fix(iam): support setting multiple users and groups with appropriate endpoint

* use SetGroupMembers

* implement terraform update

* use expo retry with SetGroupMembers as the API sometimes needs a bit of time to converge

Author: Gnoale

internal/services/iam/group_membership.go

@@ -3,74 +3,85 @@ package iam
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	iam "github.com/scaleway/scaleway-sdk-go/api/iam/v1alpha1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/transport"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
 )
 
+type EntityKind string
+
+const (
+	EntityKindUser        EntityKind = "user"
+	EntityKindApplication EntityKind = "application"
+)
+
 func ResourceGroupMembership() *schema.Resource {
 	return &schema.Resource{
 		CreateContext: resourceIamGroupMembershipCreate,
 		ReadContext:   resourceIamGroupMembershipRead,
+		UpdateContext: resourceIamGroupMembershipUpdate,
 		DeleteContext: resourceIamGroupMembershipDelete,
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
 		SchemaVersion: 0,
 		Schema: map[string]*schema.Schema{
-			"user_id": {
-				Type:         schema.TypeString,
-				Optional:     true,
-				Description:  "The ID of the user",
-				ExactlyOneOf: []string{"application_id"},
-				ForceNew:     true,
-			},
-			"application_id": {
-				Type:         schema.TypeString,
-				Optional:     true,
-				Description:  "The ID of the user",
-				ExactlyOneOf: []string{"user_id"},
-				ForceNew:     true,
-			},
 			"group_id": {
 				Type:        schema.TypeString,
 				Required:    true,
-				Description: "The ID of the group to add the user to",
+				Description: "The ID of the group to add the users or applications to",
 				ForceNew:    true,
 			},
+			"user_ids": {
+				Type:         schema.TypeList,
+				Elem:         &schema.Schema{Type: schema.TypeString},
+				Optional:     true,
+				Description:  "The IDs of the users to add to the group",
+				AtLeastOneOf: []string{"application_ids"},
+			},
+			"application_ids": {
+				Type:         schema.TypeList,
+				Elem:         &schema.Schema{Type: schema.TypeString},
+				Optional:     true,
+				Description:  "The IDs of the applications to add to the group",
+				AtLeastOneOf: []string{"user_ids"},
+			},
 		},
 	}
 }
 
 func resourceIamGroupMembershipCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	api := NewAPI(m)
 
-	userID := types.ExpandStringPtr(d.Get("user_id"))
-	applicationID := types.ExpandStringPtr(d.Get("application_id"))
+	userIDs := types.ExpandStrings(d.Get("user_ids"))
+	applicationIDs := types.ExpandStrings(d.Get("application_ids"))
 
-	group, err := api.AddGroupMember(&iam.AddGroupMemberRequest{
-		GroupID:       d.Get("group_id").(string),
-		UserID:        userID,
-		ApplicationID: applicationID,
-	}, scw.WithContext(ctx))
+	group, err := MakeSetGroupMembershipRequest(ctx, api, &iam.SetGroupMembersRequest{
+		GroupID:        d.Get("group_id").(string),
+		UserIDs:        userIDs,
+		ApplicationIDs: applicationIDs,
+	})
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	d.SetId(GroupMembershipID(group.ID, userID, applicationID))
+	d.SetId(SetGroupMembershipResourceID(group.ID, userIDs, applicationIDs))
 
 	return resourceIamGroupMembershipRead(ctx, d, m)
 }
 
 func resourceIamGroupMembershipRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	api := NewAPI(m)
 
-	groupID, userID, applicationID, err := ExpandGroupMembershipID(d.Id())
+	groupID, entityIDs, err := ExpandGroupMembershipResourceID(d.Id())
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -88,58 +99,76 @@ func resourceIamGroupMembershipRead(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
-	foundInGroup := false
-
-	if userID != "" {
-		for _, groupUserID := range group.UserIDs {
-			if groupUserID == userID {
-				foundInGroup = true
-
-				break
-			}
-		}
-	} else if applicationID != "" {
-		for _, groupApplicationID := range group.ApplicationIDs {
-			if groupApplicationID == applicationID {
-				foundInGroup = true
+	foundUserIDs := make([]bool, len(entityIDs[EntityKindUser]))
+	foundApplicationIDs := make([]bool, len(entityIDs[EntityKindApplication]))
 
-				break
-			}
+	for i, userID := range entityIDs[EntityKindUser] {
+		if slices.Contains(group.UserIDs, userID) {
+			foundUserIDs[i] = true
+		} else {
+			return diag.FromErr(fmt.Errorf("user %s not found in group %s", userID, groupID))
 		}
 	}
 
-	if !foundInGroup {
-		d.SetId("")
-
-		return nil
+	for i, applicationID := range entityIDs[EntityKindApplication] {
+		if slices.Contains(group.ApplicationIDs, applicationID) {
+			foundApplicationIDs[i] = true
+		} else {
+			return diag.FromErr(fmt.Errorf("application %s not found in group %s", applicationID, groupID))
+		}
 	}
 
 	_ = d.Set("group_id", groupID)
-	_ = d.Set("user_id", userID)
-	_ = d.Set("application_id", applicationID)
+	_ = d.Set("user_ids", entityIDs[EntityKindUser])
+	_ = d.Set("application_ids", entityIDs[EntityKindApplication])
 
 	return nil
 }
 
-func resourceIamGroupMembershipDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+func resourceIamGroupMembershipUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	api := NewAPI(m)
 
