progress on improving account_member

Author: steve-thousand

internal/services/account_member/custom.go

@@ -3,43 +3,80 @@ package account_member
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/apijson"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/customfield"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
+type ConfiguredPermissionType int
+
+const (
+	Unknown ConfiguredPermissionType = iota
+	Policies
+	Roles
+)
+
+// Given a config value, determine which permission type is configured. This
+// should only be called with the config value, never the plan or state value.
+func checkConfiguredPermissionType(configuredModel *AccountMemberModel) ConfiguredPermissionType {
+	permissionType := Unknown
+
+	if !configuredModel.Roles.IsNull() && len(configuredModel.Roles.Elements()) > 0 {
+		permissionType = Roles
+	}
+	if !configuredModel.Policies.IsNull() && len(configuredModel.Policies.Elements()) > 0 {
+		if permissionType == Roles {
+			// if both are found, return Unknown
+			return Unknown
+		}
+		return Policies
+	}
+	return permissionType
+}
+
 func (m AccountMemberModel) marshalCustom() (data []byte, err error) {
 	return apijson.MarshalRoot(m)
 }
 
-func (m AccountMemberModel) marshalCustomForUpdate(state AccountMemberModel) (data []byte, err error) {
+func (m AccountMemberModel) marshalCustomForUpdate(state AccountMemberModel, configuredPermissionType ConfiguredPermissionType) (data []byte, err error) {
 	data, err = apijson.MarshalForUpdate(m, state)
 	if err != nil {
 		return
 	}
 
-	if m.Roles == nil || len(*m.Roles) == 0 {
-		return
-	}
-
 	var payload map[string]interface{}
 	if err = json.Unmarshal(data, &payload); err != nil {
 		return
 	}
 
-	// Transform roles: ["role_id"] -> [{"id": "role_id"}]
-	roleObjects := make([]map[string]interface{}, 0, len(*m.Roles))
-	for _, role := range *m.Roles {
-		if !role.IsNull() && !role.IsUnknown() {
-			roleObjects = append(roleObjects, map[string]interface{}{
-				"id": role.ValueString(),
-			})
+	if configuredPermissionType == Roles {
+		delete(payload, "policies")
+
+		roles := m.Roles.Elements()
+
+		// Transform roles: ["role_id"] -> [{"id": "role_id"}]
+		roleObjects := make([]map[string]interface{}, 0, len(roles))
+		for _, role := range roles {
+			if !role.IsNull() && !role.IsUnknown() {
+				roleString, ok := role.(types.String)
+				if !ok {
+					return nil, fmt.Errorf("unexpected role type: %T", role)
+				}
+				roleObjects = append(roleObjects, map[string]interface{}{
+					"id": roleString.ValueString(),
+				})
+			}
+		}
+
+		if len(roleObjects) > 0 {
+			payload["roles"] = roleObjects
 		}
 	}
 
-	if len(roleObjects) > 0 {
-		payload["roles"] = roleObjects
+	if configuredPermissionType == Policies {
+		delete(payload, "roles")
 	}
 
 	// Ensure account_id is included for the API even though it's a path param
@@ -51,75 +88,76 @@ func (m AccountMemberModel) marshalCustomForUpdate(state AccountMemberModel) (da
 }
 
 func unmarshalCustom(data []byte, configuredModel *AccountMemberModel) (*AccountMemberModel, error) {
+	ctx := context.Background()
 	var env AccountMemberResultEnvelope
-	if err := apijson.UnmarshalComputed(data, &env); err != nil {
+	if err := apijson.Unmarshal(data, &env); err != nil {
 		return nil, err
 	}
+	result := &env.Result
+
+	result.AccountID = configuredModel.AccountID
+
+	return parsePoliciesAndRoles(ctx, data, result)
+}
 
+func unmarshalComputedCustom(data []byte, configuredModel *AccountMemberModel) (*AccountMemberModel, error) {
+	ctx := context.Background()
+	var env AccountMemberResultEnvelope
+	if err := apijson.UnmarshalComputed(data, &env); err != nil {
+		return nil, err
+	}
 	result := &env.Result
 
-	// Preserve required fields from configured model to avoid replacement
 	result.AccountID = configuredModel.AccountID
-	result.Email = configuredModel.Email
+	if result.Email.IsNull() && !configuredModel.Email.IsNull() {
+		// Preserve required fields from configured model to avoid replacement
+		result.Email = configuredModel.Email
+	}
 
 	// Only preserve status if it was explicitly configured
 	if !configuredModel.Status.IsNull() && !configuredModel.Status.IsUnknown() {
 		result.Status = configuredModel.Status
 	}
 
