Fix grafana_cloud_stack_service_account resource to support creating service accounts without a basic role (#1464)

* Fix grafana_cloud_stack_service_account resource to support creating service accounts without a basic role

* Fix tests

* Generate docs

---------

Co-authored-by: Julien Duchesne <[email protected]>

Author: F21

docs/resources/cloud_stack_service_account.md

@@ -41,12 +41,12 @@ resource "grafana_cloud_stack_service_account" "cloud_sa" {
 ### Required
 
 - `name` (String) The name of the service account.
+- `role` (String) The basic role of the service account in the organization.
 - `stack_slug` (String)
 
 ### Optional
 
 - `is_disabled` (Boolean) The disabled status for the service account. Defaults to `false`.
-- `role` (String) The basic role of the service account in the organization.
 
 ### Read-Only
 

internal/resources/cloud/resource_cloud_stack_service_account.go

@@ -58,8 +58,8 @@ Required access policy scopes:
 			},
 			"role": {
 				Type:         schema.TypeString,
-				Optional:     true,
-				ValidateFunc: validation.StringInSlice([]string{"Viewer", "Editor", "Admin"}, false),
+				Required:     true,
+				ValidateFunc: validation.StringInSlice([]string{"Viewer", "Editor", "Admin", "None"}, false),
 				Description:  "The basic role of the service account in the organization.",
 				ForceNew:     true, // The grafana API does not support updating the service account
 			},

internal/resources/cloud/resource_cloud_stack_service_account_test.go

@@ -29,7 +29,7 @@ func TestAccGrafanaServiceAccountFromCloud(t *testing.T) {
 		CheckDestroy:             testAccStackCheckDestroy(&stack),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccGrafanaServiceAccountFromCloud(slug, slug, true),
+				Config: testAccGrafanaServiceAccountFromCloud(slug, slug, true, "Admin"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccStackCheckExists("grafana_cloud_stack.test", &stack),
 					testAccGrafanaAuthCheckServiceAccounts(&stack, []string{"management-sa"}),
@@ -42,9 +42,10 @@ func TestAccGrafanaServiceAccountFromCloud(t *testing.T) {
 				),
 			},
 			{
-				Config: testAccGrafanaServiceAccountFromCloud(slug, slug, false),
+				Config: testAccGrafanaServiceAccountFromCloud(slug, slug, false, "Editor"),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("grafana_cloud_stack_service_account.management", "is_disabled", "false"),
+					resource.TestCheckResourceAttr("grafana_cloud_stack_service_account.management", "role", "Editor"),
 				),
 			},
 			{
@@ -60,6 +61,37 @@ func TestAccGrafanaServiceAccountFromCloud(t *testing.T) {
 	})
 }
 
+func TestAccGrafanaServiceAccountFromCloudNoneRole(t *testing.T) {
+	testutils.CheckCloudAPITestsEnabled(t)
+
+	var stack gcom.FormattedApiInstance
+	prefix := "tfsanone"
+	slug := GetRandomStackName(prefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccDeleteExistingStacks(t, prefix)
+		},
+		ProtoV5ProviderFactories: testutils.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccStackCheckDestroy(&stack),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGrafanaServiceAccountFromCloud(slug, slug, true, "None"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccStackCheckExists("grafana_cloud_stack.test", &stack),
+					testAccGrafanaAuthCheckServiceAccounts(&stack, []string{"management-sa"}),
+					resource.TestCheckResourceAttr("grafana_cloud_stack_service_account.management", "name", "management-sa"),
+					resource.TestCheckResourceAttr("grafana_cloud_stack_service_account.management", "role", "None"),
+					resource.TestCheckResourceAttr("grafana_cloud_stack_service_account.management", "is_disabled", "true"),
+					resource.TestCheckResourceAttr("grafana_cloud_stack_service_account_token.management_token", "name", "management-sa-token"),
+					resource.TestCheckNoResourceAttr("grafana_cloud_stack_service_account_token.management_token", "expiration"),
+					resource.TestCheckResourceAttrSet("grafana_cloud_stack_service_account_token.management_token", "key"),
+				),
+			},
+		},
+	})
+}
+
 // Tests that the ID change from 2.13.0 to latest works
 // Remove on next major release
 func TestAccGrafanaServiceAccountFromCloud_MigrateFrom213(t *testing.T) {
@@ -112,12 +144,12 @@ func TestAccGrafanaServiceAccountFromCloud_MigrateFrom213(t *testing.T) {
 	})
 }
 
-func testAccGrafanaServiceAccountFromCloud(name, slug string, disabled bool) string {
+func testAccGrafanaServiceAccountFromCloud(name, slug string, disabled bool, role string) string {
 	return testAccStackConfigBasic(name, slug, "description") + fmt.Sprintf(`
 	resource "grafana_cloud_stack_service_account" "management" {
 		stack_slug = grafana_cloud_stack.test.slug
 		name        = "management-sa"
-		role        = "Admin"
+		role        = "%s"
 		is_disabled = %t
 	}
 
@@ -126,11 +158,11 @@ func testAccGrafanaServiceAccountFromCloud(name, slug string, disabled bool) str
 		service_account_id = grafana_cloud_stack_service_account.management.id
 		name       = "management-sa-token"
 	}
-	`, disabled)
+	`, role, disabled)
 }
 
 func testAccGrafanaServiceAccountWithStackFolder(name, slug string, withFolder bool) string {
-	return testAccGrafanaServiceAccountFromCloud(name, slug, false) + fmt.Sprintf(`
+	return testAccGrafanaServiceAccountFromCloud(name, slug, false, "Admin") + fmt.Sprintf(`
 	provider "grafana" {
 		alias = "stack"
 		auth = grafana_cloud_stack_service_account_token.management_token.key