Merge pull request #138 from cloudsmith-io/ceng-447-support-disabling-default-entitlement-token-without-import

CENG-447: Add enabled/disable entitlement token resource

Author: BartoszBlizniak

cloudsmith/provider.go

@@ -64,6 +64,7 @@ func Provider() *schema.Provider {
 			"cloudsmith_saml":                      resourceSAML(),
 			"cloudsmith_saml_auth":                 resourceSAMLAuth(),
 			"cloudsmith_repository_retention_rule": resourceRepoRetentionRule(),
+			"cloudsmith_entitlement_control":       resourceEntitlementControl(),
 		},
 	}
 

cloudsmith/resource_entitlement.go

@@ -97,6 +97,7 @@ func resourceEntitlementRead(d *schema.ResourceData, m interface{}) error {
 	d.Set("limit_path_query", entitlement.GetLimitPathQuery())
 	d.Set("name", entitlement.GetName())
 	d.Set("token", entitlement.GetToken())
+	d.Set("slug_perm", entitlement.GetSlugPerm())
 
 	// namespace and repository are not returned from the entitlement read
 	// endpoint, so we can use the values stored in resource state. We rely on
@@ -260,6 +261,11 @@ func resourceEntitlement() *schema.Resource {
 				ForceNew:     true,
 				ValidateFunc: validation.StringIsNotEmpty,
 			},
+			"slug_perm": {
+				Type:        schema.TypeString,
+				Description: "The permanent slug identifier for the entitlement.",
+				Computed:    true,
+			},
 			"token": {
 				Type:         schema.TypeString,
 				Description:  "The literal value of the token to be created.",

cloudsmith/resource_entitlement_control.go

@@ -0,0 +1,151 @@
+package cloudsmith
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func entitlementControlImport(ctx context.Context, d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) {
+	idParts := strings.Split(d.Id(), ".")
+	if len(idParts) != 3 {
+		return nil, fmt.Errorf(
+			"invalid import ID, must be of the form <namespace>.<repository>.<identifier>, got: %s", d.Id(),
+		)
+	}
+
+	d.Set("namespace", idParts[0])
+	d.Set("repository", idParts[1])
+	d.SetId(idParts[2])
+	return []*schema.ResourceData{d}, nil
+}
+
+func entitlementControlCreate(d *schema.ResourceData, m interface{}) error {
+	pc := m.(*providerConfig)
+
+	namespace := requiredString(d, "namespace")
+	repository := requiredString(d, "repository")
+	identifier := requiredString(d, "identifier")
+	enabled := requiredBool(d, "enabled")
+
+	if enabled {
+		req := pc.APIClient.EntitlementsApi.EntitlementsEnable(pc.Auth, namespace, repository, identifier)
+		_, err := pc.APIClient.EntitlementsApi.EntitlementsEnableExecute(req)
+		if err != nil {
+			return err
+		}
+	} else {
+		req := pc.APIClient.EntitlementsApi.EntitlementsDisable(pc.Auth, namespace, repository, identifier)
+		_, err := pc.APIClient.EntitlementsApi.EntitlementsDisableExecute(req)
+		if err != nil {
+			return err
+		}
+	}
+
+	d.SetId(identifier)
+	return entitlementControlRead(d, m)
