Update enforcement mode for OPA policies (#1521)

Previously the tfe_policy resource could only set policies to advisory.
This commit updates the update function to properly switch path for the
policy enforcement name based on the kind. This was due to the previous comparison
not comparing the same types so it always failed.

Author: glennsarti

CHANGELOG.md

@@ -1,3 +1,7 @@
+## Unreleased
+BUG FIXES:
+* `r/tfe_policy`: enforcement level can be updated on OPA policies by @glennsarti [#1521](https://github.com/hashicorp/terraform-provider-tfe/pull/1521)
+
 ## v0.60.0
 
 BUG FIXES:

internal/provider/resource_tfe_policy.go

@@ -271,6 +271,11 @@ func resourceTFEPolicyRead(d *schema.ResourceData, meta interface{}) error {
 func resourceTFEPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(ConfiguredClient)
 
+	var kind string
+	if v, ok := d.GetOk("kind"); ok {
+		kind = v.(string)
+	}
+
 	// nolint:nestif
 	if d.HasChange("description") || d.HasChange("enforce_mode") || d.HasChange("query") {
 		// Create a new options struct.
@@ -281,11 +286,8 @@ func resourceTFEPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 		}
 
 		path := d.Get("name").(string) + ".sentinel"
-		vKind, ok := d.GetOk("kind")
-		if ok {
-			if vKind == tfe.OPA {
-				path = d.Get("name").(string) + ".rego"
-			}
+		if kind == string(tfe.OPA) {
+			path = d.Get("name").(string) + ".rego"
 		}
 		if d.HasChange("enforce_mode") {
 			//nolint:staticcheck // this is still used by TFE versions older than 202306-1
@@ -301,11 +303,11 @@ func resourceTFEPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 			options.Query = tfe.String(query.(string))
 		}
 
-		log.Printf("[DEBUG] Update configuration for %s policy: %s", vKind, d.Id())
+		log.Printf("[DEBUG] Update configuration for %s policy: %s", kind, d.Id())
 		_, err := config.Client.Policies.Update(ctx, d.Id(), options)
 		if err != nil {
 			return fmt.Errorf(
-				"Error updating configuration for %s policy %s: %w", vKind, d.Id(), err)
+				"Error updating configuration for %s policy %s: %w", kind, d.Id(), err)
 		}
 	}
 

internal/provider/resource_tfe_policy_test.go

@@ -319,6 +319,27 @@ func TestAccTFEPolicyOPA_update(t *testing.T) {
 						"tfe_policy.foobar", "enforce_mode", "advisory"),
 				),
 			},
+			// And check that we can back to what we had before
+			{
+				Config: testAccTFEPolicyOPA_updateQuery(org.Name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEPolicyExists(
+						"tfe_policy.foobar", policy),
+					testAccCheckTFEOPAPolicyAttributesUpdatedQuery(policy),
+					resource.TestCheckResourceAttr(
+						"tfe_policy.foobar", "name", "policy-test"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy.foobar", "description", "A test policy"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy.foobar", "kind", "opa"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy.foobar", "policy", "package example rule[\"not allowed\"] { false }"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy.foobar", "query", "data.example.ruler"),
+					resource.TestCheckResourceAttr(
+						"tfe_policy.foobar", "enforce_mode", "mandatory"),
+				),
+			},
 		},
 	})
 }