Fix schema to use nested blocks and run acceptance tests successfully

Co-authored-by: tobio <[email protected]>

Author: Copilot

internal/elasticsearch/security/role/models.go

@@ -278,6 +278,34 @@ func (data *RoleData) toAPIModel(ctx context.Context) (*models.Role, diag.Diagno
 func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.Diagnostics {
 	var diags diag.Diagnostics
 
+	// Define attribute type maps
+	applicationAttrTypes := map[string]attr.Type{
+		"application": types.StringType,
+		"privileges":  types.SetType{ElemType: types.StringType},
+		"resources":   types.SetType{ElemType: types.StringType},
+	}
+
+	fieldSecurityAttrTypes := map[string]attr.Type{
+		"grant":  types.SetType{ElemType: types.StringType},
+		"except": types.SetType{ElemType: types.StringType},
+	}
+
+	indexPermsAttrTypes := map[string]attr.Type{
+		"field_security":           types.ListType{ElemType: types.ObjectType{AttrTypes: fieldSecurityAttrTypes}},
+		"names":                    types.SetType{ElemType: types.StringType},
+		"privileges":               types.SetType{ElemType: types.StringType},
+		"query":                    jsontypes.NormalizedType{},
+		"allow_restricted_indices": types.BoolType,
+	}
+
+	remoteIndexPermsAttrTypes := map[string]attr.Type{
+		"clusters":       types.SetType{ElemType: types.StringType},
+		"field_security": types.ListType{ElemType: types.ObjectType{AttrTypes: fieldSecurityAttrTypes}},
+		"query":          jsontypes.NormalizedType{},
+		"names":          types.SetType{ElemType: types.StringType},
+		"privileges":     types.SetType{ElemType: types.StringType},
+	}
+
 	data.Name = types.StringValue(role.Name)
 
 	// Description
@@ -299,7 +327,7 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 				return diags
 			}
 
-			appObj, d := types.ObjectValue(getApplicationAttrTypes(), map[string]attr.Value{
+			appObj, d := types.ObjectValue(applicationAttrTypes, map[string]attr.Value{
 				"application": types.StringValue(app.Name),
 				"privileges":  privSet,
 				"resources":   resSet,
@@ -312,14 +340,14 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 			appElements[i] = appObj
 		}
 
-		appSet, d := types.SetValue(types.ObjectType{AttrTypes: getApplicationAttrTypes()}, appElements)
+		appSet, d := types.SetValue(types.ObjectType{AttrTypes: applicationAttrTypes}, appElements)
 		diags.Append(d...)
 		if diags.HasError() {
 			return diags
 		}
 		data.Applications = appSet
 	} else {
-		data.Applications = types.SetNull(types.ObjectType{AttrTypes: getApplicationAttrTypes()})
+		data.Applications = types.SetNull(types.ObjectType{AttrTypes: applicationAttrTypes})
 	}
 
 	// Cluster
@@ -369,7 +397,12 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 				queryVal = jsontypes.NewNormalizedNull()
 			}
 
-			allowRestrictedVal := types.BoolPointerValue(index.AllowRestrictedIndices)
+			var allowRestrictedVal types.Bool
+			if index.AllowRestrictedIndices != nil {
+				allowRestrictedVal = types.BoolValue(*index.AllowRestrictedIndices)
+			} else {
+				allowRestrictedVal = types.BoolNull()
+			}
 
 			var fieldSecList types.List
 			if index.FieldSecurity != nil {
@@ -385,7 +418,7 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 					return diags
 				}
 
-				fieldSecObj, d := types.ObjectValue(getFieldSecurityAttrTypes(), map[string]attr.Value{
+				fieldSecObj, d := types.ObjectValue(fieldSecurityAttrTypes, map[string]attr.Value{
 					"grant":  grantSet,
 					"except": exceptSet,
 				})
@@ -394,16 +427,16 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 					return diags
 				}
 
-				fieldSecList, d = types.ListValue(types.ObjectType{AttrTypes: getFieldSecurityAttrTypes()}, []attr.Value{fieldSecObj})
+				fieldSecList, d = types.ListValue(types.ObjectType{AttrTypes: fieldSecurityAttrTypes}, []attr.Value{fieldSecObj})
 				diags.Append(d...)
 				if diags.HasError() {
 					return diags
 				}
 			} else {
-				fieldSecList = types.ListNull(types.ObjectType{AttrTypes: getFieldSecurityAttrTypes()})
+				fieldSecList = types.ListNull(types.ObjectType{AttrTypes: fieldSecurityAttrTypes})
 			}
 
