Fix conflicting superuser and syslog_access fields

Author: winglot

README.md

@@ -6,8 +6,8 @@ It's published on the [Terraform registry](https://registry.terraform.io/provide
 
 ## Requirements
 
-  - [Terraform](https://www.terraform.io/downloads.html) 0.12.x
-  - [Go](https://golang.org/doc/install) 1.16 (to build the provider plugin)
+  - [Terraform](https://www.terraform.io/downloads.html) >= 1.0
+  - [Go](https://golang.org/doc/install) 1.17 (to build the provider plugin)
 
 ## Building The Provider
 

docs/data-sources/user.md

@@ -33,6 +33,7 @@ data "redshift_user" "user" {
 
 - **connection_limit** (Number) The maximum number of database connections the user is permitted to have open concurrently. The limit isn't enforced for superusers.
 - **create_database** (Boolean) Indicates whether the user is allowed to create new databases.
+- **session_timeout** (Number) The maximum time in seconds that a session remains inactive or idle. The range is 60 seconds (one minute) to 1,728,000 seconds (20 days). If no session timeout is set for the user, the cluster setting applies.
 - **superuser** (Boolean) Indicates whether the user is a superuser with all database privileges.
 - **syslog_access** (String) A clause that specifies the level of access that the user has to the Amazon Redshift system tables and views. If `RESTRICTED` (default) is specified, the user can see only the rows generated by that user in user-visible system tables and views. If `UNRESTRICTED` is specified, the user can see all rows in user-visible system tables and views, including rows generated by another user. `UNRESTRICTED` doesn't give a regular user access to superuser-visible tables. Only superusers can see superuser-visible tables.
 - **valid_until** (String) Date and time after which the user's password is no longer valid. By default the password has no time limit.

docs/resources/user.md

@@ -38,6 +38,7 @@ resource "redshift_user" "user_with_unrestricted_syslog" {
 - **create_database** (Boolean) Allows the user to create new databases. By default user can't create new databases.
 - **id** (String) The ID of this resource.
 - **password** (String, Sensitive) Sets the user's password. Users can change their own passwords, unless the password is disabled. To disable password, omit this parameter or set it to `null`.
+- **session_timeout** (Number) The maximum time in seconds that a session remains inactive or idle. The range is 60 seconds (one minute) to 1,728,000 seconds (20 days). If no session timeout is set for the user, the cluster setting applies.
 - **superuser** (Boolean) Determine whether the user is a superuser with all database privileges.
 - **syslog_access** (String) A clause that specifies the level of access that the user has to the Amazon Redshift system tables and views. If `RESTRICTED` (default) is specified, the user can see only the rows generated by that user in user-visible system tables and views. If `UNRESTRICTED` is specified, the user can see all rows in user-visible system tables and views, including rows generated by another user. `UNRESTRICTED` doesn't give a regular user access to superuser-visible tables. Only superusers can see superuser-visible tables.
 - **valid_until** (String) Sets a date and time after which the user's password is no longer valid. By default the password has no time limit.

redshift/resource_redshift_user.go

@@ -54,17 +54,23 @@ Amazon Redshift user accounts can only be created and dropped by a database supe
 		),
 		Exists: RedshiftResourceExistsFunc(resourceRedshiftUserExists),
 		Importer: &schema.ResourceImporter{
-			State: schema.ImportStatePassthrough,
+			StateContext: schema.ImportStatePassthroughContext,
 		},
 		CustomizeDiff: func(_ context.Context, d *schema.ResourceDiff, p interface{}) error {
 			isSuperuser := d.Get(userSuperuserAttr).(bool)
-			isPasswordKnown := d.NewValueKnown(userPasswordAttr)
 
+			isPasswordKnown := d.NewValueKnown(userPasswordAttr)
 			password, hasPassword := d.GetOk(userPasswordAttr)
 			if isSuperuser && isPasswordKnown && (!hasPassword || password.(string) == "") {
 				return fmt.Errorf("Users that are superusers must define a password.")
 			}
 
+			isSyslogAccessKnown := d.NewValueKnown(userSyslogAccessAttr)
+			syslogAccess, hasSyslogAccess := d.GetOk(userSyslogAccessAttr)
+			if isSuperuser && isSyslogAccessKnown && hasSyslogAccess && syslogAccess != defaultUserSuperuserSyslogAccess {
+				return fmt.Errorf("Superusers must have syslog access set to %s.", defaultUserSuperuserSyslogAccess)
+			}
+
 			return nil
 		},
 
@@ -118,11 +124,10 @@ Amazon Redshift user accounts can only be created and dropped by a database supe
 				},
 			},
 			userSuperuserAttr: {
-				ConflictsWith: []string{userSyslogAccessAttr},
-				Type:          schema.TypeBool,
-				Optional:      true,
-				Default:       false,
-				Description:   `Determine whether the user is a superuser with all database privileges.`,
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: `Determine whether the user is a superuser with all database privileges.`,
 			},
 			userSessionTimeoutAttr: {
 				Type:         schema.TypeInt,

redshift/resource_redshift_user_test.go

@@ -234,6 +234,63 @@ resource "redshift_user" "superuser" {
 	})
 }
 
+func TestAccRedshiftUser_SuperuserSyslogAccess(t *testing.T) {
+	tests := map[string]struct {
+		isSuperuser  bool
+		syslogAccess string
+		expectError  *regexp.Regexp
+	}{
+		"(not superuser) UNRESTRICTED syslog access": {
+			isSuperuser:  false,
+			syslogAccess: defaultUserSuperuserSyslogAccess,
+		},
+		"(not superuser) RESTRICTED syslog access": {
+			isSuperuser:  false,
+			syslogAccess: defaultUserSyslogAccess,
+		},
+		"(superuser) RESTRICTED syslog access": {
+			isSuperuser:  true,
+			syslogAccess: defaultUserSyslogAccess,
+			expectError:  regexp.MustCompile("Superusers must have syslog access set to UNRESTRICTED."),
+		},
+		"(superuser) UNRESTRICTED syslog access": {
+			isSuperuser:  true,
+			syslogAccess: defaultUserSuperuserSyslogAccess,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			userName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_superuser"), "-", "_")
+			config := fmt.Sprintf(`
+			locals {
+				is_superuser = %[2]t
+			}
+
+			resource "redshift_user" "superuser" {
+			  name = %[1]q
+			  superuser = local.is_superuser
+			  password  = "foobar12355#"
+			  syslog_access = %[3]q
+			}
+			`, userName, test.isSuperuser, test.syslogAccess)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck:     func() { testAccPreCheck(t) },
+				Providers:    testAccProviders,
+				CheckDestroy: testAccCheckRedshiftUserDestroy,
+				Steps: []resource.TestStep{
+					{
+						Config:      config,
+						ExpectError: test.expectError,
+					},
+				},
+			})
+		})
+	}
+
+}
+
 func TestAccRedshiftUser_SuperuserUnknownPassword(t *testing.T) {
 	userName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_superuser"), "-", "_")
 	config := fmt.Sprintf(`