feat(cloud-stack-service-accounts): Add rotating token resource (#2445)

Author: volcanonoodle

docs/resources/cloud_stack_service_account_rotating_token.md

@@ -0,0 +1,73 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "grafana_cloud_stack_service_account_rotating_token Resource - terraform-provider-grafana"
+subcategory: "Cloud"
+description: |-
+  Manages and rotates service account tokens of a Grafana Cloud stack using the Cloud API
+  This can be used to bootstrap a management service account token for a new stack
+  Official documentation https://grafana.com/docs/grafana/latest/administration/service-accounts/HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api
+  Required access policy scopes:
+  stack-service-accounts:write
+---
+
+# grafana_cloud_stack_service_account_rotating_token (Resource)
+
+Manages and rotates service account tokens of a Grafana Cloud stack using the Cloud API
+This can be used to bootstrap a management service account token for a new stack
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/)
+* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api)
+
+Required access policy scopes:
+
+* stack-service-accounts:write
+
+## Example Usage
+
+```terraform
+resource "grafana_cloud_stack_service_account" "cloud_sa" {
+  stack_slug = "<your stack slug>"
+
+  name        = "cloud service account"
+  role        = "Admin"
+  is_disabled = false
+}
+
+resource "grafana_cloud_stack_service_account_rotating_token" "foo" {
+  stack_slug = "<your stack slug>"
+
+  name_prefix                   = "key_foo"
+  service_account_id            = grafana_cloud_stack_service_account.cloud_sa.id
+  seconds_to_live               = 7776000 # 3 months
+  early_rotation_window_seconds = 604800  # 1 week
+}
+
+output "service_account_token_foo_key" {
+  value     = grafana_cloud_stack_service_account_token.foo.key
+  sensitive = true
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `early_rotation_window_seconds` (Number) Duration of the time window before expiring where the token can be rotated, in seconds.
+- `name_prefix` (String) Prefix for the name of the service account tokens created by this resource. The actual name will be stored in the computed field `name`, which will be in the format `<name_prefix>-<additional_characters>`.
+- `seconds_to_live` (Number) The token expiration in seconds.
+- `service_account_id` (String) The ID of the service account to which the token belongs.
+- `stack_slug` (String)
+
+### Optional
+
+- `delete_on_destroy` (Boolean) Deletes the service account token in Grafana when the resource is destroyed in Terraform, instead of leaving it to expire at its `expiration` time. Use it with `lifecycle { create_before_destroy = true }` to make sure that the new token is created before the old one is deleted. Defaults to `false`.
+
+### Read-Only
+
+- `expiration` (String) The expiration date of the service account token.
+- `has_expired` (Boolean) The status of the service account token.
+- `id` (String) The ID of this resource.
+- `key` (String, Sensitive) The key of the service account token.
+- `name` (String) The name of the service account token. It will start with `<name_prefix>-` and will have characters appended to it to make the name unique.
+- `ready_for_rotation` (Boolean) Signals that the service account token is expired or within the period to be early rotated.

docs/resources/cloud_stack_service_account_token.md

@@ -34,6 +34,8 @@ resource "grafana_cloud_stack_service_account" "cloud_sa" {
 }
 
 resource "grafana_cloud_stack_service_account_token" "foo" {
+  stack_slug = "<your stack slug>"
+
   name               = "key_foo"
   service_account_id = grafana_cloud_stack_service_account.cloud_sa.id
 }
@@ -49,17 +51,17 @@ output "service_account_token_foo_key" {
 
 ### Required
 
-- `name` (String)
-- `service_account_id` (String)
+- `name` (String) The name of the service account token.
+- `service_account_id` (String) The ID of the service account to which the token belongs.
 - `stack_slug` (String)
 
 ### Optional
 
-- `seconds_to_live` (Number)
+- `seconds_to_live` (Number) The key expiration in seconds. It is optional. If it is a positive number an expiration date for the key is set. If it is null, zero or is omitted completely (unless `api_key_max_seconds_to_live` configuration option is set) the key will never expire.
 
