Implement drift detection for mondoo_policy_assignment resource (#403)

The Read() function was empty, only persisting existing Terraform state
without querying the API. This meant changes made outside Terraform
(e.g., via UI) were never detected.

Now uses the activePolicies GraphQL API to fetch actual policy states,
filtered by assignedScope to only consider directly-assigned policies.
Compares each policy's actual action (ACTIVE/IGNORE/missing) against the
configured state and updates Terraform state to reflect reality when
drift is detected.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jaym

internal/provider/gql.go

@@ -353,6 +353,22 @@ type Policy struct {
 	Docs      mondoov1.String
 }
 
+type ActivePolicy struct {
+	Mrn           mondoov1.String
+	Name          mondoov1.String
+	Action        mondoov1.String
+	AssignedScope mondoov1.String
+}
+
+type ActivePolicyEdge struct {
+	Node ActivePolicy
+}
+
+type ActivePoliciesConnection struct {
+	TotalCount int
+	Edges      []ActivePolicyEdge
+}
+
 type PolicyNode struct {
 	Policy Policy
 }
@@ -478,6 +494,31 @@ func (c *ExtendedGqlClient) GetPolicy(ctx context.Context, policyMrn string, spa
 	return &q.Policy, nil
 }
 
+func (c *ExtendedGqlClient) GetActivePolicies(ctx context.Context, scopeMrn string) ([]ActivePolicy, error) {
+	var q struct {
+		ActivePolicies ActivePoliciesConnection `graphql:"activePolicies(input: $input)"`
+	}
+
+	input := mondoov1.ActivePoliciesInput{
+		ScopeMrn: mondoov1.String(scopeMrn),
+	}
+
+	variables := map[string]interface{}{
+		"input": input,
+	}
+
+	err := c.Query(ctx, &q, variables)
+	if err != nil {
+		return nil, err
+	}
+
+	policies := make([]ActivePolicy, 0, len(q.ActivePolicies.Edges))
+	for _, edge := range q.ActivePolicies.Edges {
+		policies = append(policies, edge.Node)
+	}
+	return policies, nil
+}
+
 func (c *ExtendedGqlClient) AssignPolicy(ctx context.Context, spaceMrn string, action mondoov1.PolicyAction, policyMrns []string) error {
 	var list *[]mondoov1.String
 

internal/provider/policy_assignment_resource.go

@@ -154,7 +154,62 @@ func (r *policyAssignmentResource) Read(ctx context.Context, req resource.ReadRe
 		return
 	}
 
-	// Read API call logic
+	// Compute and validate the space
+	space, err := r.client.ComputeSpace(data.SpaceID)
+	if err != nil {
+		resp.Diagnostics.AddError("Invalid Configuration", err.Error())
+		return
+	}
+	ctx = tflog.SetField(ctx, "space_mrn", space.MRN())
+
+	// Fetch active policies from API
+	activePolicies, err := r.client.GetActivePolicies(ctx, space.MRN())
+	if err != nil {
+		resp.Diagnostics.AddError("Failed to fetch active policies", err.Error())
+		return
+	}
+
+	// Build lookup map: policyMrn -> action, filtered by assignedScope
+	policyActions := make(map[string]string)
+	for _, p := range activePolicies {
+		if string(p.AssignedScope) == space.MRN() {
+			policyActions[string(p.Mrn)] = string(p.Action)
+		}
+	}
+
+	// Check the actual state of each configured policy
+	policyMrns := []string{}
+	data.PolicyMrns.ElementsAs(ctx, &policyMrns, false)
+
+	configuredState := data.State.ValueString()
+	allMatch := true
+	for _, mrn := range policyMrns {
+		action, found := policyActions[mrn]
+		var actualState string
+		if !found {
+			actualState = "disabled"
+		} else {
+			switch action {
+			case "ACTIVE":
+				actualState = "enabled"
+			case "IGNORE":
+				actualState = "preview"
+			default:
+				actualState = "disabled"
+			}
+		}
+		if actualState != configuredState {
+			allMatch = false
+			// Report the actual state of this policy so Terraform sees the drift
+			data.State = types.StringValue(actualState)
+			break
+		}
+	}
+
+	if allMatch {
+		// All policies match the configured state, no drift
+		data.State = types.StringValue(configuredState)
+	}
 
 	// Save updated data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)