WIP: fixes

Author: volcanonoodle

internal/resources/cloud/resource_cloud_access_policy_rotating_token.go

@@ -24,7 +24,6 @@ var (
 	emptyTokenRotationValueError = errors.New("empty value for required field")
 )
 
-// TODO: Test importing existing tokens
 func resourceAccessPolicyRotatingToken() *common.Resource {
 	schema := &schema.Resource{
 
@@ -203,10 +202,25 @@ func getRotatingTokenRotateAfter(d getter) (*time.Time, error) {
 }
 
 func computeRotatingTokenName(d getter) (string, error) {
+	namePrefix := d.Get("name_prefix").(string)
+	if namePrefix == "" {
+		return "", emptyTokenRotationValueError
+	}
+
+	postRotationLifetime := d.Get("post_rotation_lifetime").(string)
+	if postRotationLifetime == "" {
+		return "", emptyTokenRotationValueError
+	}
+
+	rotateAfterInt, ok := d.Get("rotate_after").(int)
+	if !ok || rotateAfterInt == 0 {
+		return "", emptyTokenRotationValueError
+	}
+
 	attrs := rotatingTokenNameAttributes{
-		namePrefix:           d.Get("name_prefix").(string),
-		postRotationLifetime: d.Get("post_rotation_lifetime").(string),
-		rotateAfter:          d.Get("rotate_after").(int),
+		namePrefix:           namePrefix,
+		postRotationLifetime: postRotationLifetime,
+		rotateAfter:          rotateAfterInt,
 	}
 
 	return attrs.computedName(), nil

internal/resources/cloud/resource_cloud_access_policy_rotating_token_test.go

@@ -12,6 +12,7 @@ import (
 	"github.com/grafana/grafana-com-public-clients/go/gcom"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
 	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
 	"github.com/grafana/terraform-provider-grafana/v4/internal/testutils"
@@ -24,21 +25,22 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 
 	var policy gcom.AuthAccessPolicy
 	var policyToken gcom.AuthToken
+	var policyToken2 gcom.AuthToken
 
-	// Set up rotation parameters
 	rotateAfter := time.Now().Add(time.Hour * 2).UTC()
+	updatedRotateAfter := time.Now().Add(time.Hour * 4).UTC()
 	postRotationLifetime := "24h"
-	namePrefix := "test-rotating"
+	namePrefix := "test-rotating-token-terraform"
 	expectedExpiresAt := rotateAfter.Add(24 * time.Hour).Format(time.RFC3339)
 	expectedName := fmt.Sprintf("%s-%d-%s", namePrefix, rotateAfter.Unix(), postRotationLifetime)
-
-	accessPolicyName := fmt.Sprintf("initial-%s", acctest.RandStringFromCharSet(6, acctest.CharSetAlpha))
+	accessPolicyName := fmt.Sprintf("test-rotating-token-terraform-initial-%s", acctest.RandStringFromCharSet(6, acctest.CharSetAlpha))
 
