Packer Bucket Resource Name
+# packer/project/{project_id}/bucket/{bucket_name}
+terraform import hcp_packer_bucket.alpine packer/project/f709ec73-55d4-46d8-897d-816ebba28778/bucket/alpine
+```

examples/guides/packer_bucket_rbac/iam_binding_resource.tf

@@ -0,0 +1,13 @@
+resource "hcp_service_principal" "my-sp" {
+  name = "my-sp"
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_binding" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  principal_id  = hcp_service_principal.my-sp.resource_id
+  role          = "roles/contributor"
+}

examples/guides/packer_bucket_rbac/iam_policy_resource.tf

@@ -0,0 +1,20 @@
+data "hcp_iam_policy" "mypolicy" {
+  bindings = [
+    {
+      role = "roles/contributor"
+      principals = [
+        "user-principal-id-1",
+        "service-principal-id-1",
+      ]
+    },
+  ]
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_policy" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  policy_data   = data.hcp_iam_policy.mypolicy.policy_data
+}

examples/resources/hcp_packer_bucket/import.sh

@@ -0,0 +1,4 @@
+# Using a HCP Packer Bucket Resource Name
+# packer/project/{project_id}/bucket/{bucket_name}
+terraform import hcp_packer_bucket.alpine packer/project/f709ec73-55d4-46d8-897d-816ebba28778/bucket/alpine
+

examples/resources/hcp_packer_bucket/resource.tf

@@ -0,0 +1,3 @@
+resource "hcp_packer_bucket" "staging" {
+  name = "alpine"
+}

examples/resources/hcp_packer_bucket_iam_binding/resource.tf

@@ -0,0 +1,13 @@
+resource "hcp_service_principal" "my-sp" {
+  name = "my-sp"
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_binding" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  principal_id  = hcp_service_principal.my-sp.resource_id
+  role          = "roles/contributor"
+}

examples/resources/hcp_packer_bucket_iam_policy/import.sh

@@ -0,0 +1,4 @@
+# Using a HCP Packer Bucket Resource Name
+# packer/project/{project_id}/bucket/{bucket_name}
+terraform import hcp_packer_bucket.alpine packer/project/f709ec73-55d4-46d8-897d-816ebba28778/bucket/alpine
+

examples/resources/hcp_packer_bucket_iam_policy/resource.tf

@@ -0,0 +1,20 @@
+data "hcp_iam_policy" "mypolicy" {
+  bindings = [
+    {
+      role = "roles/contributor"
+      principals = [
+        "user-principal-id-1",
+        "service-principal-id-1",
+      ]
+    },
+  ]
+}
+
+resource "hcp_packer_bucket" "production" {
+  name = "production"
+}
+
+resource "hcp_packer_bucket_iam_policy" "example" {
+  resource_name = hcp_packer_bucket.production.resource_name
+  policy_data   = data.hcp_iam_policy.mypolicy.policy_data
+}

internal/clients/packerv2/bucket.go

@@ -49,3 +49,19 @@ func ListBuckets(ctx context.Context, client *clients.Client, loc *sharedmodels.
 		nextPage = pagination.NextPageToken
 	}
 }
+
+func CreateBucket(ctx context.Context, client *clients.Client, loc *sharedmodels.HashicorpCloudLocationLocation, name string) (*Bucket, error) {
+	params := packerservice.NewPackerServiceCreateBucketParams()
+	params.SetLocationOrganizationID(loc.OrganizationID)
+	params.SetLocationProjectID(loc.ProjectID)
+	params.Body = &packermodels.HashicorpCloudPacker20230101CreateBucketBody{
+		Name: name,
+	}
+
+	resp, err := client.PackerV2.PackerServiceCreateBucket(params, nil)
+
+	if err != nil {
+		return nil, formatGRPCError[*packerservice.PackerServiceGetBucketDefault](err)
+	}
+	return resp.GetPayload().Bucket, nil
+}

internal/provider/packer/packer.go

@@ -6,13 +6,18 @@ package packer
 import (
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
-	"github.com/hashicorp/terraform-provider-hcp/internal/provider/packer/sources/artifact"
-	"github.com/hashicorp/terraform-provider-hcp/internal/provider/packer/sources/version"
+	"github.com/hashicorp/terraform-provider-hcp/internal/provider/packer/datasources/artifact"
+	"github.com/hashicorp/terraform-provider-hcp/internal/provider/packer/datasources/version"
+	"github.com/hashicorp/terraform-provider-hcp/internal/provider/packer/resources/bucket"
 )
 
 // ResourceSchemaBuilders is a list of all HCP Packer resources exposed by the
 // Framework provider. To add a new resource, add a new function to this list.
-var ResourceSchemaBuilders []func() resource.Resource = []func() resource.Resource{}
+var ResourceSchemaBuilders []func() resource.Resource = []func() resource.Resource{
+	bucket.NewPackerBucketResource,
+	bucket.NewPackerBucketIAMPolicyResource,
+	bucket.NewPackerBucketAppIAMBindingResource,
+}
 
 // DataSourceSchemaBuilders is a list of all HCP Packer data sources exposed by the
 // Framework provider. To add a new data source, add a new function to this list.