rubrikinc
diff --git a/‎README.md
+2 b/‎README.md
+2
diff --git a/‎docs/data-sources/azure_permissions.md
+42 b/‎docs/data-sources/azure_permissions.md
+42
diff --git a/‎docs/data-sources/gcp_permissions.md
+39 b/‎docs/data-sources/gcp_permissions.md
+39
diff --git a/‎docs/guides/permissions.md
+150 b/‎docs/guides/permissions.md
+150
diff --git a/‎docs/guides/upgrade_guide_v0.3.0.md
+123 b/‎docs/guides/upgrade_guide_v0.3.0.md
+123
@@ -1,3 +1,5 @@
+![Go version](https://img.shields.io/github/go-mod/go-version/rubrikinc/terraform-provider-polaris) ![License MIT](https://img.shields.io/github/license/rubrikinc/terraform-provider-polaris) ![Latest tag](https://img.shields.io/github/v/tag/rubrikinc/terraform-provider-polaris)
+
 <p align="center">
 &#9888;&#65039; Code in this repository is in BETA and should NOT be used in a production system! &#9888;&#65039;
 </p>
 
@@ -0,0 +1,42 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "polaris_azure_permissions Data Source - terraform-provider-polaris"
+subcategory: ""
+description: |-
+  
+---
+
+# polaris_azure_permissions (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "polaris_azure_permissions" "default" {
+  features = [
+    "cloud-native-protection",
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **features** (Set of String) Enabled features.
+
+### Optional
+
+- **id** (String) The ID of this resource.
+
+### Read-Only
+
+- **actions** (List of String) Allowed actions.
+- **data_actions** (List of String) Allowed data actions.
+- **hash** (String) SHA-256 hash of the permissions, can be used to detect changes to the permissions.
+- **not_actions** (List of String) Disallowed actions.
+- **not_data_actions** (List of String) Disallowed data actions.
+
+
@@ -0,0 +1,39 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "polaris_gcp_permissions Data Source - terraform-provider-polaris"
+subcategory: ""
+description: |-
+  
+---
+
+# polaris_gcp_permissions (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "polaris_gcp_permissions" "default" {
+  features = [
+    "cloud-native-protection",
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **features** (Set of String) Enabled features.
+
+### Optional
+
+- **id** (String) The ID of this resource.
+
+### Read-Only
+
+- **hash** (String) SHA-256 hash of the permissions, can be used to detect changes to the permissions.
+- **permissions** (List of String) Permissions required for the features enabled.
+
+
@@ -0,0 +1,150 @@
+---
+page_title: "Manage Permissions"
+---
+
+# Manage Permissions
+Polaris requires permissions to operate and as new features are added to Polaris the set of required permissions
+changes. This guide explains how Terraform can be used to keep this set of permissions up to date.
+
+## AWS
+For AWS this is managed through a CloudFormation stack. When the status of an account feature is `missing-permissions`
+the CloudFormation stack must be updated for the feature to continue to function. This can be managed by setting the
+`permissions` argument to `update`.
+```hcl
+resource "polaris_aws_account" "default" {
+  profile     = "default"
+  permissions = "update"
+
+  cloud_native_protection {
+    regions = [
+      "us-east-2",
+    ]
+  }
+}
+```
+This will generate a diff when the status of at least one feature is `missing-permissions`. Applying the account
+resource for this diff will update the CloudFormation stack. If the `permissions` argument is not specified the
+provider will not attempt to update the CloudFormation stack.
+
+## Azure
+For Azure permissions are managed through a service principal. When the status of a subscription feature is
+`missing-permissions` the permissions of the service principal must be updated for the feature to continue to
+function. This can be managed by Terraform using the
+[azurerm](https://registry.terraform.io/providers/hashicorp/azurerm/latest) provider:
+```hcl
+data "polaris_azure_permissions" "default" {
+  features = [
+    "cloud-native-protection",
+    "exocompute",
+  ]
+}
+
+resource "azurerm_role_definition" "default" {
+  name  = "terraform"
+  scope = data.azurerm_subscription.default.id
+
+  permissions {
+    actions          = data.polaris_azure_permissions.default.actions
+    data_actions     = data.polaris_azure_permissions.default.data_actions
+    not_actions      = data.polaris_azure_permissions.default.not_actions
+    not_data_actions = data.polaris_azure_permissions.default.not_data_actions
+  }
+}
+
+resource "azurerm_role_assignment" "default" {
+  principal_id       = "9e7f3952-1fc1-11ec-b57a-972144d12d97"
+  role_definition_id = azurerm_role_definition.default.role_definition_resource_id
+  scope              = data.azurerm_subscription.default.id
+}
+
+resource "polaris_azure_service_principal" "default" {
+  sdk_auth         = "${path.module}/sdk-service-principal.json"
+  tenant_domain    = "mydomain.onmicrosoft.com"
+  permissions_hash = data.polaris_azure_permissions.default.hash
+
+  depends_on = [
+    azurerm_role_definition.default,
+    azurerm_role_assignment.default,
+  ]
+}
+```
+When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
+role definition and service principal resources. Applying the diff will first update the permissions of the service
+principal's role definition and then notify Polaris about the update.
+
+## GCP
+For GCP permissions are managed through a service account. When the status of a project feature is `missing-permissions`
+the permissions of the service account must be updated for the feature to continue to function. This can be managed by
+Terraform using the [google](https://registry.terraform.io/providers/hashicorp/google/latest) provider.
