ydb-platform
diff --git a/‎internal/resources/externaldatasource/README.md‎
Lines changed: 136 additions & 0 deletions b/‎internal/resources/externaldatasource/README.md‎
Lines changed: 136 additions & 0 deletions
diff --git a/‎internal/resources/externaldatasource/auth_diff.go‎
Lines changed: 41 additions & 0 deletions b/‎internal/resources/externaldatasource/auth_diff.go‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎internal/resources/externaldatasource/create.go‎
Lines changed: 44 additions & 0 deletions b/‎internal/resources/externaldatasource/create.go‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎internal/resources/externaldatasource/delete.go‎
Lines changed: 35 additions & 0 deletions b/‎internal/resources/externaldatasource/delete.go‎
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,136 @@
+# ydb_external_data_source resource
+
+`ydb_external_data_source` resource is used to manage YDB [external data source](https://ydb.tech/docs/ru/concepts/datamodel/external_data_source) entity.
+
+All attributes are immutable. Any change triggers resource recreation (drop + create).
+
+## Example
+
+```tf
+resource "ydb_external_data_source" "object_storage" {
+    path              = "path/to/external_data_source"
+    connection_string = "grpc://localhost:2136/?database=/local"
+
+    source_type = "ObjectStorage"
+    location    = "localhost:12345"
+    auth_method = "NONE"
+}
+```
+
+```tf
+resource "ydb_external_data_source" "clickhouse" {
+    path              = "path/to/clickhouse_source"
+    connection_string = "grpc://localhost:2136/?database=/local"
+
+    source_type          = "ClickHouse"
+    location             = "clickhouse-host:9000"
+    auth_method          = "BASIC"
+    login                = "user"
+    password_secret_name = "my_password_secret"
+    database_name        = "default"
+    protocol             = "NATIVE"
+    use_tls              = true
+}
+```
+
+```tf
+resource "ydb_external_data_source" "postgresql" {
+    path              = "path/to/pg_source"
+    connection_string = "grpc://localhost:2136/?database=/local"
+
+    source_type                  = "PostgreSQL"
+    location                     = "rc1a-xxx.mdb.yandexcloud.net:6432"
+    auth_method                  = "MDB_BASIC"
+    service_account_id           = "sa-id-123"
+    service_account_secret_name  = "sa_secret"
+    login                        = "pguser"
+    password_secret_name         = "pg_pass"
+    database_name                = "mydb"
+    mdb_cluster_id               = "c9q1234567890"
+    use_tls                      = true
+}
+```
+
+```tf
+resource "ydb_external_data_source" "s3_aws" {
+    path              = "path/to/s3_source"
+    connection_string = "grpc://localhost:2136/?database=/local"
+
+    source_type                        = "ObjectStorage"
+    location                           = "s3.us-east-1.amazonaws.com"
+    auth_method                        = "AWS"
+    aws_access_key_id_secret_name      = "aws_key_id"
+    aws_secret_access_key_secret_name  = "aws_secret_key"
+    aws_region                         = "us-east-1"
+}
+```
+
+## Argument Reference
+
+### Required
+
+- `connection_string` (String) - Database connection string, e.g. `grpc://localhost:2136/?database=/local`.
+- `path` (String) - Path to the external data source within the database.
+- `source_type` (String) - Type of external data source: `ObjectStorage`, `ClickHouse`, `PostgreSQL`.
+- `location` (String) - Network address of the external data source (host:port or URL).
+
+### Optional
+
+- `auth_method` (String) - Authentication method. One of: `NONE`, `BASIC`, `MDB_BASIC`, `AWS`, `TOKEN`, `SERVICE_ACCOUNT`.
+- `database_name` (String) - Database name in the external source (for ClickHouse/PostgreSQL).
+- `protocol` (String) - Communication protocol: `NATIVE`, `HTTP`.
+- `use_tls` (Boolean) - Enable TLS for the external data source connection.
+- `mdb_cluster_id` (String) - Managed Database cluster ID.
+
+#### BASIC / MDB_BASIC auth parameters
+
+- `login` (String) - Username.
+- `password_secret_name` (String) - Secret name for the password.
+- `password_secret_path` (String) - Secret path for the password.
+
+> Specify either `password_secret_name` or `password_secret_path`, not both.
+
+#### MDB_BASIC additional parameters
+
+- `service_account_id` (String) - Service account ID.
+- `service_account_secret_name` (String) - Secret name for the service account.
+- `service_account_secret_path` (String) - Secret path for the service account.
+
+#### SERVICE_ACCOUNT auth parameters
+
+- `service_account_id` (String) - Service account ID.
+- `service_account_secret_name` (String) - Secret name for the service account.
+- `service_account_secret_path` (String) - Secret path for the service account.
+
+#### AWS auth parameters
+
+- `aws_access_key_id_secret_name` (String) - Secret name for AWS access key ID.
+- `aws_access_key_id_secret_path` (String) - Secret path for AWS access key ID.
