Add immutable field to kubernetes_secret (#1280)

Co-authored-by: John Houston <[email protected]>

Author: DrFaust92

kubernetes/data_source_kubernetes_secret.go

@@ -31,6 +31,11 @@ func dataSourceKubernetesSecret() *schema.Resource {
 				Description: "Type of secret",
 				Computed:    true,
 			},
+			"immutable": {
+				Type:        schema.TypeBool,
+				Description: "Ensures that data stored in the Secret cannot be updated (only object metadata can be modified).",
+				Computed:    true,
+			},
 		},
 	}
 }

kubernetes/data_source_kubernetes_secret_test.go

@@ -10,50 +10,36 @@ import (
 
 func TestAccKubernetesDataSourceSecret_basic(t *testing.T) {
 	name := fmt.Sprintf("tf-acc-test-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
+	resourceName := "kubernetes_secret.test"
+	datasourceName := "data.kubernetes_secret.test"
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:          func() { testAccPreCheck(t) },
 		ProviderFactories: testAccProviderFactories,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccKubernetesDataSourceSecretConfig_basic(name),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.name", name),
-					resource.TestCheckResourceAttrSet("kubernetes_secret.test", "metadata.0.generation"),
-					resource.TestCheckResourceAttrSet("kubernetes_secret.test", "metadata.0.resource_version"),
-					resource.TestCheckResourceAttrSet("kubernetes_secret.test", "metadata.0.uid"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.annotations.%", "2"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.annotations.TestAnnotationOne", "one"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.annotations.TestAnnotationTwo", "two"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.labels.TestLabelOne", "one"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.labels.TestLabelTwo", "two"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "metadata.0.labels.TestLabelThree", "three"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "data.%", "2"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "data.one", "first"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "data.two", "second"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "type", "Opaque"),
-					resource.TestCheckResourceAttr("kubernetes_secret.test", "binary_data.raw", "UmF3IGRhdGEgc2hvdWxkIGNvbWUgYmFjayBhcyBpcyBpbiB0aGUgcG9k"),
-				),
 			},
 			{
 				Config: testAccKubernetesDataSourceSecretConfig_basic(name) +
 					testAccKubernetesDataSourceSecretConfig_read(),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.name", name),
-					resource.TestCheckResourceAttrSet("data.kubernetes_secret.test", "metadata.0.generation"),
-					resource.TestCheckResourceAttrSet("data.kubernetes_secret.test", "metadata.0.resource_version"),
-					resource.TestCheckResourceAttrSet("data.kubernetes_secret.test", "metadata.0.uid"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.annotations.%", "2"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.annotations.TestAnnotationOne", "one"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.annotations.TestAnnotationTwo", "two"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.labels.TestLabelOne", "one"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.labels.TestLabelTwo", "two"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "metadata.0.labels.TestLabelThree", "three"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.%", "2"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.one", "first"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.two", "second"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "type", "Opaque"),
-					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "binary_data.raw", "UmF3IGRhdGEgc2hvdWxkIGNvbWUgYmFjayBhcyBpcyBpbiB0aGUgcG9k"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.name", resourceName, "metadata.0.name"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.generation", resourceName, "metadata.0.generation"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.resource_version", resourceName, "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.uid", resourceName, "metadata.0.uid"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.annotations.%", resourceName, "metadata.0.annotations.%"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.annotations.TestAnnotationOne", resourceName, "metadata.0.annotations.TestAnnotationOne"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.annotations.TestAnnotationTwo", resourceName, "metadata.0.annotations.TestAnnotationTwo"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.labels.TestLabelOne", resourceName, "metadata.0.labels.TestLabelOne"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.labels.TestLabelTwo", resourceName, "metadata.0.labels.TestLabelTwo"),
+					resource.TestCheckResourceAttrPair(datasourceName, "metadata.0.labels.TestLabelThree", resourceName, "metadata.0.labels.TestLabelThree"),
+					resource.TestCheckResourceAttrPair(datasourceName, "data.%", resourceName, "data.%"),
+					resource.TestCheckResourceAttrPair(datasourceName, "data.one", resourceName, "data.one"),
+					resource.TestCheckResourceAttrPair(datasourceName, "data.two", resourceName, "data.two"),
+					resource.TestCheckResourceAttrPair(datasourceName, "type", resourceName, "type"),
+					resource.TestCheckResourceAttrPair(datasourceName, "immutable", resourceName, "immutable"),
+					resource.TestCheckResourceAttrPair(datasourceName, "binary_data.raw", resourceName, "binary_data.raw"),
 				),
 			},
 		},
@@ -92,7 +78,7 @@ func testAccKubernetesDataSourceSecretConfig_basic(name string) string {
 func testAccKubernetesDataSourceSecretConfig_read() string {
 	return fmt.Sprintf(`data "kubernetes_secret" "test" {
   metadata {
-    name = "${kubernetes_secret.test.metadata.0.name}"
+    name = kubernetes_secret.test.metadata.0.name
   }
 
