Merge pull request #5912 from steve-thousand/ACCT-10424/account-owned-token-tests

ACCT-10424 adding tests for account owned tokens and fixing bugs

Author: musa-cf

internal/services/account_token/resource_test.go

@@ -0,0 +1,223 @@
+package account_token_test
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/acctest"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/utils"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+)
+
+func TestAccAccountToken_Basic(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	resourceID := "cloudflare_account_token." + rnd
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	permissionID := "82e64a83756745bbbb1c9c2701bf816b" // DNS read
+
+	var policyId string
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccountTokenWithoutCondition(rnd, accountID, rnd, permissionID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceID, "name", rnd),
+					resource.TestCheckResourceAttrSet(resourceID, "policies.0.id"),
+					resource.TestCheckResourceAttrWith(resourceID, "policies.0.id", func(value string) error {
+						policyId = value
+						return nil
+					}),
+					resource.TestCheckResourceAttr(resourceID, "policies.0.permission_groups.0.id", permissionID),
+				),
+			},
+			{
+				Config: testAccCloudflareAccountTokenWithoutCondition(rnd, accountID, rnd+"-updated", permissionID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceID, "name", rnd+"-updated"),
+					resource.TestCheckResourceAttrSet(resourceID, "policies.0.id"),
+					resource.TestCheckResourceAttrWith(resourceID, "policies.0.id", func(value string) error {
+						if value != policyId {
+							return fmt.Errorf("policy ID changed from %s to %s", policyId, value)
+						}
+						return nil
+					}),
+					resource.TestCheckResourceAttr(resourceID, "policies.0.permission_groups.0.id", permissionID),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAccountToken_DoesNotSetConditions(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := "cloudflare_account_token." + rnd
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	permissionID := "82e64a83756745bbbb1c9c2701bf816b" // DNS read
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccountTokenWithoutCondition(rnd, accountID, rnd, permissionID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckNoResourceAttr(name, "condition.request_ip.0.in"),
+					resource.TestCheckNoResourceAttr(name, "condition.request_ip.0.not_in"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCloudflareAccountTokenWithoutCondition(resourceName, accountId, rnd, permissionID string) string {
+	return acctest.LoadTestCase("account_token-without-condition.tf", resourceName, accountId, rnd, permissionID)
+}
+
+func TestAccAccountToken_SetIndividualCondition(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := "cloudflare_account_token." + rnd
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	permissionID := "82e64a83756745bbbb1c9c2701bf816b" // DNS read
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccountTokenWithIndividualCondition(rnd, accountID, permissionID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "condition.request_ip.in.0", "192.0.2.1/32"),
+					resource.TestCheckNoResourceAttr(name, "condition.request_ip.not_in"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCloudflareAccountTokenWithIndividualCondition(rnd, accountID, permissionID string) string {
+	return acctest.LoadTestCase("account_token-with-individual-condition.tf", rnd, accountID, permissionID)
+}
+
+func TestAccAccountToken_SetAllCondition(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := "cloudflare_account_token." + rnd
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	permissionID := "82e64a83756745bbbb1c9c2701bf816b" // DNS read
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccountTokenWithAllCondition(rnd, accountID, permissionID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "condition.request_ip.in.0", "192.0.2.1/32"),
+					resource.TestCheckResourceAttr(name, "condition.request_ip.not_in.0", "198.51.100.1/32"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCloudflareAccountTokenWithAllCondition(rnd, accountID, permissionID string) string {
+	return acctest.LoadTestCase("account_token-with-all-condition.tf", rnd, accountID, permissionID)
+}
+
+func TestAccAccountToken_TokenTTL(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := "cloudflare_account_token." + rnd
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	permissionID := "82e64a83756745bbbb1c9c2701bf816b" // DNS read
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccountTokenWithTTL(rnd, accountID, permissionID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "not_before", "2018-07-01T05:20:00Z"),
+					resource.TestCheckResourceAttr(name, "expires_on", "2032-01-01T00:00:00Z"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCloudflareAccountTokenWithTTL(rnd, accountID, permissionID string) string {
+	return acctest.LoadTestCase("account_token-with-ttl.tf", rnd, accountID, permissionID)
+}
+
+func TestAccAccountToken_PermissionGroupOrder(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := "cloudflare_account_token." + rnd
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	permissionID1 := "82e64a83756745bbbb1c9c2701bf816b" // DNS read
+	permissionID2 := "e199d584e69344eba202452019deafe3" // Disable ESC read
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: acctest.LoadTestCase("account_token-permissiongroup-order.tf", rnd, accountID, permissionID1, permissionID2),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "policies.0.permission_groups.0.id", permissionID1),
+					resource.TestCheckResourceAttr(name, "policies.0.permission_groups.1.id", permissionID2),
+				),
+			},
+			{
+				Config: acctest.LoadTestCase("account_token-permissiongroup-order.tf", rnd, accountID, permissionID2, permissionID1),
+				// changing the order of permission groups should not affect plan
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+					},
+				},
+			},
+		},
+	})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: acctest.LoadTestCase("account_token-permissiongroup-order.tf", rnd, accountID, permissionID2, permissionID1),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "policies.0.permission_groups.0.id", permissionID1),
+					resource.TestCheckResourceAttr(name, "policies.0.permission_groups.1.id", permissionID2),
+				),
+			},
+			{
+				Config: acctest.LoadTestCase("account_token-permissiongroup-order.tf", rnd, accountID, permissionID2, permissionID1),
+				// re-applying same change does not produce drift
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+					},
+				},
+			},
+			{
+				Config: acctest.LoadTestCase("account_token-permissiongroup-order.tf", rnd, accountID, permissionID1, permissionID2),
+				// changing the order of permission groups should not affect plan
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+					},
+				},
+			},
+		},
+	})
+}

