Add vcfa_api_token resource (#22)

Signed-off-by: abarreiro <abarreiro@vmware.com>

Author: adambarreiro

.changes/v1.0.0/22-features.md

@@ -0,0 +1 @@
+* **New Resource:** `vcfa_api_token` to manage API Tokens [GH-22]

vcfa/provider.go

@@ -74,6 +74,7 @@ var globalResourceMap = map[string]*schema.Resource{
 	"vcfa_org_oidc":                resourceVcfaOrgOidc(),               // 1.0
 	"vcfa_rights_bundle":           resourceVcfaRightsBundle(),          // 1.0
 	"vcfa_role":                    resourceVcfaRole(),                  // 1.0
+	"vcfa_api_token":               resourceVcfaApiToken(),              // 1.0
 }
 
 // Provider returns a terraform.ResourceProvider.
@@ -116,14 +117,14 @@ func Provider() *schema.Provider {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("VCFA_API_TOKEN", nil),
-				Description: "The API token used instead of username/password for VCFA API operations. (Requires VCFA 10.3.1+)",
+				Description: "The API token used instead of username/password for VCFA API operations",
 			},
 
 			"api_token_file": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("VCFA_API_TOKEN_FILE", nil),
-				Description: "The API token file instead of username/password for VCFA API operations. (Requires VCFA 10.3.1+)",
+				Description: "The API token file instead of username/password for VCFA API operations",
 			},
 
 			"allow_api_token_file": {

vcfa/resource_vcfa_api_token.go

@@ -0,0 +1,147 @@
+package vcfa
+
+import (
+	"context"
+	"fmt"
+	"github.com/hashicorp/go-cty/cty"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/vmware/go-vcloud-director/v3/govcd"
+	"log"
+)
+
+const labelVcfaApiToken = "API Token"
+
+func resourceVcfaApiToken() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceVcfaApiTokenCreate,
+		ReadContext:   resourceVcfaApiTokenRead,
+		DeleteContext: resourceVcfaApiTokenDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceVcfaApiTokenImport,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: fmt.Sprintf("Name of %s", labelVcfaApiToken),
+			},
+			"file_name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: fmt.Sprintf("Name of the file that the %s will be saved to", labelVcfaApiToken),
+			},
+			"allow_token_file": {
+				Type:     schema.TypeBool,
+				Required: true,
+				ForceNew: true,
+				Description: fmt.Sprintf("Set this to true if you understand the security risks of using"+
+					" %s files and agree to creating them", labelVcfaApiToken),
+				ValidateDiagFunc: func(i interface{}, path cty.Path) diag.Diagnostics {
+					value := i.(bool)
+					if !value {
+						return diag.Diagnostics{
+							diag.Diagnostic{
+								Severity: diag.Error,
+								Summary:  "This field must be set to true",
+								Detail: fmt.Sprintf("The %s file should be considered SENSITIVE INFORMATION. "+
+									"If you acknowledge that, set 'allow_token_file' to 'true'.", labelVcfaApiToken),
+								AttributePath: path,
+							},
+						}
+					}
+					return nil
+				},
+			},
+		},
+	}
+}
+
+func resourceVcfaApiTokenCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	vcdClient := meta.(*VCDClient)
+
+	// System Admin can't create API tokens outside SysOrg,
+	// just as Org admins can't create API tokens in other Orgs
+	org := vcdClient.SysOrg
+	if org == "" {
+		org = vcdClient.Org
+	}
+
+	tokenName := d.Get("name").(string)
+	token, err := vcdClient.CreateToken(org, tokenName)
+	if err != nil {
+		return diag.Errorf("[%s create] error creating %s: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+	d.SetId(token.Token.ID)
+
+	apiToken, err := token.GetInitialApiToken()
+	if err != nil {
+		return diag.Errorf("[%s create] error getting refresh token from %s: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+
+	filename := d.Get("file_name").(string)
+
+	err = govcd.SaveApiTokenToFile(filename, vcdClient.Client.UserAgent, apiToken)
+	if err != nil {
+		return diag.Errorf("[%s create] error saving %s to file: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+
+	return resourceVcfaApiTokenRead(ctx, d, meta)
+}
+
+func resourceVcfaApiTokenRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	vcdClient := meta.(*VCDClient)
+
+	token, err := vcdClient.GetTokenById(d.Id())
+	if govcd.ContainsNotFound(err) {
+		d.SetId("")
+		log.Printf("[DEBUG] %s no longer exists. Removing from tfstate", labelVcfaApiToken)
+	}
+	if err != nil {
+		return diag.Errorf("[%s read] error getting %s: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+
+	d.SetId(token.Token.ID)
+	dSet(d, "name", token.Token.Name)
+
+	return nil
+}
+
+func resourceVcfaApiTokenDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	vcdClient := meta.(*VCDClient)
+
+	token, err := vcdClient.GetTokenById(d.Id())
+	if err != nil {
+		return diag.Errorf("[%s delete] error getting %s: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+
+	err = token.Delete()
+	if err != nil {
+		return diag.Errorf("[%s delete] error deleting %s: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+
+	return nil
+}
+
+func resourceVcfaApiTokenImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	log.Printf("[TRACE] %s import initiated", labelVcfaApiToken)
+
+	vcdClient := meta.(*VCDClient)
+	sessionInfo, err := vcdClient.Client.GetSessionInfo()
+	if err != nil {
+		return []*schema.ResourceData{}, fmt.Errorf("[%s import] error getting username: %s", labelVcfaApiToken, err)
+	}
+
+	token, err := vcdClient.GetTokenByNameAndUsername(d.Id(), sessionInfo.User.Name)
+	if err != nil {
+		return []*schema.ResourceData{}, fmt.Errorf("[%s import] error getting %s by name: %s", labelVcfaApiToken, labelVcfaApiToken, err)
+	}
+
+	d.SetId(token.Token.ID)
+	dSet(d, "name", token.Token.Name)
+
+	return []*schema.ResourceData{d}, nil
+}

