Merge pull request #1154 from hashicorp/brandonc/update_query_policyset

Unfork #1108
hashicorp · Nov 28, 2023 · 81a5e86 · 81a5e86
2 parents f217b6e + b011c3f
commit 81a5e86
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@
 BREAKING CHANGES:
 * `r/tfe_workspace`: Default value of the `execution_mode` field now uses the organization's `default_execution_mode`. If no `default_execution_mode` has been set, the default `execution_mode` will be unchanged (i.e. `remote`).
 
+BUG FIXES:
+* `r/tfe_policy`: Fix the provider ignoring updates to the `query` field, by @skeggse [1108](https://github.com/hashicorp/terraform-provider-tfe/pull/1108)
+
 FEATURES:
 * `d/tfe_registry_module`: Add `vcs_repo.tags` and `vcs_repo.branch` attributes to allow configuration of `publishing_mechanism`. Add `test_config` to support running tests on `branch`-based registry modules, by @hashimoon [1096](https://github.com/hashicorp/terraform-provider-tfe/pull/1096)
 * **New Resource**: `r/tfe_organization_default_execution_mode` is a new resource to set the `default_execution_mode` and `default_agent_pool_id` for an organization, by @SwiftEngineer [1137](https://github.com/hashicorp/terraform-provider-tfe/pull/1137)'

diff --git a/internal/provider/resource_tfe_policy.go b/internal/provider/resource_tfe_policy.go
@@ -264,7 +264,7 @@ func resourceTFEPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(ConfiguredClient)
 
 	// nolint:nestif
-	if d.HasChange("description") || d.HasChange("enforce_mode") {
+	if d.HasChange("description") || d.HasChange("enforce_mode") || d.HasChange("query") {
 		// Create a new options struct.
 		options := tfe.PolicyUpdateOptions{}
 
@@ -288,6 +288,10 @@ func resourceTFEPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 			}
 		}
 
+		if query, ok := d.GetOk("query"); ok {
+			options.Query = tfe.String(query.(string))
+		}
+
 		log.Printf("[DEBUG] Update configuration for %s policy: %s", vKind, d.Id())
 		_, err := config.Client.Policies.Update(ctx, d.Id(), options)
 		if err != nil {

diff --git a/internal/provider/resource_tfe_policy_test.go b/internal/provider/resource_tfe_policy_test.go
@@ -13,7 +13,6 @@ import (
 )
 
 func TestAccTFEPolicy_basic(t *testing.T) {
-	skipUnlessBeta(t)
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
 		t.Fatal(err)
@@ -52,7 +51,6 @@ func TestAccTFEPolicy_basic(t *testing.T) {
 }
 
 func TestAccTFEPolicy_basicWithDefaults(t *testing.T) {
-	skipUnlessBeta(t)
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
 		t.Fatal(err)
@@ -91,7 +89,6 @@ func TestAccTFEPolicy_basicWithDefaults(t *testing.T) {
 }
 
 func TestAccTFEPolicyOPA_basic(t *testing.T) {
-	skipUnlessBeta(t)
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
 		t.Fatal(err)
@@ -132,7 +129,6 @@ func TestAccTFEPolicyOPA_basic(t *testing.T) {
 }
 
 func TestAccTFEPolicy_update(t *testing.T) {
-	skipUnlessBeta(t)
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
 		t.Fatal(err)
@@ -154,6 +150,7 @@ func TestAccTFEPolicy_update(t *testing.T) {
 					testAccCheckTFEPolicyExists(
 						"tfe_policy.foobar", policy),
 					testAccCheckTFEPolicyAttributes(policy),
+					testAccCheckTFEPolicyContent(policy, "main = rule { true }"),
 					resource.TestCheckResourceAttr(
 						"tfe_policy.foobar", "name", "policy-test"),
 					resource.TestCheckResourceAttr(
@@ -173,6 +170,7 @@ func TestAccTFEPolicy_update(t *testing.T) {
 					testAccCheckTFEPolicyExists(
 						"tfe_policy.foobar", policy),
 					testAccCheckTFEPolicyAttributesUpdated(policy),
+					testAccCheckTFEPolicyContent(policy, "main = rule { false }"),
 					resource.TestCheckResourceAttr(
 						"tfe_policy.foobar", "name", "policy-test"),
 					resource.TestCheckResourceAttr(
@@ -244,7 +242,6 @@ func TestAccTFEPolicy_unsetEnforce(t *testing.T) {
 }
 
