Merge pull request #266 from philips-software/chore/workaround-iam-bugfix

IAM: conditionally check IAM Device/User mixups #265

Author: loafoe

docs/resources/iam_group.md

@@ -59,6 +59,8 @@ The following arguments are supported:
   opt-in for IAM Groups due to insufficient IAM API capabilities to perform this operation efficiently.
   A future version might change this to be always-on. When enabled, the provider will perform additional API calls
   to determine if any changes were made outside of Terraform to user and service assignments of this Group. Default: `false`
+* `iam_device_bug_workaround` - (Optional, bool) Work around an IAM bug that returns both user and device entities in the API.
+  Do not enable this unless you are using IAM Devices in your infrastructure. Default: `false`
 
 ## Attributes Reference
 

internal/services/iam/group/resource_iam_group.go

@@ -18,7 +18,7 @@ func ResourceIAMGroup() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
-		SchemaVersion: 2,
+		SchemaVersion: 3,
 		CreateContext: resourceIAMGroupCreate,
 		ReadContext:   resourceIAMGroupRead,
 		UpdateContext: resourceIAMGroupUpdate,
@@ -34,6 +34,11 @@ func ResourceIAMGroup() *schema.Resource {
 				Upgrade: patchIAMGroupV1,
 				Version: 1,
 			},
+			{
+				Type:    ResourceIAMGroupV2().CoreConfigSchema().ImpliedType(),
+				Upgrade: patchIAMGroupV2,
+				Version: 2,
+			},
 		},
 
 		Schema: map[string]*schema.Schema{
@@ -82,6 +87,11 @@ func ResourceIAMGroup() *schema.Resource {
 				Optional: true,
 				Default:  false,
 			},
+			"iam_device_bug_workaround": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		},
 	}
 }
@@ -224,6 +234,7 @@ func resourceIAMGroupRead(_ context.Context, d *schema.ResourceData, m interface
 
 	id := d.Id()
 	driftDetection := d.Get("drift_detection").(bool)
+	iamDeviceBugWorkaround := d.Get("iam_device_bug_workaround").(bool)
 
 	group, resp, err := client.Groups.GetGroupByID(id)
 	if err != nil {
@@ -254,15 +265,19 @@ func resourceIAMGroupRead(_ context.Context, d *schema.ResourceData, m interface
 		if err != nil {
 			return diag.FromErr(fmt.Errorf("error retrieving users from group: %v", err))
 		}
-		// Unfortunately Users must now be verified as the GetAllUsers query also returns IAM Devices
-		var verifiedUsers []string
-		for _, u := range users {
-			_, _, err := client.Users.GetUserByID(u)
-			if err == nil {
-				verifiedUsers = append(verifiedUsers, u)
+		_ = d.Set("users", tools.SchemaSetStrings(users))
+
+		if iamDeviceBugWorkaround {
+			// IAM Devices could be mixed in the GetUser results, this is an IAM BUG
+			var verifiedUsers []string
+			for _, u := range users {
+				_, _, err := client.Users.GetUserByID(u) // This call could FAIL if the IAM entity does not have broad access
+				if err == nil {
+					verifiedUsers = append(verifiedUsers, u)
+				}
 			}
+			_ = d.Set("users", tools.SchemaSetStrings(verifiedUsers))
 		}
-		_ = d.Set("users", tools.SchemaSetStrings(verifiedUsers))
 
 		// Services
 		// We only deal with services we know

internal/services/iam/group/resource_iam_group_test.go

@@ -119,6 +119,20 @@ resource "hsdp_iam_role" "test" {
   managing_organization = hsdp_iam_org.test.id
 }
 
+resource "hsdp_iam_group" "user_test" {
+  name        = "%s1"
+  description = "Acceptance Test Group %s1"
+
+  roles    = [hsdp_iam_role.test.id]
+  users    = [hsdp_iam_user.test.id]
+  services = [hsdp_iam_service.test.id]
+
+  managing_organization = hsdp_iam_org.test.id
+ 
+  drift_detection           = true
+  iam_device_bug_workaround = false
+}
+
 resource "hsdp_iam_group" "test" {
   name        = "%s"
   description = "Acceptance Test Group %s"
@@ -130,8 +144,11 @@ resource "hsdp_iam_group" "test" {
 
   managing_organization = hsdp_iam_org.test.id
  
-  drift_detection = true
-}`,
+  drift_detection           = true
+  iam_device_bug_workaround = true
+}
+
+`,
 		// ORG
 		upperName,
 		name,
@@ -155,6 +172,9 @@ resource "hsdp_iam_group" "test" {
 		// ROLE
 		upperName,
 		name,
+		// USER GROUP
+		name,
+		name,
 		// GROUP
 		name,
 		name)

internal/services/iam/group/resource_iam_group_v2.go

@@ -0,0 +1,69 @@
+package group
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/philips-software/terraform-provider-hsdp/internal/tools"
+)
+
+// Upgrades an IAM Group resource from v2 to v3
+func patchIAMGroupV2(_ context.Context, rawState map[string]interface{}, _ interface{}) (map[string]interface{}, error) {
+	if rawState == nil {
+		rawState = map[string]interface{}{}
+	}
+	rawState["iam_device_bug_workaround"] = false
+	return rawState, nil
+}
+
+func ResourceIAMGroupV2() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: tools.SuppressCaseDiffs,
+			},
+			"description": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				DiffSuppressFunc: tools.SuppressWhenGenerated,
+			},
+			"managing_organization": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"roles": {
+				Type:     schema.TypeSet,
+				MaxItems: 1000,
+				Required: true,
+				Elem:     tools.StringSchema(),
+			},
+			"users": {
+				Type:     schema.TypeSet,
+				MaxItems: 2000,
+				Optional: true,
+				Elem:     tools.StringSchema(),
+			},
+			"services": {
+				Type:     schema.TypeSet,
+				MaxItems: 2000,
+				Optional: true,
+				Elem:     tools.StringSchema(),
+			},
+			"devices": {
+				Type:     schema.TypeSet,
+				MaxItems: 2000,
+				Optional: true,
+				Elem:     tools.StringSchema(),
+			},
+			"drift_detection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+		},
+	}
+}