Merge pull request #114 from hashicorp/sync-public-and-internal-provider

[auto] Sync with Public Provider

CHANGELOG.md

@@ -1,3 +1,19 @@
+## v0.66.0 (July 13, 2023)
+
+FEATURES:
+
+* Adds `hcp_packer_run_task` data source. [[GH-547](https://github.com/hashicorp/terraform-provider-hcp/pull/547)]
+* Adds `hcp_packer_run_task` resource. [[GH-547](https://github.com/hashicorp/terraform-provider-hcp/pull/547)]
+
+IMPROVEMENTS:
+
+* Updated Auth Guide to reflect the impact to the provider when using Project-Level Service Principals;  `project_id` within the provider configuration is needed. Fix for previous release in v0.64.0 [[GH-552](https://github.com/hashicorp/terraform-provider-hcp/pull/552)]
+* Updated Boundary `Tier` configuration to be case insensitive. [[GH-554](https://github.com/hashicorp/terraform-provider-hcp/pull/554)]
+## v0.65.0 (July 10, 2023)
+
+FEATURES:
+
+* Adds `tier` to the `hcp_boundary_cluster` resource to manage the cluster pricing and feature set. [[GH-544](https://github.com/hashicorp/terraform-provider-hcp/pull/544)]
 ## v0.64.0 (July 07, 2023)
 
 FEATURES:

docs/data-sources/boundary_cluster.md

@@ -39,6 +39,7 @@ If a project is not configured in the HCP Provider config block, the oldest proj
 - `id` (String) The ID of this resource.
 - `maintenance_window_config` (List of Object) (see [below for nested schema](#nestedatt--maintenance_window_config))
 - `state` (String) The state of the Boundary cluster.
+- `tier` (String) The tier of the Boundary cluster.
 
 <a id="nestedblock--timeouts"></a>
 ### Nested Schema for `timeouts`

docs/data-sources/packer_run_task.md

@@ -0,0 +1,48 @@
+---
+page_title: "hcp_packer_run_task Data Source - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The Packer Run Task data source gets the configuration information needed to set up an HCP Packer Registry's run task.
+---
+
+# hcp_packer_run_task (Data Source)
+
+-> **Note:** This data source is currently in public beta.
+
+-> **Note:** Use of this data source in the same workspace as an 
+`hcp_packer_run_task` resource (pointing to the same HCP Project) is
+discouraged. If this is not possible (ex: using a module containing the data
+source in the same workspace as a copy of the resource), use the `depends_on`
+meta-argument to mark the data source as dependent on the resource.
+
+The Packer Run Task data source gets the configuration information needed to set up an HCP Packer Registry's run task.
+
+## Example Usage
+
+```terraform
+data "hcp_packer_run_task" "registry" {}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `project_id` (String) The ID of the HCP project where the HCP Packer Registry is located. 
+If not specified, the project specified in the HCP Provider config block will be used, if configured.
+If a project is not configured in the HCP Provider config block, the oldest project in the organization will be used.
+- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-Only
+
+- `endpoint_url` (String) A unique HCP Packer URL, specific to your HCP organization and HCP Packer registry. The Terraform Cloud run task will send a payload to this URL for image validation.
+- `hmac_key` (String, Sensitive) A secret key that lets HCP Packer verify the run task request.
+- `id` (String) The ID of this resource.
+- `organization_id` (String) The ID of the HCP organization where this channel is located. Always the same as the associated channel.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `default` (String)

docs/guides/auth.md

@@ -25,6 +25,7 @@ The `client_id` and `client_secret` must come from a service principal key. Serv
 Follow these steps to create service principal with the `contributor` role and a service principal key.
 
 ### 1. Create a service principal
+-> **Note:** HCP has two types of Service Principals. Organization-Level Service Principals and Project-Level Service Principals. Either can be used with the HCP Terraform Provider. To read more about their differences please see our [documentation page](https://cloud.hashicorp.com/docs/hcp/admin/iam/service-principals).
 
