feat(tco): [119799597] support custom policy attachment (#2842)

* add tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment

* add changelog

* update

---------

Co-authored-by: mikatong <[email protected]>

Author: tongyiming

.changelog/2842.txt

@@ -0,0 +1,4 @@
+
+```release-note:new-resource
+tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment
+```

tencentcloud/provider.go

@@ -1689,6 +1689,7 @@ Tencent Cloud Organization (TCO)
     tencentcloud_identity_center_external_saml_identity_provider
     tencentcloud_identity_center_role_configuration
     tencentcloud_identity_center_role_configuration_permission_policy_attachment
+    tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment
     tencentcloud_identity_center_user_sync_provisioning
     tencentcloud_identity_center_role_assignment
     tencentcloud_invite_organization_member_operation

tencentcloud/provider.md

@@ -0,0 +1,242 @@
+package tco
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	organization "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/organization/v20210331"
+
+	tccommon "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/common"
+	"github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+)
+
+func ResourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentCreate,
+		Read:   resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentRead,
+		Delete: resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+		Schema: map[string]*schema.Schema{
+			"zone_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Space ID.",
+			},
+
+			"role_configuration_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Permission configuration ID.",
+			},
+
+			"role_policy_document": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Role policy document.",
+			},
+
+			"role_policy_name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Role policy name.",
+			},
+
+			"role_policy_type": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Role policy type.",
+			},
+
+			"add_time": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Role policy add time.",
+			},
+		},
+	}
+}
+
+func resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
+	defer tccommon.LogElapsed("resource.tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.create")()
+	defer tccommon.InconsistentCheck(d, meta)()
+
+	logId := tccommon.GetLogId(tccommon.ContextNil)
+
+	ctx := tccommon.NewResourceLifeCycleHandleFuncContext(context.Background(), logId, d, meta)
+
+	var (
+		zoneId              string
+		roleConfigurationId string
+		rolePolicyName      string
+	)
+	var (
+		request  = organization.NewAddPermissionPolicyToRoleConfigurationRequest()
+		response = organization.NewAddPermissionPolicyToRoleConfigurationResponse()
+	)
+
+	if v, ok := d.GetOk("zone_id"); ok {
+		zoneId = v.(string)
+		request.ZoneId = helper.String(zoneId)
+	}
+
+	if v, ok := d.GetOk("role_configuration_id"); ok {
+		roleConfigurationId = v.(string)
+		request.RoleConfigurationId = helper.String(roleConfigurationId)
+	}
+
+	if v, ok := d.GetOk("role_policy_name"); ok {
+		rolePolicyName = v.(string)
+		request.RolePolicyNames = []*string{helper.String(rolePolicyName)}
+	}
+
+	if v, ok := d.GetOk("role_policy_document"); ok {
+		request.CustomPolicyDocument = helper.String(v.(string))
+	}
+
+	request.RolePolicyType = helper.String("Custom")
+
+	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+		result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseOrganizationClient().AddPermissionPolicyToRoleConfigurationWithContext(ctx, request)
+		if e != nil {
+			return tccommon.RetryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+		}
+		response = result
+		return nil
+	})
+	if err != nil {
+		log.Printf("[CRITAL]%s create identity center role configuration permission policy attachment failed, reason:%+v", logId, err)
+		return err
+	}
+
+	_ = response
+
+	d.SetId(strings.Join([]string{zoneId, roleConfigurationId, rolePolicyName}, tccommon.FILED_SP))
+
+	return resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentRead(d, meta)
+}
+
+func resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
+	defer tccommon.LogElapsed("resource.tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.read")()
+	defer tccommon.InconsistentCheck(d, meta)()
+
+	logId := tccommon.GetLogId(tccommon.ContextNil)
+
+	ctx := tccommon.NewResourceLifeCycleHandleFuncContext(context.Background(), logId, d, meta)
+
+	service := OrganizationService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+
+	idSplit := strings.Split(d.Id(), tccommon.FILED_SP)
+	if len(idSplit) != 3 {
+		return fmt.Errorf("id is broken,%s", d.Id())
+	}
+	zoneId := idSplit[0]
+	roleConfigurationId := idSplit[1]
+	rolePolicyName := idSplit[2]
+
+	_ = d.Set("zone_id", zoneId)
+
+	_ = d.Set("role_configuration_id", roleConfigurationId)
+
+	_ = d.Set("role_policy_name", rolePolicyName)
+
+	respData, err := service.DescribeIdentityCenterRoleConfigurationPermissionPolicyAttachmentById(ctx, zoneId, roleConfigurationId, "Custom")
+	if err != nil {
+		return err
+	}
+
+	if respData == nil {
+		d.SetId("")
+		log.Printf("[WARN]%s resource `identity_center_role_configuration_permission_policy_attachment` [%s] not found, please check if it has been deleted.\n", logId, d.Id())
+		return nil
+	}
+
+	if respData.RolePolicies != nil {
+		var rolePolicie *organization.RolePolicie
+		for _, r := range respData.RolePolicies {
+			if rolePolicyName == rolePolicyName {
+				rolePolicie = r
+				break
+			}
+		}
+
+		if rolePolicie.RolePolicyName != nil {
+			_ = d.Set("role_policy_name", rolePolicie.RolePolicyName)
+		}
+
+		if rolePolicie.RolePolicyType != nil {
+			_ = d.Set("role_policy_type", rolePolicie.RolePolicyType)
+		}
+
+		if rolePolicie.RolePolicyDocument != nil {
+			_ = d.Set("role_policy_document", rolePolicie.RolePolicyDocument)
+		}
+
+		if rolePolicie.AddTime != nil {
+			_ = d.Set("add_time", rolePolicie.AddTime)
+		}
+
+	}
+
+	return nil
+}
+
+func resourceTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
+	defer tccommon.LogElapsed("resource.tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.delete")()
+	defer tccommon.InconsistentCheck(d, meta)()
+
+	logId := tccommon.GetLogId(tccommon.ContextNil)
+	ctx := tccommon.NewResourceLifeCycleHandleFuncContext(context.Background(), logId, d, meta)
+
+	idSplit := strings.Split(d.Id(), tccommon.FILED_SP)
+	if len(idSplit) != 3 {
+		return fmt.Errorf("id is broken,%s", d.Id())
+	}
+	zoneId := idSplit[0]
+	roleConfigurationId := idSplit[1]
+	rolePolicyName := idSplit[2]
+
+	var (
+		request  = organization.NewRemovePermissionPolicyFromRoleConfigurationRequest()
+		response = organization.NewRemovePermissionPolicyFromRoleConfigurationResponse()
+	)
+
+	request.ZoneId = helper.String(zoneId)
+
+	request.RoleConfigurationId = helper.String(roleConfigurationId)
+
+	request.RolePolicyType = helper.String("Custom")
+
+	request.RolePolicyId = helper.Int64(0)
+
+	request.RolePolicyName = helper.String(rolePolicyName)
+
+	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+		result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseOrganizationClient().RemovePermissionPolicyFromRoleConfigurationWithContext(ctx, request)
+		if e != nil {
+			return tccommon.RetryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+		}
+		response = result
+		return nil
+	})
+	if err != nil {
+		log.Printf("[CRITAL]%s delete identity center role configuration permission policy attachment failed, reason:%+v", logId, err)
+		return err
+	}
+
+	_ = response
+	return nil
+}

