Merge pull request #44559 from hashicorp/f-aws_transfer_host_key

r/aws_transfer_host_key: New resource

Author: ewbankkit

.changelog/44559.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_transfer_host_key
+```

internal/framework/planmodifiers/stringplanmodifier/requires_replace_wo.go

@@ -0,0 +1,65 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package stringplanmodifier
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-provider-aws/internal/framework/privatestate"
+)
+
+// RequiresReplaceWO returns a plan modifier that forces resource replacement
+// if a write-only value changes.
+func RequiresReplaceWO(privateStateKey string) planmodifier.String {
+	return requiresReplaceWO{
+		privateStateKey: privateStateKey,
+	}
+}
+
+type requiresReplaceWO struct {
+	privateStateKey string
+}
+
+func (m requiresReplaceWO) Description(ctx context.Context) string {
+	return m.MarkdownDescription(ctx)
+}
+
+func (m requiresReplaceWO) MarkdownDescription(context.Context) string {
+	return "If the value of this write-only attribute changes, Terraform will destroy and recreate the resource."
+}
+
+func (m requiresReplaceWO) PlanModifyString(ctx context.Context, request planmodifier.StringRequest, response *planmodifier.StringResponse) {
+	newValue := request.ConfigValue
+	newValueExists := !newValue.IsNull()
+
+	woStore := privatestate.NewWriteOnlyValueStore(request.Private, m.privateStateKey)
+	oldValueExists, diags := woStore.HasValue(ctx)
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	if !newValueExists {
+		if oldValueExists {
+			response.RequiresReplace = true
+		}
+		return
+	}
+
+	if !oldValueExists {
+		response.RequiresReplace = true
+		return
+	}
+
+	equal, diags := woStore.EqualValue(ctx, newValue)
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	if !equal {
+		response.RequiresReplace = true
+	}
+}

internal/framework/privatestate/private_state.go

@@ -0,0 +1,18 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package privatestate
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+)
+
+// PrivateState defines an interface for managing provider-defined resource private state data.
+type PrivateState interface {
+	// GetKey returns the private state data associated with the given key.
+	GetKey(context.Context, string) ([]byte, diag.Diagnostics)
+	// SetKey sets the private state data at the given key.
+	SetKey(context.Context, string, []byte) diag.Diagnostics
+}

internal/framework/privatestate/write_only.go

@@ -0,0 +1,61 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package privatestate
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"strconv"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	tfjson "github.com/hashicorp/terraform-provider-aws/internal/json"
+)
+
+func NewWriteOnlyValueStore(private PrivateState, key string) *WriteOnlyValueStore {
+	return &WriteOnlyValueStore{
+		key:     key,
+		private: private,
+	}
+}
+
+type WriteOnlyValueStore struct {
+	key     string
+	private PrivateState
+}
+
+func (w *WriteOnlyValueStore) EqualValue(ctx context.Context, value types.String) (bool, diag.Diagnostics) {
+	bytes, diags := w.private.GetKey(ctx, w.key)
+	if diags.HasError() {
+		return false, diags
+	}
+
+	var s string
+	if err := tfjson.DecodeFromBytes(bytes, &s); err != nil {
+		diags.AddError("decoding private state", err.Error())
+		return false, diags
+	}
+
+	return s == sha256Hash(value.ValueString()), diags
+}
+
+func (w *WriteOnlyValueStore) HasValue(ctx context.Context) (bool, diag.Diagnostics) {
+	bytes, diags := w.private.GetKey(ctx, w.key)
+	return len(bytes) > 0, diags
+}
+
+func (w *WriteOnlyValueStore) SetValue(ctx context.Context, val types.String) diag.Diagnostics {
+	if val.IsNull() {
+		return w.private.SetKey(ctx, w.key, []byte(""))
+	}
+
+	return w.private.SetKey(ctx, w.key, []byte(strconv.Quote(sha256Hash(val.ValueString()))))
+}
+
+func sha256Hash(data string) string {
+	hash := sha256.New()
+	hash.Write([]byte(data))
+	return hex.EncodeToString(hash.Sum(nil))
+}

