fix: Fixes change assigments in mongodbatlas_project_api_key (#2737)

* fix changed assigments

* fix TestAccProjectAPIKey_updateRole

* changelog

* join configMultiple to configBasic

* don't allow duplicate projectIDs

* fix TestAccProjectAPIKey_dataSources

* refactor Create

* refactor getAPIProjectAssignments and flattenProjectAssignments

* refactor Read

* refactor Delete

* fix TestAccProjectAPIKey_recreateWhenDeletedExternally

* refactor Import

* remove flattenProjectAssignments, flattenProjectAPIKeyRoles and getAPIProjectAssignments

* fix plural ds

* fix basicTestCase

* refactor Update description

* refactor Update

* refactor expandProjectAssignments

* update changelog

* initial checkAggr

* checkExists

* delete redundant TestAccProjectAPIKey_dataSources

* refactor configDuplicatedProject

* refactor configChangingProject

* model file

* more detailed changelog

* revert import

* doc

* refactor checks

Author: lantoli

.changelog/2737.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/mongodbatlas_project_api_key: Validates `project_id` are unique across `project_assignment` blocks and fixes update issues with error `API_KEY_ALREADY_IN_GROUP`
+```

internal/service/projectapikey/data_source_project_api_key.go

@@ -84,10 +84,12 @@ func dataSourceRead(ctx context.Context, d *schema.ResourceData, meta any) diag.
 			return diag.FromErr(fmt.Errorf("error setting `private_key`: %s", err))
 		}
 
-		if projectAssignments, err := newProjectAssignment(ctx, connV2, apiKeyID); err == nil {
-			if err := d.Set("project_assignment", projectAssignments); err != nil {
-				return diag.Errorf(ErrorProjectSetting, `project_assignment`, projectID, err)
-			}
+		details, _, err := getKeyDetails(ctx, connV2, apiKeyID)
+		if err != nil {
+			return diag.FromErr(fmt.Errorf("error getting api key information: %s", err))
+		}
+		if err := d.Set("project_assignment", flattenProjectAssignments(details.GetRoles())); err != nil {
+			return diag.FromErr(fmt.Errorf("error setting `project_assignment`: %s", err))
 		}
 	}
 

internal/service/projectapikey/data_source_project_api_keys.go

@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/config"
 	"go.mongodb.org/atlas-sdk/v20240805005/admin"
 )
@@ -76,12 +77,12 @@ func PluralDataSource() *schema.Resource {
 
 func pluralDataSourceRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	connV2 := meta.(*config.MongoDBClient).AtlasV2
-	pageNum := d.Get("page_num").(int)
-	itemsPerPage := d.Get("items_per_page").(int)
-
-	projectID := d.Get("project_id").(string)
-
-	apiKeys, _, err := connV2.ProgrammaticAPIKeysApi.ListProjectApiKeys(ctx, projectID).PageNum(pageNum).ItemsPerPage(itemsPerPage).Execute()
+	params := &admin.ListProjectApiKeysApiParams{
+		GroupId:      d.Get("project_id").(string),
+		PageNum:      conversion.IntPtr(d.Get("page_num").(int)),
+		ItemsPerPage: conversion.IntPtr(d.Get("items_per_page").(int)),
+	}
+	apiKeys, _, err := connV2.ProgrammaticAPIKeysApi.ListProjectApiKeysWithParams(ctx, params).Execute()
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("error getting api keys information: %s", err))
 	}
@@ -116,12 +117,11 @@ func flattenProjectAPIKeys(ctx context.Context, connV2 *admin.APIClient, apiKeys
 			"private_key": apiKey.GetPrivateKey(),
 		}
 
-		projectAssignment, err := newProjectAssignment(ctx, connV2, apiKey.GetId())
+		details, _, err := getKeyDetails(ctx, connV2, apiKey.GetId())
 		if err != nil {
 			return nil, err
 		}
-
-		results[k]["project_assignment"] = projectAssignment
+		results[k]["project_assignment"] = flattenProjectAssignments(details.GetRoles())
 	}
 	return results, nil
 }

internal/service/projectapikey/model_project_api_key.go

@@ -0,0 +1,101 @@
+package projectapikey
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
+	"go.mongodb.org/atlas-sdk/v20240805005/admin"
+)
+
+func expandProjectAssignments(projectAssignments *schema.Set) map[string][]string {
+	results := make(map[string][]string)
+	for _, val := range projectAssignments.List() {
+		results[val.(map[string]any)["project_id"].(string)] = conversion.ExpandStringList(val.(map[string]any)["role_names"].(*schema.Set).List())
+	}
+	return results
+}
+
+func flattenProjectAssignments(roles []admin.CloudAccessRoleAssignment) []map[string]any {
+	assignments := make(map[string][]string)
+	for _, role := range roles {
+		if groupID := role.GetGroupId(); groupID != "" {
+			assignments[groupID] = append(assignments[groupID], role.GetRoleName())
+		}
+	}
+	var results []map[string]any
+	for projectID, roles := range assignments {
+		results = append(results, map[string]any{
+			"project_id": projectID,
+			"role_names": roles,
+		})
+	}
+	return results
+}
+
+func getAssignmentChanges(d *schema.ResourceData) (add, remove, update map[string][]string) {
+	before, after := d.GetChange("project_assignment")
+	add = expandProjectAssignments(after.(*schema.Set))
+	remove = expandProjectAssignments(before.(*schema.Set))
+	update = make(map[string][]string)
+
+	for projectID, rolesAfter := range add {
+		if rolesBefore, ok := remove[projectID]; ok {
+			if !sameRoles(rolesBefore, rolesAfter) {
+				update[projectID] = rolesAfter
+			}
+			delete(remove, projectID)
+			delete(add, projectID)
+		}
+	}
+	return
+}
+
+func sameRoles(roles1, roles2 []string) bool {
+	set1 := make(map[string]struct{})
+	for _, role := range roles1 {
+		set1[role] = struct{}{}
+	}
+	set2 := make(map[string]struct{})
+	for _, role := range roles2 {
+		set2[role] = struct{}{}
+	}
+	return reflect.DeepEqual(set1, set2)
+}
+
+// getKeyDetails returns nil error and nil details if not found as it's not considered an error
+func getKeyDetails(ctx context.Context, connV2 *admin.APIClient, apiKeyID string) (*admin.ApiKeyUserDetails, string, error) {
+	root, _, err := connV2.RootApi.GetSystemStatus(ctx).Execute()
+	if err != nil {
+		return nil, "", err
+	}
+	for _, role := range root.ApiKey.GetRoles() {
+		if orgID := role.GetOrgId(); orgID != "" {
+			key, _, err := connV2.ProgrammaticAPIKeysApi.GetApiKey(ctx, orgID, apiKeyID).Execute()
+			if err != nil {
+				if admin.IsErrorCode(err, "API_KEY_NOT_FOUND") {
+					return nil, orgID, nil
+				}
+				return nil, orgID, fmt.Errorf("error getting api key information: %s", err)
+			}
+			return key, orgID, nil
+		}
+	}
+	return nil, "", nil
+}
+
+func validateUniqueProjectIDs(d *schema.ResourceData) error {
+	if projectAssignments, ok := d.GetOk("project_assignment"); ok {
+		uniqueIDs := make(map[string]bool)
+		for _, val := range projectAssignments.(*schema.Set).List() {
+			projectID := val.(map[string]any)["project_id"].(string)
+			if uniqueIDs[projectID] {
+				return fmt.Errorf("duplicated projectID in assignments: %s", projectID)
+			}
+			uniqueIDs[projectID] = true
+		}
+	}
+	return nil
+}