Merge pull request #972 from hashicorp/Netra2104/TF-6273-add-project-policy-set-resource

TF-6273 Add a new project_policy_set resource

Author: Netra2104

CHANGELOG.md

@@ -3,6 +3,7 @@
 FEATURES:
 * **New Resource**: `r/tfe_saml_settings` manages SAML Settings, by @karvounis-form3 [970](https://github.com/hashicorp/terraform-provider-tfe/pull/970)
 * `d/tfe_saml_settings`: Add PrivateKey (sensitive), SignatureSigningMethod, and SignatureDigestMethod attributes, by @karvounis-form3 [970](https://github.com/hashicorp/terraform-provider-tfe/pull/970)
+* **New Resource**: `r/tfe_project_policy_set` is a new resource to attach/detach an existing `project` to an existing `policy set`, by @Netra2104 [972](https://github.com/hashicorp/terraform-provider-tfe/pull/972)
 
 NOTES:
 * The provider is now using go-tfe [v1.30.0](https://github.com/hashicorp/go-tfe/releases/tag/v1.30.0), by @karvounis-form3 [970](https://github.com/hashicorp/terraform-provider-tfe/pull/970)

tfe/provider.go

@@ -149,6 +149,7 @@ func Provider() *schema.Provider {
 			"tfe_policy_set":                    resourceTFEPolicySet(),
 			"tfe_policy_set_parameter":          resourceTFEPolicySetParameter(),
 			"tfe_project":                       resourceTFEProject(),
+			"tfe_project_policy_set":            resourceTFEProjectPolicySet(),
 			"tfe_project_variable_set":          resourceTFEProjectVariableSet(),
 			"tfe_registry_module":               resourceTFERegistryModule(),
 			"tfe_no_code_module":                resourceTFENoCodeModule(),

