WIP: cleanup tests

volcanonoodle · volcanonoodle · commit cdce2e510438 · 2025-10-17T20:18:38.000+02:00
diff --git a/internal/resources/cloud/resource_cloud_access_policy_rotating_token_test.go b/internal/resources/cloud/resource_cloud_access_policy_rotating_token_test.go
@@ -2,6 +2,7 @@ package cloud_test
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"strconv"
@@ -18,20 +19,19 @@ import (
 	"github.com/grafana/terraform-provider-grafana/v4/internal/testutils"
 )
 
-// This test covers both the cloud_access_policy and cloud_access_policy_rotating_token resources.
 func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 	t.Parallel()
 	testutils.CheckCloudAPITestsEnabled(t)
 
 	var policy gcom.AuthAccessPolicy
 	var policyToken gcom.AuthToken
-	var policyToken2 gcom.AuthToken
+	var policyTokenAfterRecreation gcom.AuthToken
 
 	rotateAfter := time.Now().Add(time.Hour * 2).UTC()
-	updatedRotateAfter := time.Now().Add(time.Hour * 4).UTC()
+	updatedRotateAfter := rotateAfter.Add(time.Hour * 4)
 	postRotationLifetime := "24h"
-	namePrefix := "test-rotating-token-terraform"
 	expectedExpiresAt := rotateAfter.Add(24 * time.Hour).Format(time.RFC3339)
+	namePrefix := "test-rotating-token-terraform"
 	expectedName := fmt.Sprintf("%s-%d-%s", namePrefix, rotateAfter.Unix(), postRotationLifetime)
 	accessPolicyName := fmt.Sprintf("test-rotating-token-terraform-initial-%s", acctest.RandStringFromCharSet(6, acctest.CharSetAlpha))
 
