Config Generation: Handle read failures (#1690)

julienduchesne · web-flow · commit 8021cf977fe2 · 2024-07-16T11:57:11.000-04:00
Sometimes, Grafana allows list operations but not read operations on limited permissions
What happens then is that the import blocks are generated, but the process crashes on the resource generation step (tf plan)
With this PR, this is turned into a "non-critical" error which can be displayed and ignored
The superfluous import blocks are removed
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/grafana/terraform-provider-grafana/v3/internal/common"
 	"github.com/grafana/terraform-provider-grafana/v3/pkg/generate/postprocessing"
+	"github.com/grafana/terraform-provider-grafana/v3/pkg/generate/utils"
 	"github.com/hashicorp/hcl/v2/hclwrite"
 	"github.com/hashicorp/terraform-exec/tfexec"
 	"github.com/zclconf/go-cty/cty"
@@ -22,8 +23,13 @@ var (
 	allowedTerraformChars = regexp.MustCompile(`[^a-zA-Z0-9_-]`)
 )
 
+// NonCriticalError is an error that is not critical to the generation process.
+// It can be handled differently by the caller.
+type NonCriticalError interface {
+	NonCriticalError()
+}
+
 // ResourceError is an error that occurred while generating a resource.
-// It can be filtered out by the caller if it is not critical that a single resource failed.
 type ResourceError struct {
 	Resource *common.Resource
 	Err      error
@@ -33,6 +39,12 @@ func (e ResourceError) Error() string {
 	return fmt.Sprintf("resource %s: %v", e.Resource.Name, e.Err)
 }
 
+func (ResourceError) NonCriticalError() {}
+
+type NonCriticalGenerationFailure struct{ error }
+
+func (f NonCriticalGenerationFailure) NonCriticalError() {}
+
 type GenerationSuccess struct {
 	Resource *common.Resource
 	Blocks   int
@@ -293,15 +305,61 @@ func generateImportBlocks(ctx context.Context, client *common.Client, listerData
 	}
 	_, err = cfg.Terraform.Plan(ctx, tfexec.GenerateConfigOut(generatedFilename("resources.tf")))
 	if err != nil {
-		return failuref("failed to generate resources: %w", err)
+		// If resources.tf was created and is not empty, return the error as a "non-critical" error
+		if stat, statErr := os.Stat(generatedFilename("resources.tf")); statErr == nil && stat.Size() > 0 {
+			returnResult.Errors = append(returnResult.Errors, NonCriticalGenerationFailure{err})
+		} else {
+			return failuref("failed to generate resources: %w", err)
+		}
 	}
+
+	if err := removeOrphanedImports(generatedFilename("imports.tf"), generatedFilename("resources.tf")); err != nil {
+		return failure(err)
+	}
+
 	if err := sortResourcesFile(generatedFilename("resources.tf")); err != nil {
 		return failure(err)
 	}
 
 	return returnResult
 }
 
+// removeOrphanedImports removes import blocks that do not have a corresponding resource block in the resources file.
+// These happen when the Terraform plan command has failed for some resources.
+func removeOrphanedImports(importsFile, resourcesFile string) error {
+	imports, err := utils.ReadHCLFile(importsFile)
+	if err != nil {
+		return err
+	}
+
+	resources, err := utils.ReadHCLFile(resourcesFile)
+	if err != nil {
+		return err
+	}
+
+	resourcesMap := map[string]struct{}{}
+	for _, block := range resources.Body().Blocks() {
+		if block.Type() != "resource" {
+			continue
+		}
+
+		resourcesMap[strings.Join(block.Labels(), ".")] = struct{}{}
+	}
+
+	for _, block := range imports.Body().Blocks() {
+		if block.Type() != "import" {
+			continue
+		}
+
+		importTo := strings.TrimSpace(string(block.Body().GetAttribute("to").Expr().BuildTokens(nil).Bytes()))
+		if _, ok := resourcesMap[importTo]; !ok {
+			imports.Body().RemoveBlock(block)
+		}
+	}
+
+	return writeBlocksFile(importsFile, true, imports.Body().Blocks()...)
+}
+
 func filterResources(resources []*common.Resource, includedResources []string) ([]*common.Resource, error) {
 	if len(includedResources) == 0 {
 		return resources, nil
diff --git a/pkg/generate/generate_test.go b/pkg/generate/generate_test.go
@@ -7,8 +7,13 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/grafana/grafana-openapi-client-go/client/access_control"
+	"github.com/grafana/grafana-openapi-client-go/client/service_accounts"
+	"github.com/grafana/grafana-openapi-client-go/models"
+	"github.com/grafana/terraform-provider-grafana/v3/internal/common"
 	"github.com/grafana/terraform-provider-grafana/v3/internal/testutils"
 	"github.com/grafana/terraform-provider-grafana/v3/pkg/generate"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/stretchr/testify/assert"
@@ -228,6 +233,99 @@ func TestAccGenerate(t *testing.T) {
 	}
 }
 
