Adding a resource for service account permissions (#708)

* resource for service account permissions

* test

* add resource example

* linting

* docs

* docs category

* docs category done correctly

* terraform fmt

* gen docs again after updating example

* set -1 as the default ID

* docs

* set default team and user IDs to 0

* generate docs

Author: IevaVasiljeva

docs/resources/service_account_permission.md

@@ -0,0 +1,73 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "grafana_service_account_permission Resource - terraform-provider-grafana"
+subcategory: "Grafana OSS"
+description: |-
+  Note: This resource is available from Grafana 9.2.4 onwards.
+  Official documentation https://grafana.com/docs/grafana/latest/administration/service-accounts/#manage-users-and-teams-permissions-for-a-service-account-in-grafana
+---
+
+# grafana_service_account_permission (Resource)
+
+**Note:** This resource is available from Grafana 9.2.4 onwards.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/#manage-users-and-teams-permissions-for-a-service-account-in-grafana)
+
+## Example Usage
+
+```terraform
+resource "grafana_service_account" "test" {
+  name        = "sa-terraform-test"
+  role        = "Editor"
+  is_disabled = false
+}
+
+resource "grafana_team" "test_team" {
+  name = "tf_test_team"
+}
+
+resource "grafana_user" "test_user" {
+  email    = "[email protected]"
+  login    = "[email protected]"
+  password = "password"
+}
+
+resource "grafana_service_account_permission" "test_permissions" {
+  service_account_id = grafana_service_account.test.id
+
+  permissions {
+    user_id    = grafana_user.test_user.id
+    permission = "Edit"
+  }
+  permissions {
+    team_id    = grafana_team.test_team.id
+    permission = "Admin"
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `permissions` (Block Set, Min: 1) The permission items to add/update. Items that are omitted from the list will be removed. (see [below for nested schema](#nestedblock--permissions))
+- `service_account_id` (Number) The id of the service account.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--permissions"></a>
+### Nested Schema for `permissions`
+
+Required:
+
+- `permission` (String) Permission to associate with item. Must be `Edit` or `Admin`.
+
+Optional:
+
+- `team_id` (Number) ID of the team to manage permissions for. Specify either this or `user_id`. Defaults to `0`.
+- `user_id` (Number) ID of the user to manage permissions for. Specify either this or `team_id`. Defaults to `0`.
+
+

examples/resources/grafana_service_account_permission/resource.tf

@@ -0,0 +1,28 @@
+resource "grafana_service_account" "test" {
+  name        = "sa-terraform-test"
+  role        = "Editor"
+  is_disabled = false
+}
+
+resource "grafana_team" "test_team" {
+  name = "tf_test_team"
+}
+
+resource "grafana_user" "test_user" {
+  email    = "[email protected]"
+  login    = "[email protected]"
+  password = "password"
+}
+
+resource "grafana_service_account_permission" "test_permissions" {
+  service_account_id = grafana_service_account.test.id
+
+  permissions {
+    user_id    = grafana_user.test_user.id
+    permission = "Edit"
+  }
+  permissions {
+    team_id    = grafana_team.test_team.id
+    permission = "Admin"
+  }
+}

