Merge pull request #113 from AthenZ/resource_state

Extend athenz_role_meta/athenz_group_meta functinality with optional bits to create and delete the resource
AthenZ · May 16, 2024 · e8408ad · e8408ad
2 parents 605bf39 + 9ebca16
commit e8408ad
Show file tree

Hide file tree

Showing 11 changed files with 427 additions and 108 deletions.
diff --git a/athenz/provider.go b/athenz/provider.go
@@ -51,6 +51,18 @@ func Provider() *schema.Provider {
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("ATHENZ_RESOURCE_OWNER", "TF"),
 			},
+			"role_meta_resource_state": {
+				Type:        schema.TypeInt,
+				Description: fmt.Sprintf("Default state for athenz_role_meta resources"),
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ATHENZ_ROLE_META_RESOURCE_STATE", client.StateCreateIfNecessary),
+			},
+			"group_meta_resource_state": {
+				Type:        schema.TypeInt,
+				Description: fmt.Sprintf("Default state for athenz_group_meta resources"),
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ATHENZ_GROUP_META_RESOURCE_STATE", client.StateCreateIfNecessary),
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -86,10 +98,12 @@ func Provider() *schema.Provider {
 
 func configProvider(ctx context.Context, d *schema.ResourceData) (interface{}, diag.Diagnostics) {
 	zms := client.ZmsConfig{
-		Url:    d.Get("zms_url").(string),
-		Cert:   d.Get("cert").(string),
-		Key:    d.Get("key").(string),
-		CaCert: d.Get("cacert").(string),
+		Url:                    d.Get("zms_url").(string),
+		Cert:                   d.Get("cert").(string),
+		Key:                    d.Get("key").(string),
+		CaCert:                 d.Get("cacert").(string),
+		RoleMetaResourceState:  d.Get("role_meta_resource_state").(int),
+		GroupMetaResourceState: d.Get("group_meta_resource_state").(int),
 	}
 	// if resource ownership is not disabled, then load the resource owner
 	if !d.Get("disable_resource_ownership").(bool) {

diff --git a/athenz/resource_group_meta.go b/athenz/resource_group_meta.go
@@ -106,6 +106,11 @@ func ResourceGroupMeta() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"resource_state": {
+				Type:     schema.TypeInt,
+				Optional: true,
+				Default:  -1,
+			},
 		},
 	}
 }
@@ -137,9 +142,12 @@ func resourceGroupMetaCreate(ctx context.Context, d *schema.ResourceData, meta i
 	gn := d.Get("name").(string)
 
 	// if the group doesn't exist, we need to create it first
-	err := createNewGroupIfNecessary(zmsClient, dn, gn)
-	if err != nil {
-		return diag.FromErr(err)
+	// but only if the object_state is set to create if necessary
+	if zmsClient.GetGroupMetaResourceState(d.Get("resource_state").(int), client.StateCreateIfNecessary) {
+		err := createNewGroupIfNecessary(zmsClient, dn, gn)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
 	// update our group meta data
@@ -297,30 +305,34 @@ func resourceGroupMetaDelete(_ context.Context, d *schema.ResourceData, meta int
 		return diag.FromErr(err)
 	}
 	auditRef := d.Get("audit_ref").(string)
-	var zero int32
-	zero = 0
-	disabled := false
-	groupMeta := zms.GroupMeta{
-		SelfServe:               &disabled,
-		MemberExpiryDays:        &zero,
-		ServiceExpiryDays:       &zero,
-		ReviewEnabled:           &disabled,
-		NotifyRoles:             "",
-		UserAuthorityFilter:     "",
-		UserAuthorityExpiration: "",
-		Tags:                    make(map[zms.TagKey]*zms.TagValueList),
-		DeleteProtection:        &disabled,
-		SelfRenew:               &disabled,
-		SelfRenewMins:           &zero,
-		MaxMembers:              &zero,
-		AuditEnabled:            &disabled,
-	}
-	if v, ok := d.GetOk("tags"); ok {
-		for key := range v.(map[string]interface{}) {
-			groupMeta.Tags[zms.TagKey(key)] = &zms.TagValueList{List: []zms.TagCompoundValue{}}
+	if zmsClient.GetGroupMetaResourceState(d.Get("resource_state").(int), client.StateAlwaysDelete) {
+		err = zmsClient.DeleteGroup(dn, gn, auditRef)
+	} else {
+		var zero int32
+		zero = 0
+		disabled := false
+		groupMeta := zms.GroupMeta{
+			SelfServe:               &disabled,
+			MemberExpiryDays:        &zero,
+			ServiceExpiryDays:       &zero,
+			ReviewEnabled:           &disabled,
+			NotifyRoles:             "",
+			UserAuthorityFilter:     "",
+			UserAuthorityExpiration: "",
+			Tags:                    make(map[zms.TagKey]*zms.TagValueList),
+			DeleteProtection:        &disabled,
+			SelfRenew:               &disabled,
+			SelfRenewMins:           &zero,
+			MaxMembers:              &zero,
+			AuditEnabled:            &disabled,
 		}
+		if v, ok := d.GetOk("tags"); ok {
+			for key := range v.(map[string]interface{}) {
+				groupMeta.Tags[zms.TagKey(key)] = &zms.TagValueList{List: []zms.TagCompoundValue{}}
+			}
+		}
+		err = zmsClient.PutGroupMeta(dn, gn, auditRef, &groupMeta)
 	}
-	err = zmsClient.PutGroupMeta(dn, gn, auditRef, &groupMeta)
 	if err != nil {
 		return diag.FromErr(err)
 	}

