CENG-569: Add warning and error out on specific cases to avoid repo lockouts (#155)

* Add warning and error out on specific cases to avoid repo lockouts

Author: BartoszBlizniak

cloudsmith/data_source_repository_privileges_test.go

@@ -39,6 +39,8 @@ resource "cloudsmith_service" "test" {
 	role         = "Member"
 }
 
+data "cloudsmith_user_self" "current" {}
+
 resource "cloudsmith_repository_privileges" "test" {
     organization = cloudsmith_repository.test.namespace
     repository   = cloudsmith_repository.test.slug
@@ -47,6 +49,12 @@ resource "cloudsmith_repository_privileges" "test" {
 		privilege = "Read"
 		slug      = cloudsmith_service.test.slug
 	}
+
+	# Include the authenticated account explicitly to satisfy lockout safeguard.
+	user {
+		privilege = "Admin"
+		slug      = data.cloudsmith_user_self.current.slug
+	}
 }
 
 data "cloudsmith_repository_privileges" "test_data" {

cloudsmith/resource_repository_privileges.go

@@ -3,6 +3,7 @@ package cloudsmith
 import (
 	"context"
 	"fmt"
+	"log"
 	"strings"
 	"time"
 
@@ -20,6 +21,44 @@ var (
 	}
 )
 
+// containsAccountSlug returns true if any privilege entry contains the provided slug
+// either as a user or service.
+func containsAccountSlug(privs []cloudsmith.RepositoryPrivilegeDict, slug string) bool {
+	for _, p := range privs {
+		if p.HasUser() && p.GetUser() == slug {
+			return true
+		}
+		if p.HasService() && p.GetService() == slug {
+			return true
+		}
+	}
+	return false
+}
+
+// containsTeam returns true if any privilege entry references a team.
+func containsTeam(privs []cloudsmith.RepositoryPrivilegeDict) bool {
+	for _, p := range privs {
+		if p.HasTeam() {
+			return true
+		}
+	}
+	return false
+}
+
+// setContainsSlug returns true if the *schema.Set contains an element whose slug matches key.
+func setContainsSlug(set *schema.Set, key string) bool {
+	if set == nil {
+		return false
+	}
+	for _, x := range set.List() {
+		m := x.(map[string]interface{})
+		if m["slug"].(string) == key {
+			return true
+		}
+	}
+	return false
+}
+
 // expandRepositoryPrivilegeServices extracts "services" from TF state as a *schema.Set and converts to
 // a slice of structs we can use when interacting with the Cloudsmith API.
 func expandRepositoryPrivilegeServices(d *schema.ResourceData) []cloudsmith.RepositoryPrivilegeDict {
@@ -149,12 +188,31 @@ func resourceRepositoryPrivilegesCreateUpdate(d *schema.ResourceData, m interfac
 	privileges = append(privileges, expandRepositoryPrivilegeTeams(d)...)
 	privileges = append(privileges, expandRepositoryPrivilegeUsers(d)...)
 
+	// Only return an error if the authenticated account is NOT present in any user/service block
+	// AND there are NO team blocks defined. If team blocks are present, emit a warning only.
+	userReq := pc.APIClient.UserApi.UserSelf(pc.Auth)
+	userSelf, _, err := pc.APIClient.UserApi.UserSelfExecute(userReq)
+	if err != nil {
+		return fmt.Errorf("error retrieving authenticated account for lockout prevention: %w", err)
+	}
+	currentSlug := userSelf.GetSlug()
+
+	if !containsAccountSlug(privileges, currentSlug) {
+		if !containsTeam(privileges) {
+			return fmt.Errorf(
+				"repository_privileges (%s.%s): configuration must include authenticated account slug '%s' (user or service block) OR at least one team block to avoid potential lockout",
+				organization, repository, currentSlug,
+			)
+		}
+		log.Printf("[WARN] repository_privileges (%s.%s): authenticated account slug '%s' not explicitly included via user/service; ensure access via configured teams to avoid lockout.", organization, repository, currentSlug)
+	}
+
 	req := pc.APIClient.ReposApi.ReposPrivilegesUpdate(pc.Auth, organization, repository)
 	req = req.Data(cloudsmith.RepositoryPrivilegeInputRequest{
 		Privileges: privileges,
 	})
 
