org_member: handle role changes properly (#116)

nicks · cybercyst · web-flow · commit 81933d915d25 · 2025-10-17T15:06:19.000-04:00
* org_member: handle role changes properly

before this PR, if you changed an org member's
role, the provider would remove the member of the org
and re-invite them. this is obviously pretty bad
and breaks a bunch of stuff

after this PR, the provider changes the role in
place.

our invite API is still pretty janky but
we do the best we can with the api that exists.

Signed-off-by: Nick Santos &lt;nick.santos@docker.com&gt;

* Update internal/provider/resource_org_member.go

Co-authored-by: Forrest Loomis &lt;forrest.loomis@docker.com&gt;
Signed-off-by: Nick Santos &lt;nick.santos@docker.com&gt;

---------

Signed-off-by: Nick Santos &lt;nick.santos@docker.com&gt;
Co-authored-by: Forrest Loomis &lt;forrest.loomis@docker.com&gt;
diff --git a/internal/hubclient/client_organization.go b/internal/hubclient/client_organization.go
@@ -135,6 +135,16 @@ type OrgMemberListResponse struct {
 	Results  []OrgMember `json:"results"`  // List of accounts.
 }
 
+// Weirdly, org role params are lowercase even though org role return values
+// are uppercase.
+type OrgRoleParam string
+
+const (
+	OrgRoleParamOwner  OrgRoleParam = "owner"
+	OrgRoleParamEditor OrgRoleParam = "editor"
+	OrgRoleParamMember OrgRoleParam = "member"
+)
+
 // OrgMember represents each organization member
 type OrgMember struct {
 	Email         string   `json:"email"`          // User's email address
@@ -254,7 +264,7 @@ func (c *Client) ListOrgTeamMembers(ctx context.Context, orgName string, teamNam
 	if err != nil {
 		return membersResponse, err
 	}
-	
+
 	members := membersResponse.Results
 	for membersResponse.Next != "" {
 		nextResponse := OrgTeamMembersResponse{}
@@ -266,7 +276,7 @@ func (c *Client) ListOrgTeamMembers(ctx context.Context, orgName string, teamNam
 		members = append(members, nextResponse.Results...)
 		membersResponse = nextResponse
 	}
-	
+
 	membersResponse.Results = members
 	return membersResponse, nil
 }
@@ -340,6 +350,17 @@ func (c *Client) DeleteOrgMember(ctx context.Context, orgName string, userName s
 	return c.sendRequest(ctx, "DELETE", url, nil, nil)
 }
 
+func (c *Client) UpdateOrgMember(ctx context.Context, orgName string, userName string, role OrgRoleParam) error {
+	url := fmt.Sprintf("/orgs/%s/members/%s/", orgName, userName)
+	body := map[string]string{"role": string(role)}
+	reqBody, err := json.Marshal(body)
+	if err != nil {
+		return err
+	}
+
+	return c.sendRequest(ctx, "PUT", url, reqBody, nil)
+}
+
 // func (c *Client) GetOrgInvitedMember(ctx context.Context, inviteID string) (OrgMembersResponse, error) {
 // 	url := fmt.Sprintf("/invites", inviteID)
 // 	var membersResponse OrgMembersResponse
diff --git a/internal/provider/resource_org_member.go b/internal/provider/resource_org_member.go
@@ -132,6 +132,7 @@ resource "docker_org_member" "example" {
 			"user_name": schema.StringAttribute{
 				MarkdownDescription: "User name of the member. Either user_name or email must be specified.",
 				Optional:            true,
+				Computed:            true,
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
@@ -144,11 +145,11 @@ resource "docker_org_member" "example" {
 			"role": schema.StringAttribute{
 				MarkdownDescription: "Role assigned to the user within the organization (e.g., 'member', 'editor', 'owner').",
 				Required:            true,
-				PlanModifiers: []planmodifier.String{
-					stringplanmodifier.RequiresReplace(),
-				},
 				Validators: []validator.String{
-					stringvalidator.OneOf("member", "editor", "owner"),
+					stringvalidator.OneOf(
+						string(hubclient.OrgRoleParamMember),
+						string(hubclient.OrgRoleParamEditor),
+						string(hubclient.OrgRoleParamOwner)),
 				},
 			},
 			"invite_id": schema.StringAttribute{
@@ -187,6 +188,7 @@ func (r *OrgMemberResource) Create(ctx context.Context, req resource.CreateReque
 		// Set computed fields.
 		data.InviteID = current.InviteID
 		data.Email = current.Email
+		data.UserName = current.UserName
 	} else {
 		// If the member is not found, invite them now.
 		inviteResp, err := r.client.InviteOrgMember(ctx,
@@ -207,6 +209,29 @@ func (r *OrgMemberResource) Create(ctx context.Context, req resource.CreateReque
 		if invite.Invite.ID != "" {
 			data.InviteID = types.StringValue(invite.Invite.ID)
 		}
+
+		// If username or email or not set, we need to compute them
+		if data.UserName.ValueString() == "" {
+			data.UserName = types.StringValue("")
+		}
+		if data.Email.ValueString() == "" {
+			data.Email = types.StringValue("")
+		}
+	}
+
+	isAlreadyMember := data.InviteID.ValueString() == "" && data.UserName.ValueString() != ""
+	isRoleUpdated := current.Role.ValueString() != data.Role.ValueString()
+
+	if isAlreadyMember && isRoleUpdated {
+		err = r.client.UpdateOrgMember(ctx,
+			data.OrgName.ValueString(),
+			data.UserName.ValueString(),
+			hubclient.OrgRoleParam(data.Role.ValueString()))
+		if err != nil {
+			errMsg := fmt.Sprintf("Unable to update org_member role: %v", err)
+			resp.Diagnostics.AddError("Error Updating Resource", errMsg)
+			return
+		}
 	}
 