 Once you have registered and logged into the HCP portal, navigate to the Access Control (IAM) page. Select the Service Principals tab and create a new service principal. Give it the role Contributor, since it will be writing resources.
 
@@ -37,6 +38,7 @@ Once the service principal is created, navigate to its detail page by selecting
 Save the client ID and secret as the environment variables HCP_CLIENT_ID and HCP_CLIENT_SECRET.
 
 Or, configure the provider with the client ID and secret by copy-pasting the values directly into provider config.
+-> **Warning:** Hard-coded credentials are not recommended in Terraform configuration outside of local testing and risks secret exposure if committed to a code repository.
 
 ```terraform
 // Credentials can be set explicitly or via the environment variables HCP_CLIENT_ID and HCP_CLIENT_SECRET
@@ -45,6 +47,7 @@ provider "hcp" {
   client_secret = "service-principal-key-client-secret"
 }
 ```
+-> **Note:** If a [Project-Level Service Principal](https://cloud.hashicorp.com/docs/hcp/admin/iam/service-principals) is used, specify the default `project_id` in your provider configuration.
 
 ```bash
 HCP_CLIENT_ID="..."

docs/guides/packer-run-tasks-with-terraform.md

@@ -0,0 +1,51 @@
+---
+subcategory: ""
+page_title: "Packer Run Tasks with Terraform - HCP Provider"
+description: |-
+    A guide to integrating HCP Packer with Terraform using Run Tasks. 
+---
+
+# Adding an HCP Packer Run Task to Terraform Cloud or Terraform Enterprise
+
+You can add an HCP Packer Run Task to Terraform Cloud or Terraform Enterprise
+by combining the HCP Terraform Provider and the 
+[Terraform Cloud/Enterprise Provider](https://registry.terraform.io/providers/hashicorp/tfe).
+
+## Using the `hcp_packer_run_task` Data Source
+
+If the Terraform workspace where this config will live already has an
+`hcp_packer_run_task` resource, you should use the resource instead.
+
+```terraform
+data "hcp_packer_run_task" "registry" {}
+
+resource "tfe_organization_run_task" "hcp_packer" {
+  name        = "HCP_Packer"
+  description = "Ensure usage of compliant images from HCP Packer."
+  enabled     = true
+
+  url      = data.hcp_packer_run_task.registry.endpoint_url
+  hmac_key = data.hcp_packer_run_task.registry.hmac_key
+}
+```
+
+## Using the `hcp_packer_run_task` Resource
+
+If the Terraform workspace where this config will live does not already have a
+`hcp_packer_run_task` resource and you don't need to be able to regenerate the
+HMAC Key in that workspace, you should use the data source instead.
+
+```terraform
+resource "hcp_packer_run_task" "registry" {
+  regenerate_hmac = false
+}
+
+resource "tfe_organization_run_task" "hcp_packer" {
+  name        = "HCP_Packer"
+  description = "Ensure usage of compliant images from HCP Packer."
+  enabled     = true
+
+  url      = hcp_packer_run_task.registry.endpoint_url
+  hmac_key = hcp_packer_run_task.registry.hmac_key
+}
+```

docs/index.md

@@ -38,7 +38,7 @@ terraform {
   required_providers {
     hcp = {
       source  = "hashicorp/hcp"
-      version = "~> 0.64.0"
+      version = "~> 0.66.0"
     }
   }
 }
@@ -125,5 +125,6 @@ resource "hcp_vault_cluster" "example" {
 - `client_id` (String) The OAuth2 Client ID for API operations.
 - `client_secret` (String) The OAuth2 Client Secret for API operations.
 - `project_id` (String) The default project in which resources should be created.
+-> **Note:** See the [authentication guide](guides/auth.md) about a use case when specifying `project_id` is needed.
 
 For more information about HCP, please review our [documentation page](https://cloud.hashicorp.com/docs/hcp).

docs/resources/boundary_cluster.md

@@ -33,6 +33,7 @@ resource "hcp_boundary_cluster" "example" {
 
 - `cluster_id` (String) The ID of the Boundary cluster
 - `password` (String, Sensitive) The password of the initial admin user. This must be at least 8 characters in length. Note that this may show up in logs, and it will be stored in the state file.