-	_, err := pc.APIClient.ReposApi.ReposPrivilegesUpdateExecute(req)
+	_, err = pc.APIClient.ReposApi.ReposPrivilegesUpdateExecute(req)
 	if err != nil {
 		return err
 	}
@@ -256,6 +314,47 @@ func resourceRepositoryPrivileges() *schema.Resource {
 		Update: resourceRepositoryPrivilegesCreateUpdate,
 		Delete: resourceRepositoryPrivilegesDelete,
 
+		// Plan-time validation to surface lockout risk earlier than apply. We still
+		// keep the apply-time safety net in Create/Update for defense in depth.
+		CustomizeDiff: func(ctx context.Context, d *schema.ResourceDiff, meta interface{}) error {
+			pc := meta.(*providerConfig)
+			userReq := pc.APIClient.UserApi.UserSelf(pc.Auth)
+			userSelf, _, err := pc.APIClient.UserApi.UserSelfExecute(userReq)
+			if err != nil {
+				// If we cannot determine the current user, defer to apply-time logic.
+				return nil
+			}
+			currentSlug := userSelf.GetSlug()
+
+			var userSet *schema.Set
+			if v, ok := d.GetOk("user"); ok {
+				userSet = v.(*schema.Set)
+			}
+			var serviceSet *schema.Set
+			if v, ok := d.GetOk("service"); ok {
+				serviceSet = v.(*schema.Set)
+			}
+			var teamSet *schema.Set
+			if v, ok := d.GetOk("team"); ok {
+				teamSet = v.(*schema.Set)
+			}
+
+			hasUserOrService := setContainsSlug(userSet, currentSlug) || setContainsSlug(serviceSet, currentSlug)
+			teamCount := 0
+			if teamSet != nil {
+				teamCount = teamSet.Len()
+			}
+
+			if !hasUserOrService {
+				if teamCount == 0 {
+					return fmt.Errorf("repository_privileges: authenticated account slug '%s' must be included (user or service block) OR at least one team block must be defined to avoid potential lockout", currentSlug)
+				}
+				log.Printf("[WARN] repository_privileges (plan): authenticated account slug '%s' not explicitly included via user/service; ensure team-based access is sufficient to avoid lockout.", currentSlug)
+			}
+
+			return nil
+		},
+
 		Importer: &schema.ResourceImporter{
 			StateContext: importRepositoryPrivileges,
 		},

cloudsmith/resource_repository_privileges_test.go

@@ -83,6 +83,8 @@ resource "cloudsmith_service" "test" {
 	role         = "Member"
 }
 
+data "cloudsmith_user_self" "current" {}
+
 resource "cloudsmith_repository_privileges" "test" {
     organization = cloudsmith_repository.test.namespace
     repository   = cloudsmith_repository.test.slug
@@ -91,6 +93,12 @@ resource "cloudsmith_repository_privileges" "test" {
 		privilege = "Read"
 		slug      = cloudsmith_service.test.slug
 	}
+
+	# Include the authenticated account explicitly to satisfy lockout safeguard.
+	user {
+		privilege = "Admin"
+		slug      = data.cloudsmith_user_self.current.slug
+	}
 }
 `, os.Getenv("CLOUDSMITH_NAMESPACE"))
 
@@ -106,6 +114,8 @@ resource "cloudsmith_service" "test" {
 	role         = "Member"
 }
 
+data "cloudsmith_user_self" "current" {}
+
 resource "cloudsmith_repository_privileges" "test" {
     organization = cloudsmith_repository.test.namespace
     repository   = cloudsmith_repository.test.slug
@@ -114,6 +124,12 @@ resource "cloudsmith_repository_privileges" "test" {
 		privilege = "Write"
 		slug      = cloudsmith_service.test.slug
 	}
+
+	# Include the authenticated account explicitly to satisfy lockout safeguard.
+	user {
+		privilege = "Admin"
+		slug      = data.cloudsmith_user_self.current.slug
+	}
 }
 `, os.Getenv("CLOUDSMITH_NAMESPACE"))
 

docs/resources/repository_privileges.md

@@ -4,6 +4,9 @@ The repository privileges resource allows the management of privileges for a giv
 
 Note that while users can be added to repositories in this manner, since Terraform does not (and cannot currently) manage those user accounts, you may encounter issues if the users change or are deleted outside of Terraform.
 
