add crowdstrike_cloud_group resource (#190)

Author: ffalor

docs/resources/cloud_group.md

@@ -0,0 +1,265 @@
+---
+page_title: "crowdstrike_cloud_group Resource - crowdstrike"
+subcategory: "Falcon Cloud Security"
+description: |-
+  This resource manages CrowdStrike Cloud Groups for organizing cloud resources and container images.
+  API Scopes
+  The following API scopes are required:
+  Cloud security | Read & Write
+---
+
+# crowdstrike_cloud_group (Resource)
+
+This resource manages CrowdStrike Cloud Groups for organizing cloud resources and container images.
+
+## API Scopes
+
+The following API scopes are required:
+
+- Cloud security | Read & Write
+
+
+## Example Usage
+
+```terraform
+terraform {
+  required_providers {
+    crowdstrike = {
+      source = "crowdstrike/crowdstrike"
+    }
+  }
+}
+
+provider "crowdstrike" {
+  cloud = "us-1"
+}
+
+# AWS cloud group with filters
+resource "crowdstrike_cloud_group" "aws_production" {
+  name            = "Production AWS Resources"
+  description     = "Production AWS accounts in us-east-1 and us-west-2"
+  business_impact = "high"
+  business_unit   = "Engineering"
+  environment     = "prod"
+  owners          = ["[email protected]", "[email protected]"]
+
+  aws = {
+    account_ids = ["123456789012", "234567890123"]
+    filters = {
+      region = ["us-east-1", "us-west-2"]
+      tags   = ["Environment=Production", "Team=Platform"]
+    }
+  }
+}
+
+# Multi-cloud group
+resource "crowdstrike_cloud_group" "multi_cloud_dev" {
+  name            = "Development Multi-Cloud"
+  description     = "Development resources across AWS, Azure, and GCP"
+  business_impact = "moderate"
+  environment     = "dev"
+
+  aws = {
+    account_ids = ["987654321098"]
+    filters = {
+      region = ["us-east-1"]
+    }
+  }
+
+  azure = {
+    account_ids = ["a1b2c3d4-e5f6-7890-abcd-ef1234567890"]
+    filters = {
+      region = ["eastus"]
+      tags   = ["Environment=Dev"]
+    }
+  }
+
+  gcp = {
+    account_ids = ["my-gcp-project-id"]
+    filters = {
+      region = ["us-central1"]
+    }
+  }
+}
+
+# Container image group
+resource "crowdstrike_cloud_group" "container_images" {
+  name        = "Production Container Images"
+  description = "Production container images from various registries"
+  environment = "prod"
+
+  images = [
+    {
+      registry     = "docker.io"
+      repositories = ["myorg/backend-api"]
+      tags         = ["v1.2.3"]
+    },
+    {
+      registry     = "ghcr.io"
+      repositories = ["myorg/frontend"]
+      tags         = ["latest"]
+    },
+    {
+      registry     = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
+      repositories = ["internal/worker"]
+    }
+  ]
+}
+
+# Azure-only group with minimal configuration
+resource "crowdstrike_cloud_group" "azure_simple" {
+  name = "Azure Subscriptions"
+
+  azure = {
+    account_ids = [
+      "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+      "b2c3d4e5-f6a7-8901-bcde-f12345678901"
+    ]
+  }
+}
+
+# GCP group (note: GCP does not support tag filtering)
+resource "crowdstrike_cloud_group" "gcp_projects" {
+  name            = "GCP Projects"
+  description     = "All GCP projects for data analytics"
+  business_unit   = "Data Analytics"
+  business_impact = "moderate"
+
+  gcp = {
+    account_ids = ["analytics-project-prod", "analytics-project-staging"]
+    filters = {
+      region = ["us-central1", "us-east1", "global", "us"]
+    }
+  }
+}
+
+# Multi-cloud group managing all accounts with selective filters
+resource "crowdstrike_cloud_group" "all_clouds_filtered" {
+  name            = "All Cloud Accounts - Production Only"
+  description     = "Access to all accounts across clouds, filtered by production tags"
+  business_impact = "high"
+  environment     = "prod"
+
+  aws = {
+    filters = {
+      region = ["us-east-1", "us-west-2", "eu-west-1"]
+      tags   = ["Environment=Production", "ManagedBy=Terraform"]
+    }
+  }
+
+  azure = {
+    filters = {
+      region = ["eastus", "westus", "westeurope"]
+      tags   = ["Environment=Production"]
+    }
+  }
+
+  gcp = {
+    filters = {
+      region = ["us-central1", "us-east1", "europe-west1"]
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the cloud group.
+
+### Optional
+
+- `aws` (Attributes) AWS cloud resource configuration (see [below for nested schema](#nestedatt--aws))
+- `azure` (Attributes) Azure cloud resource configuration (see [below for nested schema](#nestedatt--azure))
