From 8cae4354f7be4fa0101aa76bc01509798618ff14 Mon Sep 17 00:00:00 2001 From: Julien Duchesne Date: Wed, 28 Feb 2024 08:15:16 -0500 Subject: [PATCH] Describe the cloud access policy scopes needed for each resource (#1381) Closes https://github.com/grafana/terraform-provider-grafana/issues/1365 --- docs/resources/cloud_access_policy.md | 8 ++++++++ docs/resources/cloud_access_policy_token.md | 8 ++++++++ docs/resources/cloud_api_key.md | 8 ++++++++ docs/resources/cloud_plugin_installation.md | 8 ++++++++ docs/resources/cloud_stack.md | 8 ++++++++ docs/resources/cloud_stack_api_key.md | 6 ++++++ docs/resources/cloud_stack_service_account.md | 9 ++++++--- docs/resources/cloud_stack_service_account_token.md | 9 ++++++--- docs/resources/synthetic_monitoring_installation.md | 6 ++++++ internal/resources/cloud/resource_cloud_access_policy.go | 6 ++++++ .../cloud/resource_cloud_access_policy_token.go | 6 ++++++ internal/resources/cloud/resource_cloud_api_key.go | 6 ++++++ internal/resources/cloud/resource_cloud_plugin.go | 6 ++++++ internal/resources/cloud/resource_cloud_stack.go | 6 ++++++ internal/resources/cloud/resource_cloud_stack_api_key.go | 4 ++++ .../cloud/resource_cloud_stack_service_account.go | 9 ++++++--- .../cloud/resource_cloud_stack_service_account_token.go | 9 ++++++--- .../cloud/resource_synthetic_monitoring_installation.go | 4 ++++ 18 files changed, 114 insertions(+), 12 deletions(-) diff --git a/docs/resources/cloud_access_policy.md b/docs/resources/cloud_access_policy.md index 368b2bd2e..040a2f946 100644 --- a/docs/resources/cloud_access_policy.md +++ b/docs/resources/cloud_access_policy.md 
@@ -4,6 +4,8 @@ page_title: "grafana_cloud_access_policy Resource - terraform-provider-grafana" subcategory: "Cloud" description: |- Official documentation https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/API documentation https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-an-access-policy + Required access policy scopes: + accesspolicies:readaccesspolicies:writeaccesspolicies:delete --- # grafana_cloud_access_policy (Resource) @@ -11,6 +13,12 @@ description: |- * [Official documentation](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/) * [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-an-access-policy) +Required access policy scopes: + +* accesspolicies:read +* accesspolicies:write +* accesspolicies:delete + ## Example Usage ```terraform diff --git a/docs/resources/cloud_access_policy_token.md b/docs/resources/cloud_access_policy_token.md index ed52a027e..97a1bb74d 100644 --- a/docs/resources/cloud_access_policy_token.md +++ b/docs/resources/cloud_access_policy_token.md @@ -4,6 +4,8 @@ page_title: "grafana_cloud_access_policy_token Resource - terraform-provider-gra subcategory: "Cloud" description: |- Official documentation https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/API documentation https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-a-token + Required access policy scopes: + accesspolicies:readaccesspolicies:writeaccesspolicies:delete --- # grafana_cloud_access_policy_token (Resource) 
@@ -11,6 +13,12 @@ description: |- * [Official documentation](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/) * [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-a-token) +Required access policy scopes: + +* accesspolicies:read +* accesspolicies:write +* accesspolicies:delete + ## Example Usage ```terraform diff --git a/docs/resources/cloud_api_key.md b/docs/resources/cloud_api_key.md index 54527612a..b3be45ff3 100644 --- a/docs/resources/cloud_api_key.md +++ b/docs/resources/cloud_api_key.md @@ -6,6 +6,8 @@ description: |- This resource is deprecated and will be removed in a future release. Please use grafanacloudaccess_policy instead. Manages a single API key on the Grafana Cloud portal (on the organization level) * API documentation https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#api-keys + Required access policy scopes: + api-keys:readapi-keys:writeapi-keys:delete --- # grafana_cloud_api_key (Resource) @@ -15,6 +17,12 @@ This resource is deprecated and will be removed in a future release. Please use Manages a single API key on the Grafana Cloud portal (on the organization level) * [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#api-keys) +Required access policy scopes: + +* api-keys:read +* api-keys:write +* api-keys:delete + ## Example Usage ```terraform diff --git a/docs/resources/cloud_plugin_installation.md b/docs/resources/cloud_plugin_installation.md index aa8b454f4..6490aaffb 100644 --- a/docs/resources/cloud_plugin_installation.md +++ b/docs/resources/cloud_plugin_installation.md 
@@ -5,6 +5,8 @@ subcategory: "Cloud" description: |- Manages Grafana Cloud Plugin Installations. Plugin Catalog https://grafana.com/grafana/plugins/ + Required access policy scopes: + stack-plugins:readstack-plugins:writestack-plugins:delete --- # grafana_cloud_plugin_installation (Resource) @@ -13,6 +15,12 @@ Manages Grafana Cloud Plugin Installations. * [Plugin Catalog](https://grafana.com/grafana/plugins/) +Required access policy scopes: + +* stack-plugins:read +* stack-plugins:write +* stack-plugins:delete + ## Example Usage ```terraform diff --git a/docs/resources/cloud_stack.md b/docs/resources/cloud_stack.md index 46dfec378..6a2b414bb 100644 --- a/docs/resources/cloud_stack.md +++ b/docs/resources/cloud_stack.md @@ -4,12 +4,20 @@ page_title: "grafana_cloud_stack Resource - terraform-provider-grafana" subcategory: "Cloud" description: |- Official documentation https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#stacks/ + Required access policy scopes: + stacks:readstacks:writestacks:delete --- # grafana_cloud_stack (Resource) * [Official documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#stacks/) +Required access policy scopes: + +* stacks:read +* stacks:write +* stacks:delete + ## Example Usage ```terraform diff --git a/docs/resources/cloud_stack_api_key.md b/docs/resources/cloud_stack_api_key.md index 119ba7abe..b8be28837 100644 --- a/docs/resources/cloud_stack_api_key.md +++ b/docs/resources/cloud_stack_api_key.md 
@@ -6,6 +6,8 @@ description: |- Manages API keys of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management API key for a new stack HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/auth/ + Required access policy scopes: + stack-api-keys:write !> Deprecated: please use grafana_cloud_stack_service_account and grafana_cloud_stack_service_account_token instead, see https://grafana.com/docs/grafana/next/administration/api-keys/#migrate-api-keys-to-grafana-service-accounts-using-terraform. --- @@ -16,6 +18,10 @@ This can be used to bootstrap a management API key for a new stack * [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/auth/) +Required access policy scopes: + +* stack-api-keys:write + !> Deprecated: please use `grafana_cloud_stack_service_account` and `grafana_cloud_stack_service_account_token` instead, see https://grafana.com/docs/grafana/next/administration/api-keys/#migrate-api-keys-to-grafana-service-accounts-using-terraform. diff --git a/docs/resources/cloud_stack_service_account.md b/docs/resources/cloud_stack_service_account.md index 164cbd8c9..e0145e3a8 100644 --- a/docs/resources/cloud_stack_service_account.md +++ b/docs/resources/cloud_stack_service_account.md 
@@ -3,22 +3,25 @@ page_title: "grafana_cloud_stack_service_account Resource - terraform-provider-grafana" subcategory: "Cloud" description: |- - Note: This resource is available only with Grafana 9.1+. Manages service accounts of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management service account for a new stack Official documentation https://grafana.com/docs/grafana/latest/administration/service-accounts/HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api + Required access policy scopes: + stack-service-accounts:write --- # grafana_cloud_stack_service_account (Resource) -**Note:** This resource is available only with Grafana 9.1+. - Manages service accounts of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management service account for a new stack * [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/) * [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api) +Required access policy scopes: + +* stack-service-accounts:write + ## Example Usage ```terraform diff --git a/docs/resources/cloud_stack_service_account_token.md b/docs/resources/cloud_stack_service_account_token.md index ea4dfe426..40c62b027 100644 --- a/docs/resources/cloud_stack_service_account_token.md +++ b/docs/resources/cloud_stack_service_account_token.md 
@@ -3,22 +3,25 @@ page_title: "grafana_cloud_stack_service_account_token Resource - terraform-provider-grafana" subcategory: "Cloud" description: |- - Note: This resource is available only with Grafana 9.1+. Manages service account tokens of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management service account token for a new stack Official documentation https://grafana.com/docs/grafana/latest/administration/service-accounts/HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api + Required access policy scopes: + stack-service-accounts:write --- # grafana_cloud_stack_service_account_token (Resource) -**Note:** This resource is available only with Grafana 9.1+. - Manages service account tokens of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management service account token for a new stack * [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/) * [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api) +Required access policy scopes: + +* stack-service-accounts:write + ## Example Usage ```terraform diff --git a/docs/resources/synthetic_monitoring_installation.md b/docs/resources/synthetic_monitoring_installation.md index e6c0cedfa..604e6d56c 100644 --- a/docs/resources/synthetic_monitoring_installation.md +++ b/docs/resources/synthetic_monitoring_installation.md 
@@ -8,6 +8,8 @@ description: |- This resource cannot be imported but it can be used on an existing Synthetic Monitoring installation without issues. Note that this resource must be used on a provider configured with Grafana Cloud credentials. Official documentation https://grafana.com/docs/grafana-cloud/monitor-public-endpoints/installation/API documentation https://github.com/grafana/synthetic-monitoring-api-go-client/blob/main/docs/API.md#apiv1registerinstall + Required access policy scopes: + stacks:read --- # grafana_synthetic_monitoring_installation (Resource) @@ -21,6 +23,10 @@ This resource cannot be imported but it can be used on an existing Synthetic Mon * [Official documentation](https://grafana.com/docs/grafana-cloud/monitor-public-endpoints/installation/) * [API documentation](https://github.com/grafana/synthetic-monitoring-api-go-client/blob/main/docs/API.md#apiv1registerinstall) +Required access policy scopes: + +* stacks:read + ## Example Usage ```terraform diff --git a/internal/resources/cloud/resource_cloud_access_policy.go b/internal/resources/cloud/resource_cloud_access_policy.go index f2251de8b..3dd344f95 100644 --- a/internal/resources/cloud/resource_cloud_access_policy.go +++ b/internal/resources/cloud/resource_cloud_access_policy.go @@ -20,6 +20,12 @@ func ResourceAccessPolicy() *schema.Resource { Description: ` * [Official documentation](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/) * [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-an-access-policy) + +Required access policy scopes: + +* accesspolicies:read +* accesspolicies:write +* accesspolicies:delete `, CreateContext: CreateCloudAccessPolicy, diff --git a/internal/resources/cloud/resource_cloud_access_policy_token.go b/internal/resources/cloud/resource_cloud_access_policy_token.go index 40ded7a1f..ed0168bd6 100644 
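Review bot: The bullet list added to the `Description` string in `ResourceAccessPolicy` does not survive into the generated front matter: the docs hunks in this same patch show the `description:` field as `accesspolicies:readaccesspolicies:writeaccesspolicies:delete`, with the three scope names run together. Anyone copying scopes from that summary gets a string that matches no real scope, and failed attempts of that kind may end with a broader policy than the resource needs. A single comma-separated line keeps the names separable in both renderings, e.g. `Required access policy scopes: accesspolicies:read, accesspolicies:write, accesspolicies:delete`. The same applies to the `ResourceAccessPolicyToken`, `ResourceAPIKey`, `ResourcePluginInstallation` and `ResourceStack` hunks; each enclosing function continues outside its hunk.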
--- a/internal/resources/cloud/resource_cloud_access_policy_token.go +++ b/internal/resources/cloud/resource_cloud_access_policy_token.go @@ -19,6 +19,12 @@ func ResourceAccessPolicyToken() *schema.Resource { Description: ` * [Official documentation](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/) * [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#create-a-token) + +Required access policy scopes: + +* accesspolicies:read +* accesspolicies:write +* accesspolicies:delete `, CreateContext: CreateCloudAccessPolicyToken, diff --git a/internal/resources/cloud/resource_cloud_api_key.go b/internal/resources/cloud/resource_cloud_api_key.go index 8659915a0..0722e00f6 100644 --- a/internal/resources/cloud/resource_cloud_api_key.go +++ b/internal/resources/cloud/resource_cloud_api_key.go @@ -20,6 +20,12 @@ func ResourceAPIKey() *schema.Resource { Manages a single API key on the Grafana Cloud portal (on the organization level) * [API documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#api-keys) + +Required access policy scopes: + +* api-keys:read +* api-keys:write +* api-keys:delete `, CreateContext: ResourceAPIKeyCreate, ReadContext: ResourceAPIKeyRead, diff --git a/internal/resources/cloud/resource_cloud_plugin.go b/internal/resources/cloud/resource_cloud_plugin.go index fd270bf3e..c59195732 100644 --- a/internal/resources/cloud/resource_cloud_plugin.go +++ b/internal/resources/cloud/resource_cloud_plugin.go @@ -16,6 +16,12 @@ func ResourcePluginInstallation() *schema.Resource { Manages Grafana Cloud Plugin Installations. * [Plugin Catalog](https://grafana.com/grafana/plugins/) + +Required access policy scopes: + +* stack-plugins:read +* stack-plugins:write +* stack-plugins:delete `, Schema: map[string]*schema.Schema{ "stack_slug": { 
diff --git a/internal/resources/cloud/resource_cloud_stack.go b/internal/resources/cloud/resource_cloud_stack.go index 544ae3f2a..9d2b63614 100644 --- a/internal/resources/cloud/resource_cloud_stack.go +++ b/internal/resources/cloud/resource_cloud_stack.go @@ -33,6 +33,12 @@ func ResourceStack() *schema.Resource { Description: ` * [Official documentation](https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#stacks/) + +Required access policy scopes: + +* stacks:read +* stacks:write +* stacks:delete `, CreateContext: CreateStack, diff --git a/internal/resources/cloud/resource_cloud_stack_api_key.go b/internal/resources/cloud/resource_cloud_stack_api_key.go index 48f9ef6a2..7bd55a2e8 100644 --- a/internal/resources/cloud/resource_cloud_stack_api_key.go +++ b/internal/resources/cloud/resource_cloud_stack_api_key.go @@ -24,6 +24,10 @@ This can be used to bootstrap a management API key for a new stack * [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/auth/) +Required access policy scopes: + +* stack-api-keys:write + !> Deprecated: please use ` + "`grafana_cloud_stack_service_account`" + ` and ` + "`grafana_cloud_stack_service_account_token`" + ` instead, see https://grafana.com/docs/grafana/next/administration/api-keys/#migrate-api-keys-to-grafana-service-accounts-using-terraform. `, diff --git a/internal/resources/cloud/resource_cloud_stack_service_account.go b/internal/resources/cloud/resource_cloud_stack_service_account.go index bd7ee41bc..5f8250055 100644 --- a/internal/resources/cloud/resource_cloud_stack_service_account.go +++ b/internal/resources/cloud/resource_cloud_stack_service_account.go 
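Review bot: The stack API key description lists only `stack-api-keys:write`, while the other resources in this patch list read, write and delete, and nothing in the text says why write alone is enough here. The read and delete handlers are outside the hunk, so it is not visible whether they call the Cloud API with the same token or need something like `stacks:read` to resolve the stack; if they do, a policy built from this list would fail on refresh or destroy. Please confirm against the handlers and either extend the list or, if that is the reason, add a line such as `Read and delete go through the stack's own API and need no additional Cloud scopes.` The same question applies to the `ResourceStackServiceAccount` and `ResourceStackServiceAccountToken` hunks (`stack-service-accounts:write` only, with a `ReadContext` visible) and to the synthetic monitoring hunk, which lists only `stacks:read` for a resource that has a `CreateContext`.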
@@ -21,13 +21,16 @@ func ResourceStackServiceAccount() *schema.Resource { return &schema.Resource{ Description: ` -**Note:** This resource is available only with Grafana 9.1+. - Manages service accounts of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management service account for a new stack * [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/) -* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api)`, +* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api) + +Required access policy scopes: + +* stack-service-accounts:write +`, CreateContext: createStackServiceAccount, ReadContext: readStackServiceAccount, diff --git a/internal/resources/cloud/resource_cloud_stack_service_account_token.go b/internal/resources/cloud/resource_cloud_stack_service_account_token.go index ee06071ed..8d8aa58c2 100644 --- a/internal/resources/cloud/resource_cloud_stack_service_account_token.go +++ b/internal/resources/cloud/resource_cloud_stack_service_account_token.go @@ -16,13 +16,16 @@ import ( func ResourceStackServiceAccountToken() *schema.Resource { return &schema.Resource{ Description: ` -**Note:** This resource is available only with Grafana 9.1+. - Manages service account tokens of a Grafana Cloud stack using the Cloud API This can be used to bootstrap a management service account token for a new stack * [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/) -* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api)`, +* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api) + +Required access policy scopes: + +* stack-service-accounts:write +`, CreateContext: stackServiceAccountTokenCreate, ReadContext: stackServiceAccountTokenRead, 
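Review bot: Both service account hunks also delete the line `**Note:** This resource is available only with Grafana 9.1+.`, which the commit title and description do not mention. If the note is obsolete for Cloud stacks, say so in the commit message; if the constraint still holds, keep the line, because removing it drops a compatibility hint that has nothing to do with access policy scopes. The closing backtick of `Description` also moves onto its own line in both hunks, so the string now ends with a newline, which matches the other resources shown in this patch.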
diff --git a/internal/resources/cloud/resource_synthetic_monitoring_installation.go b/internal/resources/cloud/resource_synthetic_monitoring_installation.go index 85be62c42..f117f39e8 100644 --- a/internal/resources/cloud/resource_synthetic_monitoring_installation.go +++ b/internal/resources/cloud/resource_synthetic_monitoring_installation.go @@ -32,6 +32,10 @@ This resource cannot be imported but it can be used on an existing Synthetic Mon * [Official documentation](https://grafana.com/docs/grafana-cloud/monitor-public-endpoints/installation/) * [API documentation](https://github.com/grafana/synthetic-monitoring-api-go-client/blob/main/docs/API.md#apiv1registerinstall) + +Required access policy scopes: + +* stacks:read `, CreateContext: ResourceInstallationCreate, ReadContext: ResourceInstallationRead,