add role grant resource (#232)

Author: whites11

examples/rbac/main.tf

@@ -79,10 +79,21 @@ resource "clickhouse_role" "writer" {
   name                 = "writer"
 }
 
-output "service_endpoints" {
-  value = clickhouse_service.service.endpoints
+resource "clickhouse_grant_role" "writer_to_john" {
+  service_id        = clickhouse_service.service.id
+  role_name         = clickhouse_role.writer.name
+  grantee_user_name = clickhouse_user.john.name
+  admin_option      = false
 }
 
-output "service_iam" {
-  value = clickhouse_service.service.iam_role
+resource "clickhouse_role" "manager" {
+  service_id           = clickhouse_service.service.id
+  name                 = "manager"
+}
+
+resource "clickhouse_grant_role" "writer_to_manager" {
+  service_id        = clickhouse_service.service.id
+  role_name         = clickhouse_role.writer.name
+  grantee_role_name = clickhouse_role.manager.name
+  admin_option      = false
 }

pkg/internal/api/client_mock.go

@@ -0,0 +1,127 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/huandu/go-sqlbuilder"
+
+	sqlutil "github.com/ClickHouse/terraform-provider-clickhouse/pkg/internal/sql"
+)
+
+type GrantRole struct {
+	RoleName        string  `json:"granted_role_name"`
+	GranteeUserName *string `json:"user_name"`
+	GranteeRoleName *string `json:"role_name"`
+	AdminOption     bool    `json:"with_admin_option"`
+}
+
+func (c *ClientImpl) GrantRole(ctx context.Context, serviceID string, grantRole GrantRole) (*GrantRole, error) {
+	format := "GRANT `$?` TO `$?`"
+	if grantRole.AdminOption {
+		format = fmt.Sprintf("%s WITH ADMIN OPTION", format)
+	}
+	args := []interface{}{
+		sqlbuilder.Raw(sqlutil.EscapeBacktick(grantRole.RoleName)),
+	}
+
+	if grantRole.GranteeUserName != nil {
+		args = append(args, sqlbuilder.Raw(sqlutil.EscapeBacktick(*grantRole.GranteeUserName)))
+	} else if grantRole.GranteeRoleName != nil {
+		args = append(args, sqlbuilder.Raw(sqlutil.EscapeBacktick(*grantRole.GranteeRoleName)))
+	} else {
+		return nil, fmt.Errorf("either GranteeUserName or GranteeRoleName must be set")
+	}
+
+	sb := sqlbuilder.Build(format, args...)
+
+	sql, args := sb.Build()
+
+	_, err := c.runQuery(ctx, serviceID, sql, args...)
+	if err != nil {
+		return nil, err
+	}
+
+	createdGrant, err := c.GetGrantRole(ctx, serviceID, grantRole.RoleName, grantRole.GranteeUserName, grantRole.GranteeRoleName)
+	if err != nil {
+		return nil, err
+	}
+
+	return createdGrant, nil
+}
+
+func (c *ClientImpl) GetGrantRole(ctx context.Context, serviceID string, grantedRoleName string, granteeUserName *string, granteeRoleName *string) (*GrantRole, error) {
+	var fieldName, fieldValue string
+	if granteeUserName != nil {
+		fieldName = "user_name"
+		fieldValue = *granteeUserName
+	} else if granteeRoleName != nil {
+		fieldName = "role_name"
+		fieldValue = *granteeRoleName
+	} else {
+		return nil, fmt.Errorf("either GranteeUserName or GranteeRoleName must be set")
+	}
+
+	format := fmt.Sprintf("SELECT granted_role_name,user_name,role_name,toBool(with_admin_option) as with_admin_option FROM system.role_grants WHERE granted_role_name = ${granted_role_name} and %s = ${field_value}", fieldName)
+	args := []interface{}{
+		sqlbuilder.Named("granted_role_name", grantedRoleName),
+		sqlbuilder.Named("field_value", fieldValue),
+	}
+
+	sb := sqlbuilder.Build(format, args...)
+
+	sql, args := sb.Build()
+
+	data, err := c.runQuery(ctx, serviceID, sql, args...)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) == 0 {
+		// Grant not found
+		return nil, nil
+	}
+
+	grant := GrantRole{}
+
+	err = json.Unmarshal(data, &grant)
+	if err != nil {
+		return nil, err
+	}
+
+	if grant.GranteeUserName != nil && *grant.GranteeUserName == "" {
+		grant.GranteeUserName = nil
+	}
+	if grant.GranteeRoleName != nil && *grant.GranteeRoleName == "" {
+		grant.GranteeRoleName = nil
+	}
+
+	return &grant, nil
+}
+
+func (c *ClientImpl) RevokeGrantRole(ctx context.Context, serviceID string, grantedRoleName string, granteeUserName *string, granteeRoleName *string) error {
+	format := "REVOKE `$?` FROM `$?`"
+	args := []interface{}{
+		sqlbuilder.Raw(sqlutil.EscapeBacktick(grantedRoleName)),
+	}
+
+	if granteeUserName != nil {
+		args = append(args, sqlbuilder.Raw(sqlutil.EscapeBacktick(*granteeUserName)))
+	} else if granteeRoleName != nil {
+		args = append(args, sqlbuilder.Raw(sqlutil.EscapeBacktick(*granteeRoleName)))
+	} else {
+		return fmt.Errorf("either GranteeUserName or GranteeRoleName must be set")
+	}
+
+	sb := sqlbuilder.Build(format, args...)
+
+	sql, args := sb.Build()
+
+	_, err := c.runQuery(ctx, serviceID, sql, args...)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/internal/api/db_grant_role.go

