WIP: Authorization of resources on project-level (#235)

saidst · tmeckel · web-flow · commit 67031846971d · 2020-05-06T10:11:02.000-05:00
* added resource authorization for service endpoints. upgraded to terraform-plugin-sdk-1.6.0.

* Updated documentation and example.

* Removed excessive reference to github.com/Azure/go-autorest/autorest/to from azuredevops/resource_resource_authorization.go

* Removed excessive reference to github.com/Azure/go-autorest/autorest/to from azuredevops/resource_resource_authorization_test.go

* tidy up go.mod after cherry-picking and rebasing.

* externalize error strings to reduce redundancy.

* fix linting issues.

Co-authored-by: Thomas Meckel &lt;tmeckel@users.noreply.github.com&gt;
diff --git a/azuredevops/crud/serviceendpoint/crud_service_endpoint.go b/azuredevops/crud/serviceendpoint/crud_service_endpoint.go
@@ -223,7 +223,12 @@ func genServiceEndpointReadFunc(flatFunc flatFunc) func(d *schema.ResourceData,
 			return fmt.Errorf("Error looking up service endpoint given ID (%v) and project ID (%v): %v", serviceEndpointID, projectID, err)
 		}
 
-		flatFunc(d, serviceEndpoint, projectID)
+		if serviceEndpoint.Id == nil {
+			// e.g. service endpoint has been deleted separately without TF
+			d.SetId("")
+		} else {
+			flatFunc(d, serviceEndpoint, projectID)
+		}
 		return nil
 	}
 }
diff --git a/azuredevops/provider.go b/azuredevops/provider.go
@@ -9,6 +9,7 @@ import (
 func Provider() *schema.Provider {
 	p := &schema.Provider{
 		ResourcesMap: map[string]*schema.Resource{
+			"azuredevops_resource_authorization":    resourceResourceAuthorization(),
 			"azuredevops_build_definition":          resourceBuildDefinition(),
 			"azuredevops_project":                   resourceProject(),
 			"azuredevops_variable_group":            resourceVariableGroup(),
diff --git a/azuredevops/provider_test.go b/azuredevops/provider_test.go
@@ -15,6 +15,7 @@ var provider = Provider()
 
 func TestAzureDevOpsProvider_HasChildResources(t *testing.T) {
 	expectedResources := []string{
+		"azuredevops_resource_authorization",
 		"azuredevops_build_definition",
 		"azuredevops_project",
 		"azuredevops_serviceendpoint_github",
diff --git a/azuredevops/resource_resource_authorization.go b/azuredevops/resource_resource_authorization.go
@@ -0,0 +1,172 @@
+package azuredevops
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	"github.com/microsoft/azure-devops-go-api/azuredevops/build"
+	"github.com/microsoft/terraform-provider-azuredevops/azuredevops/utils/config"
+	"github.com/microsoft/terraform-provider-azuredevops/azuredevops/utils/converter"
+)
+
+const msgErrorFailedResourceCreate = "error creating authorized resource: %+v"
+const msgErrorFailedResourceUpdate = "error updating authorized resource: %+v"
+const msgErrorFailedResourceDelete = "error deleting authorized resource: %+v"
+
+func resourceResourceAuthorization() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceResourceAuthorizationCreate,
+		Read:   resourceResourceAuthorizationRead,
+		Update: resourceResourceAuthorizationUpdate,
+		Delete: resourceResourceAuthorizationDelete,
+
+		Schema: map[string]*schema.Schema{
+			"project_id": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"resource_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "id of the resource",
+				ValidateFunc: validation.IsUUID,
+			},
+			"type": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Default:      "endpoint",
+				Description:  "type of the resource",
+				ValidateFunc: validation.StringInSlice([]string{"endpoint"}, false),
+			},
+			"authorized": {
+				Type:        schema.TypeBool,
+				Required:    true,
+				Description: "indicates whether the resource is authorized for use",
+			},
+		},
+	}
+}
+
+func resourceResourceAuthorizationCreate(d *schema.ResourceData, m interface{}) error {
+	clients := m.(*config.AggregatedClient)
+	authorizedResource, projectID, err := expandAuthorizedResource(d)
+	if err != nil {
+		return fmt.Errorf(msgErrorFailedResourceCreate, err)
+	}
+
+	_, err = sendAuthorizedResourceToAPI(clients, authorizedResource, projectID)
+	if err != nil {
+		return fmt.Errorf(msgErrorFailedResourceCreate, err)
+	}
+
+	return resourceResourceAuthorizationRead(d, m)
+}
+
+func resourceResourceAuthorizationRead(d *schema.ResourceData, m interface{}) error {
+	ctx := context.Background()
+	clients := m.(*config.AggregatedClient)
+
+	authorizedResource, projectID, err := expandAuthorizedResource(d)
+	if err != nil {
+		return err
+	}
+
+	if !*authorizedResource.Authorized {
+		// flatten structure provided by user-configuration and not read from ado
+		flattenAuthorizedResource(d, authorizedResource, projectID)
+	} else {
+		// (attempt) flatten read result from ado
+		resourceRefs, err := clients.BuildClient.GetProjectResources(ctx, build.GetProjectResourcesArgs{
+			Project: &projectID,
+			Type:    authorizedResource.Type,
+			Id:      authorizedResource.Id,
+		})
+
+		if err != nil {
+			return err
+		}
+
+		// the authorization does no longer exist
+		if len(*resourceRefs) == 0 {
+			d.SetId("")
+			return nil
+		}
+
+		flattenAuthorizedResource(d, &(*resourceRefs)[0], projectID)
+		return nil
+	}
+	return nil
+}
+
+func resourceResourceAuthorizationDelete(d *schema.ResourceData, m interface{}) error {
+	clients := m.(*config.AggregatedClient)
+	authorizedResource, projectID, err := expandAuthorizedResource(d)
+	if err != nil {
+		return fmt.Errorf(msgErrorFailedResourceDelete, err)
+	}
+
+	// deletion works only by setting authorized to false
+	// because the resource to delete might have had this parameter set to true, we overwrite it
+	authorizedResource.Authorized = converter.Bool(false)
+
+	_, err = sendAuthorizedResourceToAPI(clients, authorizedResource, projectID)
+	if err != nil {
+		return fmt.Errorf(msgErrorFailedResourceDelete, err)
+	}
+
+	return err
+}
+
+func resourceResourceAuthorizationUpdate(d *schema.ResourceData, m interface{}) error {
+	clients := m.(*config.AggregatedClient)
+	authorizedResource, projectID, err := expandAuthorizedResource(d)
+	if err != nil {
+		return fmt.Errorf(msgErrorFailedResourceUpdate, err)
+	}
+
+	_, err = sendAuthorizedResourceToAPI(clients, authorizedResource, projectID)
+	if err != nil {
+		return fmt.Errorf(msgErrorFailedResourceUpdate, err)
+	}
+
+	return resourceResourceAuthorizationRead(d, m)
+}
+
+func flattenAuthorizedResource(d *schema.ResourceData, authorizedResource *build.DefinitionResourceReference, projectID string) {
+	d.SetId(*authorizedResource.Id)
+	d.Set("resource_id", *authorizedResource.Id)
+	d.Set("type", *authorizedResource.Type)
+	d.Set("authorized", *authorizedResource.Authorized)
+	d.Set("project_id", projectID)
+}
+
+func expandAuthorizedResource(d *schema.ResourceData) (*build.DefinitionResourceReference, string, error) {
+	resourceRef := build.DefinitionResourceReference{
+		Authorized: converter.Bool(d.Get("authorized").(bool)),
+		Id:         converter.String(d.Get("resource_id").(string)),
+		Name:       nil,
+		Type:       converter.String(d.Get("type").(string)),
+	}
+
+	return &resourceRef, d.Get("project_id").(string), nil
+}
+
+func sendAuthorizedResourceToAPI(clients *config.AggregatedClient, resourceRef *build.DefinitionResourceReference, project string) (*build.DefinitionResourceReference, error) {
+	ctx := context.Background()
+
+	createdResourceRefs, err := clients.BuildClient.AuthorizeProjectResources(ctx, build.AuthorizeProjectResourcesArgs{
+		Resources: &[]build.DefinitionResourceReference{*resourceRef},
+		Project:   &project,
+	})
+
+	if err != nil {
+		return nil, err
+	} else if len(*createdResourceRefs) == 0 {
+		return nil, fmt.Errorf("no project resources have been authorized")
+	}
+
+	return &(*createdResourceRefs)[0], err
+}
diff --git a/azuredevops/resource_resource_authorization_test.go b/azuredevops/resource_resource_authorization_test.go
@@ -0,0 +1,148 @@
+// +build all resource_resource_authorization
+
+package azuredevops
+
+// The tests in this file use the mock clients in mock_client.go to mock out
+// the Azure DevOps client operations.
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/microsoft/terraform-provider-azuredevops/azdosdkmocks"
+
+	"github.com/golang/mock/gomock"
+	"github.com/google/uuid"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/microsoft/azure-devops-go-api/azuredevops/build"
+	"github.com/microsoft/terraform-provider-azuredevops/azuredevops/utils/config"
+	"github.com/microsoft/terraform-provider-azuredevops/azuredevops/utils/converter"
+	"github.com/stretchr/testify/require"
+)
+
+var projectId = "projectid"
+var endpointId = uuid.New()
+
+var resourceReferenceAuthorized = build.DefinitionResourceReference{
+	Authorized: converter.Bool(true),
+	Id:         converter.String(endpointId.String()),
+	Name:       nil,
+	Type:       converter.String("endpoint"),
+}
+
+var resourceReferenceNotAuthorized = build.DefinitionResourceReference{
+	Authorized: converter.Bool(false),
+	Id:         converter.String(endpointId.String()),
+	Name:       nil,
+	Type:       converter.String("endpoint"),
+}
+
+func init() {
+	InitProvider()
+}
+
+/**
+ * Begin unit tests
+ */
+
+func TestAzureDevOpsResourceAuthorization_FlattenExpand_RoundTripTestAzureDevOpsResourceAuthorization_FlattenExpand_RoundTrip(t *testing.T) {
+	resourceData := schema.TestResourceDataRaw(t, resourceResourceAuthorization().Schema, nil)
+	flattenAuthorizedResource(resourceData, &resourceReferenceAuthorized, projectId)
+
+	resourceReferenceAfterRoundtrip, projectIdAfterRoundtrip, err := expandAuthorizedResource(resourceData)
+	require.Nil(t, err)
+	require.Equal(t, resourceReferenceAuthorized, *resourceReferenceAfterRoundtrip)
+	require.Equal(t, projectId, projectIdAfterRoundtrip)
+}
+
+func TestAzureDevOpsResourceAuthorization_Create_DoesNotSwallowError(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	r, resourceData, clients := prepareForCreateOrUpdate(t, ctrl, "CreateResourceAuthorization() Failed")
+
+	err := r.Create(resourceData, clients)
+	require.Contains(t, err.Error(), "CreateResourceAuthorization() Failed")
+}
+
+func TestAzureDevOpsResourceAuthorization_Update_DoesNotSwallowError(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	r, resourceData, clients := prepareForCreateOrUpdate(t, ctrl, "UpdateResourceAuthorization() Failed")
+
+	err := r.Update(resourceData, clients)
+	require.Contains(t, err.Error(), "UpdateResourceAuthorization() Failed")
+}
+
+func prepareForCreateOrUpdate(t *testing.T, ctrl *gomock.Controller, expectedMessage string) (*schema.Resource, *schema.ResourceData, *config.AggregatedClient) {
+	r := resourceResourceAuthorization()
+	resourceData := schema.TestResourceDataRaw(t, r.Schema, nil)
+	flattenAuthorizedResource(resourceData, &resourceReferenceAuthorized, projectId)
+
+	buildClient := azdosdkmocks.NewMockBuildClient(ctrl)
+	clients := &config.AggregatedClient{BuildClient: buildClient, Ctx: context.Background()}
+
+	expectedArgs := build.AuthorizeProjectResourcesArgs{
+		Resources: &[]build.DefinitionResourceReference{resourceReferenceAuthorized},
+		Project:   &projectId,
+	}
+	buildClient.
+		EXPECT().
+		AuthorizeProjectResources(clients.Ctx, expectedArgs).
+		Return(nil, errors.New(expectedMessage)).
+		Times(1)
+	return r, resourceData, clients
+}
+
+func TestAzureDevOpsResourceAuthorization_Read_DoesNotSwallowError(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	r := resourceResourceAuthorization()
+	resourceData := schema.TestResourceDataRaw(t, r.Schema, nil)
+	flattenAuthorizedResource(resourceData, &resourceReferenceAuthorized, projectId)
+
+	buildClient := azdosdkmocks.NewMockBuildClient(ctrl)
+	clients := &config.AggregatedClient{BuildClient: buildClient, Ctx: context.Background()}
+
+	expectedArgs := build.GetProjectResourcesArgs{
+		Project: &projectId,
+		Type:    resourceReferenceAuthorized.Type,
+		Id:      resourceReferenceAuthorized.Id,
+	}
+	buildClient.
+		EXPECT().
+		GetProjectResources(clients.Ctx, expectedArgs).
+		Return(nil, errors.New("ReadResourceAuthorization() Failed")).
+		Times(1)
+
+	err := r.Read(resourceData, clients)
+	require.Contains(t, err.Error(), "ReadResourceAuthorization() Failed")
+}
+
+func TestAzureDevOpsResourceAuthorization_Delete_DoesNotSwallowError(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	r := resourceResourceAuthorization()
+	resourceData := schema.TestResourceDataRaw(t, r.Schema, nil)
+	flattenAuthorizedResource(resourceData, &resourceReferenceNotAuthorized, projectId)
+
+	buildClient := azdosdkmocks.NewMockBuildClient(ctrl)
+	clients := &config.AggregatedClient{BuildClient: buildClient, Ctx: context.Background()}
+
+	expectedArgs := build.AuthorizeProjectResourcesArgs{
+		Resources: &[]build.DefinitionResourceReference{resourceReferenceNotAuthorized},
+		Project:   &projectId,
+	}
+	buildClient.
+		EXPECT().
+		AuthorizeProjectResources(clients.Ctx, expectedArgs).
+		Return(nil, errors.New("DeleteResourceAuthorization() Failed")).
+		Times(1)
+
+	err := r.Delete(resourceData, clients)
+	require.Contains(t, err.Error(), "DeleteResourceAuthorization() Failed")
+}
diff --git a/examples/azdo-based-cicd/main.tf b/examples/azdo-based-cicd/main.tf
@@ -96,6 +96,20 @@ resource "azuredevops_serviceendpoint_azurerm" "endpoint1" {
   azurerm_scope             = "/subscriptions/1da42ac9-xxxx-xxxxx-xxxx-xxxxxxxxxxx"
 }
 
