Forbid importing of system roles

System roles can't be modified or deleted.
It doesn't make sense to make such roles importable.
Data about system roles can be retrieved through
vsphere_role data source.

Signed-off-by: Yoana Stoyanova <stoyanovay@vmware.com>

vsphere/data_source_vsphere_role_test.go

@@ -7,6 +7,10 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
 
+const NoAccessRoleDescription = "No access"
+const NoAccessRoleName = "NoAccess"
+const NoAccessRoleId = "-5"
+
 func TestAccDataSourceVSphereRole_basic(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -47,6 +51,24 @@ func TestAccDataSourceVSphereRole_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceVSphereRole_systemRoleData(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceVSphereRoleSystemRoleConfig(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.vsphere_role.role1", "name", NoAccessRoleName),
+					resource.TestCheckResourceAttr("data.vsphere_role.role1", "id", NoAccessRoleId),
+					resource.TestCheckResourceAttr("data.vsphere_role.role1", "role_privileges.#", "0")),
+			},
+		},
+	})
+}
+
 func testAccDataSourceVSphereRoleConfig() string {
 	return fmt.Sprintf(`
 resource "vsphere_role" test-role {
@@ -64,3 +86,13 @@ data "vsphere_role" "role1" {
 		Privilege4,
 	)
 }
+
+func testAccDataSourceVSphereRoleSystemRoleConfig() string {
+	return fmt.Sprintf(`
+data "vsphere_role" "role1" {
+  label = "%s"
+}
+`,
+		NoAccessRoleDescription,
+	)
+}

vsphere/resource_vsphere_role.go

@@ -43,7 +43,7 @@ func resourceVsphereRole() *schema.Resource {
 		Delete: resourceRoleDelete,
 		Schema: sch,
 		Importer: &schema.ResourceImporter{
-			StateContext: schema.ImportStatePassthroughContext,
+			State: resourceRoleImport,
 		},
 	}
 }
@@ -67,6 +67,19 @@ func resourceRoleCreate(d *schema.ResourceData, meta interface{}) error {
 }
 
 func resourceRoleRead(d *schema.ResourceData, meta interface{}) error {
+	return roleById(d, false, meta)
+}
+
+func resourceRoleImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	err := roleById(d, true, meta)
+	if err != nil {
+		return nil, err
+	}
+
+	return []*schema.ResourceData{d}, nil
+}
+
+func roleById(d *schema.ResourceData, excludeSystem bool, meta interface{}) error {
 	log.Printf("[DEBUG] Reading vm role with id %s", d.Id())
 	client := meta.(*Client).vimClient
 	authorizationManager := object.NewAuthorizationManager(client.Client)
@@ -81,6 +94,10 @@ func resourceRoleRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error while reading the role list %s", err)
 	}
 	role := roleList.ById(roleID)
+	if role != nil && excludeSystem && role.System {
+		return fmt.Errorf("error specified role with id %s is a system role. System roles are not supported for this operation", d.Id())
+	}
+
 	if role == nil {
 		log.Printf(" [DEBUG] Role %s doesn't exist", d.Get("name"))
 		d.SetId("")

vsphere/resource_vsphere_role_test.go

@@ -3,6 +3,7 @@ package vsphere
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -44,7 +45,7 @@ func TestAccResourceVsphereRole_createRole(t *testing.T) {
 	})
 }
 
-func TestAccResourceVsphereRole_addPrivilege(t *testing.T) {
+func TestAccResourceVsphereRole_addPrivileges(t *testing.T) {
 	roleName := "terraform_role" + acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -77,7 +78,7 @@ func TestAccResourceVsphereRole_addPrivilege(t *testing.T) {
 	})
 }
 
-func TestAccResourceVsphereRole_removePrivilege(t *testing.T) {
+func TestAccResourceVsphereRole_removePrivileges(t *testing.T) {
 	roleName := "terraform_role" + acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
@@ -110,6 +111,25 @@ func TestAccResourceVsphereRole_removePrivilege(t *testing.T) {
 	})
 }
 
+func TestAccResourceVsphereRole_importSystemRoleShouldError(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config:            testAccResourceVsphereRoleConfigSystemRole(),
+				ResourceName:      "vsphere_role." + RoleResource,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateId:     NoAccessRoleId,
+				ExpectError:       regexp.MustCompile(fmt.Sprintf("error system role id %s specified. System roles are not supported", NoAccessRoleId)),
+			},
+		},
+	})
+}
+
 func testAccResourceVsphereRoleCheckExists(expected bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		_, err := testGetVsphereRole(s, RoleResource)
@@ -154,3 +174,12 @@ func testAccResourceVsphereRoleConfigAdditionalPrivileges(roleName string) strin
 		Privilege4,
 	)
 }
+
+func testAccResourceVsphereRoleConfigSystemRole() string {
+	return fmt.Sprintf(`
+  resource "vsphere_role" "%s" {
+  name = "NoAccess"
+  role_privileges = []
+}
+`, RoleResource)
+}

website/docs/r/vsphere_role.html.markdown

@@ -38,3 +38,15 @@ The following arguments are supported:
 * `name` - (Required) The name of the role.
 * `role_privileges` - (Optional) The privileges to be associated with this role.
 
+## Importing
+
+An existing role can be imported into this resource via supplying the role id. An example is below:
+
+```hcl
+terraform import vsphere_role.role1 -709298051
+```
+~> **NOTE:** System roles can't be imported because they can't be modified or deleted.
+Use [`vsphere_role` data source][ref-vsphere-role-data-source]
+to read information about system roles.
+
+[ref-vsphere-role-data-source]: /docs/providers/vsphere/d/vsphere_role.html