 func TestAccTFEPolicyOPA_update(t *testing.T) {
-	skipUnlessBeta(t)
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
 		t.Fatal(err)
@@ -266,6 +263,7 @@ func TestAccTFEPolicyOPA_update(t *testing.T) {
 					testAccCheckTFEPolicyExists(
 						"tfe_policy.foobar", policy),
 					testAccCheckTFEOPAPolicyAttributes(policy),
+					testAccCheckTFEPolicyContent(policy, "package example rule[\"not allowed\"] { false }"),
 					resource.TestCheckResourceAttr(
 						"tfe_policy.foobar", "name", "policy-test"),
 					resource.TestCheckResourceAttr(
@@ -287,14 +285,15 @@ func TestAccTFEPolicyOPA_update(t *testing.T) {
 					testAccCheckTFEPolicyExists(
 						"tfe_policy.foobar", policy),
 					testAccCheckTFEOPAPolicyAttributesUpdated(policy),
+					testAccCheckTFEPolicyContent(policy, "package example ruler[\"not allowed\"] { true }"),
 					resource.TestCheckResourceAttr(
 						"tfe_policy.foobar", "name", "policy-test"),
 					resource.TestCheckResourceAttr(
 						"tfe_policy.foobar", "description", "An updated test policy"),
 					resource.TestCheckResourceAttr(
-						"tfe_policy.foobar", "policy", "package example rule[\"not allowed\"] { true }"),
+						"tfe_policy.foobar", "policy", "package example ruler[\"not allowed\"] { true }"),
 					resource.TestCheckResourceAttr(
-						"tfe_policy.foobar", "query", "data.example.rule"),
+						"tfe_policy.foobar", "query", "data.example.ruler"),
 					resource.TestCheckResourceAttr(
 						"tfe_policy.foobar", "enforce_mode", "advisory"),
 				),
@@ -304,7 +303,6 @@ func TestAccTFEPolicyOPA_update(t *testing.T) {
 }
 
 func TestAccTFEPolicy_import(t *testing.T) {
-	skipUnlessBeta(t)
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
 		t.Fatal(err)
@@ -362,6 +360,22 @@ func testAccCheckTFEPolicyExists(
 	}
 }
 
+func testAccCheckTFEPolicyContent(policy *tfe.Policy, content string) resource.TestCheckFunc {
+	return func(_ *terraform.State) error {
+		config := testAccProvider.Meta().(ConfiguredClient)
+
+		b, err := config.Client.Policies.Download(ctx, policy.ID)
+		if err != nil {
+			return fmt.Errorf("Problem downloading policy content: %w", err)
+		}
+		s := string(b)
+		if s != content {
+			return fmt.Errorf("Policy content didn't match. Expected: %q; got: %q", content, s)
+		}
+		return nil
+	}
+}
+
 func testAccCheckTFEPolicyAttributes(
 	policy *tfe.Policy) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -388,6 +402,10 @@ func testAccCheckTFEOPAPolicyAttributes(
 			return fmt.Errorf("Bad enforce mode: %s", policy.Enforce[0].Mode)
 		}
 
+		if *policy.Query != "data.example.rule" {
+			return fmt.Errorf("Bad OPA query string: %s", *policy.Query)
+		}
+
 		return nil
 	}
 }
@@ -438,6 +456,10 @@ func testAccCheckTFEOPAPolicyAttributesUpdated(
 			return fmt.Errorf("Bad enforce mode: %s", policy.Enforce[0].Mode)
 		}
 
+		if *policy.Query != "data.example.ruler" {
+			return fmt.Errorf("Bad OPA query string: %s", *policy.Query)
+		}
+
 		return nil
 	}
 }
@@ -525,8 +547,8 @@ resource "tfe_policy" "foobar" {
   description  = "An updated test policy"
   organization = "%s"
   kind         = "opa"
-  policy       = "package example rule[\"not allowed\"] { true }"
-  query        = "data.example.rule"
+  policy       = "package example ruler[\"not allowed\"] { true }"
+  query        = "data.example.ruler"
   enforce_mode = "advisory"
 }`, organization)
 }