fix: add error if not root on root only field

Author: awlsring

internal/service/client.go

@@ -13,6 +13,7 @@ import (
 
 type Proxmox struct {
 	client *proxmox.DefaultApiService
+	IsRoot bool
 }
 
 type ClientConfig struct {
@@ -54,13 +55,15 @@ func newTokenClient(c ClientConfig, cfg *proxmox.Configuration) (*Proxmox, error
 	client := proxmox.NewAPIClient(cfg)
 	return &Proxmox{
 		client: client.DefaultApi,
+		IsRoot: false,
 	}, nil
 }
 
 func newBasicAuthClient(c ClientConfig, cfg *proxmox.Configuration) (*Proxmox, error) {
 	client := proxmox.NewAPIClient(cfg)
 	p := &Proxmox{
 		client: client.DefaultApi,
+		IsRoot: c.Username == "root@pam",
 	}
 
 	ticket, err := p.login(c.Username, c.Password)

proxmox/qemu/vms/auth_validators.go

@@ -0,0 +1,34 @@
+package vms
+
+import (
+	"context"
+
+	vt "github.com/awlsring/terraform-provider-proxmox/proxmox/qemu/vms/types"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+)
+
+func authCreateValidator(ctx context.Context, isRoot bool, model *vt.VirtualMachineResourceModel, resp *resource.ModifyPlanResponse) {
+	tflog.Debug(ctx, "authCreateValidator")
+	if isRoot {
+		tflog.Debug(ctx, "user is root, all allowed")
+		return
+	}
+	if model.CloudInit != nil {
+		resp.Diagnostics.AddError("Root only property set", "A current bug prevents non-root users from using cloud-init https://lists.proxmox.com/pipermail/pve-devel/2023-March/056155.html")
+	}
+	if !model.CPU.Architecture.IsNull() && !model.CPU.Architecture.IsUnknown() {
+		resp.Diagnostics.AddError("Root only property set", "The field cpu.architecture is only allowed to be set by root users")
+	}
+}
+
+func authUpdateValidator(ctx context.Context, isRoot bool, model *vt.VirtualMachineResourceModel, resp *resource.ModifyPlanResponse) {
+	tflog.Debug(ctx, "authCreateValidator")
+	if isRoot {
+		tflog.Debug(ctx, "user is root, all allowed")
+		return
+	}
+	if model.CloudInit != nil {
+		resp.Diagnostics.AddError("Root only property set", "A current bug prevents non-root users from using cloud-init https://lists.proxmox.com/pipermail/pve-devel/2023-March/056155.html")
+	}
+}

proxmox/qemu/vms/resource.go

@@ -29,26 +29,26 @@ type virtualMachineResource struct {
 	timeouts *VirtualMachineTimeouts
 }
 
+type ConfigureMode string
+
+const (
+	ConfigureModeCreate ConfigureMode = "create"
+	ConfigureModeUpdate ConfigureMode = "update"
+	ConfigureModeDelete ConfigureMode = "delete"
+)
+
 func (r *virtualMachineResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
 	resp.TypeName = req.ProviderTypeName + "_virtual_machine"
 }
 
-func (r *virtualMachineResource) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
-	tflog.Debug(ctx, "ModifyPlan virtual machine method")
-	var plan vt.VirtualMachineResourceModel
-	diags := req.Plan.Get(ctx, &plan)
-	if diags.HasError() {
-		tflog.Debug(ctx, "Plan is delete, skipping")
-		return
-	}
-
-	var state vt.VirtualMachineResourceModel
-	diags = req.State.Get(ctx, &state)
-	if diags.HasError() {
-		tflog.Debug(ctx, "Plan is create, skipping")
+func (r *virtualMachineResource) createPlanModifiers(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse, plan *vt.VirtualMachineResourceModel) {
+	authCreateValidator(ctx, r.client.IsRoot, plan, resp)
+	if resp.Diagnostics.HasError() {
 		return
 	}
+}
 