+- `aws_secret_access_key_secret_name` (String) - Secret name for AWS secret access key.
+- `aws_secret_access_key_secret_path` (String) - Secret path for AWS secret access key.
+- `aws_region` (String) - AWS region.
+
+#### TOKEN auth parameters
+
+- `token_secret_name` (String) - Secret name for the token.
+- `token_secret_path` (String) - Secret path for the token.
+
+## Validation
+
+The provider validates `auth_method` parameters before sending requests to YDB:
+
+- **Unsupported parameters** - fields belonging to a different auth method are rejected (e.g. `aws_region` with `AUTH_METHOD = "BASIC"`).
+- **Required parameters** - mandatory fields for each auth method must be provided (e.g. `login` for `BASIC`).
+- **Secret name/path exclusivity** - for each secret, specify either `*_secret_name` or `*_secret_path`, not both.
+- **No mixed secret types** - within a single auth method, all secrets must use the same reference type (all `*_name` or all `*_path`).
+
+## Data Source
+
+`ydb_external_data_source` data source reads an existing external data source. Only `connection_string` and `path` are required; all other attributes are computed.
+
+```tf
+data "ydb_external_data_source" "example" {
+    path              = "path/to/external_data_source"
+    connection_string = "grpc://localhost:2136/?database=/local"
+}
+```
@@ -0,0 +1,41 @@
+package externaldatasource
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// ValidateResourceDiffAuth validates auth fields from the planned diff (CustomizeDiff / plan).
+func ValidateResourceDiffAuth(d *schema.ResourceDiff) error {
+	return validateResourceAuth(resourceFromDiff(d))
+}
+
+// ValidateResourceDiffSourceType validates auth_method and properties against source_type.
+func ValidateResourceDiffSourceType(d *schema.ResourceDiff) error {
+	return validateSourceType(resourceFromDiff(d))
+}
+
+func resourceFromDiff(d *schema.ResourceDiff) *Resource {
+	vals := make(map[string]string, len(allStringAttrKeys))
+	for _, k := range allStringAttrKeys {
+		vals[k] = diffString(d, k)
+	}
+	r := &Resource{Values: vals}
+	if v, ok := d.GetOk("use_tls"); ok {
+		if b, ok := v.(bool); ok {
+			r.UseTLS = &b
+		}
+	}
+	return r
+}
+
+func diffString(d *schema.ResourceDiff, key string) string {
+	v := d.Get(key)
+	if v == nil {
+		return ""
+	}
+	s, ok := v.(string)
+	if !ok {
+		return ""
+	}
+	return s
+}
@@ -0,0 +1,44 @@
+package externaldatasource
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	tbl "github.com/ydb-platform/terraform-provider-ydb/internal/table"
+)
+
+func (h *Handler) Create(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	r, err := resourceSchemaToResource(d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	db, err := tbl.CreateDBConnection(ctx, tbl.ClientParams{
+		DatabaseEndpoint: r.getConnectionString(),
+		AuthCreds:        h.authCreds,
+	})
+	if err != nil {
+		return diag.Errorf("failed to initialize client: %s", err)
+	}
+	defer func() { _ = db.Close(ctx) }()
+
+	databaseEndpoint := d.Get("connection_string").(string)
+	databaseURL, err := url.Parse(databaseEndpoint)
+	if err != nil {
+		return diag.Errorf("failed to parse database endpoint: %s", err)
+	}
+	fullPath := databaseURL.Query().Get("database") + "/" + r.Path
+
+	q := PrepareCreateQuery(fullPath, r)
+	err = db.Query().Exec(ctx, q)
+	if err != nil {
+		return diag.Errorf("failed to create external data source: %s", err)
+	}
+
+	d.SetId(databaseEndpoint + "?path=" + r.Path)
+
+	return h.Read(ctx, d, meta)
+}
@@ -0,0 +1,35 @@
+package externaldatasource
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/ydb-platform/terraform-provider-ydb/internal/helpers"
+	tbl "github.com/ydb-platform/terraform-provider-ydb/internal/table"
+)
+
+func (h *Handler) Delete(ctx context.Context, d *schema.ResourceData, _ interface{}) diag.Diagnostics {
+	entity, err := helpers.ParseYDBEntityID(d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	db, err := tbl.CreateDBConnection(ctx, tbl.ClientParams{
+		DatabaseEndpoint: entity.PrepareFullYDBEndpoint(),
+		AuthCreds:        h.authCreds,
+	})
+	if err != nil {
+		return diag.Errorf("failed to initialize client: %s", err)
+	}
+	defer func() { _ = db.Close(ctx) }()
+
+	q := PrepareDropQuery(entity.GetFullEntityPath())
+	err = db.Query().Exec(ctx, q)
+	if err != nil {
+		return diag.Errorf("failed to drop external data source %q: %s", entity.GetEntityPath(), err)
+	}
+
+	return nil
+}