[Feature complete]Custom IAM Role modles, client, schema, implmementation and docs

Signed-off-by: GilTS <gil@terasky.com>

Author: GilTeraSky

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole'
 
 jobs:
   goreleaser:

.github/workflows/test.yml

@@ -3,7 +3,7 @@ name: Test and coverage
 on: [pull_request, push]
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole'
 jobs:
   build:
     name: Test and coverage

Makefile

@@ -22,7 +22,7 @@ ifeq ($(TEST_FLAGS),)
 endif
 
 ifeq ($(BUILD_TAGS),)
-	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate'
+	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner inspections custompolicytemplate customiamrole'
 endif
 
 .PHONY: build clean-up test gofmt vet lint acc-test website-lint website-lint-fix

docs/resources/custom_iam_role.md

@@ -0,0 +1,169 @@
+---
+Title: "Custom IAM Role Resource"
+Description: |-
+   Creating a custom IAM role.
+---
+
+# Custom IAM Role Resource
+
+This resource enables users to create custom IAM roles in TMC.
+
+For more information regarding custom roles, see [Custom Role][custom-role].
+
+[custom-role]: https://docs.vmware.com/en/VMware-Tanzu-Mission-Control/services/tanzumc-using/GUID-F314ED9E-2736-48CC-A1BB-CB9C32900B30.html
+
+## Example Usage
+
+```terraform
+resource "tanzu-mission-control_custom_iam_role" "demo-role" {
+  name = "tf-custom-role"
+
+  spec {
+    is_deprecated = false
+
+    aggregation_rule {
+      cluster_role_selector {
+        match_labels = {
+          key = "value"
+        }
+      }
+
+      cluster_role_selector {
+        match_expression {
+          key      = "aa"
+          operator = "Exists"
+          values   = ["aa", "bb", "cc"]
+        }
+      }
+    }
+
+    allowed_scopes = [
+      "ORGANIZATION",
+      "CLUSTER_GROUP",
+      "CLUSTER"
+    ]
+
+    tanzu_permissions = []
+
+    kubernetes_permissions {
+      rule {
+        resources  = ["deployments"]
+        verbs      = ["get", "list"]
+        api_groups = ["*"]
+      }
+
+      rule {
+        verbs      = ["get", "list"]
+        api_groups = ["*"]
+        url_paths  = ["/healthz"]
+      }
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the iam role
+- `spec` (Block List, Min: 1, Max: 1) Spec block of iam role (see [below for nested schema](#nestedblock--spec))
+
+### Optional
+
+- `meta` (Block List, Max: 1) Metadata for the resource (see [below for nested schema](#nestedblock--meta))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--spec"></a>
+### Nested Schema for `spec`
+
+Required:
+
+- `allowed_scopes` (List of String) The allowed scopes for the iam role.
+Valid values are (ORGANIZATION, MANAGEMENT_CLUSTER, PROVISIONER, CLUSTER_GROUP, CLUSTER, WORKSPACE, NAMESPACE)
+
+Optional:
+
+- `aggregation_rule` (Block List, Max: 1) Aggregation rules for the iam role. (see [below for nested schema](#nestedblock--spec--aggregation_rule))
+- `is_deprecated` (Boolean) Flag representing whether role is deprecated.
