chore: support set roles for user in workspace level

Author: ecmadao

api/client.go

@@ -76,7 +76,7 @@ type Client interface {
 	// GetProjectIAMPolicy gets the project IAM policy by project full name.
 	GetProjectIAMPolicy(ctx context.Context, projectName string) (*v1pb.IamPolicy, error)
 	// SetProjectIAMPolicy sets the project IAM policy.
-	SetProjectIAMPolicy(ctx context.Context, projectName string, iamPolicy *v1pb.IamPolicy) (*v1pb.IamPolicy, error)
+	SetProjectIAMPolicy(ctx context.Context, projectName string, update *v1pb.SetIamPolicyRequest) (*v1pb.IamPolicy, error)
 
 	// Setting
 	// ListSettings lists all settings.
@@ -98,7 +98,7 @@ type Client interface {
 	// CreateVCSProvider creates the vcs provider.
 	CreateVCSProvider(ctx context.Context, vcsID string, vcs *v1pb.VCSProvider) (*v1pb.VCSProvider, error)
 	// UpdateVCSProvider updates the vcs provider.
-	UpdateVCSProvider(ctx context.Context, patch *v1pb.VCSProvider, updateMasks []string) (*v1pb.VCSConnector, error)
+	UpdateVCSProvider(ctx context.Context, patch *v1pb.VCSProvider, updateMasks []string) (*v1pb.VCSProvider, error)
 	// DeleteVCSProvider deletes the vcs provider.
 	DeleteVCSProvider(ctx context.Context, name string) error
 
@@ -127,4 +127,10 @@ type Client interface {
 	DeleteUser(ctx context.Context, userName string) error
 	// UndeleteUser undeletes the user by name.
 	UndeleteUser(ctx context.Context, userName string) (*v1pb.User, error)
+
+	// Workspace
+	// GetWorkspaceIAMPolicy gets the workspace IAM policy.
+	GetWorkspaceIAMPolicy(ctx context.Context) (*v1pb.IamPolicy, error)
+	// SetWorkspaceIAMPolicy sets the workspace IAM policy.
+	SetWorkspaceIAMPolicy(ctx context.Context, setIamPolicyRequest *v1pb.SetIamPolicyRequest) (*v1pb.IamPolicy, error)
 }

client/project.go

@@ -41,10 +41,8 @@ func (c *client) GetProjectIAMPolicy(ctx context.Context, projectName string) (*
 }
 
 // SetProjectIAMPolicy sets the project IAM policy.
-func (c *client) SetProjectIAMPolicy(ctx context.Context, projectName string, iamPolicy *v1pb.IamPolicy) (*v1pb.IamPolicy, error) {
-	payload, err := protojson.Marshal(&v1pb.SetIamPolicyRequest{
-		Policy: iamPolicy,
-	})
+func (c *client) SetProjectIAMPolicy(ctx context.Context, projectName string, update *v1pb.SetIamPolicyRequest) (*v1pb.IamPolicy, error) {
+	payload, err := protojson.Marshal(update)
 	if err != nil {
 		return nil, err
 	}

client/vcs.go

@@ -72,13 +72,13 @@ func (c *client) CreateVCSProvider(ctx context.Context, vcsID string, vcs *v1pb.
 }
 
 // UpdateVCSProvider updates the vcs provider.
-func (c *client) UpdateVCSProvider(ctx context.Context, patch *v1pb.VCSProvider, updateMasks []string) (*v1pb.VCSConnector, error) {
+func (c *client) UpdateVCSProvider(ctx context.Context, patch *v1pb.VCSProvider, updateMasks []string) (*v1pb.VCSProvider, error) {
 	body, err := c.updateResource(ctx, patch.Name, patch, updateMasks, false /* allow missing = false*/)
 	if err != nil {
 		return nil, err
 	}
 
-	var res v1pb.VCSConnector
+	var res v1pb.VCSProvider
 	if err := ProtojsonUnmarshaler.Unmarshal(body, &res); err != nil {
 		return nil, err
 	}

client/workspace.go

@@ -0,0 +1,52 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	v1pb "github.com/bytebase/bytebase/proto/generated-go/v1"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+// GetWorkspaceIAMPolicy gets the workspace IAM policy.
+func (c *client) GetWorkspaceIAMPolicy(ctx context.Context) (*v1pb.IamPolicy, error) {
+	body, err := c.getResource(ctx, "workspaces/-:getIamPolicy")
+	if err != nil {
+		return nil, err
+	}
+
+	var res v1pb.IamPolicy
+	if err := ProtojsonUnmarshaler.Unmarshal(body, &res); err != nil {
+		return nil, err
+	}
+
+	return &res, nil
+}
+
+// SetWorkspaceIAMPolicy sets the workspace IAM policy.
+func (c *client) SetWorkspaceIAMPolicy(ctx context.Context, setIamPolicyRequest *v1pb.SetIamPolicyRequest) (*v1pb.IamPolicy, error) {
+	payload, err := protojson.Marshal(setIamPolicyRequest)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf("%s/%s/%s:setIamPolicy", c.url, c.version, "workspaces/-"), strings.NewReader(string(payload)))
+
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var res v1pb.IamPolicy
+	if err := ProtojsonUnmarshaler.Unmarshal(body, &res); err != nil {
+		return nil, err
+	}
+
+	return &res, nil
+}

