azurerm_policy_set_definition - fix empty group names on update (#1…

…9890) * Add missing groupNames field to policy_set_definition update method (#13791) * convert set to string[] * Add acceptance test for `policy_definition_reference.policy_group_names` * fix alignment of comment * remove unneeded comments
hashicorp · Jan 11, 2023 · 3b0495d · 3b0495d
1 parent 740861e
commit 3b0495d
Show file tree

Hide file tree

Showing 2 changed files with 160 additions and 0 deletions.
diff --git a/internal/services/policy/policy_set_definition_resource.go b/internal/services/policy/policy_set_definition_resource.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/services/preview/resources/mgmt/2021-06-01-preview/policy" // nolint: staticcheck
 	"github.com/Azure/go-autorest/autorest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
 	mgmtGrpParse "github.com/hashicorp/terraform-provider-azurerm/internal/services/managementgroup/parse"
@@ -570,6 +571,7 @@ func expandAzureRMPolicySetDefinitionPolicyDefinitionsUpdate(d *pluginsdk.Resour
 			PolicyDefinitionID:          utils.String(d.Get(fmt.Sprintf("policy_definition_reference.%d.policy_definition_id", i)).(string)),
 			Parameters:                  parameters,
 			PolicyDefinitionReferenceID: utils.String(d.Get(fmt.Sprintf("policy_definition_reference.%d.reference_id", i)).(string)),
+			GroupNames:                  utils.ExpandStringSlice(d.Get(fmt.Sprintf("policy_definition_reference.%d.policy_group_names", i)).(*schema.Set).List()),
 		})
 	}
 

diff --git a/internal/services/policy/policy_set_definition_resource_test.go b/internal/services/policy/policy_set_definition_resource_test.go
@@ -185,6 +185,41 @@ func TestAccAzureRMPolicySetDefinition_customWithDefinitionGroups(t *testing.T)
 	})
 }
 
+func TestAccAzureRMPolicySetDefinition_customWithGroupsInDefinitionReferenceUpdate(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_policy_set_definition", "test")
+	r := PolicySetDefinitionResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			// provision a policy set without group names
+			Config: r.customWithDefinitionGroupsNotUsedInPolicyReference(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("policy_definition_reference.0.policy_group_names").DoesNotExist(),
+			),
+		},
+		data.ImportStep(),
+		{
+			// test if group_names were correctly added
+			Config: r.customWithDefinitionGroupsUsedInPolicyReference(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("policy_definition_reference.0.policy_group_names.#").HasValue("3"),
+			),
+		},
+		data.ImportStep(),
+		{
+			// test if the deletion of the group_names works again
+			Config: r.customWithDefinitionGroupsNotUsedInPolicyReference(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("policy_definition_reference.0.policy_group_names.0").DoesNotExist(),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccAzureRMPolicySetDefinition_managementGroup(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_policy_set_definition", "test")
 	r := PolicySetDefinitionResource{}
@@ -665,6 +700,129 @@ VALUES
 `, template, data.RandomInteger, data.RandomInteger)
 }
 
+// test adding "group-3" to policy_definition_reference.policy_group_names
+func (r PolicySetDefinitionResource) customWithDefinitionGroupsUsedInPolicyReference(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_policy_set_definition" "test" {
+  name         = "acctestPolSet-%d"
+  policy_type  = "Custom"
+  display_name = "acctestPolSet-display-%d"
+
+  parameters = <<PARAMETERS
+    {
+        "allowedLocations": {
+            "type": "Array",
+            "metadata": {
+                "description": "The list of allowed locations for resources.",
+                "displayName": "Allowed locations",
+                "strongType": "location"
+            }
+        }
+    }
+PARAMETERS
+
+  policy_definition_reference {
+    policy_definition_id = azurerm_policy_definition.test.id
+    parameter_values     = <<VALUES
+	{
+      "allowedLocations": {"value": "[parameters('allowedLocations')]"}
+    }
+VALUES
+    policy_group_names   = ["group-1", "group-2", "group-3"]
+  }
+
+  policy_definition_group {
+    name = "redundant"
+  }
+
+  policy_definition_group {
+    name         = "group-1"
+    display_name = "Group-Display-1"
+    category     = "My Access Control"
+    description  = "Controls accesses"
+  }
+
+  policy_definition_group {
+    name         = "group-2"
+    display_name = "group-display-2"
+    category     = "My Security Control"
+    description  = "Controls security"
+  }
+
+  policy_definition_group {
+    name         = "group-3"
+    display_name = "group-display-3"
+    category     = "Category-3"
+    description  = "Newly added group 3"
+  }
+}
+`, template, data.RandomInteger, data.RandomInteger)
+}
+
+// test adding "group-3" to policy_definition_reference.policy_group_names
+func (r PolicySetDefinitionResource) customWithDefinitionGroupsNotUsedInPolicyReference(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_policy_set_definition" "test" {
+  name         = "acctestPolSet-%d"
+  policy_type  = "Custom"
+  display_name = "acctestPolSet-display-%d"
+
+  parameters = <<PARAMETERS
+    {
+        "allowedLocations": {
+            "type": "Array",
+            "metadata": {
+                "description": "The list of allowed locations for resources.",
+                "displayName": "Allowed locations",
+                "strongType": "location"
+            }
+        }
+    }
+PARAMETERS
+
+  policy_definition_reference {
+    policy_definition_id = azurerm_policy_definition.test.id
+    parameter_values     = <<VALUES
+    {
+        "allowedLocations": {"value": "[parameters('allowedLocations')]"}
+    }
+    VALUES
+  }
+
+  policy_definition_group {
+    name = "redundant"
+  }
+
+  policy_definition_group {
+    name         = "group-1"
+    display_name = "Group-Display-1"
+    category     = "My Access Control"
+    description  = "Controls accesses"
+  }
+
+  policy_definition_group {
+    name         = "group-2"
+    display_name = "group-display-2"
+    category     = "My Security Control"
+    description  = "Controls security"
+  }
+
+  policy_definition_group {
+    name         = "group-3"
+    display_name = "group-display-3"
+    category     = "Category-3"
+    description  = "Newly added group 3"
+  }
+}
+`, template, data.RandomInteger, data.RandomInteger)
+}
+
 func (r PolicySetDefinitionResource) template(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {