resources: use sets for properties where order has no significance

Author: wasaga

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
         run: go mod download
 
       - name: Run tests
-        run: go test -v -cover ./internal/provider/...
+        run: make test
 
       - name: Run acceptance tests
         run: |

Makefile

@@ -12,4 +12,10 @@ build:
 
 .PHONY: docs
 docs:
+	@echo "@==> $@"
 	go run github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest generate --provider-dir . -provider-name pomerium
+
+.PHONY: test
+test:
+	@echo "@==> $@"
+	@go test ./internal/provider/...

example/main.tf

@@ -76,12 +76,30 @@ resource "pomerium_policy" "test_policy" {
   })
 }
 
+resource "pomerium_policy" "test_policy_group" {
+  name         = "group test policy"
+  namespace_id = pomerium_namespace.test_namespace.id
+  ppl = yamlencode({
+    allow = {
+      and = [
+        {
+          groups = {
+            has = "gid-123456"
+          }
+        }
+      ]
+    }
+  })
+}
 resource "pomerium_route" "test_route" {
   name         = "test-route"
   namespace_id = pomerium_namespace.test_namespace.id
   from         = "https://verify-tf.localhost.pomerium.io"
   to           = ["https://verify.pomerium.com"]
-  policies     = [pomerium_policy.test_policy.id]
+  policies = [
+    pomerium_policy.test_policy_group.id,
+    pomerium_policy.test_policy.id,
+  ]
 }
 
 resource "pomerium_key_pair" "test_key_pair" {

internal/provider/convert.go

@@ -17,7 +17,18 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
-func FromStringSlice(slice []string) types.List {
+func FromStringSliceToSet(slice []string) types.Set {
+	if slice == nil {
+		return types.SetNull(types.StringType)
+	}
+	fields := make([]attr.Value, 0)
+	for _, v := range slice {
+		fields = append(fields, types.StringValue(v))
+	}
+	return types.SetValueMust(types.StringType, fields)
+}
+
+func FromStringSliceToList(slice []string) types.List {
 	if slice == nil {
 		return types.ListNull(types.StringType)
 	}
@@ -28,12 +39,12 @@ func FromStringSlice(slice []string) types.List {
 	return types.ListValueMust(types.StringType, fields)
 }
 
-// FromStringList converts a Settings_StringList to a types.List
-func FromStringList(sl *pb.Settings_StringList) types.List {
+// FromStringListToSet converts a Settings_StringList to a types.List
+func FromStringListToSet(sl *pb.Settings_StringList) types.Set {
 	if sl == nil {
-		return types.ListNull(types.StringType)
+		return types.SetNull(types.StringType)
 	}
-	return FromStringSlice(sl.Values)
+	return FromStringSliceToSet(sl.Values)
 }
 
 // FromStringMap converts a map[string]string to a types.Map
@@ -49,14 +60,14 @@ func FromStringMap(m map[string]string) types.Map {
 }
 
 // ToStringList converts a types.List to Settings_StringList and handles diagnostics internally
-func ToStringList(ctx context.Context, dst **pb.Settings_StringList, list types.List, diagnostics *diag.Diagnostics) {
-	if list.IsNull() {
+func ToStringListFromSet(ctx context.Context, dst **pb.Settings_StringList, set types.Set, diagnostics *diag.Diagnostics) {
+	if set.IsNull() {
 		*dst = nil
 		return
 	}
 
 	var values []string
-	diagnostics.Append(list.ElementsAs(ctx, &values, false)...)
+	diagnostics.Append(set.ElementsAs(ctx, &values, false)...)
 	if !diagnostics.HasError() {
 		*dst = &pb.Settings_StringList{Values: values}
 	}
@@ -76,8 +87,19 @@ func ToStringMap(ctx context.Context, dst *map[string]string, m types.Map, diagn
 	}
 }
 