+- `kubernetes_permissions` (Block List, Max: 1) Kubernetes permissions for the iam role. (see [below for nested schema](#nestedblock--spec--kubernetes_permissions))
+- `tanzu_permissions` (List of String) Tanzu-specific permissions for the role.
+
+<a id="nestedblock--spec--aggregation_rule"></a>
+### Nested Schema for `spec.aggregation_rule`
+
+Required:
+
+- `cluster_role_selector` (Block List, Min: 1) Cluster role selector for the iam role. (see [below for nested schema](#nestedblock--spec--aggregation_rule--cluster_role_selector))
+
+<a id="nestedblock--spec--aggregation_rule--cluster_role_selector"></a>
+### Nested Schema for `spec.aggregation_rule.cluster_role_selector`
+
+Optional:
+
+- `match_expression` (Block List) List of label selector requirements.
+The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--aggregation_rule--cluster_role_selector--match_expression))
+- `match_labels` (Map of String) Map of {key,value} pairs.
+A single {key,value} in the match_labels map is equivalent to an element of match_expression, whose key field is "key", the operator is "In", and the values array contains only "value". 
+The requirements are ANDed.
+
+<a id="nestedblock--spec--aggregation_rule--cluster_role_selector--match_expression"></a>
+### Nested Schema for `spec.aggregation_rule.cluster_role_selector.match_expression`
+
+Required:
+
+- `key` (String) Key is the label key that the selector applies to.
+- `operator` (String) Operator represents a key's relationship to a set of values.
+Valid operators are "In", "NotIn", "Exists" and "DoesNotExist".
+
+Optional:
+
+- `values` (List of String) Values is an array of string values.
+If the operator is "In" or "NotIn", the values array must be non-empty.
+If the operator is "Exists" or "DoesNotExist", the values array must be empty.
+This array is replaced during a strategic merge patch.
+
+
+
+
+<a id="nestedblock--spec--kubernetes_permissions"></a>
+### Nested Schema for `spec.kubernetes_permissions`
+
+Required:
+
+- `rule` (Block List, Min: 1) Kubernetes rules. (see [below for nested schema](#nestedblock--spec--kubernetes_permissions--rule))
+
+<a id="nestedblock--spec--kubernetes_permissions--rule"></a>
+### Nested Schema for `spec.kubernetes_permissions.rule`
+
+Required:
+
+- `verbs` (List of String) Verbs.
+
+Optional:
+
+- `api_groups` (List of String) API groups.
+- `resource_names` (List of String) Restricts the rule to resources by name.
+- `resources` (List of String) Resources for the role.
+- `url_paths` (List of String) Non-resource urls for the role.
+
+
+
+
+<a id="nestedblock--meta"></a>
+### Nested Schema for `meta`
+
+Optional:
+
+- `annotations` (Map of String) Annotations for the resource
+- `description` (String) Description of the resource
+- `labels` (Map of String) Labels for the resource
+
+Read-Only:
+
+- `resource_version` (String) Resource version of the resource
+- `uid` (String) UID of the resource

