When trying to update a Rollbar project access token to use a different scope, status, or name than it was created with, the API returns status 200 OK indicating success. However subsequently listing the tokens shows no update was actually made.

If it is intentional that a token's scope, status, & name cannot be changed after creation, then the API should return status 400 Bad Request with a helpful error message. If this behavior is unintentional, then the API should update the token's record in the data store before returning 200 OK.

Example

jmcvetta@carbon:~/projects/terraform-provider-rollbar$ http PATCH https://api.rollbar.com/api/1/project/413779/access_token/055ab702454e40798fd22bdac249eb2e X-Rollbar-Access-Token:redacted status:='"disabled"'
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 14
Content-Type: application/json; charset=utf-8
Date: Wed, 14 Oct 2020 14:04:50 GMT
Server: nginx/1.17.9
Via: 1.1 google
X-Rate-Limit-Limit: 5000
X-Rate-Limit-Remaining: 4997
X-Rate-Limit-Remaining-Seconds: 41
X-Rate-Limit-Reset: 1602684331
X-Response-Time: 101ms

{
    "err": 0
}


$ http GET https://api.rollbar.com/api/1/project/413779/access_tokens X-Rollbar-Access-Token:redacted  | head -18
{
  "err": 0,
  "result": [
    {
      "project_id": 413779,
      "access_token": "055ab702454e40798fd22bdac249eb2e",
      "name": "test-token",
      "status": "enabled",
      "rate_limit_window_size": null,
      "rate_limit_window_count": null,
      "cur_rate_limit_window_start": 1602684290,
      "cur_rate_limit_window_count": 0,
      "date_created": 1602683433,
      "date_modified": 1602684290,
      "scopes": [
        "read"
      ]
    },

As part of merging https://github.com/babbel/rollbar-go/ (per #1) into our own Rollbar API client, we need better API mocking.

The existing tests for https://github.com/babbel/rollbar-go/ do manual API mocking. It would be better to use an open source mocking tool.

The internal Rollbar API client in the jmcvetta provider uses Resty as a REST client. Resty supports supports httpmock for mocking. Therefore that's probably a good choice.

Add badges for CodeQL and ShiftLeft to Status section of README.

A different set of fields is returned when listing all users versus getting a single user. The field email_enabled is only returned by the single user endpoint.

$ http GET https://api.rollbar.com/api/1/users X-Rollbar-Access-Token:redacted

{
    "err": 0,
    "result": {
        "users": [
            {
                "email": "[email protected]",
                "id": 238101,
                "username": "jmcvetta"
            }
        ]
    }
}


$ http GET https://api.rollbar.com/api/1/user/238101 X-Rollbar-Access-Token:redacted

{
    "err": 0,
    "result": {
        "email": "[email protected]",
        "email_enabled": 1,
        "id": 238101,
        "username": "jmcvetta"
    }
}

It would be better if both endpoints returned the same data shape for a user.

Also...

• Since email_enabled is a boolean value, it would be nice if the API returned a bool rather than a number.
• List users returns a users key under result. Most other Rollbar API list functions (that I've looked at so far) return the list itself as result.

Implement Terraform resource rollbar_team.

How will team to user relationships be expressed? Cf #61.

Terraform syntax compatibility checks should be run in a separate workflow from unit tests. Because caching for the Terraform Action conflicts with caching for the Go Action.

We should add import support for Rollbar projects.

Currently we have documented the new (plural) data sources rollbar_projects and rollbar_project_access_tokens. We need to document the (singular) data sources carried over from babbel provider.

It's important that we test the process of rotating project access tokens.

Blocked by #12

Create Terraform resource project_access_token to allow CRUD of access tokens.

Depends on #12.

If possible we should eliminate the dependency on go-model. It can potentially throw errors in a way that's hard to account for in unit tests. And the library is not very widely used, so its long term maintenance is a risk factor.

The babbel provider code can read the API key from environment variable ROLLBAR_APIKEY. That variable name is non-standard and doesn't match the field name in Terraform, api_key.

Therefore I will change the code to look for the API key in environment variable ROLLBAR_API_KEY.

Notifying @parabolic, @jtsaito, and @fmasuhr so there will be no surprises on the next release.

https://www.terraform.io/docs/extend/testing/acceptance-tests/sweepers.html

The API documentation for Get a team does not show the complete URL path needed to retrieve a team resource. The doc mentions team_id as a required path parameter, but does not show it in the example URL path.