 ### Read-Only
 
-- `expiration` (String)
-- `has_expired` (Boolean)
+- `expiration` (String) The expiration date of the service account token.
+- `has_expired` (Boolean) The status of the service account token.
 - `id` (String) The ID of this resource.
-- `key` (String, Sensitive)
+- `key` (String, Sensitive) The key of the service account token.

examples/resources/grafana_cloud_stack_service_account_rotating_token/resource.tf

@@ -0,0 +1,21 @@
+resource "grafana_cloud_stack_service_account" "cloud_sa" {
+  stack_slug = "<your stack slug>"
+
+  name        = "cloud service account"
+  role        = "Admin"
+  is_disabled = false
+}
+
+resource "grafana_cloud_stack_service_account_rotating_token" "foo" {
+  stack_slug = "<your stack slug>"
+
+  name_prefix                   = "key_foo"
+  service_account_id            = grafana_cloud_stack_service_account.cloud_sa.id
+  seconds_to_live               = 7776000 # 3 months
+  early_rotation_window_seconds = 604800  # 1 week
+}
+
+output "service_account_token_foo_key" {
+  value     = grafana_cloud_stack_service_account_token.foo.key
+  sensitive = true
+}

examples/resources/grafana_cloud_stack_service_account_token/resource.tf

@@ -7,6 +7,8 @@ resource "grafana_cloud_stack_service_account" "cloud_sa" {
 }
 
 resource "grafana_cloud_stack_service_account_token" "foo" {
+  stack_slug = "<your stack slug>"
+
   name               = "key_foo"
   service_account_id = grafana_cloud_stack_service_account.cloud_sa.id
 }

internal/resources/cloud/catalog-resource.yaml

@@ -118,6 +118,19 @@ spec:
 ---
 apiVersion: backstage.io/v1alpha1
 kind: Component
+metadata:
+  name: resource-grafana_cloud_stack_service_account_rotating_token
+  title: grafana_cloud_stack_service_account_rotating_token (resource)
+  description: |
+    resource `grafana_cloud_stack_service_account_rotating_token` in Grafana Labs' Terraform Provider
+spec:
+  subcomponentOf: component:default/terraform-provider-grafana
+  type: terraform-resource
+  owner: group:default/identity-squad
+  lifecycle: production
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
 metadata:
   name: resource-grafana_cloud_stack_service_account_token
   title: grafana_cloud_stack_service_account_token (resource)

