Adding ACL User resources, data sources and documentation (#405)

* Adding ACL User resources, data sources and documentation

---------

Co-authored-by: Will May <[email protected]>

.github/workflows/terraform_provider.yml

@@ -110,7 +110,7 @@ jobs:
         env:
           REDISCLOUD_ACCESS_KEY: ${{ secrets.REDISCLOUD_ACCESS_KEY_QA }}
           REDISCLOUD_SECRET_KEY: ${{ secrets.REDISCLOUD_SECRET_KEY_QA }}
-          REDISCLOUD_URL: https://api-cloudapi.qa.redislabs.com/v1
+          REDISCLOUD_URL: https://api-k8s-cloudapi.qa.redislabs.com/v1
           AWS_TEST_CLOUD_ACCOUNT_NAME: "${{ secrets.AWS_TEST_CLOUD_ACCOUNT_NAME }}"
           AWS_PEERING_REGION: ${{ secrets.AWS_PEERING_REGION }}
           AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}

GNUmakefile

@@ -9,8 +9,8 @@ PROVIDER_VERSION = 99.99.99
 PLUGINS_PATH = ~/.terraform.d/plugins
 PLUGINS_PROVIDER_PATH=$(PROVIDER_HOSTNAME)/$(PROVIDER_NAMESPACE)/$(PROVIDER_TYPE)/$(PROVIDER_VERSION)/$(PROVIDER_TARGET)
 
-# Use a parallelism of 2 by default for tests, overriding whatever GOMAXPROCS is set to.
-TEST_PARALLELISM?=2
+# Use a parallelism of 4 by default for tests, overriding whatever GOMAXPROCS is set to.
+TEST_PARALLELISM?=4
 TESTARGS?=-short
 
 bin:

docs/data-sources/rediscloud_acl_rule.md

@@ -7,7 +7,8 @@ description: |-
 
 # Data Source: rediscloud_acl_rule
 
-The Rule (a.k.a Redis Rule, Redis ACL) data source allows access to an existing Rule within your Redis Enterprise Cloud Account.
+The Rule (a.k.a Redis Rule, Redis ACL) data source allows access to an existing Rule within your Redis Enterprise Cloud
+Account.
 
 ## Example Usage
 

docs/data-sources/rediscloud_acl_user.md

@@ -0,0 +1,32 @@
+---
+layout: "rediscloud"
+page_title: "Redis Cloud: rediscloud_acl_user"
+description: |-
+  ACL User data source in the Terraform provider Redis Cloud.
+---
+
+# Data Source: rediscloud_acl_user
+
+The User data source allows access to an existing Rule within your Redis Enterprise Cloud Account.
+
+## Example Usage
+
+```hcl
+data "rediscloud_acl_user" "example" {
+  name = "fast-admin-john"
+}
+
+output "rediscloud_acl_user" {
+  value = data.rediscloud_acl_user.example.id
+}
+```
+
+## Argument Reference
+
+* `name` - (Required) The name of the User to filter returned subscriptions
+
+## Attribute reference
+
+* `id` - Identifier of the found User.
+* `name` - The User's name.
+* `role` - The name of the User's Role.

docs/resources/rediscloud_acl_role.md

@@ -12,34 +12,59 @@ Creates a Role in your Redis Enterprise Cloud Account.
 ## Example Usage
 
 ```hcl
-resource "rediscloud_acl_role" "role-resource" {
+resource "rediscloud_acl_role" "role-resource-implicit" {
   name = "fast-admin"
   rules {
-    name = "cache-reader-rule"
+    # An implicit dependency is recommended
+    name = rediscloud_acl_role.cache_reader.name
+    # Implicit dependencies used throughout
     databases {
-      subscription = 123456
-      database = 9829
-      regions = ["us-east-1", "us-east-2"]
+      subscription = rediscloud_active_active_subscription_database.subscription-resource-1.id
+      database     = rediscloud_active_active_subscription_database.database-resource-1.db_id
+      regions      = [
+        for r in rediscloud_active_active_subscription_database.database-resource-1.override_region : r.name
+      ]
+    }
+    databases {
+      subscription = rediscloud_subscription.subscription-resource-2.id
+      database     = rediscloud_subscription_database.database-resource-2.db_id
     }
+  }
+}
+
+resource "rediscloud_acl_role" "role-resource-explicit" {
+  name = "fast-admin"
+  rules {
+    name = "cache-reader"
+    # Active-Active database omitted for brevity
     databases {
       subscription = 123456
-      database = 9830
+      database     = 9830
     }
   }
+  # An explicit resource dependency can be used if preferred
+  depends_on = [
+    rediscloud_acl_rule.cache_reader,
+    rediscloud_subscription.subscription-resource-2,
+    rediscloud_subscription_database.database-resource-2
+  ]
 }
 ```
 
 ## Argument Reference
 
 The following arguments are supported:
 
-* `name` - (Required) A meaningful name for the role. Must be unique. **This can be modified, but since the Role is referred to
-  by name (and not ID), this could break existing references. See the [User](rediscloud_acl_user.md) resource documentation.**
+* `name` - (Required) A meaningful name for the role. Must be unique. **This can be modified, but since the Role is
+  referred to
+  by name (and not ID), this could break existing references. See the [User](rediscloud_acl_user.md) resource
+  documentation.**
 * `rules` - (Required, minimum 1) A list of rule association objects, documented below.
 
