Bug Fix - Fix using security_attributes in UpdateInstance and add tests

Author: bh-orcl

internal/integrationtest/core_instance_resource_test.go

@@ -2602,6 +2602,137 @@ func (s *ResourceCoreInstanceTestSuite) TestAccResourceCoreInstance_launchOption
 	})
 }
 
+func TestResourceCoreInstance_UpdateSecurityAttributes(t *testing.T) {
+	httpreplay.SetScenario("TestAccResourceCoreInstance_securityAttributes")
+	defer httpreplay.SaveScenario()
+
+	instanceName := "t"
+	instanceResourceKey := "oci_core_instance." + instanceName
+
+	subnetConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_subnet", "test_subnet",
+		acctest.Required, acctest.Create, acctest.RepresentationCopyWithNewProperties(CoreSubnetRepresentation,
+			map[string]interface{}{
+				"dns_label": acctest.Representation{RepType: acctest.Required, Create: "dnslabel"},
+			}))
+	vcnConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_vcn", "test_vcn",
+		acctest.Required, acctest.Create, acctest.RepresentationCopyWithNewProperties(CoreVcnRepresentation,
+			map[string]interface{}{
+				"dns_label": acctest.Representation{RepType: acctest.Required, Create: "dnslabel"},
+			}))
+	AvailabilityDomainConfig := AvailabilityDomainConfig
+	imageConfig := utils.OciImageIdsVariable
+	instanceCreateConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_instance", instanceName,
+		acctest.Required, acctest.Create, CoreInstanceRepresentation)
+
+	securityAttributesInstanceConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_instance",
+		instanceName, acctest.Required, acctest.Create,
+		acctest.RepresentationCopyWithNewProperties(CoreInstanceRepresentation, map[string]interface{}{
+			"security_attributes": acctest.Representation{RepType: acctest.Required, Create: map[string]string{
+				"oracle-zpr.sensitivity.value": "low",
+				"oracle-zpr.sensitivity.mode":  "enforce",
+			}},
+		}))
+	changedSecurityAttributesConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_instance",
+		instanceName, acctest.Required, acctest.Create,
+		acctest.RepresentationCopyWithNewProperties(CoreInstanceRepresentation, map[string]interface{}{
+			"security_attributes": acctest.Representation{RepType: acctest.Required, Create: map[string]string{
+				"oracle-zpr.sensitivity.value": "medium",
+				"oracle-zpr.sensitivity.mode":  "enforce",
+			}},
+		}))
+	deletedSecurityAttributesConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_instance",
+		instanceName, acctest.Required, acctest.Create,
+		acctest.RepresentationCopyWithNewProperties(CoreInstanceRepresentation, map[string]interface{}{
+			"security_attributes": acctest.Representation{RepType: acctest.Required, Create: map[string]string{}},
+		}))
+	securityAttributesTimeoutConfig := acctest.GenerateResourceFromRepresentationMap("oci_core_instance",
+		instanceName, acctest.Required, acctest.Create,
+		acctest.RepresentationCopyWithNewProperties(CoreInstanceRepresentation, map[string]interface{}{
+			"security_attributes": acctest.Representation{RepType: acctest.Required, Create: map[string]string{
+				"oracle-zpr.sensitivity.value": "low",
+				"oracle-zpr.sensitivity.mode":  "enforce",
+			}},
+			"timeouts": acctest.RepresentationGroup{RepType: acctest.Required, Group: map[string]interface{}{
+				"update": acctest.Representation{RepType: acctest.Required, Create: "1s"},
+			}},
+		}))
+
+	config := acctest.LegacyTestProviderConfig() + AvailabilityDomainConfig + imageConfig + subnetConfig + vcnConfig
+
+	var instanceId string
+	resource.Test(t, resource.TestCase{
+		Providers: map[string]*schema.Provider{
+			"oci": acctest.TestAccProvider,
+		},
+		CheckDestroy: testAccCheckCoreInstanceDestroy,
+		Steps: []resource.TestStep{
+			{ // Create an instance
+				Config: config + instanceCreateConfig,
+				Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+					func(s *terraform.State) (err error) {
+						instanceId, err = acctest.FromInstanceState(s, instanceResourceKey, "id")
+						return err
+					},
+				),
+			},
+			{ // Verify add security_attributes
+				Config: config + securityAttributesInstanceConfig,
+				Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.%", "2"),
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.oracle-zpr.sensitivity.value", "low"),
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.oracle-zpr.sensitivity.mode", "enforce"),
+					func(ts *terraform.State) (err error) {
+						newId, err := acctest.FromInstanceState(ts, instanceResourceKey, "id")
+						if newId != instanceId {
+							return fmt.Errorf("expected same instance ocid, got different")
+						}
+						return err
+					},
+				),
+			},
+			{ // Verify change security_attributes
+				Config: config + changedSecurityAttributesConfig,
+				Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.%", "2"),
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.oracle-zpr.sensitivity.value", "medium"),
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.oracle-zpr.sensitivity.mode", "enforce"),
+					func(ts *terraform.State) (err error) {
+						newId, err := acctest.FromInstanceState(ts, instanceResourceKey, "id")
+						if newId != instanceId {
+							return fmt.Errorf("expected same instance ocid, got different")
+						}
+						return err
+					},
+				),
+			},
+			{ // Verify remove security_attributes
+				Config: config + deletedSecurityAttributesConfig,
+				Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+					resource.TestCheckResourceAttr(instanceResourceKey, "security_attributes.%", "0"),
+					func(ts *terraform.State) (err error) {
+						newId, err := acctest.FromInstanceState(ts, instanceResourceKey, "id")
+						if newId != instanceId {
+							return fmt.Errorf("expected same instance ocid, got different")
+						}
+						return err
+					},
+				),
+			},
+			{ // Verify update timeout
+				Config: config + securityAttributesTimeoutConfig,
+				Check: func(ts *terraform.State) (err error) {
+					newId, err := acctest.FromInstanceState(ts, instanceResourceKey, "id")
+					if newId != instanceId {
+						return fmt.Errorf("expected same instance ocid, got different")
+					}
+					return err
+				},
+				ExpectError: regexp.MustCompile("Timed out waiting for configuration to reach specified condition"),
+			},
+		},
+	})
+}
+
 // issue-routing-tag: core/computeSharedOwnershipVmAndBm
 func TestAccResourceCoreInstance_nvmeVMShape(t *testing.T) {
 	httpreplay.SetScenario("TestAccResourceCoreInstance_nvmeVMShape")