+func TestAccGenerate_RestrictedPermissions(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping long test")
+	}
+	testutils.CheckEnterpriseTestsEnabled(t, ">=10.0.0")
+
+	// Create SA with no permissions
+	randString := acctest.RandString(10)
+	client := testutils.Provider.Meta().(*common.Client).GrafanaAPI.Clone().WithOrgID(0)
+	sa, err := client.ServiceAccounts.CreateServiceAccount(
+		service_accounts.NewCreateServiceAccountParams().WithBody(&models.CreateServiceAccountForm{
+			Name: "test-no-permissions-" + randString,
+			Role: "None",
+		},
+		))
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		client.ServiceAccounts.DeleteServiceAccount(sa.Payload.ID)
+	})
+
+	saToken, err := client.ServiceAccounts.CreateToken(
+		service_accounts.NewCreateTokenParams().WithBody(&models.AddServiceAccountTokenCommand{
+			Name: "test-no-permissions-" + randString,
+		},
+		).WithServiceAccountID(sa.Payload.ID),
+	)
+	require.NoError(t, err)
+
+	// Allow the SA to read dashboards
+	if _, err := client.AccessControl.CreateRole(&models.CreateRoleForm{
+		Name: randString,
+		Permissions: []*models.Permission{
+			{
+				Action: "dashboards:read",
+				Scope:  "dashboards:*",
+			},
+			{
+				Action: "folders:read",
+				Scope:  "folders:*",
+			},
+		},
+		UID: randString,
+	}); err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(func() {
+		client.AccessControl.DeleteRole(access_control.NewDeleteRoleParams().WithRoleUID(randString))
+	})
+	if _, err := client.AccessControl.SetUserRoles(sa.Payload.ID, &models.SetUserRolesCommand{
+		RoleUids: []string{randString},
+		Global:   false,
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	resource.Test(t, resource.TestCase{
+		ProtoV5ProviderFactories: testutils.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testutils.TestAccExample(t, "resources/grafana_dashboard/resource.tf"),
+				Check: func(s *terraform.State) error {
+					tempDir := t.TempDir()
+					config := generate.Config{
+						OutputDir:       tempDir,
+						Clobber:         true,
+						Format:          generate.OutputFormatHCL,
+						ProviderVersion: "v3.0.0",
+						Grafana: &generate.GrafanaConfig{
+							URL:  "http://localhost:3000",
+							Auth: saToken.Payload.Key,
+						},
+					}
+
+					result := generate.Generate(context.Background(), &config)
+					assert.NotEmpty(t, result.Errors, "expected errors, got: %+v", result)
+					for _, err := range result.Errors {
+						// Check that all errors are non critical
+						_, ok := err.(generate.NonCriticalError)
+						assert.True(t, ok, "expected NonCriticalError, got: %v (Type: %T)", err, err)
+					}
+
+					assertFiles(t, tempDir, "testdata/generate/dashboard-restricted-permissions", []string{
+						".terraform",
+						".terraform.lock.hcl",
+					})
+
+					return nil
+				},
+			},
+		},
+	})
+}
+
 // assertFiles checks that all files in the "expectedFilesDir" directory match the files in the "gotFilesDir" directory.
 func assertFiles(t *testing.T, gotFilesDir, expectedFilesDir string, ignoreDirEntries []string) {
 	t.Helper()
diff --git a/pkg/generate/postprocessing/postprocessing.go b/pkg/generate/postprocessing/postprocessing.go
@@ -1,25 +1,19 @@
 package postprocessing
 
 import (
-	"errors"
 	"os"
 
