Add role data_source (#917)

Author: skatsaounis

docs/data-sources/role.md

@@ -0,0 +1,73 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "grafana_role Data Source - terraform-provider-grafana"
+subcategory: "Grafana Enterprise"
+description: |-
+  Note: This resource is available only with Grafana Enterprise 8.+.
+  Official documentation https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/access_control/
+---
+
+# grafana_role (Data Source)
+
+**Note:** This resource is available only with Grafana Enterprise 8.+.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/)
+* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/access_control/)
+
+## Example Usage
+
+```terraform
+resource "grafana_role" "test" {
+  name        = "test-role"
+  description = "test-role description"
+  uid         = "test-ds-role-uid"
+  version     = 1
+  global      = true
+
+  permissions {
+    action = "org.users:add"
+    scope  = "users:*"
+  }
+  permissions {
+    action = "org.users:write"
+    scope  = "users:*"
+  }
+  permissions {
+    action = "org.users:read"
+    scope  = "users:*"
+  }
+}
+
+data "grafana_role" "from_name" {
+  name = grafana_role.test.name
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the role
+
+### Read-Only
+
+- `description` (String) Description of the role.
+- `display_name` (String) Display name of the role. Available with Grafana 8.5+.
+- `global` (Boolean) Boolean to state whether the role is available across all organizations or not.
+- `group` (String) Group of the role. Available with Grafana 8.5+.
+- `hidden` (Boolean) Boolean to state whether the role should be visible in the Grafana UI or not. Available with Grafana 8.5+.
+- `id` (String) The ID of this resource.
+- `permissions` (Set of Object) Specific set of actions granted by the role. (see [below for nested schema](#nestedatt--permissions))
+- `uid` (String) Unique identifier of the role. Used for assignments.
+- `version` (Number) Version of the role. A role is updated only on version increase.
+
+<a id="nestedatt--permissions"></a>
+### Nested Schema for `permissions`
+
+Read-Only:
+
+- `action` (String)
+- `scope` (String)
+
+

examples/data-sources/grafana_role/data-source.tf

@@ -0,0 +1,24 @@
+resource "grafana_role" "test" {
+  name        = "test-role"
+  description = "test-role description"
+  uid         = "test-ds-role-uid"
+  version     = 1
+  global      = true
+
+  permissions {
+    action = "org.users:add"
+    scope  = "users:*"
+  }
+  permissions {
+    action = "org.users:write"
+    scope  = "users:*"
+  }
+  permissions {
+    action = "org.users:read"
+    scope  = "users:*"
+  }
+}
+
+data "grafana_role" "from_name" {
+  name = grafana_role.test.name
+}

internal/provider/provider.go

@@ -123,6 +123,7 @@ func Provider(version string) func() *schema.Provider {
 			"grafana_library_panel":            grafana.DatasourceLibraryPanel(),
 			"grafana_user":                     grafana.DatasourceUser(),
 			"grafana_users":                    grafana.DatasourceUsers(),
+			"grafana_role":                     grafana.DatasourceRole(),
 			"grafana_team":                     grafana.DatasourceTeam(),
 			"grafana_organization":             grafana.DatasourceOrganization(),
 			"grafana_organization_preferences": grafana.DatasourceOrganizationPreferences(),

