[5/X] DXCDT-455: Fix permissions update issue in auth0_role_permissions resource

docs/resources/user_permission.md

@@ -69,7 +69,6 @@ Import is supported using the following syntax:
 # This resource can be imported by specifying the
 # user ID, resource identifier and permission name separated by "::" (note the double colon)
 # <userID>::<resourceServerIdentifier>::<permission>
-
 #
 # Example:
 terraform import auth0_user_permission.permission "auth0|111111111111111111111111::https://api.travel0.com/v1::read:posts"

docs/resources/user_role.md

@@ -59,8 +59,10 @@ resource "auth0_user_role" "user_roles" {
 Import is supported using the following syntax:
 
 ```shell
-# This resource can be imported using the user ID.
+# This resource can be imported by specifying the
+# user ID and role ID separated by "::" (note the double colon)
+# <userID>::<roleID>
 #
 # Example:
-terraform import auth0_user_role.user_role "auth0|111111111111111111111111"
+terraform import auth0_user_role.user_role "auth0|111111111111111111111111::role_123"
 ```

examples/resources/auth0_user_permission/import.sh

@@ -1,7 +1,6 @@
 # This resource can be imported by specifying the
 # user ID, resource identifier and permission name separated by "::" (note the double colon)
 # <userID>::<resourceServerIdentifier>::<permission>
-
 #
 # Example:
 terraform import auth0_user_permission.permission "auth0|111111111111111111111111::https://api.travel0.com/v1::read:posts"

examples/resources/auth0_user_role/import.sh

@@ -1,4 +1,6 @@
-# This resource can be imported using the user ID.
+# This resource can be imported by specifying the
+# user ID and role ID separated by "::" (note the double colon)
+# <userID>::<roleID>
 #
 # Example:
-terraform import auth0_user_role.user_role "auth0|111111111111111111111111"
+terraform import auth0_user_role.user_role "auth0|111111111111111111111111::role_123"

internal/auth0/role/resource_permissions.go

@@ -66,46 +66,56 @@ func NewPermissionsResource() *schema.Resource {
 }
 
 func upsertRolePermissions(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if !data.HasChange("permissions") {
+		return nil
+	}
+
 	api := meta.(*config.Config).GetAPI()
 	mutex := meta.(*config.Config).GetMutex()
 
 	roleID := data.Get("role_id").(string)
 
-	if !data.HasChange("permissions") {
-		return nil
-	}
-
 	mutex.Lock(roleID)
 	defer mutex.Unlock(roleID)
 
 	toAdd, toRemove := value.Difference(data, "permissions")
 
-	var addPermissions []*management.Permission
-	for _, addPermission := range toAdd {
-		permission := addPermission.(map[string]interface{})
-		addPermissions = append(addPermissions, &management.Permission{
+	var rmPermissions []*management.Permission
+	for _, rmPermission := range toRemove {
+		permission := rmPermission.(map[string]interface{})
+		rmPermissions = append(rmPermissions, &management.Permission{
 			Name:                     auth0.String(permission["name"].(string)),
 			ResourceServerIdentifier: auth0.String(permission["resource_server_identifier"].(string)),
 		})
 	}
 
-	if len(addPermissions) > 0 {
-		if err := api.Role.AssociatePermissions(roleID, addPermissions); err != nil {
+	if len(rmPermissions) > 0 {
+		if err := api.Role.RemovePermissions(roleID, rmPermissions); err != nil {
+			if mErr, ok := err.(management.Error); ok && mErr.Status() == http.StatusNotFound {
+				data.SetId("")
+				return nil
+			}
+
 			return diag.FromErr(err)
 		}
 	}
 
-	var rmPermissions []*management.Permission
-	for _, rmPermission := range toRemove {
-		permission := rmPermission.(map[string]interface{})
-		rmPermissions = append(rmPermissions, &management.Permission{
+	var addPermissions []*management.Permission
+	for _, addPermission := range toAdd {
+		permission := addPermission.(map[string]interface{})
+		addPermissions = append(addPermissions, &management.Permission{
 			Name:                     auth0.String(permission["name"].(string)),
 			ResourceServerIdentifier: auth0.String(permission["resource_server_identifier"].(string)),
 		})
 	}
 
-	if len(rmPermissions) > 0 {
-		if err := api.Role.RemovePermissions(roleID, rmPermissions); err != nil {
+	if len(addPermissions) > 0 {
+		if err := api.Role.AssociatePermissions(roleID, addPermissions); err != nil {
+			if mErr, ok := err.(management.Error); ok && mErr.Status() == http.StatusNotFound {
+				data.SetId("")
+				return nil
+			}
+
 			return diag.FromErr(err)
 		}
 	}
@@ -145,6 +155,7 @@ func deleteRolePermissions(_ context.Context, data *schema.ResourceData, meta in
 	defer mutex.Unlock(roleID)
 
 	permissionsToRemove := data.Get("permissions").(*schema.Set).List()
+
 	var rmPermissions []*management.Permission
 	for _, p := range permissionsToRemove {
 		perm := p.(map[string]interface{})
@@ -155,17 +166,13 @@ func deleteRolePermissions(_ context.Context, data *schema.ResourceData, meta in
 		rmPermissions = append(rmPermissions, role)
 	}
 
-	if err := api.Role.RemovePermissions(
-		roleID,
-		rmPermissions,
-	); err != nil {
+	if err := api.Role.RemovePermissions(roleID, rmPermissions); err != nil {
 		if mErr, ok := err.(management.Error); ok && mErr.Status() == http.StatusNotFound {
-			data.SetId("")
 			return nil
 		}
+
 		return diag.FromErr(err)
 	}
 
-	data.SetId("")
 	return nil
 }