internal/services/account_token/schema.go

@@ -35,14 +35,17 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 				Description: "Token name.",
 				Required:    true,
 			},
-			"policies": schema.SetNestedAttribute{
+			"policies": schema.ListNestedAttribute{
 				Description: "List of access policies assigned to the token.",
 				Required:    true,
 				NestedObject: schema.NestedAttributeObject{
 					Attributes: map[string]schema.Attribute{
 						"id": schema.StringAttribute{
 							Description: "Policy identifier.",
 							Computed:    true,
+							PlanModifiers: []planmodifier.String{
+								stringplanmodifier.UseStateForUnknown(),
+							},
 						},
 						"effect": schema.StringAttribute{
 							Description: "Allow or deny operations against the resources.\nAvailable values: \"allow\", \"deny\".",
@@ -51,7 +54,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 								stringvalidator.OneOfCaseInsensitive("allow", "deny"),
 							},
 						},
-						"permission_groups": schema.ListNestedAttribute{
+						"permission_groups": schema.SetNestedAttribute{
 							Description: "A set of permission groups that are specified to the policy.",
 							Required:    true,
 							NestedObject: schema.NestedAttributeObject{

internal/services/account_token/testdata/account_token-permissiongroup-order.tf

@@ -0,0 +1,22 @@
+resource "cloudflare_account_token" "%[1]s" {
+  name = "%[1]s"
+  account_id = "%[2]s"
+
+  policies = [{
+    effect = "allow"
+    permission_groups = [{
+      id = "%[3]s"
+    },{
+      id = "%[4]s"
+    }]
+    resources = {
+      "com.cloudflare.api.account.%[2]s" = "*"
+    }
+  }]
+}
+
+data "cloudflare_account_token" "%[1]s" {
+  account_id = "%[2]s"
+  token_id = cloudflare_account_token.%[1]s.id
+  depends_on = [cloudflare_account_token.%[1]s]
+}

internal/services/account_token/testdata/account_token-with-all-condition.tf

@@ -0,0 +1,21 @@
+resource "cloudflare_account_token" "%[1]s" {
+	name = "%[1]s"
+  	account_id = "%[2]s"
+
+	policies = [{
+		effect = "allow"
+		permission_groups = [{
+	    	id = "%[3]s"
+		}]
+		resources = {
+			"com.cloudflare.api.account.%[2]s" = "*"
+		}
+	}]
+
+	condition = {
+		request_ip = {
+				in     = ["192.0.2.1/32"]
+				not_in = ["198.51.100.1/32"]
+			}
+	}
+}

internal/services/account_token/testdata/account_token-with-individual-condition.tf

@@ -0,0 +1,20 @@
+resource "cloudflare_account_token" "%[1]s" {
+	name = "%[1]s"
+  	account_id = "%[2]s"
+
+	policies = [{
+		effect = "allow"
+		permission_groups = [{
+	    	id = "%[3]s"
+		}]
+		resources = {
+			"com.cloudflare.api.account.%[2]s" = "*"
+		}
+	}]
+
+	condition = {
+		request_ip = {
+				in = ["192.0.2.1/32"]
+			}
+	}
+}

internal/services/account_token/testdata/account_token-with-ttl.tf

@@ -0,0 +1,15 @@
+resource "cloudflare_account_token" "%[1]s" {
+	name = "%[1]s"
+  	account_id = "%[2]s"
+
+	policies = [{
+		effect = "allow"
+		permission_groups = [{ id = "%[3]s" }]
+		resources = {
+			"com.cloudflare.api.account.%[2]s" = "*"
+		}
+	}]
+
+	not_before = "2018-07-01T05:20:00Z"
+	expires_on = "2032-01-01T00:00:00Z"
+}

internal/services/account_token/testdata/account_token-without-condition.tf

@@ -0,0 +1,12 @@
+resource "cloudflare_account_token" "%[1]s" {
+	name = "%[3]s"
+  	account_id = "%[2]s"
+
+	policies = [{
+		effect = "allow"
+		permission_groups = [{ id = "%[4]s" }]
+		resources = {
+			"com.cloudflare.api.account.%[2]s" = "*"
+		}
+	}]
+}