+}
+
+func entitlementControlRead(d *schema.ResourceData, m interface{}) error {
+	pc := m.(*providerConfig)
+	namespace := requiredString(d, "namespace")
+	repository := requiredString(d, "repository")
+
+	req := pc.APIClient.EntitlementsApi.EntitlementsRead(pc.Auth, namespace, repository, d.Id())
+	entitlement, resp, err := pc.APIClient.EntitlementsApi.EntitlementsReadExecute(req)
+
+	if err != nil {
+		if is404(resp) {
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	d.Set("enabled", entitlement.GetIsActive())
+	return nil
+}
+
+func entitlementControlUpdate(d *schema.ResourceData, m interface{}) error {
+	pc := m.(*providerConfig)
+
+	namespace := requiredString(d, "namespace")
+	repository := requiredString(d, "repository")
+	enabled := requiredBool(d, "enabled")
+
+	if enabled {
+		req := pc.APIClient.EntitlementsApi.EntitlementsEnable(pc.Auth, namespace, repository, d.Id())
+		_, err := pc.APIClient.EntitlementsApi.EntitlementsEnableExecute(req)
+		if err != nil {
+			return err
+		}
+	} else {
+		req := pc.APIClient.EntitlementsApi.EntitlementsDisable(pc.Auth, namespace, repository, d.Id())
+		_, err := pc.APIClient.EntitlementsApi.EntitlementsDisableExecute(req)
+		if err != nil {
+			return err
+		}
+	}
+
+	return entitlementControlRead(d, m)
+}
+
+func entitlementControlDelete(d *schema.ResourceData, m interface{}) error {
+	// We don't actually delete the entitlement, just disable it
+	pc := m.(*providerConfig)
+	namespace := requiredString(d, "namespace")
+	repository := requiredString(d, "repository")
+
+	req := pc.APIClient.EntitlementsApi.EntitlementsDisable(pc.Auth, namespace, repository, d.Id())
+	_, err := pc.APIClient.EntitlementsApi.EntitlementsDisableExecute(req)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func resourceEntitlementControl() *schema.Resource {
+	return &schema.Resource{
+		Create: entitlementControlCreate,
+		Read:   entitlementControlRead,
+		Update: entitlementControlUpdate,
+		Delete: entitlementControlDelete,
+
+		Importer: &schema.ResourceImporter{
+			StateContext: entitlementControlImport,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"namespace": {
+				Type:         schema.TypeString,
+				Description:  "Namespace to which this entitlement belongs.",
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+			"repository": {
+				Type:         schema.TypeString,
+				Description:  "Repository to which this entitlement belongs.",
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+			"identifier": {
+				Type:         schema.TypeString,
+				Description:  "The identifier (slug_perm) of the entitlement token.",
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+			"enabled": {
+				Type:        schema.TypeBool,
+				Description: "Whether the entitlement token is enabled or disabled.",
+				Required:    true,
+			},
+		},
+	}
+}

