Add CI/CD check ensuring Terraform resources are up-to-date (#43788)

* check if Terraform resources and docs are up-to-date

* move proto lint into a dedicated job

* re-render TF resources

* run proto checks on Terraform template or exmaple changes

* run proto checks on generator changes

* address alan's feedback

.github/workflows/lint.yaml

@@ -40,6 +40,23 @@ jobs:
               - 'Cargo.lock'
               - 'build.assets/versions.mk'
               - 'Makefile'
+            has_proto:
+              # workflow changes
+              - '.github/workflows/lint.yaml'
+              # proto files or buf changes
+              - 'go.mod'
+              - 'go.sum'
+              - 'api/proto/**'
+              - 'proto/**'
+              # operator protoc generator change
+              - 'integrations/operator/crdgen'
+              # terraform protoc generator changes
+              - 'integrations/terraform/go.mod'
+              - 'integrations/terraform/gen/docs.sh'
+              - 'integrations/terraform/protoc-gen-terraform-*'
+              - 'integrations/terraform/Makefile'
+              - 'integrations/terraform/examples/**'
+              - 'integrations/terraform/templates/**'
 
   lint-go:
     name: Lint (Go)
@@ -66,12 +83,10 @@ jobs:
 
       - name: Set linter versions
         run: |
-          echo BUF_VERSION=$(cd build.assets; make print-buf-version) >> $GITHUB_ENV
           echo GOLANGCI_LINT_VERSION=$(cd build.assets; make print-golangci-lint-version) >> $GITHUB_ENV
 
       - name: Print linter versions
         run: |
-          echo "BUF_VERSION=$BUF_VERSION"
           echo "GOLANGCI_LINT_VERSION=$GOLANGCI_LINT_VERSION"
 
       # Run various golangci-lint checks.
@@ -118,33 +133,9 @@ jobs:
           args: --out-format=colored-line-number
           skip-cache: true
 
-      - uses: bufbuild/buf-setup-action@35c243d7f2a909b1d4e40399b348a7fdab27d78d # v1.34.0
-        with:
-          github_token: ${{ github.token }}
-          version: ${{ env.BUF_VERSION }}
-      - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1
-      - name: buf breaking from parent to self
-        uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1.1.4
-        with:
-          against: 'https://github.com/${GITHUB_REPOSITORY}.git#branch=${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}'
-      - name: buf breaking from self to master
-        uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1.1.4
-        if: ${{ github.base_ref != 'master' && github.event.merge_group.base_ref != 'refs/heads/master' }}
-        with:
-          input: 'https://github.com/${GITHUB_REPOSITORY}.git#branch=master'
-          against: '.'
-
       - name: Run (non-action) linters
         run: make lint-no-actions
 
-      - name: Check if protos are up to date
-        # We have to add the current directory as a safe directory or else git commands will not work as expected.
-        run: git config --global --add safe.directory $(realpath .) && make protos-up-to-date/host
-
-      - name: Check if Operator CRDs are up to date
-        # We have to add the current directory as a safe directory or else git commands will not work as expected.
-        run: git config --global --add safe.directory $(realpath .) && make crds-up-to-date
-
       - name: Check if derived functions are up to date
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
         run: git config --global --add safe.directory $(realpath .) && make derive-up-to-date
@@ -177,3 +168,54 @@ jobs:
 
       - name: Run Rust linters
         run: make lint-rust
+
+  lint-proto:
+    name: Lint (Proto)
+    needs: changes
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') && needs.changes.outputs.has_proto == 'true' }}
+    runs-on: ubuntu-22.04-16core
+
+    permissions:
+      contents: read
+
+    container:
+      image: ghcr.io/gravitational/teleport-buildbox:teleport16
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set linter versions
+        run: |
+          echo BUF_VERSION=$(cd build.assets; make print-buf-version) >> $GITHUB_ENV
+
+      - name: Print linter versions
+        run: |
+          echo "BUF_VERSION=$BUF_VERSION"
+      - uses: bufbuild/buf-setup-action@35c243d7f2a909b1d4e40399b348a7fdab27d78d # v1.34.0
+        with:
+          github_token: ${{ github.token }}
+          version: ${{ env.BUF_VERSION }}
+      - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1
+      - name: buf breaking from parent to self
+        uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1.1.4
+        with:
+          against: 'https://github.com/${GITHUB_REPOSITORY}.git#branch=${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}'
+      - name: buf breaking from self to master
+        uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1.1.4
+        if: ${{ github.base_ref != 'master' && github.event.merge_group.base_ref != 'refs/heads/master' }}
+        with:
+          input: 'https://github.com/${GITHUB_REPOSITORY}.git#branch=master'
+          against: '.'
+
+      - name: Check if protos are up to date
+        # We have to add the current directory as a safe directory or else git commands will not work as expected.
+        run: git config --global --add safe.directory $(realpath .) && make protos-up-to-date/host
+
+      - name: Check if Operator CRDs are up to date
+        # We have to add the current directory as a safe directory or else git commands will not work as expected.
+        run: git config --global --add safe.directory $(realpath .) && make crds-up-to-date
+
+      - name: Check if Terraform resources are up to date
+        # We have to add the current directory as a safe directory or else git commands will not work as expected.
+        run: git config --global --add safe.directory $(realpath .) && make terraform-resources-up-to-date

Makefile

@@ -1496,6 +1496,16 @@ crds-up-to-date: must-start-clean/host
 		exit 1; \
 	fi
 
+# tfdocs-up-to-date checks if the generated Terraform types and documentation from the protobuf stubs are up to date.
+.PHONY: terraform-resources-up-to-date
+terraform-resources-up-to-date: must-start-clean/host
+	$(MAKE) -C integrations/terraform docs
+	@if ! git diff --quiet; then \
+		echo 'Please run make -C integrations/terraform docs.'; \
+		git diff; \
+		exit 1; \
+	fi
+
 print/env:
 	env
 

docs/pages/reference/terraform-provider/data-sources/auth_preference.mdx

@@ -39,6 +39,7 @@ Optional:
 - `piv_slot` (String) TODO(Joerger): DELETE IN 17.0.0 Deprecated, replaced by HardwareKey settings.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `second_factor` (String) SecondFactor is the type of second factor.
+- `signature_algorithm_suite` (Number) SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster. The current default value is "legacy". This field is not yet fully supported.
 - `type` (String) Type is the type of authentication.
 - `u2f` (Attributes) U2F are the settings for the U2F device. (see [below for nested schema](#nested-schema-for-specu2f))
 - `webauthn` (Attributes) Webauthn are the settings for server-side Web Authentication support. (see [below for nested schema](#nested-schema-for-specwebauthn))

docs/pages/reference/terraform-provider/resources/auth_preference.mdx

@@ -57,6 +57,7 @@ Optional:
 - `piv_slot` (String) TODO(Joerger): DELETE IN 17.0.0 Deprecated, replaced by HardwareKey settings.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `second_factor` (String) SecondFactor is the type of second factor.
+- `signature_algorithm_suite` (Number) SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster. The current default value is "legacy". This field is not yet fully supported.
 - `type` (String) Type is the type of authentication.
 - `u2f` (Attributes) U2F are the settings for the U2F device. (see [below for nested schema](#nested-schema-for-specu2f))
 - `webauthn` (Attributes) Webauthn are the settings for server-side Web Authentication support. (see [below for nested schema](#nested-schema-for-specwebauthn))