Roles: Remove global role validation (#1479)

Global roles can be deployed in Grafana Cloud even though we use SAs. That is because there is always a single org in Grafana Cloud and the RBAC system handles that
This validation is not needed and can be removed.

Author: julienduchesne

internal/resources/grafana/resource_role.go

@@ -117,11 +117,8 @@ func resourceRole() *common.Resource {
 func CreateRole(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, orgID := OAPIClientFromNewOrgResource(meta, d)
 	if d.Get("global").(bool) {
-		var err error
-		if client, err = OAPIGlobalClient(meta); err != nil {
-			return diag.FromErr(err)
-		}
 		orgID = 0
+		client = client.WithOrgID(orgID)
 	}
 
 	var version int
@@ -173,10 +170,8 @@ func permissions(d *schema.ResourceData) []*models.Permission {
 func ReadRole(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, _, uid := OAPIClientFromExistingOrgResource(meta, d.Id())
 	if d.Get("global").(bool) {
-		var err error
-		if client, err = OAPIGlobalClient(meta); err != nil {
-			return diag.FromErr(err)
-		}
+		var orgID int64 = 0
+		client = client.WithOrgID(orgID)
 	}
 	return readRoleFromUID(client, uid, d)
 }
@@ -239,10 +234,8 @@ func readRoleFromUID(client *goapi.GrafanaHTTPAPI, uid string, d *schema.Resourc
 func UpdateRole(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, _, uid := OAPIClientFromExistingOrgResource(meta, d.Id())
 	if d.Get("global").(bool) {
-		var err error
-		if client, err = OAPIGlobalClient(meta); err != nil {
-			return diag.FromErr(err)
-		}
+		var orgID int64 = 0
+		client = client.WithOrgID(orgID)
 	}
 
 	if d.HasChange("version") || d.HasChange("name") || d.HasChange("description") || d.HasChange("permissions") ||
@@ -274,10 +267,8 @@ func DeleteRole(ctx context.Context, d *schema.ResourceData, meta interface{}) d
 	client, _, uid := OAPIClientFromExistingOrgResource(meta, d.Id())
 	global := d.Get("global").(bool)
 	if global {
-		var err error
-		if client, err = OAPIGlobalClient(meta); err != nil {
-			return diag.FromErr(err)
-		}
+		var orgID int64 = 0
+		client = client.WithOrgID(orgID)
 	}
 	_, err := client.AccessControl.DeleteRole(access_control.NewDeleteRoleParams().WithRoleUID(uid).WithGlobal(&global), nil)
 	diag, _ := common.CheckReadError("role", d, err)

internal/resources/grafana/resource_role_test.go

@@ -2,7 +2,7 @@ package grafana_test
 
 import (
 	"fmt"
-	"regexp"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -30,7 +30,7 @@ func TestAccRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("grafana_role.test", "display_name", "testdisplay"),
 					resource.TestCheckResourceAttr("grafana_role.test", "group", "testgroup"),
 					resource.TestCheckResourceAttr("grafana_role.test", "version", "1"),
-					resource.TestCheckResourceAttr("grafana_role.test", "uid", "testuid"),
+					resource.TestCheckResourceAttr("grafana_role.test", "uid", "terraform-acc-test"),
 					resource.TestCheckResourceAttr("grafana_role.test", "global", "true"),
 					resource.TestCheckResourceAttr("grafana_role.test", "hidden", "true"),
 				),
@@ -44,7 +44,7 @@ func TestAccRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("grafana_role.test", "display_name", "testdisplay"),
 					resource.TestCheckResourceAttr("grafana_role.test", "group", "testgroup"),
 					resource.TestCheckResourceAttr("grafana_role.test", "version", "2"),
-					resource.TestCheckResourceAttr("grafana_role.test", "uid", "testuid"),
+					resource.TestCheckResourceAttr("grafana_role.test", "uid", "terraform-acc-test"),
 					resource.TestCheckResourceAttr("grafana_role.test", "global", "true"),
 					resource.TestCheckResourceAttr("grafana_role.test", "hidden", "true"),
 					resource.TestCheckResourceAttr("grafana_role.test", "permissions.#", "2"),
@@ -57,18 +57,14 @@ func TestAccRole_basic(t *testing.T) {
 	})
 }
 
