Fix AWS permissions updated notification (#207)

Added an optional permissions field to the role set of the
polaris_aws_cnp_account_attachments resource. When used, the field will
force the resource to be updated when the polaris_aws_cnp_permissions
data source changes. During the update RSC will be notified about the
updated permissions.

docs/guides/aws_cnp_account.md

@@ -132,11 +132,13 @@ resource "polaris_aws_cnp_account_attachments" "attachments" {
   dynamic "role" {
     for_each = aws_iam_role.role
     content {
-      key = role.key
-      arn = role.value["arn"]
+      key         = role.key
+      arn         = role.value["arn"]
+      permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id
     }
   }
 }
 ```
 This attaches the instance profiles and roles to the AWS account in RSC. When Terraform processes this resource the AWS
-account will transition from the connecting state to the connected state in the RSC UI.
+account will transition from the connecting state to the connected state in the RSC UI. Note the `permissions` field of
+the `polaris_aws_cnp_account_attachments` resource requires version `0.10.0-beta.8` or later of the provider.

docs/guides/changelog.md

@@ -4,6 +4,19 @@ page_title: "Changelog"
 
 # Changelog
 
+## v0.10.0-beta.8
+* Add the `permissions` field to the `polaris_aws_cnp_account_attachments` resource. The `permissions` field should be
+  used with the `id` field of the `polaris_aws_cnp_permissions` data source to trigger an update of the resource
+  whenever the permissions changes. This update will move the RSC cloud account from the missing permissions state.
+
+## v0.10.0-beta.7
+* Add support for Azure Bring Your Own Kubernetes Exocompute, also known as BYOK and customer managed Exocompute.
+  [[docs](../resources/azure_exocompute_cluster_attachment)], [[docs](../resources/azure_private_container_registry)]
+
+## v0.10.0-beta.6
+* Add support for the Cloud Native Blob Protection feature to the `polaris_azure_subscription` resource.
+  [[docs](../resources/azure_subscription#nested-schema-for-cloud_native_blob_protection)]
+
 ## v0.10.0-beta.5
 * The data_center_archival_location_amazon_s3 resource will now monitor and wait for the asynchronous CDM operations to
   finish.

docs/resources/aws_cnp_account_attachments.md

@@ -70,6 +70,10 @@ Required:
 - `arn` (String) AWS role ARN.
 - `key` (String) RSC artifact key for the AWS role.
 
+Optional:
+
+- `permissions` (String) Permissions updated signal. When this field changes, the provider will notify RSC that the permissions for the feature has been updated. Use this field with the `id` field of the `polaris_aws_cnp_permissions` data source.
+
 
 <a id="nestedblock--instance_profile"></a>
 ### Nested Schema for `instance_profile`

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/terraform-plugin-docs v0.16.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
-	github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8
+	github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9
 )
 
 require (

go.sum

@@ -270,8 +270,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8 h1:dU2PQJUQ4G0FcdivN2Y0/vYsu/9hZRvAYld2I9Tqvro=
-github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.8/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
+github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9 h1:Jz10i2sNEmX7nEcijARy859jpn4qwRC1iD2Sb9r0fWM=
+github.com/rubrikinc/rubrik-polaris-sdk-for-go v0.11.0-beta.9/go.mod h1:ryJGDKlbaCvozY3Wvt+TPSN2OZRChQedHUNsnVfCbXE=
 github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
 github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=

internal/provider/resource_aws_cnp_account_attachments.go

@@ -155,7 +155,7 @@ func awsReadCnpAccountAttachments(ctx context.Context, d *schema.ResourceData, m
 	}
 	features := &schema.Set{F: schema.HashString}
 	for _, feature := range account.Features {
-		features.Add(string(feature.Feature.Name))
+		features.Add(feature.Feature.Name)
 	}
 
 	// Request the cloud account artifacts.
@@ -176,9 +176,14 @@ func awsReadCnpAccountAttachments(ctx context.Context, d *schema.ResourceData, m
 		return diag.FromErr(err)
