Add docker_org_access_token resource for Docker Hub organization access tokens (#127)

* Add organization access token resource

* Address review feedback for org access token resource

* Fix OAT test paths and document repo path rules

* Trim org access token resource surface

Author: lanwen

docs/resources/org_access_token.md

@@ -0,0 +1,116 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "docker_org_access_token Resource - docker"
+subcategory: ""
+description: |-
+  Manages organization access tokens.
+  -> Note: This resource is only available when authenticated with a username and password as an owner of the org.
+  Example Usage
+  
+  resource "docker_org_access_token" "example" {
+    org_name    = "my-organization"
+    label       = "ci-token"
+    description = "Token for CI pulls"
+    resources = [
+      {
+        type   = "TYPE_REPO"
+        path   = "my-organization/*"
+        scopes = ["scope-image-pull"]
+      }
+    ]
+    expires_at = "2027-12-31T23:59:59Z"
+  }
+
+  For TYPE_REPO resources, path must point to an existing repository or a supported glob such as my-organization/*.
+  
+  Public-Only Repositories
+  Use the special path */*/public to scope the token to public repositories only.
+  
+  resource "docker_org_access_token" "public_pull" {
+    org_name = "my-organization"
+    label    = "public-pull-token"
+  
+    resources = [
+      {
+        type   = "TYPE_REPO"
+        path   = "*/*/public"
+        scopes = ["scope-image-pull"]
+      }
+    ]
+  }
+---
+
+# docker_org_access_token (Resource)
+
+Manages organization access tokens.
+
+-> **Note**: This resource is only available when authenticated with a username and password as an owner of the org.
+
+## Example Usage
+
+```hcl
+resource "docker_org_access_token" "example" {
+  org_name    = "my-organization"
+  label       = "ci-token"
+  description = "Token for CI pulls"
+  resources = [
+    {
+      type   = "TYPE_REPO"
+      path   = "my-organization/*"
+      scopes = ["scope-image-pull"]
+    }
+  ]
+  expires_at = "2027-12-31T23:59:59Z"
+}
+```
+
+For `TYPE_REPO` resources, `path` must point to an existing repository or a supported glob such as `my-organization/*`.
+
+## Public-Only Repositories
+
+Use the special path `*/*/public` to scope the token to public repositories only.
+
+```hcl
+resource "docker_org_access_token" "public_pull" {
+  org_name = "my-organization"
+  label    = "public-pull-token"
+
+  resources = [
+    {
+      type   = "TYPE_REPO"
+      path   = "*/*/public"
+      scopes = ["scope-image-pull"]
+    }
+  ]
+}
+```
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `label` (String) Label for the access token
+- `org_name` (String) The organization namespace
+- `resources` (Attributes List) Resources this token has access to (see [below for nested schema](#nestedatt--resources))
+
+### Optional
+
+- `description` (String) Description for the access token
+- `expires_at` (String) Expiration date for the token. Changing this value recreates the token.
+
+### Read-Only
+
+- `id` (String) The ID of the organization access token
+- `token` (String, Sensitive) The organization access token. This value is only returned during creation.
+
+<a id="nestedatt--resources"></a>
+### Nested Schema for `resources`
+
+Required:
+
+- `path` (String) The path of the resource. For TYPE_REPO, this must point to an existing repository or a supported glob such as `my-organization/*`. Use `*/*/public` for public repositories only.
+- `scopes` (List of String) The scopes this token has access to
+- `type` (String) The type of resource