diff --git a/athenz/resource_group_meta_test.go b/athenz/resource_group_meta_test.go
@@ -1,8 +1,10 @@
 package athenz
 
 import (
+	"errors"
 	"fmt"
 	"github.com/AthenZ/athenz/clients/go/zms"
+	"github.com/ardielle/ardielle-go/rdl"
 	"log"
 	"os"
 	"testing"
@@ -152,3 +154,97 @@ resource "athenz_group_meta" "test_group_meta" {
 }
 `, domainName, groupName)
 }
+
+func TestAccGroupMetaResourceStateDelete(t *testing.T) {
+	if v := os.Getenv("TF_ACC"); v != "1" && v != "true" {
+		log.Print("TF_ACC must be set for acceptance tests")
+		return
+	}
+	if v := os.Getenv("DOMAIN"); v == "" {
+		t.Fatal("DOMAIN must be set for acceptance tests")
+	}
+	domainName := os.Getenv("DOMAIN")
+	groupName := "test-group-meta-delete"
+	resourceName := "athenz_group_meta.test_group_meta_delete"
+	t.Cleanup(func() {
+		cleanAccTestGroupMeta(domainName, groupName)
+	})
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: testAccProviders,
+		CheckDestroy:      testAccCheckGroupMetaResourceStateDeleteDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGroupMetaConfigResourceStateDelete(domainName, groupName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGroupMetaExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "domain", domainName),
+					resource.TestCheckResourceAttr(resourceName, "user_expiry_days", "30"),
+					resource.TestCheckResourceAttr(resourceName, "service_expiry_days", "70"),
+					resource.TestCheckResourceAttr(resourceName, "max_members", "90"),
+					resource.TestCheckResourceAttr(resourceName, "self_serve", "true"),
+					resource.TestCheckResourceAttr(resourceName, "self_renew", "true"),
+					resource.TestCheckResourceAttr(resourceName, "self_renew_mins", "100"),
+					resource.TestCheckResourceAttr(resourceName, "delete_protection", "true"),
+					resource.TestCheckResourceAttr(resourceName, "review_enabled", "true"),
+					resource.TestCheckResourceAttr(resourceName, "notify_roles", "admin,security"),
+					resource.TestCheckResourceAttr(resourceName, "tags.zms.DisableExpirationNotifications", "4"),
+					resource.TestCheckResourceAttr(resourceName, "audit_ref", "test audit ref"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckGroupMetaResourceStateDeleteDestroy(s *terraform.State) error {
+	zmsClient := testAccProvider.Meta().(client.ZmsClient)
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "athenz_group_meta" {
+			continue
+		}
+		dn, gn, err := splitGroupId(rs.Primary.ID)
+		if err != nil {
+			return err
+		}
+		// make sure our group is deleted and 404 is returned
+		_, err = zmsClient.GetGroup(dn, gn)
+		if err == nil {
+			_ = zmsClient.DeleteGroup(dn, gn, AUDIT_REF)
+			return fmt.Errorf("athenz group still exists")
+		}
+		var v rdl.ResourceError
+		switch {
+		case errors.As(err, &v):
+			if v.Code == 404 {
+				return nil
+			}
+		}
+		return fmt.Errorf("unexpected error: %v", err)
+	}
+
+	return nil
+}
+
+func testAccGroupMetaConfigResourceStateDelete(domainName, groupName string) string {
+	return fmt.Sprintf(`
+resource "athenz_group_meta" "test_group_meta_delete" {
+  domain = "%s"
+  name = "%s"
+  user_expiry_days = 30
+  service_expiry_days = 70
+  max_members = 90
+  self_serve = true
+  self_renew = true
+  self_renew_mins = 100
+  delete_protection = true
+  review_enabled = true
+  notify_roles = "admin,security"
+  tags = {
+    "zms.DisableExpirationNotifications" = "4"
+  }
+  resource_state = 3
+  audit_ref = "test audit ref"
+}
+`, domainName, groupName)
+}
diff --git a/athenz/resource_role_meta.go b/athenz/resource_role_meta.go
@@ -144,6 +144,11 @@ func ResourceRoleMeta() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"resource_state": {
+				Type:     schema.TypeInt,
+				Optional: true,
+				Default:  -1,
+			},
 		},
 	}
 }
@@ -175,9 +180,12 @@ func resourceRoleMetaCreate(ctx context.Context, d *schema.ResourceData, meta in
 	rn := d.Get("name").(string)
 