+- `tier` (String) The tier that the HCP Boundary cluster will be provisioned as, 'Standard' or 'Plus'.
 - `username` (String) The username of the initial admin user. This must be at least 3 characters in length, alphanumeric, hyphen, or period.
 
 ### Optional

docs/resources/packer_run_task.md

@@ -0,0 +1,55 @@
+---
+page_title: "hcp_packer_run_task Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The Packer Run Task resource allows you to regenerate the HMAC key for an HCP Packer Registry's run task.
+  If you do not need to regenerate the HMAC key, it is recommended to use the hcp_packer_run_task data source instead.
+---
+
+# hcp_packer_run_task (Resource)
+
+-> **Note:** This resource is currently in public beta.
+
+The Packer Run Task resource allows you to regenerate the HMAC key for an HCP Packer Registry's run task.
+
+If you do not need to regenerate the HMAC key, it is recommended to use the `hcp_packer_run_task` data source instead.
+
+## Example Usage
+
+```terraform
+resource "hcp_packer_run_task" "registry" {}
+
+# Configuring the HMAC Key to regenerate on apply
+# NOTE: While `regenerate_hmac` is set to `true` the key will be regenerated on every apply.
+resource "hcp_packer_run_task" "registry" {
+  regenerate_hmac = true
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `project_id` (String) The ID of the HCP project where the HCP Packer Registry is located. 
+If not specified, the project specified in the HCP Provider config block will be used, if configured.
+If a project is not configured in the HCP Provider config block, the oldest project in the organization will be used.
+- `regenerate_hmac` (Boolean) If true, the HMAC Key (`hmac_key`) will be regenerated during `terraform apply`. While set to true, the key will be regenerated on every `terraform apply` until `regenerate_hmac` is set to false or removed from the config.
+- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-Only
+
+- `endpoint_url` (String) A unique HCP Packer URL, specific to your HCP organization and HCP Packer registry. The Terraform Cloud run task will send a payload to this URL for image validation.
+- `hmac_key` (String, Sensitive) A secret key that lets HCP Packer verify the run task request.
+- `id` (String) The ID of this resource.
+- `organization_id` (String) The ID of the HCP organization where this channel is located. Always the same as the associated channel.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String)
+- `default` (String)
+- `delete` (String)
+- `update` (String)

examples/data-sources/hcp_packer_run_task/data-source.tf

@@ -0,0 +1 @@
+data "hcp_packer_run_task" "registry" {}

examples/guides/packer_run_tasks_with_terraform/data.tf

@@ -0,0 +1,10 @@
+data "hcp_packer_run_task" "registry" {}
+
+resource "tfe_organization_run_task" "hcp_packer" {
+  name        = "HCP_Packer"
+  description = "Ensure usage of compliant images from HCP Packer."
+  enabled     = true
+
+  url      = data.hcp_packer_run_task.registry.endpoint_url
+  hmac_key = data.hcp_packer_run_task.registry.hmac_key
+}

examples/guides/packer_run_tasks_with_terraform/resource.tf

@@ -0,0 +1,12 @@
+resource "hcp_packer_run_task" "registry" {
+  regenerate_hmac = false
+}
+
+resource "tfe_organization_run_task" "hcp_packer" {
+  name        = "HCP_Packer"
+  description = "Ensure usage of compliant images from HCP Packer."
+  enabled     = true
+
+  url      = hcp_packer_run_task.registry.endpoint_url
+  hmac_key = hcp_packer_run_task.registry.hmac_key
+}

examples/provider/provider.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     hcp = {
       source  = "hashicorp/hcp"
-      version = "~> 0.64.0"
+      version = "~> 0.66.0"
     }
   }
 }

examples/resources/hcp_packer_run_task/resource.tf

@@ -0,0 +1,7 @@
+resource "hcp_packer_run_task" "registry" {}
+
+# Configuring the HMAC Key to regenerate on apply
+# NOTE: While `regenerate_hmac` is set to `true` the key will be regenerated on every apply.
