feat: add avoid jaas validators to existing resources

- Ensure certain resources cannot be used with JAAS and add tests for this.
- Tweak the error messaging based on previous feedback.
- Add constructors for JAAS validators.

internal/juju/client.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 	"time"
 
+	jaasApi "github.com/canonical/jimm-go-sdk/v3/api"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/juju/errors"
 	"github.com/juju/juju/api"
@@ -125,13 +126,18 @@ var isJAAS bool
 // IsJAAS uses a synchronisation object to only perform the check once and return the same result.
 func (sc *sharedClient) IsJAAS(defaultVal bool) bool {
 	checkJAASOnce.Do(func() {
+		isJAAS = defaultVal
 		conn, err := sc.GetConnection(nil)
 		if err != nil {
-			isJAAS = defaultVal
 			return
 		}
 		defer conn.Close()
-		isJAAS = conn.BestFacadeVersion("JIMM") != 0
+		jc := jaasApi.NewClient(conn)
+		_, err = jc.ListControllers()
+		if err == nil {
+			isJAAS = true
+			return
+		}
 	})
 	return isJAAS
 }

internal/provider/resource_access_generic.go

@@ -72,7 +72,7 @@ type genericJAASAccessModel struct {
 // ConfigValidators sets validators for the resource.
 func (r *genericJAASAccessResource) ConfigValidators(ctx context.Context) []resource.ConfigValidator {
 	return []resource.ConfigValidator{
-		RequiresJAASValidator{Client: r.client},
+		NewRequiresJAASValidator(r.client),
 		resourcevalidator.AtLeastOneOf(
 			path.MatchRoot("users"),
 			path.MatchRoot("groups"),

internal/provider/resource_access_model.go

@@ -52,6 +52,13 @@ func (a *accessModelResource) Metadata(_ context.Context, req resource.MetadataR
 	resp.TypeName = req.ProviderTypeName + "_access_model"
 }
 
+// ConfigValidators sets validators for the resource.
+func (r *accessModelResource) ConfigValidators(ctx context.Context) []resource.ConfigValidator {
+	return []resource.ConfigValidator{
+		NewAvoidJAASValidator(r.client, "juju_jaas_access_model"),
+	}
+}
+
 func (a *accessModelResource) Schema(_ context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
 	resp.Schema = schema.Schema{
 		Description: "A resource that represent a Juju Access Model.",

internal/provider/resource_access_model_test.go

@@ -106,6 +106,30 @@ func TestAcc_ResourceAccessModel_UpgradeProvider(t *testing.T) {
 	})
 }
 
+func TestAcc_ResourceAccessModel_ErrorWhenUsedWithJAAS(t *testing.T) {
+	OnlyTestAgainstJAAS(t)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: frameworkProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccResourceAccessModelFixedUser(),
+				ExpectError: regexp.MustCompile("This resource is not supported with JAAS"),
+			},
+		},
+	})
+}
+
+func testAccResourceAccessModelFixedUser() string {
+	return `
+resource "juju_access_model" "test" {
+  access = "write"
+  model = "foo"
+  users = ["bob"]
+}`
+}
+
 func testAccResourceAccessModel(userName, userPassword, modelName, access string) string {
 	return fmt.Sprintf(`
 resource "juju_user" "test-user" {

internal/provider/resource_user.go

@@ -51,6 +51,14 @@ func (r *userResource) Metadata(ctx context.Context, req resource.MetadataReques
 	resp.TypeName = req.ProviderTypeName + "_user"
 }
 