From the API docs:

standard is the only access level you can choose in the UI.

light and view are API-only team access levels. light gives the team read and write access, but not to all settings. view gives the team read-only access.

I'm a little concerned about this, since the UI and the API may have different logic on the backend. @mrunalk is it safe to use these API-only team access levels?

As pointed out by @jtsaito in #31, creating a notification currently requires a project access token, not an account access token.

This makes it difficult for Terraform to control notifications. The ROLLBAR_API_KEY used for API authentication is a local secret, not something that should for every different API call. It's not impossible, but it would be pretty weird & non-standard.

It seems better for this action to require a project access token with write scope or an account access token with write scope.

@mrunalk @coryvirok your thoughts?

Acceptance test for data source rollbar_projects fails when the Rollbar account contains projects other than the one created by the acceptance test.

    data_source_projects_test.go:18: Step 1/1 error: Check failed: Check 2/3 error: data.rollbar_projects.all: Attribute 'projects.#' expected "1", got "2"

--- FAIL: TestAccRollbarProjectsDataSource (2.44s)

The API allows creation of more than one token per project with the same name. This is potentially confusing, and probably a bug.

$ http POST https://api.rollbar.com/api/1/project/415372/access_tokens X-Rollbar-Access-Token:redacted name:='"foobar"' scopes:='["read"]' status:='"enabled"' 
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 420
Content-Type: application/json; charset=utf-8
Date: Mon, 19 Oct 2020 08:33:56 GMT
Server: nginx/1.17.9
Via: 1.1 google
X-Rate-Limit-Limit: 5000
X-Rate-Limit-Remaining: 4999
X-Rate-Limit-Remaining-Seconds: 60
X-Rate-Limit-Reset: 1603096495
X-Response-Time: 55ms

{
    "err": 0,
    "result": {
        "access_token": "7f6b30a1fb91485da233f52d0dca6302",
        "cur_rate_limit_window_count": 0,
        "cur_rate_limit_window_start": 1603096436,
        "date_created": 1603096436,
        "date_modified": 1603096436,
        "name": "foobar",
        "project_id": 415372,
        "rate_limit_window_count": null,
        "rate_limit_window_size": null,
        "scopes": [
            "read"
        ],
        "status": "enabled"
    }
}

$ http POST https://api.rollbar.com/api/1/project/415372/access_tokens X-Rollbar-Access-Token:redacted name:='"foobar"' scopes:='["read"]' status:='"enabled"' 
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 420
Content-Type: application/json; charset=utf-8
Date: Mon, 19 Oct 2020 08:34:03 GMT
Server: nginx/1.17.9
Via: 1.1 google
X-Rate-Limit-Limit: 5000
X-Rate-Limit-Remaining: 4998
X-Rate-Limit-Remaining-Seconds: 52
X-Rate-Limit-Reset: 1603096495
X-Response-Time: 58ms

{
    "err": 0,
    "result": {
        "access_token": "60b1cdbcdab340cca569ac48ae50f378",
        "cur_rate_limit_window_count": 0,
        "cur_rate_limit_window_start": 1603096443,
        "date_created": 1603096443,
        "date_modified": 1603096443,
        "name": "foobar",
        "project_id": 415372,
        "rate_limit_window_count": null,
        "rate_limit_window_size": null,
        "scopes": [
            "read"
        ],
        "status": "enabled"
    }
}

Does it even make sense for the Terraform provider to expose cur_rate_limit_window_count and cur_rate_limit_window_start as attributes on a rollbar_project_access_token resource? These values should change constantly - so I don't see how they would be useful as Terraform outputs. If anything, their presence as resource attributes may be confusing.

@coryvirok @mrunalk what are your thoughts?

Currently the API operations to create new Projects and Teams (and probably other entities) return HTTP status 200 OK on success. However as create operations they should instead return status 201 Created on success.

See 200 OK vs 201 Created for comparison.

Confirmed to affect:

• Project
• Project Access Token
• Team

When I create a team invitation through the web UI, that invitation shows my correct Rollbar user ID in the from_user_id field. However when I create an invitation through the API, it shows a different user ID (that does not belong to me).

It looks like maybe the invitation is recorded as coming from a special "API User" account, rather than the account that owns the token that authorized the API call.

