Feature: add policy to resource definition

.github/workflows/ci.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - main
+      - feature/add-policy-to-resource-definition
     paths-ignore:
        - 'README.md'
 
@@ -15,6 +16,7 @@ on:
       - 'README.md'
     branches:
       - main
+      - feature/add-policy-to-resource-definition
 
 # Ensures only 1 action runs per PR and previous is canceled on new trigger
 concurrency:
@@ -118,7 +120,7 @@ jobs:
     name: Matrix Acceptance Tests
     needs: build
     runs-on: ubuntu-latest
-    if: "!github.event.pull_request.head.repo.fork"
+#    if: "!github.event.pull_request.head.repo.fork"
     timeout-minutes: 15
     strategy:
       fail-fast: false
@@ -169,7 +171,7 @@ jobs:
 
   cleanup:
     name: Cleanup
-    if: "!github.event.pull_request.head.repo.fork"
+#    if: "!github.event.pull_request.head.repo.fork"
     needs: tests-acceptance
     runs-on: ubuntu-latest
     timeout-minutes: 15

docs/resources/resource.md

@@ -26,10 +26,18 @@ resource "twingate_group" "aws" {
   name = "aws_group"
 }
 
+resource "twingate_group" "devops" {
+  name = "DevOps"
+}
+
 resource "twingate_service_account" "github_actions_prod" {
   name = "Github Actions PROD"
 }
 
+data "twingate_security_policy" "mfa" {
+  name = "Default Policy"
+}
+
 data "twingate_security_policy" "test_policy" {
   name = "Test Policy"
 }
@@ -41,19 +49,26 @@ resource "twingate_resource" "resource" {
 
   security_policy_id = data.twingate_security_policy.test_policy.id
 
-  protocols {
+  protocols = {
     allow_icmp = true
-    tcp  {
+    tcp = {
       policy = "RESTRICTED"
       ports = ["80", "82-83"]
     }
-    udp {
+    udp = {
       policy = "ALLOW_ALL"
     }
   }
 
+  dynamic "access" {
+    for_each = [twingate_group.devops.id, twingate_group.aws.id]
+    content {
+      security_policy_id = data.twingate_security_policy.mfa.id
+      group_id = access.value
+    }
+  }
+
   access {
-    group_ids = [twingate_group.aws.id]
     service_account_ids = [twingate_service_account.github_actions_prod.id]
   }
 }
@@ -70,13 +85,13 @@ resource "twingate_resource" "resource" {
 
 ### Optional
 
-- `access` (Block List, Max: 1) Restrict access to certain groups or service accounts (see [below for nested schema](#nestedblock--access))
+- `access` (Block Set) Restrict access to certain groups or service accounts (see [below for nested schema](#nestedblock--access))
 - `alias` (String) Set a DNS alias address for the Resource. Must be a DNS-valid name string.
 - `is_authoritative` (Boolean) Determines whether assignments in the access block will override any existing assignments. Default is `true`. If set to `false`, assignments made outside of Terraform will be ignored.
-- `is_browser_shortcut_enabled` (Boolean) Controls whether an "Open in Browser" shortcut will be shown for this Resource in the Twingate Client.
-- `is_visible` (Boolean) Controls whether this Resource will be visible in the main Resource list in the Twingate Client.
-- `protocols` (Block List, Max: 1) Restrict access to certain protocols and ports. By default or when this argument is not defined, there is no restriction, and all protocols and ports are allowed. (see [below for nested schema](#nestedblock--protocols))
-- `security_policy_id` (String) The ID of a `twingate_security_policy` to set as this Resource's Security Policy. Default is `Default Policy`
+- `is_browser_shortcut_enabled` (Boolean) Controls whether an "Open in Browser" shortcut will be shown for this Resource in the Twingate Client. Default is false.
+- `is_visible` (Boolean) Controls whether this Resource will be visible in the main Resource list in the Twingate Client. Default is true.
+- `protocols` (Attributes) Restrict access to certain protocols and ports. By default or when this argument is not defined, there is no restriction, and all protocols and ports are allowed. (see [below for nested schema](#nestedatt--protocols))
+- `security_policy_id` (String) The ID of a `twingate_security_policy` to set as this Resource's Security Policy. Default is `Default Policy`.
 
 ### Read-Only
 
@@ -87,44 +102,36 @@ resource "twingate_resource" "resource" {
 
 Optional:
 
-- `group_ids` (Set of String) List of Group IDs that will have permission to access the Resource.
+- `group_id` (String) Group ID that will have permission to access the Resource.
+- `security_policy_id` (String) The ID of a twingate_security_policy to use as the access policy for the group IDs in the access block
 - `service_account_ids` (Set of String) List of Service Account IDs that will have permission to access the Resource.
 
