Update resource_builtin_role_assignment resource to ignore assignments defined in the server side (#369)

vtorosyan · web-flow · commit 4c86b858389a · 2022-02-04T13:18:18.000+01:00
When Grafana starts, by default it creates built-in role assignments for fixed roles. Additionally, users can create built-in role assignments via API. In these scenarios, when the resource is not properly imported, terraform will try to destroy what is in server side, but not in the configuration.

The change ensures that this does not happen as it can cause unintended behaviour for users.
diff --git a/grafana/resource_builtin_role_assignment.go b/grafana/resource_builtin_role_assignment.go
@@ -102,8 +102,20 @@ func ReadBuiltInRole(ctx context.Context, d *schema.ResourceData, meta interface
 		return nil
 	}
 
+	stateRoles, configRoles, err := collectRoles(d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	roles := make([]interface{}, 0)
 	for _, br := range brRole {
+		// It is possible that in the server side there are roles assigned to the built-in role which were never in Terraform state,
+		// and are not in the current configuration. The following check ensures that we only consider roles which are either in the state or in the config.
+		// This prevents unintended behaviour, such as destroying the assignments which were never managed by Terraform.
+		_, isInState := stateRoles[br.UID]
+		_, isInConfig := configRoles[br.UID]
+		if !isInState && !isInConfig {
+			continue
+		}
 		rm := map[string]interface{}{
 			"uid":    br.UID,
 			"global": br.Global,
diff --git a/grafana/resource_builtin_role_assignment_test.go b/grafana/resource_builtin_role_assignment_test.go
@@ -10,34 +10,45 @@ import (
 	gapi "github.com/grafana/grafana-api-golang-client"
 )
 
+const (
+	roleUID1 = "reportviewer"
+	roleUID2 = "createuser"
+
+	roleUID3 = "testroletwouid"
+	roleUID4 = "testroleuid"
+
+	roleUID5 = "viewer_test"
+	roleUID6 = "viewer_test_2"
+)
+
 func TestAccBuiltInRoleAssignment(t *testing.T) {
 	CheckEnterpriseTestsEnabled(t)
 
-	var br gapi.BuiltInRoleAssignment
+	var assignments map[string][]*gapi.Role
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:          func() { testAccPreCheck(t) },
 		ProviderFactories: testAccProviderFactories,
-		CheckDestroy:      testAccBuiltInRoleAssignmentCheckDestroy(&br),
+		CheckDestroy:      testAccBuiltInRoleAssignmentCheckDestroy(&assignments, []string{roleUID3, roleUID4}, nil),
 		Steps: []resource.TestStep{
 			{
 				Config: builtInRoleAssignmentConfig,
 				Check: resource.ComposeTestCheckFunc(
-					testAccBuiltInRoleAssignmentCheckExists("grafana_builtin_role_assignment.test_assignment"),
+					testAccBuiltInRoleAssignmentCheckExists("grafana_builtin_role_assignment.test_assignment", &assignments),
 					resource.TestCheckResourceAttr(
-						"grafana_builtin_role_assignment.test_assignment", "builtin_role", "Viewer",
+						"grafana_builtin_role_assignment.test_assignment", "builtin_role", "Editor",
 					),
 					resource.TestCheckResourceAttr(
 						"grafana_builtin_role_assignment.test_assignment", "roles.#", "2",
 					),
 					resource.TestCheckResourceAttr(
-						"grafana_builtin_role_assignment.test_assignment", "roles.0.uid", "testroletwouid",
+						"grafana_builtin_role_assignment.test_assignment", "roles.0.uid", roleUID3,
 					),
 					resource.TestCheckResourceAttr(
 						"grafana_builtin_role_assignment.test_assignment", "roles.0.global", "false",
 					),
 					resource.TestCheckResourceAttr(
-						"grafana_builtin_role_assignment.test_assignment", "roles.1.uid", "testroleuid",
+						"grafana_builtin_role_assignment.test_assignment", "roles.1.uid", roleUID4,
 					),
 					resource.TestCheckResourceAttr(
 						"grafana_builtin_role_assignment.test_assignment", "roles.1.global", "true",
@@ -48,7 +59,136 @@ func TestAccBuiltInRoleAssignment(t *testing.T) {
 	})
 }
 
