Add Beta writable_environment_categories to dbtcloud_service_token

.gitignore

@@ -6,3 +6,4 @@ terraform-provider*
 autogen
 TODO.md
 NOTES.md
+.DS_Store

docs/data-sources/service_token.md

@@ -17,20 +17,25 @@ description: |-
 
 ### Required
 
-- `service_token_id` (Number) ID of the service token
+- `service_token_id` (Number) The ID of the service token
 
 ### Read-Only
 
-- `id` (String) The ID of this resource.
+- `id` (String) The ID of the service token
 - `name` (String) Service token name
-- `service_token_permissions` (Set of Object) Permissions set for the service token (see [below for nested schema](#nestedatt--service_token_permissions))
-- `uid` (String) The UID of the service token (part of the token secret)
+- `service_token_permissions` (Block Set) Permissions set for the service token (see [below for nested schema](#nestedblock--service_token_permissions))
+- `uid` (String) Service token UID (part of the token)
 
-<a id="nestedatt--service_token_permissions"></a>
+<a id="nestedblock--service_token_permissions"></a>
 ### Nested Schema for `service_token_permissions`
 
 Read-Only:
 
-- `all_projects` (Boolean)
-- `permission_set` (String)
-- `project_id` (Number)
+- `all_projects` (Boolean) Whether or not to apply this permission to all projects for this service token
+- `permission_set` (String) Set of permissions to apply
+- `project_id` (Number) Project ID to apply this permission to for this service token
+- `writable_environment_categories` (Set of String) What types of environments to apply Write permissions to.
+Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
+The values allowed are `all`, `development`, `staging`, `production` and `other`.
+Not setting a value is the same as selecting `all`.
+Not all permission sets support environment level write settings, only `analyst`, `database_admin`, `developer`, `git_admin` and `team_admin`.

docs/resources/service_token.md

@@ -7,31 +7,32 @@ description: |-
 
 # dbtcloud_service_token (Resource)
 
-The mapping of permission names [from the docs](https://docs.getdbt.com/docs/cloud/manage-access/enterprise-permissions) to the permissions to set in Terraform is the following:
-
-|Permission name......... | Permission code|
-|-- | --|
-|Account Admin | account_admin|
-|Account Viewer | account_viewer|
-|Admin | admin|
-|Analyst | analyst|
-|Billing Admin | billing_admin|
-|Database Admin | database_admin|
-|Developer | developer|
-|Git Admin | git_admin|
-|Job Admin | job_admin|
-|Job Runner | job_runner|
-|Job Viewer | job_viewer|
-|Member | member|
-|Metadata Only | metadata_only|
-|Owner | owner|
-|Project Creator | project_creator|
-|Read-Only | readonly|
-|Security Admin | security_admin|
-|Semantic Layer Only | semantic_layer_only|
-|Stakeholder | stakeholder|
-|Team Admin | team_admin|
-|Webhooks Only | webhooks_only|
+### Nested Schema for `service_token_permissions`
+The mapping of permission names [from the docs](https://docs.getdbt.com/docs/cloud/manage-access/enterprise-permissions) to a `permissions_set` in `service_token_permissions`:
+
+| Permission name | `permission_set = ...` |
+| --- | --- |
+| Account Admin | `"account_admin"` |
+| Account Viewer | `"account_viewer"` |
+| Admin | `"admin"` |
+| Analyst | `"analyst"` |
+| Billing Admin | `"billing_admin"` |
+| Database Admin | `"database_admin"` |
+| Developer | `"developer"` |
+| Git Admin | `"git_admin"` |
+| Job Admin | `"job_admin"` |
+| Job Runner | `"job_runner"` |
+| Job Viewer | `"job_viewer"` |
+| Member | `"member"` |
+| Metadata Only | `"metadata_only"` |
+| Owner | `"owner"` |
+| Project Creator | `"project_creator"` |
+| Read-Only | `"readonly"` |
+| Security Admin | `"security_admin"` |
+| Semantic Layer Only | `"semantic_layer_only"` |
+| Stakeholder | `"stakeholder"` |
+| Team Admin | `"team_admin"` |
+| Webhooks Only | `"webhooks_only"` |
 
