Add support for Azure BYOK exocompute (#205)

docs/data-sources/azure_permissions.md

@@ -103,6 +103,7 @@ resource "polaris_azure_subscription" "subscription" {
 
 - `feature` (String) RSC feature. Note that the feature name must be given in the `EXAMPLE_FEATURE_NAME` style. Possible values are `AZURE_SQL_DB_PROTECTION`, `AZURE_SQL_MI_PROTECTION`,  `CLOUD_NATIVE_ARCHIVAL`, `CLOUD_NATIVE_ARCHIVAL_ENCRYPTION`, `CLOUD_NATIVE_BLOB_PROTECTION`, `CLOUD_NATIVE_PROTECTION` and `EXOCOMPUTE`.
 - `features` (Set of String, Deprecated) RSC features. Possible values are `AZURE_SQL_DB_PROTECTION`, `AZURE_SQL_MI_PROTECTION`, `CLOUD_NATIVE_ARCHIVAL`, `CLOUD_NATIVE_ARCHIVAL_ENCRYPTION`, `CLOUD_NATIVE_BLOB_PROTECTION`, `CLOUD_NATIVE_PROTECTION` and `EXOCOMPUTE`. **Deprecated:** use `feature` instead.
+- `permission_groups` (Set of String) Permission groups for the RSC feature. Possible values are `BASIC`, `EXPORT_AND_RESTORE`, `FILE_LEVEL_RECOVERY`, `CLOUD_CLUSTER_ES`, `SNAPSHOT_PRIVATE_ACCESS`, `PRIVATE_ENDPOINTS`, `CUSTOMER_MANAGED_BASIC`, `ENCRYPTION`, `SQL_ARCHIVAL`, `RECOVERY` and `BACKUP_V2`.
 
 ### Read-Only
 

docs/resources/aws_private_container_registry.md

@@ -5,11 +5,7 @@ subcategory: ""
 description: |-
   The polaris_aws_private_container_registry resource enables the private container
   registry (PCR) feature for the RSC customer account. This disables the standard
-  Rubrik container registry. Once PCR has been enabled, it can only be disabled by
-  Rubrik customer support.
-  !> Note: Creating a polaris_aws_private_container_registry resource enables
-     the PCR feature for the RSC customer account. Destroying the resource will not
-     disabled PCR, it can only be disabled by contacting Rubrik customer support.
+  Rubrik container registry.
   ~> Note: Even though the polaris_aws_private_container_registry resource ID
      is an RSC cloud account ID, there can only be a single PCR per RSC customer
      account.
@@ -70,12 +66,7 @@ description: |-
 
 The `polaris_aws_private_container_registry` resource enables the private container
 registry (PCR) feature for the RSC customer account. This disables the standard
-Rubrik container registry. Once PCR has been enabled, it can only be disabled by
-Rubrik customer support.
-
-!> **Note:** Creating a `polaris_aws_private_container_registry` resource enables
-   the PCR feature for the RSC customer account. Destroying the resource will not
-   disabled PCR, it can only be disabled by contacting Rubrik customer support.
+Rubrik container registry.
 
 ~> **Note:** Even though the `polaris_aws_private_container_registry` resource ID
    is an RSC cloud account ID, there can only be a single PCR per RSC customer

docs/resources/azure_exocompute_cluster_attachment.md

@@ -0,0 +1,39 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "polaris_azure_exocompute_cluster_attachment Resource - terraform-provider-polaris"
+subcategory: ""
+description: |-
+  The polaris_azure_exocompute_cluster_attachment resource attaches an Azure AKS
+  cluster to a customer managed host Exocompute configuration, allowing RSC to use
+  the cluster for Exocompute operations.
+  The cluster name must be specified as <resource-group>/<cluster-name>, e.g.
+  my-resource-group/my-cluster.
+---
+
+# polaris_azure_exocompute_cluster_attachment (Resource)
+
+The `polaris_azure_exocompute_cluster_attachment` resource attaches an Azure AKS
+cluster to a customer managed host Exocompute configuration, allowing RSC to use
+the cluster for Exocompute operations.
+
+The cluster name must be specified as `<resource-group>/<cluster-name>`, e.g.
+`my-resource-group/my-cluster`.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cluster_name` (String) Azure AKS cluster name. Changing this forces a new resource to be created.
+- `exocompute_id` (String) RSC exocompute configuration ID (UUID). Changing this forces a new resource to be created.
+
+### Optional
+
+- `token_refresh` (Number) To force a refresh of the authentication token, part of the connection command and manifest, increase the value of this field. The token is valid for 24 hours.
+
+### Read-Only
+
+- `id` (String) RSC cluster ID (UUID).
+- `manifest` (String) Kubernetes manifest which can be passed to `kubectl apply` to create a connection between the cluster and RSC. See `connection_command` for an alternative connection method.

