Merge pull request #859 from 131/role_n_permission

feat: (dbaas/logs) role & permission

Author: amstuta

ovh/provider.go

@@ -229,6 +229,8 @@ func Provider() *schema.Provider {
 			"ovh_cloud_project_user_s3_policy":                               resourceCloudProjectUserS3Policy(),
 			"ovh_cloud_project_workflow_backup":                              resourceCloudProjectWorkflowBackup(),
 			"ovh_dbaas_logs_cluster":                                         resourceDbaasLogsCluster(),
+			"ovh_dbaas_logs_role":                                            resourceDbaasLogsRole(),
+			"ovh_dbaas_logs_role_permission_stream":                          resourceDbaasLogsRolePermissionStream(),
 			"ovh_dbaas_logs_input":                                           resourceDbaasLogsInput(),
 			"ovh_dbaas_logs_output_graylog_stream":                           resourceDbaasLogsOutputGraylogStream(),
 			"ovh_dbaas_logs_output_opensearch_alias":                         resourceDbaasLogsOutputOpensearchAlias(),

ovh/resource_dbaas_logs_role.go

@@ -0,0 +1,181 @@
+package ovh
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/url"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/ovh/terraform-provider-ovh/ovh/helpers"
+)
+
+func resourceDbaasLogsRole() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceDbaasLogsRoleCreate,
+		ReadContext:   resourceDbaasLogsRoleRead,
+		UpdateContext: resourceDbaasLogsRoleUpdate,
+		DeleteContext: resourceDbaasLogsRoleDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceDbaasLogsRoleImportState,
+		},
+		Schema: map[string]*schema.Schema{
+			"service_name": {
+				Type:        schema.TypeString,
+				Description: "The service name",
+				Required:    true,
+			},
+			"name": {
+				Type:        schema.TypeString,
+				Description: "The role name",
+				Required:    true,
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Description: "The role description",
+				Required:    true,
+			},
+			// Computed fields from the API response
+			"created_at": {
+				Type:        schema.TypeString,
+				Description: "Role creation date",
+				Computed:    true,
+			},
+			"nb_member": {
+				Type:        schema.TypeInt,
+				Description: "Number of members in the role",
+				Computed:    true,
+			},
+			"nb_permission": {
+				Type:        schema.TypeInt,
+				Description: "Number of permissions assigned to the role",
+				Computed:    true,
+			},
+			"role_id": {
+				Type:        schema.TypeString,
+				Description: "Role identifier",
+				Computed:    true,
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Description: "Role last update date",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+// resourceDbaasLogsRoleCreate creates a new role using an asynchronous operation.
+func resourceDbaasLogsRoleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+
+	log.Printf("[DEBUG] Creating dbaas logs role for service: %s", serviceName)
+
+	opts := (&DbaasLogsRoleCreateOpts{}).FromResource(d)
+	opRes := &DbaasLogsOperation{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role", url.PathEscape(serviceName))
+	if err := config.OVHClient.Post(endpoint, opts, opRes); err != nil {
+		return diag.Errorf("Error calling POST %s:\n\t%q", endpoint, err)
+	}
+
+	// Wait for asynchronous operation to complete.
+	op, err := waitForDbaasLogsOperation(ctx, config.OVHClient, serviceName, opRes.OperationId)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	if op.RoleId == nil {
+		return diag.Errorf("Role Id is nil. This should not happen: operation %s/%s", serviceName, opRes.OperationId)
+	}
+	d.SetId(*op.RoleId)
+
+	return resourceDbaasLogsRoleRead(ctx, d, meta)
+}
+
+// resourceDbaasLogsRoleRead reads the role resource.
+func resourceDbaasLogsRoleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+	roleId := d.Id()
+
+	log.Printf("[DEBUG] Reading dbaas logs role for service: %s, role: %s", serviceName, roleId)
+
+	role := &DbaasLogsRole{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s", url.PathEscape(serviceName), url.PathEscape(roleId))
+	if err := config.OVHClient.Get(endpoint, role); err != nil {
+		return diag.FromErr(helpers.CheckDeleted(d, err, endpoint))
+	}
+
+	for k, v := range role.ToMap() {
+		if k != "role_id" {
+			d.Set(k, v)
+		} else {
+			d.SetId(fmt.Sprint(v))
+		}
+	}
+
+	return nil
+}
+
+// resourceDbaasLogsRoleUpdate updates the role using an asynchronous operation.
+func resourceDbaasLogsRoleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+	roleId := d.Id()
+
+	log.Printf("[DEBUG] Updating dbaas logs role for service: %s, role: %s", serviceName, roleId)
+
+	opts := (&DbaasLogsRoleCreateOpts{}).FromResource(d)
+	opRes := &DbaasLogsOperation{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s", url.PathEscape(serviceName), url.PathEscape(roleId))
+	if err := config.OVHClient.Put(endpoint, opts, opRes); err != nil {
+		return diag.Errorf("Error calling PUT %s:\n\t%q", endpoint, err)
+	}
+
+	// Wait for asynchronous operation to complete.
+	if _, err := waitForDbaasLogsOperation(ctx, config.OVHClient, serviceName, opRes.OperationId); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return resourceDbaasLogsRoleRead(ctx, d, meta)
+}
+
+// resourceDbaasLogsRoleDelete deletes the role using an asynchronous operation.
+func resourceDbaasLogsRoleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+	roleId := d.Id()
+
+	log.Printf("[DEBUG] Deleting dbaas logs role for service: %s, role: %s", serviceName, roleId)
+	opRes := &DbaasLogsOperation{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s", url.PathEscape(serviceName), url.PathEscape(roleId))
+	if err := config.OVHClient.Delete(endpoint, opRes); err != nil {
+		return diag.FromErr(helpers.CheckDeleted(d, err, endpoint))
+	}
+
+	// Wait for asynchronous operation to complete.
+	if _, err := waitForDbaasLogsOperation(ctx, config.OVHClient, serviceName, opRes.OperationId); err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId("")
+	return nil
+}
+
+// resourceDbaasLogsRoleImportState allows importing a role using service_name/roleId format.
+func resourceDbaasLogsRoleImportState(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	givenID := d.Id()
+	splitID := strings.SplitN(givenID, "/", 2)
+	if len(splitID) != 2 {
+		return nil, fmt.Errorf("Import ID must be in service_name/roleId format")
+	}
+	serviceName := splitID[0]
+	roleId := splitID[1]
+	d.SetId(roleId)
+	d.Set("service_name", serviceName)
+
+	return []*schema.ResourceData{d}, nil
+}

