feat: add audit object store policy, log target object store, and policy member resources

Implement three new Terraform resources for FlashBlade audit logging:

- flashblade_audit_object_store_policy: manages audit policies for object
  store operations with log target assignment
- flashblade_log_target_object_store: manages log targets that store audit
  logs in a bucket with prefix and rotation settings
- flashblade_audit_object_store_policy_member: assigns buckets as members
  of audit object store policies (CRD-only)

Each resource includes data source, mock handlers, client CRUD with
generics, full test coverage (779 tests, +25), HCL examples, and
generated documentation.

Author: SoulKyu

CONVENTIONS.md

@@ -448,7 +448,7 @@ func nullXxxDSConfig() map[string]tftypes.Value
 
 ### Coverage rules
 
-- **Total test count MUST NOT decrease.** Current baseline: **754 tests**.
+- **Total test count MUST NOT decrease.** Current baseline: **779 tests**.
 - Every new resource adds at minimum **8 tests** (4 client + 3 resource + 1 data source).
 - Every state upgrader adds at minimum **1 test**.
 - Run `make test` and `make lint` before every commit. Both must be clean.

ROADMAP.md

@@ -2,9 +2,9 @@
 
 FlashBlade REST API v2.22 (Purity//FB 4.6.7) coverage status for terraform-provider-flashblade.
 
-**Last updated:** 2026-04-08
+**Last updated:** 2026-04-09
 **Provider version:** v2.2
-**Total API sections:** 84 | **Covered:** ~39 | **Coverage of IaC-relevant CRUD:** ~70%
+**Total API sections:** 84 | **Covered:** ~41 | **Coverage of IaC-relevant CRUD:** ~72%
 
 ## Coverage Legend
 
@@ -97,6 +97,14 @@ FlashBlade REST API v2.22 (Purity//FB 4.6.7) coverage status for terraform-provi
 | SMTP | `flashblade_array_smtp` | Yes | Done | Singleton |
 | Syslog Servers | `flashblade_syslog_server` | Yes | Done | Full CRUD |
 
+### Audit
+
+| API Section | Resource | Data Source | Status | Notes |
+|-------------|----------|:----------:|--------|-------|
+| Audit Policies (Object Store) | `flashblade_audit_object_store_policy` | Yes | Done | Object store audit logging policies with log targets |
+| Audit Policies (Object Store) Members | `flashblade_audit_object_store_policy_member` | No | Done | Bucket-to-policy assignment (CRD) |
+| Log Targets (Object Store) | `flashblade_log_target_object_store` | Yes | Done | Audit log target to bucket with prefix + rotation |
+
 ### Quotas
 
 | API Section | Resource | Data Source | Status | Notes |
@@ -156,8 +164,8 @@ FlashBlade REST API v2.22 (Purity//FB 4.6.7) coverage status for terraform-provi
 | SSH CA Policies | Resource | Full CRUD | SSH certificate authority management | Deferred |
 | Data Eviction Policies | Resource | Full CRUD + FS members | Automatic data eviction | Deferred |
 | Audit Policies (FS) | Resource | Full CRUD + members | File system audit logging policies | Deferred |
-| Audit Policies (Object Store) | Resource | Full CRUD + members | Object store audit logging policies | Deferred |
-| Log Targets | Resource | Full CRUD | Audit log target configuration | Deferred |
+| Audit Policies (FS) members | Resource | Members endpoint | File system audit policy-to-FS association | Deferred |
+| Log Targets (File Systems) | Resource | Full CRUD | File system audit log target configuration | Deferred |
 
 ### Not Applicable for Terraform
 

docs/data-sources/audit_object_store_policy.md

@@ -0,0 +1,34 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "flashblade_audit_object_store_policy Data Source - flashblade"
+subcategory: ""
+description: |-
+  Reads an existing FlashBlade audit object store policy.
+---
+
+# flashblade_audit_object_store_policy (Data Source)
+
+Reads an existing FlashBlade audit object store policy.
+
+## Example Usage
+
+```terraform
+data "flashblade_audit_object_store_policy" "example" {
+  name = "my-audit-policy"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the audit object store policy to look up.
+
+### Read-Only
+
+- `enabled` (Boolean) Whether the audit object store policy is enabled.
+- `id` (String) The unique identifier of the audit object store policy.
+- `is_local` (Boolean) Whether the policy is defined on the local array.
+- `log_targets` (List of String) List of log target names configured for this policy.
+- `policy_type` (String) The type of the policy (e.g. 'audit').