internal/integrationtest/core_instance_test.go

@@ -338,7 +338,7 @@ var (
 		"type": acctest.Representation{RepType: acctest.Required, Create: `bootVolume`},
 	}
 	CoreInstanceSourceDetailsRepresentation = map[string]interface{}{
-		"source_id":                            acctest.Representation{RepType: acctest.Required, Create: `${var.InstanceImageOCID[var.region]`},
+		"source_id":                            acctest.Representation{RepType: acctest.Required, Create: `${var.InstanceImageOCID[var.region]}`},
 		"source_type":                          acctest.Representation{RepType: acctest.Required, Create: `image`, Update: `image`},
 		"boot_volume_size_in_gbs":              acctest.Representation{RepType: acctest.Optional, Create: `60`, Update: `70`},
 		"boot_volume_vpus_per_gb":              acctest.Representation{RepType: acctest.Optional, Create: `10`},

internal/service/core/core_instance_resource.go

@@ -1620,12 +1620,36 @@ func (s *CoreInstanceResourceCrud) Update() error {
 		return err
 	}
 
+	s.Res = &response.Instance
+
 	if securityAttributes, ok := s.D.GetOkExists("security_attributes"); ok {
-		request.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+		if s.D.HasChange("security_attributes") {
+			securityAttributesRequest := oci_core.UpdateInstanceRequest{}
+			tmp := s.D.Id()
+			securityAttributesRequest.InstanceId = &tmp
+			securityAttributesRequest.SecurityAttributes = tfresource.MapToSecurityAttributes(securityAttributes.(map[string]interface{}))
+			securityAttributesResponse, err := s.Client.UpdateInstance(context.Background(), securityAttributesRequest)
+			securityAttributeErrorMsgTemplate := `[ERROR] Failed to update Security Attributes: %q (Instance ID: "%v"`
+			if err != nil {
+				log.Printf(securityAttributeErrorMsgTemplate+`, desired Security Attributes: %q)`, err, s.Res.Id, securityAttributes)
+				return err
+			}
+			s.Res = &securityAttributesResponse.Instance
+			areSecurityAttributesStable := func() bool {
+				return s.Res != nil &&
+					s.Res.SecurityAttributesState == oci_core.InstanceSecurityAttributesStateStable
+			}
+			if !areSecurityAttributesStable() {
+				log.Printf(`[DEBUG] Waiting for securityAttributesState to become [%s]`, oci_core.InstanceSecurityAttributesStateStable)
+				err := tfresource.WaitForResourceCondition(s, areSecurityAttributesStable, s.D.Timeout(schema.TimeoutUpdate))
+				if err != nil {
+					log.Printf(securityAttributeErrorMsgTemplate+`, timed out waiting for Security Attributes to update)`, err, s.Res.Id)
+					return err
+				}
+			}
+		}
 	}
 
-	s.Res = &response.Instance
-
 	// Check for changes in the create_vnic_details sub resource and separately Update the vnic
 	_, ok := s.D.GetOkExists("create_vnic_details")
 	if !s.D.HasChange("create_vnic_details") || !ok {