VAULT-35711: Add new HCP Radar resource list as a TF data source (#1324)

* VAULT-35711: Add new HCP Radar resource list TF data source

* Correct guide to use resource_name instead of resource_uri.

* Edit the _testacc_vaultradar.yml.

* By using a map instead of a set in the for_each, the state and output become more human friendly because it include the radar resource uri.

* Rename data source, and used a nested structure to represent the uri filter and case insensitive.

Author: trentdibacco

.changelog/1324.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+Add preview of hcp_vault_radar_resources.
+```

.github/workflows/_testacc_vaultradar.yml

@@ -79,6 +79,7 @@ jobs:
           # RADAR_GITHUB_ENTERPRISE_TOKEN: ${{ secrets.RADAR_GITHUB_ENTERPRISE_TOKEN }}
           # RADAR_GITHUB_ENTERPRISE_TOKEN_2: ${{ secrets.RADAR_GITHUB_ENTERPRISE_TOKEN_2 }}
           # RADAR_HCP_RESOURCE_NAME ${{ secrets.RADAR_HCP_RESOURCE_NAME }}
+          # RADAR_RESOURCES_URI_LIKE_FILTER ${{ secrets.RADAR_RESOURCES_URI_LIKE_FILTER }}
         run: |
           go test \
             ./internal/provider/vaultradar \

docs/data-sources/vault_radar_resources.md

@@ -0,0 +1,75 @@
+---
+page_title: "Data Source hcp_vault_radar_resources - terraform-provider-hcp"
+subcategory: "HCP Vault Radar"
+description: |-
+  Retrieves a list of radar resource data.
+---
+
+# hcp_vault_radar_resources (Data Source)
+
+-> **Note:** This feature is currently in private beta.
+
+Retrieves a list of radar resource data.
+
+## Example Usage
+
+```terraform
+# Returns a list of Radar resources in the project with uri matching
+# that beginning with "git://github.com/hashicorp/" or "git://github.com/ibm/".
+data "hcp_vault_radar_resources" "example" {
+  uri_like_filter = {
+    values = [
+      "git://github.com/hashicorp/%",
+      "git://github.com/ibm/%"
+    ]
+    case_insensitive = false
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `uri_like_filter` (Attributes) Applies a filter to the radar resources based on their URIs. The filter uses the SQL LIKE operator, which allows for wildcard matching. (see [below for nested schema](#nestedatt--uri_like_filter))
+
+### Optional
+
+- `project_id` (String) The ID of the HCP project where Vault Radar is located. If not specified, the project specified in the HCP Provider config block will be used, if configured.
+
+### Read-Only
+
+- `resources` (Attributes List) List of Radar resources. (see [below for nested schema](#nestedatt--resources))
+
+<a id="nestedatt--uri_like_filter"></a>
+### Nested Schema for `uri_like_filter`
+
+Required:
+
+- `values` (List of String) URI like filters to apply radar resources. Each entry in the list will act like an or condition.
+
+Optional:
+
+- `case_insensitive` (Boolean) If true, the uri like filter will be case insensitive. Defaults to false.
+
+
+<a id="nestedatt--resources"></a>
+### Nested Schema for `resources`
+
+Read-Only:
+
+- `connection_url` (String) Radar resource connection url
+- `data_source_info` (String) Radar resource data source info
+- `data_source_name` (String) Radar resource data source name
+- `data_source_type` (String) Radar resource data source type
+- `description` (String) Radar resource description
+- `detector_type` (String) Radar resource detector type
+- `hcp_resource_id` (String) Radar resource HCP resource ID
+- `hcp_resource_name` (String) Radar resource HCP resource name
+- `hcp_resource_status` (String) Radar resource HCP resource status
+- `id` (String) Radar resource id
+- `name` (String) Radar resource name
+- `state` (String) Radar resource state
+- `uri` (String) Radar resource uri
+- `visibility` (String) Radar resource visibility

