Roles are now optional for in Groups

Signed-off-by: Andy Lo-A-Foe <andy.loafoe@gmail.com>

Author: loafoe

docs/resources/iam_group.md

@@ -53,7 +53,7 @@ The following arguments are supported:
 
 * `name` - (Required) The name of the group
 * `description` - (Required) The description of the group
-* `roles` - (Required) The list of role IDS to assign to this group
+* `roles` - (Optional) The list of role IDS to assign to this group
 * `managing_organization` - (Required) The managing organization ID
 * `users` - (Optional) The list of user IDs to include in this group. The provider only manages this list of users. Existing users added by others means to the group by the provider. It is not practical to manage hundreds or thousands of users this way of course.
 * `services` - (Optional) The list of service identity IDs to include in this group. See `hsdp_iam_service`

internal/services/iam/group/resource_iam_group.go

@@ -23,7 +23,7 @@ func ResourceIAMGroup() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
-		SchemaVersion: 3,
+		SchemaVersion: 4,
 		CreateContext: resourceIAMGroupCreate,
 		ReadContext:   resourceIAMGroupRead,
 		UpdateContext: resourceIAMGroupUpdate,
@@ -44,6 +44,11 @@ func ResourceIAMGroup() *schema.Resource {
 				Upgrade: patchIAMGroupV2,
 				Version: 2,
 			},
+			{
+				Type:    ResourceIAMGroupV3().CoreConfigSchema().ImpliedType(),
+				Upgrade: patchIAMGroupV3,
+				Version: 3,
+			},
 		},
 
 		Schema: map[string]*schema.Schema{
@@ -69,7 +74,7 @@ func ResourceIAMGroup() *schema.Resource {
 			"roles": {
 				Type:        schema.TypeSet,
 				MaxItems:    1000,
-				Required:    true,
+				Optional:    true,
 				Elem:        tools.StringSchema(),
 				Description: "The list of role IDS to assign to this group.",
 			},
@@ -100,13 +105,6 @@ func ResourceIAMGroup() *schema.Resource {
 				Default:     true,
 				Description: "When enabled, the provider will perform additional API calls to determine if any changes were made outside of Terraform to user and service assignments of this group.",
 			},
-			"iam_device_bug_workaround": {
-				Type:        schema.TypeBool,
-				Optional:    true,
-				Default:     false,
-				Deprecated:  "This workaround is no longer required and will be removed in the near future.",
-				Description: "Deprecated, do not use.",
-			},
 		},
 	}
 }
@@ -138,28 +136,30 @@ func resourceIAMGroupCreate(ctx context.Context, d *schema.ResourceData, m inter
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	roles := tools.ExpandStringList(d.Get("roles").(*schema.Set).List())
 
 	_ = d.Set("name", createdGroup.Name)
 	_ = d.Set("description", createdGroup.Description)
 	_ = d.Set("managing_organization", createdGroup.ManagingOrganization)
 
+	roles := tools.ExpandStringList(d.Get("roles").(*schema.Set).List())
 	// Add roles
-	for _, r := range roles {
-		role, _, _ := client.Roles.GetRoleByID(r)
-		if role != nil {
-			err = tools.TryHTTPCall(ctx, 10, func() (*http.Response, error) {
-				_, resp, err := client.Groups.AssignRole(ctx, *createdGroup, *role)
-				if resp == nil {
-					return nil, err
+	if len(roles) > 0 {
+		for _, r := range roles {
+			role, _, _ := client.Roles.GetRoleByID(r)
+			if role != nil {
+				err = tools.TryHTTPCall(ctx, 10, func() (*http.Response, error) {
+					_, resp, err := client.Groups.AssignRole(ctx, *createdGroup, *role)
+					if resp == nil {
+						return nil, err
+					}
+					return resp.Response, err
+				}, append(tools.StandardRetryOnCodes, http.StatusUnprocessableEntity)...) // Handle intermittent HTTP 422 errors
+				if err != nil {
+					// Cleanup
+					_ = purgeGroupContent(ctx, client, createdGroup.ID, d)
+					_, _, _ = client.Groups.DeleteGroup(*createdGroup)
+					return diag.FromErr(fmt.Errorf("error adding roles: %v", err))
 				}
-				return resp.Response, err
-			}, append(tools.StandardRetryOnCodes, http.StatusUnprocessableEntity)...) // Handle intermittent HTTP 422 errors
-			if err != nil {
-				// Cleanup
-				_ = purgeGroupContent(ctx, client, createdGroup.ID, d)
-				_, _, _ = client.Groups.DeleteGroup(*createdGroup)
-				return diag.FromErr(fmt.Errorf("error adding roles: %v", err))
 			}
 		}
 	}

internal/services/iam/group/resource_iam_group_v3.go

@@ -0,0 +1,83 @@
+package group
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/philips-software/terraform-provider-hsdp/internal/tools"
+)
+
+// Upgrades an IAM Group resource from v3 to v4
+func patchIAMGroupV3(_ context.Context, rawState map[string]interface{}, _ interface{}) (map[string]interface{}, error) {
+	if rawState == nil {
+		rawState = map[string]interface{}{}
+	}
+	return rawState, nil
+}
+
+func ResourceIAMGroupV3() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: tools.SuppressCaseDiffs,
+				Description:      "The group name.",
+			},
+			"description": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				DiffSuppressFunc: tools.SuppressWhenGenerated,
+				Description:      "The group description.",
+			},
+			"managing_organization": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The managing organization ID.",
+			},
+			"roles": {
+				Type:        schema.TypeSet,
+				MaxItems:    1000,
+				Required:    true,
+				Elem:        tools.StringSchema(),
+				Description: "The list of role IDS to assign to this group.",
+			},
+			"users": {
+				Type:        schema.TypeSet,
+				MaxItems:    2000,
+				Optional:    true,
+				Elem:        tools.StringSchema(),
+				Description: "The list of user IDs to include in this group. The provider only manages this list of users. Existing users added by others means to the group by the provider. It is not practical to manage hundreds or thousands of users this way of course.",
+			},
+			"services": {
+				Type:        schema.TypeSet,
+				MaxItems:    2000,
+				Optional:    true,
+				Elem:        tools.StringSchema(),
+				Description: "The list of service identity IDs to include in this group.",
+			},
+			"devices": {
+				Type:        schema.TypeSet,
+				MaxItems:    2000,
+				Optional:    true,
+				Elem:        tools.StringSchema(),
+				Description: "The list of IAM device identity IDs to include in this group.",
+			},
+			"drift_detection": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+				Description: "When enabled, the provider will perform additional API calls to determine if any changes were made outside of Terraform to user and service assignments of this group.",
+			},
+			"iam_device_bug_workaround": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Deprecated:  "This workaround is no longer required and will be removed in the near future.",
+				Description: "Deprecated, do not use.",
+			},
+		},
+	}
+}