feat(grafanaplane/cloud): add opinionated AccessPolicy and AccessPolicyToken resources (#35)

Author: Duologic

docs/cloud.md

@@ -4,6 +4,16 @@
 
 ## Index
 
+* [`obj accessPolicy`](#obj-accesspolicy)
+  * [`fn addToken(secretName, secretNamespace)`](#fn-accesspolicyaddtoken)
+  * [`fn forOrg(name, namespace, scopes)`](#fn-accesspolicyfororg)
+  * [`fn forStackResource(stackResource, namespace)`](#fn-accesspolicyforstackresource)
+  * [`fn new(name, namespace, scopes)`](#fn-accesspolicynew)
+  * [`fn withStack(id, region)`](#fn-accesspolicywithstack)
+* [`obj accessPolicyToken`](#obj-accesspolicytoken)
+  * [`fn forAccessPolicyResource(accessPolicyResource)`](#fn-accesspolicytokenforaccesspolicyresource)
+  * [`fn new(secretName, secretNamespace)`](#fn-accesspolicytokennew)
+  * [`fn withAccessPolicyId(id)`](#fn-accesspolicytokenwithaccesspolicyid)
 * [`obj stack`](#obj-stack)
   * [`fn new(name, namespace, cloudProviderConfigName, secretName="<name>-providerconfig-token")`](#fn-stacknew)
 * [`obj stackServiceAccount`](#obj-stackserviceaccount)
@@ -13,6 +23,131 @@
 
 ## Fields
 
+### obj accessPolicy
+
+
+#### fn accessPolicy.addToken
+
+```jsonnet
+accessPolicy.addToken(secretName, secretNamespace)
+```
+
+PARAMETERS:
+
+* **secretName** (`string`)
+* **secretNamespace** (`string`)
+
+`addToken` creates a new Access Policy Token under this Access Policy, the token will be available in the provider secret.
+
+#### fn accessPolicy.forOrg
+
+```jsonnet
+accessPolicy.forOrg(name, namespace, scopes)
+```
+
+PARAMETERS:
+
+* **name** (`string`)
+* **namespace** (`string`)
+* **scopes** (`array`)
+
+`forOrg` configures the `realm` to an org `slug`.
+
+#### fn accessPolicy.forStackResource
+
+```jsonnet
+accessPolicy.forStackResource(stackResource, namespace)
+```
+
+PARAMETERS:
+
+* **stackResource** (`string`)
+* **namespace** (`string`)
+
+`forStackResource` configures the `realm` for a `stackResource`.
+
+ The `stackResource` is in the `stack` key returned by `cloud.stack.new()`.
+
+#### fn accessPolicy.new
+
+```jsonnet
+accessPolicy.new(name, namespace, scopes)
+```
+
+PARAMETERS:
+
+* **name** (`string`)
+* **namespace** (`string`)
+* **scopes** (`array`)
+
+`new` creates a new Access Policy.
+
+For `scopes`, see https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/#scopes for possible values.
+
+A valid Access Policy also needs a `realm`, use one of the following functions:
+- `withStack`: reference a stack by its identifier (id).
+- `forStackResource`: reference a stack by a Crossplane resource.
+- `forOrg`: set realm to org level
+
+#### fn accessPolicy.withStack
+
+```jsonnet
+accessPolicy.withStack(id, region)
+```
+
+PARAMETERS:
+
+* **id** (`string`)
+* **region** (`string`)
+
+`withStack` configures the `realm` to a stack `id`.
+### obj accessPolicyToken
+
+
+#### fn accessPolicyToken.forAccessPolicyResource
+
+```jsonnet
+accessPolicyToken.forAccessPolicyResource(accessPolicyResource)
+```
+
+PARAMETERS:
+
+* **accessPolicyResource** (`object`)
+
+`forAccessPolicyResource` configures the Access Policy` for a `accessPolicyResource`.
+
+ The `accessPolicyResource` is in the `accessPolicy` key returned by `cloud.accessPolicy.new()`.
+
+#### fn accessPolicyToken.new
+
+```jsonnet
+accessPolicyToken.new(secretName, secretNamespace)
+```
+
+PARAMETERS:
+
+* **secretName** (`string`)
+* **secretNamespace** (`string`)
+
+`new` creates a new Access Policy Token.
+
+Tip: use `accessPolicy.addToken()` to automatically link the token to the right Access Policy.
+
+A valid Access Policy Token also needs an Access Policy, use one of the following functions:
+- `withAccessPolicyId`: reference a policy by its identifier (id)
+- `forAccessPolicyResource`: reference a policy by a Crossplane resource.
+
+#### fn accessPolicyToken.withAccessPolicyId
+
+```jsonnet
+accessPolicyToken.withAccessPolicyId(id)
+```
+
+PARAMETERS:
+
+* **id** (`string`)
+
+`withAccessPolicyId` configures the Access Policy to a policy `id`.
 ### obj stack
 