 
-<a id="nestedblock--protocols"></a>
+<a id="nestedatt--protocols"></a>
 ### Nested Schema for `protocols`
 
-Required:
-
-- `tcp` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--protocols--tcp))
-- `udp` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--protocols--udp))
-
 Optional:
 
 - `allow_icmp` (Boolean) Whether to allow ICMP (ping) traffic
+- `tcp` (Attributes) (see [below for nested schema](#nestedatt--protocols--tcp))
+- `udp` (Attributes) (see [below for nested schema](#nestedatt--protocols--udp))
 
-<a id="nestedblock--protocols--tcp"></a>
+<a id="nestedatt--protocols--tcp"></a>
 ### Nested Schema for `protocols.tcp`
 
-Required:
-
-- `policy` (String) Whether to allow or deny all ports, or restrict protocol access within certain port ranges: Can be `RESTRICTED` (only listed ports are allowed), `ALLOW_ALL`, or `DENY_ALL`
-
 Optional:
 
-- `ports` (List of String) List of port ranges between 1 and 65535 inclusive, in the format `100-200` for a range, or `8080` for a single port
+- `policy` (String) Whether to allow or deny all ports, or restrict protocol access within certain port ranges: Can be `RESTRICTED` (only listed ports are allowed), `ALLOW_ALL`, or `DENY_ALL`
+- `ports` (Set of String) List of port ranges between 1 and 65535 inclusive, in the format `100-200` for a range, or `8080` for a single port
 
 
-<a id="nestedblock--protocols--udp"></a>
+<a id="nestedatt--protocols--udp"></a>
 ### Nested Schema for `protocols.udp`
 
-Required:
-
-- `policy` (String) Whether to allow or deny all ports, or restrict protocol access within certain port ranges: Can be `RESTRICTED` (only listed ports are allowed), `ALLOW_ALL`, or `DENY_ALL`
-
 Optional:
 
-- `ports` (List of String) List of port ranges between 1 and 65535 inclusive, in the format `100-200` for a range, or `8080` for a single port
+- `policy` (String) Whether to allow or deny all ports, or restrict protocol access within certain port ranges: Can be `RESTRICTED` (only listed ports are allowed), `ALLOW_ALL`, or `DENY_ALL`
+- `ports` (Set of String) List of port ranges between 1 and 65535 inclusive, in the format `100-200` for a range, or `8080` for a single port
 
 ## Import
 

examples/resources/twingate_resource/resource.tf

@@ -11,10 +11,18 @@ resource "twingate_group" "aws" {
   name = "aws_group"
 }
 
+resource "twingate_group" "devops" {
+  name = "DevOps"
+}
+
 resource "twingate_service_account" "github_actions_prod" {
   name = "Github Actions PROD"
 }
 
+data "twingate_security_policy" "mfa" {
+  name = "Default Policy"
+}
+
 data "twingate_security_policy" "test_policy" {
   name = "Test Policy"
 }
@@ -26,19 +34,26 @@ resource "twingate_resource" "resource" {
 
   security_policy_id = data.twingate_security_policy.test_policy.id
 
-  protocols {
+  protocols = {
     allow_icmp = true
-    tcp  {
+    tcp = {
       policy = "RESTRICTED"
       ports = ["80", "82-83"]
     }
-    udp {
+    udp = {
       policy = "ALLOW_ALL"
     }
   }
 
+  dynamic "access" {
+    for_each = [twingate_group.devops.id, twingate_group.aws.id]
+    content {
+      security_policy_id = data.twingate_security_policy.mfa.id
+      group_id = access.value
+    }
+  }
+
   access {
-    group_ids = [twingate_group.aws.id]
     service_account_ids = [twingate_service_account.github_actions_prod.id]
   }
 }

go.mod

@@ -11,8 +11,6 @@ require (
 	github.com/hashicorp/terraform-plugin-framework v1.4.2
 	github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
 	github.com/hashicorp/terraform-plugin-go v0.19.1
-	github.com/hashicorp/terraform-plugin-mux v0.12.0
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0
 	github.com/hashicorp/terraform-plugin-testing v1.5.1
 	github.com/hasura/go-graphql-client v0.10.0
 	github.com/iancoleman/strcase v0.3.0
@@ -57,6 +55,7 @@ require (
 	github.com/hashicorp/terraform-exec v0.19.0 // indirect
 	github.com/hashicorp/terraform-json v0.17.1 // indirect
 	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect

go.sum

@@ -158,8 +158,6 @@ github.com/hashicorp/terraform-plugin-go v0.19.1 h1:lf/jTGTeELcz5IIbn/94mJdmnTjR
 github.com/hashicorp/terraform-plugin-go v0.19.1/go.mod h1:5NMIS+DXkfacX6o5HCpswda5yjkSYfKzn1Nfl9l+qRs=
 github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0=
 github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow=
-github.com/hashicorp/terraform-plugin-mux v0.12.0 h1:TJlmeslQ11WlQtIFAfth0vXx+gSNgvMEng2Rn9z3WZY=
-github.com/hashicorp/terraform-plugin-mux v0.12.0/go.mod h1:8MR0AgmV+Q03DIjyrAKxXyYlq2EUnYBQP8gxAAA0zeM=
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0 h1:X7vB6vn5tON2b49ILa4W7mFAsndeqJ7bZFOGbVO+0Cc=
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0/go.mod h1:ydFcxbdj6klCqYEPkPvdvFKiNGKZLUs+896ODUXCyao=
 github.com/hashicorp/terraform-plugin-testing v1.5.1 h1:T4aQh9JAhmWo4+t1A7x+rnxAJHCDIYW9kXyo4sVO92c=

golangci.yml

@@ -22,6 +22,8 @@ linters-settings:
       - github.com/hashicorp/terraform-plugin-framework/datasource.DataSource
       - github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier.Set
       - github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier.Bool
+      - github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier.String
+      - github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier.Object
   errcheck:
     check-type-assertions: false
     check-blank: false

main.go

@@ -6,52 +6,27 @@ import (
 	"log"
 