# My user ID
$ http GET https://api.rollbar.com/api/1/users X-Rollbar-Access-Token:redacted

{
    "err": 0,
    "result": {
        "users": [
            {
                "email": "[email protected]",
                "id": 238101,
                "username": "jmcvetta"
            }
        ]
    }
}


# Invitation that was created through web UI
$ http GET https://api.rollbar.com/api/1/team/676971/invites X-Rollbar-Access-Token:redacted

{
    "err": 0,
    "result": [
        {
            "date_created": 1603192170,
            "date_redeemed": null,
            "from_user_id": 238101,
            "id": 153649,
            "status": "pending",
            "team_id": 676971,
            "to_email": "[email protected]"
        }
    ]
}


# Invitation created through the API
$ http POST https://api.rollbar.com/api/1/team/676971/invites X-Rollbar-Access-Token:redacted email:='"[email protected]"'

{
    "err": 0,
    "result": {
        "date_created": 1603192477,
        "date_redeemed": null,
        "from_user_id": 5325,
        "id": 153650,
        "status": "pending",
        "team_id": 676971,
        "to_email": "[email protected]"
    }
}

https://www.terraform.io/docs/registry/providers/publishing.html

Blocked by #12.

Terraform SDK v2 (which we're already using) added support for metadata on resources and fields. This is not yet actually used by Terraform for anything, but will be used in a future version. So we ought to add this now.

it’s recommended that you set these properties to whatever you’d document the resource or field as in your terraform.io docs for the resource.

Todo

• resource rollbar_project
• resource rollbar_projec_access_token
• resource rollbar_team
• resource rollbar_user
• data source rollbar_project
• data source rollbar_projects
• data source rollbar_project_access_token
• data source rollbar_project_access_tokens

Currently the API does not support deleting a project access token. This functionality is required for the Terraform provider to manage project access tokens.

$ http DELETE https://api.rollbar.com/api/1/project/411334/access_token/d6d4b456f72048dfb8a933afe3ac66f6 X-Rollbar-Access-Token:redacted
HTTP/1.1 404 Not Found
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 40
Content-Type: application/json; charset=utf-8
Date: Tue, 06 Oct 2020 11:48:58 GMT
Server: nginx/1.17.9
Via: 1.1 google
X-Response-Time: 1ms

{
    "err": 1,
    "message": "not found"
}

Trying to specify a rate_limit_window_size when creating a project access token, the API returns the following strange error:

$ http POST https://api.rollbar.com/api/1/project/415372/access_tokens X-Rollbar-Access-Token:redacted name:='"bar"' scopes:='["read"]' status:='"enabled"' rate_limit_window_size=60
HTTP/1.1 400 Bad Request
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 99
Content-Type: application/json; charset=utf-8
Date: Mon, 19 Oct 2020 07:07:36 GMT
Server: nginx/1.17.9
Via: 1.1 google
X-Rate-Limit-Limit: 5000
X-Rate-Limit-Remaining: 4999
X-Rate-Limit-Remaining-Seconds: 60
X-Rate-Limit-Reset: 1603091316
X-Response-Time: 41ms

{
    "err": 1,
    "message": "u'60' is not one of [0, 60, 300, 1800, 3600, 86400, 604800, 2592000]"
}

However if I first create a token without specifying rate_limit_window_size, calling PATCH on that token does successfully update rate_limit_window_size.

$ http PATCH https://api.rollbar.com/api/1/project/415372/access_token/972e844d22934f94a044e6e775a5cf55 X-Rollbar-Access-Token:redacted rate_limit_window_size:=60
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 14
Content-Type: application/json; charset=utf-8
Date: Mon, 19 Oct 2020 07:16:54 GMT
Server: nginx/1.17.9
Via: 1.1 google
X-Rate-Limit-Limit: 5000
X-Rate-Limit-Remaining: 4997
X-Rate-Limit-Remaining-Seconds: 19
X-Rate-Limit-Reset: 1603091833
X-Response-Time: 76ms

{
    "err": 0
}

Per the conclusion of #5 its better to use actual recorded API responses in the unit tests. Test for project and project access tokens should be converted to this style.

Maybe use https://github.com/bluele/factory-go?

https://golangci-lint.run/usage/install/#ci-installation

As part of project resource creation, the default project access tokens can be deleted, if an option is set on the project resource.

Hi @parabolic, @jtsaito, and @fmasuhr! I'm the developer Rollbar hired to build out the Terraform provider. Thanks for writing the provider up to this point!