 	}
 
+	oldRoles := make(map[string]string)
+	for _, role := range d.Get(keyRole).(*schema.Set).List() {
+		block := role.(map[string]any)
+		oldRoles[block[keyKey].(string)] = block[keyPermissions].(string)
+	}
 	rolesAttr := &schema.Set{F: schema.HashResource(roleResource())}
 	for key, arn := range roles {
-		rolesAttr.Add(map[string]any{keyKey: key, keyARN: arn})
+		rolesAttr.Add(map[string]any{keyKey: key, keyARN: arn, keyPermissions: oldRoles[key]})
 	}
 	if err := d.Set(keyRole, rolesAttr); err != nil {
 		return diag.FromErr(err)
@@ -199,6 +204,7 @@ func awsUpdateCnpAccountAttachments(ctx context.Context, d *schema.ResourceData,
 	if err != nil {
 		return diag.FromErr(err)
 	}
+
 	var features []core.Feature
 	for _, feature := range d.Get(keyFeatures).(*schema.Set).List() {
 		features = append(features, core.Feature{Name: feature.(string)})
@@ -214,12 +220,20 @@ func awsUpdateCnpAccountAttachments(ctx context.Context, d *schema.ResourceData,
 		roles[block[keyKey].(string)] = block[keyARN].(string)
 	}
 
-	// Request artifacts be added to account.
+	// Update artifacts.
 	_, err = aws.Wrap(client).AddAccountArtifacts(ctx, aws.CloudAccountID(id), features, profiles, roles)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
+	// Notify RSC about updated permissions. Note, we notify RSC that the
+	// permissions for all features have been updated without checking the
+	// permissions hash, the reason is there is no way for us to connect a role
+	// to a feature.
+	if err := aws.Wrap(client).PermissionsUpdated(ctx, id, nil); err != nil {
+		return diag.FromErr(err)
+	}
+
 	return nil
 }
 
@@ -266,6 +280,14 @@ func roleResource() *schema.Resource {
 				Description:  "AWS role ARN.",
 				ValidateFunc: validation.StringIsNotWhiteSpace,
 			},
+			keyPermissions: {
+				Type:     schema.TypeString,
+				Optional: true,
+				Description: "Permissions updated signal. When this field changes, the provider will notify " +
+					"RSC that the permissions for the feature has been updated. Use this field with the `id` field " +
+					"of the `polaris_aws_cnp_permissions` data source.",
+				ValidateFunc: validation.StringIsNotWhiteSpace,
+			},
 		},
 	}
 }

templates/guides/aws_cnp_account.md.tmpl

@@ -132,11 +132,13 @@ resource "polaris_aws_cnp_account_attachments" "attachments" {
   dynamic "role" {
     for_each = aws_iam_role.role
     content {
-      key = role.key
-      arn = role.value["arn"]
+      key         = role.key
+      arn         = role.value["arn"]
+      permissions = data.polaris_aws_cnp_permissions.permissions[role.key].id
     }
   }
 }
 ```
 This attaches the instance profiles and roles to the AWS account in RSC. When Terraform processes this resource the AWS
-account will transition from the connecting state to the connected state in the RSC UI.
+account will transition from the connecting state to the connected state in the RSC UI. Note the `permissions` field of
+the `polaris_aws_cnp_account_attachments` resource requires version `0.10.0-beta.8` or later of the provider.

templates/guides/changelog.md.tmpl

@@ -4,6 +4,19 @@ page_title: "Changelog"
 
 # Changelog
 
+## v0.10.0-beta.8
+* Add the `permissions` field to the `polaris_aws_cnp_account_attachments` resource. The `permissions` field should be
+  used with the `id` field of the `polaris_aws_cnp_permissions` data source to trigger an update of the resource
+  whenever the permissions changes. This update will move the RSC cloud account from the missing permissions state.
+
+## v0.10.0-beta.7
+* Add support for Azure Bring Your Own Kubernetes Exocompute, also known as BYOK and customer managed Exocompute.
+  [[docs](../resources/azure_exocompute_cluster_attachment)], [[docs](../resources/azure_private_container_registry)]
+
+## v0.10.0-beta.6
+* Add support for the Cloud Native Blob Protection feature to the `polaris_azure_subscription` resource.
+  [[docs](../resources/azure_subscription#nested-schema-for-cloud_native_blob_protection)]
+
 ## v0.10.0-beta.5
 * The data_center_archival_location_amazon_s3 resource will now monitor and wait for the asynchronous CDM operations to
   finish.