examples/resources/custom_iam_role/resource_custom_iam_role.tf

@@ -0,0 +1,45 @@
+resource "tanzu-mission-control_custom_iam_role" "demo-role" {
+  name = "tf-custom-role"
+
+  spec {
+    is_deprecated = false
+
+    aggregation_rule {
+      cluster_role_selector {
+        match_labels = {
+          key = "value"
+        }
+      }
+
+      cluster_role_selector {
+        match_expression {
+          key      = "aa"
+          operator = "Exists"
+          values   = ["aa", "bb", "cc"]
+        }
+      }
+    }
+
+    allowed_scopes = [
+      "ORGANIZATION",
+      "CLUSTER_GROUP",
+      "CLUSTER"
+    ]
+
+    tanzu_permissions = []
+
+    kubernetes_permissions {
+      rule {
+        resources  = ["deployments"]
+        verbs      = ["get", "list"]
+        api_groups = ["*"]
+      }
+
+      rule {
+        verbs      = ["get", "list"]
+        api_groups = ["*"]
+        url_paths  = ["/healthz"]
+      }
+    }
+  }
+}

internal/client/customiamrole/customiamrole_resource.go

@@ -0,0 +1,81 @@
+/*
+Copyright © 2023 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+*/
+
+package customiamrole
+
+import (
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/transport"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/helper"
+	customiamrolemodels "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/customiamrole"
+)
+
+const (
+	iamRoleAPIVersionAndGroup = "v1alpha1/iam/roles"
+)
+
+// New creates a new custom iam role resource service API client.
+func New(transport *transport.Client) ClientService {
+	return &Client{Client: transport}
+}
+
+/*
+Client for custom iam role resource service API.
+*/
+type Client struct {
+	*transport.Client
+}
+
+// ClientService is the interface for Client methods.
+type ClientService interface {
+	CustomIAMRoleResourceServiceCreate(request *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData) (*customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData, error)
+
+	CustomIAMRoleResourceServiceUpdate(request *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData) (*customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData, error)
+
+	CustomIAMRoleResourceServiceDelete(fn *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleFullName) error
+
+	CustomIAMRoleResourceServiceGet(fn *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleFullName) (*customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData, error)
+}
+
+/*
+CustomIAMRoleResourceServiceGet gets a custom iam role.
+*/
+func (c *Client) CustomIAMRoleResourceServiceGet(fullName *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleFullName) (*customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData, error) {
+	requestURL := helper.ConstructRequestURL(iamRoleAPIVersionAndGroup, fullName.Name).String()
+	resp := &customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData{}
+	err := c.Get(requestURL, resp)
+
+	return resp, err
+}
+
+/*
+CustomIAMRoleResourceServiceCreate creates a custom iam role.
+*/
+func (c *Client) CustomIAMRoleResourceServiceCreate(request *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData) (*customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData, error) {
+	response := &customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData{}
+	requestURL := helper.ConstructRequestURL(iamRoleAPIVersionAndGroup).String()
+	err := c.Create(requestURL, request, response)
+
+	return response, err
+}
+
+/*
+CustomIAMRoleResourceServiceUpdate updates a custom iam role.
+*/
+func (c *Client) CustomIAMRoleResourceServiceUpdate(request *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData) (*customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData, error) {
+	response := &customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleData{}
+	requestURL := helper.ConstructRequestURL(iamRoleAPIVersionAndGroup, request.Role.FullName.Name).String()
+	err := c.Update(requestURL, request, response)
+
+	return response, err
+}
+
+/*
+CustomIAMRoleResourceServiceDelete deletes a custom iam role.
+*/
+func (c *Client) CustomIAMRoleResourceServiceDelete(fullName *customiamrolemodels.VmwareTanzuManageV1alpha1IamRoleFullName) error {
+	requestURL := helper.ConstructRequestURL(iamRoleAPIVersionAndGroup, fullName.Name).String()
+
+	return c.Delete(requestURL)
+}

internal/client/http_client.go

@@ -39,6 +39,7 @@ import (
 	sourcesecretclustergroupclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/clustergroup/sourcesecret"
 	credentialclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/credential"
 	custompolicytemplateclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/custompolicytemplate"
+	customiamroleclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/customiamrole"
 	eksclusterclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/ekscluster"
 	eksnodepoolclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/ekscluster/nodepool"
 	inspectionsclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/inspections"
@@ -150,6 +151,7 @@ func newHTTPClient(httpClient *transport.Client) *TanzuMissionControl {
 		ProvisionerResourceService:                    provisionerclient.New(httpClient),
 		CustomPolicyTemplateResourceService:           custompolicytemplateclient.New(httpClient),
 		RecipeResourceService:                         recipeclient.New(httpClient),
+		CustomIAMRoleResourceService:                  customiamroleclient.New(httpClient),
 	}
 }
 
@@ -211,4 +213,5 @@ type TanzuMissionControl struct {
 	InspectionsResourceService                    inspectionsclient.ClientService
 	CustomPolicyTemplateResourceService           custompolicytemplateclient.ClientService
 	RecipeResourceService                         recipeclient.ClientService
+	CustomIAMRoleResourceService                  customiamroleclient.ClientService
 }

internal/models/customiamrole/aggregeation_rule.go

@@ -0,0 +1,41 @@
+/*
+Copyright © 2023 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+*/
+
+package customiamrolemodels
+
+import (
+	"github.com/go-openapi/swag"
+)
+
+// VmwareTanzuManageV1alpha1IamRoleAggregationRule AggregationRule for a role.
+//
+// swagger:model vmware.tanzu.manage.v1alpha1.iam.role.AggregationRule
+type VmwareTanzuManageV1alpha1IamRoleAggregationRule struct {
+
+	// Label based Cluster Role Selector.
+	ClusterRoleSelectors []*K8sIoApimachineryPkgApisMetaV1LabelSelector `json:"clusterRoleSelectors"`
+}
+
+// MarshalBinary interface implementation.
+func (m *VmwareTanzuManageV1alpha1IamRoleAggregationRule) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation.
+func (m *VmwareTanzuManageV1alpha1IamRoleAggregationRule) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1IamRoleAggregationRule
+
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}