ovh/resource_dbaas_logs_role_permission_stream.go

@@ -0,0 +1,171 @@
+package ovh
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/url"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/ovh/terraform-provider-ovh/ovh/helpers"
+)
+
+func resourceDbaasLogsRolePermissionStream() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceDbaasLogsRolePermissionStreamCreate,
+		ReadContext:   resourceDbaasLogsRolePermissionStreamRead,
+		DeleteContext: resourceDbaasLogsRolePermissionStreamDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceDbaasLogsRolePermissionStreamImportState,
+		},
+		Schema: map[string]*schema.Schema{
+			"service_name": {
+				Type:        schema.TypeString,
+				Description: "Service name",
+				Required:    true,
+				ForceNew:    true,
+			},
+			"role_id": {
+				Type:        schema.TypeString,
+				Description: "Role ID to which the permission will be appended",
+				Required:    true,
+				ForceNew:    true,
+			},
+			"stream_id": {
+				Type:        schema.TypeString,
+				Description: "Graylog stream ID to be associated as a permission",
+				Required:    true,
+				ForceNew:    true,
+			},
+			// Computed fields from the API GET response.
+			"permission_id": {
+				Type:        schema.TypeString,
+				Description: "Permission ID",
+				Computed:    true,
+			},
+			"permission_type": {
+				Type:        schema.TypeString,
+				Description: "Permission type (e.g., READ_ONLY)",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+// resourceDbaasLogsRolePermissionStreamCreate adds a stream permission to a role.
+func resourceDbaasLogsRolePermissionStreamCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+	roleId := d.Get("role_id").(string)
+	streamId := d.Get("stream_id").(string)
+
+	log.Printf("[DEBUG] Adding Graylog stream permission: service=%s, role=%s", serviceName, roleId)
+
+	opts := (&DbaasLogsRolePermissionStreamOpts{}).FromResource(d)
+	res := &DbaasLogsOperation{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s/permission/stream", url.PathEscape(serviceName), url.PathEscape(roleId))
+	if err := config.OVHClient.Post(endpoint, opts, res); err != nil {
+		return diag.Errorf("Error calling POST %s:\n\t%q", endpoint, err)
+	}
+
+	// Wait for the asynchronous operation to complete.
+	if _, err := waitForDbaasLogsOperation(ctx, config.OVHClient, serviceName, res.OperationId); err != nil {
+		return diag.FromErr(err)
+	}
+
+	// Retrieve the full list of permission IDs for the role.
+	listEndpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s/permission", url.PathEscape(serviceName), url.PathEscape(roleId))
+	var permissionIDs []string
+	if err := config.OVHClient.Get(listEndpoint, &permissionIDs); err != nil {
+		return diag.Errorf("Error retrieving permissions list (%s):\n\t%q", listEndpoint, err)
+	}
+
+	// Iterate over each permission ID to retrieve full details and filter by streamId.
+	var foundPermission *DbaasLogsRolePermissionStream
+	for _, pid := range permissionIDs {
+		permEndpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s/permission/%s", url.PathEscape(serviceName), url.PathEscape(roleId), url.PathEscape(pid))
+		var permission DbaasLogsRolePermissionStream
+		if err := config.OVHClient.Get(permEndpoint, &permission); err != nil {
+			// Optionally, log error and continue with next permission.
+			log.Printf("[WARN] Failed to get permission details for ID %s: %v", pid, err)
+			continue
+		}
+		if permission.StreamId == streamId {
+			foundPermission = &permission
