Telmate / terraform-provider-proxmox

Terraform provider plugin for proxmox
MIT License

Update documentation to add privilege needed to manage cloud-init content #1002

Open pwhack opened 6 months ago

pwhack commented 6 months ago

Hi,

I'm using version 3.0.1-rc1 of the provider against Proxmox 8.2.2 and followed the current documentation to create a role, user, and bind them together in Proxmox. When attempting to create a proxmox_cloud_init_disk resource in Terraform I got the following error:

proxmox_cloud_init_disk.ci: Creating...
╷
│ Error: read tcp 192.168.1.68:51682->192.168.1.38:8006: read: connection reset by peer
│ 
│   with proxmox_cloud_init_disk.ci,
│   on vm-cloudinit.tf line 8, in resource "proxmox_cloud_init_disk" "ci":
│    8: resource "proxmox_cloud_init_disk" "ci" {
│ 
╵

After some digging in logs on the Proxmox host I noticed an HTTP 403 error in /var/log/pveproxy/access.log:

...
::ffff:192.168.1.68 - - [03/05/2024:19:36:38 -0600] "POST /api2/json/access/ticket HTTP/1.1" 200 1016
::ffff:192.168.1.68 - terraform-prov@pve [03/05/2024:19:36:38 -0600] "GET /api2/json/access/users?full=1 HTTP/1.1" 200 283
::ffff:192.168.1.68 - terraform-prov@pve [03/05/2024:19:36:38 -0600] "GET /api2/json/access/permissions?userid=terraform-prov@pve&path=/ HTTP/1.1" 200 395
::ffff:192.168.1.68 - - [03/05/2024:19:36:38 -0600] "POST /api2/json/nodes/radon/storage/local/upload HTTP/1.1" 403 -
::ffff:192.168.1.68 - root@pam [03/05/2024:19:36:38 -0600] "GET /api2/json/nodes/radon/status HTTP/1.1" 200 818
...

It seemed the provider was not authorized to upload snippet content to the storage location. After browsing through the Proxmox Permission Management guide, I guessed the privilege Datastore.AllocateTemplate is needed. I modified the privileges for the role to include that privilege and was able to successfully create a proxmox_cloud_init_disk resource.

proxmox_cloud_init_disk.ci: Creating...
proxmox_cloud_init_disk.ci: Creation complete after 0s [id=local:iso/tf-ci-test-vm-cloudinit.iso]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Please change the documentation so that this block...

pveum role add TerraformProv -privs "Datastore.AllocateSpace Datastore.Audit Pool.Allocate Sys.Audit Sys.Console Sys.Modify VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.Cloudinit VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Migrate VM.Monitor VM.PowerMgmt SDN.Use"

...is instead...

pveum role add TerraformProv -privs "Datastore.AllocateSpace Datastore.Audit Datastore.AllocateTemplate Pool.Allocate Sys.Audit Sys.Console Sys.Modify VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.Cloudinit VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Migrate VM.Monitor VM.PowerMgmt SDN.Use"

Thanks!

pwhack commented 6 months ago

I'm not sure how content from this repo ends up in the Terraform Registry docs but I'm guessing this line is what needs to change per my recommendation above.

pwhack commented 6 months ago

Also I just noticed that Datastore.Allocate is needed to modify existing cloud-init content. Without this, I received another HTTP 403 error in the /var/log/pveproxy/access.log:

::ffff:192.168.1.68 - terraform-prov@pve [03/05/2024:20:10:41 -0600] "DELETE /api2/json/nodes/radon/storage/local/content/local:iso/tf-ci-test-vm-cloudinit.iso HTTP/1.1" 403 13

EDIT: So now the documentation block should probably say:

pveum role add TerraformProv -privs "Datastore.AllocateSpace Datastore.Audit Datastore.AllocateTemplate Datastore.Allocate Pool.Allocate Sys.Audit Sys.Console Sys.Modify VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.Cloudinit VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Migrate VM.Monitor VM.PowerMgmt SDN.Use"

maksimsamt commented 5 months ago

From my point of view, such an approach, granting Datastore.Allocate, Datastore.AllocateTemplate for the root pool / or for all the disks, and many other roles/permissions, is very risky and gives the user too many permissions, thus dramatically increasing the blast area. A more secure option is to configure fine-grained permissions, and it can be achieved with a user/token with privilege separation; my example is described in this post - https://github.com/Telmate/terraform-provider-proxmox/issues/784#issuecomment-2135266013
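A small triage helper, added here as an example (it is not the provider's code nor anything posted by the participants): it reads pveproxy access.log lines and maps each 403 on a storage endpoint to the privilege this thread found missing, together with the per-storage ACL path (/storage/&lt;id&gt;) where that privilege can be bound instead of at "/", in the spirit of the fine-grained approach suggested above. The sample log lines are constructed to match the format quoted in the issue (node "radon", storage "local").

```shell
#!/usr/bin/env bash
# Constructed sample of /var/log/pveproxy/access.log lines, modelled on the
# format quoted in this issue (node "radon", storage "local", user terraform-prov@pve).
SAMPLE_LOG='::ffff:192.168.1.68 - - [03/05/2024:19:36:38 -0600] "POST /api2/json/access/ticket HTTP/1.1" 200 1016
::ffff:192.168.1.68 - - [03/05/2024:19:36:38 -0600] "POST /api2/json/nodes/radon/storage/local/upload HTTP/1.1" 403 -
::ffff:192.168.1.68 - root@pam [03/05/2024:19:36:38 -0600] "GET /api2/json/nodes/radon/status HTTP/1.1" 200 818
::ffff:192.168.1.68 - terraform-prov@pve [03/05/2024:20:10:41 -0600] "DELETE /api2/json/nodes/radon/storage/local/content/local:iso/tf-ci-test-vm-cloudinit.iso HTTP/1.1" 403 13
::ffff:192.168.1.68 - terraform-prov@pve [03/05/2024:20:12:00 -0600] "GET /api2/json/access/users?full=1 HTTP/1.1" 403 13'

# Reads access.log lines on stdin and, for each 403 on a storage endpoint, prints
#   <node> <storage> <missing privilege> <ACL path to grant it on>
# The privilege mapping is the one this thread established (upload -> AllocateTemplate,
# DELETE content -> Allocate); the ACL path is the per-storage path /storage/<id>,
# so the role can be bound to just that datastore rather than to "/".
pve_storage_403s() {
  awk -F'"' '
    {
      split($2, req, " "); method = req[1]; url = req[2]
      split($3, tail, " "); status = tail[1]
      if (status != "403") next
      # URL layout: /api2/json/nodes/<node>/storage/<storage>/<endpoint>[/...]
      split(url, p, "/")
      if (p[4] != "nodes" || p[6] != "storage") next   # 403 elsewhere: not a datastore privilege
      node = p[5]; storage = p[7]; endpoint = p[8]
      if (endpoint == "upload")                             priv = "Datastore.AllocateTemplate"
      else if (endpoint == "content" && method == "DELETE") priv = "Datastore.Allocate"
      else                                                  priv = "unknown(" method " " endpoint ")"
      printf "%s %s %s /storage/%s\n", node, storage, priv, storage
    }'
}

# Runs the triage over the constructed sample and returns the findings as text.
run_sample() {
  printf '%s\n' "$SAMPLE_LOG" | pve_storage_403s
}

run_sample
```

On a real host, feed it the live log instead: `pve_storage_403s < /var/log/pveproxy/access.log`.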