Added custom policy template resource

Signed-off-by: GilTS <gil@terasky.com>

Author: GilTeraSky

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner custompolicytemplate'
 
 jobs:
   goreleaser:

.github/workflows/test.yml

@@ -3,7 +3,7 @@ name: Test and coverage
 on: [pull_request, push]
 
 env:
-  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+  BUILD_TAGS: 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner custompolicytemplate'
 jobs:
   build:
     name: Test and coverage

Makefile

@@ -22,7 +22,11 @@ ifeq ($(TEST_FLAGS),)
 endif
 
 ifeq ($(BUILD_TAGS),)
+<<<<<<< HEAD
 	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster provisioner'
+=======
+	BUILD_TAGS := 'akscluster cluster clustergroup credential ekscluster gitrepository iampolicy kustomization namespace custompolicy imagepolicy networkpolicy quotapolicy securitypolicy sourcesecret workspace tanzupackage tanzupackages packagerepository packageinstall clustersecret integration mutationpolicy helmfeature helmrelease backupschedule targetlocation dataprotection tanzukubernetescluster clusterclass managementcluster custompolicytemplate'
+>>>>>>> 46f9c4b (Added custom policy template resource)
 endif
 
 .PHONY: build clean-up test gofmt vet lint acc-test website-lint website-lint-fix

docs/resources/custom_policy_template.md

@@ -0,0 +1,152 @@
+---
+Title: "Custom Policy Template Resource"
+Description: |-
+   Creating a custom policy template.
+---
+
+# Custom Policy Template Resource
+
+This resource enables users to create custom policy template in TMC.
+
+For more information regarding custom policy template, see [Custom Policy Template][custom-policy-template].
+
+[custom-policy-template]: https://docs.vmware.com/en/VMware-Tanzu-Mission-Control/services/tanzumc-using/GUID-F147492B-04FD-4CFD-8D1F-66E36D40D49C.html
+
+## Example Usage
+
+```terraform
+resource "tanzu-mission-control_custom_policy_template" "sample" {
+  name = "tf-custom-template-test"
+
+  spec {
+    object_type   = "ConstraintTemplate"
+    template_type = "OPAGatekeeper"
+
+    data_inventory {
+      kind    = "ConfigMap"
+      group   = "admissionregistration.k8s.io"
+      version = "v1"
+    }
+
+    data_inventory {
+      kind    = "Deployment"
+      group   = "extensions"
+      version = "v1"
+    }
+
+    template_manifest = <<YAML
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: tf-custom-template-test
+  annotations:
+    description: Requires Pods to have readiness and/or liveness probes.
+spec:
+  crd:
+    spec:
+      names:
+        kind: tf-custom-template-test
+      validation:
+        openAPIV3Schema:
+          properties:
+            probes:
+              type: array
+              items:
+                type: string
+            probeTypes:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredprobes
+        probe_type_set = probe_types {
+          probe_types := {type | type := input.parameters.probeTypes[_]}
+        }
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          probe := input.parameters.probes[_]
+          probe_is_missing(container, probe)
+          msg := get_violation_message(container, input.review, probe)
+        }
+        probe_is_missing(ctr, probe) = true {
+          not ctr[probe]
+        }
+        probe_is_missing(ctr, probe) = true {
+          probe_field_empty(ctr, probe)
+        }
+        probe_field_empty(ctr, probe) = true {
+          probe_fields := {field | ctr[probe][field]}
+          diff_fields := probe_type_set - probe_fields
+          count(diff_fields) == count(probe_type_set)
+        }
+        get_violation_message(container, review, probe) = msg {
+          msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
+        }
+YAML
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the custom policy template
+- `spec` (Block List, Min: 1, Max: 1) Spec block of the custom policy template (see [below for nested schema](#nestedblock--spec))
+
+### Optional
+
+- `meta` (Block List, Max: 1) Metadata for the resource (see [below for nested schema](#nestedblock--meta))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--spec"></a>
+### Nested Schema for `spec`
+
+Required:
+
+- `template_manifest` (String) YAML formatted Kubernetes resource.
+The Kubernetes object has to be of the type defined in ObjectType ('ConstraintTemplate').
+The object name must match the name of the wrapping policy template.
+This will be applied on the cluster after a policy is created using this version of the template.
+This contains the latest version of the object. For previous versions, check Versions API.
+
+Optional:
+
+- `data_inventory` (Block List) List of Kubernetes api-resource kinds that need to be synced/replicated in Gatekeeper in order to enforce policy rules on those resources.
+Note: This is used for OPAGatekeeper based templates, and should be used if the policy enforcement logic in Rego code uses cached data using "data.inventory" fields. (see [below for nested schema](#nestedblock--spec--data_inventory))
+- `is_deprecated` (Boolean) Flag representing whether the custom policy template is deprecated.
+- `object_type` (String) The type of Kubernetes resource encoded in Object.
+Currently, we only support OPAGatekeeper based 'ConstraintTemplate' object.
+- `template_type` (String) The type of policy template.
+Currently, we only support 'OPAGatekeeper' based policy templates.
+
+<a id="nestedblock--spec--data_inventory"></a>
+### Nested Schema for `spec.data_inventory`
+
+Required:
+
+- `group` (String) API resource group
+- `kind` (String) API resource kind
+- `version` (String) API resource version
+
+
+
+<a id="nestedblock--meta"></a>
+### Nested Schema for `meta`
+
+Optional:
+
+- `annotations` (Map of String) Annotations for the resource
+- `description` (String) Description of the resource
+- `labels` (Map of String) Labels for the resource
+
+Read-Only:
+
+- `resource_version` (String) Resource version of the resource
+- `uid` (String) UID of the resource