+			break
+		}
+	}
+
+	if foundPermission == nil {
+		return diag.Errorf("No permission found for streamId %s", streamId)
+	}
+
+	d.SetId(foundPermission.PermissionId)
+	return resourceDbaasLogsRolePermissionStreamRead(ctx, d, meta)
+}
+
+// resourceDbaasLogsRolePermissionStreamRead reads the details of a permission.
+func resourceDbaasLogsRolePermissionStreamRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+	roleId := d.Get("role_id").(string)
+	permissionId := d.Id()
+
+	log.Printf("[DEBUG] Reading permission: service=%s, role=%s, permission=%s", serviceName, roleId, permissionId)
+
+	permission := &DbaasLogsRolePermissionStream{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s/permission/%s", url.PathEscape(serviceName), url.PathEscape(roleId), url.PathEscape(permissionId))
+	if err := config.OVHClient.Get(endpoint, permission); err != nil {
+		return diag.FromErr(helpers.CheckDeleted(d, err, endpoint))
+	}
+
+	d.Set("permission_id", permission.PermissionId)
+	d.Set("permission_type", permission.PermissionType)
+	d.Set("stream_id", permission.StreamId)
+
+	return nil
+}
+
+// resourceDbaasLogsRolePermissionStreamDelete deletes the specified permission.
+func resourceDbaasLogsRolePermissionStreamDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	config := meta.(*Config)
+	serviceName := d.Get("service_name").(string)
+	roleId := d.Get("role_id").(string)
+	permissionId := d.Id()
+
+	log.Printf("[DEBUG] Deleting permission: service=%s, role=%s, permission=%s", serviceName, roleId, permissionId)
+
+	res := &DbaasLogsOperation{}
+	endpoint := fmt.Sprintf("/dbaas/logs/%s/role/%s/permission/%s", url.PathEscape(serviceName), url.PathEscape(roleId), url.PathEscape(permissionId))
+	if err := config.OVHClient.Delete(endpoint, res); err != nil {
+		return diag.FromErr(helpers.CheckDeleted(d, err, endpoint))
+	}
+
+	// Wait for the asynchronous deletion operation to complete.
+	if _, err := waitForDbaasLogsOperation(ctx, config.OVHClient, serviceName, res.OperationId); err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId("")
+	return nil
+}
+
+// resourceDbaasLogsRolePermissionStreamImportState imports a permission given an ID in the format "service_name/role_id/permission_id".
+func resourceDbaasLogsRolePermissionStreamImportState(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	givenID := d.Id()
+	splitID := strings.SplitN(givenID, "/", 3)
+	if len(splitID) != 3 {
+		return nil, fmt.Errorf("Import ID must be in service_name/role_id/permission_id format")
+	}
+	serviceName := splitID[0]
+	roleId := splitID[1]
+	permissionId := splitID[2]
+
+	d.Set("service_name", serviceName)
+	d.Set("role_id", roleId)
+	d.SetId(permissionId)
+
+	return []*schema.ResourceData{d}, nil
+}

ovh/types_dbaas_logs_permission_stream.go

@@ -0,0 +1,22 @@
+package ovh
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// DbaasLogsRolePermissionStreamOpts holds the payload for appending a stream permission.
+type DbaasLogsRolePermissionStreamOpts struct {
+	StreamId string `json:"streamId"`
+}
+
+func (opts *DbaasLogsRolePermissionStreamOpts) FromResource(d *schema.ResourceData) *DbaasLogsRolePermissionStreamOpts {
+	opts.StreamId = d.Get("stream_id").(string)
+	return opts
+}
+
+// DbaasLogsRolePermission represents the permission as returned by the GET endpoint.
+type DbaasLogsRolePermissionStream struct {
+	PermissionId   string `json:"permissionId"`
+	PermissionType string `json:"permissionType"`
+	StreamId       string `json:"streamId"`
+}