diff --git a/codefresh/cfclient/permission.go b/codefresh/cfclient/permission.go
index 27ca0e9..aaeea94 100644
--- a/codefresh/cfclient/permission.go
+++ b/codefresh/cfclient/permission.go
@@ -142,3 +142,24 @@ func (client *Client) DeletePermission(id string) error {
 return nil
 }
+
+func (client *Client) UpdatePermissionTags(permission *Permission) error {
+
+ fullPath := fmt.Sprintf("/abac/tags/rule/%s", permission.ID)
+
+ body, _ := EncodeToJSON(permission.Tags)
+
+ opts := RequestOptions{
+ Path: fullPath,
+ Method: "POST",
+ Body: body,
+ }
+
+ _, err := client.RequestAPI(&opts)
+
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/codefresh/resource_permission.go b/codefresh/resource_permission.go
index 63039ed..b6b4c49 100644
--- a/codefresh/resource_permission.go
+++ b/codefresh/resource_permission.go
@@ -99,9 +99,6 @@ The tags for which to apply the permission. Supports two custom tags:
 },
 CustomizeDiff: customdiff.All(
 resourcePermissionCustomDiff,
- customdiff.ForceNewIfChange("related_resource", func(ctx context.Context, oldValue, newValue, meta interface{}) bool {
- return true
- }),
 ),
 }
 }
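Review bot: `body, _ := EncodeToJSON(permission.Tags)` in UpdatePermissionTags discards the second return value, presumably the encoding error, so a failed encode would still be POSTed to `/abac/tags/rule/<id>` with whatever `body` holds and may leave the rule with tags other than the configured ones. Check it before building the request: `body, err := EncodeToJSON(permission.Tags)` followed by `if err != nil { return err }`, with the later call becoming `_, err = client.RequestAPI(&opts)`. `permission.ID` is also formatted into the path unchecked; an empty ID yields `/abac/tags/rule/`, so rejecting a nil `permission` or an empty ID up front, `if permission == nil || permission.ID == "" { return errors.New("permission ID is required") }`, keeps the request from reaching a different route than intended (this needs `errors` in the file's imports, which are outside the hunk).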
@@ -163,18 +160,30 @@ func resourcePermissionRead(d *schema.ResourceData, meta interface{}) error {
 func resourcePermissionUpdate(d *schema.ResourceData, meta interface{}) error {
 client := meta.(*cfclient.Client)
-
 permission := *mapResourceToPermission(d)
- resp, err := client.CreatePermission(&permission)
- if err != nil {
- return err
- }
- deleteErr := resourcePermissionDelete(d, meta)
- if deleteErr != nil {
- log.Printf("[WARN] failed to delete permission %v: %v", permission, deleteErr)
+ // In case team, action or relatedResource or resource have changed - a new permission needs to be created (but without recreating the terraform resource as destruction of resources is alarming for end users)
+ if d.HasChanges("team", "action", "related_resource", "resource") {
+ deleteErr := resourcePermissionDelete(d, meta)
+
+ if deleteErr != nil {
+ log.Printf("[WARN] failed to delete permission %v: %v", permission, deleteErr)
+ }
+
+ resp, err := client.CreatePermission(&permission)
+
+ if err != nil {
+ return err
+ }
+
+ d.SetId(resp.ID)
+ // Only tags can be updated
+ } else if d.HasChange("tags") {
+ err := client.UpdatePermissionTags(&permission)
+ if err != nil {
+ return err
+ }
 }
- d.SetId(resp.ID)
 return resourcePermissionRead(d, meta)
 }
diff --git a/codefresh/resource_permission_test.go b/codefresh/resource_permission_test.go
index f2b9d16..0b4ec91 100644
--- a/codefresh/resource_permission_test.go
+++ b/codefresh/resource_permission_test.go
@@ -27,7 +27,7 @@ func TestAccCodefreshPermissionConfig(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "action", "create"),
 resource.TestCheckResourceAttr(resourceName, "resource", "pipeline"),
 resource.TestCheckResourceAttr(resourceName, "tags.0", "*"),
- resource.TestCheckResourceAttr(resourceName, "related_resource",""),
+ resource.TestCheckResourceAttr(resourceName, "related_resource", ""),
 resource.TestCheckResourceAttr(resourceName, "tags.1", "production"),
 ),
 },
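Review bot: In the `d.HasChanges("team", "action", "related_resource", "resource")` branch of resourcePermissionUpdate a failed `resourcePermissionDelete` is only logged at WARN, after which the code still calls `CreatePermission` and `d.SetId(resp.ID)`, so the previous rule can remain active on the server while Terraform state no longer references it, leaving an access grant that nothing manages or revokes. Returning the error keeps state pointing at the rule that still exists: `if deleteErr != nil { return deleteErr }`. The order is now delete-then-create, so when `CreatePermission` fails the rule is already gone while state still holds the old ID; the removed code created first, and a comment stating that this window is accepted would make the intent explicit. `resourcePermissionDelete` is not shown in the hunk, so whether it clears the resource ID on success cannot be confirmed from here.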