Implicitly force import manually added user (#1048)

Author: nfx

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Version changelog
 
+## 0.4.6
+
+* Added optional `force` argument to `databricks_user` resource to ignore `cannot create user: User with username X already exists` errors and implicitly import the specific user into Terraform state, enforcing entitlements defined in the instance of resource.
+
+Updated dependency versions:
+
+* Bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.10 to 0.5.11
+* Bump github.com/Azure/go-autorest/autorest/azure/cli from 0.4.3 to 0.4.5
+* Bump github.com/Azure/go-autorest/autorest from 0.11.23 to 0.11.24
+
 ## 0.4.5
 
 * Cross-linked resource documentation ([#1027](https://github.com/databrickslabs/terraform-provider-databricks/pull/1027)).

docs/resources/user.md

@@ -53,6 +53,7 @@ The following arguments are available:
 * `allow_instance_pool_create` -  (Optional) Allow the user to have [instance pool](instance_pool.md) create privileges. Defaults to false. More fine grained permissions could be assigned with [databricks_permissions](permissions.md#Instance-Pool-usage) and [instance_pool_id](permissions.md#instance_pool_id) argument.
 * `databricks_sql_access` - (Optional) This is a field to allow the group to have access to [Databricks SQL](https://databricks.com/product/databricks-sql) feature in User Interface and through [databricks_sql_endpoint](sql_endpoint.md).
 * `active` - (Optional) Either user is active or not. True by default, but can be set to false in case of user deactivation with preserving user assets.
+* `force` - (Optional) Ignore `cannot create user: User with username X already exists` errors and implicitly import the specific user into Terraform state, enforcing entitlements defined in the instance of resource. _This functionality is experimental_ and is designed to simplify corner cases, like Azure Active Directory synchronisation.
 
 ## Attribute Reference
 

scim/resource_user.go

@@ -2,6 +2,8 @@ package scim
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/databrickslabs/terraform-provider-databricks/common"
 
@@ -20,6 +22,10 @@ func ResourceUser() *schema.Resource {
 		func(m map[string]*schema.Schema) map[string]*schema.Schema {
 			addEntitlementsToSchema(&m)
 			m["active"].Default = true
+			m["force"] = &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+			}
 			return m
 		})
 	scimUserFromData := func(d *schema.ResourceData) (user User, err error) {
@@ -40,9 +46,10 @@ func ResourceUser() *schema.Resource {
 			if err != nil {
 				return err
 			}
-			user, err := NewUsersAPI(ctx, c).Create(u)
+			usersAPI := NewUsersAPI(ctx, c)
+			user, err := usersAPI.Create(u)
 			if err != nil {
-				return err
+				return createForceOverridesManuallyAddedUser(err, d, usersAPI, u)
 			}
 			d.SetId(user.ID)
 			return nil
@@ -70,3 +77,23 @@ func ResourceUser() *schema.Resource {
 		},
 	}.ToResource()
 }
+
+func createForceOverridesManuallyAddedUser(err error, d *schema.ResourceData, usersAPI UsersAPI, u User) error {
+	forceCreate := d.Get("force").(bool)
+	if !forceCreate {
+		return err
+	}
+	// corner-case for overriding manually provisioned users
+	userName := strings.ReplaceAll(u.UserName, "'", "")
+	force := fmt.Sprintf("User with username %s already exists.", userName)
+	if err.Error() != force {
+		return err
+	}
+	userList, err := usersAPI.Filter(fmt.Sprintf("userName eq '%s'", userName))
+	if err != nil {
+		return err
+	}
+	user := userList[0]
+	d.SetId(user.ID)
+	return usersAPI.Update(d.Id(), u)
+}

scim/resource_user_test.go

@@ -1,6 +1,8 @@
 package scim
 
 import (
+	"context"
+	"fmt"
 	"testing"
 
 	"github.com/databrickslabs/terraform-provider-databricks/common"
@@ -370,3 +372,76 @@ func TestResourceUserDelete_Error(t *testing.T) {
 	}.Apply(t)
 	require.Error(t, err, err)
 }
+
+func TestCreateForceOverridesManuallyAddedUserErrorNotMatched(t *testing.T) {
+	d := ResourceUser().TestResourceData()
+	d.Set("force", true)
+	rerr := createForceOverridesManuallyAddedUser(
+		fmt.Errorf("nonsense"), d,
+		NewUsersAPI(context.Background(), &common.DatabricksClient{}), User{})
+	assert.EqualError(t, rerr, "nonsense")
+}
+
+func TestCreateForceOverwriteCannotListUsers(t *testing.T) {
+	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%40example.com%27",
+			Status:   417,
+			Response: common.APIError{
+				Message: "cannot find user",
+			},
+		},
+	}, func(ctx context.Context, client *common.DatabricksClient) {
+		d := ResourceUser().TestResourceData()
+		d.Set("force", true)
+		err := createForceOverridesManuallyAddedUser(
+			fmt.Errorf("User with username [email protected] already exists."),
+			d, NewUsersAPI(ctx, client), User{
+				UserName: "[email protected]",
+			})
+		assert.EqualError(t, err, "cannot find user")
+	})
+}
+
+func TestCreateForceOverwriteFindsAndSetsID(t *testing.T) {
+	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%40example.com%27",
+			Response: UserList{
+				Resources: []User{
+					{
+						ID: "abc",
+					},
+				},
+			},
+		},
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Users/abc",
+			Response: User{
+				ID: "abc",
+			},
+		},
+		{
+			Method:   "PUT",
+			Resource: "/api/2.0/preview/scim/v2/Users/abc",
+			ExpectedRequest: User{
+				Schemas:  []URN{UserSchema},
+				UserName: "[email protected]",
+			},
+		},
+	}, func(ctx context.Context, client *common.DatabricksClient) {
+		d := ResourceUser().TestResourceData()
+		d.Set("force", true)
+		d.Set("user_name", "[email protected]")
+		err := createForceOverridesManuallyAddedUser(
+			fmt.Errorf("User with username [email protected] already exists."),
+			d, NewUsersAPI(ctx, client), User{
+				UserName: "[email protected]",
+			})
+		assert.NoError(t, err)
+		assert.Equal(t, "abc", d.Id())
+	})
+}