tfe/resource_tfe_project_policy_set.go

@@ -0,0 +1,173 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package tfe
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"strings"
+
+	tfe "github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceTFEProjectPolicySet() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceTFEProjectPolicySetCreate,
+		Read:   resourceTFEProjectPolicySetRead,
+		Delete: resourceTFEProjectPolicySetDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceTFEProjectPolicySetImporter,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"policy_set_id": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"project_id": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceTFEProjectPolicySetCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(ConfiguredClient)
+
+	policySetID := d.Get("policy_set_id").(string)
+	projectID := d.Get("project_id").(string)
+
+	policySetAddProjectsOptions := tfe.PolicySetAddProjectsOptions{}
+	policySetAddProjectsOptions.Projects = append(policySetAddProjectsOptions.Projects, &tfe.Project{ID: projectID})
+
+	err := config.Client.PolicySets.AddProjects(ctx, policySetID, policySetAddProjectsOptions)
+	if err != nil {
+		return fmt.Errorf(
+			"error attaching policy set id %s to project %s: %w", policySetID, projectID, err)
+	}
+
+	d.SetId(fmt.Sprintf("%s_%s", projectID, policySetID))
+
+	return resourceTFEProjectPolicySetRead(d, meta)
+}
+
+func resourceTFEProjectPolicySetRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(ConfiguredClient)
+
+	policySetID := d.Get("policy_set_id").(string)
+	projectID := d.Get("project_id").(string)
+
+	log.Printf("[DEBUG] Read configuration of project policy set: %s", policySetID)
+	policySet, err := config.Client.PolicySets.ReadWithOptions(ctx, policySetID, &tfe.PolicySetReadOptions{
+		Include: []tfe.PolicySetIncludeOpt{tfe.PolicySetProjects},
+	})
+	if err != nil {
+		if errors.Is(err, tfe.ErrResourceNotFound) {
+			log.Printf("[DEBUG] Policy set %s no longer exists", policySetID)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("error reading configuration of policy set %s: %w", policySetID, err)
+	}
+
+	isProjectAttached := false
+	for _, project := range policySet.Projects {
+		if project.ID == projectID {
+			isProjectAttached = true
+			d.Set("project_id", projectID)
+			break
+		}
+	}
+
+	if !isProjectAttached {
+		log.Printf("[DEBUG] Project %s not attached to policy set %s. Removing from state.", projectID, policySetID)
+		d.SetId("")
+		return nil
+	}
+
+	d.Set("policy_set_id", policySetID)
+	return nil
+}
+
+func resourceTFEProjectPolicySetDelete(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(ConfiguredClient)
+
+	policySetID := d.Get("policy_set_id").(string)
+	projectID := d.Get("project_id").(string)
+
+	log.Printf("[DEBUG] Detaching project (%s) from policy set (%s)", projectID, policySetID)
+	policySetRemoveProjectsOptions := tfe.PolicySetRemoveProjectsOptions{}
+	policySetRemoveProjectsOptions.Projects = append(policySetRemoveProjectsOptions.Projects, &tfe.Project{ID: projectID})
+
+	err := config.Client.PolicySets.RemoveProjects(ctx, policySetID, policySetRemoveProjectsOptions)
+	if err != nil {
+		return fmt.Errorf(
+			"error detaching project %s from policy set %s: %w", projectID, policySetID, err)
+	}
+
+	return nil
+}
+
+func resourceTFEProjectPolicySetImporter(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	// The format of the import ID is <ORGANIZATION/PROJECT ID/POLICYSET NAME>
+	splitID := strings.SplitN(d.Id(), "/", 3)
+	if len(splitID) != 3 {
+		return nil, fmt.Errorf(
+			"invalid project policy set input format: %s (expected <ORGANIZATION>/<PROJECT ID>/<POLICYSET NAME>)",
+			splitID,
+		)
+	}
+
+	organization, projectID, policySetName := splitID[0], splitID[1], splitID[2]
+
+	config := meta.(ConfiguredClient)
+
+	// Ensure the named project exists before fetching all the policy sets in the org
+	_, err := config.Client.Projects.Read(ctx, projectID)
+	if err != nil {
+		return nil, fmt.Errorf("error reading configuration of project %s in organization %s: %w", projectID, organization, err)
+	}
+
+	options := &tfe.PolicySetListOptions{Include: []tfe.PolicySetIncludeOpt{tfe.PolicySetProjects}}
+	for {
+		list, err := config.Client.PolicySets.List(ctx, organization, options)
+		if err != nil {
+			return nil, fmt.Errorf("error retrieving organization's list of policy sets: %w", err)
+		}
+		for _, policySet := range list.Items {
+			if policySet.Name != policySetName {
+				continue
+			}
+
+			for _, project := range policySet.Projects {
+				if project.ID != projectID {
+					continue
+				}
+
+				d.Set("project_id", project.ID)
+				d.Set("policy_set_id", policySet.ID)
+				d.SetId(fmt.Sprintf("%s_%s", project.ID, policySet.ID))
+
+				return []*schema.ResourceData{d}, nil
+			}
+		}
+
+		// Exit the loop when we've seen all pages.
+		if list.CurrentPage >= list.TotalPages {
+			break
+		}
+
+		// Update the page number to get the next page.
+		options.PageNumber = list.NextPage
+	}
+
+	return nil, fmt.Errorf("project %s has not been assigned to policy set %s", projectID, policySetName)
+}

