Enhance validation for OAuth2 options and improve role resource tests for permission handling

dtoxvanilla1991 · dtoxvanilla1991 · commit 6cb5046e8f2d · 2026-01-06T21:52:32.000-05:00
diff --git a/internal/provider/connection_resource.go b/internal/provider/connection_resource.go
@@ -386,14 +386,28 @@ func (r *ConnectionResource) ValidateConfig(ctx context.Context, req resource.Va
 	if !data.Strategy.IsNull() {
 		strategy := connections.Strategy(data.Strategy.ValueString())
 		if strings.HasPrefix(string(strategy), "oauth2:") {
-			// Validate options if present
-			if data.Options != nil {
-				if err := data.Options.Validate(); err != nil {
-					resp.Diagnostics.AddError(
-						"Invalid Options Configuration",
-						err.Error(),
-					)
-				}
+			if data.Options == nil || data.Options.IsEmpty() {
+				resp.Diagnostics.AddError(
+					"Missing OAuth2 Options",
+					"options must be set for OAuth2 connections and must include both client_id and client_secret.",
+				)
+				return
+			}
+
+			if err := data.Options.Validate(); err != nil {
+				resp.Diagnostics.AddError(
+					"Invalid Options Configuration",
+					err.Error(),
+				)
+				return
+			}
+		} else {
+			if data.Options != nil && !data.Options.IsEmpty() {
+				resp.Diagnostics.AddError(
+					"Unsupported Options",
+					"options is only supported for OAuth2 connection strategies.",
+				)
+				return
 			}
 		}
 	}
diff --git a/internal/provider/role_resource.go b/internal/provider/role_resource.go
@@ -171,6 +171,9 @@ func (r *RoleResource) Create(ctx context.Context, req resource.CreateRequest, r
 
 // Helper function to sort permissions without modifying original.
 func sortPermissions(permissions []string) []string {
+	if permissions == nil {
+		return nil
+	}
 	sorted := make([]string, len(permissions))
 	copy(sorted, permissions)
 	sort.Strings(sorted)
@@ -410,5 +413,9 @@ func (r *RoleResource) ImportState(ctx context.Context, req resource.ImportState
 		return
 	}
 
-	resp.State.Set(ctx, &state)
+	diags := resp.State.Set(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
 }
diff --git a/internal/provider/role_resource_test.go b/internal/provider/role_resource_test.go
@@ -2,11 +2,11 @@ package provider
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-	"github.com/hashicorp/terraform-plugin-testing/terraform"
 )
 
 func TestAccRoleResource(t *testing.T) {
@@ -54,63 +54,23 @@ func TestAccRoleResource_PermissionOrdering(t *testing.T) {
 	permission1ID := acctest.RandomWithPrefix("tfacc-perm1")
 	permission2ID := acctest.RandomWithPrefix("tfacc-perm2")
 
-	var permission1ResourceID, permission2ResourceID string
-
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
 		Steps: []resource.TestStep{
-			// Create first permission.
-			{
-				Config: testAccPermissionResourceConfig("test-permission-1", permission1ID, "Test permission 1"),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttrSet("kinde_permission.test", "id"),
-					func(s *terraform.State) error {
-						rs, ok := s.RootModule().Resources["kinde_permission.test"]
-						if !ok {
-							return fmt.Errorf("permission1 not found")
-						}
-						permission1ResourceID = rs.Primary.ID
-						return nil
-					},
-				),
-			},
-			// Create second permission.
+			// Create both permissions and the role with permissions in one order.
 			{
-				Config: testAccPermissionResourceConfig("test-permission-2", permission2ID, "Test permission 2"),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttrSet("kinde_permission.test", "id"),
-					func(s *terraform.State) error {
-						rs, ok := s.RootModule().Resources["kinde_permission.test"]
-						if !ok {
-							return fmt.Errorf("permission2 not found")
-						}
-						permission2ResourceID = rs.Primary.ID
-						return nil
-					},
-				),
-			},
-			// Create role with permissions in one order.
-			{
-				Config: testAccRoleResourceConfig_WithPermissions(testID, testID, []string{
-					permission1ResourceID,
-					permission2ResourceID,
-				}),
+				Config: testAccRoleWithPermissionResourcesConfig(testID, permission1ID, permission2ID, []string{"kinde_permission.perm1.id", "kinde_permission.perm2.id"}),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttr("kinde_role.test", "name", testID),
 					resource.TestCheckResourceAttr("kinde_role.test", "key", testID),
 					resource.TestCheckResourceAttr("kinde_role.test", "description", "Test role with permissions"),
 					resource.TestCheckResourceAttr("kinde_role.test", "permissions.#", "2"),
-					resource.TestCheckTypeSetElemAttr("kinde_role.test", "permissions.*", permission1ResourceID),
-					resource.TestCheckTypeSetElemAttr("kinde_role.test", "permissions.*", permission2ResourceID),
 				),
 			},
 			// Update with same permissions in different order - should not trigger a change.
 			{
-				Config: testAccRoleResourceConfig_WithPermissions(testID, testID, []string{
-					permission2ResourceID,
-					permission1ResourceID,
-				}),
+				Config:   testAccRoleWithPermissionResourcesConfig(testID, permission1ID, permission2ID, []string{"kinde_permission.perm2.id", "kinde_permission.perm1.id"}),
 				PlanOnly: true,
 			},
 			// Remove all permissions.
@@ -136,68 +96,28 @@ func TestAccRoleResource_RemovePermissions(t *testing.T) {
 	permission1ID := acctest.RandomWithPrefix("tfacc-perm1")
 	permission2ID := acctest.RandomWithPrefix("tfacc-perm2")
 
