feat: add grants to roles

hashicorp · Jul 10, 2020 · 82ff641 · 82ff641
1 parent 13e3638
commit 82ff641
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/internal/provider/resource_role.go b/internal/provider/resource_role.go
@@ -41,6 +41,11 @@ func resourceRole() *schema.Resource {
 				Optional: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
+			roleGrantsKey: {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 	}
 
@@ -72,6 +77,12 @@ func convertRoleToResourceData(u *roles.Role, d *schema.ResourceData) error {
 		}
 	}
 
+	if u.Grants != nil {
+		if err := d.Set(roleGrantsKey, u.Grants); err != nil {
+			return err
+		}
+	}
+
 	d.SetId(u.Id)
 
 	return nil
@@ -100,6 +111,12 @@ func convertResourceDataToRole(d *schema.ResourceData) *roles.Role {
 			u.UserIds = append(u.UserIds, i.(string))
 		}
 	}
+	if val, ok := d.GetOk(roleGrantsKey); ok {
+		grants := val.(*schema.Set).List()
+		for _, i := range grants {
+			u.Grants = append(u.Grants, i.(string))
+		}
+	}
 
 	if d.Id() != "" {
 		u.Id = d.Id()
@@ -120,12 +137,20 @@ func resourceRoleCreate(d *schema.ResourceData, meta interface{}) error {
 	r := convertResourceDataToRole(d)
 	users := r.UserIds
 	groups := r.GroupIds
+	grants := r.Grants
 
 	r, apiErr, err := o.CreateRole(ctx, r)
 	if apiErr != nil || err != nil {
 		return fmt.Errorf("error creating role:\n  API Err: %v\n  Err: %v\n", *apiErr.Message, err)
 	}
 
+	if len(grants) > 0 {
+		r, apiErr, err := r.AddGrants(ctx, grants)
+		if apiErr != nil || err != nil {
+			return fmt.Errorf("error setting grants on role:\n  API Err: %+v\n  Err: %+v\n", *apiErr.Message, err)
+		}
+	}
+
 	if len(users) > 0 || len(groups) > 0 {
 		r, apiErr, err = r.SetPrincipals(ctx, groups, users)
 		if apiErr != nil || err != nil {
@@ -189,6 +214,21 @@ func resourceRoleUpdate(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error updating role:\n  API Err: %v\n  Err: %v\n", *apiErr.Message, err)
 	}
 
+	grants := []string{}
+	if d.HasChange(roleGrantsKey) {
+		grants := d.Get(roleGrantsKey).(*schema.Set).List()
+		for _, grant := range grants {
+			grants = append(grants, grant.(string))
+		}
+	}
+
+	if d.HasChange(roleGrantsKey) {
+		r, apiErr, err := r.SetGrants(ctx, grants)
+		if apiErr != nil || err != nil {
+			return fmt.Errorf("error setting grants on role:\n  API Err: %+v\n  Err: %+v\n", *apiErr.Message, err)
+		}
+	}
+
 	userIDs := []string{}
 	if d.HasChange(roleUsersKey) {
 		users := d.Get(roleUsersKey).(*schema.Set).List()

diff --git a/internal/provider/resource_role_test.go b/internal/provider/resource_role_test.go
@@ -83,6 +83,14 @@ resource "watchtower_role" "foo" {
 	description = "test description"
 	groups = [watchtower_group.foo.id, watchtower_group.bar.id]
 }`
+
+	readonlyGrant     = "id=*;action=read"
+	fooRoleWithGrants = fmt.Sprintf(`
+resource "watchtower_role" "foo" {
+  name "readonly"
+	description = "test description"
+	grants = [%s]
+}`, readonlyGrant)
 )
 
 func TestAccRoleWithUsers(t *testing.T) {