DXCDT-432: auth0_role_permissions resource

[willvedd]

🔧 Changes

Introducing the auth0_role_permissions resource which enables management of all role permissions in a single block.

Unlike the auth0_role_permission resource (#582) which manages on a per-permission basis, this resource manages all of a role's permissions. In addition to offering a flexible way of expressing role permissions, out-of-band changes can be observed with a single import command rather than multiple imports per permission.

Remaining a draft until split into two smaller PRs

📚 References

• 1-1 auth0_role_permission - DXCDT-431: auth0_role_permission resource #582

🔬 Testing

Added suite of integration tests.

📝 Checklist

• All new/changed/fixed functionality is covered by tests (or N/A)
• I have added documentation for all new/changed functionality (or N/A)

[codecov-commenter]

Codecov Report

Merging #583 (9f7a550) into main (ac04ae9) will decrease coverage by 0.04%.
The diff coverage is 84.44%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #583      +/-   ##
==========================================
- Coverage   87.28%   87.24%   -0.04%     
==========================================
  Files          69       70       +1     
  Lines       10559    10693     +134     
==========================================
+ Hits         9216     9329     +113     
- Misses       1021     1037      +16     
- Partials      322      327       +5     

Impacted Files	Coverage Δ
internal/provider/provider.go	100.00% <ø> (ø)
internal/auth0/role/resource_permissions.go	84.32% <84.32%> (ø)
internal/auth0/role/resource.go	81.86% <100.00%> (ø)

[willvedd]

Necessary to rename this test to not collide with the new resource.

[sergiught]

Hm... 🤔 This will remove all the permissions, not just the ones assigned through this resource. I think it should be okay, however in the auth0_user_roles we do

userRolesToRemove := data.Get("roles").(*schema.Set).List()
	var rmRoles []*management.Role
	for _, rmRole := range userRolesToRemove {
		role := &management.Role{ID: auth0.String(rmRole.(string))}
		rmRoles = append(rmRoles, role)
	}

The two approaches technically should be exactly the same as we should manage all the permissions through this and have nothing left on the API.

However, there is one edge case where:

1. You attach permissions to a role. (but the role has actually more permissions set on the API)
2. You do a read in another terraform plan and you're gonna see the diff between what you have in the config and what's on remote.
3. If you don't add those extra permissions to the config and immediately do a terraform destroy, with the logic we have now it will remove even the others that are untracked, whereas the solution above to fetch them again from the config will only remove the ones that we set in the config and leave the others that were untracked and shown in the diff.

What do you think we should do?

[willvedd]

While I think it would be an anti-pattern for folks to adopt that workflow, it's a safer and low-cost to only delete the ones within management purview.

[sergiught]

Impostor!

[willvedd]

This is necessary otherwise the data source doesn't get the change reflected.

[sergiught]

Ah, I see that now 👍🏻 , indeed the execution flow on a terraform apply is:

0. read and refresh state
1. creations
2. updates
3. deletions

so we need another refresh state after the deletion.