make iam_role scope_id immutable (#179)

internal/db/migrations/postgres.gen.go

@@ -736,6 +736,11 @@ create table iam_role (
     unique(scope_id, public_id)
   );
 
+create trigger immutable_scope_id
+before
+update on iam_role
+  for each row execute procedure iam_immutable_scope_id_func();
+
 create trigger 
   update_version_column
 after update on iam_role

internal/db/migrations/postgres/06_iam.up.sql

@@ -288,6 +288,11 @@ create table iam_role (
     unique(scope_id, public_id)
   );
 
+create trigger immutable_scope_id
+before
+update on iam_role
+  for each row execute procedure iam_immutable_scope_id_func();
+
 create trigger 
   update_version_column
 after update on iam_role

internal/iam/role_test.go

@@ -213,6 +213,7 @@ func Test_RoleUpdate(t *testing.T) {
 		fieldMaskPaths []string
 		nullPaths      []string
 		ScopeId        string
+		opts           []db.Option
 	}
 	tests := []struct {
 		name           string
@@ -307,6 +308,18 @@ func Test_RoleUpdate(t *testing.T) {
 			wantErr:        false,
 			wantRowsUpdate: 1,
 		},
+		{
+			name: "attempt scope id update",
+			args: args{
+				name:           "valid" + id,
+				fieldMaskPaths: []string{"ScopeId"},
+				ScopeId:        proj.PublicId,
+				opts:           []db.Option{db.WithSkipVetForWrite(true)},
+			},
+			wantErr:        true,
+			wantErrMsg:     "update: failed pq: scope_id cannot be set to " + proj.PublicId,
+			wantRowsUpdate: 0,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -326,7 +339,7 @@ func Test_RoleUpdate(t *testing.T) {
 			updateRole.Name = tt.args.name
 			updateRole.Description = tt.args.description
 
-			updatedRows, err := rw.Update(context.Background(), &updateRole, tt.args.fieldMaskPaths, tt.args.nullPaths)
+			updatedRows, err := rw.Update(context.Background(), &updateRole, tt.args.fieldMaskPaths, tt.args.nullPaths, tt.args.opts...)
 			if tt.wantErr {
 				require.Error(err)
 				assert.Equal(0, updatedRows)