 

grafanaplane/cloud.libsonnet

@@ -7,7 +7,7 @@ local raw = import './zz/main.libsonnet';
 {
   '#': d.package.newSub('cloud', ''),
 
-  local this = self,
+  local root = self,
   local validStackSlug(slug) =
     xtd.ascii.isLower(slug[0])
     && std.all(
@@ -39,8 +39,8 @@ local raw = import './zz/main.libsonnet';
         + raw.cloud.v1alpha1.stack.spec.parameters.forProvider.withName(name)
         + raw.cloud.v1alpha1.stack.spec.parameters.forProvider.withSlug(name),
 
-      serviceAccount: this.stackServiceAccount.fromStackResource(self.stack, namespace),
-      token: this.stackServiceAccountToken.fromStackServiceAccountResource(self.serviceAccount, namespace, secretName),
+      serviceAccount: root.stackServiceAccount.fromStackResource(self.stack, namespace),
+      token: root.stackServiceAccountToken.fromStackServiceAccountResource(self.serviceAccount, namespace, secretName),
       grafanaProviderConfig: global.providerConfig.new(name + '-grafana', secretName, namespace, 'instanceCredentials'),
     },
   },
@@ -91,4 +91,160 @@ local raw = import './zz/main.libsonnet';
         stackServiceAccountResource.spec.parameters.providerConfigRef
       ),
   },
+
+  accessPolicy: {
+    local forProvider = raw.cloud.v1alpha1.accessPolicy.spec.parameters.forProvider,
+
+    '#new': d.func.new(
+      |||
+        `new` creates a new Access Policy.
+
+        For `scopes`, see https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/#scopes for possible values.
+
+        A valid Access Policy also needs a `realm`, use one of the following functions:
+        - `withStack`: reference a stack by its identifier (id).
+        - `forStackResource`: reference a stack by a Crossplane resource.
+        - `forOrg`: set realm to org level
+      |||,
+      [
+        d.argument.new('name', d.T.string),
+        d.argument.new('namespace', d.T.string),
+        d.argument.new('scopes', d.T.array),
+      ]
+    ),
+    new(name, namespace, scopes): {
+      accessPolicy:
+        raw.cloud.v1alpha1.accessPolicy.new(name)
+        + raw.cloud.v1alpha1.accessPolicy.metadata.withNamespace(namespace)
+        + forProvider.withName(name)
+        + forProvider.withScopes(scopes),
+    },
+
+    '#withStack': d.func.new(
+      '`withStack` configures the `realm` to a stack `id`.',
+      [
+        d.argument.new('id', d.T.string),
+        d.argument.new('region', d.T.string),
+      ]
+    ),
+    withStack(id, region): {
+      accessPolicy+:
+        forProvider.withRealm(
+          forProvider.realm.withType('stack')
+          + forProvider.realm.withIdentifier(id)
+        )
+        + forProvider.withRegion(region),
+    },
+
+    '#forStackResource': d.func.new(
+      |||
+        `forStackResource` configures the `realm` for a `stackResource`.
+
+         The `stackResource` is in the `stack` key returned by `cloud.stack.new()`.
+      |||,
+      [
+        d.argument.new('stackResource', d.T.string),
+        d.argument.new('namespace', d.T.string),
+      ]
+    ),
+    forStackResource(stackResource, namespace=stackResource.metadata.namespace): {
+      accessPolicy+:
+        forProvider.withRealm(
+          forProvider.realm.withType('stack')
+          + forProvider.realm.stackSelector.withMatchLabels({
+            'crossplane.io/claim-name': stackResource.metadata.name,
+            'crossplane.io/claim-namespace': namespace,
+          })
+        )