examples/setup/main.tf

@@ -96,10 +96,22 @@ resource "bytebase_instance" "prod" {
   }
 }
 
+# Create a new user.
+resource "bytebase_user" "workspace_dba" {
+  title = "DBA"
+  email = "[email protected]"
+
+  # Grant workspace level roles.
+  roles = ["roles/workspaceDBA"]
+}
+
 # Create a new user.
 resource "bytebase_user" "project_developer" {
   title = "Developer"
   email = "[email protected]"
+
+  # Grant workspace level roles, will grant projectViewer for this user in all projects.
+  roles = ["roles/projectViewer"]
 }
 
 # Create a new project

provider/data_source_user.go

@@ -43,6 +43,14 @@ func dataSourceUser() *schema.Resource {
 				Computed:    true,
 				Description: "The user phone.",
 			},
+			"roles": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Description: "The user's roles in the workspace level",
+			},
 			"type": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -88,10 +96,29 @@ func dataSourceUserRead(ctx context.Context, d *schema.ResourceData, m interface
 
 	d.SetId(user.Name)
 
-	return setUser(d, user)
+	return setUser(ctx, c, d, user)
+}
+
+func getUserRoles(iamPolicy *v1pb.IamPolicy, email string) []string {
+	userBinding := fmt.Sprintf("user:%s", email)
+	roles := []string{}
+
+	for _, binding := range iamPolicy.Bindings {
+		for _, member := range binding.Members {
+			if member == userBinding {
+				roles = append(roles, binding.Role)
+			}
+		}
+	}
+	return roles
 }
 
-func setUser(d *schema.ResourceData, user *v1pb.User) diag.Diagnostics {
+func setUser(ctx context.Context, client api.Client, d *schema.ResourceData, user *v1pb.User) diag.Diagnostics {
+	workspaceIAM, err := client.GetWorkspaceIAMPolicy(ctx)
+	if err != nil {
+		return diag.Errorf("cannot get workspace IAM with error: %s", err.Error())
+	}
+
 	if err := d.Set("title", user.Title); err != nil {
 		return diag.Errorf("cannot set title for user: %s", err.Error())
 	}
@@ -121,6 +148,9 @@ func setUser(d *schema.ResourceData, user *v1pb.User) diag.Diagnostics {
 			return diag.Errorf("cannot set source for user: %s", err.Error())
 		}
 	}
+	if err := d.Set("roles", getUserRoles(workspaceIAM, user.Email)); err != nil {
+		return diag.Errorf("cannot set roles for user: %s", err.Error())
+	}
 
 	return nil
 }

provider/data_source_user_list.go

@@ -52,6 +52,14 @@ func dataSourceUserList() *schema.Resource {
 							Computed:    true,
 							Description: "The user type.",
 						},
+						"roles": {
+							Type:     schema.TypeSet,
+							Computed: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							Description: "The user's roles in the workspace level",
+						},
 						"mfa_enabled": {
 							Type:        schema.TypeBool,
 							Computed:    true,
@@ -92,6 +100,11 @@ func dataSourceUserListRead(ctx context.Context, d *schema.ResourceData, m inter
 		return diag.FromErr(err)
 	}
 
+	workspaceIAM, err := c.GetWorkspaceIAMPolicy(ctx)
+	if err != nil {
+		return diag.Errorf("cannot get workspace IAM with error: %s", err.Error())
+	}
+
 	users := make([]map[string]interface{}, 0)
 	for _, user := range response.Users {
 		raw := make(map[string]interface{})
@@ -107,6 +120,7 @@ func dataSourceUserListRead(ctx context.Context, d *schema.ResourceData, m inter
 			raw["last_login_time"] = p.LastLoginTime.AsTime().UTC().Format(time.RFC3339)
 			raw["last_change_password_time"] = p.LastChangePasswordTime.AsTime().UTC().Format(time.RFC3339)
 		}
+		raw["roles"] = getUserRoles(workspaceIAM, user.Email)
 		users = append(users, raw)
 	}
 	if err := d.Set("users", users); err != nil {