internal/framework/privatestate/write_only_test.go

@@ -0,0 +1,112 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package privatestate_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-provider-aws/internal/framework/privatestate"
+)
+
+func TestWriteOnlyValueStore_HasValue(t *testing.T) {
+	t.Parallel()
+
+	ctx := t.Context()
+	store1 := privatestate.NewWriteOnlyValueStore(&privateState{}, "key")
+	store2 := privatestate.NewWriteOnlyValueStore(&privateState{}, "key")
+	store2.SetValue(ctx, types.StringValue("value1"))
+
+	testCases := []struct {
+		testName  string
+		store     *privatestate.WriteOnlyValueStore
+		wantValue bool
+	}{
+		{
+			testName: "empty state",
+			store:    store1,
+		},
+		{
+			testName:  "has value",
+			store:     store2,
+			wantValue: true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.testName, func(t *testing.T) {
+			t.Parallel()
+			gotValue, diags := testCase.store.HasValue(ctx)
+			if diags.HasError() {
+				t.Fatal("unexpected error")
+			}
+			if got, want := gotValue, testCase.wantValue; !cmp.Equal(got, want) {
+				t.Errorf("got %t, want %t", got, want)
+			}
+		})
+	}
+}
+
+func TestWriteOnlyValueStore_EqualValue(t *testing.T) {
+	t.Parallel()
+
+	ctx := t.Context()
+	store1 := privatestate.NewWriteOnlyValueStore(&privateState{}, "key")
+	store1.SetValue(ctx, types.StringValue("value1"))
+	store2 := privatestate.NewWriteOnlyValueStore(&privateState{}, "key")
+	store2.SetValue(ctx, types.StringValue("value2"))
+
+	testCases := []struct {
+		testName  string
+		store     *privatestate.WriteOnlyValueStore
+		wantEqual bool
+	}{
+		{
+			testName:  "equal",
+			store:     store1,
+			wantEqual: true,
+		},
+		{
+			testName: "not equal",
+			store:    store2,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.testName, func(t *testing.T) {
+			t.Parallel()
+			gotEqual, diags := testCase.store.EqualValue(ctx, types.StringValue("value1"))
+			if diags.HasError() {
+				t.Fatal("unexpected error")
+			}
+			if got, want := gotEqual, testCase.wantEqual; !cmp.Equal(got, want) {
+				t.Errorf("got %t, want %t", got, want)
+			}
+		})
+	}
+}
+
+type privateState struct {
+	data map[string][]byte
+}
+
+func (p *privateState) GetKey(_ context.Context, key string) ([]byte, diag.Diagnostics) {
+	var diags diag.Diagnostics
+	bytes := p.data[key]
+	return bytes, diags
+}
+
+func (p *privateState) SetKey(_ context.Context, key string, value []byte) diag.Diagnostics {
+	var diags diag.Diagnostics
+
+	if p.data == nil {
+		p.data = make(map[string][]byte)
+	}
+
+	p.data[key] = value
+	return diags
+}

internal/service/transfer/exports_test.go

@@ -9,6 +9,7 @@ var (
 	ResourceAgreement           = resourceAgreement
 	ResourceCertificate         = resourceCertificate
 	ResourceConnector           = resourceConnector
+	ResourceHostKey             = newHostKeyResource
 	ResourceProfile             = resourceProfile
 	ResourceServer              = resourceServer
 	ResourceSSHKey              = resourceSSHKey
@@ -22,6 +23,7 @@ var (
 	FindAgreementByTwoPartKey    = findAgreementByTwoPartKey
 	FindCertificateByID          = findCertificateByID
 	FindConnectorByID            = findConnectorByID
+	FindHostKeyByTwoPartKey      = findHostKeyByTwoPartKey
 	FindProfileByID              = findProfileByID
 	FindServerByID               = findServerByID
 	FindTag                      = findTag