@@ -40,7 +40,7 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 		CheckDestroy: resource.ComposeTestCheckFunc(
 			testAccCloudAccessPolicyCheckDestroy("prod-us-east-0", &policy),
 			testAccCloudAccessPolicyTokenCheckDestroy("prod-us-east-0", &policyToken),
-			testAccCloudAccessPolicyTokenCheckDestroy("prod-us-east-0", &policyToken2),
+			testAccCloudAccessPolicyTokenCheckDestroy("prod-us-east-0", &policyTokenAfterRecreation),
 		),
 		Steps: []resource.TestStep{
 			// Test that the cloud access policy and rotating token get created
@@ -79,32 +79,7 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "region", "prod-us-east-0"),
 				),
 			},
-			// Test that the token exists and can be manually deleted through the API
-			{
-				Config: testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "", "prod-us-east-0", namePrefix, rotateAfter.Unix(), postRotationLifetime),
-				PreConfig: func() {
-					orgID, err := strconv.ParseInt(*policy.OrgId, 10, 32)
-					if err != nil {
-						t.Fatal(err)
-					}
-					client := testutils.Provider.Meta().(*common.Client).GrafanaCloudAPI
-					_, _, err = client.TokensAPI.DeleteToken(context.Background(), *policyToken.Id).
-						Region("prod-us-east-0").
-						OrgId(int32(orgID)).
-						XRequestId("deleting-token").Execute()
-					if err != nil {
-						t.Fatalf("error getting cloud access policy: %s", err)
-					}
-				},
-			},
-			// Recreate token because it got deleted in the last test
-			{
-				Config: testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "updated", "prod-us-east-0", namePrefix, rotateAfter.Unix(), postRotationLifetime),
-				Check: resource.ComposeTestCheckFunc(
-					testAccCloudAccessPolicyCheckExists("grafana_cloud_access_policy.rotating_token_test", &policy),
-					testAccCloudAccessPolicyTokenCheckExists("grafana_cloud_access_policy_rotating_token.test", &policyToken),
-				),
-			},
+			// Test import
 			{
 				ResourceName:            "grafana_cloud_access_policy_rotating_token.test",
 				ImportState:             true,
@@ -116,56 +91,81 @@ func TestResourceAccessPolicyRotatingToken_Basic(t *testing.T) {
 				Config: testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "", "prod-us-east-0", namePrefix, updatedRotateAfter.Unix(), postRotationLifetime),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCloudAccessPolicyCheckExists("grafana_cloud_access_policy.rotating_token_test", &policy),
-					testAccCloudAccessPolicyTokenCheckExists("grafana_cloud_access_policy_rotating_token.test", &policyToken2),
+					testAccCloudAccessPolicyTokenCheckExists("grafana_cloud_access_policy_rotating_token.test", &policyTokenAfterRecreation),
 					resource.TestCheckResourceAttr("grafana_cloud_access_policy_rotating_token.test", "rotate_after", strconv.Itoa(int(updatedRotateAfter.Unix()))),
-					// Verify the token ID changed (indicating recreation)
 					func(s *terraform.State) error {
-						if policyToken.Id == nil || policyToken2.Id == nil {
+						if policyToken.Id == nil || policyTokenAfterRecreation.Id == nil {
 							return fmt.Errorf("expected token to be recreated, but ID is nil")
 						}
-						if *policyToken.Id == *policyToken2.Id {
+						if *policyToken.Id == *policyTokenAfterRecreation.Id {
 							return fmt.Errorf("expected token to be recreated, but ID remained the same: %s", *policyToken.Id)
 						}
 						return nil
 					},
 				),
 			},
-			// Test import with different values in config vs what is inferred from the name
+			// Make sure token exists
 			{
-				Config:            testAccCloudAccessPolicyRotatingTokenConfigMismatch(accessPolicyName, "", "prod-us-east-0", "different-prefix", time.Now().Add(time.Hour*6).Unix(), "12h"),
-				ResourceName:      "grafana_cloud_access_policy_rotating_token.test",
-				ImportState:       true,
-				ImportStateVerify: false, // We expect this to fail verification
-				ImportStateCheck: func(s []*terraform.InstanceState) error {
-					if len(s) != 1 {
-						return fmt.Errorf("expected 1 state, got %d", len(s))
-					}
-
-					state := s[0]
+				Config: testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "", "prod-us-east-0", "test-no-delete", rotateAfter.Unix(), postRotationLifetime),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudAccessPolicyCheckExists("grafana_cloud_access_policy.rotating_token_test", &policy),
+					testAccCloudAccessPolicyTokenCheckExists("grafana_cloud_access_policy_rotating_token.test", &policyToken),
+				),
+			},
+			// Test that destroy does not actually delete the token (it should only show a warning instead)
+			{
+				Config: testAccCloudAccessPolicyRotatingTokenConfigNoToken(accessPolicyName, "", "prod-us-east-0"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudAccessPolicyCheckExists("grafana_cloud_access_policy.rotating_token_test", &policy),
+					func(s *terraform.State) error {
+						// Verify token still exists in Grafana Cloud API
+						client := testutils.Provider.Meta().(*common.Client).GrafanaCloudAPI
+						orgID, err := strconv.ParseInt(*policy.OrgId, 10, 32)
+						if err != nil {
+							return err
+						}
+						token, _, err := client.TokensAPI.GetToken(context.Background(), *policyToken.Id).
+							Region("prod-us-east-0").
+							OrgId(int32(orgID)).
+							Execute()
+						if err != nil {
+							return fmt.Errorf("expected token to still exist after destroy, but API call failed: %s", err)
+						}
+						if token == nil || token.Id == nil || policyToken.Id == nil {
+							return errors.New("expected token to still exist after destroy, but API response is empty")
+						}
+						if *token.Id != *policyToken.Id {
+							return fmt.Errorf("expected token IDs to be the same (%s) (%s)", *token.Id, *policyToken.Id)
+						}
 