cloudsmith/resource_entitlement_control_test.go

@@ -0,0 +1,161 @@
+//nolint:testpackage
+package cloudsmith
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+// TestAccEntitlementControl_basic spins up a repository and uses its default entitlement token,
+// creates an entitlement control with the token disabled, verifies it exists and checks
+// the enabled state is set correctly. Then it changes the enabled state to true,
+// and verifies it's been set correctly before tearing down the resources and
+// verifying deletion.
+func TestAccEntitlementControl_basic(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccEntitlementControlCheckDestroy("cloudsmith_entitlement_control.test"),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEntitlementControlConfigBasic,
+				Check: resource.ComposeTestCheckFunc(
+					testAccEntitlementControlCheckExists("cloudsmith_entitlement_control.test"),
+					resource.TestCheckResourceAttr("cloudsmith_entitlement_control.test", "namespace", os.Getenv("CLOUDSMITH_NAMESPACE")),
+					resource.TestCheckResourceAttr("cloudsmith_entitlement_control.test", "enabled", "false"),
+				),
+			},
+			{
+				Config: testAccEntitlementControlConfigBasicUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccEntitlementControlCheckExists("cloudsmith_entitlement_control.test"),
+					resource.TestCheckResourceAttr("cloudsmith_entitlement_control.test", "namespace", os.Getenv("CLOUDSMITH_NAMESPACE")),
+					resource.TestCheckResourceAttr("cloudsmith_entitlement_control.test", "enabled", "true"),
+				),
+			},
+			{
+				ResourceName:      "cloudsmith_entitlement_control.test",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: func(s *terraform.State) (string, error) {
+					resourceState := s.RootModule().Resources["cloudsmith_entitlement_control.test"]
+					return fmt.Sprintf(
+						"%s.%s.%s",
+						resourceState.Primary.Attributes["namespace"],
+						resourceState.Primary.Attributes["repository"],
+						resourceState.Primary.ID,
+					), nil
+				},
+				ImportStateVerifyIgnore: []string{
+					"identifier", // Ignore identifier as it's used for creation but not returned in read
+				},
+			},
+		},
+	})
+}
+
+//nolint:goerr113
+func testAccEntitlementControlCheckDestroy(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		resourceState, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("resource not found: %s", resourceName)
+		}
+
+		if resourceState.Primary.ID == "" {
+			return fmt.Errorf("resource id not set")
+		}
+
+		pc := testAccProvider.Meta().(*providerConfig)
+
+		namespace := os.Getenv("CLOUDSMITH_NAMESPACE")
+		repository := resourceState.Primary.Attributes["repository"]
+		identifier := resourceState.Primary.ID
+
+		req := pc.APIClient.EntitlementsApi.EntitlementsRead(pc.Auth, namespace, repository, identifier)
+		entitlement, resp, err := pc.APIClient.EntitlementsApi.EntitlementsReadExecute(req)
+		if err != nil && !is404(resp) {
+			return fmt.Errorf("unable to verify entitlement control state: %w", err)
+		} else if is200(resp) && entitlement.GetIsActive() {
+			return fmt.Errorf("unable to verify entitlement control state: still enabled: %s/%s/%s", namespace, repository, identifier)
+		}
+		defer resp.Body.Close()
+
+		return nil
+	}
+}
+
+//nolint:goerr113
+func testAccEntitlementControlCheckExists(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		resourceState, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("resource not found: %s", resourceName)
+		}
+
+		if resourceState.Primary.ID == "" {
+			return fmt.Errorf("resource id not set")
+		}
+
+		pc := testAccProvider.Meta().(*providerConfig)
+
+		namespace := os.Getenv("CLOUDSMITH_NAMESPACE")
+		repository := resourceState.Primary.Attributes["repository"]
+		identifier := resourceState.Primary.ID
+
+		req := pc.APIClient.EntitlementsApi.EntitlementsRead(pc.Auth, namespace, repository, identifier)
+		_, resp, err := pc.APIClient.EntitlementsApi.EntitlementsReadExecute(req)
+		if err != nil {
+			return fmt.Errorf("unable to verify entitlement control existence: %w", err)
+		}
+		defer resp.Body.Close()
+
+		return nil
+	}
+}
+
+var testAccEntitlementControlConfigBasic = fmt.Sprintf(`
+resource "cloudsmith_repository" "test" {
+	name      = "terraform-acc-test-ent-ctrl"
+	namespace = "%s"
+}
+
+data "cloudsmith_entitlement_list" "test" {
+    namespace  = resource.cloudsmith_repository.test.namespace
+    repository = resource.cloudsmith_repository.test.slug_perm
+    query      = ["name:Default"]
+}
+
+resource "cloudsmith_entitlement_control" "test" {
+    namespace  = resource.cloudsmith_repository.test.namespace
+    repository = resource.cloudsmith_repository.test.slug_perm
+    identifier = data.cloudsmith_entitlement_list.test.entitlement_tokens[0].slug_perm
+    enabled    = false
+}
+`, os.Getenv("CLOUDSMITH_NAMESPACE"))
+
+var testAccEntitlementControlConfigBasicUpdate = fmt.Sprintf(`
+resource "cloudsmith_repository" "test" {
+	name      = "terraform-acc-test-ent-ctrl"
+	namespace = "%s"
+}
+
+data "cloudsmith_entitlement_list" "test" {
+    namespace  = resource.cloudsmith_repository.test.namespace
+    repository = resource.cloudsmith_repository.test.slug_perm
+    query      = ["name:Default"]
+}
+
+resource "cloudsmith_entitlement_control" "test" {
+    namespace  = resource.cloudsmith_repository.test.namespace
+    repository = resource.cloudsmith_repository.test.slug_perm
+    identifier = data.cloudsmith_entitlement_list.test.entitlement_tokens[0].slug_perm
+    enabled    = true
+}
+`, os.Getenv("CLOUDSMITH_NAMESPACE"))