vcfa/resource_vcfa_api_token_test.go

@@ -0,0 +1,103 @@
+//go:build api || ALL || functional
+
+package vcfa
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+// TODO: TM: Review whether this test should be skipped when an API Token or service account
+// is provided instead of user + password, in test configuration
+func TestAccVcfaApiToken(t *testing.T) {
+	preTestChecks(t)
+
+	var params = StringMap{
+		"TokenName": t.Name(),
+		"FileName":  t.Name(),
+	}
+	testParamsNotEmpty(t, params)
+
+	filename := params["FileName"].(string)
+
+	configText := templateFill(testAccVcfaApiToken, params)
+	if vcfaShortTest {
+		t.Skip(acceptanceTestsSkipped)
+		return
+	}
+	t.Cleanup(deleteApiTokenFile(filename, t))
+	debugPrintf("#[DEBUG] CONFIGURATION: %s", configText)
+
+	resourceName := "vcfa_api_token.custom"
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviders,
+		CheckDestroy:      testAccCheckApiTokenDestroy(params["TokenName"].(string)),
+		Steps: []resource.TestStep{
+			{
+				Config: configText,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", t.Name()),
+					testCheckFileExists(params["FileName"].(string)),
+				),
+			},
+		},
+	})
+	postTestChecks(t)
+}
+
+// #nosec G101 -- No hardcoded credentials here
+const testAccVcfaApiToken = `
+resource "vcfa_api_token" "custom" {
+  name = "{{.TokenName}}"		
+
+  file_name        = "{{.FileName}}"
+  allow_token_file = true
+}
+`
+
+// This is a helper function that attempts to remove created API token file no matter of the test outcome
+func deleteApiTokenFile(filename string, t *testing.T) func() {
+	return func() {
+		err := os.Remove(filename)
+		if err != nil {
+			t.Errorf("Failed to delete file: %s", err)
+		}
+	}
+}
+
+func testCheckFileExists(filename string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		filename = filepath.Clean(filename)
+		_, err := os.ReadFile(filename)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+func testAccCheckApiTokenDestroy(tokenName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		conn := testAccProvider.Meta().(*VCDClient)
+
+		for _, rs := range s.RootModule().Resources {
+			if rs.Type != "vcfa_api_token" || rs.Primary.Attributes["name"] != tokenName {
+				continue
+			}
+
+			_, err := conn.GetTokenById(rs.Primary.ID)
+			if err == nil {
+				return fmt.Errorf("error: %s still exists post-destroy", labelVcfaApiToken)
+			}
+
+			return nil
+		}
+
+		return nil
+	}
+}