-func TestAccRole_GlobalRolesNeedBasicAuth(t *testing.T) {
+func TestAccRole_NonGlobalRolesCanBeManagedWithSA(t *testing.T) {
 	testutils.CheckEnterpriseTestsEnabled(t, ">=9.0.0")
 	orgScopedTest(t)
 	randomName := acctest.RandString(10)
 
 	resource.Test(t, resource.TestCase{
 		ProtoV5ProviderFactories: testutils.ProtoV5ProviderFactories,
 		Steps: []resource.TestStep{
-			{
-				Config:      roleConfig(randomName, true),
-				ExpectError: regexp.MustCompile("global scope resources cannot be managed with an API key. Use basic auth instead"),
-			},
 			{
 				Config: roleConfig(randomName, false),
 				Check: resource.ComposeTestCheckFunc(
@@ -77,7 +73,7 @@ func TestAccRole_GlobalRolesNeedBasicAuth(t *testing.T) {
 					resource.TestCheckResourceAttr("grafana_role.test", "display_name", "testdisplay"),
 					resource.TestCheckResourceAttr("grafana_role.test", "group", "testgroup"),
 					resource.TestCheckResourceAttr("grafana_role.test", "version", "1"),
-					resource.TestCheckResourceAttr("grafana_role.test", "uid", "testuid"),
+					resource.TestCheckResourceAttr("grafana_role.test", "uid", randomName),
 					resource.TestCheckResourceAttr("grafana_role.test", "global", "false"),
 					resource.TestCheckResourceAttr("grafana_role.test", "hidden", "true"),
 				),
@@ -86,6 +82,44 @@ func TestAccRole_GlobalRolesNeedBasicAuth(t *testing.T) {
 	})
 }
 
+func TestAccRole_GlobalCanBeManagedInGrafanaCloud(t *testing.T) {
+	t.Skip("Broken for now. Fix incoming.")
+	testutils.CheckCloudInstanceTestsEnabled(t)
+	randomName := acctest.RandStringFromCharSet(10, acctest.CharSetAlpha)
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProtoV5ProviderFactories: testutils.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: roleConfig(randomName, true),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("grafana_role.test", "name", randomName),
+					resource.TestCheckResourceAttr("grafana_role.test", "description", "test desc"),
+					resource.TestCheckResourceAttr("grafana_role.test", "display_name", "testdisplay"),
+					resource.TestCheckResourceAttr("grafana_role.test", "group", "testgroup"),
+					resource.TestCheckResourceAttr("grafana_role.test", "version", "1"),
+					resource.TestCheckResourceAttr("grafana_role.test", "uid", randomName),
+					resource.TestCheckResourceAttr("grafana_role.test", "global", "true"),
+					resource.TestCheckResourceAttr("grafana_role.test", "hidden", "true"),
+				),
+			},
+			{
+				Config: strings.ReplaceAll(roleConfig(randomName, true), "test desc", "updated desc"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("grafana_role.test", "name", randomName),
+					resource.TestCheckResourceAttr("grafana_role.test", "description", "updated desc"),
+					resource.TestCheckResourceAttr("grafana_role.test", "display_name", "testdisplay"),
+					resource.TestCheckResourceAttr("grafana_role.test", "group", "testgroup"),
+					resource.TestCheckResourceAttr("grafana_role.test", "version", "1"),
+					resource.TestCheckResourceAttr("grafana_role.test", "uid", randomName),
+					resource.TestCheckResourceAttr("grafana_role.test", "global", "true"),
+					resource.TestCheckResourceAttr("grafana_role.test", "hidden", "true"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccRoleVersioning(t *testing.T) {
 	testutils.CheckEnterpriseTestsEnabled(t, ">=9.0.0")
 
@@ -218,11 +252,11 @@ var roleConfigBasic = roleConfig("terraform-acc-test", true)
 func roleConfig(name string, global bool) string {
 	return fmt.Sprintf(`
 	resource "grafana_role" "test" {
-	  name  = "%s"
+	  name  = "%[1]s"
 	  description = "test desc"
 	  version = 1
-	  uid = "testuid"
-	  global = %t
+	  uid = "%[1]s"
+	  global = %[2]t
 	  group = "testgroup"
 	  display_name = "testdisplay"
 	  hidden = true
@@ -235,7 +269,7 @@ resource "grafana_role" "test" {
   name  = "terraform-acc-test"
   description = "test desc"
   version = 2
-  uid = "testuid"
+  uid = "terraform-acc-test"
   global = true
   group = "testgroup"
   display_name = "testdisplay"