Revert "BasicRoles: Remove builtin role assignments (#474)" (#496)

This reverts commit 62f1baf.

Author: vtorosyan

docs/resources/builtin_role_assignment.md

@@ -0,0 +1,62 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "grafana_builtin_role_assignment Resource - terraform-provider-grafana"
+subcategory: ""
+description: |-
+  Note: This resource is available only with Grafana Enterprise 8.+.
+  Official documentation https://grafana.com/docs/grafana/latest/enterprise/access-control/HTTP API https://grafana.com/docs/grafana/latest/http_api/access_control/
+---
+
+# grafana_builtin_role_assignment (Resource)
+
+**Note:** This resource is available only with Grafana Enterprise 8.+.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/enterprise/access-control/)
+* [HTTP API](https://grafana.com/docs/grafana/latest/http_api/access_control/)
+
+## Example Usage
+
+```terraform
+resource "grafana_builtin_role_assignment" "viewer" {
+  builtin_role = "Viewer"
+  roles {
+    uid    = "firstuid"
+    global = false
+  }
+  roles {
+    uid    = "seconduid"
+    global = true
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `builtin_role` (String) Organization roles (`Viewer`, `Editor`, `Admin`) or `Grafana Admin` to assign the roles to.
+- `roles` (Block Set, Min: 1) Fixed or custom roles which provide granular access for specific resources within Grafana. (see [below for nested schema](#nestedblock--roles))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--roles"></a>
+### Nested Schema for `roles`
+
+Required:
+
+- `uid` (String) Unique identifier of the role to assign to `builtin_role`.
+
+Optional:
+
+- `global` (Boolean) States whether the assignment is available across all organizations or not. Defaults to `false`.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import grafana_builtin_role_assignment.builtin_role_name {{builtin_role_name}}
+```

examples/resources/grafana_builtin_role_assignment/import.sh

@@ -0,0 +1 @@
+terraform import grafana_builtin_role_assignment.builtin_role_name {{builtin_role_name}}

examples/resources/grafana_builtin_role_assignment/resource.tf

@@ -0,0 +1,11 @@
+resource "grafana_builtin_role_assignment" "viewer" {
+  builtin_role = "Viewer"
+  roles {
+    uid    = "firstuid"
+    global = false
+  }
+  roles {
+    uid    = "seconduid"
+    global = true
+  }
+}

grafana/provider.go

@@ -160,23 +160,24 @@ func Provider(version string) func() *schema.Provider {
 
 			ResourcesMap: map[string]*schema.Resource{
 				// Grafana
-				"grafana_api_key":                ResourceAPIKey(),
-				"grafana_alert_notification":     ResourceAlertNotification(),
-				"grafana_dashboard":              ResourceDashboard(),
-				"grafana_dashboard_permission":   ResourceDashboardPermission(),
-				"grafana_data_source":            ResourceDataSource(),
-				"grafana_data_source_permission": ResourceDatasourcePermission(),
-				"grafana_folder":                 ResourceFolder(),
-				"grafana_folder_permission":      ResourceFolderPermission(),
-				"grafana_library_panel":          ResourceLibraryPanel(),
-				"grafana_organization":           ResourceOrganization(),
-				"grafana_playlist":               ResourcePlaylist(),
-				"grafana_report":                 ResourceReport(),
-				"grafana_role":                   ResourceRole(),
-				"grafana_team":                   ResourceTeam(),
-				"grafana_team_preferences":       ResourceTeamPreferences(),
-				"grafana_team_external_group":    ResourceTeamExternalGroup(),
-				"grafana_user":                   ResourceUser(),
+				"grafana_api_key":                 ResourceAPIKey(),
+				"grafana_alert_notification":      ResourceAlertNotification(),
+				"grafana_builtin_role_assignment": ResourceBuiltInRoleAssignment(),
+				"grafana_dashboard":               ResourceDashboard(),
+				"grafana_dashboard_permission":    ResourceDashboardPermission(),
+				"grafana_data_source":             ResourceDataSource(),
+				"grafana_data_source_permission":  ResourceDatasourcePermission(),
+				"grafana_folder":                  ResourceFolder(),
+				"grafana_folder_permission":       ResourceFolderPermission(),
+				"grafana_library_panel":           ResourceLibraryPanel(),
+				"grafana_organization":            ResourceOrganization(),
+				"grafana_playlist":                ResourcePlaylist(),
+				"grafana_report":                  ResourceReport(),
+				"grafana_role":                    ResourceRole(),
+				"grafana_team":                    ResourceTeam(),
+				"grafana_team_preferences":        ResourceTeamPreferences(),
+				"grafana_team_external_group":     ResourceTeamExternalGroup(),
+				"grafana_user":                    ResourceUser(),
 