 	// if the role doesn't exist, we need to create it first
-	err := createNewRoleIfNecessary(zmsClient, dn, rn)
-	if err != nil {
-		return diag.FromErr(err)
+	// but only if the object_state is set to create if necessary
+	if zmsClient.GetRoleMetaResourceState(d.Get("resource_state").(int), client.StateCreateIfNecessary) {
+		err := createNewRoleIfNecessary(zmsClient, dn, rn)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
 	// update our role meta data
@@ -405,38 +413,42 @@ func resourceRoleMetaDelete(_ context.Context, d *schema.ResourceData, meta inte
 		return diag.FromErr(err)
 	}
 	auditRef := d.Get("audit_ref").(string)
-	var zero int32
-	zero = 0
-	disabled := false
-	roleMeta := zms.RoleMeta{
-		SelfServe:               &disabled,
-		MemberExpiryDays:        &zero,
-		TokenExpiryMins:         &zero,
-		CertExpiryMins:          &zero,
-		SignAlgorithm:           "",
-		ServiceExpiryDays:       &zero,
-		MemberReviewDays:        &zero,
-		ServiceReviewDays:       &zero,
-		ReviewEnabled:           &disabled,
-		NotifyRoles:             "",
-		UserAuthorityFilter:     "",
-		UserAuthorityExpiration: "",
-		GroupExpiryDays:         &zero,
-		GroupReviewDays:         &zero,
-		Tags:                    make(map[zms.TagKey]*zms.TagValueList),
-		Description:             "",
-		DeleteProtection:        &disabled,
-		SelfRenew:               &disabled,
-		SelfRenewMins:           &zero,
-		MaxMembers:              &zero,
-		AuditEnabled:            &disabled,
-	}
-	if v, ok := d.GetOk("tags"); ok {
-		for key := range v.(map[string]interface{}) {
-			roleMeta.Tags[zms.TagKey(key)] = &zms.TagValueList{List: []zms.TagCompoundValue{}}
+	if zmsClient.GetRoleMetaResourceState(d.Get("resource_state").(int), client.StateAlwaysDelete) {
+		err = zmsClient.DeleteRole(dn, rn, auditRef)
+	} else {
+		var zero int32
+		zero = 0
+		disabled := false
+		roleMeta := zms.RoleMeta{
+			SelfServe:               &disabled,
+			MemberExpiryDays:        &zero,
+			TokenExpiryMins:         &zero,
+			CertExpiryMins:          &zero,
+			SignAlgorithm:           "",
+			ServiceExpiryDays:       &zero,
+			MemberReviewDays:        &zero,
+			ServiceReviewDays:       &zero,
+			ReviewEnabled:           &disabled,
+			NotifyRoles:             "",
+			UserAuthorityFilter:     "",
+			UserAuthorityExpiration: "",
+			GroupExpiryDays:         &zero,
+			GroupReviewDays:         &zero,
+			Tags:                    make(map[zms.TagKey]*zms.TagValueList),
+			Description:             "",
+			DeleteProtection:        &disabled,
+			SelfRenew:               &disabled,
+			SelfRenewMins:           &zero,
+			MaxMembers:              &zero,
+			AuditEnabled:            &disabled,
 		}
+		if v, ok := d.GetOk("tags"); ok {
+			for key := range v.(map[string]interface{}) {
+				roleMeta.Tags[zms.TagKey(key)] = &zms.TagValueList{List: []zms.TagCompoundValue{}}
+			}
+		}
+		err = zmsClient.PutRoleMeta(dn, rn, auditRef, &roleMeta)
 	}
-	err = zmsClient.PutRoleMeta(dn, rn, auditRef, &roleMeta)
 	if err != nil {
 		return diag.FromErr(err)
 	}