Support DiscoveryConfig in terraform provider

.github/workflows/lint.yaml

@@ -274,7 +274,7 @@ jobs:
       - name: Check if Terraform resources are up to date
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
         # The protoc-gen-terraform version must match the version in integrations/terraform/Makefile
-        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform/v3@v3.0.2 && make terraform-resources-up-to-date
+        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform/v3@v3.0.3 && make terraform-resources-up-to-date
 
       - name: Check if the Access Monitoring reference is up to date
         # We have to add the current directory as a safe directory or else git commands will not work as expected.

api/proto/teleport/legacy/types/types.proto

@@ -9042,9 +9042,9 @@ message AWSMatcher {
   // KubeAppDiscovery controls whether Kubernetes App Discovery will be enabled for agents running on
   // discovered clusters, currently only affects AWS EKS discovery in integration mode.
   bool KubeAppDiscovery = 8 [(gogoproto.jsontag) = "kube_app_discovery,omitempty"];
-  // SetupAccessForARN is the role that the discovery service should create EKS Access Entries for.
+  // SetupAccessForARN is the role that the Discovery Service should create EKS Access Entries for.
   // This value should match the IAM identity that Teleport Kubernetes Service uses.
-  // If this value is empty, the discovery service will attempt to set up access for its own identity (self).
+  // If this value is empty, the Discovery Service will attempt to set up access for its own identity (self).
   string SetupAccessForARN = 9 [(gogoproto.jsontag) = "setup_access_for_arn,omitempty"];
 }
 

docs/pages/reference/infrastructure-as-code/terraform-provider/data-sources/data-sources.mdx

@@ -23,6 +23,7 @@ The Teleport Terraform provider supports the following data-sources:
   - [`teleport_cluster_maintenance_config`](./cluster_maintenance_config.mdx)
   - [`teleport_cluster_networking_config`](./cluster_networking_config.mdx)
   - [`teleport_database`](./database.mdx)
+  - [`teleport_discovery_config`](./discovery_config.mdx)
   - [`teleport_dynamic_windows_desktop`](./dynamic_windows_desktop.mdx)
   - [`teleport_github_connector`](./github_connector.mdx)
   - [`teleport_health_check_config`](./health_check_config.mdx)

docs/pages/reference/infrastructure-as-code/terraform-provider/resources/resources.mdx

@@ -24,6 +24,7 @@ The Teleport Terraform provider supports the following resources:
   - [`teleport_cluster_maintenance_config`](./cluster_maintenance_config.mdx)
   - [`teleport_cluster_networking_config`](./cluster_networking_config.mdx)
   - [`teleport_database`](./database.mdx)
+  - [`teleport_discovery_config`](./discovery_config.mdx)
   - [`teleport_dynamic_windows_desktop`](./dynamic_windows_desktop.mdx)
   - [`teleport_github_connector`](./github_connector.mdx)
   - [`teleport_health_check_config`](./health_check_config.mdx)

integrations/terraform/Makefile

@@ -63,7 +63,7 @@ $(BUILDDIR)/terraform-provider-teleport_%: terraform-provider-teleport-v$(VERSIO
 
 CUSTOM_IMPORTS_TMP_DIR ?= /tmp/protoc-gen-terraform/custom-imports
 # This version must match the version installed by .github/workflows/lint.yaml
-PROTOC_GEN_TERRAFORM_VERSION ?= v3.0.2
+PROTOC_GEN_TERRAFORM_VERSION ?= v3.0.3
 PROTOC_GEN_TERRAFORM_EXISTS := $(shell $(PROTOC_GEN_TERRAFORM) version 2>&1 >/dev/null | grep 'protoc-gen-terraform $(PROTOC_GEN_TERRAFORM_VERSION)')
 
 .PHONY: gen-tfschema
@@ -142,13 +142,21 @@ endif
 		--terraform_out=config=protoc-gen-terraform-healthcheckconfig.yaml:./tfschema \
 		teleport/healthcheckconfig/v1/health_check_config.proto
 
