From 3fe2bc45dc1ec7e10297193ab02c767a07bc3d84 Mon Sep 17 00:00:00 2001 From: ilia-medvedev-codefresh Date: Mon, 15 Jul 2024 09:59:28 +0300 Subject: [PATCH] fix - permission resource update failures and ignored related_resource attribute (#150) --- codefresh/cfclient/permission.go | 25 +++++++++++-- codefresh/resource_permission.go | 51 +++++++++++++++++++-------- codefresh/resource_permission_test.go | 12 +++++++ 3 files changed, 71 insertions(+), 17 deletions(-) diff --git a/codefresh/cfclient/permission.go b/codefresh/cfclient/permission.go index 181fc8de..aaeea946 100644 --- a/codefresh/cfclient/permission.go +++ b/codefresh/cfclient/permission.go @@ -9,7 +9,7 @@ type Permission struct { ID string `json:"id,omitempty"` Team string `json:"role,omitempty"` Resource string `json:"resource,omitempty"` - RelatedResource string `json:"related_resource,omitempty"` + RelatedResource string `json:"relatedResource,omitempty"` Action string `json:"action,omitempty"` Account string `json:"account,omitempty"` Tags []string `json:"attributes,omitempty"` @@ -20,7 +20,7 @@ type NewPermission struct { ID string `json:"_id,omitempty"` Team string `json:"team,omitempty"` Resource string `json:"resource,omitempty"` - RelatedResource string `json:"related_resource,omitempty"` + RelatedResource string `json:"relatedResource,omitempty"` Action string `json:"action,omitempty"` Account string `json:"account,omitempty"` Tags []string `json:"tags,omitempty"` @@ -142,3 +142,24 @@ func (client *Client) DeletePermission(id string) error { return nil } + +func (client *Client) UpdatePermissionTags(permission *Permission) error { + + fullPath := fmt.Sprintf("/abac/tags/rule/%s", permission.ID) + + body, _ := EncodeToJSON(permission.Tags) + + opts := RequestOptions{ + Path: fullPath, + Method: "POST", + Body: body, + } + + _, err := client.RequestAPI(&opts) + + if err != nil { + return err + } + + return nil +} diff --git a/codefresh/resource_permission.go b/codefresh/resource_permission.go index 1e9f1379..b6b4c491 100644 --- a/codefresh/resource_permission.go +++ b/codefresh/resource_permission.go @@ -7,6 +7,7 @@ import ( "github.com/codefresh-io/terraform-provider-codefresh/codefresh/cfclient" "github.com/codefresh-io/terraform-provider-codefresh/codefresh/internal/datautil" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" funk "github.com/thoas/go-funk" @@ -96,7 +97,9 @@ The tags for which to apply the permission. Supports two custom tags: }, }, }, - CustomizeDiff: resourcePermissionCustomDiff, + CustomizeDiff: customdiff.All( + resourcePermissionCustomDiff, + ), } } @@ -157,18 +160,30 @@ func resourcePermissionRead(d *schema.ResourceData, meta interface{}) error { func resourcePermissionUpdate(d *schema.ResourceData, meta interface{}) error { client := meta.(*cfclient.Client) - permission := *mapResourceToPermission(d) - resp, err := client.CreatePermission(&permission) - if err != nil { - return err - } - deleteErr := resourcePermissionDelete(d, meta) - if deleteErr != nil { - log.Printf("[WARN] failed to delete permission %v: %v", permission, deleteErr) + // In case team, action or relatedResource or resource have changed - a new permission needs to be created (but without recreating the terraform resource as destruction of resources is alarming for end users) + if d.HasChanges("team", "action", "related_resource", "resource") { + deleteErr := resourcePermissionDelete(d, meta) + + if deleteErr != nil { + log.Printf("[WARN] failed to delete permission %v: %v", permission, deleteErr) + } + + resp, err := client.CreatePermission(&permission) + + if err != nil { + return err + } + + d.SetId(resp.ID) + // Only tags can be updated + } else if d.HasChange("tags") { + err := client.UpdatePermissionTags(&permission) + if err != nil { + return err + } } - d.SetId(resp.ID) return resourcePermissionRead(d, meta) } @@ -206,6 +221,11 @@ func mapPermissionToResource(permission *cfclient.Permission, d *schema.Resource return err } + err = d.Set("related_resource", permission.RelatedResource) + if err != nil { + return err + } + err = d.Set("tags", permission.Tags) if err != nil { return err @@ -224,11 +244,12 @@ func mapResourceToPermission(d *schema.ResourceData) *cfclient.Permission { tags = []string{"*", "untagged"} } permission := &cfclient.Permission{ - ID: d.Id(), - Team: d.Get("team").(string), - Action: d.Get("action").(string), - Resource: d.Get("resource").(string), - Tags: tags, + ID: d.Id(), + Team: d.Get("team").(string), + Action: d.Get("action").(string), + Resource: d.Get("resource").(string), + RelatedResource: d.Get("related_resource").(string), + Tags: tags, } return permission diff --git a/codefresh/resource_permission_test.go b/codefresh/resource_permission_test.go index 5dd356ec..0b4ec91b 100644 --- a/codefresh/resource_permission_test.go +++ b/codefresh/resource_permission_test.go @@ -27,6 +27,18 @@ func TestAccCodefreshPermissionConfig(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "action", "create"), resource.TestCheckResourceAttr(resourceName, "resource", "pipeline"), resource.TestCheckResourceAttr(resourceName, "tags.0", "*"), + resource.TestCheckResourceAttr(resourceName, "related_resource", ""), + resource.TestCheckResourceAttr(resourceName, "tags.1", "production"), + ), + }, + { + Config: testAccCodefreshPermissionConfig("create", "pipeline", "project", []string{"production", "*"}), + Check: resource.ComposeTestCheckFunc( + testAccCheckCodefreshPermissionExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "action", "create"), + resource.TestCheckResourceAttr(resourceName, "resource", "pipeline"), + resource.TestCheckResourceAttr(resourceName, "related_resource", "project"), + resource.TestCheckResourceAttr(resourceName, "tags.0", "*"), resource.TestCheckResourceAttr(resourceName, "tags.1", "production"), ), },