+// ConfigValidators sets validators for the resource.
+func (r *userResource) ConfigValidators(ctx context.Context) []resource.ConfigValidator {
+	return []resource.ConfigValidator{
+		// There is no JAAS object that replaces the user resource since JAAS users come from an external identity provider.
+		NewAvoidJAASValidator(r.client, ""),
+	}
+}
+
 func (r *userResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
 	// The User resource maps to a juju user that is operated via
 	// `juju add-user`, `juju remove-user`

internal/provider/resource_user_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
@@ -26,7 +27,6 @@ func TestAcc_ResourceUser(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "name", userName),
 				),
-				PreConfig: func() { testAccPreCheck(t) },
 			},
 			{
 				Destroy:                 true,
@@ -78,3 +78,20 @@ func TestAcc_ResourceUser_UpgradeProvider(t *testing.T) {
 		},
 	})
 }
+
+func TestAcc_ResourceUser_ErrorWhenUsedWithJAAS(t *testing.T) {
+	OnlyTestAgainstJAAS(t)
+	userName := acctest.RandomWithPrefix("tfuser")
+	userPassword := acctest.RandomWithPrefix("tf-test-user")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: frameworkProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccResourceUser(userName, userPassword),
+				ExpectError: regexp.MustCompile("This resource is not supported with JAAS"),
+			},
+		},
+	})
+}

internal/provider/validator_avoid_jaas.go

@@ -19,8 +19,19 @@ var _ resource.ConfigValidator = &AvoidJAASValidator{}
 // AvoidJAASValidator enforces that the resource is not used with JAAS.
 // Useful to direct users to more capable resources.
 type AvoidJAASValidator struct {
-	Client          *juju.Client
-	PreferredObject string
+	client          *juju.Client
+	preferredObject string
+}
+
+// NewAvoidJAASValidator creates a new validator that can be used with resources or
+// data sources to enforce that the resource cannot be used with JAAS.
+// Provide a non-empty string for preferredObject to point users to an alternate object in the error messsage.
+// If preferredObject is empty, no hint on an alternate object will be offered in the error message.
+func NewAvoidJAASValidator(client *juju.Client, preferredObject string) AvoidJAASValidator {
+	return AvoidJAASValidator{
+		client:          client,
+		preferredObject: preferredObject,
+	}
 }
 
 // Description returns a plain text description of the validator's behavior, suitable for a practitioner to understand its impact.
@@ -49,15 +60,15 @@ func (v AvoidJAASValidator) validate() diag.Diagnostics {
 
 	// Return without error if a nil client is detected.
 	// This is possible since validation is called at various points throughout resource creation.
-	if v.Client != nil && v.Client.IsJAAS() {
+	if v.client != nil && v.client.IsJAAS() {
 		hint := ""
-		if v.PreferredObject != "" {
-			hint = "Try the " + v.PreferredObject + " resource instead."
+		if v.preferredObject != "" {
+			hint = "Try the " + v.preferredObject + " resource instead."
 		}
 		diags.AddError("Invalid use of resource with JAAS.",
 			"This resource is not supported with JAAS. "+
 				hint+
-				"JAAS offers additional enterprise features through the use of dedicated resources. "+
+				`JAAS offers additional enterprise features through the use of dedicated resources (those with "jaas" in the name). `+
 				"See https://jaas.ai/ for more details.")
 	}
 	return diags

internal/provider/validator_require_jaas.go

@@ -18,7 +18,13 @@ var _ resource.ConfigValidator = &RequiresJAASValidator{}
 
 // RequiresJAASValidator enforces that the resource can only be used with JAAS.
 type RequiresJAASValidator struct {
-	Client *juju.Client
+	client *juju.Client
+}
+
+func NewRequiresJAASValidator(client *juju.Client) RequiresJAASValidator {
+	return RequiresJAASValidator{
+		client: client,
+	}
 }
 
 // Description returns a plain text description of the validator's behavior, suitable for a practitioner to understand its impact.
@@ -47,7 +53,7 @@ func (v RequiresJAASValidator) validate() diag.Diagnostics {
 
 	// Return without error if a nil client is detected.
 	// This is possible since validation is called at various points throughout resource creation.
-	if v.Client != nil && !v.Client.IsJAAS() {
+	if v.client != nil && !v.client.IsJAAS() {
 		diags.AddError("Attempted use of resource without JAAS.",
 			"This resource can only be used with JAAS, which offers additional enterprise features - see https://jaas.ai/ for more details.")
 	}