+	@protoc \
+		-I=../../api/proto \
+		-I=$(PROTOBUF_MOD_PATH) \
+		--plugin=$(PROTOC_GEN_TERRAFORM) \
+		--terraform_out=config=protoc-gen-terraform-discoveryconfig.yaml:./tfschema \
+		teleport/discoveryconfig/v1/discoveryconfig.proto
+
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1/loginrule_terraform.go ./tfschema/loginrule/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1/accesslist_terraform.go ./tfschema/accesslist/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_terraform.go ./tfschema/accessmonitoringrules/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser_terraform.go ./tfschema/userprovisioning/v2/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1/resource_terraform.go ./tfschema/workloadidentity/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1/autoupdate_terraform.go ./tfschema/autoupdate/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/healthcheckconfig/v1/health_check_config_terraform.go ./tfschema/healthcheckconfig/v1/
+	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig_terraform.go ./tfschema/discoveryconfig/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/types/device_terraform.go ./tfschema/devicetrust/v1/
 	rm -r ./tfschema/github.com/
 	@go run ./gen/main.go
@@ -192,11 +200,7 @@ ifndef TERRAFORM_EXISTS
 	terraform -version
 	@exit -1
 endif
-# NOTE: This is related to an old bug in Terraform and will be fixed in future releases (possibly, by a workaround on our side)
-ifeq ($(shell expr $(CURRENT_ULIMIT) \< 1024), 1)
-	@echo "ulimit -n is too low ($(CURRENT_ULIMIT)), please set ulimit -n 1024"
-	@exit -1
-endif
+
 	gotestsum --junitfile unit-tests-terraform.xml --jsonfile unit-tests-terraform.json -- ./testlib -v $(TEST_ARGS)
 
 .PHONY: test-full

integrations/terraform/README.md

@@ -7,9 +7,9 @@ Please, refer to [official documentation](https://goteleport.com/docs/admin-guid
 ## Development
 
 1. Install [`protobuf`](https://grpc.io/docs/protoc-installation/).
-2. Install [`protoc-gen-terraform`](https://github.com/gravitational/protoc-gen-terraform) @v3.0.2.
+2. Install [`protoc-gen-terraform`](https://github.com/gravitational/protoc-gen-terraform) @v3.0.3.
 
-    ```go install github.com/gravitational/protoc-gen-terraform/v3@v3.0.2```
+    ```go install github.com/gravitational/protoc-gen-terraform/v3@v3.0.3```
 
 3. Install [`Terraform`](https://learn.hashicorp.com/tutorials/terraform/install-cli) v1.1.0+. Alternatively, you can use [`tfenv`](https://github.com/tfutils/tfenv). Please note that on Mac M1 you need to specify `TFENV_ARCH` (ex: `TFENV_ARCH=arm64 tfenv install 1.1.6`).
 

