Implicitly force import manually added group (#1067)

Author: nkvuong

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Version changelog
 
+## 0.4.7
+* Added optional `force` argument to `databricks_group` resource to ignore `cannot create group: Group with name X already exists.` errors and implicitly import the specific group into Terraform state, enforcing entitlements defined in the instance of resource ([#1066](https://github.com/databrickslabs/terraform-provider-databricks/pull/1066)).
+
 ## 0.4.6
 
 * Clarified error messages around `azure_workspace_resource_id` provider configuration ([#1049](https://github.com/databrickslabs/terraform-provider-databricks/issues/1049)).

docs/resources/group.md

@@ -52,6 +52,7 @@ The following arguments are supported:
 * `allow_instance_pool_create` -  (Optional) This is a field to allow the group to have [instance pool](instance_pool.md) create privileges. More fine grained permissions could be assigned with [databricks_permissions](permissions.md#Instance-Pool-usage) and [instance_pool_id](permissions.md#instance_pool_id) argument.
 * `databricks_sql_access` - (Optional) This is a field to allow the group to have access to [Databricks SQL](https://databricks.com/product/databricks-sql) feature in User Interface and through [databricks_sql_endpoint](sql_endpoint.md).
 * `workspace_access` - (Optional) This is a field to allow the group to have access to Databricks Workspace.
+* `force` - (Optional) Ignore `cannot create group: Group with name X already exists.` errors and implicitly import the specific group into Terraform state, enforcing entitlements defined in the instance of resource. _This functionality is experimental_ and is designed to simplify corner cases, like Azure Active Directory synchronisation.
 
 ## Attribute Reference
 

scim/resource_group.go

@@ -2,6 +2,8 @@ package scim
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/databrickslabs/terraform-provider-databricks/common"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -24,18 +26,24 @@ func ResourceGroup() *schema.Resource {
 			Optional: true,
 			ForceNew: true,
 		},
+		"force": {
+			Type:     schema.TypeBool,
+			Optional: true,
+		},
 	}
 	addEntitlementsToSchema(&groupSchema)
 	return common.Resource{
 		Create: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
 			groupName := d.Get("display_name").(string)
-			group, err := NewGroupsAPI(ctx, c).Create(Group{
+			g := Group{
 				DisplayName:  groupName,
 				Entitlements: readEntitlementsFromData(d),
 				ExternalID:   d.Get("external_id").(string),
-			})
+			}
+			groupsAPI := NewGroupsAPI(ctx, c)
+			group, err := groupsAPI.Create(g)
 			if err != nil {
-				return err
+				return createForceOverridesManuallyAddedGroup(err, d, groupsAPI, g)
 			}
 			d.SetId(group.ID)
 			return nil
@@ -61,3 +69,22 @@ func ResourceGroup() *schema.Resource {
 		Schema: groupSchema,
 	}.ToResource()
 }
+
+func createForceOverridesManuallyAddedGroup(err error, d *schema.ResourceData, groupsAPI GroupsAPI, g Group) error {
+	forceCreate := d.Get("force").(bool)
+	if !forceCreate {
+		return err
+	}
+	// corner-case for overriding manually provisioned groups
+	groupName := strings.ReplaceAll(g.DisplayName, "'", "")
+	force := fmt.Sprintf("Group with name %s already exists.", groupName)
+	if err.Error() != force {
+		return err
+	}
+	group, err := groupsAPI.ReadByDisplayName(groupName)
+	if err != nil {
+		return err
+	}
+	d.SetId(group.ID)
+	return groupsAPI.UpdateNameAndEntitlements(d.Id(), g.DisplayName, g.ExternalID, g.Entitlements)
+}

scim/resource_group_test.go

@@ -1,6 +1,8 @@
 package scim
 
 import (
+	"context"
+	"fmt"
 	"testing"
 
 	"github.com/databrickslabs/terraform-provider-databricks/common"
@@ -346,3 +348,67 @@ func TestResourceGroupDelete_Error(t *testing.T) {
 		ID:       "abc",
 	}.ExpectError(t, "Internal error happened")
 }
+
+func TestCreateForceOverwriteCannotListGroups(t *testing.T) {
+	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Groups?filter=displayName%20eq%20%27abc%27",
+			Status:   417,
+			Response: common.APIError{
+				Message: "cannot find group",
+			},
+		},
+	}, func(ctx context.Context, client *common.DatabricksClient) {
+		d := ResourceGroup().TestResourceData()
+		d.Set("force", true)
+		err := createForceOverridesManuallyAddedGroup(
+			fmt.Errorf("Group with name abc already exists."),
+			d, NewGroupsAPI(ctx, client), Group{
+				DisplayName: "abc",
+			})
+		assert.EqualError(t, err, "cannot find group")
+	})
+}
+
+func TestCreateForceOverwriteFindsAndSetsGroupID(t *testing.T) {
+	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Groups?filter=displayName%20eq%20%27abc%27",
+			Response: GroupList{
+				Resources: []Group{
+					{
+						ID: "123",
+					},
+				},
+			},
+		},
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Groups/123",
+			Response: Group{
+				ID: "123",
+			},
+		},
+		{
+			Method:   "PUT",
+			Resource: "/api/2.0/preview/scim/v2/Groups/123",
+			ExpectedRequest: Group{
+				Schemas:     []URN{"urn:ietf:params:scim:schemas:core:2.0:Group"},
+				DisplayName: "abc",
+			},
+		},
+	}, func(ctx context.Context, client *common.DatabricksClient) {
+		d := ResourceGroup().TestResourceData()
+		d.Set("force", true)
+		d.Set("display_name", "abc")
+		err := createForceOverridesManuallyAddedGroup(
+			fmt.Errorf("Group with name abc already exists."),
+			d, NewGroupsAPI(ctx, client), Group{
+				DisplayName: "abc",
+			})
+		assert.NoError(t, err)
+		assert.Equal(t, "123", d.Id())
+	})
+}