fix: remove validation of empty public_key and private_key attributes…

… in provider config to avoid breaking change (#1402) * fix: remove validation of empty public_key and private_key attributes in provider config to avoid breaking change * define error if neither PAK or AWS Secret Manager attributes are defined
mongodb · Aug 23, 2023 · 57cede4 · 57cede4
1 parent 7aaa9f2
commit 57cede4
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 22 deletions.
diff --git a/mongodbatlas/fw_provider.go b/mongodbatlas/fw_provider.go
@@ -208,7 +208,11 @@ func (p *MongodbtlasProvider) Configure(ctx context.Context, req provider.Config
 		return
 	}
 
-	data = setDefaultValuesWithValidations(&data, resp)
+	var assumeRoles []tfAssumeRoleModel
+	data.AssumeRole.ElementsAs(ctx, &assumeRoles, true)
+	awsRoleDefined := len(assumeRoles) > 0
+
+	data = setDefaultValuesWithValidations(&data, awsRoleDefined, resp)
 	if resp.Diagnostics.HasError() {
 		return
 	}
@@ -220,10 +224,7 @@ func (p *MongodbtlasProvider) Configure(ctx context.Context, req provider.Config
 		RealmBaseURL: data.RealmBaseURL.ValueString(),
 	}
 
-	var assumeRoles []tfAssumeRoleModel
-	data.AssumeRole.ElementsAs(ctx, &assumeRoles, true)
-
-	if len(assumeRoles) > 0 {
+	if awsRoleDefined {
 		config.AssumeRole = parseTfModel(ctx, &assumeRoles[0])
 		secret := data.SecretName.ValueString()
 		region := data.Region.ValueString()
@@ -288,7 +289,7 @@ func parseTfModel(ctx context.Context, tfAssumeRoleModel *tfAssumeRoleModel) *As
 
 const MongodbGovCloudURL = "https://cloud.mongodbgov.com"
 
-func setDefaultValuesWithValidations(data *tfMongodbAtlasProviderModel, resp *provider.ConfigureResponse) tfMongodbAtlasProviderModel {
+func setDefaultValuesWithValidations(data *tfMongodbAtlasProviderModel, awsRoleDefined bool, resp *provider.ConfigureResponse) tfMongodbAtlasProviderModel {
 	if mongodbgovCloud := data.IsMongodbGovCloud.ValueBool(); mongodbgovCloud {
 		data.BaseURL = types.StringValue(MongodbGovCloudURL)
 	}
@@ -304,8 +305,8 @@ func setDefaultValuesWithValidations(data *tfMongodbAtlasProviderModel, resp *pr
 			"MONGODB_ATLAS_PUBLIC_KEY",
 			"MCLI_PUBLIC_API_KEY",
 		}, "").(string))
-		if data.PublicKey.ValueString() == "" {
-			resp.Diagnostics.AddError(ProviderConfigError, fmt.Sprintf(AttrNotSetError, "public_key"))
+		if data.PublicKey.ValueString() == "" && !awsRoleDefined {
+			resp.Diagnostics.AddError(ProviderConfigError, MissingAuthAttrError)
 		}
 	}
 
@@ -314,8 +315,8 @@ func setDefaultValuesWithValidations(data *tfMongodbAtlasProviderModel, resp *pr
 			"MONGODB_ATLAS_PRIVATE_KEY",
 			"MCLI_PRIVATE_API_KEY",
 		}, "").(string))
-		if data.PrivateKey.ValueString() == "" {
-			resp.Diagnostics.AddError(ProviderConfigError, fmt.Sprintf(AttrNotSetError, "private_key"))
+		if data.PrivateKey.ValueString() == "" && !awsRoleDefined {
+			resp.Diagnostics.AddError(ProviderConfigError, MissingAuthAttrError)
 		}
 	}
 

diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"hash/crc32"
 	"log"
@@ -41,7 +42,7 @@ const (
 	endPointSTSDefault                    = "https://sts.amazonaws.com"
 	DeprecationMessage                    = "this resource is deprecated and will be removed in %s, please transition to %s"
 	DeprecationMessageParameterToResource = "this parameter is deprecated and will be removed in %s, please transition to %s"
-	AttrNotSetError                       = "attribute %s must be set"
+	MissingAuthAttrError                  = "either Atlas Programmatic API Keys or AWS Secrets Manager attributes must be set"
 	ProviderConfigError                   = "error in configuring the provider."
 	AWS                                   = "AWS"
 	AZURE                                 = "AZURE"
@@ -276,7 +277,9 @@ func addBetaFeatures(provider *schema.Provider) {
 }
 
 func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}, diag.Diagnostics) {
-	if err := setDefaultsAndValidations(d); err != nil {
+	assumeRoleValue, ok := d.GetOk("assume_role")
+	awsRoleDefined := ok && len(assumeRoleValue.([]interface{})) > 0 && assumeRoleValue.([]interface{})[0] != nil
+	if err := setDefaultsAndValidations(d, awsRoleDefined); err != nil {
 		return nil, diag.FromErr(err)
 	}
 
@@ -287,8 +290,8 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 		RealmBaseURL: d.Get("realm_base_url").(string),
 	}
 
-	if v, ok := d.GetOk("assume_role"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
-		config.AssumeRole = expandAssumeRole(v.([]interface{})[0].(map[string]interface{}))
+	if awsRoleDefined {
+		config.AssumeRole = expandAssumeRole(assumeRoleValue.([]interface{})[0].(map[string]interface{}))
 		secret := d.Get("secret_name").(string)
 		region := d.Get("region").(string)
 		awsAccessKeyID := d.Get("aws_access_key_id").(string)
@@ -309,7 +312,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 	return client, nil
 }
 
-func setDefaultsAndValidations(d *schema.ResourceData) error {
+func setDefaultsAndValidations(d *schema.ResourceData, awsRoleDefined bool) error {
 	mongodbgovCloud := pointy.Bool(d.Get("is_mongodbgov_cloud").(bool))
 	if *mongodbgovCloud {
 		if err := d.Set("base_url", MongodbGovCloudURL); err != nil {
@@ -330,8 +333,8 @@ func setDefaultsAndValidations(d *schema.ResourceData) error {
 	}); err != nil {
 		return err
 	}
-	if d.Get("public_key").(string) == "" {
-		return fmt.Errorf(AttrNotSetError, "public_key")
+	if d.Get("public_key").(string) == "" && !awsRoleDefined {
+		return errors.New(MissingAuthAttrError)
 	}
 
 	if err := setValueFromConfigOrEnv(d, "private_key", []string{
@@ -341,8 +344,8 @@ func setDefaultsAndValidations(d *schema.ResourceData) error {
 		return err
 	}
 
-	if d.Get("private_key").(string) == "" {
-		return fmt.Errorf(AttrNotSetError, "private_key")
+	if d.Get("private_key").(string) == "" && !awsRoleDefined {
+		return errors.New(MissingAuthAttrError)
 	}
 
 	if err := setValueFromConfigOrEnv(d, "realm_base_url", []string{
@@ -785,16 +788,16 @@ var validAssumeRoleSourceIdentity = validation.All(
 
 // validAssumeRoleDuration validates a string can be parsed as a valid time.Duration
 // and is within a minimum of 15 minutes and maximum of 12 hours
-func validAssumeRoleDuration(v interface{}, k string) (ws []string, errors []error) {
+func validAssumeRoleDuration(v interface{}, k string) (ws []string, errorResults []error) {
 	duration, err := time.ParseDuration(v.(string))
 
 	if err != nil {
-		errors = append(errors, fmt.Errorf("%q cannot be parsed as a duration: %w", k, err))
+		errorResults = append(errorResults, fmt.Errorf("%q cannot be parsed as a duration: %w", k, err))
 		return
 	}
 
 	if duration.Minutes() < 15 || duration.Hours() > 12 {
-		errors = append(errors, fmt.Errorf("duration %q must be between 15 minutes (15m) and 12 hours (12h), inclusive", k))
+		errorResults = append(errorResults, fmt.Errorf("duration %q must be between 15 minutes (15m) and 12 hours (12h), inclusive", k))
 	}
 
 	return