+
+### Project Service Account
+When the service account is specified as part of the project resource:
+
+```terraform
+data "polaris_gcp_permissions" "default" {
+  features = [
+    "cloud-native-protection",
+  ]
+}
+
+resource "google_project_iam_custom_role" "default" {
+  role_id     = "terraform"
+  title       = "Terraform"
+  permissions = data.polaris_gcp_permissions.default.permissions
+}
+
+resource "google_project_iam_member" "default" {
+  role   = google_project_iam_custom_role.default.id
+  member = "serviceAccount:[email protected]"
+}
+
+resource "polaris_gcp_project" "default" {
+  credentials      = "${path.module}//my-project-d978f94d6c4d.json"
+  permissions_hash = data.polaris_gcp_permissions.default.hash
+
+  cloud_native_protection {
+  }
+
+  depends_on = [
+    google_project_iam_custom_role.default,
+    google_project_iam_member.default,
+  ]
+}
+```
+When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
+custom role and the project resources. Applying the diff will first update the permissions of the service account's
+custom role and then notify Polaris about the update.
+
+### Default Service Account
+When the service account is specified as part of the service account resource:
+```terraform
+data "polaris_gcp_permissions" "default" {
+  features = [
+    "cloud-native-protection",
+  ]
+}
+
+resource "google_project_iam_custom_role" "default" {
+  role_id     = "terraform"
+  title       = "Terraform"
+  permissions = data.polaris_gcp_permissions.default.permissions
+}
+
+resource "google_project_iam_member" "default" {
+  role   = google_project_iam_custom_role.default.id
+  member = "serviceAccount:[email protected]"
+}
+
+resource "polaris_gcp_service_account" "default" {
+  credentials      = "${path.module}/my-project-d978f94d6c4d.json"
+  permissions_hash = data.polaris_gcp_permissions.default.hash
+
+  depends_on = [
+    google_project_iam_custom_role.default,
+    google_project_iam_member.default,
+  ]
+}
+```
+When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
+custom role and the project resources. Applying the diff will first update the permissions of the service account's
+custom role and then notify Polaris about the update.
@@ -0,0 +1,123 @@
+---
+page_title: "Upgrade Guide: v0.3.0 "
+subcategory: "Upgrade"
+---
+
+# v0.3.0 of the Polaris Provider
+v0.3.0 introduces breaking changes to the following resources:
+* `polaris_aws_account`
+* `polaris_azure_subscription`
+* `polaris_azure_service_principal`
+* `polaris_gcp_project`
+
+After the Terraform configuration files has been updated according to the instructions in this guide first validate
+their correctness by running:
+```bash
+$ terraform plan
+```
+
+If this doesn't produce any error proceed by running:
+```bash
+$ terraform refresh
+```
+This will read the remote state of the resources and migrate the local Terraform state to v0.3.0.
+
+## AWS
+### polaris_aws_account
+To update the resource add a new `cloud_native_protection` block. Then move the `regions` argument from the resource
+into the new `cloud_native_protection` block.
+
+I.e. if the initial resource configuration looked like this:
+```hcl
+resource "polaris_aws_account" "default" {
+  profile = "default"
+
+  regions = [
+    "us-east-2",
+  ]
+}
+```
+
+It should look like this after the manual update:
+```hcl
+resource "polaris_aws_account" "default" {
+  profile = "default"
+
+  cloud_native_protection {
+    regions = [
+      "us-east-2",
+    ]
+  }
+}
+```
+
+## Azure
+### polaris_azure_subscription
+To update the resource add a new `cloud_native_protection` block. Then move the `regions` argument from the resource
+into the new `cloud_native_protection` block.
+
+I.e. if the initial resource configuration looked like this:
+```hcl
+resource "polaris_azure_subscription" "default" {
+  subscription_id = "1bb87eb6-2039-11ec-8a8a-3ba3fe58b590"
+  tenant_domain   = "mydomain.onmicrosoft.com"
+
+  regions = [
+    "us-east-2",
+  ]
+}
+```
+
+It should look like this after the manual update:
+```hcl
+resource "polaris_azure_subscription" "default" {
+  subscription_id = "1bb87eb6-2039-11ec-8a8a-3ba3fe58b590"
+  tenant_domain   = "mydomain.onmicrosoft.com"
+
+  cloud_native_protection {
+    regions = [
+      "us-east-2",
+    ]
+  }
+}
+```
+
+### polaris_azure_service_principal
+To update the resource add a new `tenant_domain` argument. The value of this argument can be found in the credentials
+file, as either `tenant_domain` or `tenantDomain`.
+
+I.e. if the initial resource configuration looked like this:
+```hcl
+resource "polaris_azure_service_principal" "default" {
+  credentials   = "${path.module}/service-principal.json"
+}
+```
+
+It should look like this after the manual update:
+```hcl
+resource "polaris_azure_service_principal" "default" {
+  credentials   = "${path.module}/service-principal.json"
+  tenant_domain = "mydomain.onmicrosoft.com"
+}
+```
+
+## GCP
+### polaris_gcp_project
+To update the resource add a new `cloud_native_protection` block.
+
+I.e. if the initial resource configuration looked like this:
+```hcl
+resource "polaris_gcp_project" "default" {
+  credentials = "${path.module}/my-project-bf80e97f8c4e.json"
+}
+```
+
+It should look like this after the manual update:
+```hcl
+resource "polaris_gcp_project" "default" {
+  credentials = "${path.module}/my-project-bf80e97f8c4e.json"
+
+  cloud_native_protection {
+  }
+}
+```
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+![Go version](https://img.shields.io/github/go-mod/go-version/rubrikinc/terraform-provider-polaris) ![License MIT](https://img.shields.io/github/license/rubrikinc/terraform-provider-polaris) ![Latest tag](https://img.shields.io/github/v/tag/rubrikinc/terraform-provider-polaris)`
	`2`	`+`
`1`	`3`	`<p align="center">`
`2`	`4`	`⚠️ Code in this repository is in BETA and should NOT be used in a production system! ⚠️`
`3`	`5`	`</p>`