docs/resources/azure_private_container_registry.md

@@ -0,0 +1,115 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "polaris_azure_private_container_registry Resource - terraform-provider-polaris"
+subcategory: ""
+description: |-
+  The polaris_azure_private_container_registry resource enables the private
+  container registry (PCR) feature for the RSC customer account. This disables the
+  standard Rubrik container registry.
+  ~> Note: Even though the polaris_azure_private_container_registry resource
+     ID is an RSC cloud account ID, there can only be a single PCR per RSC
+     customer account.
+  Exocompute Image Bundles
+  The following GraphQL query can be used to retrieve information about the image
+  bundles used by RSC for exocompute:
+  graphql
+  query ExotaskImageBundle {
+    exotaskImageBundle {
+      bundleImages {
+        name
+        sha
+        tag
+      }
+      bundleVersion
+      eksVersion
+      repoUrl
+    }
+  }
+  
+  The repoUrl field holds the URL to the RSC container registry from where the
+  RSC images can be pulled.
+  The following GraphQL mutation can be used to set the approved bundle version
+  for the RSC customer account:
+  graphql
+  mutation SetBundleApprovalStatus($input: SetBundleApprovalStatusInput!) {
+    setBundleApprovalStatus(input: $input)
+  }
+  
+  The input is an object with the following structure:
+  json
+  {
+    "input": {
+      "approvalStatus": "APPROVED",
+      "bundleVersion": "1.164",
+    }
+  }
+  
+  Where approvalStatus can be either APPROVED or REJECTED. bundleVersion
+  is the the bundle version being approved or rejected. bundleMetadata is
+  optional.
+---
+
+# polaris_azure_private_container_registry (Resource)
+
+The `polaris_azure_private_container_registry` resource enables the private
+container registry (PCR) feature for the RSC customer account. This disables the
+standard Rubrik container registry.
+
+~> **Note:** Even though the `polaris_azure_private_container_registry` resource
+   ID is an RSC cloud account ID, there can only be a single PCR per RSC
+   customer account.
+
+## Exocompute Image Bundles
+The following GraphQL query can be used to retrieve information about the image
+bundles used by RSC for exocompute:
+```graphql
+query ExotaskImageBundle {
+  exotaskImageBundle {
+    bundleImages {
+      name
+      sha
+      tag
+    }
+    bundleVersion
+    eksVersion
+    repoUrl
+  }
+}
+```
+The `repoUrl` field holds the URL to the RSC container registry from where the
+RSC images can be pulled.
+
+The following GraphQL mutation can be used to set the approved bundle version
+for the RSC customer account:
+```graphql
+mutation SetBundleApprovalStatus($input: SetBundleApprovalStatusInput!) {
+  setBundleApprovalStatus(input: $input)
+}
+```
+The input is an object with the following structure:
+```json
+{
+  "input": {
+    "approvalStatus": "APPROVED",
+    "bundleVersion": "1.164",
+  }
+}
+```
+Where `approvalStatus` can be either `APPROVED` or `REJECTED`. `bundleVersion`
+is the the bundle version being approved or rejected. `bundleMetadata` is
+optional.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `app_id` (String) Azure app registration application ID. Also known as the client ID.
+- `cloud_account_id` (String) RSC cloud account ID (UUID). Changing this forces a new resource to be created.
+- `url` (String) URL for customer provided private container registry.
+
+### Read-Only
+
+- `id` (String) RSC cloud account ID (UUID).