@@ -38,4 +38,8 @@ type Client interface {
 	CreateRole(ctx context.Context, serviceId string, role Role) (*Role, error)
 	GetRole(ctx context.Context, serviceID string, name string) (*Role, error)
 	DeleteRole(ctx context.Context, serviceID string, name string) error
+
+	GrantRole(ctx context.Context, serviceId string, grantRole GrantRole) (*GrantRole, error)
+	GetGrantRole(ctx context.Context, serviceID string, grantedRoleName string, granteeUserName *string, granteeRoleName *string) (*GrantRole, error)
+	RevokeGrantRole(ctx context.Context, serviceID string, grantedRoleName string, granteeUserName *string, granteeRoleName *string) error
 }

pkg/internal/api/interface.go

@@ -0,0 +1,6 @@
+You can use the `clickhouse_grant_role` resource to grant a `clickhouse_role` to either a `clickhouse_user` or to another `clickhouse_role`.
+
+Known limitations:
+
+- It's not possible to grant the same `clickhouse_role` to both a `clickhouse_user` and a `clickhouse_role` using a single `clickhouse_grant_role` stanza. You can do that using two different stanzas, one with `grantee_user_name` and the other with `grantee_role_name` fields set.
+- Importing `clickhouse_grant_role` resources into terraform is not supported.

