feat: add support for import of r/vsphere_role (#1822)

Add support for role importing
hashicorp · Feb 8, 2023 · 2242659 · 2242659
1 parent 64d740e
commit 2242659
Show file tree

Hide file tree

Showing 4 changed files with 176 additions and 1 deletion.
diff --git a/vsphere/data_source_vsphere_role_test.go b/vsphere/data_source_vsphere_role_test.go
@@ -7,6 +7,10 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
 
+const NoAccessRoleDescription = "No access"
+const NoAccessRoleName = "NoAccess"
+const NoAccessRoleId = "-5"
+
 func TestAccDataSourceVSphereRole_basic(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -47,6 +51,24 @@ func TestAccDataSourceVSphereRole_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceVSphereRole_systemRoleData(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceVSphereRoleSystemRoleConfig(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.vsphere_role.role1", "name", NoAccessRoleName),
+					resource.TestCheckResourceAttr("data.vsphere_role.role1", "id", NoAccessRoleId),
+					resource.TestCheckResourceAttr("data.vsphere_role.role1", "role_privileges.#", "0")),
+			},
+		},
+	})
+}
+
 func testAccDataSourceVSphereRoleConfig() string {
 	return fmt.Sprintf(`
 resource "vsphere_role" test-role {
@@ -64,3 +86,13 @@ data "vsphere_role" "role1" {
 		Privilege4,
 	)
 }
+
+func testAccDataSourceVSphereRoleSystemRoleConfig() string {
+	return fmt.Sprintf(`
+data "vsphere_role" "role1" {
+  label = "%s"
+}
+`,
+		NoAccessRoleDescription,
+	)
+}
diff --git a/vsphere/resource_vsphere_role.go b/vsphere/resource_vsphere_role.go
@@ -42,6 +42,9 @@ func resourceVsphereRole() *schema.Resource {
 		Update: resourceRoleUpdate,
 		Delete: resourceRoleDelete,
 		Schema: sch,
+		Importer: &schema.ResourceImporter{
+			State: resourceRoleImport,
+		},
 	}
 }
 
@@ -64,6 +67,19 @@ func resourceRoleCreate(d *schema.ResourceData, meta interface{}) error {
 }
 
 func resourceRoleRead(d *schema.ResourceData, meta interface{}) error {
+	return roleById(d, false, meta)
+}
+
+func resourceRoleImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	err := roleById(d, true, meta)
+	if err != nil {
+		return nil, err
+	}
+
+	return []*schema.ResourceData{d}, nil
+}
+
+func roleById(d *schema.ResourceData, excludeSystem bool, meta interface{}) error {
 	log.Printf("[DEBUG] Reading vm role with id %s", d.Id())
 	client := meta.(*Client).vimClient
 	authorizationManager := object.NewAuthorizationManager(client.Client)
@@ -78,6 +94,10 @@ func resourceRoleRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error while reading the role list %s", err)
 	}
 	role := roleList.ById(roleID)
+	if role != nil && excludeSystem && role.System {
+		return fmt.Errorf("error specified role with id %s is a system role. System roles are not supported for this operation", d.Id())
+	}
+
 	if role == nil {
 		log.Printf(" [DEBUG] Role %s doesn't exist", d.Get("name"))
 		d.SetId("")

diff --git a/vsphere/resource_vsphere_role_test.go b/vsphere/resource_vsphere_role_test.go
@@ -3,6 +3,7 @@ package vsphere
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -17,7 +18,7 @@ const Privilege2 = "Alarm.Create"
 const Privilege3 = "Datacenter.Create"
 const Privilege4 = "Datacenter.Move"
 