website/docs/index.html.markdown

@@ -51,9 +51,51 @@ data "vcfa_tm_version" "version" {
   condition         = ">= 10.7.0"
   fail_if_not_match = false
 }
+```
+
+## Example usage (API token)
+
+```hcl
+provider "vcfa" {
+  api_token            = var.api_token
+  auth_type            = "api_token"
+  org                  = "System"
+  url                  = var.vcfa_url
+  allow_unverified_ssl = var.vcfa_allow_unverified_ssl
+  logging              = true # Enables logging
+  logging_file         = "vcfa.log"
+}
+
+# Fetch the Tenant Manager version
+data "vcfa_tm_version" "version" {
+  condition         = ">= 10.7.0"
+  fail_if_not_match = false
+}
+```
+
+## Example usage (API token file)
 
+```hcl
+provider "vcfa" {
+  api_token_file       = "token.json"
+  auth_type            = "api_token_file"
+  org                  = "System"
+  url                  = var.vcfa_url
+  allow_unverified_ssl = var.vcfa_allow_unverified_ssl
+  logging              = true # Enables logging
+  logging_file         = "vcfa.log"
+}
+
+# Fetch the Tenant Manager version
+data "vcfa_tm_version" "version" {
+  condition         = ">= 10.7.0"
+  fail_if_not_match = false
+}
 ```
 
+The file containing the API Token can be generated by using the 
+[`api_token`](/providers/vmware/vcfa/latest/docs/resources/api_token) resource.
+
 ## Argument Reference
 
 The following arguments are used to configure the VMware Cloud Foundation Automation Provider:

website/docs/r/api_token.html.markdown

@@ -0,0 +1,57 @@
+---
+layout: "vcfa"
+page_title: "VMware Cloud Foundation Automation: vcfa_api_token"
+sidebar_current: "docs-vcfa-resource-api-token"
+description: |-
+  Provides a resource to manage API Tokens. API Tokens are an easy way to authenticate to VCFA. 
+  They are user-based and have the same role as the user.
+---
+
+# vcfa\_api\_token 
+
+Provides a resource to manage API Tokens. API Tokens are an easy way to authenticate to VCFA. 
+They are user-based and have the same role as the user.
+
+## Example usage
+
+```hcl
+resource "vcfa_api_token" "example_token" {
+  name             = "example_token"
+  file_name        = "example_token.json"
+  allow_token_file = true
+}
+```
+
+## Argument reference
+
+The following arguments are supported:
+
+* `name` - (Required) The unique name of the API Token for a specific user.
+* `file_name` - (Required) The name of the file which will be created containing the API Token. The file will have the following
+JSON contents:
+```json
+{
+  "token_type": "API Token",
+  "refresh_token": "24JVMAQvaayIDuA7wayPPfa376mrfraB",
+  "updated_by": "terraform-provider-vcfa/ (darwin/amd64; isProvider:true)",
+  "updated_on": "2025-01-29T10:00:43+01:00"
+ }
+```
+* `allow_token_file` - (Required) An additional check that the user is aware that the file contains
+  SENSITIVE information. Must be set to `true` or it will return a validation error.
+
+## Importing
+
+~> **Note:** The current implementation of Terraform import can only import resources into the state. It does not generate
+configuration. However, an experimental feature in Terraform 1.5+ allows also code generation.
+See [Importing resources][importing-resources] for more information.
+
+An existing API Token can be [imported][docs-import] into this resource via supplying
+the full dot separated path. An example is below:
+
+```
+terraform import vcfa_api_token.example_token example_token
+```
+
+[docs-import]: https://www.terraform.io/docs/import/
+[provider-api-token-file]: /providers/vmware/vcfa/latest/docs#api_token_file

website/vcfa.erb

@@ -143,6 +143,9 @@
             <li<%= sidebar_current("docs-vcfa-resource-role") %>>
               <a href="/docs/providers/vcfa/r/role.html">vcfa_role</a>
             </li>
+            <li<%= sidebar_current("docs-vcfa-resource-api-token") %>>
+              <a href="/docs/providers/vcfa/r/api_token.html">vcfa_api_token</a>
+            </li>
            </ul>
         </li>
       </ul>