examples/resources/custom_policy_template/provider.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    tanzu-mission-control = {
+      source = "vmware/dev/tanzu-mission-control"
+    }
+  }
+}
+
+terraform {
+  backend "local" {
+    path = "./terraform.tfstate"
+  }
+}
+
+provider "tanzu-mission-control" {
+}

examples/resources/custom_policy_template/resource_custom_policy_template.tf

@@ -0,0 +1,72 @@
+resource "tanzu-mission-control_custom_policy_template" "sample" {
+  name = "tf-custom-template-test"
+
+  spec {
+    object_type   = "ConstraintTemplate"
+    template_type = "OPAGatekeeper"
+
+    data_inventory {
+      kind    = "ConfigMap"
+      group   = "admissionregistration.k8s.io"
+      version = "v1"
+    }
+
+    data_inventory {
+      kind    = "Deployment"
+      group   = "extensions"
+      version = "v1"
+    }
+
+    template_manifest = <<YAML
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: tf-custom-template-test
+  annotations:
+    description: Requires Pods to have readiness and/or liveness probes.
+spec:
+  crd:
+    spec:
+      names:
+        kind: tf-custom-template-test
+      validation:
+        openAPIV3Schema:
+          properties:
+            probes:
+              type: array
+              items:
+                type: string
+            probeTypes:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredprobes
+        probe_type_set = probe_types {
+          probe_types := {type | type := input.parameters.probeTypes[_]}
+        }
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          probe := input.parameters.probes[_]
+          probe_is_missing(container, probe)
+          msg := get_violation_message(container, input.review, probe)
+        }
+        probe_is_missing(ctr, probe) = true {
+          not ctr[probe]
+        }
+        probe_is_missing(ctr, probe) = true {
+          probe_field_empty(ctr, probe)
+        }
+        probe_field_empty(ctr, probe) = true {
+          probe_fields := {field | ctr[probe][field]}
+          diff_fields := probe_type_set - probe_fields
+          count(diff_fields) == count(probe_type_set)
+        }
+        get_violation_message(container, review, probe) = msg {
+          msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
+        }
+YAML
+  }
+}