tfe/resource_tfe_project_policy_set_test.go

@@ -0,0 +1,176 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package tfe
+
+import (
+	"fmt"
+	"math/rand"
+	"regexp"
+	"testing"
+	"time"
+
+	tfe "github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccTFEProjectPolicySet_basic(t *testing.T) {
+	skipUnlessBeta(t)
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	org, orgCleanup := createOrganization(t, tfeClient, tfe.OrganizationCreateOptions{
+		Name:  tfe.String(fmt.Sprintf("tst-terraform-%d", rInt)),
+		Email: tfe.String(fmt.Sprintf("%[email protected]", randomString(t))),
+	})
+	t.Cleanup(orgCleanup)
+
+	// Make a project
+	project := createProject(t, tfeClient, org.Name, tfe.ProjectCreateOptions{
+		Name: randomString(t),
+	})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckTFEProjectPolicySetDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEProjectPolicySet_basic(org.Name, project.ID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEProjectPolicySetExists(
+						"tfe_project_policy_set.test"),
+				),
+			},
+			{
+				ResourceName:      "tfe_project_policy_set.test",
+				ImportState:       true,
+				ImportStateId:     fmt.Sprintf("%s/%s/policy_set_test", org.Name, project.ID),
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccTFEProjectPolicySet_incorrectImportSyntax(t *testing.T) {
+	skipUnlessBeta(t)
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	org, orgCleanup := createOrganization(t, tfeClient, tfe.OrganizationCreateOptions{
+		Name:  tfe.String(fmt.Sprintf("tst-terraform-%d", rInt)),
+		Email: tfe.String(fmt.Sprintf("%[email protected]", randomString(t))),
+	})
+	t.Cleanup(orgCleanup)
+
+	// Make a project
+	project := createProject(t, tfeClient, org.Name, tfe.ProjectCreateOptions{
+		Name: randomString(t),
+	})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEProjectPolicySet_basic(org.Name, project.ID),
+			},
+			{
+				ResourceName:  "tfe_project_policy_set.test",
+				ImportState:   true,
+				ImportStateId: fmt.Sprintf("%s/tst-terraform-%d", org.Name, rInt),
+				ExpectError:   regexp.MustCompile(`Error: invalid project policy set input format`),
+			},
+		},
+	})
+}
+
+func testAccCheckTFEProjectPolicySetExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		config := testAccProvider.Meta().(ConfiguredClient)
+
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("not found: %s", n)
+		}
+
+		id := rs.Primary.ID
+		if id == "" {
+			return fmt.Errorf("no ID is set")
+		}
+
+		policySetID := rs.Primary.Attributes["policy_set_id"]
+		if policySetID == "" {
+			return fmt.Errorf("no policy set id set")
+		}
+
+		projectID := rs.Primary.Attributes["project_id"]
+		if projectID == "" {
+			return fmt.Errorf("no project id set")
+		}
+
+		policySet, err := config.Client.PolicySets.ReadWithOptions(ctx, policySetID, &tfe.PolicySetReadOptions{
+			Include: []tfe.PolicySetIncludeOpt{tfe.PolicySetProjects},
+		})
+		if err != nil {
+			return fmt.Errorf("error reading policy set %s: %w", policySetID, err)
+		}
+		for _, project := range policySet.Projects {
+			if project.ID == projectID {
+				return nil
+			}
+		}
+
+		return fmt.Errorf("project (%s) is not attached to policy set (%s).", projectID, policySetID)
+	}
+}
+
+func testAccCheckTFEProjectPolicySetDestroy(s *terraform.State) error {
+	config := testAccProvider.Meta().(ConfiguredClient)
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "tfe_policy_set" {
+			continue
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("no instance ID is set")
+		}
+
+		_, err := config.Client.PolicySets.Read(ctx, rs.Primary.ID)
+		if err == nil {
+			return fmt.Errorf("policy set %s still exists", rs.Primary.ID)
+		}
+	}
+
+	return nil
+}
+
+func testAccTFEProjectPolicySet_base(orgName string) string {
+	return fmt.Sprintf(`
+resource "tfe_policy_set" "test" {
+  name         = "policy_set_test"
+  description  = "a test policy set"
+  global       = false
+  organization = "%s"
+}
+`, orgName)
+}
+
+func testAccTFEProjectPolicySet_basic(orgName string, prjID string) string {
+	return testAccTFEProjectPolicySet_base(orgName) + fmt.Sprintf(`
+resource "tfe_project_policy_set" "test" {
+  policy_set_id = tfe_policy_set.test.id
+  project_id    = "%s"
+}
+`, prjID)
+}