+> [!WARNING] Important: When a repository is first created in Cloudsmith, the creating account (user or service account that owns the API key) is automatically granted an implicit Admin privilege. 
+When you later manage privileges via this resource, you must explicitly include that account (using a `user` or `service` block with the appropriate `slug`). Otherwise, the provider will refuse to apply the change to prevent locking you out. You will still be able to apply changes if a `team` block is present. However, you must make sure that the account has sufficient permission within the team, or lockout can still occur.
+
 See [docs.cloudsmith.com](https://docs.cloudsmith.com/repositories/repository-settings#repository-privileges) for full permissions documentation.
 
 ## Example Usage
@@ -25,38 +28,53 @@ resource "cloudsmith_repository" "my_repository" {
 }
 
 resource "cloudsmith_team" "my_team" {
- organization = data.cloudsmith_organization.my_organization.slug_perm
- name         = "My Team"
+    organization = data.cloudsmith_organization.my_organization.slug_perm
+    name         = "My Team"
 }
 
 resource "cloudsmith_team" "my_other_team" {
- organization = data.cloudsmith_organization.my_organization.slug_perm
- name         = "My Other Team"
+    organization = data.cloudsmith_organization.my_organization.slug_perm
+    name         = "My Other Team"
 }
 
 resource "cloudsmith_service" "my_service" {
- name         = "My Service"
- organization = data.cloudsmith_organization.my_organization.slug_perm
+    name         = "My Service"
+    organization = data.cloudsmith_organization.my_organization.slug_perm
 }
 
+# This will return a slug for either service or user
+data "cloudsmith_user_self" "current" {}
+
 resource "cloudsmith_repository_privileges" "privs" {
     organization = data.cloudsmith_organization.my_organization.slug
     repository   = cloudsmith_repository.my_repository.slug
 
- service {
-  privilege = "Write"
-  slug      = cloudsmith_service.my_service.slug
- }
+    ### Always include the authenticated account to avoid lockout (see note above)
+
+    # user {
+    #   privilege = "Admin"
+    #   slug      = data.cloudsmith_user_self.current.slug
+    # }
+
+    # service {
+    #    privilege = "Admin"
+    #    slug      = data.cloudsmith_user_self.current.slug
+    # }
+    
+    service {
+        privilege = "Write"
+        slug      = cloudsmith_service.my_service.slug
+    }
 
- team {
-  privilege = "Write"
-  slug      = cloudsmith_team.my_team.slug
- }
+    team {
+        privilege = "Write"
+        slug      = cloudsmith_team.my_team.slug
+    }
 
- team {
-  privilege = "Read"
-  slug      = cloudsmith_team.my_other_team.slug
- }
+    team {
+        privilege = "Read"
+        slug      = cloudsmith_team.my_other_team.slug
+    }
 
     user {
         privilege = "Read"
@@ -72,14 +90,14 @@ The following arguments are supported:
 * `organization` - (Required) Organization to which this repository belongs.
 * `repository` - (Required) Repository to which these privileges apply.
 * `service` - (Optional) Variable number of blocks containing service accounts that should have repository privileges.
- 	* `privilege` - (Required) The service's privilege level in the repository. Must be one of `Admin`, `Write`, or `Read`.
- 	* `slug` - (Required) The slug/identifier of the service.
+   	* `privilege` - (Required) The service's privilege level in the repository. Must be one of `Admin`, `Write`, or `Read`.
+   	* `slug` - (Required) The slug/identifier of the service.
 * `team` - (Optional) Variable number of blocks containing teams that should have repository privileges.
- 	* `privilege` - (Required) The team's privilege level in the repository. Must be one of `Admin`, `Write`, or `Read`.
- 	* `slug` - (Required) The slug/identifier of the team.
+   	* `privilege` - (Required) The team's privilege level in the repository. Must be one of `Admin`, `Write`, or `Read`.
+   	* `slug` - (Required) The slug/identifier of the team.
 * `user` - (Optional) Variable number of blocks containing users that should have repository privileges.
- 	* `privilege` - (Required) The user's privilege level in the repository. Must be one of `Admin`, `Write`, or `Read`.
- 	* `slug` - (Required) The slug/identifier of the user.
+   	* `privilege` - (Required) The user's privilege level in the repository. Must be one of `Admin`, `Write`, or `Read`.
+   	* `slug` - (Required) The slug/identifier of the user.
 
 ## Import