docs/resources/azure_subscription.md

@@ -12,13 +12,15 @@ description: |-
        for disaster recovery and long-term retention.
     2. cloud_native_archival_encryption - Allows cloud archival locations to be
        encrypted with customer managed keys.
-    3. cloud_native_protection - Provides protection for Azure virtual machines and
+    3. cloud_native_blob_protection - Provides protection for Azure Blob Storage
+       through the rules and policies of SLA Domains.
+    4. cloud_native_protection - Provides protection for Azure virtual machines and
        managed disks through the rules and policies of SLA Domains.
-    4. exocompute - Provides snapshot indexing, file recovery, storage tiering, and
+    5. exocompute - Provides snapshot indexing, file recovery, storage tiering, and
        application-consistent protection of Azure objects.
-    5. sql_db_protection - Provides centralized database backup management and
+    6. sql_db_protection - Provides centralized database backup management and
        recovery in an Azure SQL Database deployment.
-    6. sql_mi_protection - Provides centralized database backup management and
+    7. sql_mi_protection - Provides centralized database backup management and
        recovery for an Azure SQL Managed Instance deployment.
   Each feature's permissions field can be used with the polaris_azure_permissions
   data source to inform RSC about permission updates when the Terraform configuration
@@ -48,13 +50,15 @@ Any combination of different RSC features can be enabled for a subscription:
      for disaster recovery and long-term retention.
   2. `cloud_native_archival_encryption` - Allows cloud archival locations to be
      encrypted with customer managed keys.
-  3. `cloud_native_protection` - Provides protection for Azure virtual machines and
+  3. `cloud_native_blob_protection` - Provides protection for Azure Blob Storage
+     through the rules and policies of SLA Domains.
+  4. `cloud_native_protection` - Provides protection for Azure virtual machines and
      managed disks through the rules and policies of SLA Domains.
-  4. `exocompute` - Provides snapshot indexing, file recovery, storage tiering, and
+  5. `exocompute` - Provides snapshot indexing, file recovery, storage tiering, and
      application-consistent protection of Azure objects.
-  5. `sql_db_protection` - Provides centralized database backup management and
+  6. `sql_db_protection` - Provides centralized database backup management and
      recovery in an Azure SQL Database deployment.
-  6. `sql_mi_protection` - Provides centralized database backup management and
+  7. `sql_mi_protection` - Provides centralized database backup management and
      recovery for an Azure SQL Managed Instance deployment.
 
 Each feature's `permissions` field can be used with the `polaris_azure_permissions`
@@ -173,6 +177,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Archival feature. Possible values are `BASIC`, `ENCRYPTION` and `SQL_ARCHIVAL`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 - `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
 - `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
@@ -196,6 +201,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Archival Encryption feature. Possible values are `BASIC` and `ENCRYPTION`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 - `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
 - `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
@@ -215,6 +221,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Blob Protection feature. Possible values are `BASIC` and `RECOVERY`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 
 Read-Only:
@@ -231,6 +238,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the Cloud Native Protection feature. Possible values are `BASIC`, `EXPORT_AND_RESTORE`, `FILE_LEVEL_RECOVERY`, `CLOUD_CLUSTER_ES` and `SNAPSHOT_PRIVATE_ACCESS`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 - `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
 - `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
@@ -250,6 +258,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the Exocompute feature. Possible values are `BASIC`, `PRIVATE_ENDPOINTS` and `CUSTOMER_MANAGED_BASIC`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 - `resource_group_name` (String) Name of the Azure resource group where RSC places all resources created by the feature. RSC assumes the resource group already exists. Changing this forces the RSC feature to be re-onboarded.
 - `resource_group_region` (String) Region of the Azure resource group. Should be specified in the standard Azure style, e.g. `eastus`. Changing this forces the RSC feature to be re-onboarded.
@@ -269,6 +278,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the SQL DB Protection feature. Possible values are `BASIC`, `RECOVERY` and `BACKUP_V2`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 
 Read-Only:
@@ -285,6 +295,7 @@ Required:
 
 Optional:
 
+- `permission_groups` (Set of String) Permission groups to assign to the SQL MI Protection feature. Possible values are `BASIC`, `RECOVERY` and `BACKUP_V2`.
 - `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `polaris_azure_permissions` data source.
 