pkg/resource/descriptions/grant_role.md

@@ -0,0 +1,198 @@
+//go:build alpha
+
+package resource
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	"github.com/ClickHouse/terraform-provider-clickhouse/pkg/internal/api"
+	"github.com/ClickHouse/terraform-provider-clickhouse/pkg/resource/models"
+)
+
+//go:embed descriptions/grant_role.md
+var grantResourceDescription string
+
+var (
+	_ resource.Resource              = &GrantRoleResource{}
+	_ resource.ResourceWithConfigure = &GrantRoleResource{}
+)
+
+func NewGrantRoleResource() resource.Resource {
+	return &GrantRoleResource{}
+}
+
+type GrantRoleResource struct {
+	client api.Client
+}
+
+func (r *GrantRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_grant_role"
+}
+
+func (r *GrantRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"service_id": schema.StringAttribute{
+				Description: "ClickHouse Service ID",
+				Required:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"role_name": schema.StringAttribute{
+				Required:    true,
+				Description: "Name of the role to be granted",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"grantee_user_name": schema.StringAttribute{
+				Optional:    true,
+				Description: "Name of the `user` to grant `role_name` to.",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.Expressions{path.MatchRoot("grantee_role_name")}...),
+					stringvalidator.AtLeastOneOf(path.Expressions{
+						path.MatchRoot("grantee_user_name"),
+						path.MatchRoot("grantee_role_name"),
+					}...),
+				},
+			},
+			"grantee_role_name": schema.StringAttribute{
+				Optional:    true,
+				Description: "Name of the `role` to grant `role_name` to.",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.Expressions{path.MatchRoot("grantee_user_name")}...),
+					stringvalidator.AtLeastOneOf(path.Expressions{
+						path.MatchRoot("grantee_user_name"),
+						path.MatchRoot("grantee_role_name"),
+					}...),
+				},
+			},
+			"admin_option": schema.BoolAttribute{
+				Optional:    true,
+				Computed:    true,
+				Description: "If true, the grantee will be able to grant `role_name` to other `users` or `roles`.",
+				PlanModifiers: []planmodifier.Bool{
+					boolplanmodifier.RequiresReplace(),
+				},
+			},
+		},
+		MarkdownDescription: grantResourceDescription,
+	}
+}
+
+func (r *GrantRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, _ *resource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+
+	r.client = req.ProviderData.(api.Client)
+}
+
+func (r *GrantRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan models.GrantRole
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	grant := api.GrantRole{
+		RoleName:        plan.RoleName.ValueString(),
+		GranteeUserName: plan.GranteeUserName.ValueStringPointer(),
+		GranteeRoleName: plan.GranteeRoleName.ValueStringPointer(),
+		AdminOption:     plan.AdminOption.ValueBool(),
+	}
+
+	createdGrant, err := r.client.GrantRole(ctx, plan.ServiceID.ValueString(), grant)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Creating ClickHouse Role Grant",
+			"Could not create role grant, unexpected error: "+err.Error(),
+		)
+		return
+	}
+
+	state := models.GrantRole{
+		ServiceID:       plan.ServiceID,
+		RoleName:        types.StringValue(createdGrant.RoleName),
+		GranteeUserName: types.StringPointerValue(createdGrant.GranteeUserName),
+		GranteeRoleName: types.StringPointerValue(createdGrant.GranteeRoleName),
+		AdminOption:     types.BoolValue(createdGrant.AdminOption),
+	}
+
+	diags = resp.State.Set(ctx, state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+func (r *GrantRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var state models.GrantRole
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	grant, err := r.client.GetGrantRole(ctx, state.ServiceID.ValueString(), state.RoleName.ValueString(), state.GranteeUserName.ValueStringPointer(), state.GranteeRoleName.ValueStringPointer())
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Reading ClickHouse Role Grant",
+			"Could not read role grant, unexpected error: "+err.Error(),
+		)
+		return
+	}
+
+	if grant != nil {
+		state.RoleName = types.StringValue(grant.RoleName)
+		state.GranteeUserName = types.StringPointerValue(grant.GranteeUserName)
+		state.GranteeRoleName = types.StringPointerValue(grant.GranteeRoleName)
+		state.AdminOption = types.BoolValue(grant.AdminOption)
+
+		diags = resp.State.Set(ctx, &state)
+		resp.Diagnostics.Append(diags...)
+	} else {
+		resp.State.RemoveResource(ctx)
+	}
+}
+
+func (r *GrantRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	panic("Update of grant resource is not supported")
+}
+
+func (r *GrantRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state models.GrantRole
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	err := r.client.RevokeGrantRole(ctx, state.ServiceID.ValueString(), state.RoleName.ValueString(), state.GranteeUserName.ValueStringPointer(), state.GranteeRoleName.ValueStringPointer())
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Deleting ClickHouse Role Grant",
+			"Could not delete role grant, unexpected error: "+err.Error(),
+		)
+		return
+	}
+}

pkg/resource/grant_role.go

@@ -0,0 +1,15 @@
+//go:build alpha
+
+package models
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type GrantRole struct {
+	ServiceID       types.String `tfsdk:"service_id"`
+	RoleName        types.String `tfsdk:"role_name"`
+	GranteeUserName types.String `tfsdk:"grantee_user_name"`
+	GranteeRoleName types.String `tfsdk:"grantee_role_name"`
+	AdminOption     types.Bool   `tfsdk:"admin_option"`
+}

pkg/resource/models/grant_role.go

@@ -14,5 +14,6 @@ func GetResourceFactories() []func() upstreamresource.Resource {
 		NewClickPipeResource,
 		NewUserResource,
 		NewRoleResource,
+		NewGrantRoleResource,
 	}
 }