Allow recreation of recently deleted project and org custom roles #1681
} | ||
} | ||
|
||
// If role is not deleted, make sure it exists and undelete if needed. |
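Review bot: the comment on the last line of this hunk contradicts itself: "If role is not deleted, make sure it exists and undelete if needed" does not say under which condition the undelete actually runs. Suggest stating the precondition directly, for example that the role is looked up and undeleted only when it is found in a soft-deleted state, so a reader can tell whether this branch is reached on create, on update, or both.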
Because this gets called on create, the next bit about d.HasChange will actually return true and send a patch request. It's not a huge deal, but it's still an extra API call that we don't really need. If it's not hard, I think the Undelete should probably just get called straight from Create.
I might be confused - isn't that what we want? If this gets called on create, what we want is the 1. role.undelete 2. role.patch. If we just call undelete then we still have to call patch to essentially reset the previously deleted role to whatever value we are trying to create.
The context of this one scares me, but on the assumption that we can update roles as if they were just now created (i.e., all user-specifiable fields can be updated), I can't see why not. Projects, on the other hand (I'm not sure if those are intended, but as they have a similar soft-delete, I just want to be explicit about this) I'd argue against taking this approach with, because there are a lot of things about a project that would need to be cleaned up, and some of them can't be cleaned up, so we'd be saying the user has a fresh project when they, in fact, do not. Anyways, just wanted to call that subtlety out. I'll take a pass at reviewing the code now :)
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckGoogleOrganizationIamCustomRoleDestroy, | ||
Steps: []resource.TestStep{ |
This is going to sound really nitpicky, but could we verify that recreating it gets us the results we expect? I'd just hate for it to do the deletion regularly, only for us to find out it's failing to set the other properties, or something.
Done!
} | ||
} | ||
|
||
// If role is not deleted, make sure it exists and undelete if needed. |
Same comment Dana pointed out about the unnecessary PATCH applies here, I think.
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckGoogleProjectIamCustomRoleDestroy, | ||
Steps: []resource.TestStep{ |
Same thing here about verifying the resource has the expected values.
I want to echo that this is potentially very dangerous. There's a lot of undefined behavior with project recreation and this could cause more bugs than it fixes IMO.
Looking at the IAM custom roles docs, it seems like there are two stages of deletion for custom roles: Stage 1, 0-7 days after deletion: The role can be undeleted but otherwise cannot be used. There are a couple of bugs with the current implementation. Currently roles can be deleted through either setting
IMO What I think this PR should do is:
In either case, I'll need to add a check to ResourceDelete so tl;dr: @paddycarver @danawillow: I think the current solution should run undelete-patch for either create or update, and we should make
@paddycarver @morgante why is project deletion relevant here? This PR is just about custom roles.
@danawillow I parsed the title as "Allow recreation of recently deleted (projects) and (org custom roles)" but now realize it's "Allow recreation of recently deleted (project and org) custom roles" so retract my comments. 😄
@paddycarver @danawillow I made some new changes that I think (think??) will not cause breakage and actually handle all errors. I added a deprecation message for deleted (as advised by Dana) and tried to make the Create/Update logic easier to follow, but pls re-review. Also, I don't know if I have access to the team city still but can someone run the org tests for me? I need to set that up -__- project test run:
I'll take a look and run the tests tonight, hopefully. In the meantime, I also made sure you have access to the CI server. Feel free to drop an email to paddy@hashicorp if you're having trouble, and I can give you more info.
// If a role with same name exists and is enabled, just return error | ||
return fmt.Errorf("Custom project role %s already exists and must be imported", roleId) | ||
} | ||
} else { |
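Review bot: in the `fmt.Errorf("Custom project role %s already exists and must be imported", roleId)` line, the error string starts with a capital letter; Go convention is lower-case error strings, since callers usually wrap them into a longer message. Suggest "custom project role %s already exists and must be imported".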
Do you want to check that the error was actually a 404?
Tests pass, and I'm mostly really happy with this. Awesome work, @emilymye! The only thing I'd ask is just, as @danawillow pointed out, that we check the error is actually a 404 and not some other error. Otherwise, I think it's good to merge.
WHOOPS I forgot about this PR
Updates made, also added a warning to docs so custom roles might be less confusing in general. This is a real pickle
$ make testacc TEST=./google TESTARGS='--run="TestAccProjectIamCustomRole"'
2fc22d6 to 2f80af9
…shicorp#1681)
* undelete-update recently soft-deleted custom roles
* remove my TODO statements
* check values on soft-delete-recreate for custom role tests
* final fixes to make sure delete works; return read() when updating to 'create'
* check for non-404 errors for custom role get
* add warnings to custom roles docs
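The create path this thread converges on (undelete then patch for a soft-deleted role so it carries only the declared permissions, an import error for a live role, and a 404 check before creating), as an added Go example that is not the provider's code. `Role`, `fakeAPI`, `errNotFound` and `createRole` are hypothetical names, and the in-memory backend and its sample roles are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Role, errNotFound and fakeAPI are hypothetical stand-ins for the IAM client.
type Role struct {
	Permissions []string
	Deleted     bool
}

var errNotFound = errors.New("404: role not found")

type fakeAPI struct {
	Roles map[string]*Role // constructed in-memory backend
	Calls []string         // mutating calls made, in order
	Fail  error            // simulates a non-404 API error
}

func (f *fakeAPI) get(id string) (*Role, error) {
	r, ok := f.Roles[id]
	if f.Fail == nil && !ok {
		return nil, errNotFound
	}
	return r, f.Fail
}

// createRole: create on 404, undelete+patch if soft-deleted, reject otherwise.
func createRole(api *fakeAPI, id string, want Role) error {
	existing, err := api.get(id)
	switch {
	case errors.Is(err, errNotFound):
		api.Calls = append(api.Calls, "create")
		api.Roles[id] = &Role{Permissions: want.Permissions}
	case err != nil: // any non-404 error must not be treated as "missing"
		return fmt.Errorf("reading custom role %s: %w", id, err)
	case !existing.Deleted:
		return fmt.Errorf("custom role %s already exists and must be imported", id)
	default: // soft-deleted: restore it, then reset it to the declared values
		api.Calls = append(api.Calls, "undelete", "patch")
		existing.Deleted, existing.Permissions = false, want.Permissions
	}
	return nil
}

func main() {
	old := &Role{Permissions: []string{"storage.buckets.delete"}, Deleted: true}
	api := &fakeAPI{Roles: map[string]*Role{"auditor": old}}
	fmt.Println(createRole(api, "auditor", Role{Permissions: []string{"storage.buckets.list"}}), api.Calls)
}
```

Skipping the patch after the undelete would leave the restored role with the permissions it had before deletion rather than the ones in the configuration.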
Fixes #1668