Update system user client funcs to use fw diags

tobio · tobio · commit 9d4eaa7d2c10 · 2025-06-04T15:29:07.000+10:00
diff --git a/internal/clients/elasticsearch/security.go b/internal/clients/elasticsearch/security.go
@@ -89,60 +89,88 @@ func DeleteUser(ctx context.Context, apiClient *clients.ApiClient, username stri
 	return diags
 }
 
-func EnableUser(ctx context.Context, apiClient *clients.ApiClient, username string) diag.Diagnostics {
-	var diags diag.Diagnostics
+func EnableUser(ctx context.Context, apiClient *clients.ApiClient, username string) fwdiag.Diagnostics {
+	var diags fwdiag.Diagnostics
 	esClient, err := apiClient.GetESClient()
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to get Elasticsearch client",
+			err.Error(),
+		)
+		return diags
 	}
 	res, err := esClient.Security.EnableUser(username, esClient.Security.EnableUser.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to enable system user",
+			err.Error(),
+		)
+		return diags
 	}
 	defer res.Body.Close()
-	if diags := utils.CheckError(res, "Unable to enable system user"); diags.HasError() {
+	if diags := utils.CheckErrorFromFW(res, "Unable to enable system user"); diags.HasError() {
 		return diags
 	}
 	return diags
 }
 
-func DisableUser(ctx context.Context, apiClient *clients.ApiClient, username string) diag.Diagnostics {
-	var diags diag.Diagnostics
+func DisableUser(ctx context.Context, apiClient *clients.ApiClient, username string) fwdiag.Diagnostics {
+	var diags fwdiag.Diagnostics
 	esClient, err := apiClient.GetESClient()
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to get Elasticsearch client",
+			err.Error(),
+		)
+		return diags
 	}
 	res, err := esClient.Security.DisableUser(username, esClient.Security.DisableUser.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to disable system user",
+			err.Error(),
+		)
+		return diags
 	}
 	defer res.Body.Close()
-	if diags := utils.CheckError(res, "Unable to disable system user"); diags.HasError() {
+	if diags := utils.CheckErrorFromFW(res, "Unable to disable system user"); diags.HasError() {
 		return diags
 	}
 	return diags
 }
 
-func ChangeUserPassword(ctx context.Context, apiClient *clients.ApiClient, username string, userPassword *models.UserPassword) diag.Diagnostics {
-	var diags diag.Diagnostics
+func ChangeUserPassword(ctx context.Context, apiClient *clients.ApiClient, username string, userPassword *models.UserPassword) fwdiag.Diagnostics {
+	var diags fwdiag.Diagnostics
 	userPasswordBytes, err := json.Marshal(userPassword)
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to marshal user password",
+			err.Error(),
+		)
+		return diags
 	}
 	esClient, err := apiClient.GetESClient()
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to get Elasticsearch client",
+			err.Error(),
+		)
+		return diags
 	}
 	res, err := esClient.Security.ChangePassword(
 		bytes.NewReader(userPasswordBytes),
 		esClient.Security.ChangePassword.WithUsername(username),
 		esClient.Security.ChangePassword.WithContext(ctx),
 	)
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError(
+			"Unable to change user password",
+			err.Error(),
+		)
+		return diags
 	}
 	defer res.Body.Close()
-	if diags := utils.CheckError(res, "Unable to change user's password"); diags.HasError() {
+	if diags := utils.CheckErrorFromFW(res, "Unable to change user's password"); diags.HasError() {
 		return diags
 	}
 	return diags
diff --git a/internal/elasticsearch/security/system_user/update.go b/internal/elasticsearch/security/system_user/update.go
@@ -46,27 +46,25 @@ func (r *systemUserResource) update(ctx context.Context, plan tfsdk.Plan, state
 	}
 
