[Feature] Add databricks_secret write-only attributes

Author: ashenm

NEXT_CHANGELOG.md

@@ -7,6 +7,7 @@
 ### New Features and Improvements
 * Add resource and data sources for `databricks_environments_workspace_base_environment`.
 * Add resource and data source for `databricks_environments_default_workspace_base_environment`.
+* Add `string_value_wo` and `string_value_wo_version` attributes to `databricks_secret` resource ([#5480](https://github.com/databricks/terraform-provider-databricks/pull/5480))
 
 * Added optional `cloud` argument to `databricks_current_config` data source to explicitly set the cloud type (`aws`, `azure`, `gcp`) instead of relying on host-based detection.
 

docs/resources/secret.md

@@ -7,6 +7,8 @@ With this resource you can insert a secret under the provided scope with the giv
 
 -> This resource can only be used with a workspace-level provider!
 
+-> **Note** Write-Only argument string_value_wo is available to use in place of string_value. Write-Only argumentss are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/manage-sensitive-data/ephemeral#write-only-arguments).
+
 ## Example Usage
 
 ```hcl
@@ -33,7 +35,9 @@ resource "databricks_cluster" "this" {
 
 The following arguments are required:
 
-* `string_value` - (Required) (String) super secret sensitive value.
+* `string_value` - (Optional) (String) Specifies text data that you want to encrypt and store in the secret. This is required if `string_value_wo` is not set.
+* `string_value_wo` (Optional) (String) Specifies text data that you want to encrypt and store in the secret. This is required if `string_value` is not set.
+* `string_value_wo_version` (Optional) (Integer) Use together with string_value_wo to trigger an update. Increment this value when an update to `string_value_wo` is required.
 * `scope` - (Required) (String) name of databricks secret scope. Must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.
 * `key` - (Required) (String) key within secret scope. Must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.
 * `provider_config` - (Optional) Configure the provider for management through account provider. This block consists of the following fields:

qa/cty.go

@@ -0,0 +1,49 @@
+package qa
+
+import (
+	"github.com/hashicorp/go-cty/cty"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+// https://github.com/hashicorp/terraform-plugin-sdk/blob/866d0b19a878fe2241fa8e008bee8c6cb8b2c32b/internal/configs/hcl2shim/values.go#L130-L194
+func hcl2ValueFromConfigValue(v interface{}) cty.Value {
+	if v == nil {
+		return cty.NullVal(cty.DynamicPseudoType)
+	}
+
+	switch tv := v.(type) {
+	case bool:
+		return cty.BoolVal(tv)
+	case string:
+		return cty.StringVal(tv)
+	case int:
+		return cty.NumberIntVal(int64(tv))
+	case float64:
+		return cty.NumberFloatVal(tv)
+	case []interface{}:
+		vals := make([]cty.Value, len(tv))
+		for i, ev := range tv {
+			vals[i] = hcl2ValueFromConfigValue(ev)
+		}
+		return cty.TupleVal(vals)
+	case map[string]interface{}:
+		vals := map[string]cty.Value{}
+		for k, ev := range tv {
+			vals[k] = hcl2ValueFromConfigValue(ev)
+		}
+		return cty.ObjectVal(vals)
+	default:
+		return cty.NullVal(cty.DynamicPseudoType)
+	}
+}
+
+func makeResourceRawConfig(config *terraform.ResourceConfig, resource *schema.Resource) cty.Value {
+	original := hcl2ValueFromConfigValue(config.Raw)
+	coerced, err := resource.CoreConfigSchema().CoerceValue(original)
+	if err != nil {
+		return cty.NullVal(cty.DynamicPseudoType)
+	}
+	return coerced
+}

qa/testing.go

@@ -324,6 +324,11 @@ func (f ResourceFixture) Apply(t *testing.T) (*schema.ResourceData, error) {
 	if err != nil {
 		return nil, err
 	}
+	// Populate diff.RawConfig to allow d.GetRawConfigAt() works in tests
+	// In actual runs terraform's gRPC pipeline will populate this
+	if diff != nil {
+		diff.RawConfig = makeResourceRawConfig(resourceConfig, resource)
+	}
 	if f.Update {
 		err = f.requiresNew(diff)
 		if err != nil {

secrets/resource_secret.go

@@ -8,7 +8,7 @@ import (
 	"github.com/databricks/databricks-sdk-go/apierr"
 	"github.com/databricks/databricks-sdk-go/service/workspace"
 	"github.com/databricks/terraform-provider-databricks/common"
-
+	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
@@ -35,16 +35,41 @@ func readSecret(ctx context.Context, w *databricks.WorkspaceClient, scope string
 	}
 }
 
+func getStringValue(d *schema.ResourceData) (string, error) {
+	woValue, diags := d.GetRawConfigAt(cty.GetAttrPath("string_value_wo"))
+	if !diags.HasError() && woValue.Type().Equals(cty.String) && !woValue.IsNull() {
+		return woValue.AsString(), nil
+	}
+	if v, ok := d.GetOk("string_value"); ok {
+		return v.(string), nil
+	}
+	return "", fmt.Errorf("failed to get one of attributes `string_value_wo` or `string_value`")
+}
+
 // ResourceSecret manages secrets
 func ResourceSecret() common.Resource {
 	p := common.NewPairSeparatedID("scope", "key", "|||")
 	s := map[string]*schema.Schema{
 		"string_value": {
 			Type:         schema.TypeString,
 			ValidateFunc: validation.StringIsNotEmpty,
-			Required:     true,
-			ForceNew:     true,
+			Optional:     true,
 			Sensitive:    true,