-// ToStringSlice converts a types.List to string slice and handles diagnostics internally
-func ToStringSlice(ctx context.Context, dst *[]string, list types.List, diagnostics *diag.Diagnostics) {
+func ToStringSliceFromSet(ctx context.Context, dst *[]string, set types.Set, diagnostics *diag.Diagnostics) {
+	*dst = make([]string, 0)
+	if !set.IsNull() {
+		var values []string
+		diagnostics.Append(set.ElementsAs(ctx, &values, false)...)
+		if !diagnostics.HasError() {
+			*dst = values
+		}
+	}
+}
+
+// ToStringSliceFromList converts a types.List to string slice and handles diagnostics internally
+func ToStringSliceFromList(ctx context.Context, dst *[]string, list types.List, diagnostics *diag.Diagnostics) {
 	*dst = make([]string, 0)
 	if !list.IsNull() {
 		var values []string

internal/provider/convert_test.go

@@ -49,7 +49,7 @@ func TestFromStringSlice(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := provider.FromStringSlice(tt.input)
+			result := provider.FromStringSliceToList(tt.input)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
@@ -136,32 +136,32 @@ func TestToDuration(t *testing.T) {
 	}
 }
 
-func TestToStringList(t *testing.T) {
+func TestToStringListFromSet(t *testing.T) {
 	ctx := context.Background()
 	tests := []struct {
 		name        string
-		input       types.List
+		input       types.Set
 		expectError bool
 		validate    func(*testing.T, *pb.Settings_StringList)
 	}{
 		{
 			name:  "null list",
-			input: types.ListNull(types.StringType),
+			input: types.SetNull(types.StringType),
 			validate: func(t *testing.T, s *pb.Settings_StringList) {
 				assert.Nil(t, s)
 			},
 		},
 		{
 			name:  "empty list",
-			input: types.ListValueMust(types.StringType, []attr.Value{}),
+			input: types.SetValueMust(types.StringType, []attr.Value{}),
 			validate: func(t *testing.T, s *pb.Settings_StringList) {
 				require.NotNil(t, s)
 				assert.Empty(t, s.Values)
 			},
 		},
 		{
 			name: "valid list",
-			input: types.ListValueMust(types.StringType, []attr.Value{
+			input: types.SetValueMust(types.StringType, []attr.Value{
 				types.StringValue("value1"),
 				types.StringValue("value2"),
 			}),
@@ -176,7 +176,7 @@ func TestToStringList(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			var result *pb.Settings_StringList
 			diagnostics := diag.Diagnostics{}
-			provider.ToStringList(ctx, &result, tt.input, &diagnostics)
+			provider.ToStringListFromSet(ctx, &result, tt.input, &diagnostics)
 
 			if tt.expectError {
 				assert.True(t, diagnostics.HasError())

internal/provider/policy_model.go

@@ -49,7 +49,7 @@ func ConvertPolicyFromPB(dst *PolicyResourceModel, src *pb.Policy) diag.Diagnost
 	dst.Enforced = types.BoolValue(src.Enforced)
 	dst.Explanation = types.StringValue(src.Explanation)
 	dst.Remediation = types.StringValue(src.Remediation)
-	dst.Rego = FromStringSlice(src.Rego)
+	dst.Rego = FromStringSliceToList(src.Rego)
 	ppl, err := PolicyLanguageType{}.Parse(types.StringValue(src.Ppl))
 	if err != nil {
 		diagnostics.AddError("converting PPL", err.Error())

internal/provider/route.go

@@ -59,7 +59,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Description: "From URL.",
 				Required:    true,
 			},
-			"to": schema.ListAttribute{
+			"to": schema.SetAttribute{
 				ElementType: types.StringType,
 				Description: "To URLs.",
 				Required:    true,
@@ -68,7 +68,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Description: "ID of the namespace the route belongs to.",
 				Required:    true,
 			},
-			"policies": schema.ListAttribute{
+			"policies": schema.SetAttribute{
 				ElementType: types.StringType,
 				Description: "List of policy IDs associated with the route.",
 				Optional:    true,
@@ -163,7 +163,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Description: "Set request headers.",
 				Optional:    true,
 			},
-			"remove_request_headers": schema.ListAttribute{
+			"remove_request_headers": schema.SetAttribute{
 				ElementType: types.StringType,
 				Description: "Remove request headers.",
 				Optional:    true,