grafana/provider.go

@@ -48,33 +48,34 @@ func Provider(version string) func() *schema.Provider {
 		// Resources that require the Grafana client to exist.
 		grafanaClientResources = addResourcesMetadataValidation(grafanaClientPresent, map[string]*schema.Resource{
 			// Grafana
-			"grafana_annotation":               ResourceAnnotation(),
-			"grafana_alert_notification":       ResourceAlertNotification(),
-			"grafana_builtin_role_assignment":  ResourceBuiltInRoleAssignment(),
-			"grafana_contact_point":            ResourceContactPoint(),
-			"grafana_dashboard":                ResourceDashboard(),
-			"grafana_dashboard_permission":     ResourceDashboardPermission(),
-			"grafana_data_source":              ResourceDataSource(),
-			"grafana_data_source_permission":   ResourceDatasourcePermission(),
-			"grafana_folder":                   ResourceFolder(),
-			"grafana_folder_permission":        ResourceFolderPermission(),
-			"grafana_library_panel":            ResourceLibraryPanel(),
-			"grafana_message_template":         ResourceMessageTemplate(),
-			"grafana_mute_timing":              ResourceMuteTiming(),
-			"grafana_notification_policy":      ResourceNotificationPolicy(),
-			"grafana_organization":             ResourceOrganization(),
-			"grafana_organization_preferences": ResourceOrganizationPreferences(),
-			"grafana_playlist":                 ResourcePlaylist(),
-			"grafana_report":                   ResourceReport(),
-			"grafana_role":                     ResourceRole(),
-			"grafana_role_assignment":          ResourceRoleAssignment(),
-			"grafana_rule_group":               ResourceRuleGroup(),
-			"grafana_team":                     ResourceTeam(),
-			"grafana_team_preferences":         ResourceTeamPreferences(),
-			"grafana_team_external_group":      ResourceTeamExternalGroup(),
-			"grafana_service_account_token":    ResourceServiceAccountToken(),
-			"grafana_service_account":          ResourceServiceAccount(),
-			"grafana_user":                     ResourceUser(),
+			"grafana_annotation":                 ResourceAnnotation(),
+			"grafana_alert_notification":         ResourceAlertNotification(),
+			"grafana_builtin_role_assignment":    ResourceBuiltInRoleAssignment(),
+			"grafana_contact_point":              ResourceContactPoint(),
+			"grafana_dashboard":                  ResourceDashboard(),
+			"grafana_dashboard_permission":       ResourceDashboardPermission(),
+			"grafana_data_source":                ResourceDataSource(),
+			"grafana_data_source_permission":     ResourceDatasourcePermission(),
+			"grafana_folder":                     ResourceFolder(),
+			"grafana_folder_permission":          ResourceFolderPermission(),
+			"grafana_library_panel":              ResourceLibraryPanel(),
+			"grafana_message_template":           ResourceMessageTemplate(),
+			"grafana_mute_timing":                ResourceMuteTiming(),
+			"grafana_notification_policy":        ResourceNotificationPolicy(),
+			"grafana_organization":               ResourceOrganization(),
+			"grafana_organization_preferences":   ResourceOrganizationPreferences(),
+			"grafana_playlist":                   ResourcePlaylist(),
+			"grafana_report":                     ResourceReport(),
+			"grafana_role":                       ResourceRole(),
+			"grafana_role_assignment":            ResourceRoleAssignment(),
+			"grafana_rule_group":                 ResourceRuleGroup(),
+			"grafana_team":                       ResourceTeam(),
+			"grafana_team_preferences":           ResourceTeamPreferences(),
+			"grafana_team_external_group":        ResourceTeamExternalGroup(),
+			"grafana_service_account_token":      ResourceServiceAccountToken(),
+			"grafana_service_account":            ResourceServiceAccount(),
+			"grafana_service_account_permission": ResourceServiceAccountPermission(),
+			"grafana_user":                       ResourceUser(),
 
 			// Machine Learning
 			"grafana_machine_learning_job": ResourceMachineLearningJob(),