 
 
@@ -41,15 +42,32 @@ The mapping of permission names [from the docs](https://docs.getdbt.com/docs/clo
 ```terraform
 resource "dbtcloud_service_token" "test_service_token" {
   name = "Test Service Token"
+
+  // Grant the service token `git_admin` permissions on all projects
   service_token_permissions {
     permission_set = "git_admin"
     all_projects   = true
   }
+
+  // Grant the service token `job_admin` permissions on a specific project
   service_token_permissions {
     permission_set = "job_admin"
     all_projects   = false
     project_id     = dbtcloud_project.dbt_project.id
   }
+
+  // Grant the service token `developer` permissions on all projects, 
+  // but only in the `development` and `staging` environments
+  //
+  // NOTE: This is only configurable for certain `permission_set` values
+  service_token_permissions {
+    permission_set = "developer"
+    all_projects   = true
+    writable_environment_categories = [
+      "development",
+      "staging"
+    ]
+  }
 }
 ```
 
@@ -67,7 +85,7 @@ resource "dbtcloud_service_token" "test_service_token" {
 
 ### Read-Only
 
-- `id` (String) The ID of this resource.
+- `id` (String) The ID of the service token
 - `token_string` (String, Sensitive) Service token secret value (only accessible on creation))
 - `uid` (String) Service token UID (part of the token)
 
@@ -82,6 +100,11 @@ Required:
 Optional:
 
 - `project_id` (Number) Project ID to apply this permission to for this service token
+- `writable_environment_categories` (Set of String) What types of environments to apply Write permissions to.
+Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
+The values allowed are `all`, `development`, `staging`, `production` and `other`.
+Not setting a value is the same as selecting `all`.
+Not all permission sets support environment level write settings, only `analyst`, `database_admin`, `developer`, `git_admin` and `team_admin`.
 
 ## Import
 
@@ -90,16 +113,16 @@ Import is supported using the following syntax:
 ```shell
 # using  import blocks (requires Terraform >= 1.5)
 import {
-  to = dbtcloud_group.my_service_token
+  to = dbtcloud_service_token.my_service_token
   id = "service_token_id"
 }
 
 import {
-  to = dbtcloud_group.my_service_token
+  to = dbtcloud_service_token.my_service_token
   id = "12345"
 }
 
 # using the older import command
-terraform import dbtcloud_group.my_service_token "service_token_id"
-terraform import dbtcloud_group.my_service_token 12345
+terraform import dbtcloud_service_token.my_service_token "service_token_id"
+terraform import dbtcloud_service_token.my_service_token 12345
 ```

examples/resources/dbtcloud_service_token/import.sh

@@ -1,14 +1,14 @@
 # using  import blocks (requires Terraform >= 1.5)
 import {
-  to = dbtcloud_group.my_service_token
+  to = dbtcloud_service_token.my_service_token
   id = "service_token_id"
 }
 
 import {
-  to = dbtcloud_group.my_service_token
+  to = dbtcloud_service_token.my_service_token
   id = "12345"
 }
 
 # using the older import command
-terraform import dbtcloud_group.my_service_token "service_token_id"
-terraform import dbtcloud_group.my_service_token 12345
+terraform import dbtcloud_service_token.my_service_token "service_token_id"
+terraform import dbtcloud_service_token.my_service_token 12345

examples/resources/dbtcloud_service_token/resource.tf

@@ -1,12 +1,29 @@
 resource "dbtcloud_service_token" "test_service_token" {
   name = "Test Service Token"
+
+  // Grant the service token `git_admin` permissions on all projects
   service_token_permissions {
     permission_set = "git_admin"
     all_projects   = true
   }
+
+  // Grant the service token `job_admin` permissions on a specific project
   service_token_permissions {
     permission_set = "job_admin"
     all_projects   = false
     project_id     = dbtcloud_project.dbt_project.id
   }
+
+  // Grant the service token `developer` permissions on all projects, 
+  // but only in the `development` and `staging` environments
+  //
+  // NOTE: This is only configurable for certain `permission_set` values
+  service_token_permissions {
+    permission_set = "developer"
+    all_projects   = true
+    writable_environment_categories = [
+      "development",
+      "staging"
+    ]
+  }
 }