+- `business_impact` (String) An impact level that reflects how critical the cloud group's assets are to business operations. Valid values: high, moderate, low.
+- `business_unit` (String) A free-text label used to associate the cloud group with an internal team.
+- `description` (String) The description of the cloud group.
+- `environment` (String) Environment designation for the group. Valid values: dev, test, stage, prod.
+- `gcp` (Attributes) GCP cloud resource configuration (see [below for nested schema](#nestedatt--gcp))
+- `images` (Attributes List) The container images accessible to the group. Each entry includes a registry and filters for repositories and tags. (see [below for nested schema](#nestedatt--images))
+- `owners` (List of String) Contact information for stakeholders responsible for the cloud group. List of email addresses.
+
+### Read-Only
+
+- `created_at` (String) The timestamp when the group was created.
+- `created_by` (String) The API client ID that created the group.
+- `id` (String) The ID of the cloud group.
+- `last_updated` (String) The timestamp when the group was last updated.
+
+<a id="nestedatt--aws"></a>
+### Nested Schema for `aws`
+
+Optional:
+
+- `account_ids` (List of String) The cloud account identifiers (AWS account IDs) to include in the group. This field limits access to cloud resources in the specified accounts. When not provided, resources across all accounts in the cloud provider are accessible to the group.
+- `filters` (Attributes) Filters for AWS cloud resources (see [below for nested schema](#nestedatt--aws--filters))
+
+<a id="nestedatt--aws--filters"></a>
+### Nested Schema for `aws.filters`
+
+Optional:
+
+- `region` (List of String) List of AWS regions to include
+- `tags` (List of String) List of tags to filter by (format: key=value)
+
+
+
+<a id="nestedatt--azure"></a>
+### Nested Schema for `azure`
+
+Optional:
+
+- `account_ids` (List of String) The cloud account identifiers (Azure subscription IDs) to include in the group. This field limits access to cloud resources in the specified accounts. When not provided, resources across all accounts in the cloud provider are accessible to the group.
+- `filters` (Attributes) Filters for Azure cloud resources (see [below for nested schema](#nestedatt--azure--filters))
+
+<a id="nestedatt--azure--filters"></a>
+### Nested Schema for `azure.filters`
+
+Optional:
+
+- `region` (List of String) List of Azure regions to include
+- `tags` (List of String) List of tags to filter by (format: key=value)
+
+
+
+<a id="nestedatt--gcp"></a>
+### Nested Schema for `gcp`
+
+Optional:
+
+- `account_ids` (List of String) The cloud account identifiers (GCP project IDs) to include in the group. This field limits access to cloud resources in the specified accounts. When not provided, resources across all accounts in the cloud provider are accessible to the group.
+- `filters` (Attributes) Filters for GCP cloud resources. Note: GCP does not support tag filtering. (see [below for nested schema](#nestedatt--gcp--filters))
+
+<a id="nestedatt--gcp--filters"></a>
+### Nested Schema for `gcp.filters`
+
+Optional:
+
+- `region` (List of String) List of GCP regions to include
+
+
+
+<a id="nestedatt--images"></a>
+### Nested Schema for `images`
+
+Required:
+
+- `registry` (String) The container registry to include in the group. Must be a complete HTTPS URL for a supported registry. For info about supported registries and URL format, see https://docs.crowdstrike.com/r/ved836f1
+
+Optional:
+
+- `repositories` (List of String) The container image repositories within the specified registry to filter by. When specified, only images within these repositories are accessible to the group. When omitted, all repositories in the registry are included.
+- `tags` (List of String) The container image tags to filter by. Tag matching is scoped to the specified repositories values, or across all repositories in the given registry if repositories are not provided.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+#!/bin/bash
+
+# Import an existing cloud group by its UUID
+terraform import crowdstrike_cloud_group.aws_production "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+```

examples/resources/crowdstrike_cloud_group/import.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Import an existing cloud group by its UUID
+terraform import crowdstrike_cloud_group.aws_production "a1b2c3d4-e5f6-7890-abcd-ef1234567890"