   binary_data = {

kubernetes/resource_kubernetes_secret.go

@@ -22,6 +22,29 @@ func resourceKubernetesSecret() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
+		CustomizeDiff: func(ctx context.Context, diff *schema.ResourceDiff, meta interface{}) error {
+			if diff.Id() == "" {
+				return nil
+			}
+
+			// ForceNew if immutable has been set to true
+			// and there are any changes to data, binary_data, or immutable
+			immutable, _ := diff.GetChange("immutable")
+			if immutable.(bool) {
+				immutableFields := []string{
+					"data",
+					"binary_data",
+					"immutable",
+				}
+				for _, f := range immutableFields {
+					if diff.HasChange(f) {
+						diff.ForceNew(f)
+					}
+				}
+			}
+
+			return nil
+		},
 
 		Schema: map[string]*schema.Schema{
 			"metadata": namespacedMetadataSchema("secret", true),
@@ -38,10 +61,15 @@ func resourceKubernetesSecret() *schema.Resource {
 				Sensitive:   true,
 				Description: "A map of the secret data in base64 encoding. Use this for binary data.",
 			},
+			"immutable": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Ensures that data stored in the Secret cannot be updated (only object metadata can be modified).",
+			},
 			"type": {
 				Type:        schema.TypeString,
 				Description: "Type of secret",
-				Default:     "Opaque",
+				Default:     string(api.SecretTypeOpaque),
 				Optional:    true,
 				ForceNew:    true,
 			},
@@ -81,6 +109,10 @@ func resourceKubernetesSecretCreate(ctx context.Context, d *schema.ResourceData,
 		secret.Type = api.SecretType(v.(string))
 	}
 
+	if v, ok := d.GetOkExists("immutable"); ok {
+		secret.Immutable = ptrToBool(v.(bool))
+	}
+
 	log.Printf("[INFO] Creating new secret: %#v", secret)
 	out, err := conn.CoreV1().Secrets(metadata.Namespace).Create(ctx, &secret, metav1.CreateOptions{})
 	if err != nil {
@@ -139,6 +171,8 @@ func resourceKubernetesSecretRead(ctx context.Context, d *schema.ResourceData, m
 	}
 	d.Set("data", flattenByteMapToStringMap(secret.Data))
 	d.Set("type", secret.Type)
+	d.Set("immutable", secret.Immutable)
+
 	return nil
 }
 
@@ -156,12 +190,14 @@ func resourceKubernetesSecretUpdate(ctx context.Context, d *schema.ResourceData,
 	ops := patchMetadata("metadata.0.", "/metadata/", d)
 
 	newData := map[string]interface{}{}
+	updateData := false
 	if d.HasChange("data") {
 		_, new := d.GetChange("data")
 		new = base64EncodeStringMap(new.(map[string]interface{}))
 		for k, v := range new.(map[string]interface{}) {
 			newData[k] = v
 		}
+		updateData = true
 	} else if v, ok := d.GetOk("data"); ok {
 		for k, vv := range base64EncodeStringMap(v.(map[string]interface{})) {
 			newData[k] = vv
@@ -172,16 +208,26 @@ func resourceKubernetesSecretUpdate(ctx context.Context, d *schema.ResourceData,
 		for k, v := range new.(map[string]interface{}) {
 			newData[k] = v
 		}
+		updateData = true
 	} else if v, ok := d.GetOk("binary_data"); ok {
 		for k, vv := range v.(map[string]interface{}) {
 			newData[k] = vv
 		}
 	}
 
-	ops = append(ops, &AddOperation{
-		Path:  "/data",
-		Value: newData,
-	})
+	if updateData {
+		ops = append(ops, &AddOperation{
+			Path:  "/data",
+			Value: newData,
+		})
+	}
+
+	if d.HasChange("immutable") {
+		ops = append(ops, &ReplaceOperation{
+			Path:  "/immutable",
+			Value: ptrToBool(d.Get("immutable").(bool)),
+		})
+	}
 
 	data, err := ops.MarshalJSON()
 	if err != nil {