feat(opensearch): security plugin (#1341)

CHANGELOG.md

@@ -13,6 +13,7 @@ nav_order: 1
 - Fix service IP filters normalization
 - Fix improper omitting in `ToAPI`
 - Fix Kafka Topic perfomance
+- Add OpenSearch Security Plugin support (`aiven_opensearch_security_plugin_config` resource)
 
 ## [4.8.1] - 2023-08-23
 

docs/data-sources/opensearch_security_plugin_config.md

@@ -0,0 +1,36 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "aiven_opensearch_security_plugin_config Data Source - terraform-provider-aiven"
+subcategory: ""
+description: |-
+  The OpenSearch Security Plugin Config data source provides information about an existing Aiven OpenSearch Security Plugin Config.
+---
+
+# aiven_opensearch_security_plugin_config (Data Source)
+
+The OpenSearch Security Plugin Config data source provides information about an existing Aiven OpenSearch Security Plugin Config.
+
+## Example Usage
+
+```terraform
+data "aiven_opensearch_security_plugin_config" "os-sec-config" {
+  project      = aiven_project.os-project.project
+  service_name = aiven_opensearch.os.service_name
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project` (String) Identifies the project this resource belongs to. To set up proper dependencies please refer to this variable as a reference. This property cannot be changed, doing so forces recreation of the resource.
+- `service_name` (String) Specifies the name of the service that this resource belongs to. To set up proper dependencies please refer to this variable as a reference. This property cannot be changed, doing so forces recreation of the resource.
+
+### Read-Only
+
+- `admin_enabled` (Boolean) Whether the os-sec-admin user is enabled. This indicates whether the user management with the security plugin is enabled. This is always true when the os-sec-admin password was set at least once.
+- `admin_password` (String, Sensitive) The password for the os-sec-admin user.
+- `available` (Boolean) Whether the security plugin is available. This is always true for recently created services.
+- `enabled` (Boolean) Whether the security plugin is enabled. This is always true for recently created services.
+- `id` (String) The ID of this resource.

docs/resources/opensearch_acl_config.md

@@ -3,18 +3,18 @@
 page_title: "aiven_opensearch_acl_config Resource - terraform-provider-aiven"
 subcategory: ""
 description: |-
-  The OpenSearch resource allows the creation and management of Aiven OpenSearch services.
+  The OpenSearch ACL Config resource allows the creation and management of Aiven OpenSearch ACLs.
 ---
 
 # aiven_opensearch_acl_config (Resource)
 
-The OpenSearch resource allows the creation and management of Aiven OpenSearch services.
+The OpenSearch ACL Config resource allows the creation and management of Aiven OpenSearch ACLs.
 