 	resource.Test(t, resource.TestCase{
 		ProtoV5ProviderFactories: testutils.ProtoV5ProviderFactories,
 		CheckDestroy: resource.ComposeTestCheckFunc(
 			testAccCloudAccessPolicyCheckDestroy("prod-us-east-0", &policy),
 			testAccCloudAccessPolicyTokenCheckDestroy("prod-us-east-0", &policyToken),
+			testAccCloudAccessPolicyTokenCheckDestroy("prod-us-east-0", &policyToken2),
 		),
 		Steps: []resource.TestStep{
 			// Test that the cloud access policy and rotating token get created
@@ -52,7 +54,7 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "name", expectedName),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "expires_at", expectedExpiresAt),
 					// Input fields
-					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "name_prefix", "test-rotating"),
+					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "name_prefix", namePrefix),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "rotate_after", strconv.FormatInt(rotateAfter.Unix(), 10)),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "post_rotation_lifetime", postRotationLifetime),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "region", "prod-us-east-0"),
@@ -71,7 +73,7 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "name", expectedName),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "expires_at", expectedExpiresAt),
 					// Input fields
-					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "name_prefix", "test-rotating"),
+					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "name_prefix", namePrefix),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "rotate_after", strconv.FormatInt(rotateAfter.Unix(), 10)),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "post_rotation_lifetime", postRotationLifetime),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "region", "prod-us-east-0"),
@@ -109,6 +111,54 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"token"},
 			},
+			// Test rotation time change should force recreation
+			{
+				Config: testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "", "prod-us-east-0", namePrefix, updatedRotateAfter.Unix(), postRotationLifetime),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudAccessPolicyCheckExists("grafana_cloud_access_policy.rotating_token_test", &policy),
+					testAccCloudAccessPolicyTokenCheckExists("grafana_cloud_access_policy_rotating_token.test", &policyToken2),
+					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "rotate_after", strconv.Itoa(int(updatedRotateAfter.Unix()))),
+					// Verify the token ID changed (indicating recreation)
+					func(s *terraform.State) error {
+						if policyToken.Id == nil || policyToken2.Id == nil {
+							return fmt.Errorf("expected token to be recreated, but ID is nil")
+						}
+						if *policyToken.Id == *policyToken2.Id {
+							return fmt.Errorf("expected token to be recreated, but ID remained the same: %s", *policyToken.Id)
+						}
+						return nil
+					},
+				),
+			},
+			// Test import with different values in config vs what is inferred from the name
+			{
+				Config:            testAccCloudAccessPolicyRotatingTokenConfigMismatch(accessPolicyName, "", "prod-us-east-0", "different-prefix", time.Now().Add(time.Hour*6).Unix(), "12h"),
+				ResourceName:      "grafana_cloud_access_policy_rotating_token.test",
+				ImportState:       true,
+				ImportStateVerify: false, // We expect this to fail verification
+				ImportStateCheck: func(s []*terraform.InstanceState) error {
+					if len(s) != 1 {
+						return fmt.Errorf("expected 1 state, got %d", len(s))
+					}
+
+					state := s[0]
+
+					// Verify that imported values come from the token name in Grafana Cloud, not the Terraform state we had
+					if state.Attributes["name_prefix"] != namePrefix {
+						return fmt.Errorf("expected name_prefix to be inferred as %s from token name, got %s", namePrefix, state.Attributes["name_prefix"])
+					}
+
+					if state.Attributes["rotate_after"] != strconv.Itoa(int(updatedRotateAfter.Unix())) {
+						return fmt.Errorf("expected rotate_after to be inferred as %s from token name, got %s", strconv.Itoa(int(updatedRotateAfter.Unix())), state.Attributes["rotate_after"])
+					}
+
+					if state.Attributes["post_rotation_lifetime"] != postRotationLifetime {
+						return fmt.Errorf("expected post_rotation_lifetime to be inferred as %s from token name, got %s", postRotationLifetime, state.Attributes["post_rotation_lifetime"])
+					}
+
+					return nil
+				},
+			},
 			// Test that destroy does not actually delete the token (it should only show a warning instead)
 			{
 				Config:  testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "", "prod-us-east-0", "test-no-delete", rotateAfter.Unix(), postRotationLifetime),
@@ -166,3 +216,50 @@ func testAccCloudAccessPolicyRotatingTokenConfigBasic(name, displayName, region
 	}
 	`, name, displayName, strings.Join(scopes, `","`), os.Getenv("GRAFANA_CLOUD_ORG"), namePrefix, rotateAfter, region, postRotationLifetime)
 }
+
+func testAccCloudAccessPolicyRotatingTokenConfigMismatch(name, displayName, region string, namePrefix string, rotateAfter int64, postRotationLifetime string) string {
+	if displayName != "" {
+		displayName = fmt.Sprintf("display_name = \"%s\"", displayName)
+	}
+
+	scopes := []string{
+		"metrics:read",
+		"logs:write",
+		"accesspolicies:read",
+		"accesspolicies:write",
+		"accesspolicies:delete",
+		"datadog:validate",
+	}
+
+	return fmt.Sprintf(`
+	data "grafana_cloud_organization" "current" {
+		slug = "%[4]s"
+	}
+
+	resource "grafana_cloud_access_policy" "rotating_token_test" {
+		region       = "%[7]s"
+		name         = "%[1]s"
+		%[2]s
+
+		scopes = ["%[3]s"]
+
+		realm {
+			type       = "org"
+			identifier = data.grafana_cloud_organization.current.id
+
+			label_policy {
+				selector = "{namespace=\"default\"}"
+			}
+		}
+	}
+
+	resource "grafana_cloud_access_policy_rotating_token" "test" {
+		region                  = "%[7]s"
+		access_policy_id        = grafana_cloud_access_policy.rotating_token_test.policy_id
+		name_prefix             = "%[5]s"
+		rotate_after            = "%[6]d"
+		post_rotation_lifetime  = "%[8]s"
+		%[2]s
+	}
+	`, name, displayName, strings.Join(scopes, `","`), os.Getenv("GRAFANA_CLOUD_ORG"), namePrefix, rotateAfter, region, postRotationLifetime)
+}

internal/resources/cloud/resource_cloud_access_policy_token_test.go

@@ -221,7 +221,7 @@ func testAccCloudAccessPolicyTokenCheckExists(rn string, a *gcom.AuthToken) reso
 
 func testAccCloudAccessPolicyCheckDestroy(region string, a *gcom.AuthAccessPolicy) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		if a == nil {
+		if a == nil || a.Id == nil {
 			return nil
 		}
 		client := testutils.Provider.Meta().(*common.Client).GrafanaCloudAPI
@@ -236,7 +236,7 @@ func testAccCloudAccessPolicyCheckDestroy(region string, a *gcom.AuthAccessPolic
 
 func testAccCloudAccessPolicyTokenCheckDestroy(region string, a *gcom.AuthToken) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		if a == nil {
+		if a == nil || a.Id == nil {
 			return nil
 		}
 		client := testutils.Provider.Meta().(*common.Client).GrafanaCloudAPI