tencentcloud/services/tco/resource_tc_identity_center_role_configuration_permission_custom_policy_attachment.go

@@ -0,0 +1,35 @@
+Provides a resource to create a organization identity_center_role_configuration_permission_custom_policy_attachment
+
+Example Usage
+
+```hcl
+resource "tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment" "identity_center_role_configuration_permission_custom_policy_attachment" {
+    zone_id = "z-xxxxxx"
+    role_configuration_id = "rc-xxxxxx"
+    role_policy_name = "CustomPolicy"
+	role_policy_document = <<-EOF
+{
+    "version": "2.0",
+    "statement": [
+        {
+            "effect": "allow",
+            "action": [
+                "vpc:AcceptAttachCcnInstances"
+            ],
+            "resource": [
+                "*"
+            ]
+        }
+    ]
+}
+EOF
+}
+```
+
+Import
+
+organization identity_center_role_configuration_permission_custom_policy_attachment can be imported using the id, e.g.
+
+```
+terraform import tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment ${zoneId}#${roleConfigurationId}#${rolePolicyName}
+```

tencentcloud/services/tco/resource_tc_identity_center_role_configuration_permission_custom_policy_attachment.md

@@ -0,0 +1,66 @@
+package tco_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	tcacctest "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/acctest"
+)
+
+func TestAccTencentCloudIdentityCenterRoleConfigurationPermissionCustomPolicyAttachmentResource_basic(t *testing.T) {
+	t.Parallel()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			tcacctest.AccPreCheck(t)
+		},
+		Providers: tcacctest.AccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityCenterRoleConfigurationPermissionPolicyAttachmentCustomPolicy,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment", "id"),
+					resource.TestCheckResourceAttrSet("tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment", "role_policy_document"),
+					resource.TestCheckResourceAttrSet("tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment", "role_configuration_id"),
+					resource.TestCheckResourceAttr("tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment", "role_policy_name", "CustomPolicy"),
+					resource.TestCheckResourceAttr("tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment", "zone_id", "z-s64jh54hbcra"),
+				),
+			},
+			{
+				ResourceName:      "tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment.identity_center_role_configuration_permission_custom_policy_attachment",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+const testAccIdentityCenterRoleConfigurationPermissionPolicyAttachmentCustomPolicy = `
+resource "tencentcloud_identity_center_role_configuration" "identity_center_role_configuration" {
+    zone_id = "z-s64jh54hbcra"
+    role_configuration_name = "tf-test-custom-policy"
+    description = "test"
+}
+
+resource "tencentcloud_identity_center_role_configuration_permission_custom_policy_attachment" "identity_center_role_configuration_permission_custom_policy_attachment" {
+    zone_id = "z-s64jh54hbcra"
+    role_configuration_id = tencentcloud_identity_center_role_configuration.identity_center_role_configuration.role_configuration_id
+    role_policy_name = "CustomPolicy"
+	role_policy_document = <<-EOF
+{
+    "version": "2.0",
+    "statement": [
+        {
+            "effect": "allow",
+            "action": [
+                "vpc:AcceptAttachCcnInstances"
+            ],
+            "resource": [
+                "*"
+            ]
+        }
+    ]
+}
+EOF
+}
+`