 	var userPassword models.UserPassword
+	// TB TODO Fix up this logic. It should only set the password when it's set in config
 	if utils.IsKnown(data.Password) && (user.Password == nil || data.Password.ValueString() != *user.Password) {
 		userPassword.Password = data.Password.ValueStringPointer()
 	}
 	if utils.IsKnown(data.PasswordHash) && (user.PasswordHash == nil || data.PasswordHash.ValueString() != *user.PasswordHash) {
 		userPassword.PasswordHash = data.PasswordHash.ValueStringPointer()
 	}
 	if userPassword.Password != nil || userPassword.PasswordHash != nil {
-		sdkDiags := elasticsearch.ChangeUserPassword(ctx, r.client, usernameId, &userPassword)
-		diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)
+		diags.Append(elasticsearch.ChangeUserPassword(ctx, r.client, usernameId, &userPassword)...)
 		if diags.HasError() {
 			return diags
 		}
 	}
 
 	if utils.IsKnown(data.Enabled) && !data.Enabled.IsNull() && data.Enabled.ValueBool() != user.Enabled {
 		if data.Enabled.ValueBool() {
-			sdkDiags := elasticsearch.EnableUser(ctx, r.client, usernameId)
-			diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)
+			diags.Append(elasticsearch.EnableUser(ctx, r.client, usernameId)...)
 		} else {
-			sdkDiags := elasticsearch.DisableUser(ctx, r.client, usernameId)
-			diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)
+			diags.Append(elasticsearch.DisableUser(ctx, r.client, usernameId)...)
 		}
 		if diags.HasError() {
 			return diags
diff --git a/internal/utils/diag.go b/internal/utils/diag.go
@@ -42,6 +42,21 @@ func CheckError(res *esapi.Response, errMsg string) sdkdiag.Diagnostics {
 	return diags
 }
 
+func CheckErrorFromFW(res *esapi.Response, errMsg string) fwdiag.Diagnostics {
+	var diags fwdiag.Diagnostics
+
+	if res.IsError() {
+		body, err := io.ReadAll(res.Body)
+		if err != nil {
+			diags.AddError(errMsg, err.Error())
+			return diags
+		}
+		diags.AddError(errMsg, fmt.Sprintf("Failed with: %s", body))
+		return diags
+	}
+	return diags
+}
+
 func CheckHttpError(res *http.Response, errMsg string) sdkdiag.Diagnostics {
 	var diags sdkdiag.Diagnostics
 

Original file line number	Diff line number	Diff line change
`@@ -46,27 +46,25 @@ func (r *systemUserResource) update(ctx context.Context, plan tfsdk.Plan, state`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`var userPassword models.UserPassword`
	`49`	`+ // TB TODO Fix up this logic. It should only set the password when it's set in config`
`49`	`50`	`if utils.IsKnown(data.Password) && (user.Password == nil \|\| data.Password.ValueString() != *user.Password) {`
`50`	`51`	`userPassword.Password = data.Password.ValueStringPointer()`
`51`	`52`	`}`
`52`	`53`	`if utils.IsKnown(data.PasswordHash) && (user.PasswordHash == nil \|\| data.PasswordHash.ValueString() != *user.PasswordHash) {`
`53`	`54`	`userPassword.PasswordHash = data.PasswordHash.ValueStringPointer()`
`54`	`55`	`}`
`55`	`56`	`if userPassword.Password != nil \|\| userPassword.PasswordHash != nil {`
`56`		`- sdkDiags := elasticsearch.ChangeUserPassword(ctx, r.client, usernameId, &userPassword)`
`57`		`- diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)`
	`57`	`+ diags.Append(elasticsearch.ChangeUserPassword(ctx, r.client, usernameId, &userPassword)...)`
`58`	`58`	`if diags.HasError() {`
`59`	`59`	`return diags`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`if utils.IsKnown(data.Enabled) && !data.Enabled.IsNull() && data.Enabled.ValueBool() != user.Enabled {`
`64`	`64`	`if data.Enabled.ValueBool() {`
`65`		`- sdkDiags := elasticsearch.EnableUser(ctx, r.client, usernameId)`
`66`		`- diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)`
	`65`	`+ diags.Append(elasticsearch.EnableUser(ctx, r.client, usernameId)...)`
`67`	`66`	`} else {`
`68`		`- sdkDiags := elasticsearch.DisableUser(ctx, r.client, usernameId)`
`69`		`- diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)`
	`67`	`+ diags.Append(elasticsearch.DisableUser(ctx, r.client, usernameId)...)`
`70`	`68`	`}`
`71`	`69`	`if diags.HasError() {`
`72`	`70`	`return diags`