-	// Determine comparison strategy based on what's configured in Terraform
-	// as user can use roles or policies to configure the account member
-	configUsesRoles := configuredModel.Roles != nil && len(*configuredModel.Roles) > 0
-	configUsesPolicies := !configuredModel.Policies.IsNull() && !configuredModel.Policies.IsUnknown()
+	return parsePoliciesAndRoles(ctx, data, result)
+}
 
-	if configUsesRoles && !configUsesPolicies {
-		// User configured roles - preserve computed policies from API to prevent diffs
-		// Don't modify result.Policies - let it keep the computed values from API response
+func parsePoliciesAndRoles(ctx context.Context, data []byte, result *AccountMemberModel) (*AccountMemberModel, error) {
+	// Extract role IDs from GET response (roles come as objects with id field)
+	var fullResponse struct {
+		Result struct {
+			Policies []AccountMemberPoliciesModel `json:"policies"`
+			Roles    []struct {
+				ID types.String `json:"id"`
+			} `json:"roles"`
+		} `json:"result"`
+	}
 
-		// Extract role IDs from GET response (roles come as objects with id field)
-		var fullResponse struct {
-			Result struct {
-				Roles []struct {
-					ID string `json:"id"`
-				} `json:"roles"`
-			} `json:"result"`
-		}
+	err := apijson.Unmarshal(data, &fullResponse)
+	if err != nil {
+		return nil, err
+	}
 
-		if err := json.Unmarshal(data, &fullResponse); err == nil && len(fullResponse.Result.Roles) > 0 {
-			roleIDs := make([]types.String, 0, len(fullResponse.Result.Roles))
-			for _, role := range fullResponse.Result.Roles {
-				roleIDs = append(roleIDs, types.StringValue(role.ID))
-			}
-			result.Roles = &roleIDs
-		} else {
-			result.Roles = configuredModel.Roles
-		}
-	} else if configUsesPolicies && !configUsesRoles {
-		// User configured policies - ignore roles, set roles to nil to prevent diffs
-		result.Roles = nil
-
-		// Extract policies from the API response and ensure they match the configured structure
-		var fullResponse struct {
-			Result struct {
-				Policies []AccountMemberPoliciesModel `json:"policies"`
-			} `json:"result"`
-		}
+	roleIDs := make([]types.String, 0, len(fullResponse.Result.Roles))
+	for _, role := range fullResponse.Result.Roles {
+		roleIDs = append(roleIDs, role.ID)
+	}
 
-		if err := json.Unmarshal(data, &fullResponse); err == nil && len(fullResponse.Result.Policies) > 0 {
-			policies := append([]AccountMemberPoliciesModel(nil), fullResponse.Result.Policies...)
-			policiesList, diags := customfield.NewObjectSet(context.Background(), policies)
-			if !diags.HasError() {
-				result.Policies = policiesList
-			} else {
-				result.Policies = configuredModel.Policies
-			}
-		} else {
-			result.Policies = configuredModel.Policies
-		}
+	roleSet, diags := types.SetValueFrom(ctx, types.StringType, roleIDs)
+	if !diags.HasError() {
+		result.Roles = roleSet
+	} else {
+		// TODO what to do here?
+		return result, fmt.Errorf("failed to parse roles")
+	}
+
+	policies := append([]AccountMemberPoliciesModel(nil), fullResponse.Result.Policies...)
+	policiesSet, diags := customfield.NewObjectSet(ctx, policies)
+	if !diags.HasError() {
+		result.Policies = policiesSet
 	} else {
-		// Fallback: preserve configured values
-		result.Roles = configuredModel.Roles
-		result.Policies = configuredModel.Policies
+		// TODO what to do here?
+		return result, fmt.Errorf("failed to parse policies")
 	}
 