+        // region is a required attribute,
+        // this'll require that `stackResource` has regionSlug configured
+        + forProvider.withRegion(stackResource.spec.parameters.forProvider.regionSlug),
+    },
+
+    '#forOrg': d.func.new(
+      |||
+        `forOrg` configures the `realm` to an org `slug`.
+      |||,
+      [
+        d.argument.new('name', d.T.string),
+        d.argument.new('namespace', d.T.string),
+        d.argument.new('scopes', d.T.array),
+      ]
+    ),
+    forOrg(slug, region='prod-us-east-0'): {
+      accessPolicy+:
+        forProvider.withRealm(
+          forProvider.realm.withType('org')
+          + forProvider.realm.withIdentifier(slug)
+        )
+        // region is a required attribute,
+        // it is a bit unclear what this needs to be for an 'org' policy
+        + forProvider.withRegion(region),
+    },
+
+    '#addToken': d.func.new(
+      |||
+        `addToken` creates a new Access Policy Token under this Access Policy, the token will be available in the provider secret.
+      |||,
+      [
+        d.argument.new('secretName', d.T.string),
+        d.argument.new('secretNamespace', d.T.string),
+      ]
+    ),
+    addToken(secretName, secretNamespace): {
+      local this = self,
+      tokens+: {
+        [secretName]:
+          root.accessPolicyToken.new(secretName, secretNamespace)
+          + root.accessPolicyToken.forAccessPolicyResource(this.accessPolicy),
+      },
+    },
+  },
+
+  accessPolicyToken: {
+    local parameters = raw.cloud.v1alpha1.accessPolicyToken.spec.parameters,
+
+    '#new': d.func.new(
+      |||
+        `new` creates a new Access Policy Token.
+
+        Tip: use `accessPolicy.addToken()` to automatically link the token to the right Access Policy.
+
+        A valid Access Policy Token also needs an Access Policy, use one of the following functions:
+        - `withAccessPolicyId`: reference a policy by its identifier (id)
+        - `forAccessPolicyResource`: reference a policy by a Crossplane resource.
+      |||,
+      [
+        d.argument.new('secretName', d.T.string),
+        d.argument.new('secretNamespace', d.T.string),
+      ]
+    ),
+    new(secretName, secretNamespace):
+      raw.cloud.v1alpha1.accessPolicyToken.new(secretName)
+      + parameters.forProvider.withName(secretName)
+      + parameters.writeConnectionSecretToRef.withName(secretName)
+      + parameters.writeConnectionSecretToRef.withNamespace(secretNamespace),
+
+    '#withAccessPolicyId': d.func.new(
+      '`withAccessPolicyId` configures the Access Policy to a policy `id`.',
+      [d.argument.new('id', d.T.string)]
+    ),
+    withAccessPolicyId(id):
+      parameters.forProvider.withAccessPolicyId(id),
+
+    '#forAccessPolicyResource': d.func.new(
+      |||
+        `forAccessPolicyResource` configures the Access Policy` for a `accessPolicyResource`.
+
+         The `accessPolicyResource` is in the `accessPolicy` key returned by `cloud.accessPolicy.new()`.
+      |||,
+      [d.argument.new('accessPolicyResource', d.T.object)]
+    ),
+    forAccessPolicyResource(accessPolicyResource):
+      parameters.forProvider.withRegion(accessPolicyResource.spec.parameters.forProvider.region)
+      + parameters.forProvider.accessPolicySelector.withMatchLabels({
+        'crossplane.io/claim-name': accessPolicyResource.metadata.name,
+        'crossplane.io/claim-namespace': accessPolicyResource.metadata.namespace,
+      }),
+  },
 }