-	"github.com/hashicorp/hcl/v2"
+	"github.com/grafana/terraform-provider-grafana/v3/pkg/generate/utils"
 	"github.com/hashicorp/hcl/v2/hclwrite"
 )
 
 type postprocessingFunc func(*hclwrite.File) error
 
 func postprocessFile(fpath string, fn postprocessingFunc) error {
-	src, err := os.ReadFile(fpath)
+	file, err := utils.ReadHCLFile(fpath)
 	if err != nil {
 		return err
 	}
-
-	file, diags := hclwrite.ParseConfig(src, fpath, hcl.Pos{Line: 1, Column: 1})
-	if diags.HasErrors() {
-		return errors.New(diags.Error())
-	}
 	initialBytes := file.Bytes()
 
 	if err := fn(file); err != nil {
diff --git a/pkg/generate/terraform.go b/pkg/generate/terraform.go
@@ -74,12 +74,18 @@ func setupTerraform(cfg *Config) (*tfexec.Terraform, error) {
 }
 
 func writeBlocks(filepath string, blocks ...*hclwrite.Block) error {
+	return writeBlocksFile(filepath, false, blocks...)
+}
+
+func writeBlocksFile(filepath string, new bool, blocks ...*hclwrite.Block) error {
 	contents := hclwrite.NewFile()
-	if fileBytes, err := os.ReadFile(filepath); err == nil {
-		var diags hcl.Diagnostics
-		contents, diags = hclwrite.ParseConfig(fileBytes, filepath, hcl.InitialPos)
-		if diags.HasErrors() {
-			return errors.Join(diags.Errs()...)
+	if !new {
+		if fileBytes, err := os.ReadFile(filepath); err == nil {
+			var diags hcl.Diagnostics
+			contents, diags = hclwrite.ParseConfig(fileBytes, filepath, hcl.InitialPos)
+			if diags.HasErrors() {
+				return errors.Join(diags.Errs()...)
+			}
 		}
 	}
 
diff --git a/pkg/generate/testdata/generate/dashboard-restricted-permissions/imports.tf b/pkg/generate/testdata/generate/dashboard-restricted-permissions/imports.tf
@@ -0,0 +1,9 @@
+import {
+  to = grafana_dashboard._0_my-dashboard-uid
+  id = "0:my-dashboard-uid"
+}
+
+import {
+  to = grafana_folder._0_my-folder-uid
+  id = "0:my-folder-uid"
+}
diff --git a/pkg/generate/testdata/generate/dashboard-restricted-permissions/provider.tf b/pkg/generate/testdata/generate/dashboard-restricted-permissions/provider.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    grafana = {
+      source  = "grafana/grafana"
+      version = "3.0.0"
+    }
+  }
+}
+
+provider "grafana" {
+  url  = "http://localhost:3000"
+  auth = "REDACTED"
+}
diff --git a/pkg/generate/testdata/generate/dashboard-restricted-permissions/resources.tf b/pkg/generate/testdata/generate/dashboard-restricted-permissions/resources.tf
@@ -0,0 +1,17 @@
+# __generated__ by Terraform
+# Please review these resources and move them into your main configuration files.
+
+# __generated__ by Terraform from "0:my-dashboard-uid"
+resource "grafana_dashboard" "_0_my-dashboard-uid" {
+  config_json = jsonencode({
+    title = "My Dashboard"
+    uid   = "my-dashboard-uid"
+  })
+  folder = grafana_folder._0_my-folder-uid.uid
+}
+
+# __generated__ by Terraform from "0:my-folder-uid"
+resource "grafana_folder" "_0_my-folder-uid" {
+  title = "My Folder"
+  uid   = "my-folder-uid"
+}
diff --git a/pkg/generate/utils/hcl.go b/pkg/generate/utils/hcl.go
@@ -0,0 +1,23 @@
+package utils
+
+import (
+	"errors"
+	"os"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/hclwrite"
+)
+
+func ReadHCLFile(fpath string) (*hclwrite.File, error) {
+	src, err := os.ReadFile(fpath)
+	if err != nil {
+		return nil, err
+	}
+
+	file, diags := hclwrite.ParseConfig(src, fpath, hcl.Pos{Line: 1, Column: 1})
+	if diags.HasErrors() {
+		return nil, errors.New(diags.Error())
+	}
+
+	return file, nil
+}