pkg/dbt_cloud/environment_category.go

@@ -0,0 +1,26 @@
+package dbt_cloud
+
+// EnvironmentCategory is a type for the different environment categories
+type EnvironmentCategory = string
+
+const (
+	// All is the category for all environments
+	EnvironmentCategory_All EnvironmentCategory = "all"
+	// Development is the category for development environments
+	EnvironmentCategory_Development EnvironmentCategory = "development"
+	// Staging is the category for staging environments
+	EnvironmentCategory_Staging EnvironmentCategory = "staging"
+	// Production is the category for production environments
+	EnvironmentCategory_Production EnvironmentCategory = "production"
+	// Other is the category for other environments
+	EnvironmentCategory_Other EnvironmentCategory = "other"
+)
+
+// EnvironmentCategories is a list of all possible environment categories
+var EnvironmentCategories = []EnvironmentCategory{
+	EnvironmentCategory_All,
+	EnvironmentCategory_Development,
+	EnvironmentCategory_Staging,
+	EnvironmentCategory_Production,
+	EnvironmentCategory_Other,
+}

pkg/dbt_cloud/group.go

@@ -17,7 +17,7 @@ type GroupPermission struct {
 	State                         int      `json:"state,omitempty"`
 	Set                           string   `json:"permission_set,omitempty"`
 	Level                         string   `json:"permission_level,omitempty"`
-	WritableEnvironmentCategories []string `json:"writable_environment_categories,omitempty"`
+	WritableEnvironmentCategories []string `json:"writable_environment_categories,omitempty"` // TODO(cwalden): use environment_category.go#EnvironmentCategory ?
 }
 
 type Group struct {

pkg/dbt_cloud/service_token.go

@@ -9,13 +9,14 @@ import (
 )
 
 type ServiceTokenPermission struct {
-	ID             *int   `json:"id,omitempty"`
-	AccountID      int    `json:"account_id"`
-	ServiceTokenID int    `json:"service_token_id"`
-	ProjectID      int    `json:"project_id,omitempty"`
-	AllProjects    bool   `json:"all_projects"`
-	State          int    `json:"state,omitempty"`
-	Set            string `json:"permission_set,omitempty"`
+	ID             *int                  `json:"id,omitempty"`
+	AccountID      int                   `json:"account_id"`
+	ServiceTokenID int                   `json:"service_token_id"`
+	ProjectID      int                   `json:"project_id,omitempty"`
+	AllProjects    bool                  `json:"all_projects"`
+	State          int                   `json:"state,omitempty"`
+	Set            string                `json:"permission_set,omitempty"`
+	WritableEnvs   []EnvironmentCategory `json:"writable_environment_categories,omitempty"`
 }
 
 type ServiceToken struct {
@@ -154,6 +155,7 @@ func (c *Client) UpdateServiceToken(serviceTokenID int, serviceToken ServiceToke
 
 func (c *Client) UpdateServiceTokenPermissions(serviceTokenID int, serviceTokenPermissions []ServiceTokenPermission) (*[]ServiceTokenPermission, error) {
 	serviceTokenPermissionData, err := json.Marshal(serviceTokenPermissions)
+
 	if err != nil {
 		return nil, err
 	}

pkg/framework/objects/group/data_source.go

@@ -36,7 +36,7 @@ func (d *groupDataSource) Read(
 	resp *datasource.ReadResponse,
 ) {
 
-	var data GroupDatasourceModel
+	var data GroupDataSourceModel
 
 	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
 

pkg/framework/objects/group/model.go

@@ -18,7 +18,7 @@ type GroupResourceModel struct {
 }
 
 // we need a different one just because historically the data source uses `group_id` instead of `id`
-type GroupDatasourceModel struct {
+type GroupDataSourceModel struct {
 	ID               types.Int64       `tfsdk:"id"`
 	GroupID          types.Int64       `tfsdk:"group_id"`
 	Name             types.String      `tfsdk:"name"`