internal/client/custompolicytemplate/custompolicytemplate_resource.go

@@ -0,0 +1,81 @@
+/*
+Copyright © 2023 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+*/
+
+package custompolicytemplateclient
+
+import (
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/transport"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/helper"
+	custompolicytemplatemodels "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/custompolicytemplate"
+)
+
+const (
+	customPolicyTemplateAPIVersionAndGroup = "v1alpha1/policy/templates"
+)
+
+// New creates a new custom policy template resource service API client.
+func New(transport *transport.Client) ClientService {
+	return &Client{Client: transport}
+}
+
+/*
+Client for custom policy template resource service API.
+*/
+type Client struct {
+	*transport.Client
+}
+
+// ClientService is the interface for Client methods.
+type ClientService interface {
+	CustomPolicyTemplateResourceServiceCreate(request *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData) (*custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData, error)
+
+	CustomPolicyTemplateResourceServiceUpdate(request *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData) (*custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData, error)
+
+	CustomPolicyTemplateResourceServiceDelete(fn *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateFullName) error
+
+	CustomPolicyTemplateResourceServiceGet(fn *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateFullName) (*custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData, error)
+}
+
+/*
+CustomPolicyTemplateResourceServiceGet gets an custom policy template.
+*/
+func (c *Client) CustomPolicyTemplateResourceServiceGet(fullName *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateFullName) (*custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData, error) {
+	requestURL := helper.ConstructRequestURL(customPolicyTemplateAPIVersionAndGroup, fullName.Name).String()
+	resp := &custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData{}
+	err := c.Get(requestURL, resp)
+
+	return resp, err
+}
+
+/*
+CustomPolicyTemplateResourceServiceCreate creates an custom policy template.
+*/
+func (c *Client) CustomPolicyTemplateResourceServiceCreate(request *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData) (*custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData, error) {
+	response := &custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData{}
+	requestURL := helper.ConstructRequestURL(customPolicyTemplateAPIVersionAndGroup).String()
+	err := c.Create(requestURL, request, response)
+
+	return response, err
+}
+
+/*
+CustomPolicyTemplateResourceServiceUpdate updates an custom policy template.
+*/
+func (c *Client) CustomPolicyTemplateResourceServiceUpdate(request *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData) (*custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData, error) {
+	response := &custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateData{}
+	requestURL := helper.ConstructRequestURL(customPolicyTemplateAPIVersionAndGroup, request.Template.FullName.Name).String()
+	err := c.Update(requestURL, request, response)
+
+	return response, err
+}
+
+/*
+CustomPolicyTemplateResourceServiceDelete deletes an custom policy template.
+*/
+func (c *Client) CustomPolicyTemplateResourceServiceDelete(fullName *custompolicytemplatemodels.VmwareTanzuManageV1alpha1PolicyTemplateFullName) error {
+	requestURL := helper.ConstructRequestURL(customPolicyTemplateAPIVersionAndGroup, fullName.Name).String()
+
+	return c.Delete(requestURL)
+}

internal/client/http_client.go

@@ -38,6 +38,7 @@ import (
 	policyclustergroupclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/clustergroup/policy"
 	sourcesecretclustergroupclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/clustergroup/sourcesecret"
 	credentialclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/credential"
+	custompolicytemplateclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/custompolicytemplate"
 	eksclusterclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/ekscluster"
 	eksnodepoolclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/ekscluster/nodepool"
 	integrationclient "github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/integration"
@@ -144,6 +145,7 @@ func newHTTPClient(httpClient *transport.Client) *TanzuMissionControl {
 		ClusterClassResourceService:                   clusterclassclient.New(httpClient),
 		TanzuKubernetesClusterResourceService:         tanzukubernetesclusterclient.New(httpClient),
 		ProvisionerResourceService:                    provisionerclient.New(httpClient),
+		CustomPolicyTemplateResourceService:           custompolicytemplateclient.New(httpClient),
 	}
 }
 
@@ -202,4 +204,5 @@ type TanzuMissionControl struct {
 	ClusterClassResourceService                   clusterclassclient.ClientService
 	TanzuKubernetesClusterResourceService         tanzukubernetesclusterclient.ClientService
 	ProvisionerResourceService                    provisionerclient.ClientService
+	CustomPolicyTemplateResourceService           custompolicytemplateclient.ClientService
 }