feat(secret): add protected field (#2693)

Codelax · web-flow · commit bddd49f4c562 · 2024-08-07T14:11:39.000Z
* feat(secret): add protected field

* lint

* fix cassette validation
diff --git a/docs/resources/secret.md b/docs/resources/secret.md
@@ -26,6 +26,7 @@ The following arguments are supported:
 
 - `name` - (Required) Name of the secret (e.g. `my-secret`).
 - `path` - (Optional) Path of the secret, defaults to `/`.
+- `protected` - (Optional) True if secret protection is enabled on the secret. A protected secret cannot be deleted, terraform will fail to destroy unless this is set to false.
 - `description` - (Optional) Description of the secret (e.g. `my-new-description`).
 - `tags` - (Optional) Tags of the secret (e.g. `["tag", "secret"]`).
 - `region` - (Defaults to [provider](../index.md#region) `region`) The [region](../guides/regions_and_zones.md#regions)
diff --git a/internal/acctest/validate_cassettes_test.go b/internal/acctest/validate_cassettes_test.go
@@ -26,6 +26,7 @@ func exceptionsCassettesCases() map[string]struct{} {
 		"../services/rdb/testdata/data-source-privilege-basic.cassette.yaml":    {},
 		"../services/rdb/testdata/privilege-basic.cassette.yaml":                {},
 		"../services/object/testdata/object-bucket-destroy-force.cassette.yaml": {},
+		"../services/secret/testdata/secret-protected.cassette.yaml":            {},
 	}
 }
 
diff --git a/internal/services/secret/helpers.go b/internal/services/secret/helpers.go
@@ -2,6 +2,8 @@ package secret
 
 import (
 	"encoding/base64"
+	"errors"
+	"fmt"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -16,6 +18,8 @@ const (
 	defaultSecretTimeout = 5 * time.Minute
 )
 
+var ErrCannotDeleteProtectedSecret = errors.New("cannot delete a protected secret")
+
 // newAPIWithRegion returns a new Secret API and the region for a Create request
 func newAPIWithRegion(d *schema.ResourceData, m interface{}) (*secret.API, scw.Region, error) {
 	api := secret.NewAPI(meta.ExtractScwClient(m))
@@ -87,3 +91,38 @@ func Base64Encoded(data []byte) string {
 	}
 	return base64.StdEncoding.EncodeToString(data)
 }
+
+// updateSecretProtection sets the protected value of a secret to requested one.
+func updateSecretProtection(api *secret.API, region scw.Region, secretID string, protected bool) error {
+	s, err := api.GetSecret(&secret.GetSecretRequest{
+		Region:   region,
+		SecretID: secretID,
+	})
+	if err != nil {
+		return err
+	}
+
+	if s.Protected == protected {
+		return nil
+	}
+
+	if protected {
+		_, err = api.ProtectSecret(&secret.ProtectSecretRequest{
+			Region:   region,
+			SecretID: secretID,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to protect secret %s: %w", secretID, err)
+		}
+	} else {
+		_, err = api.UnprotectSecret(&secret.UnprotectSecretRequest{
+			Region:   region,
+			SecretID: secretID,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to unprotect secret %s: %w", secretID, err)
+		}
+	}
+
+	return nil
+}
diff --git a/internal/services/secret/secret.go b/internal/services/secret/secret.go
@@ -75,6 +75,11 @@ func ResourceSecret() *schema.Resource {
 					return filepath.Clean(oldValue) == filepath.Clean(newValue)
 				},
 			},
+			"protected": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "True if secret protection is enabled on a given secret. A protected secret cannot be deleted.",
+			},
 			"region":     regional.Schema(),
 			"project_id": account.ProjectIDSchema(),
 		},
@@ -91,6 +96,7 @@ func ResourceSecretCreate(ctx context.Context, d *schema.ResourceData, m interfa
 		Region:    region,
 		ProjectID: d.Get("project_id").(string),
 		Name:      d.Get("name").(string),
+		Protected: d.Get("protected").(bool),
 	}
 
 	rawTag, tagExist := d.GetOk("tags")
@@ -149,6 +155,7 @@ func ResourceSecretRead(ctx context.Context, d *schema.ResourceData, m interface
 	_ = d.Set("region", string(region))
 	_ = d.Set("project_id", secretResponse.ProjectID)
 	_ = d.Set("path", secretResponse.Path)
+	_ = d.Set("protected", secretResponse.Protected)
 
 	return nil
 }
@@ -191,7 +198,10 @@ func ResourceSecretUpdate(ctx context.Context, d *schema.ResourceData, m interfa
 		if err != nil {
 			return diag.FromErr(err)
 		}
+	}
 
+	if d.HasChange("protected") {
+		err = updateSecretProtection(api, region, id, d.Get("protected").(bool))
 		if err != nil {
 			return diag.FromErr(err)
 		}
diff --git a/internal/services/secret/secret_test.go b/internal/services/secret/secret_test.go
@@ -2,6 +2,7 @@ package secret_test
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -157,6 +158,59 @@ func TestAccSecret_Path(t *testing.T) {
 	})
 }
 
+func TestAccSecret_Protected(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      testAccCheckSecretDestroy(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: `
+				resource "scaleway_secret" "main" {
+					name = "test-secret-protected-secret"
+					protected = true
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckSecretExists(tt, "scaleway_secret.main"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "name", "test-secret-protected-secret"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "path", "/"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "protected", "true"),
+					acctest.CheckResourceAttrUUID("scaleway_secret.main", "id"),
+				),
+			},
+			{
+				Destroy: true,
+				Config: `
+				resource "scaleway_secret" "main" {
+					name = "test-secret-protected-secret"
+					protected = true
+				}
+				`,
+				ExpectError: regexp.MustCompile(secret.ErrCannotDeleteProtectedSecret.Error()),
+			},
+			{
+				Config: `
+				resource "scaleway_secret" "main" {
+					name = "test-secret-protected-secret"
+					protected = false
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckSecretExists(tt, "scaleway_secret.main"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "name", "test-secret-protected-secret"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "path", "/"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "protected", "false"),
+					acctest.CheckResourceAttrUUID("scaleway_secret.main", "id"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckSecretExists(tt *acctest.TestTools, n string) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		rs, ok := state.RootModule().Resources[n]
diff --git a/internal/services/secret/testdata/secret-protected.cassette.yaml b/internal/services/secret/testdata/secret-protected.cassette.yaml

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ func exceptionsCassettesCases() map[string]struct{} {`
`26`	`26`	`"../services/rdb/testdata/data-source-privilege-basic.cassette.yaml": {},`
`27`	`27`	`"../services/rdb/testdata/privilege-basic.cassette.yaml": {},`
`28`	`28`	`"../services/object/testdata/object-bucket-destroy-force.cassette.yaml": {},`
	`29`	`+ "../services/secret/testdata/secret-protected.cassette.yaml": {},`
`29`	`30`	`}`
`30`	`31`	`}`
`31`	`32`