auth: Make access policy token's expires_at optional (#788)

* auth: Make access policy token's `expires_at` optional

* tidy up go.sum

* feedback: add dedicated tests to exercise no expiration

* remove unused import

Author: cinaglia

go.mod

@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/Masterminds/semver/v3 v3.2.0
 	github.com/grafana/amixr-api-go-client v0.0.5
-	github.com/grafana/grafana-api-golang-client v0.18.1
+	github.com/grafana/grafana-api-golang-client v0.18.2
 	github.com/grafana/machine-learning-go-client v0.3.0
 	github.com/grafana/synthetic-monitoring-agent v0.14.0
 	github.com/grafana/synthetic-monitoring-api-go-client v0.6.5

go.sum

@@ -77,8 +77,8 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grafana/amixr-api-go-client v0.0.5 h1:jqmljnd5FozuOsCNuyhZVpooxmj0BW9MmeLA7PaLK6U=
 github.com/grafana/amixr-api-go-client v0.0.5/go.mod h1:N6x26XUrM5zGtK5zL5vNJnAn2JFMxLFPPLTw/6pDkFE=
-github.com/grafana/grafana-api-golang-client v0.18.1 h1:yOXCQQZvVsgE5aBoc+W1kNdke1mqZ8czdJIL6A+cdc4=
-github.com/grafana/grafana-api-golang-client v0.18.1/go.mod h1:24W29gPe9yl0/3A9X624TPkAOR8DpHno490cPwnkv8E=
+github.com/grafana/grafana-api-golang-client v0.18.2 h1:WPYT4Cyw0uqBHAyO619HykzNsQ98yHKFmPuJonfiW8c=
+github.com/grafana/grafana-api-golang-client v0.18.2/go.mod h1:24W29gPe9yl0/3A9X624TPkAOR8DpHno490cPwnkv8E=
 github.com/grafana/machine-learning-go-client v0.3.0 h1:QmDPt9kFvw7RsVZE92V4tSbng2dHsOsVsHvNczLpNy8=
 github.com/grafana/machine-learning-go-client v0.3.0/go.mod h1:QFfZz8NkqVF8++skjkKQXJEZfpCYd8S0yTWJUpsLLTA=
 github.com/grafana/synthetic-monitoring-agent v0.14.0 h1:3kdNdMrQCBznU0uJWK7LN/+sKnzn/DpTvnNOKYC2iZM=

grafana/resource_cloud_access_policy_token.go

@@ -92,22 +92,21 @@ func CreateCloudAccessPolicyToken(ctx context.Context, d *schema.ResourceData, m
 	client := meta.(*client).gcloudapi
 	region := d.Get("region").(string)
 
-	expiresAt, err := time.Parse(time.RFC3339, d.Get("expires_at").(string))
-	if err != nil {
-		return diag.FromErr(err)
+	tokenInput := gapi.CreateCloudAccessPolicyTokenInput{
+		AccessPolicyID: d.Get("access_policy_id").(string),
+		Name:           d.Get("name").(string),
+		DisplayName:    d.Get("display_name").(string),
 	}
 
-	displayName := d.Get("display_name").(string)
-	if displayName == "" {
-		displayName = d.Get("name").(string)
+	if v, ok := d.GetOk("expires_at"); ok {
+		expiresAt, err := time.Parse(time.RFC3339, v.(string))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		tokenInput.ExpiresAt = &expiresAt
 	}
 
-	result, err := client.CreateCloudAccessPolicyToken(region, gapi.CreateCloudAccessPolicyTokenInput{
-		AccessPolicyID: d.Get("access_policy_id").(string),
-		Name:           d.Get("name").(string),
-		DisplayName:    displayName,
-		ExpiresAt:      expiresAt,
-	})
+	result, err := client.CreateCloudAccessPolicyToken(region, tokenInput)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -158,9 +157,13 @@ func ReadCloudAccessPolicyToken(ctx context.Context, d *schema.ResourceData, met
 	d.Set("region", region)
 	d.Set("name", result.Name)
 	d.Set("display_name", result.DisplayName)
-	d.Set("expires_at", result.ExpiresAt.Format(time.RFC3339))
 	d.Set("created_at", result.CreatedAt.Format(time.RFC3339))
-	d.Set("updated_at", result.UpdatedAt.Format(time.RFC3339))
+	if result.ExpiresAt != nil {
+		d.Set("expires_at", result.ExpiresAt.Format(time.RFC3339))
+	}
+	if result.UpdatedAt != nil {
+		d.Set("updated_at", result.UpdatedAt.Format(time.RFC3339))
+	}
 
 	return nil
 }

grafana/resource_cloud_access_policy_token_test.go

@@ -110,6 +110,34 @@ func TestResourceCloudAccessPolicyToken_Basic(t *testing.T) {
 	})
 }
 
+func TestResourceCloudAccessPolicyToken_NoExpiration(t *testing.T) {
+	t.Parallel()
+	CheckCloudAPITestsEnabled(t)
+
+	var policy gapi.CloudAccessPolicy
+	var policyToken gapi.CloudAccessPolicyToken
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudAccessPolicyTokenConfigBasic("initial-no-expiration", "", []string{"metrics:read"}, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudAccessPolicyCheckExists("grafana_cloud_access_policy.test", &policy),
+					testAccCloudAccessPolicyTokenCheckExists("grafana_cloud_access_policy_token.test", &policyToken),
+					resource.TestCheckNoResourceAttr("grafana_cloud_access_policy_token.test", "expires_at"),
+				),
+			},
+			{
+				ResourceName:            "grafana_cloud_access_policy_token.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"token"},
+			},
+		},
+	})
+}
+
 // nolint: unparam
 func testAccCloudAccessPolicyCheckExists(rn string, a *gapi.CloudAccessPolicy) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -193,6 +221,10 @@ func testAccCloudAccessPolicyTokenConfigBasic(name, displayName string, scopes [
 		displayName = fmt.Sprintf("display_name = \"%s\"", displayName)
 	}
 
+	if expiresAt != "" {
+		expiresAt = fmt.Sprintf("expires_at = \"%s\"", expiresAt)
+	}
+
 	return fmt.Sprintf(`
 	data "grafana_cloud_organization" "current" {
 		slug = "%[4]s"
@@ -220,7 +252,7 @@ func testAccCloudAccessPolicyTokenConfigBasic(name, displayName string, scopes [
 		access_policy_id = grafana_cloud_access_policy.test.policy_id
 		name             = "token-%[1]s"
 		%[2]s
-		expires_at       = "%[5]s"
+		%[5]s
 	}
 	`, name, displayName, strings.Join(scopes, `","`), os.Getenv("GRAFANA_CLOUD_ORG"), expiresAt)
 }