 Read-Only:

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/terraform-plugin-docs v0.16.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
-	github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.7
+	github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8
 )
 
 require (

go.sum

@@ -270,8 +270,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.7 h1:n3tfrj61TLoKKkywcboFjEb/sd+G53vJV13dfV14k3Q=
-github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.7/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
+github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8 h1:dU2PQJUQ4G0FcdivN2Y0/vYsu/9hZRvAYld2I9Tqvro=
+github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
 github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
 github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=

internal/provider/data_source_azure_permissions.go

@@ -159,6 +159,23 @@ func dataSourceAzurePermissions() *schema.Resource {
 					"`resource_group_not_data_actions` instead.",
 				Deprecated: "use `subscription_not_data_actions` and `resource_group_not_data_actions` instead.",
 			},
+			keyPermissionGroups: {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+					ValidateFunc: validation.StringInSlice([]string{
+						"BASIC", "EXPORT_AND_RESTORE", "FILE_LEVEL_RECOVERY", "CLOUD_CLUSTER_ES",
+						"SNAPSHOT_PRIVATE_ACCESS", "PRIVATE_ENDPOINTS", "CUSTOMER_MANAGED_BASIC",
+						"ENCRYPTION", "SQL_ARCHIVAL", "RECOVERY", "BACKUP_V2",
+					}, false),
+				},
+				Optional:      true,
+				ConflictsWith: []string{keyFeatures},
+				Description: "Permission groups for the RSC feature. Possible values are `BASIC`, " +
+					"`EXPORT_AND_RESTORE`, `FILE_LEVEL_RECOVERY`, `CLOUD_CLUSTER_ES`, `SNAPSHOT_PRIVATE_ACCESS`, " +
+					"`PRIVATE_ENDPOINTS`, `CUSTOMER_MANAGED_BASIC`, `ENCRYPTION`, `SQL_ARCHIVAL`, `RECOVERY` and " +
+					"`BACKUP_V2`.",
+			},
 			keyResourceGroupActions: {
 				Type: schema.TypeList,
 				Elem: &schema.Schema{
@@ -238,8 +255,13 @@ func azurePermissionsRead(ctx context.Context, d *schema.ResourceData, m any) di
 	// Check both feature and features.
 	var perms []azure.Permissions
 	var groups []azure.PermissionGroupWithVersion
-	if f := d.Get(keyFeature).(string); f != "" {
-		perms, groups, err = azure.Wrap(client).ScopedPermissions(ctx, core.Feature{Name: f})
+	if featureName := d.Get(keyFeature).(string); featureName != "" {
+		var permGroups []core.PermissionGroup
+		for _, permGroup := range d.Get(keyPermissionGroups).(*schema.Set).List() {
+			permGroups = append(permGroups, core.PermissionGroup(permGroup.(string)))
+		}
+		feature := core.Feature{Name: featureName, PermissionGroups: permGroups}
+		perms, groups, err = azure.Wrap(client).ScopedPermissions(ctx, feature)
 	} else {
 		var features []core.Feature
 		for _, f := range d.Get(keyFeatures).(*schema.Set).List() {

internal/provider/names.go

@@ -111,7 +111,9 @@ const (
 	keyPolarisAWSPrivateContainerRegistry           = "polaris_aws_private_container_registry"
 	keyPolarisAzureArchivalLocation                 = "polaris_azure_archival_location"
 	keyPolarisAzureExocompute                       = "polaris_azure_exocompute"
+	keyPolarisAzureExocomputeClusterAttachment      = "polaris_azure_exocompute_cluster_attachment"
 	keyPolarisAzurePermissions                      = "polaris_azure_permissions"
+	keyPolarisAzurePrivateContainerRegistry         = "polaris_azure_private_container_registry"
 	keyPolarisAzureServicePrincipal                 = "polaris_azure_service_principal"
 	keyPolarisAzureSubscription                     = "polaris_azure_subscription"
 	keyPolarisCustomRole                            = "polaris_custom_role"