internal/resources/cloud/resource_cloud_stack_service_account_rotating_token.go

@@ -0,0 +1,158 @@
+package cloud
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/grafana/grafana-com-public-clients/go/gcom"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
+)
+
+func resourceStackServiceAccountRotatingToken() *common.Resource {
+	schema := &schema.Resource{
+		Description: `
+Manages and rotates service account tokens of a Grafana Cloud stack using the Cloud API
+This can be used to bootstrap a management service account token for a new stack
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/)
+* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api)
+
+Required access policy scopes:
+
+* stack-service-accounts:write
+`,
+
+		// We use the same function for Read and Update because fields are only updated in the Terraform state,
+		// not in Grafana, for this resource.
+		CreateContext: withClient[schema.CreateContextFunc](stackServiceAccountRotatingTokenCreate),
+		ReadContext:   withClient[schema.ReadContextFunc](stackServiceAccountRotatingTokenRead),
+		UpdateContext: withClient[schema.UpdateContextFunc](stackServiceAccountRotatingTokenRead),
+		DeleteContext: withClient[schema.DeleteContextFunc](stackServiceAccountRotatingTokenDelete),
+
+		CustomizeDiff: func(ctx context.Context, d *schema.ResourceDiff, meta any) error {
+			secondsToLive := d.Get("seconds_to_live").(int)
+			earlyRotationWindowSec := d.Get("early_rotation_window_seconds").(int)
+
+			if earlyRotationWindowSec > secondsToLive {
+				return fmt.Errorf("`early_rotation_window_seconds` cannot be greater than `seconds_to_live`")
+			}
+
+			// We need to use GetChange() to get the value from the state because Get() omits computed values that are
+			// not being changed.
+			hasExpired, _ := d.GetChange("has_expired")
+			if hasExpired != nil && hasExpired.(bool) {
+				return d.SetNew("ready_for_rotation", true)
+			}
+
+			expirationState, _ := d.GetChange("expiration")
+			if expirationState != nil && expirationState.(string) != "" {
+				// We save the expiration time in Golang's native layout when we read the resource, so we
+				// need to use that same layout here. We should ideally switch to a standard format like
+				// RFC3339.
+				expiration, err := time.Parse("2006-01-02 15:04:05 -0700 MST", expirationState.(string))
+				if err != nil {
+					return fmt.Errorf("could not parse 'expiration' while calculating custom diff: %w", err)
+				}
+				if Now().After(expiration.Add(-1 * time.Duration(earlyRotationWindowSec) * time.Second)) {
+					return d.SetNew("ready_for_rotation", true)
+				}
+			}
+
+			return nil
+		},
+
+		Schema: stackServiceAccountTokenResourceWithCustomSchema(map[string]*schema.Schema{
+			"name_prefix": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+				Description: "Prefix for the name of the service account tokens created by this resource. " +
+					"The actual name will be stored in the computed field `name`, which will be in the format " +
+					"`<name_prefix>-<additional_characters>`.",
+			},
+			"seconds_to_live": {
+				Type:         schema.TypeInt,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.IntAtLeast(0),
+				Description:  "The token expiration in seconds.",
+			},
+			"early_rotation_window_seconds": {
+				Type:         schema.TypeInt,
+				Required:     true,
+				ValidateFunc: validation.IntAtLeast(0),
+				Description:  "Duration of the time window before expiring where the token can be rotated, in seconds.",
+			},
+			"delete_on_destroy": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+				Description: "Deletes the service account token in Grafana when the resource " +
+					"is destroyed in Terraform, instead of leaving it to expire at its `expiration` " +
+					"time. Use it with `lifecycle { create_before_destroy = true }` to make sure " +
+					"that the new token is created before the old one is deleted.",
+			},
+			// Computed
+			"name": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Description: "The name of the service account token. It will start with `<name_prefix>-` and will have " +
+					"characters appended to it to make the name unique.",
+			},
+			"ready_for_rotation": {
+				Type:     schema.TypeBool,
+				Computed: true,
+				ForceNew: true,
+				Description: "Signals that the service account token is expired or " +
+					"within the period to be early rotated.",
+			},
+		}),
+	}
+
+	return common.NewLegacySDKResource(
+		common.CategoryCloud,
+		"grafana_cloud_stack_service_account_rotating_token",
+		nil,
+		schema,
+	)
+}
+
+func stackServiceAccountRotatingTokenCreate(ctx context.Context, d *schema.ResourceData, cloudClient *gcom.APIClient) diag.Diagnostics {
+	namePrefix := d.Get("name_prefix").(string)
+	ttl := d.Get("seconds_to_live").(int)
+
+	expiration := Now().Add(time.Duration(ttl) * time.Second)
+	name := fmt.Sprintf("%s-%d", namePrefix, expiration.Unix())
+
+	errDiag := stackServiceAccountTokenCreateHelper(ctx, d, cloudClient, name)
+	if errDiag.HasError() {
+		return errDiag
+	}
+
+	// Fill the true resource's state by performing a read
+	return stackServiceAccountRotatingTokenRead(ctx, d, cloudClient)
+}
+
+func stackServiceAccountRotatingTokenRead(ctx context.Context, d *schema.ResourceData, cloudClient *gcom.APIClient) diag.Diagnostics {
+	return stackServiceAccountTokenRead(ctx, d, cloudClient)
+}
+
+func stackServiceAccountRotatingTokenDelete(ctx context.Context, d *schema.ResourceData, cloudClient *gcom.APIClient) diag.Diagnostics {
+	if !d.Get("delete_on_destroy").(bool) {
+		return diag.Diagnostics{
+			diag.Diagnostic{
+				Severity: diag.Warning,
+				Summary:  "Rotating tokens do not get deleted by default.",
+				Detail: "The Service Account token will not be deleted and will expire automatically at its expiration time. " +
+					"If it does not have an expiration, it will need to be deleted manually. To change this behaviour " +
+					"enable `delete_on_destroy`.",
+			},
+		}
+	}
+	return stackServiceAccountTokenDelete(ctx, d, cloudClient)
+}