integrations/terraform/examples/resources/teleport_discovery_config/resource.tf

@@ -0,0 +1,74 @@
+# Teleport Discovery Config
+#
+# Discovery Config resources define matchers for the Teleport Discovery Service.
+# The Discovery Service automatically discovers and enrolls cloud resources
+# (EC2 instances, RDS databases, EKS clusters, Azure VMs, etc.) into your
+# Teleport cluster.
+#
+# Each Discovery Config is associated with a discovery_group. Discovery Services
+# load matchers from Discovery Configs that share the same discovery_group.
+
+# Example: AWS Discovery Config for EC2 instances and RDS databases
+resource "teleport_discovery_config" "aws_example" {
+  header = {
+    metadata = {
+      name        = "aws-discovery"
+      description = "Discover AWS EC2 instances and RDS databases"
+      labels = {
+        env = "production"
+      }
+    }
+    version = "v1"
+  }
+
+  spec = {
+    discovery_group = "aws-prod"
+
+    aws = [{
+      types   = ["ec2", "rds"]
+      regions = ["us-west-2", "us-east-1"]
+      tags = {
+        "env" = ["prod", "production"]
+      }
+      install_params = {
+        join_method = "iam"
+        join_token  = "aws-discovery-token"
+        script_name = "default-installer"
+      }
+    }]
+  }
+}
+
+# Example: Azure Discovery Config for VMs and AKS clusters
+resource "teleport_discovery_config" "azure_example" {
+  header = {
+    metadata = {
+      name        = "azure-discovery"
+      description = "Discover Azure VMs and AKS clusters"
+    }
+    version = "v1"
+  }
+
+  spec = {
+    discovery_group = "azure-prod"
+
+    azure = [{
+      types           = ["vm", "aks"]
+      regions         = ["eastus", "westus2"]
+      subscriptions   = ["00000000-0000-0000-0000-000000000000"]
+      resource_groups = ["my-resource-group"]
+      tags = {
+        "*" = ["*"]
+      }
+      install_params = {
+        join_method = "azure"
+        join_token  = "azure-discovery-token"
+        script_name = "default-installer"
+        azure = {
+          client_id = "00000000-0000-0000-0000-000000000000"
+        }
+      }
+    }]
+  }
+}
+

integrations/terraform/gen/main.go

@@ -665,6 +665,28 @@ var (
 		ExtraImports: []string{"apitypes \"github.com/gravitational/teleport/api/types\""},
 		ForceSetKind: "apitypes.KindHealthCheckConfig",
 	}
+
+	discoveryConfig = payload{
+		Name:                  "DiscoveryConfig",
+		TypeName:              "DiscoveryConfig",
+		VarName:               "discoveryConfig",
+		GetMethod:             "DiscoveryConfigClient().GetDiscoveryConfig",
+		CreateMethod:          "DiscoveryConfigClient().CreateDiscoveryConfig",
+		UpsertMethodArity:     2,
+		UpdateMethod:          "DiscoveryConfigClient().UpsertDiscoveryConfig",
+		DeleteMethod:          "DiscoveryConfigClient().DeleteDiscoveryConfig",
+		ID:                    "discoveryConfig.Header.Metadata.Name",
+		Kind:                  "discovery_config",
+		HasStaticID:           false,
+		ProtoPackage:          "discoveryconfigv1",
+		ProtoPackagePath:      "github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1",
+		SchemaPackage:         "schemav1",
+		SchemaPackagePath:     "github.com/gravitational/teleport/integrations/terraform/tfschema/discoveryconfig/v1",
+		TerraformResourceType: "teleport_discovery_config",
+		ExtraImports:          []string{"apitypes \"github.com/gravitational/teleport/api/types\""},
+		ForceSetKind:          "apitypes.KindDiscoveryConfig",
+		ConvertPackagePath:    "github.com/gravitational/teleport/api/types/discoveryconfig/convert/v1",
+	}
 )
 
 func main() {
@@ -726,6 +748,8 @@ func genTFSchema() {
 	generateDataSource(autoUpdateConfig, singularDataSource)
 	generateResource(healthCheckConfig, pluralResource)
 	generateDataSource(healthCheckConfig, pluralDataSource)
+	generateResource(discoveryConfig, pluralResource)
+	generateDataSource(discoveryConfig, pluralDataSource)
 }
 