internal/provider/route_model.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
-	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/pomerium/enterprise-client-go/pb"
@@ -15,9 +14,9 @@ type RouteModel struct {
 	ID                               types.String         `tfsdk:"id"`
 	Name                             types.String         `tfsdk:"name"`
 	From                             types.String         `tfsdk:"from"`
-	To                               types.List           `tfsdk:"to"`
+	To                               types.Set            `tfsdk:"to"`
 	NamespaceID                      types.String         `tfsdk:"namespace_id"`
-	Policies                         types.List           `tfsdk:"policies"`
+	Policies                         types.Set            `tfsdk:"policies"`
 	StatName                         types.String         `tfsdk:"stat_name"`
 	Prefix                           types.String         `tfsdk:"prefix"`
 	Path                             types.String         `tfsdk:"path"`
@@ -39,7 +38,7 @@ type RouteModel struct {
 	TLSDownstreamServerName          types.String         `tfsdk:"tls_downstream_server_name"`
 	TLSUpstreamAllowRenegotiation    types.Bool           `tfsdk:"tls_upstream_allow_renegotiation"`
 	SetRequestHeaders                types.Map            `tfsdk:"set_request_headers"`
-	RemoveRequestHeaders             types.List           `tfsdk:"remove_request_headers"`
+	RemoveRequestHeaders             types.Set            `tfsdk:"remove_request_headers"`
 	SetResponseHeaders               types.Map            `tfsdk:"set_response_headers"`
 	PreserveHostHeader               types.Bool           `tfsdk:"preserve_host_header"`
 	PassIdentityHeaders              types.Bool           `tfsdk:"pass_identity_headers"`
@@ -81,7 +80,7 @@ func ConvertRouteToPB(
 	pbRoute.TlsDownstreamServerName = src.TLSDownstreamServerName.ValueStringPointer()
 	pbRoute.TlsUpstreamAllowRenegotiation = src.TLSUpstreamAllowRenegotiation.ValueBoolPointer()
 	ToStringMap(ctx, &pbRoute.SetRequestHeaders, src.SetRequestHeaders, &diagnostics)
-	ToStringSlice(ctx, &pbRoute.RemoveRequestHeaders, src.RemoveRequestHeaders, &diagnostics)
+	ToStringSliceFromSet(ctx, &pbRoute.RemoveRequestHeaders, src.RemoveRequestHeaders, &diagnostics)
 	ToStringMap(ctx, &pbRoute.SetResponseHeaders, src.SetResponseHeaders, &diagnostics)
 	pbRoute.PreserveHostHeader = src.PreserveHostHeader.ValueBoolPointer()
 	pbRoute.PassIdentityHeaders = src.PassIdentityHeaders.ValueBoolPointer()
@@ -110,14 +109,8 @@ func ConvertRouteFromPB(
 	dst.Name = types.StringValue(src.Name)
 	dst.From = types.StringValue(src.From)
 	dst.NamespaceID = types.StringValue(src.NamespaceId)
-
-	toList := make([]attr.Value, len(src.To))
-	for i, v := range src.To {
-		toList[i] = types.StringValue(v)
-	}
-	dst.To = types.ListValueMust(types.StringType, toList)
-
-	dst.Policies = FromStringSlice(StringSliceExclude(src.PolicyIds, src.EnforcedPolicyIds))
+	dst.To = FromStringSliceToSet(src.To)
+	dst.Policies = FromStringSliceToSet(StringSliceExclude(src.PolicyIds, src.EnforcedPolicyIds))
 	dst.StatName = types.StringValue(src.StatName)
 	dst.Prefix = types.StringPointerValue(src.Prefix)
 	dst.Path = types.StringPointerValue(src.Path)
@@ -139,7 +132,7 @@ func ConvertRouteFromPB(
 	dst.TLSDownstreamServerName = types.StringPointerValue(src.TlsDownstreamServerName)
 	dst.TLSUpstreamAllowRenegotiation = types.BoolPointerValue(src.TlsUpstreamAllowRenegotiation)
 	dst.SetRequestHeaders = FromStringMap(src.SetRequestHeaders)
-	dst.RemoveRequestHeaders = FromStringSlice(src.RemoveRequestHeaders)
+	dst.RemoveRequestHeaders = FromStringSliceToSet(src.RemoveRequestHeaders)
 	dst.SetResponseHeaders = FromStringMap(src.SetResponseHeaders)
 	dst.PreserveHostHeader = types.BoolPointerValue(src.PreserveHostHeader)
 	dst.PassIdentityHeaders = types.BoolPointerValue(src.PassIdentityHeaders)

