feat(iam, secretsmanager): add secretsmanager IAM rolebinding resources

[rubenhoenle]

Description

relates to STACKITTPR-497

---

IAM role binding API

This PR introduces the IAM role binding resources for the secretsmanager API. More services will adopt the role binding API in the future, so I've chosen a pretty generic approach for the implementation which allows us to implement further role binding resources with as little as possible effort.

Note: The IAM role binding API is a standardized API, so all upcoming role binding resources will look exactly the same. That's why using a generic approach is even possible at all 😅

Implementation of new role binding resource

Due to the generic implementation you only have to define some callback functions when implementing another role binding resource. It's pretty straightforward and is only ~40 lines of code.

terraform-provider-stackit/stackit/internal/services/iam/rolebindings/services/secretsmanager/secret_group.go

Lines 13 to 51 in 9df5f98

	func NewSecretsmanagerSecretGroupRoleBindingResource() resource.Resource {
	return &generic.RoleBindingResource[secretsmanagerV1Alpha.APIClient]{
	ApiName: "secretsmanager",
	ResourceType: "secret_group",
	ApiClientFactory: secretsmanagerUtils.ConfigureV1AlphaClient,
	ExecCreateRequest: func(ctx context.Context, client *secretsmanagerV1Alpha.APIClient, region, resourceId, role, subject string) (generic.GenericRoleBindingResponse, error) {
	payload := secretsmanagerV1Alpha.AddSecretGroupRoleBindingsPayload{
	Role: role,
	Subject: subject,
	}
	return client.DefaultAPI.AddSecretGroupRoleBindings(ctx, region, resourceId).AddSecretGroupRoleBindingsPayload(payload).Execute()
	},
	ExecReadRequest: func(ctx context.Context, client *secretsmanagerV1Alpha.APIClient, region, resourceId, role, subject string) (generic.GenericRoleBindingResponse, error) {
	payload := secretsmanagerV1Alpha.GetSecretGroupRoleBindingsPayload{
	Role: role,
	Subject: subject,
	}
	return client.DefaultAPI.GetSecretGroupRoleBindings(ctx, region, resourceId).GetSecretGroupRoleBindingsPayload(payload).Execute()
	},
	ExecUpdateRequest: func(ctx context.Context, client *secretsmanagerV1Alpha.APIClient, region, resourceId, role, subject string) (generic.GenericRoleBindingResponse, error) {
	payload := secretsmanagerV1Alpha.EditSecretGroupRoleBindingsPayload{
	Role: role,
	Subject: subject,
	}
	return client.DefaultAPI.EditSecretGroupRoleBindings(ctx, region, resourceId).EditSecretGroupRoleBindingsPayload(payload).Execute()
	},
	ExecDeleteRequest: func(ctx context.Context, client *secretsmanagerV1Alpha.APIClient, region, resourceId, role, subject string) error {
	payload := secretsmanagerV1Alpha.RemoveSecretGroupRoleBindingsPayload{
	Role: role,
	Subject: subject,
	}
	return client.DefaultAPI.RemoveSecretGroupRoleBindings(ctx, region, resourceId).RemoveSecretGroupRoleBindingsPayload(payload).Execute()
	},
	}
	}

These two lines below determine the name of your resource, e.g. here it would be stackit_secretsmanager_instance_role_binding

terraform-provider-stackit/stackit/internal/services/iam/rolebindings/services/secretsmanager/secret_group.go

Lines 15 to 16 in 9df5f98

	ApiName: "secretsmanager",
	ResourceType: "secret_group",

Acceptance tests for new role binding resource

For the acceptance tests I implemented a builder pattern which allows us to implement the tests for every resource without duplicating all the boilerplate code every time.

This is how to implement an acceptance test for the stackit_secretsmanager_instance_role_binding resource:

First you define your terraform config like you know it:

terraform-provider-stackit/stackit/internal/services/iam/rolebindings/services/secretsmanager/testdata/instance.tf

Lines 1 to 15 in 9df5f98

	variable "project_id" {}
	variable "instance_name" {}
	variable "role" {}
	variable "subject" {}
	resource "stackit_secretsmanager_instance" "instance" {
	project_id = var.project_id
	name = var.instance_name
	}
	resource "stackit_secretsmanager_instance_role_binding" "role_binding" {
	resource_id = stackit_secretsmanager_instance.instance.instance_id
	role = var.role
	subject = var.subject
	}