+resource "azuredevops_serviceendpoint_bitbucket" "bitbucket_account" {
+  project_id = "vanilla-sky"
+  username               = "xxxx"
+  password               = "xxxx"
+  service_endpoint_name  = "test-bitbucket"
+  description            = "test"
+}
+
+resource "azuredevops_resource_authorization" "bitbucket_account_authorization" {
+  project_id = azuredevops_project.project.id
+  resource_id = azuredevops_serviceendpoint_bitbucket.bitbucket_account.id
+  authorized = true
+}
+
 #
 # https://github.com/microsoft/terraform-provider-azuredevops/issues/83
 # resource "azuredevops_policy_build" "p1" {
diff --git a/go.mod b/go.mod
@@ -11,11 +11,9 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk v1.8.0
 	github.com/microsoft/azure-devops-go-api/azuredevops v0.0.0-20200327121006-543de4815ec2
 	github.com/stretchr/testify v1.3.0
-	github.com/yuin/goldmark v1.1.30 // indirect
 	golang.org/x/crypto v0.0.0-20200427165652-729f1e841bcc
 	golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
 	golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0 // indirect
-	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a // indirect
 	golang.org/x/sys v0.0.0-20200428200454-593003d681fa // indirect
-	golang.org/x/tools v0.0.0-20200428211048-dbf5ce1eac26 // indirect
+	golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8 // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/website/docs/r/resource_authorization.html.markdown b/website/docs/r/resource_authorization.html.markdown

Original file line number	Diff line number	Diff line change
`@@ -223,7 +223,12 @@ func genServiceEndpointReadFunc(flatFunc flatFunc) func(d *schema.ResourceData,`
`223`	`223`	`return fmt.Errorf("Error looking up service endpoint given ID (%v) and project ID (%v): %v", serviceEndpointID, projectID, err)`
`224`	`224`	`}`
`225`	`225`
`226`		`- flatFunc(d, serviceEndpoint, projectID)`
	`226`	`+ if serviceEndpoint.Id == nil {`
	`227`	`+ // e.g. service endpoint has been deleted separately without TF`
	`228`	`+ d.SetId("")`
	`229`	`+ } else {`
	`230`	`+ flatFunc(d, serviceEndpoint, projectID)`
	`231`	`+ }`
`227`	`232`	`return nil`
`228`	`233`	`}`
`229`	`234`	`}`