internal/provider/route_test.go

@@ -37,7 +37,7 @@ func TestConvertRoute(t *testing.T) {
 		// Test conversion from model to pb
 		plan := provider.RouteResourceModel{
 			From: types.StringValue("from"),
-			To:   types.ListValueMust(types.StringType, []attr.Value{types.StringValue("to")}),
+			To:   types.SetValueMust(types.StringType, []attr.Value{types.StringValue("to")}),
 			Name: types.StringValue("route-name"),
 			ID:   types.StringValue("route-id"),
 		}

internal/provider/settings_model.go

@@ -10,11 +10,11 @@ import (
 )
 
 type SettingsModel struct {
-	AccessLogFields                                   types.List           `tfsdk:"access_log_fields"`
+	AccessLogFields                                   types.Set            `tfsdk:"access_log_fields"`
 	Address                                           types.String         `tfsdk:"address"`
 	AuthenticateCallbackPath                          types.String         `tfsdk:"authenticate_callback_path"`
 	AuthenticateServiceURL                            types.String         `tfsdk:"authenticate_service_url"`
-	AuthorizeLogFields                                types.List           `tfsdk:"authorize_log_fields"`
+	AuthorizeLogFields                                types.Set            `tfsdk:"authorize_log_fields"`
 	AuthorizeServiceURL                               types.String         `tfsdk:"authorize_service_url"`
 	Autocert                                          types.Bool           `tfsdk:"autocert"`
 	AutocertDir                                       types.String         `tfsdk:"autocert_dir"`
@@ -73,7 +73,7 @@ type SettingsModel struct {
 	PrimaryColor                                      types.String         `tfsdk:"primary_color"`
 	ProxyLogLevel                                     types.String         `tfsdk:"proxy_log_level"`
 	RequestParams                                     types.Map            `tfsdk:"request_params"`
-	Scopes                                            types.List           `tfsdk:"scopes"`
+	Scopes                                            types.Set            `tfsdk:"scopes"`
 	SecondaryColor                                    types.String         `tfsdk:"secondary_color"`
 	SetResponseHeaders                                types.Map            `tfsdk:"set_response_headers"`
 	SkipXFFAppend                                     types.Bool           `tfsdk:"skip_xff_append"`
@@ -89,11 +89,11 @@ func ConvertSettingsToPB(
 	var diagnostics diag.Diagnostics
 	pbSettings := &pb.Settings{}
 