-	var permission1ResourceID, permission2ResourceID string
-
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
 		Steps: []resource.TestStep{
-			// Create first permission.
+			// Create both permissions and the role with two permissions.
 			{
-				Config: testAccPermissionResourceConfig("test-permission-1", permission1ID, "Test permission 1"),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttrSet("kinde_permission.test", "id"),
-					func(s *terraform.State) error {
-						rs, ok := s.RootModule().Resources["kinde_permission.test"]
-						if !ok {
-							return fmt.Errorf("permission1 not found")
-						}
-						permission1ResourceID = rs.Primary.ID
-						return nil
-					},
-				),
-			},
-			// Create second permission.
-			{
-				Config: testAccPermissionResourceConfig("test-permission-2", permission2ID, "Test permission 2"),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttrSet("kinde_permission.test", "id"),
-					func(s *terraform.State) error {
-						rs, ok := s.RootModule().Resources["kinde_permission.test"]
-						if !ok {
-							return fmt.Errorf("permission2 not found")
-						}
-						permission2ResourceID = rs.Primary.ID
-						return nil
-					},
-				),
-			},
-			// Create role with two permissions.
-			{
-				Config: testAccRoleResourceConfig_WithPermissions(testID, testID, []string{
-					permission1ResourceID,
-					permission2ResourceID,
-				}),
+				Config: testAccRoleWithPermissionResourcesConfig(testID, permission1ID, permission2ID, []string{"kinde_permission.perm1.id", "kinde_permission.perm2.id"}),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttr("kinde_role.test", "name", testID),
 					resource.TestCheckResourceAttr("kinde_role.test", "key", testID),
 					resource.TestCheckResourceAttr("kinde_role.test", "description", "Test role with permissions"),
 					resource.TestCheckResourceAttr("kinde_role.test", "permissions.#", "2"),
-					resource.TestCheckTypeSetElemAttr("kinde_role.test", "permissions.*", permission1ResourceID),
-					resource.TestCheckTypeSetElemAttr("kinde_role.test", "permissions.*", permission2ResourceID),
 				),
 			},
 			// Remove one permission.
 			{
-				Config: testAccRoleResourceConfig_WithPermissions(testID, testID, []string{
-					permission1ResourceID,
-				}),
+				Config: testAccRoleWithPermissionResourcesConfig(testID, permission1ID, permission2ID, []string{"kinde_permission.perm1.id"}),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttr("kinde_role.test", "name", testID),
 					resource.TestCheckResourceAttr("kinde_role.test", "key", testID),
 					resource.TestCheckResourceAttr("kinde_role.test", "description", "Test role with permissions"),
 					resource.TestCheckResourceAttr("kinde_role.test", "permissions.#", "1"),
-					resource.TestCheckTypeSetElemAttr("kinde_role.test", "permissions.*", permission1ResourceID),
 				),
 			},
 			// Remove all permissions.
@@ -264,3 +184,31 @@ resource "kinde_role" "test" {
 }
 `, name, key, description, permissionsStr)
 }
+
+func testAccRoleWithPermissionResourcesConfig(roleName, permission1Key, permission2Key string, permissionRefs []string) string {
+	permissionsStr := "[]"
+	if len(permissionRefs) > 0 {
+		permissionsStr = "[" + strings.Join(permissionRefs, ", ") + "]"
+	}
+
+	return fmt.Sprintf(`
+resource "kinde_permission" "perm1" {
+  name        = "test-permission-1"
+  key         = %q
+  description = "Test permission 1"
+}
+
+resource "kinde_permission" "perm2" {
+  name        = "test-permission-2"
+  key         = %q
+  description = "Test permission 2"
+}
+
+resource "kinde_role" "test" {
+  name        = %q
+  key         = %q
+  description = "Test role with permissions"
+  permissions = %s
+}
+`, permission1Key, permission2Key, roleName, roleName, permissionsStr)
+}