-func testAccBuiltInRoleAssignmentCheckExists(rn string) resource.TestCheckFunc {
+func TestAccBuiltInRoleAssignmentUpdate(t *testing.T) {
+	CheckEnterpriseTestsEnabled(t)
+
+	var assignments map[string][]*gapi.Role
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccBuiltInRoleAssignmentCheckDestroy(&assignments, []string{roleUID5, roleUID6}, []string{roleUID1, roleUID2}),
+		Steps: []resource.TestStep{
+			{
+				PreConfig: func() {
+					err := prepareDefaultAssignments()
+					if err != nil {
+						t.Errorf("error when creating built-in role ssignments %s", err)
+					}
+				},
+				Config: builtInRoleAssignmentUpdatePreConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccBuiltInRoleAssignmentCheckExists("grafana_builtin_role_assignment.test_builtin_assignment", &assignments),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "builtin_role", "Viewer",
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.#", "1",
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.0.uid", roleUID5,
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.0.global", "true",
+					),
+				),
+			},
+			{
+				Config: builtInRoleAssignmentUpdateConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccBuiltInRoleAssignmentCheckExists("grafana_builtin_role_assignment.test_builtin_assignment", &assignments),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "builtin_role", "Viewer",
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.#", "2",
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.0.uid", roleUID5,
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.0.global", "true",
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.1.uid", roleUID6,
+					),
+					resource.TestCheckResourceAttr(
+						"grafana_builtin_role_assignment.test_builtin_assignment", "roles.1.global", "true",
+					),
+					testAccBuiltInRoleAssignmentWereNotDestroyed("Viewer", roleUID1, roleUID2),
+				),
+			},
+		},
+	})
+}
+
+func prepareDefaultAssignments() error {
+	client := testAccProvider.Meta().(*client).gapi
+	r1 := gapi.Role{
+		UID:     roleUID1,
+		Version: 1,
+		Name:    "Test Report Viewer",
+		Global:  true,
+		Permissions: []gapi.Permission{
+			{
+				Action: "reports:read",
+				Scope:  "reports:*",
+			},
+			{
+				Action: "users:create",
+			},
+		},
+	}
+	r2 := gapi.Role{
+		UID:     roleUID2,
+		Version: 1,
+		Name:    "Test Create User",
+		Global:  true,
+		Permissions: []gapi.Permission{
+			{
+				Action: "users:create",
+			},
+		},
+	}
+	role1, err := client.NewRole(r1)
+	if err != nil {
+		return fmt.Errorf("error creating role: %w", err)
+	}
+	role2, err := client.NewRole(r2)
+	if err != nil {
+		return fmt.Errorf("error creating role: %w", err)
+	}
+	_, err = client.NewBuiltInRoleAssignment(gapi.BuiltInRoleAssignment{
+		BuiltinRole: "Viewer",
+		RoleUID:     role1.UID,
+		Global:      false,
+	})
+	if err != nil {
+		return fmt.Errorf("error creating built-in role assigntment: %w", err)
+	}
+	_, err = client.NewBuiltInRoleAssignment(gapi.BuiltInRoleAssignment{
+		BuiltinRole: "Viewer",
+		RoleUID:     role2.UID,
+		Global:      false,
+	})
+	if err != nil {
+		return fmt.Errorf("error creating built-in role assigntment: %w", err)
+	}
+	return nil
+}
+
+func testAccBuiltInRoleAssignmentWereNotDestroyed(brName string, roleUIDs ...string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client := testAccProvider.Meta().(*client).gapi
+		assignments, err := client.GetBuiltInRoleAssignments()
+		if err != nil || assignments[brName] == nil {
+			return fmt.Errorf("built-in assignments were destroyed, but expected to exist: %v", err)
+		}
+		return checkAssignmentsExists(assignments[brName], roleUIDs...)
+	}
+}
+
+func testAccBuiltInRoleAssignmentCheckExists(rn string, brAssignments *map[string][]*gapi.Role) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[rn]
 		if !ok {
@@ -65,21 +205,70 @@ func testAccBuiltInRoleAssignmentCheckExists(rn string) resource.TestCheckFunc {
 			return fmt.Errorf("error getting built-in role assignments: %s", err)
 		}
 
+		*brAssignments = map[string][]*gapi.Role{
+			rs.Primary.ID: assignments[rs.Primary.ID],
+		}
 		return nil
 	}
 }
 