grafana/resource_service_account_permission.go

@@ -0,0 +1,212 @@
+package grafana
+
+import (
+	"context"
+	"log"
+	"strconv"
+	"strings"
+
+	gapi "github.com/grafana/grafana-api-golang-client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func ResourceServiceAccountPermission() *schema.Resource {
+	return &schema.Resource{
+		Description: `
+**Note:** This resource is available from Grafana 9.2.4 onwards.
+
+* [Official documentation](https://grafana.com/docs/grafana/latest/administration/service-accounts/#manage-users-and-teams-permissions-for-a-service-account-in-grafana)`,
+
+		CreateContext: UpdateServiceAccountPermissions,
+		ReadContext:   ReadServiceAccountPermissions,
+		UpdateContext: UpdateServiceAccountPermissions,
+		DeleteContext: DeleteServiceAccountPermissions,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"service_account_id": {
+				Type:        schema.TypeInt,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The id of the service account.",
+			},
+			"permissions": {
+				Type:        schema.TypeSet,
+				Required:    true,
+				Description: "The permission items to add/update. Items that are omitted from the list will be removed.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"team_id": {
+							Type:        schema.TypeInt,
+							Optional:    true,
+							Default:     0,
+							Description: "ID of the team to manage permissions for. Specify either this or `user_id`.",
+						},
+						"user_id": {
+							Type:        schema.TypeInt,
+							Optional:    true,
+							Default:     0,
+							Description: "ID of the user to manage permissions for. Specify either this or `team_id`.",
+						},
+						"permission": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.StringInSlice([]string{"Edit", "Admin"}, false),
+							Description:  "Permission to associate with item. Must be `Edit` or `Admin`.",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func ReadServiceAccountPermissions(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*client).gapi
+	id, err := strconv.ParseInt(d.Id(), 10, 64)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	saPermissions, err := client.GetServiceAccountPermissions(id)
+	if err != nil {
+		if strings.Contains(err.Error(), "404") {
+			d.SetId("")
+			log.Printf("[WARN] removing permissions for account with ID %d from state because the service account no longer exists in grafana", id)
+			return nil
+		}
+
+		return diag.FromErr(err)
+	}
+
+	saPerms := make([]interface{}, 0)
+	for _, p := range saPermissions {
+		// Only managed service account permissions can be provisioned through this resource.
+		if !p.IsManaged {
+			continue
+		}
+		permMap := map[string]interface{}{
+			"team_id":    p.TeamID,
+			"user_id":    p.UserID,
+			"permission": p.Permission,
+		}
+		saPerms = append(saPerms, permMap)
+	}
+	if err = d.Set("permissions", saPerms); err != nil {
+		return diag.FromErr(err)
+	}
+	if err = d.Set("service_account_id", id); err != nil {
+		return diag.FromErr(err)
+	}
+	d.SetId(strconv.FormatInt(id, 10))
+
+	return nil
+}
+
+func UpdateServiceAccountPermissions(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*client).gapi
+
+	// Get a list of permissions from Grafana state (current permission setup)
+	state, config := d.GetChange("permissions")
+	oldTeamPerms := make(map[int64]string, 0)
+	oldUserPerms := make(map[int64]string, 0)
+	for _, p := range state.(*schema.Set).List() {
+		perm := p.(map[string]interface{})
+		teamID := int64(perm["team_id"].(int))
+		userID := int64(perm["user_id"].(int))
+		if teamID > 0 {
+			oldTeamPerms[teamID] = perm["permission"].(string)
+		}
+		if userID > 0 {
+			oldUserPerms[userID] = perm["permission"].(string)
+		}
+	}
+
+	permissionList := gapi.ServiceAccountPermissionItems{}
+
+	// Iterate over permissions from the configuration (the desired permission setup)
+	for _, p := range config.(*schema.Set).List() {
+		permission := p.(map[string]interface{})
+		permissionItem := gapi.ServiceAccountPermissionItem{}
+		teamID := int64(permission["team_id"].(int))
+		userID := int64(permission["user_id"].(int))
+		if teamID > 0 {
+			perm, has := oldTeamPerms[teamID]
+			if has {
+				delete(oldTeamPerms, teamID)
+				// Skip permissions that have not been changed
+				if perm == permission["permission"].(string) {
+					continue
+				}
+			}
+			permissionItem.TeamID = teamID
+		} else if userID > 0 {
+			perm, has := oldUserPerms[userID]
+			if has {
+				delete(oldUserPerms, userID)
+				if perm == permission["permission"].(string) {
+					continue
+				}
+			}
+			permissionItem.UserID = userID
+		}
+		permissionItem.Permission = permission["permission"].(string)
+		permissionList.Permissions = append(permissionList.Permissions, &permissionItem)
+	}
+
+	// Remove the permissions that are in the state but not in the config
+	for teamID := range oldTeamPerms {
+		permissionList.Permissions = append(permissionList.Permissions, &gapi.ServiceAccountPermissionItem{
+			TeamID:     teamID,
+			Permission: "",
+		})
+	}
+	for userID := range oldUserPerms {
+		permissionList.Permissions = append(permissionList.Permissions, &gapi.ServiceAccountPermissionItem{
+			UserID:     userID,
+			Permission: "",
+		})
+	}
+
+	saID := int64(d.Get("service_account_id").(int))
+	err := client.UpdateServiceAccountPermissions(saID, &permissionList)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(strconv.FormatInt(saID, 10))
+
+	return ReadServiceAccountPermissions(ctx, d, meta)
+}
+
+func DeleteServiceAccountPermissions(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*client).gapi
+
+	state, _ := d.GetChange("permissions")
+	permissionList := gapi.ServiceAccountPermissionItems{}
+	for _, p := range state.(*schema.Set).List() {
+		perm := p.(map[string]interface{})
+		teamID := int64(perm["team_id"].(int))
+		userID := int64(perm["user_id"].(int))
+		permissionItem := gapi.ServiceAccountPermissionItem{}
+
+		if teamID > 0 {
+			permissionItem.TeamID = teamID
+		} else if userID > 0 {
+			permissionItem.UserID = userID
+		}
+		permissionItem.Permission = ""
+		permissionList.Permissions = append(permissionList.Permissions, &permissionItem)
+	}
+
+	id := int64(d.Get("service_account_id").(int))
+	err := client.UpdateServiceAccountPermissions(id, &permissionList)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}