Merge pull request #83 from authzed/fix-state-drift

fix: prevent state drift in special fields for all resources

Author: Verolop

internal/provider/policy_resource.go

@@ -11,6 +11,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
@@ -51,6 +53,9 @@ func (r *policyResource) Schema(_ context.Context, _ resource.SchemaRequest, res
 			"id": schema.StringAttribute{
 				Computed:    true,
 				Description: "Unique identifier for this resource",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
 			},
 			"name": schema.StringAttribute{
 				Required:    true,
@@ -76,14 +81,22 @@ func (r *policyResource) Schema(_ context.Context, _ resource.SchemaRequest, res
 			"created_at": schema.StringAttribute{
 				Computed:    true,
 				Description: "Timestamp when the policy was created",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
 			},
 			"creator": schema.StringAttribute{
 				Computed:    true,
 				Description: "User who created the policy",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
 			},
 			"etag": schema.StringAttribute{
-				Computed:    true,
-				Description: "Version identifier used to prevent conflicts from concurrent updates, ensuring safe resource modifications",
+				Computed: true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
 			},
 		},
 	}
@@ -137,18 +150,21 @@ func (r *policyResource) Create(ctx context.Context, req resource.CreateRequest,
 
 	createdPolicyWithETag, err := r.client.CreatePolicy(ctx, policy)
 	if err != nil {
-		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to create policy, got error: %s", err))
+		resp.Diagnostics.AddError("Error creating Policy", err.Error())
 		return
 	}
 
-	createdPolicy := createdPolicyWithETag.Policy
-	data.ID = types.StringValue(createdPolicy.ID)
-	data.CreatedAt = types.StringValue(createdPolicy.CreatedAt)
-	data.Creator = types.StringValue(createdPolicy.Creator)
+	data.ID = types.StringValue(createdPolicyWithETag.Policy.ID)
+	data.CreatedAt = types.StringValue(createdPolicyWithETag.Policy.CreatedAt)
+	if createdPolicyWithETag.Policy.Creator == "" {
+		data.Creator = types.StringNull()
+	} else {
+		data.Creator = types.StringValue(createdPolicyWithETag.Policy.Creator)
+	}
 	data.ETag = types.StringValue(createdPolicyWithETag.ETag)
 
 	// Update role IDs in case the order or values changed
-	roleIDList, diags := types.ListValueFrom(ctx, types.StringType, createdPolicy.RoleIDs)
+	roleIDList, diags := types.ListValueFrom(ctx, types.StringType, createdPolicyWithETag.Policy.RoleIDs)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
@@ -181,11 +197,16 @@ func (r *policyResource) Read(ctx context.Context, req resource.ReadRequest, res
 	policy := policyWithETag.Policy
 
 	// Map response to model
+	data.ID = types.StringValue(policy.ID)
 	data.Name = types.StringValue(policy.Name)
 	data.Description = types.StringValue(policy.Description)
 	data.PrincipalID = types.StringValue(policy.PrincipalID)
 	data.CreatedAt = types.StringValue(policy.CreatedAt)
-	data.Creator = types.StringValue(policy.Creator)
+	if policy.Creator == "" {
+		data.Creator = types.StringNull()
+	} else {
+		data.Creator = types.StringValue(policy.Creator)
+	}
 	data.ETag = types.StringValue(policyWithETag.ETag)
 
 	// Map role IDs
@@ -195,7 +216,6 @@ func (r *policyResource) Read(ctx context.Context, req resource.ReadRequest, res
 		return
 	}
 	data.RoleIDs = roleIDList
-
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }
 
@@ -220,38 +240,37 @@ func (r *policyResource) Update(ctx context.Context, req resource.UpdateRequest,
 		return
 	}
 
-	// Create policy with updated data
+	// Create policy with updated data - use state values for immutable fields
 	policy := &models.Policy{
-		ID:                  data.ID.ValueString(),
+		ID:                  state.ID.ValueString(), // Use state for immutable ID
 		Name:                data.Name.ValueString(),
 		Description:         data.Description.ValueString(),
 		PermissionsSystemID: data.PermissionsSystemID.ValueString(),
 		PrincipalID:         data.PrincipalID.ValueString(),
 		RoleIDs:             roleIDs,
+		CreatedAt:           state.CreatedAt.ValueString(), // Preserve immutable CreatedAt
+	}
+
+	// Handle Creator field - it might be null in state
+	if !state.Creator.IsNull() {
+		policy.Creator = state.Creator.ValueString()
 	}
 
 	// Coordinate operations to prevent conflicts
 	permissionSystemID := data.PermissionsSystemID.ValueString()
 	r.fgamCoordinator.Lock(permissionSystemID)
 	defer r.fgamCoordinator.Unlock(permissionSystemID)
 
-	// Use the ETag from state for optimistic concurrency control
 	updatedPolicyWithETag, err := r.client.UpdatePolicy(ctx, policy, state.ETag.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to update policy, got error: %s", err))
 		return
 	}
 
 	// Update resource data with the response
-	data.ID = types.StringValue(updatedPolicyWithETag.Policy.ID)
-
-	// If the ID is empty, preserve the original ID
-	if data.ID.ValueString() == "" {
-		data.ID = state.ID
-	}
-
-	data.CreatedAt = types.StringValue(updatedPolicyWithETag.Policy.CreatedAt)
-	data.Creator = types.StringValue(updatedPolicyWithETag.Policy.Creator)
+	data.ID = state.ID
+	data.CreatedAt = state.CreatedAt
+	data.Creator = state.Creator
 	data.ETag = types.StringValue(updatedPolicyWithETag.ETag)
 