Now you use the role binding acc test builder instead of writing all the boilerplate:

terraform-provider-stackit/stackit/internal/services/iam/rolebindings/services/secretsmanager/iam_rolebindings_secretsmanager_acc_test.go

Lines 16 to 45 in 9df5f98

	var (
	//go:embed testdata/instance.tf
	instanceConfig string
	)
	func TestAccSecretsManagerInstanceRoleBindings(t *testing.T) {
	variables := config.Variables{
	"project_id": config.StringVariable(testutil.ProjectId),
	"instance_name": config.StringVariable("tf-acc-" + acctest.RandStringFromCharSet(8, acctest.CharSetAlpha)),
	"role": config.StringVariable("owner"),
	"subject": config.StringVariable(testutil.TestProjectServiceAccountEmail),
	}
	variablesUpdated := func() config.Variables {
	tempConfig := make(config.Variables, len(variables))
	maps.Copy(tempConfig, variables)
	tempConfig["role"] = config.StringVariable("editor")
	return tempConfig
	}
	providerConfig := testutil.NewConfigBuilder().Experiments(testutil.ExperimentIAM).BuildProviderConfig()
	tc := rolebindings_testing.NewRoleBindingAccTestBuilder(providerConfig, "secretsmanager", "instance", "role_binding").
	CreateStep(instanceConfig, variables, "stackit_secretsmanager_instance.instance", "instance_id").
	ImportStep(variables).
	UpdateStep(instanceConfig, variablesUpdated(), "stackit_secretsmanager_instance.instance", "instance_id").
	Build()
	resource.Test(t, tc)
	}

Generation of docs

But not only implementation of new role binding resources is trivial and less effort. You also don't have to provide examples and import statement for new resources on your own. Instead they are generated for you automatically:

terraform-provider-stackit/templates/resources.md.tmpl

Lines 26 to 33 in 9df5f98

	## Example Usage
	```terraform
	resource "{{.Name}}" "role_binding" {
	resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
	role = "owner"
	subject = "john.doe@example.com"
	}

terraform-provider-stackit/templates/resources.md.tmpl

Lines 50 to 57 in 9df5f98

	## Import
	```terraform
	# Only use the import statement, if you want to import an existing folder role assignment
	import {
	to = {{.Name}}.import-example
	id = "${var.region},${var.resource_id},${var.role},${var.subject}"
	}

---

Checklist

• Issue was linked above
• Code format was applied: make fmt
• Examples were added / adjusted (see examples/ directory)
• Docs are up-to-date: make generate-docs (will be checked by CI)
• Unit tests got implemented or updated
• Acceptance tests got implemented or updated (see e.g. here)
• Unit tests are passing: make test (will be checked by CI)
• No linter issues: make lint (will be checked by CI)

[h3adex]

Looks nice 👍

[github-actions]

Merging this branch will increase overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/stackitcloud/terraform-provider-stackit/stackit	1.27% (-0.01%)	👎
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1	0.00% (ø)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/generic	9.02% (+9.02%)	👍
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/rolebindings-testing	0.00% (ø)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/services/secretsmanager	0.00% (ø)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/secretsmanager	0.00% (ø)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/secretsmanager/utils	77.78% (ø)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/testdestroy	0.00% (ø)

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/generic/resource.go	9.02% (+9.02%)	122 (+122)	11 (+11)	111 (+111)	👍
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/rolebindings-testing/acc_test_builder.go	0.00% (ø)	24 (+24)	0	24 (+24)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/rolebindings.go	0.00% (ø)	1 (+1)	0	1 (+1)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/services/secretsmanager/instance.go	0.00% (ø)	9 (+9)	0	9 (+9)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/services/secretsmanager/secret_group.go	0.00% (ø)	9 (+9)	0	9 (+9)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/secretsmanager/utils/util.go	77.78% (ø)	18 (+9)	14 (+7)	4 (+2)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/testdestroy/acc_destroy.go	0.00% (ø)	6 (+6)	0	6 (+6)
github.com/stackitcloud/terraform-provider-stackit/stackit/internal/testdestroy/secretsmanager.go	0.00% (ø)	19 (+19)	0	19 (+19)
github.com/stackitcloud/terraform-provider-stackit/stackit/provider.go	1.27% (-0.01%)	158 (+1)	2	156 (+1)	👎

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

• github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/generic/resource_test.go
• github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/iam/rolebindings/v1/services/secretsmanager/iam_rolebindings_secretsmanager_acc_test.go
• github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/secretsmanager/secretsmanager_acc_test.go
• github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/secretsmanager/utils/util_test.go