 	return result, nil

internal/services/account_member/custom_test.go

@@ -0,0 +1,18 @@
+package account_member
+
+import "testing"
+
+func Test_unmarshalCustom(t *testing.T) {
+	json := `{"result":{"id":"5d5430af856e91ae03cac034b10d7dea","email":"cf-tf-test-ndwqoazamh@example.com","user":{"id":null,"first_name":null,"last_name":null,"email":"cf-tf-test-ndwqoazamh@example.com","two_factor_authentication_enabled":false},"status":"pending","api_access_enabled":null,"policies":[{"id":"073126da887b4291a32b71602542cc9e","access":"allow","permission_groups":[{"id":"ce2c69b09baf4ca38223910a8b7e07a9","name":"Administrator","meta":{"category":"general","description":"Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile.","editable":"false","label":"admin","scopes":"com.cloudflare.api.account"}}],"resource_groups":[{"id":"402006e2284a45fe98db34cf0a4688fc","name":"com.cloudflare.api.account.a67e14daa5f8dceeb91fe5449ba496eb","meta":{"editable":"false"},"scope":{"key":"com.cloudflare.api.account.a67e14daa5f8dceeb91fe5449ba496eb","objects":[{"key":"*"}]}}]}],"roles":[{"id":"6251014a0ecd81ba24f4779a5434767c","name":"Administrator","description":"Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile.","permissions":{"access":{"edit":true,"read":true},"analytics":{"edit":false,"read":true},"api_gateway":{"edit":true,"read":true},"app":{"edit":true,"read":false},"auditlogs":{"edit":false,"read":true},"billing":{"edit":false,"read":true},"blocks":{"edit":true,"read":true},"cache_purge":{"edit":true,"read":false},"casb":{"edit":true,"read":true},"cds":{"edit":true,"read":true},"cds_compute_account":{"edit":true,"read":true},"ces_analytics":{"edit":false,"read":true},"ces_integration":{"edit":true,"read":true},"ces_phishguard":{"edit":false,"read":true},"ces_policies":{"edit":true,"read":true},"ces_pra_report":{"edit":true,"read":true},"ces_search":{"action":true,"edit":false,"preview":true,"raw":true,"read":true,"trace":true},"ces_settings":{"edit":true,"read":true},"ces_submissions":{"edit":false,"read":true},"cf1_integration":{"casb":true,"ces":true,"edit":true,"read":true},"d1":{"edit":true,"read":false},"dex":{"edit":true,"read":true},"dns_records":{"edit":true,"read":true},"domain":{"edit":false,"read":true},"fbm":{"edit":true,"read":true},"fbm_acc":{"edit":true,"read":false},"healthchecks":{"edit":true,"read":true},"http_applications":{"edit":true,"read":true},"image":{"edit":true,"read":true},"integration":{"edit":true,"install":true,"read":true},"lb":{"edit":true,"read":true},"legal":{"edit":false,"read":true},"logs":{"edit":true,"read":true},"magic":{"edit":true,"read":true},"member":{"edit":false,"read":true},"organization":{"edit":true,"read":true},"page_shield":{"edit":true,"read":true},"query_cache":{"edit":true,"read":true},"r2_bucket":{"edit":true,"read":true},"r2_bucket_item":{"edit":true,"read":true},"r2_bucket_warehouse":{"edit":true,"read":true},"r2_bucket_warehouse_sql":{"edit":false,"read":true},"resilience":{"edit":false,"read":true},"ssl":{"edit":true,"read":true},"stream":{"edit":true,"read":true},"subscription":{"edit":true,"read":true},"teams":{"edit":true,"read":true,"report":true},"teams_device":{"edit":false,"read":true},"vectorize":{"edit":true,"read":true},"waf":{"edit":true,"read":true},"waitingroom":{"edit":true,"read":true},"web3":{"edit":true,"read":true},"worker":{"edit":true,"read":true},"zaraz":{"edit":true,"publish":true,"read":true},"zone":{"edit":true,"read":true},"zone_settings":{"edit":true,"read":true},"zone_versioning":{"edit":true,"read":true}}}]},"success":true,"errors":[],"messages":[]}`
+	bytes := []byte(json)
+	data := &AccountMemberModel{}
+	unmarshaled, _ := unmarshalCustom(bytes, data)
+	bytes, err := unmarshaled.marshalCustomForUpdate(*unmarshaled, Roles)
+	if err != nil {
+		t.Fatal(err)
+	}
+	policies := unmarshaled.Policies.Elements()
+	for _, policy := range policies {
+		_ = policy
+	}
+}

internal/services/account_member/model.go

@@ -17,7 +17,7 @@ type AccountMemberModel struct {
 	AccountID types.String                                            `tfsdk:"account_id" path:"account_id,required"`
 	Email     types.String                                            `tfsdk:"email" json:"email,required"`
 	Status    types.String                                            `tfsdk:"status" json:"status,computed_optional"`
-	Roles     *[]types.String                                         `tfsdk:"roles" json:"roles,optional,no_refresh"`
+	Roles     types.Set                                               `tfsdk:"roles" json:"roles,computed_optional,no_refresh"`
 	Policies  customfield.NestedObjectSet[AccountMemberPoliciesModel] `tfsdk:"policies" json:"policies,computed_optional"`
 	User      customfield.NestedObject[AccountMemberUserModel]        `tfsdk:"user" json:"user,computed"`
 }