-					// Verify that imported values come from the token name in Grafana Cloud, not the Terraform state we had
-					if state.Attributes["name_prefix"] != namePrefix {
-						return fmt.Errorf("expected name_prefix to be inferred as %s from token name, got %s", namePrefix, state.Attributes["name_prefix"])
-					}
+						// Check that the token resource is no longer in state
+						_, exists := s.RootModule().Resources["grafana_cloud_access_policy_rotating_token.test"]
+						if exists {
+							return fmt.Errorf("expected token resource to be removed from state after destroy, but it still exists")
+						}
 
-					if state.Attributes["rotate_after"] != strconv.Itoa(int(updatedRotateAfter.Unix())) {
-						return fmt.Errorf("expected rotate_after to be inferred as %s from token name, got %s", strconv.Itoa(int(updatedRotateAfter.Unix())), state.Attributes["rotate_after"])
+						return nil
+					},
+				),
+			},
+			// Test that the token exists and can be manually deleted through the API
+			{
+				Config: testAccCloudAccessPolicyRotatingTokenConfigNoToken(accessPolicyName, "", "prod-us-east-0"),
+				PreConfig: func() {
+					orgID, err := strconv.ParseInt(*policy.OrgId, 10, 32)
+					if err != nil {
+						t.Fatal(err)
 					}
-
-					if state.Attributes["post_rotation_lifetime"] != postRotationLifetime {
-						return fmt.Errorf("expected post_rotation_lifetime to be inferred as %s from token name, got %s", postRotationLifetime, state.Attributes["post_rotation_lifetime"])
+					client := testutils.Provider.Meta().(*common.Client).GrafanaCloudAPI
+					_, _, err = client.TokensAPI.DeleteToken(context.Background(), *policyToken.Id).
+						Region("prod-us-east-0").
+						OrgId(int32(orgID)).
+						XRequestId("deleting-token").Execute()
+					if err != nil {
+						t.Fatalf("error getting cloud access policy: %s", err)
 					}
-
-					return nil
 				},
 			},
-			// Test that destroy does not actually delete the token (it should only show a warning instead)
-			{
-				Config:  testAccCloudAccessPolicyRotatingTokenConfigBasic(accessPolicyName, "", "prod-us-east-0", "test-no-delete", rotateAfter.Unix(), postRotationLifetime),
-				Destroy: true,
-				// The plan should be empty since rotating tokens do not get deleted
-				ExpectNonEmptyPlan: false,
-			},
 		},
 	})
 }
@@ -217,6 +217,44 @@ func testAccCloudAccessPolicyRotatingTokenConfigBasic(name, displayName, region
 	`, name, displayName, strings.Join(scopes, `","`), os.Getenv("GRAFANA_CLOUD_ORG"), namePrefix, rotateAfter, region, postRotationLifetime)
 }
 
+func testAccCloudAccessPolicyRotatingTokenConfigNoToken(name, displayName, region string) string {
+	if displayName != "" {
+		displayName = fmt.Sprintf("display_name = \"%s\"", displayName)
+	}
+
+	scopes := []string{
+		"metrics:read",
+		"logs:write",
+		"accesspolicies:read",
+		"accesspolicies:write",
+		"accesspolicies:delete",
+		"datadog:validate",
+	}
+
+	return fmt.Sprintf(`
+	data "grafana_cloud_organization" "current" {
+		slug = "%[4]s"
+	}
+
+	resource "grafana_cloud_access_policy" "rotating_token_test" {
+		region       = "%[5]s"
+		name         = "%[1]s"
+		%[2]s
+
+		scopes = ["%[3]s"]
+
+		realm {
+			type       = "org"
+			identifier = data.grafana_cloud_organization.current.id
+
+			label_policy {
+				selector = "{namespace=\"default\"}"
+			}
+		}
+	}
+	`, name, displayName, strings.Join(scopes, `","`), os.Getenv("GRAFANA_CLOUD_ORG"), region)
+}
+
 func testAccCloudAccessPolicyRotatingTokenConfigMismatch(name, displayName, region string, namePrefix string, rotateAfter int64, postRotationLifetime string) string {
 	if displayName != "" {
 		displayName = fmt.Sprintf("display_name = \"%s\"", displayName)