-func testAccBuiltInRoleAssignmentCheckDestroy(br *gapi.BuiltInRoleAssignment) resource.TestCheckFunc {
+func testAccBuiltInRoleAssignmentCheckDestroy(brAssignments *map[string][]*gapi.Role, destroyedUIDs []string, preservedRoleUIDs []string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client := testAccProvider.Meta().(*client).gapi
 		bra, err := client.GetBuiltInRoleAssignments()
-		if err == nil && bra[br.BuiltinRole] != nil {
-			return fmt.Errorf("assignment still exists")
+		if err != nil {
+			return fmt.Errorf("error getting built-in role assignments: %s", err)
 		}
+
+		if preservedRoleUIDs != nil {
+			for br := range *brAssignments {
+				err := checkAssignmentsExists(bra[br], preservedRoleUIDs...)
+				if err != nil {
+					return fmt.Errorf("assignments were entirely destroyed, but expected to have roles with UID %v assigned to %s built-in role", preservedRoleUIDs, br)
+				}
+			}
+		}
+
+		if destroyedUIDs != nil {
+			for br := range *brAssignments {
+				err := checkAssignmentsDoNotExist(bra[br], destroyedUIDs...)
+				if err != nil {
+					return fmt.Errorf("assignments were supped to destroyed, but have roles with UID %v assigned to %s built-in role", destroyedUIDs, br)
+				}
+			}
+		}
+
 		return nil
 	}
 }
 
+func checkAssignmentsDoNotExist(roles []*gapi.Role, roleUIDs ...string) error {
+	for _, uid := range roleUIDs {
+		if contains(roles, uid) {
+			return fmt.Errorf("built-in assignments still exists for a role UID: %s", uid)
+		}
+	}
+	return nil
+}
+
+func checkAssignmentsExists(roles []*gapi.Role, roleUIDs ...string) error {
+	for _, uid := range roleUIDs {
+		if !contains(roles, uid) {
+			return fmt.Errorf("built-in assignments do not exist for a role UID: %s", uid)
+		}
+	}
+	return nil
+}
+
+func contains(roles []*gapi.Role, uid string) bool {
+	for _, r := range roles {
+		if r.UID == uid {
+			return true
+		}
+	}
+	return false
+}
+
 const builtInRoleAssignmentConfig = `
 resource "grafana_role" "test_role" {
   name  = "test_role"
@@ -112,7 +301,7 @@ resource "grafana_role" "test_role_two" {
 }
 
 resource "grafana_builtin_role_assignment" "test_assignment" {
-  builtin_role  = "Viewer"
+  builtin_role  = "Editor"
   roles {
 	uid = grafana_role.test_role.id
 	global = true
@@ -123,3 +312,60 @@ resource "grafana_builtin_role_assignment" "test_assignment" {
   }
 }
 `
+
+const builtInRoleAssignmentUpdatePreConfig = `
+resource "grafana_role" "viewer_test" {
+  name  = "viewer_test"
+  description = "test desc"
+  version = 1
+  uid = "viewer_test"
+  global = true 
+  permissions {
+	action = "users:create"
+  }
+}
+
+resource "grafana_builtin_role_assignment" "test_builtin_assignment" {
+  builtin_role  = "Viewer"
+  roles {
+	uid = grafana_role.viewer_test.id
+	global = true
+  } 
+}
+`
+
+const builtInRoleAssignmentUpdateConfig = `
+resource "grafana_role" "viewer_test" {
+  name  = "viewer_test"
+  description = "test desc"
+  version = 1
+  uid = "viewer_test"
+  global = true 
+  permissions {
+	action = "users:create"
+  }
+}
+
+resource "grafana_role" "viewer_test_2" {
+  name  = "viewer_test_2"
+  description = "test desc"
+  version = 1
+  uid = "viewer_test_2"
+  global = true 
+  permissions {
+	action = "users:create"
+  }
+}
+
+resource "grafana_builtin_role_assignment" "test_builtin_assignment" {
+  builtin_role  = "Viewer"
+  roles {
+	uid = grafana_role.viewer_test.id
+	global = true
+  } 
+  roles {
+	uid = grafana_role.viewer_test_2.id
+	global = true
+  } 
+}
+`