 The `rules` list supports:
 
-* `name` (Required) - Name of the Rule.
+* `name` (Required) - Name of the Rule. It is recommended an implicit dependency is used here. `depends_on` could be
+  used instead by waiting for a Rule resource with a matching `name`.
 * `databases` - (Required, minimum 1) a list of database association objects, documented below.
 
 The `databases` list supports:
@@ -48,14 +73,14 @@ The `databases` list supports:
 * `database` (Required) - ID of the database to which the Rule should apply.
 * `regions` (Optional) - For databases in Active/Active subscriptions only, the regions to which the Rule should apply.
 
-
 ### Timeouts
 
-The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions:
+The `timeouts` block allows you to
+specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions:
 
-* `create` - (Defaults to 3 mins) Used when creating the Role.
-* `update` - (Defaults to 3 mins) Used when updating the Role.
-* `delete` - (Defaults to 1 mins) Used when destroying the Role.
+* `create` - (Defaults to 5 mins) Used when creating the Role.
+* `update` - (Defaults to 5 mins) Used when updating the Role.
+* `delete` - (Defaults to 5 mins) Used when destroying the Role.
 
 ## Attribute reference
 
@@ -75,6 +100,7 @@ The `databases` list is made of objects with:
 * `regions` The regions to which the Rule should apply, if appropriate to the database.
 
 ## Import
+
 `rediscloud_acl_role` can be imported using the Identifier of the Role, e.g.
 
 ```

docs/resources/rediscloud_acl_rule.md

@@ -22,17 +22,21 @@ resource "rediscloud_acl_rule" "rule-resource" {
 
 The following arguments are supported:
 
-* `name` - (Required) A meaningful name for the rule. Must be unique. **This can be modified, but since the Rule is referred to
-  by name (and not ID), this could break existing references. See the [Role](rediscloud_acl_role.md) resource documentation.**
-* `rule` - (Required) The ACL rule itself, build up as permissions/restrictions written in the [ACL Syntax](https://docs.redis.com/latest/rc/security/access-control/data-access-control/configure-acls/#define-permissions-with-acl-syntax).
+* `name` - (Required) A meaningful name for the rule. Must be unique. **This can be modified, but since the Rule is
+  referred to
+  by name (and not ID), this could break existing references. See the [Role](rediscloud_acl_role.md) resource
+  documentation.**
+* `rule` - (Required) The ACL rule itself, build up as permissions/restrictions written in
+  the [ACL Syntax](https://docs.redis.com/latest/rc/security/access-control/data-access-control/configure-acls/#define-permissions-with-acl-syntax).
 
 ### Timeouts
 
-The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions:
+The `timeouts` block allows you to
+specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions:
 
-* `create` - (Defaults to 3 mins) Used when creating the Rule.
-* `update` - (Defaults to 3 mins) Used when updating the Rule.
-* `delete` - (Defaults to 1 mins) Used when destroying the Rule.
+* `create` - (Defaults to 5 mins) Used when creating the Rule.
+* `update` - (Defaults to 5 mins) Used when updating the Rule.
+* `delete` - (Defaults to 5 mins) Used when destroying the Rule.
 
 ## Attribute reference
 
@@ -41,6 +45,7 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 * `rule` - The ACL Rule itself.
 
 ## Import
+
 `rediscloud_acl_rule` can be imported using the Identifier of the Rule, e.g.
 
 ```

docs/resources/rediscloud_acl_user.md

@@ -0,0 +1,69 @@
+---
+layout: "rediscloud"
+page_title: "Redis Cloud: rediscloud_acl_user"
+description: |-
+  ACL User resource in the Terraform provider Redis Cloud.
+---
+
+# Resource: rediscloud_acl_user
+
+Creates a User in your Redis Enterprise Cloud Account.
+
+## Example Usage
+
+```hcl
+resource "rediscloud_acl_user" "user-resource-implicit" {
+  name     = "fast-admin-john"
+  # An implicit dependency is recommended
+  role     = rediscloud_acl_role.fast_admin.name
+  password = "mY.passw0rd"
+}
+
+resource "rediscloud_acl_user" "user-resource-explicit" {
+  name     = "fast-admin-john"
+  role     = "fast-admin"
+  password = "mY.passw0rd"
+
+  # An explicit resource dependency can be used if preferred
+  depends_on = [
+    rediscloud_acl_role.fast_admin
+  ]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required, change forces recreation) A meaningful name for the User. Must be unique. An error occurs if a
+  user tries to connect to
+  a `memcached` database with the username `admin`.
+* `role` - (Required) The name of the Role held by the User. It is recommended an implicit dependency is used
+  here. `depends_on` could be used instead by waiting for a Role resource with a matching `name`.
+* `password` - (Required, change forces recreation) The password for this ACL User. Must contain a lower-case letter, a
+  upper-case letter, a
+  number and a special character. Can be updated but since it is not returned by the API, we have no way of detecting
+  drift, so the entity would be entirely replaced. Take special care with multiple versions of Terraform State.
+
+### Timeouts
+
+The `timeouts` block allows you to
+specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions:
+
+* `create` - (Defaults to 5 mins) Used when creating the User.
+* `update` - (Defaults to 5 mins) Used when updating the User.
+* `delete` - (Defaults to 5 mins) Used when destroying the User.
+
+## Attribute reference
+
+* `id` - Identifier of the User created.
+* `name` - The User's name.
+* `role` - The User's role name.
+
+## Import
+
+`rediscloud_acl_user` can be imported using the Identifier of the User, e.g.
+
+```
+$ terraform import rediscloud_acl_user.user-resource 123456
+```