-			indexObj, d := types.ObjectValue(getIndexPermsAttrTypes(), map[string]attr.Value{
+			indexObj, d := types.ObjectValue(indexPermsAttrTypes, map[string]attr.Value{
 				"field_security":           fieldSecList,
 				"names":                    namesSet,
 				"privileges":               privSet,
@@ -418,14 +451,14 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 			indicesElements[i] = indexObj
 		}
 
-		indicesSet, d := types.SetValue(types.ObjectType{AttrTypes: getIndexPermsAttrTypes()}, indicesElements)
+		indicesSet, d := types.SetValue(types.ObjectType{AttrTypes: indexPermsAttrTypes}, indicesElements)
 		diags.Append(d...)
 		if diags.HasError() {
 			return diags
 		}
 		data.Indices = indicesSet
 	} else {
-		data.Indices = types.SetNull(types.ObjectType{AttrTypes: getIndexPermsAttrTypes()})
+		data.Indices = types.SetNull(types.ObjectType{AttrTypes: indexPermsAttrTypes})
 	}
 
 	// Remote Indices
@@ -471,7 +504,7 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 					return diags
 				}
 
-				fieldSecObj, d := types.ObjectValue(getFieldSecurityAttrTypes(), map[string]attr.Value{
+				fieldSecObj, d := types.ObjectValue(fieldSecurityAttrTypes, map[string]attr.Value{
 					"grant":  grantSet,
 					"except": exceptSet,
 				})
@@ -480,16 +513,16 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 					return diags
 				}
 
-				fieldSecList, d = types.ListValue(types.ObjectType{AttrTypes: getFieldSecurityAttrTypes()}, []attr.Value{fieldSecObj})
+				fieldSecList, d = types.ListValue(types.ObjectType{AttrTypes: fieldSecurityAttrTypes}, []attr.Value{fieldSecObj})
 				diags.Append(d...)
 				if diags.HasError() {
 					return diags
 				}
 			} else {
-				fieldSecList = types.ListNull(types.ObjectType{AttrTypes: getFieldSecurityAttrTypes()})
+				fieldSecList = types.ListNull(types.ObjectType{AttrTypes: fieldSecurityAttrTypes})
 			}
 
-			remoteIndexObj, d := types.ObjectValue(getRemoteIndexPermsAttrTypes(), map[string]attr.Value{
+			remoteIndexObj, d := types.ObjectValue(remoteIndexPermsAttrTypes, map[string]attr.Value{
 				"clusters":       clustersSet,
 				"field_security": fieldSecList,
 				"query":          queryVal,
@@ -504,14 +537,14 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 			remoteIndicesElements[i] = remoteIndexObj
 		}
 
-		remoteIndicesSet, d := types.SetValue(types.ObjectType{AttrTypes: getRemoteIndexPermsAttrTypes()}, remoteIndicesElements)
+		remoteIndicesSet, d := types.SetValue(types.ObjectType{AttrTypes: remoteIndexPermsAttrTypes}, remoteIndicesElements)
 		diags.Append(d...)
 		if diags.HasError() {
 			return diags
 		}
 		data.RemoteIndices = remoteIndicesSet
 	} else {
-		data.RemoteIndices = types.SetNull(types.ObjectType{AttrTypes: getRemoteIndexPermsAttrTypes()})
+		data.RemoteIndices = types.SetNull(types.ObjectType{AttrTypes: remoteIndexPermsAttrTypes})
 	}
 
 	// Metadata

internal/elasticsearch/security/role/read.go

@@ -8,6 +8,7 @@ import (
 	"github.com/elastic/terraform-provider-elasticstack/internal/clients/elasticsearch"
 	"github.com/elastic/terraform-provider-elasticstack/internal/diagutil"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 )
 
@@ -49,5 +50,8 @@ func (r *roleResource) Read(ctx context.Context, req resource.ReadRequest, resp
 		return
 	}
 
+	// Set the name to the roleId we extracted to ensure consistency
+	data.Name = types.StringValue(roleId)
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }

internal/elasticsearch/security/role/schema.go

@@ -5,10 +5,8 @@ import (
 	_ "embed"
 