 	"github.com/Twingate/terraform-provider-twingate/twingate"
-	twingateV2 "github.com/Twingate/terraform-provider-twingate/twingate/v2"
-	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
-	"github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server"
-
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
-	"github.com/hashicorp/terraform-plugin-mux/tf5to6server"
-	"github.com/hashicorp/terraform-plugin-mux/tf6muxserver"
 )
 
 var (
 	version = "dev"
 )
 
+const registry = "registry.terraform.io/Twingate/twingate"
+
 func main() {
 	var debug bool
 
 	flag.BoolVar(&debug, "debug", false, "set to true to run the provider with support for debuggers")
 	flag.Parse()
 
-	ctx := context.Background()
-	upgradedSdkProvider, err := tf5to6server.UpgradeServer(ctx, twingate.Provider(version).GRPCProvider)
-	if err != nil {
-		log.Fatal(err)
-	}
-	providers := []func() tfprotov6.ProviderServer{
-		func() tfprotov6.ProviderServer {
-			return upgradedSdkProvider
+	err := providerserver.Serve(context.Background(), twingate.New(version),
+		providerserver.ServeOpts{
+			Debug:           debug,
+			Address:         registry,
+			ProtocolVersion: 6,
 		},
-		providerserver.NewProtocol6(twingateV2.New(version)()),
-	}
-
-	muxServer, err := tf6muxserver.NewMuxServer(ctx, providers...)
-
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	var serveOpts []tf6server.ServeOpt
-	if debug {
-		serveOpts = append(serveOpts, tf6server.WithManagedDebug())
-	}
-
-	err = tf6server.Serve(
-		"registry.terraform.io/Twingate/twingate",
-		muxServer.ProviderServer,
-		serveOpts...,
 	)
 
 	if err != nil {

twingate/internal/attr/common.go

@@ -6,4 +6,5 @@ const (
 	RemoteNetworkID = "remote_network_id"
 	Type            = "type"
 	IsActive        = "is_active"
+	GroupIDs        = "group_ids"
 )

twingate/internal/attr/helper.go

@@ -5,6 +5,7 @@ import "strings"
 const (
 	attrFirstElement  = ".0"
 	attrPathSeparator = ".0."
+	attrSeparator     = "."
 	attrLenSymbol     = ".#"
 )
 
@@ -18,10 +19,24 @@ func First(attributes ...string) string {
 	return attr + attrFirstElement
 }
 
+func FirstAttr(attributes ...string) string {
+	attr := PathAttr(attributes...)
+
+	if attr == "" {
+		return ""
+	}
+
+	return attr + attrFirstElement
+}
+
 func Path(attributes ...string) string {
 	return strings.Join(attributes, attrPathSeparator)
 }
 
+func PathAttr(attributes ...string) string {
+	return strings.Join(attributes, attrSeparator)
+}
+
 func Len(attributes ...string) string {
 	attr := Path(attributes...)
 
@@ -31,3 +46,13 @@ func Len(attributes ...string) string {
 
 	return attr + attrLenSymbol
 }
+
+func LenAttr(attributes ...string) string {
+	attr := PathAttr(attributes...)
+
+	if attr == "" {
+		return ""
+	}
+
+	return attr + attrLenSymbol
+}

twingate/internal/attr/resource.go

@@ -2,7 +2,7 @@ package attr
 
 const (
 	Access                   = "access"
-	GroupIDs                 = "group_ids"
+	GroupID                  = "group_id"
 	ServiceAccountIDs        = "service_account_ids"
 	IsAuthoritative          = "is_authoritative"
 	Policy                   = "policy"

twingate/internal/client/query/resource-create.go

@@ -1,7 +1,7 @@
 package query
 
 type CreateResource struct {
-	ResourceEntityResponse `graphql:"resourceCreate(name: $name, address: $address, remoteNetworkId: $remoteNetworkId, groupIds: $groupIds, protocols: $protocols, isVisible: $isVisible, isBrowserShortcutEnabled: $isBrowserShortcutEnabled, alias: $alias, securityPolicyId: $securityPolicyId)"`
+	ResourceEntityResponse `graphql:"resourceCreate(name: $name, address: $address, remoteNetworkId: $remoteNetworkId, protocols: $protocols, isVisible: $isVisible, isBrowserShortcutEnabled: $isBrowserShortcutEnabled, alias: $alias, securityPolicyId: $securityPolicyId)"`
 }
 
 func (q CreateResource) IsEmpty() bool {