internal/hubclient/client_org_access_token.go

@@ -0,0 +1,118 @@
+/*
+   Copyright 2024 Docker Terraform Provider authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package hubclient
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+)
+
+const (
+	OrgAccessTokenTypeRepo = "TYPE_REPO"
+	OrgAccessTokenTypeOrg  = "TYPE_ORG"
+)
+
+type OrgAccessToken struct {
+	ID          string                   `json:"id"`
+	Label       string                   `json:"label"`
+	Description string                   `json:"description,omitempty"`
+	CreatedBy   string                   `json:"created_by"`
+	IsActive    bool                     `json:"is_active"`
+	CreatedAt   string                   `json:"created_at"`
+	ExpiresAt   string                   `json:"expires_at,omitempty"`
+	LastUsedAt  string                   `json:"last_used_at,omitempty"`
+	Token       string                   `json:"token,omitempty"`
+	Resources   []OrgAccessTokenResource `json:"resources,omitempty"`
+}
+
+type OrgAccessTokenResource struct {
+	Type   string   `json:"type"`
+	Path   string   `json:"path"`
+	Scopes []string `json:"scopes"`
+}
+
+type OrgAccessTokenCreateParams struct {
+	Label       string                   `json:"label"`
+	Description string                   `json:"description"`
+	Resources   []OrgAccessTokenResource `json:"resources"`
+	ExpiresAt   string                   `json:"expires_at,omitempty"`
+}
+
+type OrgAccessTokenUpdateParams struct {
+	Label       string                   `json:"label"`
+	Description string                   `json:"description"`
+	Resources   []OrgAccessTokenResource `json:"resources"`
+}
+
+func (c *Client) CreateOrgAccessToken(ctx context.Context, orgName string, params OrgAccessTokenCreateParams) (OrgAccessToken, error) {
+	if orgName == "" {
+		return OrgAccessToken{}, fmt.Errorf("orgName is required")
+	}
+
+	buf := bytes.NewBuffer(nil)
+	if err := json.NewEncoder(buf).Encode(params); err != nil {
+		return OrgAccessToken{}, err
+	}
+
+	var accessToken OrgAccessToken
+	err := c.sendRequest(ctx, "POST", fmt.Sprintf("/orgs/%s/access-tokens", orgName), buf.Bytes(), &accessToken)
+	return accessToken, err
+}
+
+func (c *Client) GetOrgAccessToken(ctx context.Context, orgName, accessTokenID string) (OrgAccessToken, error) {
+	if orgName == "" {
+		return OrgAccessToken{}, fmt.Errorf("orgName is required")
+	}
+	if accessTokenID == "" {
+		return OrgAccessToken{}, fmt.Errorf("accessTokenID is required")
+	}
+
+	var accessToken OrgAccessToken
+	err := c.sendRequest(ctx, "GET", fmt.Sprintf("/orgs/%s/access-tokens/%s", orgName, accessTokenID), nil, &accessToken)
+	return accessToken, err
+}
+
+func (c *Client) UpdateOrgAccessToken(ctx context.Context, orgName, accessTokenID string, params OrgAccessTokenUpdateParams) (OrgAccessToken, error) {
+	if orgName == "" {
+		return OrgAccessToken{}, fmt.Errorf("orgName is required")
+	}
+	if accessTokenID == "" {
+		return OrgAccessToken{}, fmt.Errorf("accessTokenID is required")
+	}
+
+	buf := bytes.NewBuffer(nil)
+	if err := json.NewEncoder(buf).Encode(params); err != nil {
+		return OrgAccessToken{}, err
+	}
+
+	var accessToken OrgAccessToken
+	err := c.sendRequest(ctx, "PATCH", fmt.Sprintf("/orgs/%s/access-tokens/%s", orgName, accessTokenID), buf.Bytes(), &accessToken)
+	return accessToken, err
+}
+
+func (c *Client) DeleteOrgAccessToken(ctx context.Context, orgName, accessTokenID string) error {
+	if orgName == "" {
+		return fmt.Errorf("orgName is required")
+	}
+	if accessTokenID == "" {
+		return fmt.Errorf("accessTokenID is required")
+	}
+
+	return c.sendRequest(ctx, "DELETE", fmt.Sprintf("/orgs/%s/access-tokens/%s", orgName, accessTokenID), nil, nil)
+}

internal/provider/access_token_validators.go

@@ -0,0 +1,29 @@
+/*
+   Copyright 2024 Docker Terraform Provider authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package provider
+
+import (
+	"regexp"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+)
+
+var accessTokenExpiresAtValidator validator.String = stringvalidator.RegexMatches(
+	regexp.MustCompile(`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z$`),
+	"must be in ISO 8601 format, e.g., 2021-10-28T18:30:19.520861Z",
+)

internal/provider/provider.go

@@ -382,6 +382,7 @@ func getConfigfileKey(host string) string {
 func (p *DockerProvider) Resources(ctx context.Context) []func() resource.Resource {
 	return []func() resource.Resource{
 		NewAccessTokenResource,
+		NewOrgAccessTokenResource,
 		NewOrgSettingImageAccessManagementResource,
 		NewOrgSettingRegistryAccessManagementResource,
 		NewOrgTeamResource,

internal/provider/resource_access_token.go

@@ -19,10 +19,8 @@ package provider
 import (
 	"context"
 	"fmt"
-	"regexp"
 
 	"github.com/docker/terraform-provider-docker/internal/hubclient"
-	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -123,10 +121,7 @@ resource "docker_access_token" "example" {
 				MarkdownDescription: "Time the token expires. If not set, the token will not expire",
 				Optional:            true,
 				Validators: []validator.String{
-					stringvalidator.RegexMatches(
-						regexp.MustCompile(`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z$`),
-						"must be in ISO 8601 format, e.g., 2021-10-28T18:30:19.520861Z",
-					),
+					accessTokenExpiresAtValidator,
 				},
 			},
 		},