Creation of Project Roles using Terraform #85

Closed
EvertonSA opened this issue Sep 14, 2023 · 5 comments · Fixed by #86

@EvertonSA

I, as a Platform engineer, would like to provision Project Roles using Terraform.

Similar to what is implemented here: #78

@EvertonSA EvertonSA added the enhancement New feature or request label Sep 14, 2023
@alexhung
Member

@EvertonSA Are you currently using the project.roles attribute to define your project roles?

@alexhung
Member

alexhung commented Sep 20, 2023

@EvertonSA I'm working on this currently and this is what I'm adding:

  • new resource project_role with the same attributes as the project.role attribute, plus an extra project_key attribute to link it to a project
  • new attribute use_project_role_resource in the project resource. This defaults to false and is used to tell the provider whether you are using the project.role attribute or the project_role resource to manage your project roles.
  • attribute project.role is marked as "deprecated"

So if you are currently using the project.role attribute, nothing needs to change.

If you wish to use the new project_role resource, set project.use_project_role_resource to true and add project_role resources to your configuration:

resource "project" "myproj" {
  key                       = "myprojkey"
  use_project_role_resource = true
  ...
  // no `role` attribute
}

resource "project_role" "myrole" {
  name        = "myrole"
  project_key = "myprojkey"
  ...
}

This should take care of both existing configurations and newcomers.

At some point in the future (6 months?), the project.role attribute will be removed.

alexhung added a commit that referenced this issue Sep 25, 2023
@EvertonSA
Author

👍🏿

@mikeycmccarthy

We're looking at the migration to this now. Just something we've noticed, it appears that if you already have roles against a project the 'old' way (project.roles) and you want to move to the new way (project_role) then I think you're going to have to trash the old roles and create new ones.

We're on version 1.2.1 and we're moving to 1.3.2. Terraform will tell you about the new roles to be created in the plan, but fail because a role with the same name already exists:

module.projects.project_role.this["development-detest-Test Role"]: Creating...

Error:
409 POST https://XXX.jfrog.io/access/api/v1/projects/detest/roles
{
  "errors" : [ {
    "code" : "CONFLICT",
    "message" : "Role `Test Role` already exists and cannot be added"
  } ]
}

The only way that seems to work around this is to come up with different naming for the roles we create post the upgrade to the newer version of the provider, or some workaround to change the names of the old one outside of Terraform.

@alexhung
Member

alexhung commented Oct 18, 2023

@mikeycmccarthy So the process to migrate from using the old attribute project.roles to the new resource project_role should look something like this:

  • Assuming you already have a role (Test Role) in the project.roles attribute

resource "project" "test-proj" {
  key   = "testproj"
  roles = ["Test Role"]
}

  • First you define the new role resource (without applying this config)

resource "project" "test-proj" {
  key   = "testproj"
  roles = ["Test Role"]
}

resource "project_role" "test-role" {
  name        = "Test-Role"
  project_key = project.test-proj.key
}

  • Then import the existing role from Artifactory into this new resource:

terraform import project_role.test-role testproj:Test-Role

  • Once the resource is imported successfully, use the use_project_role_resource attribute to disable role management in the project resource

resource "project" "test-proj" {
  key                       = "testproj"
  roles                     = ["Test Role"]
  use_project_role_resource = true
}

  • After verifying everything is working as intended (e.g. terraform plan returns no changes), you can safely remove the role from project.roles.

Let me know if this process works for you. If so, I can incorporate this into a migration guide as part of the documentation.

(Also, I just noticed the documentation for project_role doesn't mention support for importing the resource, which I'll fix.)
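
Added example, not part of the thread or the provider's code: a pre-apply check over `terraform show -json <planfile>` output that lists every project_role the plan would create (the case that hits the 409 CONFLICT when the role already exists) together with the `project_key:name` import ID used in the steps above, and confirms the final "no changes" condition. The sample plan is constructed and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan` output;
# addresses and values are illustrative, reusing names from this thread.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "project.test-proj", "type": "project",
     "change": {"actions": ["no-op"],
                "after": {"key": "testproj", "use_project_role_resource": true}}},
    {"address": "project_role.test-role", "type": "project_role",
     "change": {"actions": ["create"],
                "after": {"name": "Test-Role", "project_key": "testproj"}}},
    {"address": "project_role.viewer", "type": "project_role",
     "change": {"actions": ["no-op"],
                "after": {"name": "Viewer", "project_key": "testproj"}}}
  ]
}
""")


def roles_needing_import(plan):
    """Return (address, import_id) for each project_role the plan would create."""
    pending = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # A pure create means the role is not in state yet; a replace is not flagged.
        if rc.get("type") != "project_role" or change.get("actions") != ["create"]:
            continue
        after = change.get("after") or {}
        key, name = after.get("project_key"), after.get("name")
        # project_key can be unknown at plan time when the project itself is
        # created in the same run; report the address without an import ID.
        import_id = f"{key}:{name}" if key and name else None
        pending.append((rc["address"], import_id))
    return pending


def plan_is_clean(plan):
    """True when every resource change is a no-op (the last step above)."""
    return all(rc["change"]["actions"] == ["no-op"]
               for rc in plan.get("resource_changes", []))


if __name__ == "__main__":
    for address, import_id in roles_needing_import(SAMPLE_PLAN):
        print(f"terraform import {address} {import_id or '<project_key>:<name>'}")
```

A role listed here only conflicts if it already exists in the project; roles that are genuinely new can be applied as planned.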