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
@@ -237,6 +262,7 @@ func (r *OrgMemberResource) Read(ctx context.Context, req resource.ReadRequest,
 	if !found {
 		resp.Diagnostics.AddError("Resource Not Found",
 			fmt.Sprintf("Member not found in %s: %s", state.OrgName.ValueString(), invitee))
+		return
 	}
 
 	if data.Role.ValueString() == "" {
@@ -250,12 +276,52 @@ func (r *OrgMemberResource) Read(ctx context.Context, req resource.ReadRequest,
 	}
 }
 
-// NOTE(nicks): currently, we treat all fields as immutable,
-// so in theory update should never happen.
-//
-// Future work: update the provider to allow role changes.
 func (r *OrgMemberResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	return
+	var plan OrgMemberResourceModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	userNameOrEmail := plan.UserName.ValueString()
+	if userNameOrEmail == "" {
+		userNameOrEmail = plan.Email.ValueString()
+	}
+
+	data, found, err := r.orgMember(ctx, plan.OrgName.ValueString(), userNameOrEmail)
+	if err != nil {
+		resp.Diagnostics.AddError("Error Reading Resource", err.Error())
+		return
+	}
+	if !found {
+		resp.Diagnostics.AddError("Resource Not Found",
+			fmt.Sprintf("Member not found in %s: %s", plan.OrgName.ValueString(), userNameOrEmail))
+		return
+	}
+
+	// Role is the only field that can change.
+	if plan.Role.ValueString() == data.Role.ValueString() {
+		return
+	}
+
+	if data.InviteID.ValueString() != "" {
+		resp.Diagnostics.AddError("Resource cannot be changed",
+			fmt.Sprintf("Member role cannot be changed until invitation is accepted: %s", userNameOrEmail))
+		return
+	}
+
+	err = r.client.UpdateOrgMember(ctx,
+		data.OrgName.ValueString(),
+		data.UserName.ValueString(),
+		hubclient.OrgRoleParam(plan.Role.ValueString()))
+	if err != nil {
+		errMsg := fmt.Sprintf("Unable to update org_member role: %v", err)
+		resp.Diagnostics.AddError("Error Updating Resource", errMsg)
+		return
+	}
+
+	data.Role = plan.Role
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }
 
 func (r *OrgMemberResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
diff --git a/internal/provider/resource_org_member_test.go b/internal/provider/resource_org_member_test.go
@@ -56,6 +56,66 @@ resource "docker_org_member" "test" {
 	})
 }
 
+// TestAccOrgMemberResource_ExistingMember tests managing the role of an existing
+// organization member.
+//
+// By design, this test requires the user "nick20241127" to already be a member
+// so that we don't have to deal with the invite flow.
+func TestAccOrgMemberResource_ExistingMember(t *testing.T) {
+	org := envvar.GetWithDefault(envvar.AccTestOrganization)
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(`
+resource "docker_org_member" "test" {
+  org_name  = "%[1]s"
+  user_name = "nick20241127"
+  role      = "member"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}`, org),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("docker_org_member.test", "org_name", org),
+					resource.TestCheckResourceAttr("docker_org_member.test", "user_name", "nick20241127"),
+					resource.TestCheckResourceAttr("docker_org_member.test", "email", "nick.santos+nick20241127@docker.com"),
+					resource.TestCheckResourceAttr("docker_org_member.test", "role", "member"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+resource "docker_org_member" "test" {
+  org_name  = "%[1]s"
+  user_name = "nick20241127"
+  role      = "editor"
+
+  lifecycle{
+    prevent_destroy = true
+  }
+}`, org),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("docker_org_member.test", "org_name", org),
+					resource.TestCheckResourceAttr("docker_org_member.test", "user_name", "nick20241127"),
+					resource.TestCheckResourceAttr("docker_org_member.test", "email", "nick.santos+nick20241127@docker.com"),
+					resource.TestCheckResourceAttr("docker_org_member.test", "role", "editor"),
+				),
+			},
+			{
+				Config: `
+removed {
+  from = docker_org_member.test
+  lifecycle {
+    destroy = false
+  }
+}`,
+			},
+		},
+	})
+}
+
 func TestAccOrgMemberResourceImport(t *testing.T) {
 	username := os.Getenv("DOCKER_USERNAME")
 	org := envvar.GetWithDefault(envvar.AccTestOrganization)