 func generateResource(p payload, tpl string) {

integrations/terraform/protoc-gen-terraform-discoveryconfig.yaml

@@ -0,0 +1,95 @@
+---
+target_package_name: 'v1'
+default_package_name: 'github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1'
+duration_custom_type: Duration
+use_state_for_unknown_by_default: true
+
+# Top-level type names to export
+types:
+  - 'DiscoveryConfig'
+
+# These import paths were not being automatically picked up by
+# protoc-gen-terraform without these overrides
+import_path_overrides:
+  'types': 'github.com/gravitational/teleport/api/types'
+  'wrappers': 'github.com/gravitational/teleport/api/types/wrappers'
+  'durationpb': 'google.golang.org/protobuf/types/known/durationpb'
+  'timestamppb': 'google.golang.org/protobuf/types/known/timestamppb'
+  'v1': 'github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1'
+  'v11': 'github.com/gravitational/teleport/api/gen/proto/go/teleport/label/v1'
+  'github.com_gravitational_teleport_integrations_terraform_tfschema': 'github.com/gravitational/teleport/integrations/terraform/tfschema'
+
+# id field is required for integration tests. It is not used by provider.
+# We have to add it manually (might be removed in the future versions).
+injected_fields:
+  DiscoveryConfig:
+    - name: id
+      type: github.com/hashicorp/terraform-plugin-framework/types.StringType
+      computed: true
+      plan_modifiers:
+        - 'github.com/hashicorp/terraform-plugin-framework/tfsdk.UseStateForUnknown()'
+
+# These fields will be excluded
+exclude_fields:
+  # Metadata (we id resources by name on our side)
+  - 'DiscoveryConfig.header.metadata.id'
+  # Read only field
+  - 'DiscoveryConfig.status'
+
+# These fields will be marked as Computed: true
+computed_fields:
+  # Metadata
+  - 'DiscoveryConfig.header.metadata.expires'
+  - 'DiscoveryConfig.header.metadata.namespace'
+  - 'DiscoveryConfig.header.metadata.revision'
+  - 'DiscoveryConfig.header.kind'
+  - 'DiscoveryConfig.header.sub_kind'
+
+# These fields will be marked as Required: true
+required_fields:
+  - 'DiscoveryConfig.header'
+  - 'DiscoveryConfig.header.metadata'
+  - 'DiscoveryConfig.header.metadata.name'
+  - 'DiscoveryConfig.header.version'
+  - 'DiscoveryConfig.spec'
+
+plan_modifiers:
+  # Force to recreate resource if it's name changes
+  Metadata.name:
+    - 'github.com/hashicorp/terraform-plugin-framework/tfsdk.RequiresReplace()'
+
+# This must be defined for the generator to be happy, but in reality all time
+# fields are overridden (because the protobuf timestamps contain locks and the
+# linter gets mad if we use raw structs instead of pointers).
+time_type:
+  type: 'PlaceholderType'
+duration_type:
+  type: "DurationType"
+  value_type: "DurationValue"
+  cast_to_type: "time.Duration"
+  cast_from_type: "time.Duration"
+
+validators:
+  # Expires must be in the future
+  Metadata.expires:
+    - github.com_gravitational_teleport_integrations_terraform_tfschema.MustTimeBeInFuture()
+
+custom_types:
+  'DiscoveryConfig.header.metadata.expires': Timestamp
+
+schema_types:
+  'DiscoveryConfig.spec.aws.Params.JoinMethod':
+    type: "github.com/hashicorp/terraform-plugin-framework/types.StringType"
+    value_type: "github.com/hashicorp/terraform-plugin-framework/types.String"
+    cast_to_type: "string"
+    cast_from_type: "github.com/gravitational/teleport/api/types.JoinMethod"
+  'DiscoveryConfig.spec.azure.Params.JoinMethod':
+    type: "github.com/hashicorp/terraform-plugin-framework/types.StringType"
+    value_type: "github.com/hashicorp/terraform-plugin-framework/types.String"
+    cast_to_type: "string"
+    cast_from_type: "github.com/gravitational/teleport/api/types.JoinMethod"
+  'DiscoveryConfig.spec.gcp.Params.JoinMethod':
+    type: "github.com/hashicorp/terraform-plugin-framework/types.StringType"
+    value_type: "github.com/hashicorp/terraform-plugin-framework/types.String"
+    cast_to_type: "string"
+    cast_from_type: "github.com/gravitational/teleport/api/types.JoinMethod"