+			ExactlyOneOf: []string{"string_value", "string_value_wo"},
+		},
+		"string_value_wo": {
+			Type:         schema.TypeString,
+			ValidateFunc: validation.StringIsNotEmpty,
+			Optional:     true,
+			WriteOnly:    true,
+			Sensitive:    true,
+			RequiredWith: []string{"string_value_wo_version"},
+			ExactlyOneOf: []string{"string_value", "string_value_wo"},
+		},
+		"string_value_wo_version": {
+			Type:         schema.TypeInt,
+			Optional:     true,
+			RequiredWith: []string{"string_value_wo"},
 		},
 		"scope": {
 			Type:         schema.TypeString,
@@ -69,25 +94,32 @@ func ResourceSecret() common.Resource {
 	}
 	common.AddNamespaceInSchema(s)
 	common.NamespaceCustomizeSchemaMap(s)
+	upsertSecret := func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+		w, err := c.WorkspaceClientUnifiedProvider(ctx, d)
+		if err != nil {
+			return err
+		}
+		var putSecretReq workspace.PutSecret
+		common.DataToStructPointer(d, s, &putSecretReq)
+		stringValue, err := getStringValue(d)
+		if err != nil {
+			return err
+		}
+		putSecretReq.StringValue = stringValue
+		err = w.Secrets.PutSecret(ctx, putSecretReq)
+		if err != nil {
+			return err
+		}
+		p.Pack(d)
+		return nil
+	}
 	return common.Resource{
 		Schema: s,
 		CustomizeDiff: func(ctx context.Context, d *schema.ResourceDiff, c *common.DatabricksClient) error {
 			return common.NamespaceCustomizeDiff(ctx, d, c)
 		},
-		Create: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
-			w, err := c.WorkspaceClientUnifiedProvider(ctx, d)
-			if err != nil {
-				return err
-			}
-			var putSecretReq workspace.PutSecret
-			common.DataToStructPointer(d, s, &putSecretReq)
-			err = w.Secrets.PutSecret(ctx, putSecretReq)
-			if err != nil {
-				return err
-			}
-			p.Pack(d)
-			return nil
-		},
+		Create: upsertSecret,
+		Update: upsertSecret,
 		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
 			scope, key, err := p.Unpack(d)
 			if err != nil {

secrets/resource_secret_test.go

@@ -121,6 +121,133 @@ func TestResourceSecretCreate(t *testing.T) {
 	assert.Equal(t, "foo|||bar", d.Id())
 }
 
+func TestResourceSecretUpdate(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/secrets/put",
+				ExpectedRequest: workspace.PutSecret{
+					StringValue: "SparkIsTh3Be$t-v2",
+					Scope:       "foo",
+					Key:         "bar",
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/secrets/list?scope=foo",
+				Response: workspace.ListSecretsResponse{
+					Secrets: []workspace.SecretMetadata{
+						{
+							Key:                  "bar",
+							LastUpdatedTimestamp: 12345678,
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceSecret(),
+		InstanceState: map[string]string{
+			"scope":                   "foo",
+			"key":                     "bar",
+			"string_value_wo_version": "1",
+		},
+		State: map[string]any{
+			"scope":        "foo",
+			"key":          "bar",
+			"string_value": "SparkIsTh3Be$t-v2",
+		},
+		Update: true,
+		ID:     "foo|||bar",
+	}.Apply(t)
+	assert.NoError(t, err)
+	assert.Equal(t, "foo|||bar", d.Id())
+}
+
+func TestResourceSecretCreate_WriteOnlyValue(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/secrets/put",
+				ExpectedRequest: workspace.PutSecret{
+					StringValue: "SparkIsTh3Be$t",
+					Scope:       "foo",
+					Key:         "bar",
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/secrets/list?scope=foo",
+				Response: workspace.ListSecretsResponse{
+					Secrets: []workspace.SecretMetadata{
+						{
+							Key:                  "bar",
+							LastUpdatedTimestamp: 12345678,
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceSecret(),
+		State: map[string]any{
+			"scope":                   "foo",
+			"key":                     "bar",
+			"string_value_wo":         "SparkIsTh3Be$t",
+			"string_value_wo_version": 1,
+		},
+		Create: true,
+	}.Apply(t)
+	assert.NoError(t, err)
+	assert.Equal(t, "foo|||bar", d.Id())
+	assert.Equal(t, "", d.Get("string_value"))
+}
+
+func TestResourceSecretUpdate_WriteOnlyValueVersionChange(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/secrets/put",
+				ExpectedRequest: workspace.PutSecret{
+					StringValue: "SparkIsTh3Be$t-v2",
+					Scope:       "foo",
+					Key:         "bar",
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/secrets/list?scope=foo",
+				Response: workspace.ListSecretsResponse{
+					Secrets: []workspace.SecretMetadata{
+						{
+							Key:                  "bar",
+							LastUpdatedTimestamp: 12345679,
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceSecret(),
+		InstanceState: map[string]string{
+			"scope":                   "foo",
+			"key":                     "bar",
+			"string_value_wo_version": "1",
+		},
+		State: map[string]any{
+			"scope":                   "foo",
+			"key":                     "bar",
+			"string_value_wo":         "SparkIsTh3Be$t-v2",
+			"string_value_wo_version": 2,
+		},
+		Update: true,
+		ID:     "foo|||bar",
+	}.Apply(t)
+	assert.NoError(t, err)
+	assert.Equal(t, "foo|||bar", d.Id())
+	assert.Equal(t, 2, d.Get("string_value_wo_version"))
+}
+
 func TestResourceSecretCreate_Error(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{