+func (r *virtualMachineResource) updatePlanModifiers(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse, state *vt.VirtualMachineResourceModel, plan *vt.VirtualMachineResourceModel) {
 	node := plan.Node.ValueString()
 	vmId := int(state.ID.ValueInt64())
 
@@ -61,25 +61,56 @@ func (r *virtualMachineResource) ModifyPlan(ctx context.Context, req resource.Mo
 		return
 	}
 	if status.Status != proxmox.VIRTUALMACHINESTATUS_RUNNING {
-		powerOffValidator(ctx, r.client, &state, &plan, resp)
+		powerOffValidator(ctx, r.client, state, plan, resp)
 	}
 
-	changeValidatorDiskSize(ctx, &state, &plan, resp)
-	changeValidatorDiskStorage(ctx, &state, &plan, resp)
-	changeValidatorDiskRemoved(ctx, &state, &plan, resp)
+	authUpdateValidator(ctx, r.client.IsRoot, plan, resp)
+
+	changeValidatorDiskSize(ctx, state, plan, resp)
+	changeValidatorDiskStorage(ctx, state, plan, resp)
+	changeValidatorDiskRemoved(ctx, state, plan, resp)
 	// carry over computed values sets to prevent unnecessary diffs
 	amended := plan
 	amended.ComputedDisks = state.ComputedDisks
 	amended.ComputedNetworkInterfaces = state.ComputedNetworkInterfaces
 	amended.ComputedPCIDevices = state.ComputedPCIDevices
 
-	diags = resp.Plan.Set(ctx, &amended)
+	diags := resp.Plan.Set(ctx, &amended)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 }
 
+func (r *virtualMachineResource) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
+	tflog.Debug(ctx, "ModifyPlan virtual machine method")
+	configureMode := ConfigureModeUpdate
+
+	var plan vt.VirtualMachineResourceModel
+	diags := req.Plan.Get(ctx, &plan)
+	if diags.HasError() {
+		configureMode = ConfigureModeDelete
+	}
+
+	var state vt.VirtualMachineResourceModel
+	diags = req.State.Get(ctx, &state)
+	if diags.HasError() {
+		configureMode = ConfigureModeCreate
+	}
+
+	tflog.Info(ctx, fmt.Sprintf("configureMode '%v'", configureMode))
+
+	switch configureMode {
+	case ConfigureModeCreate:
+		r.createPlanModifiers(ctx, req, resp, &plan)
+		return
+	case ConfigureModeDelete:
+		return
+	default:
+		r.updatePlanModifiers(ctx, req, resp, &state, &plan)
+	}
+}
+
 func (r *virtualMachineResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
 	resp.Schema = schemas.ResourceSchema
 }

proxmox/qemu/vms/schemas/resource_schema.go

@@ -45,7 +45,11 @@ var ResourceSchema = schema.Schema{
 		},
 		"description": schema.StringAttribute{
 			Optional:    true,
+			Computed:    true,
 			Description: "The virtual machine description.",
+			PlanModifiers: []planmodifier.String{
+				stringplanmodifier.UseStateForUnknown(),
+			},
 		},
 		"tags": schema.SetAttribute{
 			Optional:    true,
@@ -201,10 +205,11 @@ var ResourceSchema = schema.Schema{
 					"cpu_units":     types.Int64Value(100),
 				}),
 			},
+			// requires root, make computed til this can be warned about
 			Attributes: map[string]schema.Attribute{
 				"architecture": schema.StringAttribute{
-					Optional:    true,
 					Computed:    true,
+					Optional:    true,
 					Description: "The CPU architecture.",
 					Validators: []validator.String{
 						stringvalidator.OneOf(
@@ -213,7 +218,8 @@ var ResourceSchema = schema.Schema{
 						),
 					},
 					PlanModifiers: []planmodifier.String{
-						defaults.DefaultString("x86_64"),
+						stringplanmodifier.RequiresReplace(),
+						stringplanmodifier.UseStateForUnknown(),
 					},
 				},
 				"cores": schema.Int64Attribute{