internal/resources/grafana/data_source_role.go

@@ -0,0 +1,139 @@
+package grafana
+
+import (
+	"context"
+	"fmt"
+
+	gapi "github.com/grafana/grafana-api-golang-client"
+	"github.com/grafana/terraform-provider-grafana/internal/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func DatasourceRole() *schema.Resource {
+	return &schema.Resource{
+		Description: `
+**Note:** This resource is available only with Grafana Enterprise 8.+.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/)
+* [HTTP API](https://grafana.com/docs/grafana/latest/developers/http_api/access_control/)
+`,
+		ReadContext: dataSourceRoleRead,
+		Schema: map[string]*schema.Schema{
+			"uid": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Unique identifier of the role. Used for assignments.",
+			},
+			"version": {
+				Type:        schema.TypeInt,
+				Computed:    true,
+				Description: "Version of the role. A role is updated only on version increase.",
+			},
+			"name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "Name of the role",
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Description of the role.",
+			},
+			"display_name": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Display name of the role. Available with Grafana 8.5+.",
+			},
+			"group": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Group of the role. Available with Grafana 8.5+.",
+			},
+			"hidden": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Boolean to state whether the role should be visible in the Grafana UI or not. Available with Grafana 8.5+.",
+			},
+			"global": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Boolean to state whether the role is available across all organizations or not.",
+			},
+			"permissions": {
+				Type:        schema.TypeSet,
+				Computed:    true,
+				Description: "Specific set of actions granted by the role.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"action": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Specific action users granted with the role will be allowed to perform (for example: `users:read`)",
+						},
+						"scope": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Scope to restrict the action to a set of resources (for example: `users:*` or `roles:customrole1`)",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func findRoleWithName(client *gapi.Client, name string) (*gapi.Role, error) {
+	roles, err := client.GetRoles()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, r := range roles {
+		if r.Name == name {
+			// Query the role by UID, that API has additional information
+			return client.GetRole(r.UID)
+		}
+	}
+
+	return nil, fmt.Errorf("no role with name %q", name)
+}
+
+func dataSourceRoleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*common.Client).GrafanaAPI
+	name := d.Get("name").(string)
+	role, err := findRoleWithName(client, name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(role.UID)
+	d.Set("uid", role.UID)
+	d.Set("version", role.Version)
+	d.Set("name", role.Name)
+	if role.Description != "" {
+		d.Set("description", role.Description)
+	}
+	if role.DisplayName != "" {
+		d.Set("displayName", role.DisplayName)
+	}
+	if role.Group != "" {
+		d.Set("group", role.Group)
+	}
+	d.Set("hidden", role.Hidden)
+	d.Set("global", role.Global)
+	perms := make([]interface{}, 0)
+	for _, p := range role.Permissions {
+		pMap := map[string]interface{}{
+			"action": p.Action,
+			"scope":  p.Scope,
+		}
+		perms = append(perms, pMap)
+	}
+	err = d.Set("permissions", perms)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

internal/resources/grafana/data_source_role_test.go

@@ -0,0 +1,35 @@
+package grafana_test
+
+import (
+	"testing"
+
+	gapi "github.com/grafana/grafana-api-golang-client"
+	"github.com/grafana/terraform-provider-grafana/internal/testutils"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccDatasourceRole(t *testing.T) {
+	testutils.CheckEnterpriseTestsEnabled(t)
+
+	var role gapi.Role
+	checks := []resource.TestCheckFunc{
+		testAccRoleCheckExists("grafana_role.test", &role),
+		resource.TestCheckResourceAttr(
+			"data.grafana_role.from_name", "name", "test-role",
+		),
+		resource.TestCheckResourceAttr(
+			"data.grafana_role.from_name", "uid", "test-ds-role-uid",
+		),
+	}
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProviderFactories: testutils.ProviderFactories,
+		CheckDestroy:      testAccRoleCheckDestroy(&role),
+		Steps: []resource.TestStep{
+			{
+				Config: testutils.TestAccExample(t, "data-sources/grafana_role/data-source.tf"),
+				Check:  resource.ComposeTestCheckFunc(checks...),
+			},
+		},
+	})
+}

tools/subcategories.json

@@ -62,6 +62,7 @@
     "data-sources/library_panel": "Grafana OSS",
     "data-sources/organization": "Grafana OSS",
     "data-sources/organization_preferences": "Grafana OSS",
+    "data-sources/role": "Grafana Enterprise",
     "data-sources/team": "Grafana OSS",
     "data-sources/user": "Grafana OSS",
     "data-sources/users": "Grafana OSS",