NSOF-5754 roles: don't add privs that were not requested by the config to make roles consistent

Author: hod-alpert

docs/data-sources/role.md

@@ -45,7 +45,7 @@ output "role_by_name" {
 - **all_write_privileges** (Boolean)
 - **apply_to_orgs** (List of String) indicates which orgs this role applies to. By default, it is applied to current org.
 - **description** (String)
-- **privileges** (List of String) Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc.
+- **privileges** (Set of String) Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc.
 - **suborgs_expression** (String) Allows grouping of entities according to their tags. Filtering by tag value is also supported, if provided. Supported operations: AND, OR, XOR, parenthesis.
 
 

docs/resources/role.md

@@ -47,7 +47,7 @@ resource "pfptmeta_role" "with_privileges" {
 - **all_write_privileges** (Boolean)
 - **apply_to_orgs** (List of String) indicates which orgs this role applies to. By default, it is applied to current org.
 - **description** (String)
-- **privileges** (List of String) Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc.
+- **privileges** (Set of String) Privileges to be assigned to the new role. It has the following structure - `resource:read/write` For example, metaports:read etc.
 - **suborgs_expression** (String) Allows grouping of entities according to their tags. Filtering by tag value is also supported, if provided. Supported operations: AND, OR, XOR, parenthesis.
 
 ### Read-Only

internal/client/role.go

@@ -34,12 +34,8 @@ func NewRole(d *schema.ResourceData) *Role {
 	s := d.Get("suborgs_expression").(string)
 	res.SubOrgsExpression = s
 
-	p := d.Get("privileges").([]interface{})
-	privs := make([]string, len(p))
-	for i, priv := range p {
-		privs[i] = priv.(string)
-	}
-	res.Privileges = privs
+	p := d.Get("privileges").(*schema.Set)
+	res.Privileges = ResourceTypeSetToStringSlice(p)
 
 	o := d.Get("apply_to_orgs").([]interface{})
 	orgs := make([]string, len(o))

internal/provider/role/common.go

@@ -15,23 +15,35 @@ const (
 	subOrgsExpressionDesc = "Allows grouping of entities according to their tags. Filtering by tag value is also supported, if provided. Supported operations: AND, OR, XOR, parenthesis."
 )
 
-var excludedKeys = []string{"id", "roles"}
+var excludedKeys = []string{"id", "privileges"}
+
+func roleToResource(r *client.Role, d *schema.ResourceData) (diags diag.Diagnostics) {
+	d.SetId(r.ID)
+	err := client.MapResponseToResource(r, d, excludedKeys)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	origPrivs := schema.NewSet(schema.HashString, d.Get("privileges").(*schema.Set).List())
+	newPrivs := &schema.Set{F: schema.HashString}
+	for _, i := range r.Privileges {
+		newPrivs.Add(i)
+	}
+	err = d.Set("privileges", origPrivs.Intersection(newPrivs))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	return
+}
 
 func roleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	var diags diag.Diagnostics
 	c := meta.(*client.Client)
 
 	body := client.NewRole(d)
 	r, err := client.CreateRole(ctx, c, body)
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	d.SetId(r.ID)
-	err = client.MapResponseToResource(r, d, excludedKeys)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-	return diags
+	return roleToResource(r, d)
 }
 func roleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
@@ -58,30 +70,21 @@ func roleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) dia
 		d.SetId("")
 		return diags
 	}
-	err = client.MapResponseToResource(r, d, excludedKeys)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-	d.SetId(r.ID)
-	return diags
+	return roleToResource(r, d)
 }
 
 func roleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	var diags diag.Diagnostics
 	c := meta.(*client.Client)
+
 	id := d.Id()
 	body := client.NewRole(d)
 	r, err := client.UpdateRole(ctx, c, id, body)
 	if err != nil {
 		return diag.FromErr(err)
 	}
-	d.SetId(r.ID)
-	err = client.MapResponseToResource(r, d, excludedKeys)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-	return diags
+	return roleToResource(r, d)
 }
+
 func roleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
 	c := meta.(*client.Client)

internal/provider/role/data_source.go

@@ -27,7 +27,7 @@ func DataSource() *schema.Resource {
 			},
 			"privileges": {
 				Description: privilegesDesc,
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Elem:        &schema.Schema{Type: schema.TypeString},
 				Computed:    true,
 			},

internal/provider/role/resource.go

@@ -33,7 +33,7 @@ func Resource() *schema.Resource {
 			},
 			"privileges": {
 				Description: privilegesDesc,
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Elem: &schema.Schema{
 					Type:             schema.TypeString,
 					ValidateDiagFunc: common.ValidatePattern(common.PrivilegesPattern)},