
Conversation

@h3adex (Contributor) commented Nov 14, 2025

Description

This PR refactors the stackit_authorization_{project,folder,organization}_role_assignment resources to align with our coding standards and adds tests for resource.go and utils.go. It also adds the capability to add role assignments to folders.

E2E Results: [Screenshot 2025-11-14 at 11:09:06, image not included]

Required ENV:
TF_ACC=1
TF_ACC_REGION=eu01
TF_ACC_ORGANIZATION_ID=xxxx
STACKIT_SERVICE_ACCOUNT_TOKEN=ey..
TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL=terraform-xxxx@sa.stackit.cloud

Manual Tests:

locals {
  org_id      = "xxxx"
  owner_email = "terraform-xxxx@sa.stackit.cloud"
}

resource "stackit_resourcemanager_folder" "folder" {
  parent_container_id = local.org_id
  name                = "e2e-test-folder"
  owner_email         = local.owner_email
}

resource "stackit_resourcemanager_project" "project" {
  parent_container_id = local.org_id
  name                = "e2e-test-folder"
  owner_email         = local.owner_email
}

resource "stackit_authorization_folder_role_assignment" "fra" {
  resource_id = stackit_resourcemanager_folder.folder.folder_id
  role        = "editor"
  subject     = local.owner_email
}

# Second, identical <resource_id, role, subject> assignment; exercises the duplicate check.
resource "stackit_authorization_folder_role_assignment" "fra_duplicate" {
  resource_id = stackit_resourcemanager_folder.folder.folder_id
  role        = "editor"
  subject     = local.owner_email
}

resource "stackit_authorization_project_role_assignment" "pra" {
  resource_id = stackit_resourcemanager_project.project.project_id
  role        = "reader"
  subject     = local.owner_email
}

resource "stackit_authorization_organization_role_assignment" "ora" {
  resource_id = local.org_id
  role        = "iaas.project.admin"
  subject     = local.owner_email
}

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see examples/ directory)
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Acceptance tests got implemented or updated (see e.g. here)
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

@h3adex h3adex requested a review from a team as a code owner November 14, 2025 10:18
@h3adex h3adex changed the title from "feat(authorization): implement folder_role_assignment resource" to "feat(authorization): refactor and implement folder for role_assignment resource" Nov 14, 2025
@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch 3 times, most recently from e8415a6 to 5634558 on November 14, 2025 11:27
@h3adex h3adex changed the title from "feat(authorization): refactor and implement folder for role_assignment resource" to "feat(authorization): refactor role_assignment resource and implement folder assignment" Nov 14, 2025
@github-actions:

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

@github-actions github-actions bot added the Stale PR is marked as stale due to inactivity. label Nov 25, 2025
@rubenhoenle rubenhoenle removed the Stale PR is marked as stale due to inactivity. label Nov 25, 2025
@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch from 5634558 to 977ef73 on December 2, 2025 07:52
@github-actions:

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

@github-actions github-actions bot added the Stale PR is marked as stale due to inactivity. label Dec 10, 2025
@rubenhoenle rubenhoenle removed the Stale PR is marked as stale due to inactivity. label Dec 16, 2025
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch from 977ef73 to 8307a83 on January 21, 2026 12:33
@h3adex h3adex requested a review from GokceGK January 21, 2026 12:39
return errRoleAssignmentNotFound
}

// Prevent creating duplicate <resource_id, role, subject> assignments.
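Review bot: the duplicate guard this comment announces is a list-then-create check, so two resources for the same <resource_id, role, subject> created in one apply can both pass it before either write lands (the fra/fra_duplicate pair in the PR description does exactly that, as marceljk reports further down). Either state in the comment that the check is best-effort and not a guarantee, or have Create re-list after the write and fail if more than one matching assignment exists. It is also worth saying above errRoleAssignmentNotFound that callers must match it with errors.Is, since Read needs to turn it into a state removal rather than a hard error.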
@h3adex (Contributor, Author):

Wrote a comment above the function to keep everyone working on this resource aware.

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch from 8307a83 to cad266e on January 21, 2026 12:41
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch from 9078ee6 to 2b60ff8 on January 21, 2026 13:33
@marceljk (Contributor) previously approved these changes Jan 23, 2026 and left a comment:

Thanks for your contribution! Looks good to me!

@h3adex (Contributor, Author) commented Jan 23, 2026

Once merged we can close this issue: #1089

@marceljk (Contributor):

The check-duplicate function has one issue: it doesn't detect duplicates when they are created at the same time. I used your testing tf config and it created the duplicates without any issues. I think preventing this is very difficult and I would leave it as it is for now. But when I remove one of the duplicates (or even if it was removed via the API directly), my tf state is broken. I get the following error:


│ Error: Error reading authorization

│   with stackit_authorization_folder_role_assignment.fra,
│   on main.tf line 37, in resource "stackit_authorization_folder_role_assignment" "fra":
│   37: resource "stackit_authorization_folder_role_assignment" "fra" {

│ Processing API payload: response members did not contain expected role assignment
│ Trace ID: "6881a56e47fd9cfffd39ec403532af48"

The error is thrown from here:

err = mapListMembersResponse(listResp, &model)
if err != nil {
core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading authorization", fmt.Sprintf("Processing API payload: %v", err))
return
}

I would suggest that the error check be extended to this:

	if err != nil {
		if errors.Is(err, errRoleAssignmentNotFound) {
			resp.State.RemoveResource(ctx)
			return
		}
		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading authorization", fmt.Sprintf("Processing API payload: %v", err))
		return
	}

It's then the same as the 404 check we usually have in the read function:

imageResp, err := r.client.GetImage(ctx, projectId, region, imageId).Execute()
if err != nil {
oapiErr, ok := err.(*oapierror.GenericOpenAPIError) //nolint:errorlint //complaining that error.As should be used to catch wrapped errors, but this error should not be wrapped
if ok && oapiErr.StatusCode == http.StatusNotFound {
resp.State.RemoveResource(ctx)
return
}
core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading image", fmt.Sprintf("Calling API: %v", err))
return
}
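The two behaviours marceljk describes, as an added example written for this page rather than code from the provider: it assumes a simplified list-members response (a two-field Member type), a sentinel errRoleAssignmentNotFound that is wrapped with %w, and a ReadOutcome value standing in for resp.State.RemoveResource and core.LogAndAddError. The simulateParallelCreates helper also shows why a list-then-create duplicate check is only best-effort when two resources for the same triple are applied together.

```go
package main

import (
	"errors"
	"fmt"
)

// Member is a constructed stand-in for one entry of the authorization API's
// list-members response; only the two fields the lookup needs are modelled.
type Member struct {
	Subject string
	Role    string
}

// ListMembersResponse is the constructed stand-in for the list response.
type ListMembersResponse struct {
	Members []Member
}

// errRoleAssignmentNotFound is the sentinel Read matches on. Any error that
// wraps it with %w stays matchable through errors.Is.
var errRoleAssignmentNotFound = errors.New("role assignment not found")

// findAssignment returns the member matching <role, subject>, or an error
// wrapping errRoleAssignmentNotFound when the response holds none.
func findAssignment(resp ListMembersResponse, role, subject string) (Member, error) {
	for _, m := range resp.Members {
		if m.Role == role && m.Subject == subject {
			return m, nil
		}
	}
	return Member{}, fmt.Errorf("response members did not contain expected role assignment: %w", errRoleAssignmentNotFound)
}

// countAssignments reports how many <role, subject> entries the response holds.
func countAssignments(resp ListMembersResponse, role, subject string) int {
	n := 0
	for _, m := range resp.Members {
		if m.Role == role && m.Subject == subject {
			n++
		}
	}
	return n
}

// simulateParallelCreates models n creates for the same triple that all run
// their duplicate pre-check against the same snapshot before any write lands,
// which is what happens when fra and fra_duplicate are applied together.
func simulateParallelCreates(resp ListMembersResponse, role, subject string, n int) ListMembersResponse {
	out := ListMembersResponse{Members: append([]Member(nil), resp.Members...)}
	for i := 0; i < n; i++ {
		if countAssignments(resp, role, subject) == 0 { // stale snapshot: passes every time
			out.Members = append(out.Members, Member{Subject: subject, Role: role})
		}
	}
	return out
}

// ReadOutcome stands in for what the Terraform Read must do next.
type ReadOutcome int

const (
	ReadOK              ReadOutcome = iota // assignment present, keep state as is
	ReadRemoveFromState                    // gone upstream: resp.State.RemoveResource
	ReadFailed                             // anything else: core.LogAndAddError
)

// readRoleAssignment applies the suggested Read logic: a missing assignment is
// treated like a 404 and removed from state instead of breaking the plan.
func readRoleAssignment(list func() (ListMembersResponse, error), role, subject string) (ReadOutcome, error) {
	resp, err := list()
	if err != nil {
		return ReadFailed, fmt.Errorf("calling API: %w", err)
	}
	if _, err := findAssignment(resp, role, subject); err != nil {
		if errors.Is(err, errRoleAssignmentNotFound) {
			return ReadRemoveFromState, nil
		}
		return ReadFailed, fmt.Errorf("processing API payload: %w", err)
	}
	return ReadOK, nil
}

func main() {
	const subject = "sa-example@example.invalid" // constructed subject
	empty := ListMembersResponse{}

	// Two creates in one apply both pass the pre-check: two identical entries.
	after := simulateParallelCreates(empty, "editor", subject, 2)
	fmt.Println("assignments after parallel creates:", countAssignments(after, "editor", subject))

	// Membership removed out-of-band, then the remaining state entry is read:
	// the entry is dropped from state rather than surfacing an error.
	outcome, err := readRoleAssignment(func() (ListMembersResponse, error) { return empty, nil }, "editor", subject)
	fmt.Println("read outcome after out-of-band delete:", outcome, err)
}
```

The errors.Is match is what makes the wrapping safe: mapListMembersResponse can add context with %w and the Read path still recognises the sentinel, whereas a plain == comparison on the wrapped error would fall through to the hard-error branch and leave the state broken exactly as in the trace above.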

@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch 4 times, most recently from ed61995 to 3839c65 on January 23, 2026 15:01
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
@h3adex h3adex force-pushed the feat/implement-folder-role-assignments branch from 3839c65 to b3bb1a5 on January 23, 2026 15:03
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>