-func TestAccResourceVsphereRole_basic(t *testing.T) {
+func TestAccResourceVsphereRole_createRole(t *testing.T) {
 	roleName := "terraform_role" + acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -28,6 +29,66 @@ func TestAccResourceVsphereRole_basic(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config: testAccResourceVsphereRoleConfigBasic(roleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccResourceVsphereRoleCheckExists(true),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "name", roleName),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.0", Privilege1),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.1", Privilege2),
+				),
+			},
+			{
+				ResourceName:      "vsphere_role." + RoleResource,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccResourceVsphereRole_addPrivileges(t *testing.T) {
+	roleName := "terraform_role" + acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccResourceVsphereRoleCheckExists(false),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceVsphereRoleConfigBasic(roleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccResourceVsphereRoleCheckExists(true),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "name", roleName),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.0", Privilege1),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.1", Privilege2),
+				),
+			},
+			{
+				Config: testAccResourceVsphereRoleConfigAdditionalPrivileges(roleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccResourceVsphereRoleCheckExists(true),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "name", roleName),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.0", Privilege1),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.1", Privilege2),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.2", Privilege3),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.3", Privilege4),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceVsphereRole_removePrivileges(t *testing.T) {
+	roleName := "terraform_role" + acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccResourceVsphereRoleCheckExists(false),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceVsphereRoleConfigAdditionalPrivileges(roleName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccResourceVsphereRoleCheckExists(true),
 					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "name", roleName),
@@ -37,6 +98,34 @@ func TestAccResourceVsphereRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.3", Privilege4),
 				),
 			},
+			{
+				Config: testAccResourceVsphereRoleConfigAdditionalPrivileges(roleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccResourceVsphereRoleCheckExists(true),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "name", roleName),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.0", Privilege1),
+					resource.TestCheckResourceAttr("vsphere_role."+RoleResource, "role_privileges.1", Privilege2),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceVsphereRole_importSystemRoleShouldError(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config:            testAccResourceVsphereRoleConfigSystemRole(),
+				ResourceName:      "vsphere_role." + RoleResource,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateId:     NoAccessRoleId,
+				ExpectError:       regexp.MustCompile(fmt.Sprintf("error specified role with id %s is a system role. System roles are not supported for this operation", NoAccessRoleId)),
+			},
 		},
 	})
 }
@@ -62,6 +151,19 @@ func testAccResourceVsphereRoleConfigBasic(roleName string) string {
 	return fmt.Sprintf(`
   resource "vsphere_role" "%s" {
   name = "%s"
+  role_privileges = ["%s", "%s"]
+}
+`, RoleResource,
+		roleName,
+		Privilege1,
+		Privilege2,
+	)
+}
+
+func testAccResourceVsphereRoleConfigAdditionalPrivileges(roleName string) string {
+	return fmt.Sprintf(`
+  resource "vsphere_role" "%s" {
+  name = "%s"
   role_privileges = ["%s", "%s","%s","%s"]
 }
 `, RoleResource,
@@ -72,3 +174,12 @@ func testAccResourceVsphereRoleConfigBasic(roleName string) string {
 		Privilege4,
 	)
 }
+
+func testAccResourceVsphereRoleConfigSystemRole() string {
+	return fmt.Sprintf(`
+  resource "vsphere_role" "%s" {
+  name = "NoAccess"
+  role_privileges = []
+}
+`, RoleResource)
+}
diff --git a/website/docs/r/vsphere_role.html.markdown b/website/docs/r/vsphere_role.html.markdown
@@ -38,3 +38,15 @@ The following arguments are supported:
 * `name` - (Required) The name of the role.
 * `role_privileges` - (Optional) The privileges to be associated with this role.
 
+## Importing
+
+An existing role can be imported into this resource by supplying the role id. An example is below:
+
+```hcl
+terraform import vsphere_role.role1 -709298051
+```
+~> **NOTE:** System roles can't be imported because they can't be modified or deleted.
+Use [`vsphere_role` data source][ref-vsphere-role-data-source]
+to read information about system roles.
+
+[ref-vsphere-role-data-source]: /docs/providers/vsphere/d/vsphere_role.html