I want to make sure future versions of the provider don't break your Terraform configurations. (Or if they do break them, we'll have discussed it well in advance of the release.) So it would be super helpful if you could give me some example configurations illustrating how you currently use the provider.

I'll add a new check to the automated testing workflow. To see if terraform plan works okay with your example configs. This will help ensure that the provider schemas remain compatible with your existing configurations.

All license comments in the code should be updated to reflect the MIT license.

Implement resource rollbar_user. There is some existing code in the babbel provider.

If I try to assign a non-existent (within the account) user ID to a team, the API responds with status 403 Forbidden. Likeweise if I try to add a valid user to a non-existent team ID, 403 Forbidden.

@mrunalk Do you think 404 Not Found would be a better response code?

Add support for Rollbar project settings.

Per the spec, as of 6 Oct 2020 the API may not yet support all project settings.

After deleting a project through the API, it still shows up in the list of projects returned by the API - only with its name set to nil. This seemingly undesirable behavior should be fixed on the API side. We work around it by removing any result with an empty name.

This does not seem like desirable behavior for the API. Once a project has been deleted, the API should not include it in the list or projects.

Testify is working very nicely for unit tests. So let's use it for acceptance tests, too.

Currently the API uses the access token itself is used as the identifier for a project access token object. This is undesirable, as the token may be exposed in intermediary HTTP logs, as well as in debug logs.

Instead the API should expose a standard integer id field to identify PAT objects.

The provider should fail gracefully if the user provides invalid configuration.

E.g. the user specifies a non-existent scope:

# Terraform should fail on this resource, with a helpful error message.
resource "rollbar_project_access_token" "foo" {
    name = "test-token"
    project_id = 12345
    scopes = [
        # There is no valid scope named "avocado"
        "avocado"
    ]
}

Correct handling of bad configuration must be tested. This is not covered in Terraform docs; need to research best practices.

Merge this repo with my proof of concept software.

@coryvirok Do we plan to participate in the Terraform Provider Development Program?

Per discussion with Cory on Slack, need to research if/how the provider can handle ErrNotFound returned by API client.

When trying to read a team with an ID that doesn't exist, the API returns status 403 Forbidden. Instead it should return 404 Not Found.

$ http GET https://api.rollbar.com/api/1/team/9999999999 X-Rollbar-Access-Token:redacted
HTTP/1.1 403 Forbidden
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 62
Content-Type: application/json; charset=utf-8
Date: Mon, 26 Oct 2020 06:53:39 GMT
ETag: "1635533788"
Server: nginx/1.17.9
Via: 1.1 google
X-Rate-Limit-Limit: 5000
X-Rate-Limit-Remaining: 4998
X-Rate-Limit-Remaining-Seconds: 23
X-Rate-Limit-Reset: 1603695242
X-Response-Time: 13ms

{
    "err": 1,
    "message": "Team not found in this account."
}

Ensure first release of Rollbar provider retains compatibility with https://github.com/babbel/terraform-provider-rollbar/.

Issue #31 solicits input from babbel developers.

Ensuring compatibility is a precondition to closing #4.

Let's get these running in parallel.

Add a link to godoc on the client sub-package's README.

This won't work until until branch merge-jmcvetta is merged into master.

The API docs show four possible scopes for a project access token: write, read, post_server_item, and post_client_server. Yet actual output of the API has post_client_item instead of post_client_server. This is is probably a typo in the API docs.

From the actual JSON response from API:

        {
            "access_token": "da62bed0067d4bfab7a2d91e8fcc4eb3",
            "cur_rate_limit_window_count": null,
            "cur_rate_limit_window_start": null,
            "date_created": 1602085340,
            "date_modified": 1602085340,
            "name": "post_client_item",
            "project_id": 411703,
            "rate_limit_window_count": null,
            "rate_limit_window_size": null,
            "scopes": [
                "post_client_item"
            ],
            "status": "enabled"
        }

Add resource import functionality to documentation.

Potentially Rollbar API could return 401 Unauthorized because we're using bad credentials. RollbarApiClient does not currently catch this. But it should, and return a custom error type ErrUnauthorized. Then the provider can interpret that result and give a friendly error message.

• Project
• Team
• Project access token

Currently data source rollbar_projects supports a larger set of fields on each project. We should those fields to data source rollbar_project.

Create Terraform data source project_access_tokens to list all tokens for a project.