docs/data-sources/log_target_object_store.md

@@ -0,0 +1,33 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "flashblade_log_target_object_store Data Source - flashblade"
+subcategory: ""
+description: |-
+  Reads an existing FlashBlade log target object store.
+---
+
+# flashblade_log_target_object_store (Data Source)
+
+Reads an existing FlashBlade log target object store.
+
+## Example Usage
+
+```terraform
+data "flashblade_log_target_object_store" "example" {
+  name = "my-log-target"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the log target object store to look up.
+
+### Read-Only
+
+- `bucket_name` (String) The name of the bucket where audit logs are stored.
+- `id` (String) The unique identifier of the log target object store.
+- `log_name_prefix` (String) The prefix of audit log object names in the bucket.
+- `log_rotate_duration` (Number) The rotation interval for audit logs in milliseconds.

docs/resources/audit_object_store_policy.md

@@ -0,0 +1,61 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "flashblade_audit_object_store_policy Resource - flashblade"
+subcategory: ""
+description: |-
+  Manages a FlashBlade audit object store policy that controls audit logging for object store operations.
+---
+
+# flashblade_audit_object_store_policy (Resource)
+
+Manages a FlashBlade audit object store policy that controls audit logging for object store operations.
+
+## Example Usage
+
+```terraform
+resource "flashblade_audit_object_store_policy" "example" {
+  name    = "my-audit-policy"
+  enabled = true
+
+  log_targets = ["my-log-target"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the audit object store policy. Not renameable; changing forces replacement.
+
+### Optional
+
+- `enabled` (Boolean) Whether the audit object store policy is enabled.
+- `log_targets` (List of String) List of log target names to receive audit events from this policy.
+- `timeouts` (Attributes) (see [below for nested schema](#nestedatt--timeouts))
+
+### Read-Only
+
+- `id` (String) The unique identifier of the audit object store policy.
+- `is_local` (Boolean) Whether the policy is defined on the local array (read-only).
+- `policy_type` (String) The type of the policy (e.g. 'audit'). Read-only, set by the array.
+
+<a id="nestedatt--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+- `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+- `read` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.
+- `update` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+terraform import flashblade_audit_object_store_policy.example my-audit-policy
+```

docs/resources/audit_object_store_policy_member.md

@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "flashblade_audit_object_store_policy_member Resource - flashblade"
+subcategory: ""
+description: |-
+  Assigns a bucket as a member of a FlashBlade audit object store policy.
+---
+
+# flashblade_audit_object_store_policy_member (Resource)
+
+Assigns a bucket as a member of a FlashBlade audit object store policy.
+
+## Example Usage
+
+```terraform
+resource "flashblade_audit_object_store_policy_member" "example" {
+  policy_name = "my-audit-policy"
+  member_name = "my-bucket"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `member_name` (String) The name of the bucket to assign to the policy. Changing this forces a new resource.
+- `policy_name` (String) The name of the audit object store policy. Changing this forces a new resource.
+
+### Optional
+
+- `timeouts` (Attributes) (see [below for nested schema](#nestedatt--timeouts))
+
+<a id="nestedatt--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+- `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+- `read` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+terraform import flashblade_audit_object_store_policy_member.example my-audit-policy/my-bucket
+```

docs/resources/log_target_object_store.md

@@ -0,0 +1,60 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "flashblade_log_target_object_store Resource - flashblade"
+subcategory: ""
+description: |-
+  Manages a FlashBlade log target object store that stores audit logs in a bucket.
+---
+
+# flashblade_log_target_object_store (Resource)
+
+Manages a FlashBlade log target object store that stores audit logs in a bucket.
+
+## Example Usage
+
+```terraform
+resource "flashblade_log_target_object_store" "example" {
+  name                = "my-log-target"
+  bucket_name         = "audit-logs"
+  log_name_prefix     = "audit"
+  log_rotate_duration = 86400000
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `bucket_name` (String) The name of the bucket where audit logs will be stored.
+- `name` (String) The name of the log target object store. Not renameable; changing forces replacement.
+
+### Optional
+
+- `log_name_prefix` (String) The prefix of audit log object names in the bucket.
+- `log_rotate_duration` (Number) The rotation interval for audit logs in milliseconds.
+- `timeouts` (Attributes) (see [below for nested schema](#nestedatt--timeouts))
+
+### Read-Only
+
+- `id` (String) The unique identifier of the log target object store.
+
+<a id="nestedatt--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+- `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+- `read` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.
+- `update` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+terraform import flashblade_log_target_object_store.example my-log-target
+```

examples/data-sources/flashblade_audit_object_store_policy/data-source.tf

@@ -0,0 +1,3 @@
+data "flashblade_audit_object_store_policy" "example" {
+  name = "my-audit-policy"
+}

examples/data-sources/flashblade_log_target_object_store/data-source.tf

@@ -0,0 +1,3 @@
+data "flashblade_log_target_object_store" "example" {
+  name = "my-log-target"
+}

examples/resources/flashblade_audit_object_store_policy/import.sh

@@ -0,0 +1 @@
+terraform import flashblade_audit_object_store_policy.example my-audit-policy