-	groupID, userID, applicationID, err := ExpandGroupMembershipID(d.Id())
+	groupID, _, err := ExpandGroupMembershipResourceID(d.Id())
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	req := &iam.RemoveGroupMemberRequest{
-		GroupID: groupID,
+	userIDs := types.ExpandStrings(d.Get("user_ids"))
+	applicationIDs := types.ExpandStrings(d.Get("application_ids"))
+
+	request := &iam.SetGroupMembersRequest{
+		GroupID:        groupID,
+		UserIDs:        userIDs,
+		ApplicationIDs: applicationIDs,
 	}
 
-	if userID != "" {
-		req.UserID = &userID
-	} else if applicationID != "" {
-		req.ApplicationID = &applicationID
+	if d.HasChanges("user_ids", "application_ids") {
+		group, err := MakeSetGroupMembershipRequest(ctx, api, request)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+
+		if group.ID != groupID {
+			return diag.FromErr(fmt.Errorf("group id changed from %s to %s", groupID, group.ID))
+		}
+
+		d.SetId(SetGroupMembershipResourceID(groupID, userIDs, applicationIDs))
 	}
 
-	_, err = api.RemoveGroupMember(req, scw.WithContext(ctx))
+	return resourceIamGroupMembershipRead(ctx, d, m)
+}
+
+func resourceIamGroupMembershipDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	api := NewAPI(m)
+
+	groupID, _, err := ExpandGroupMembershipResourceID(d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	_, err = MakeSetGroupMembershipRequest(ctx, api, &iam.SetGroupMembersRequest{
+		GroupID: groupID,
+	})
 	if err != nil {
 		if httperrors.Is404(err) {
 			d.SetId("")
@@ -153,28 +182,77 @@ func resourceIamGroupMembershipDelete(ctx context.Context, d *schema.ResourceDat
 	return nil
 }
 
-func GroupMembershipID(groupID string, userID *string, applicationID *string) string {
-	if userID != nil {
-		return fmt.Sprintf("%s/user/%s", groupID, *userID)
+// Depending on the kind of entity, it will generate a parsable state like:
+// groupID/user:userID,application:applicationID
+func SetGroupMembershipResourceID(groupID string, userIDs []string, applicationIDs []string) (resourceID string) {
+	entityIDs := make([]string, 0)
+
+	for _, userID := range userIDs {
+		entityIDs = append(entityIDs, fmt.Sprintf("%s:%s", EntityKindUser, userID))
 	}
 
-	return fmt.Sprintf("%s/app/%s", groupID, *applicationID)
+	for _, applicationID := range applicationIDs {
+		entityIDs = append(entityIDs, fmt.Sprintf("%s:%s", EntityKindApplication, applicationID))
+	}
+
+	resourceID = fmt.Sprintf("%s/%s", groupID, strings.Join(entityIDs, ","))
+
+	return
 }
 
-func ExpandGroupMembershipID(id string) (groupID string, userID string, applicationID string, err error) {
+func ExpandGroupMembershipResourceID(id string) (groupID string, entityIDs map[EntityKind][]string, err error) {
 	elems := strings.Split(id, "/")
-	if len(elems) != 3 {
-		return "", "", "", fmt.Errorf("invalid group member id format, expected {groupID}/{type}/{memberID}, got: %s", id)
+	if len(elems) != 2 {
+		return "", nil, fmt.Errorf("invalid group membership id format, expected {groupID}/{entityKind}:{entityIDs}, got: %s", id)
 	}
 
 	groupID = elems[0]
 
-	switch elems[1] {
-	case "user":
-		userID = elems[2]
-	case "app":
-		applicationID = elems[2]
+	// entityKind:entityID,entityKind:entityID
+	entityKindAndIDs := strings.Split(elems[1], ",")
+	entityIDs = make(map[EntityKind][]string)
+
+	for _, entityKindAndID := range entityKindAndIDs {
+		splitted := strings.Split(entityKindAndID, ":")
+		if len(splitted) != 2 {
+			return "", nil, fmt.Errorf("invalid entity kind and id format, expected {entityKind}:{entityID}, got: %s", entityKindAndID)
+		}
+
+		entityKind, entityID := EntityKind(splitted[0]), splitted[1]
+		if entityKind != EntityKindUser && entityKind != EntityKindApplication {
+			return "", nil, fmt.Errorf("invalid entity kind, expected %s or %s, got: %s", EntityKindUser, EntityKindApplication, entityKind)
+		}
+
+		entityIDs[entityKind] = append(entityIDs[entityKind], entityID)
 	}
 
 	return
 }
+
+func MakeSetGroupMembershipRequest(ctx context.Context, api *iam.API, request *iam.SetGroupMembersRequest) (*iam.Group, error) {
+	retryInterval := 250 * time.Millisecond
+	maxRetries := 10
+
+	if transport.DefaultWaitRetryInterval != nil {
+		retryInterval = *transport.DefaultWaitRetryInterval
+	}
+
+	// the IAM API often returns a 409 when the group is in a transient state
+	// so we retry with an exponential backoff
+	for i := range maxRetries {
+		response, err := api.SetGroupMembers(request, scw.WithContext(ctx))
+		if err != nil {
+			if httperrors.Is409(err) && strings.Contains(err.Error(), fmt.Sprintf("resource group with ID %s is in a transient state: updating", request.GroupID)) {
+				time.Sleep(retryInterval * time.Duration(i)) // lintignore: R018
+
+				continue
+			}
+
+			return nil, err
+		}
+
+		return response, nil
+	}
+
+	return nil, fmt.Errorf("failed to set group membership after %d retries", maxRetries)
+}