 	"github.com/hashicorp/terraform-plugin-framework-jsontypes/jsontypes"
-	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
-	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/types"
@@ -28,27 +26,9 @@ func GetSchema() schema.Schema {
 		MarkdownDescription: roleResourceDescription,
 		Blocks: map[string]schema.Block{
 			"elasticsearch_connection": providerschema.GetEsFWConnectionBlock("elasticsearch_connection", false),
-		},
-		Attributes: map[string]schema.Attribute{
-			"id": schema.StringAttribute{
-				MarkdownDescription: "Internal identifier of the resource",
-				Computed:            true,
-			},
-			"name": schema.StringAttribute{
-				MarkdownDescription: "The name of the role.",
-				Required:            true,
-				PlanModifiers: []planmodifier.String{
-					stringplanmodifier.RequiresReplace(),
-				},
-			},
-			"description": schema.StringAttribute{
-				MarkdownDescription: "The description of the role.",
-				Optional:            true,
-			},
-			"applications": schema.SetNestedAttribute{
+			"applications": schema.SetNestedBlock{
 				MarkdownDescription: "A list of application privilege entries.",
-				Optional:            true,
-				NestedObject: schema.NestedAttributeObject{
+				NestedObject: schema.NestedBlockObject{
 					Attributes: map[string]schema.Attribute{
 						"application": schema.StringAttribute{
 							MarkdownDescription: "The name of the application to which this entry applies.",
@@ -67,20 +47,9 @@ func GetSchema() schema.Schema {
 					},
 				},
 			},
-			"global": schema.StringAttribute{
-				MarkdownDescription: "An object defining global privileges.",
-				Optional:            true,
-				CustomType:          jsontypes.NormalizedType{},
-			},
-			"cluster": schema.SetAttribute{
-				MarkdownDescription: "A list of cluster privileges. These privileges define the cluster level actions that users with this role are able to execute.",
-				Optional:            true,
-				ElementType:         types.StringType,
-			},
-			"indices": schema.SetNestedAttribute{
+			"indices": schema.SetNestedBlock{
 				MarkdownDescription: "A list of indices permissions entries.",
-				Optional:            true,
-				NestedObject: schema.NestedAttributeObject{
+				NestedObject: schema.NestedBlockObject{
 					Attributes: map[string]schema.Attribute{
 						"field_security": schema.ListNestedAttribute{
 							MarkdownDescription: "The document fields that the owners of the role have read access to.",
@@ -118,16 +87,13 @@ func GetSchema() schema.Schema {
 						"allow_restricted_indices": schema.BoolAttribute{
 							MarkdownDescription: "Include matching restricted indices in names parameter. Usage is strongly discouraged as it can grant unrestricted operations on critical data, make the entire system unstable or leak sensitive information.",
 							Optional:            true,
-							Computed:            true,
-							Default:             booldefault.StaticBool(false),
 						},
 					},
 				},
 			},
-			"remote_indices": schema.SetNestedAttribute{
+			"remote_indices": schema.SetNestedBlock{
 				MarkdownDescription: "A list of remote indices permissions entries. Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.",
-				Optional:            true,
-				NestedObject: schema.NestedAttributeObject{
+				NestedObject: schema.NestedBlockObject{
 					Attributes: map[string]schema.Attribute{
 						"clusters": schema.SetAttribute{
 							MarkdownDescription: "A list of cluster aliases to which the permissions in this entry apply.",
@@ -170,6 +136,33 @@ func GetSchema() schema.Schema {
 					},
 				},
 			},
+		},
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				MarkdownDescription: "Internal identifier of the resource",
+				Computed:            true,
+			},
+			"name": schema.StringAttribute{
+				MarkdownDescription: "The name of the role.",
+				Required:            true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"description": schema.StringAttribute{
+				MarkdownDescription: "The description of the role.",
+				Optional:            true,
+			},
+			"global": schema.StringAttribute{
+				MarkdownDescription: "An object defining global privileges.",
+				Optional:            true,
+				CustomType:          jsontypes.NormalizedType{},
+			},
+			"cluster": schema.SetAttribute{
+				MarkdownDescription: "A list of cluster privileges. These privileges define the cluster level actions that users with this role are able to execute.",
+				Optional:            true,
+				ElementType:         types.StringType,
+			},
 			"metadata": schema.StringAttribute{
 				MarkdownDescription: "Optional meta-data.",
 				Optional:            true,
@@ -184,20 +177,3 @@ func GetSchema() schema.Schema {
 		},
 	}
 }
-
-// Helper functions to get attribute types from schema
-func getApplicationAttrTypes() map[string]attr.Type {
-	return GetSchema().Attributes["applications"].GetType().(attr.TypeWithElementType).ElementType().(attr.TypeWithAttributeTypes).AttributeTypes()
-}
-
-func getIndexPermsAttrTypes() map[string]attr.Type {
-	return GetSchema().Attributes["indices"].GetType().(attr.TypeWithElementType).ElementType().(attr.TypeWithAttributeTypes).AttributeTypes()
-}
-
-func getFieldSecurityAttrTypes() map[string]attr.Type {
-	return getIndexPermsAttrTypes()["field_security"].(attr.TypeWithElementType).ElementType().(attr.TypeWithAttributeTypes).AttributeTypes()
-}
-
-func getRemoteIndexPermsAttrTypes() map[string]attr.Type {
-	return GetSchema().Attributes["remote_indices"].GetType().(attr.TypeWithElementType).ElementType().(attr.TypeWithAttributeTypes).AttributeTypes()
-}