+resource "hcp_packer_run_task" "registry" {
+  regenerate_hmac = true
+}

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/go-openapi/strfmt v0.21.3
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
+	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/hcp-sdk-go v0.49.0
 	github.com/hashicorp/terraform-plugin-docs v0.13.0
@@ -45,7 +46,6 @@ require (
 	github.com/hashicorp/go-hclog v1.4.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.4.8 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/hc-install v0.5.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.16.1 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect

internal/clients/packer.go

@@ -235,3 +235,38 @@ func ListBuckets(ctx context.Context, client *Client, loc *sharedmodels.Hashicor
 		nextPage = pagination.NextPageToken
 	}
 }
+
+// GetRunTask queries the HCP Packer Registry for the API information needed to configure a run task
+func GetRunTask(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation) (*packermodels.HashicorpCloudPackerGetRegistryTFCRunTaskAPIResponse, error) {
+	params := packer_service.NewPackerServiceGetRegistryTFCRunTaskAPIParamsWithContext(ctx)
+	params.LocationOrganizationID = loc.OrganizationID
+	params.LocationProjectID = loc.ProjectID
+	params.TaskType = "validation"
+
+	req, err := client.Packer.PackerServiceGetRegistryTFCRunTaskAPI(params, nil)
+	if err != nil {
+		if err, ok := err.(*packer_service.PackerServiceGetRegistryTFCRunTaskAPIDefault); ok {
+			return nil, errors.New(err.Payload.Message)
+		}
+		return nil, fmt.Errorf("unexpected error format received by GetRunTask. Got: %v", err)
+	}
+
+	return req.Payload, nil
+}
+
+// RegenerateHMAC triggers the HCP Packer Registry's run task HMAC Key to be regenerated
+func RegenerateHMAC(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation) (*packermodels.HashicorpCloudPackerRegenerateTFCRunTaskHmacKeyResponse, error) {
+	params := packer_service.NewPackerServiceRegenerateTFCRunTaskHmacKeyParamsWithContext(ctx)
+	params.LocationOrganizationID = loc.OrganizationID
+	params.LocationProjectID = loc.ProjectID
+
+	req, err := client.Packer.PackerServiceRegenerateTFCRunTaskHmacKey(params, nil)
+	if err != nil {
+		if err, ok := err.(*packer_service.PackerServiceRegenerateTFCRunTaskHmacKeyDefault); ok {
+			return nil, errors.New(err.Payload.Message)
+		}
+		return nil, fmt.Errorf("unexpected error format received by RegenerateHMAC. Got: %v", err)
+	}
+
+	return req.Payload, nil
+}

internal/provider/data_source_boundary_cluster.go

@@ -56,6 +56,11 @@ If a project is not configured in the HCP Provider config block, the oldest proj
 				Type:        schema.TypeString,
 				Computed:    true,
 			},
+			"tier": {
+				Description: "The tier of the Boundary cluster.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
 			"maintenance_window_config": {
 				Type:     schema.TypeList,
 				Computed: true,

internal/provider/data_source_packer_bucket_names.go

@@ -8,7 +8,6 @@ import (
 	"log"
 
 	packermodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2021-04-30/models"
-	sharedmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-shared/v1/models"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -52,18 +51,8 @@ func dataSourcePackerBucketNames() *schema.Resource {
 
 func dataSourcePackerBucketsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*clients.Client)
-
-	projectID, err := GetProjectID(d.Get("project_id").(string), client.Config.ProjectID)
+	loc, err := getAndUpdateLocationResourceData(d, client)
 	if err != nil {
-		return diag.Errorf("unable to retrieve project ID: %v", err)
-	}
-
-	loc := &sharedmodels.HashicorpCloudLocationLocation{
-		OrganizationID: client.Config.OrganizationID,
-		ProjectID:      projectID,
-	}
-
-	if err := setLocationData(d, loc); err != nil {
 		return diag.FromErr(err)
 	}
 

internal/provider/data_source_packer_bucket_names_test.go

@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package provider
 
 import (