 	// Update role IDs in case the order or values changed

internal/provider/resource_policy_test.go

@@ -136,6 +136,59 @@ func TestAccAuthzedPolicy_validation(t *testing.T) {
 	})
 }
 
+func TestAccAuthzedPolicy_noDrift(t *testing.T) {
+	resourceName := "authzed_policy.test"
+	testID := helpers.GenerateTestID("test-policy-drift")
+	roleName := fmt.Sprintf("%s-role", testID)
+	updatedDescription := "Updated test policy description"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckPolicyDestroy,
+		Steps: []resource.TestStep{
+			// Create initial policy
+			{
+				Config: testAccPolicyConfig_basic(testID, roleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckPolicyExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", "Test policy description"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+				),
+			},
+			// Verify no drift on second plan - this is the key test
+			{
+				Config:   testAccPolicyConfig_basic(testID, roleName),
+				PlanOnly: true,
+				// If there's drift in computed fields (id, created_at, creator, etag),
+				// this step will fail because Terraform will detect changes
+			},
+			// Update mutable fields and verify computed fields don't drift
+			{
+				Config: testAccPolicyConfig_update(testID, roleName, updatedDescription),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckPolicyExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", updatedDescription),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+				),
+			},
+			{
+				Config:   testAccPolicyConfig_update(testID, roleName, updatedDescription),
+				PlanOnly: true,
+				// This verifies that after an update, computed fields don't show as changing
+			},
+		},
+	})
+}
+
 // Helper functions
 
 func testAccCheckPolicyExists(resourceName string) resource.TestCheckFunc {

internal/provider/resource_role_test.go

@@ -176,6 +176,55 @@ func TestAccAuthzedRole_validation(t *testing.T) {
 	})
 }
 
+func TestAccAuthzedRole_noDrift(t *testing.T) {
+	resourceName := "authzed_role.test"
+	testID := helpers.GenerateTestID("test-role-drift")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckRoleDestroy,
+		Steps: []resource.TestStep{
+			// Create initial role
+			{
+				Config: testAccRoleConfig_basic(testID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckRoleExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", "Test role description"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+				),
+			},
+			// Verify no drift on second plan. Critical path.
+			{
+				Config:   testAccRoleConfig_basic(testID),
+				PlanOnly: true,
+			},
+			// Update permissions and verify computed fields don't drift
+			{
+				Config: testAccRoleConfig_updatePermissions(testID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckRoleExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+				),
+			},
+			// Verify no drift after update - computed fields should remain stable
+			{
+				Config:   testAccRoleConfig_updatePermissions(testID),
+				PlanOnly: true,
+				// This verifies that after an update, computed fields don't show as changing
+			},
+		},
+	})
+}
+
 // Helper functions
 
 func testAccCheckRoleExists(resourceName string) resource.TestCheckFunc {

internal/provider/resource_service_account_test.go

@@ -124,6 +124,54 @@ func TestAccAuthzedServiceAccount_validation(t *testing.T) {
 	})
 }
 
+func TestAccAuthzedServiceAccount_noDrift(t *testing.T) {
+	resourceName := "authzed_service_account.test"
+	testID := helpers.GenerateTestID("test-service-account-drift")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckServiceAccountDestroy,
+		Steps: []resource.TestStep{
+			// Create initial service account
+			{
+				Config: testAccServiceAccountConfig_basic(testID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServiceAccountExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", "Test service account description"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+				),
+			},
+			{
+				Config:   testAccServiceAccountConfig_basic(testID),
+				PlanOnly: true,
+			},
+			{
+				Config: testAccServiceAccountConfig_updated(testID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServiceAccountExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", "Updated test service account description"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+				),
+			},
+			// Verify no drift after update - computed fields should remain stable
+			{
+				Config:   testAccServiceAccountConfig_updated(testID),
+				PlanOnly: true,
+				// This verifies that after an update, computed fields don't show as changing
+			},
+		},
+	})
+}
+
 // Helper functions
 
 func testAccCheckServiceAccountExists(resourceName string) resource.TestCheckFunc {

internal/provider/resource_token_test.go

@@ -161,6 +161,56 @@ func TestAccAuthzedToken_validation(t *testing.T) {
 	})
 }
 
+func TestAccAuthzedToken_noDrift(t *testing.T) {
+	resourceName := "authzed_token.test"
+	testID := helpers.GenerateTestID("test-token-drift")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckTokenDestroy,
+		Steps: []resource.TestStep{
+			// Create initial token
+			{
+				Config: testAccTokenConfig_basic(testID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTokenExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", "Test token description"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+					resource.TestCheckResourceAttrSet(resourceName, "hash"),
+				),
+			},
+			{
+				Config:   testAccTokenConfig_basic(testID),
+				PlanOnly: true,
+			},
+			// Update mutable fields and verify computed fields don't drift
+			{
+				Config: testAccTokenConfig_updated(testID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTokenExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", testID),
+					resource.TestCheckResourceAttr(resourceName, "description", "Updated test token description"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "creator"),
+					resource.TestCheckResourceAttrSet(resourceName, "etag"),
+					resource.TestCheckResourceAttrSet(resourceName, "hash"),
+				),
+			},
+			{
+				Config:   testAccTokenConfig_updated(testID),
+				PlanOnly: true,
+				// This verifies that after an update, computed fields don't show as changing
+			},
+		},
+	})
+}
+
 // Helper functions
 
 func testAccCheckTokenExists(resourceName string) resource.TestCheckFunc {