docs/guides/vault-radar-resource-rbac.md

@@ -0,0 +1,85 @@
+---
+subcategory: ""
+page_title: "Managing Vault Radar Resource IAM Policies"
+description: |-
+    A guide to setting up and managing access to select Radar resources.
+---
+
+# Managing Vault Radar Resource IAM Policies
+
+-> **Note:** This feature is currently in private beta.
+
+Administrators can limit users' access to specific Vault Radar resources by using either `hcp_vault_radar_resource_iam_binding` or `hcp_vault_radar_resource_iam_policy`.
+
+Only users with no role at the organization or project level can be restricted to specific Radar resources.
+
+## Pre-requisites and Constraints
+* An IAM group should be created with the role `roles/vault-radar.developer` at the project level. This will allow the group's members to access Radar.
+* It's recommended to create a group for each team that will be require access to a select set of Radar resources.
+* Add users without any roles to the group created above.
+* Use the group created above to set the policy or binding for a select set of Radar resources.
+* Only the roles `roles/vault-radar.resource-viewer` or `roles/vault-radar.resource-contributor` can be applied to the policy or binding for Radar resources.
+
+## Sample Usage
+The following is an example of create a group with the role `roles/vault-radar.developer` at the project level and set the policy for a set of Radar resource that match a resource URI prefix with the role `roles/vault-radar.resource-viewer` for that group.
+
+```terraform
+variable "project_id" {
+  type = string
+}
+
+
+# Create a group for members with no roles.
+resource "hcp_group" "group" {
+  display_name = "my-developer-group"
+  description  = "my developer group managed by TF"
+}
+
+# Assign 'roles/vault-radar.developer' role on the group.
+# This allows the groups members access to Vault Radar.
+resource "hcp_project_iam_binding" "binding" {
+  project_id   = var.project_id
+  principal_id = hcp_group.group.resource_id
+  role         = "roles/vault-radar.developer"
+}
+
+# Create a policy that will grant Radar Resource Viewer access to the group.
+data "hcp_iam_policy" "policy" {
+  bindings = [
+    {
+      role       = "roles/vault-radar.resource-viewer"
+      principals = [hcp_group.group.resource_id]
+    }
+  ]
+}
+
+# Get the list of Radar resources intended to be accessed by the group.
+# This example uses a URI 'LIKE' filter to only include resources that start with "git://github.com/ibm/" or "git://github.com/hashicorp/".
+data "hcp_vault_radar_resources" "radar_resources" {
+  uri_like_filter = {
+    values = [
+      "git://github.com/ibm/%",
+      "git://github.com/hashicorp/%",
+    ]
+    case_insensitive = false
+  }
+}
+
+# Map the list of Radar resources to a map of Radar URIs to HCP resource names, and filter out any resources that are not registered.
+locals {
+  resources_uri_to_resource_name = {
+    for radar_resource in data.hcp_vault_radar_resources.radar_resources.resources : radar_resource.uri => radar_resource.hcp_resource_name
+    # This is done as a precaution to ensure that only valid resources are processed.
+    if radar_resource.hcp_resource_status == "registered"
+  }
+
+}
+
+# Create IAM policies for each Radar resource's HCP resource name that the group should have access to.
+# Note this will replace any existing policies for the resources. If that is not desired, consider using `hcp_vault_radar_resource_iam_binding` instead.
+resource "hcp_vault_radar_resource_iam_policy" "policy" {
+  for_each      = local.resources_uri_to_resource_name
+  resource_name = each.value
+  policy_data   = data.hcp_iam_policy.policy.policy_data
+}
+```

examples/data-sources/hcp_vault_radar_resources/data-source.tf

@@ -0,0 +1,11 @@
+# Returns a list of Radar resources in the project with uri matching
+# that beginning with "git://github.com/hashicorp/" or "git://github.com/ibm/".
+data "hcp_vault_radar_resources" "example" {
+  uri_like_filter = {
+    values = [
+      "git://github.com/hashicorp/%",
+      "git://github.com/ibm/%"
+    ]
+    case_insensitive = false
+  }
+}

examples/guides/vault_radar_resource_rbac/main.tf

@@ -0,0 +1,58 @@
+variable "project_id" {
+  type = string
+}
+
+
+# Create a group for members with no roles.
+resource "hcp_group" "group" {
+  display_name = "my-developer-group"
+  description  = "my developer group managed by TF"
+}
+
+# Assign 'roles/vault-radar.developer' role on the group.
+# This allows the groups members access to Vault Radar.
+resource "hcp_project_iam_binding" "binding" {
+  project_id   = var.project_id
+  principal_id = hcp_group.group.resource_id
+  role         = "roles/vault-radar.developer"
+}
+
+# Create a policy that will grant Radar Resource Viewer access to the group.
+data "hcp_iam_policy" "policy" {
+  bindings = [
+    {
+      role       = "roles/vault-radar.resource-viewer"
+      principals = [hcp_group.group.resource_id]
+    }
+  ]
+}
+
+# Get the list of Radar resources intended to be accessed by the group.
+# This example uses a URI 'LIKE' filter to only include resources that start with "git://github.com/ibm/" or "git://github.com/hashicorp/".
+data "hcp_vault_radar_resources" "radar_resources" {
+  uri_like_filter = {
+    values = [
+      "git://github.com/ibm/%",
+      "git://github.com/hashicorp/%",
+    ]
+    case_insensitive = false
+  }
+}
+
+# Map the list of Radar resources to a map of Radar URIs to HCP resource names, and filter out any resources that are not registered.
+locals {
+  resources_uri_to_resource_name = {
+    for radar_resource in data.hcp_vault_radar_resources.radar_resources.resources : radar_resource.uri => radar_resource.hcp_resource_name
+    # This is done as a precaution to ensure that only valid resources are processed.
+    if radar_resource.hcp_resource_status == "registered"
+  }
+
+}
+
+# Create IAM policies for each Radar resource's HCP resource name that the group should have access to.
+# Note this will replace any existing policies for the resources. If that is not desired, consider using `hcp_vault_radar_resource_iam_binding` instead.
+resource "hcp_vault_radar_resource_iam_policy" "policy" {
+  for_each      = local.resources_uri_to_resource_name
+  resource_name = each.value
+  policy_data   = data.hcp_iam_policy.policy.policy_data
+}

internal/clients/vault_radar.go

@@ -285,7 +285,6 @@ func ListRadarResources(ctx context.Context, client *Client, projectID string, b
 
 	res, err := client.RadarResourceService.ListResources(params, nil)
 	if err != nil {
-		tflog.Error(ctx, "Failed to list radar resources", map[string]interface{}{"error": err.Error()})
 		return nil, err
 	}
 

internal/provider/provider.go

@@ -219,6 +219,8 @@ func (p *ProviderFramework) DataSources(ctx context.Context) []func() datasource
 		waypoint.NewTemplateDataSource,
 		waypoint.NewAddOnDataSource,
 		waypoint.NewAddOnDefinitionDataSource,
+		// Radar
+		vaultradar.NewRadarResourcesDataSource,
 	}, packer.DataSourceSchemaBuilders...)
 }