-	ToStringList(ctx, &pbSettings.AccessLogFields, src.AccessLogFields, &diagnostics)
+	ToStringListFromSet(ctx, &pbSettings.AccessLogFields, src.AccessLogFields, &diagnostics)
 	pbSettings.Address = src.Address.ValueStringPointer()
 	pbSettings.AuthenticateCallbackPath = src.AuthenticateCallbackPath.ValueStringPointer()
 	pbSettings.AuthenticateServiceUrl = src.AuthenticateServiceURL.ValueStringPointer()
-	ToStringList(ctx, &pbSettings.AuthorizeLogFields, src.AuthorizeLogFields, &diagnostics)
+	ToStringListFromSet(ctx, &pbSettings.AuthorizeLogFields, src.AuthorizeLogFields, &diagnostics)
 	pbSettings.AuthorizeServiceUrl = src.AuthorizeServiceURL.ValueStringPointer()
 	pbSettings.Autocert = src.Autocert.ValueBoolPointer()
 	pbSettings.AutocertDir = src.AutocertDir.ValueStringPointer()
@@ -144,7 +144,7 @@ func ConvertSettingsToPB(
 	pbSettings.PrimaryColor = src.PrimaryColor.ValueStringPointer()
 	pbSettings.ProxyLogLevel = src.ProxyLogLevel.ValueStringPointer()
 	ToStringMap(ctx, &pbSettings.RequestParams, src.RequestParams, &diagnostics)
-	ToStringSlice(ctx, &pbSettings.Scopes, src.Scopes, &diagnostics)
+	ToStringSliceFromSet(ctx, &pbSettings.Scopes, src.Scopes, &diagnostics)
 	pbSettings.SecondaryColor = src.SecondaryColor.ValueStringPointer()
 	ToStringMap(ctx, &pbSettings.SetResponseHeaders, src.SetResponseHeaders, &diagnostics)
 	pbSettings.SkipXffAppend = src.SkipXFFAppend.ValueBoolPointer()
@@ -161,11 +161,11 @@ func ConvertSettingsFromPB(
 ) diag.Diagnostics {
 	var diagnostics diag.Diagnostics
 
-	dst.AccessLogFields = FromStringList(src.AccessLogFields)
+	dst.AccessLogFields = FromStringListToSet(src.AccessLogFields)
 	dst.Address = types.StringPointerValue(src.Address)
 	dst.AuthenticateCallbackPath = types.StringPointerValue(src.AuthenticateCallbackPath)
 	dst.AuthenticateServiceURL = types.StringPointerValue(src.AuthenticateServiceUrl)
-	dst.AuthorizeLogFields = FromStringList(src.AuthorizeLogFields)
+	dst.AuthorizeLogFields = FromStringListToSet(src.AuthorizeLogFields)
 	dst.AuthorizeServiceURL = types.StringPointerValue(src.AuthorizeServiceUrl)
 	dst.Autocert = types.BoolPointerValue(src.Autocert)
 	dst.AutocertDir = types.StringPointerValue(src.AutocertDir)
@@ -216,7 +216,7 @@ func ConvertSettingsFromPB(
 	dst.PrimaryColor = types.StringPointerValue(src.PrimaryColor)
 	dst.ProxyLogLevel = types.StringPointerValue(src.ProxyLogLevel)
 	dst.RequestParams = FromStringMap(src.RequestParams)
-	dst.Scopes = FromStringSlice(src.Scopes)
+	dst.Scopes = FromStringSliceToSet(src.Scopes)
 	dst.SecondaryColor = types.StringPointerValue(src.SecondaryColor)
 	dst.SetResponseHeaders = FromStringMap(src.SetResponseHeaders)
 	dst.SkipXFFAppend = types.BoolPointerValue(src.SkipXffAppend)

internal/provider/settings_schema.go

@@ -139,7 +139,7 @@ var SettingsResourceSchema = schema.Schema{
 			Optional:    true,
 			Description: "IDP provider URL",
 		},
-		"scopes": schema.ListAttribute{
+		"scopes": schema.SetAttribute{
 			Optional:    true,
 			ElementType: types.StringType,
 			Description: "Scopes",
@@ -434,12 +434,12 @@ var SettingsResourceSchema = schema.Schema{
 			Description: "Identity provider refresh timeout",
 			CustomType:  timetypes.GoDurationType{},
 		},
-		"access_log_fields": schema.ListAttribute{
+		"access_log_fields": schema.SetAttribute{
 			Optional:    true,
 			ElementType: types.StringType,
 			Description: "Access log fields",
 		},
-		"authorize_log_fields": schema.ListAttribute{
+		"authorize_log_fields": schema.SetAttribute{
 			Optional:    true,
 			ElementType: types.StringType,
 			Description: "Authorize log fields",