 ## Example Usage
 
 ```terraform
 data "aiven_project" "foo" {
-		  project = "example_project"
+  project = "example_project"
 }
 
 resource "aiven_opensearch" "bar" {

docs/resources/opensearch_security_plugin_config.md

@@ -0,0 +1,79 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "aiven_opensearch_security_plugin_config Resource - terraform-provider-aiven"
+subcategory: ""
+description: |-
+  The OpenSearch Security Plugin Config resource allows the creation and management of AivenOpenSearch Security Plugin config.
+---
+
+# aiven_opensearch_security_plugin_config (Resource)
+
+The OpenSearch Security Plugin Config resource allows the creation and management of AivenOpenSearch Security Plugin config.
+
+## Example Usage
+
+```terraform
+data "aiven_project" "foo" {
+  project = "example_project"
+}
+
+resource "aiven_opensearch" "bar" {
+  project                 = data.aiven_project.foo.project
+  cloud_name              = "google-europe-west1"
+  plan                    = "startup-4"
+  service_name            = "example_service_name"
+  maintenance_window_dow  = "monday"
+  maintenance_window_time = "10:00:00"
+}
+
+resource "aiven_opensearch_user" "foo" {
+  service_name = aiven_opensearch.bar.service_name
+  project      = data.aiven_project.foo.project
+  username     = "user-example"
+}
+
+resource "aiven_opensearch_security_config" "foo" {
+  project        = data.aiven_project.foo.project
+  service_name   = aiven_opensearch.bar.service_name
+  admin_password = "ThisIsATest123^=^"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `admin_password` (String, Sensitive) The password for the os-sec-admin user.
+- `project` (String) Identifies the project this resource belongs to. To set up proper dependencies please refer to this variable as a reference. This property cannot be changed, doing so forces recreation of the resource.
+- `service_name` (String) Specifies the name of the service that this resource belongs to. To set up proper dependencies please refer to this variable as a reference. This property cannot be changed, doing so forces recreation of the resource.
+
+### Optional
+
+- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-Only
+
+- `admin_enabled` (Boolean) Whether the os-sec-admin user is enabled. This indicates whether the user management with the security plugin is enabled. This is always true when the os-sec-admin password was set at least once.
+- `available` (Boolean) Whether the security plugin is available. This is always true for recently created services.
+- `enabled` (Boolean) Whether the security plugin is enabled. This is always true for recently created services.
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String)
+- `default` (String)
+- `delete` (String)
+- `read` (String)
+- `update` (String)
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import aiven_opensearch_security_plugin_config.foo project/service_name
+```

examples/data-sources/aiven_opensearch_security_plugin_config/data-source.tf

@@ -0,0 +1,4 @@
+data "aiven_opensearch_security_plugin_config" "os-sec-config" {
+  project      = aiven_project.os-project.project
+  service_name = aiven_opensearch.os.service_name
+}

examples/resources/aiven_opensearch_acl_config/resource.tf

@@ -1,5 +1,5 @@
 data "aiven_project" "foo" {
-		  project = "example_project"
+  project = "example_project"
 }
 
 resource "aiven_opensearch" "bar" {

examples/resources/aiven_opensearch_security_plugin_config/import.sh

@@ -0,0 +1 @@
+terraform import aiven_opensearch_security_plugin_config.foo project/service_name

examples/resources/aiven_opensearch_security_plugin_config/resource.tf

@@ -0,0 +1,24 @@
+data "aiven_project" "foo" {
+  project = "example_project"
+}
+
+resource "aiven_opensearch" "bar" {
+  project                 = data.aiven_project.foo.project
+  cloud_name              = "google-europe-west1"
+  plan                    = "startup-4"
+  service_name            = "example_service_name"
+  maintenance_window_dow  = "monday"
+  maintenance_window_time = "10:00:00"
+}
+
+resource "aiven_opensearch_user" "foo" {
+  service_name = aiven_opensearch.bar.service_name
+  project      = data.aiven_project.foo.project
+  username     = "user-example"
+}
+
+resource "aiven_opensearch_security_config" "foo" {
+  project        = data.aiven_project.foo.project
+  service_name   = aiven_opensearch.bar.service_name
+  admin_password = "ThisIsATest123^=^"
+}

internal/schemautil/helpers.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/aiven/aiven-go-client"
 	"github.com/docker/go-units"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 )
 
 // ResourceStateOrResourceDiff either *schema.ResourceState or *schema.ResourceDiff
@@ -178,3 +179,16 @@ func DetermineMixedOrganizationConstraintIDToStore(
 
 	return r.Account.OrganizationId, nil
 }
+
+// StringToDiagWarning is a function that converts a string to a diag warning.
+func StringToDiagWarning(msg string) diag.Diagnostics {
+	return diag.Diagnostics{{
+		Severity: diag.Warning,
+		Summary:  msg,
+	}}
+}
+
+// ErrorToDiagWarning is a function that converts an error to a diag warning.
+func ErrorToDiagWarning(err error) diag.Diagnostics {
+	return StringToDiagWarning(err.Error())
+}

internal/sdkprovider/provider/provider.go

@@ -118,10 +118,11 @@ func Provider(version string) *schema.Provider {
 			"aiven_flink_application_version": flink.DatasourceFlinkApplicationVersion(),
 
 			// opensearch
-			"aiven_opensearch":            opensearch.DatasourceOpenSearch(),
-			"aiven_opensearch_user":       opensearch.DatasourceOpenSearchUser(),
-			"aiven_opensearch_acl_config": opensearch.DatasourceOpenSearchACLConfig(),
-			"aiven_opensearch_acl_rule":   opensearch.DatasourceOpenSearchACLRule(),
+			"aiven_opensearch":                        opensearch.DatasourceOpenSearch(),
+			"aiven_opensearch_user":                   opensearch.DatasourceOpenSearchUser(),
+			"aiven_opensearch_acl_config":             opensearch.DatasourceOpenSearchACLConfig(),
+			"aiven_opensearch_acl_rule":               opensearch.DatasourceOpenSearchACLRule(),
+			"aiven_opensearch_security_plugin_config": opensearch.DatasourceOpenSearchSecurityPluginConfig(),
 
 			// kafka
 			"aiven_kafka":                        kafka.DatasourceKafka(),
@@ -217,10 +218,11 @@ func Provider(version string) *schema.Provider {
 			"aiven_flink_application_deployment": flink.ResourceFlinkApplicationDeployment(),
 
 			// opensearch
-			"aiven_opensearch":            opensearch.ResourceOpenSearch(),
-			"aiven_opensearch_user":       opensearch.ResourceOpenSearchUser(),
-			"aiven_opensearch_acl_config": opensearch.ResourceOpenSearchACLConfig(),
-			"aiven_opensearch_acl_rule":   opensearch.ResourceOpenSearchACLRule(),
+			"aiven_opensearch":                        opensearch.ResourceOpenSearch(),
+			"aiven_opensearch_user":                   opensearch.ResourceOpenSearchUser(),
+			"aiven_opensearch_acl_config":             opensearch.ResourceOpenSearchACLConfig(),
+			"aiven_opensearch_acl_rule":               opensearch.ResourceOpenSearchACLRule(),
+			"aiven_opensearch_security_plugin_config": opensearch.ResourceOpenSearchSecurityPluginConfig(),
 
 			// kafka
 			"aiven_kafka":                        kafka.ResourceKafka(),

internal/sdkprovider/service/opensearch/opensearch_acl_config.go

@@ -1,3 +1,4 @@
+// Package opensearch implements the Aiven OpenSearch service.
 package opensearch
 
 import (
@@ -30,7 +31,7 @@ var aivenOpenSearchACLConfigSchema = map[string]*schema.Schema{
 
 func ResourceOpenSearchACLConfig() *schema.Resource {
 	return &schema.Resource{
-		Description:   "The OpenSearch resource allows the creation and management of Aiven OpenSearch services.",
+		Description:   "The OpenSearch ACL Config resource allows the creation and management of Aiven OpenSearch ACLs.",
 		CreateContext: resourceOpenSearchACLConfigUpdate,
 		ReadContext:   resourceOpenSearchACLConfigRead,
 		UpdateContext: resourceOpenSearchACLConfigUpdate,