 				// Cloud
 				"grafana_cloud_api_key":             ResourceCloudAPIKey(),

grafana/resource_builtin_role_assignment.go

@@ -0,0 +1,243 @@
+package grafana
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	gapi "github.com/grafana/grafana-api-golang-client"
+)
+
+func ResourceBuiltInRoleAssignment() *schema.Resource {
+	return &schema.Resource{
+		Description: `
+**Note:** This resource is available only with Grafana Enterprise 8.+.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/enterprise/access-control/)
+* [HTTP API](https://grafana.com/docs/grafana/latest/http_api/access_control/)
+`,
+		CreateContext: CreateBuiltInRoleAssignment,
+		UpdateContext: UpdateBuiltInRoleAssignments,
+		ReadContext:   ReadBuiltInRole,
+		DeleteContext: DeleteBuiltInRole,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			// Built-in roles are all organization roles and Grafana Admin
+			"builtin_role": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringInSlice([]string{"Grafana Admin", "Admin", "Editor", "Viewer"}, false),
+				Description:  "Organization roles (`Viewer`, `Editor`, `Admin`) or `Grafana Admin` to assign the roles to.",
+			},
+			"roles": {
+				Type:        schema.TypeSet,
+				Required:    true,
+				Description: "Fixed or custom roles which provide granular access for specific resources within Grafana.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"uid": {
+							Type:        schema.TypeString,
+							Required:    true,
+							ForceNew:    true,
+							Description: "Unique identifier of the role to assign to `builtin_role`.",
+						},
+						"global": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Default:     false,
+							ForceNew:    true,
+							Description: "States whether the assignment is available across all organizations or not.",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func CreateBuiltInRoleAssignment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	name := d.Get("builtin_role").(string)
+	if dg := updateAssignments(d, meta); dg != nil {
+		return dg
+	}
+	d.SetId(name)
+	return nil
+}
+
+func updateAssignments(d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	stateRoles, configRoles, err := collectRoles(d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	// compile the list of differences between current state and config
+	changes := roleChanges(stateRoles, configRoles)
+	brName := d.Get("builtin_role").(string)
+	// now we can make the corresponding updates so current state matches config
+	if err := createOrRemove(meta, brName, changes); err != nil {
+		return diag.FromErr(err)
+	}
+	return nil
+}
+
+func ReadBuiltInRole(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*client).gapi
+	brName := d.Id()
+	builtInRoles, err := client.GetBuiltInRoleAssignments()
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	brRole := builtInRoles[brName]
+	if builtInRoles[brName] == nil {
+		log.Printf("[WARN] removing built-in role %s from state because it no longer exists in grafana", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	stateRoles, configRoles, err := collectRoles(d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	roles := make([]interface{}, 0)
+	for _, br := range brRole {
+		// It is possible that in the server side there are roles assigned to the built-in role which were never in Terraform state,
+		// and are not in the current configuration. The following check ensures that we only consider roles which are either in the state or in the config.
+		// This prevents unintended behaviour, such as destroying the assignments which were never managed by Terraform.
+		_, isInState := stateRoles[br.UID]
+		_, isInConfig := configRoles[br.UID]
+		if !isInState && !isInConfig {
+			continue
+		}
+		rm := map[string]interface{}{
+			"uid":    br.UID,
+			"global": br.Global,
+		}
+		roles = append(roles, rm)
+	}
+
+	if err = d.Set("roles", roles); err != nil {
+		return diag.FromErr(err)
+	}
+
+	if err = d.Set("builtin_role", brName); err != nil {
+		return diag.FromErr(err)
+	}
+	d.SetId(brName)
+	return nil
+}
+
+func UpdateBuiltInRoleAssignments(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if !d.HasChange("roles") {
+		return nil
+	}
+
+	if dg := updateAssignments(d, meta); dg != nil {
+		return dg
+	}
+
+	return nil
+}
+
+func DeleteBuiltInRole(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*client).gapi
+
+	for _, r := range d.Get("roles").(*schema.Set).List() {
+		role := r.(map[string]interface{})
+		bra := gapi.BuiltInRoleAssignment{
+			RoleUID:     role["uid"].(string),
+			BuiltinRole: d.Id(),
+			Global:      role["global"].(bool),
+		}
+		err := client.DeleteBuiltInRoleAssignment(bra)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+	d.SetId("")
+	return nil
+}
+
+type RoleChange struct {
+	Type   ChangeRoleType
+	UID    string
+	Global bool
+}
+
+type ChangeRoleType int8
+
+const (
+	AddRole ChangeRoleType = iota
+	RemoveRole
+)
+
+func roleChanges(rolesInState, rolesInConfig map[string]bool) []RoleChange {
+	var changes []RoleChange
+	for uid, g := range rolesInConfig {
+		if _, ok := rolesInState[uid]; !ok {
+			changes = append(changes, RoleChange{Type: AddRole, UID: uid, Global: g})
+		}
+	}
+	for uid, g := range rolesInState {
+		if _, ok := rolesInConfig[uid]; !ok {
+			changes = append(changes, RoleChange{Type: RemoveRole, UID: uid, Global: g})
+		}
+	}
+	return changes
+}
+
+func collectRoles(d *schema.ResourceData) (map[string]bool, map[string]bool, error) {
+	errFn := func(uid string) error {
+		return fmt.Errorf("error: Role '%s' cannot be specified multiple times", uid)
+	}
+
+	rolesFn := func(roles interface{}) (map[string]bool, error) {
+		output := make(map[string]bool)
+		for _, r := range roles.(*schema.Set).List() {
+			role := r.(map[string]interface{})
+			uid := role["uid"].(string)
+			if _, ok := output[uid]; ok {
+				return nil, errFn(uid)
+			}
+			output[uid] = role["global"].(bool)
+		}
+		return output, nil
+	}
+
+	state, config := d.GetChange("roles")
+	rolesInState, err := rolesFn(state)
+	if err != nil {
+		return nil, nil, err
+	}
+	rolesInConfig, err := rolesFn(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return rolesInState, rolesInConfig, nil
+}
+
+func createOrRemove(meta interface{}, name string, changes []RoleChange) error {
+	client := meta.(*client).gapi
+	var err error
+	for _, c := range changes {
+		br := gapi.BuiltInRoleAssignment{BuiltinRole: name, RoleUID: c.UID, Global: c.Global}
+		switch c.Type {
+		case AddRole:
+			_, err = client.NewBuiltInRoleAssignment(br)
+		case RemoveRole:
+			err = client.DeleteBuiltInRoleAssignment(br)
+		}
+		if err != nil {
+			return fmt.Errorf("error with %s %w", name, err)
+		}
+	}
+	return nil
+}