go.mod

@@ -3,7 +3,7 @@ module github.com/RedisLabs/terraform-provider-rediscloud
 go 1.19
 
 require (
-	github.com/RedisLabs/rediscloud-go-api v0.5.1
+	github.com/RedisLabs/rediscloud-go-api v0.5.2
 	github.com/bflad/tfproviderlint v0.29.0
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.26.1

go.sum

@@ -7,8 +7,8 @@ github.com/Microsoft/go-winio v0.4.16 h1:FtSW/jqD+l4ba5iPBj9CODVtgfYAD8w2wS923g/
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
 github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 h1:YoJbenK9C67SkzkDfmQuVln04ygHj3vjZfd9FL+GmQQ=
 github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
-github.com/RedisLabs/rediscloud-go-api v0.5.1 h1:3g+qhS5U3arNO890go17DyAbDseZuxTLEewASRMofu8=
-github.com/RedisLabs/rediscloud-go-api v0.5.1/go.mod h1:cfuU+p/rgB+TObm0cq+AkyxwXWra8JOrPLKKj+nv7lM=
+github.com/RedisLabs/rediscloud-go-api v0.5.2 h1:wwfUEbrH2oMOwk32ZLQpu/cVYpAgHsp1oqX40+ro/ns=
+github.com/RedisLabs/rediscloud-go-api v0.5.2/go.mod h1:cfuU+p/rgB+TObm0cq+AkyxwXWra8JOrPLKKj+nv7lM=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=

provider/datasource_rediscloud_acl_role.go

@@ -11,7 +11,7 @@ import (
 
 func dataSourceRedisCloudAclRole() *schema.Resource {
 	return &schema.Resource{
-		Description: "The ACL Role grants a number of permissions to databases.",
+		Description: "The ACL Role grants a number of permissions to databases",
 		ReadContext: dataSourceRedisCloudAclRoleRead,
 
 		Schema: map[string]*schema.Schema{
@@ -21,34 +21,34 @@ func dataSourceRedisCloudAclRole() *schema.Resource {
 				Required:    true,
 			},
 			"rules": {
-				Description: "This Role's permissions and the databases to which they apply.",
+				Description: "This Role's permissions and the databases to which they apply",
 				Type:        schema.TypeSet,
 				Computed:    true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"name": {
-							Description: "The name of the Rule.",
+							Description: "The name of the Rule",
 							Type:        schema.TypeString,
 							Computed:    true,
 						},
 						"databases": {
-							Description: "The databases to which this Rule applies.",
+							Description: "The databases to which this Rule applies",
 							Type:        schema.TypeSet,
 							Computed:    true,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"subscription": {
-										Description: "The name of the Rule.",
+										Description: "The name of the Rule",
 										Type:        schema.TypeInt,
 										Computed:    true,
 									},
 									"database": {
-										Description: "The databases to which this Rule applies.",
+										Description: "The databases to which this Rule applies",
 										Type:        schema.TypeInt,
 										Computed:    true,
 									},
 									"regions": {
-										Description: "The regional deployments of this database to which the Rule applies. Only relevant to Active/Active databases, otherwise omit.",
+										Description: "The regional deployments of this database to which the Rule applies. Only relevant to Active/Active databases, otherwise omit",
 										Type:        schema.TypeSet,
 										Computed:    true,
 										Elem: &schema.Schema{

provider/datasource_rediscloud_acl_rule.go

@@ -11,7 +11,7 @@ import (
 
 func dataSourceRedisCloudAclRule() *schema.Resource {
 	return &schema.Resource{
-		Description: "The ACL Rule (known also as RedisRule) allows fine-grained permissions to be assigned to a subset of ACL Users.",
+		Description: "The ACL Rule (known also as RedisRule) allows fine-grained permissions to be assigned to a subset of ACL Users",
 		ReadContext: dataSourceRedisCloudAclRuleRead,
 
 		Schema: map[string]*schema.Schema{