feat: add write-only private_key_wo attribute to tfe_saml_settings

Author: uturunku1

internal/provider/data_source_saml_settings.go

@@ -50,6 +50,7 @@ type modelTFESAMLSettings struct {
 	MetadataURL               types.String `tfsdk:"metadata_url"`
 	Certificate               types.String `tfsdk:"certificate"`
 	PrivateKey                types.String `tfsdk:"private_key"`
+	PrivateKeyWO              types.String `tfsdk:"private_key_wo"`
 	SignatureSigningMethod    types.String `tfsdk:"signature_signing_method"`
 	SignatureDigestMethod     types.String `tfsdk:"signature_digest_method"`
 }

internal/provider/resource_tfe_saml_settings.go

@@ -9,15 +9,19 @@ import (
 
 	tfe "github.com/hashicorp/go-tfe"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 )
 
 const (
@@ -36,7 +40,7 @@ type resourceTFESAMLSettings struct {
 }
 
 // modelFromTFEAdminSAMLSettings builds a modelTFESAMLSettings struct from a tfe.AdminSAMLSetting value
-func modelFromTFEAdminSAMLSettings(v tfe.AdminSAMLSetting, privateKey types.String) modelTFESAMLSettings {
+func modelFromTFEAdminSAMLSettings(v tfe.AdminSAMLSetting, privateKey types.String, isWriteOnly bool) modelTFESAMLSettings {
 	m := modelTFESAMLSettings{
 		ID:                        types.StringValue(v.ID),
 		Enabled:                   types.BoolValue(v.Enabled),
@@ -60,9 +64,16 @@ func modelFromTFEAdminSAMLSettings(v tfe.AdminSAMLSetting, privateKey types.Stri
 		SignatureSigningMethod:    types.StringValue(v.SignatureSigningMethod),
 		SignatureDigestMethod:     types.StringValue(v.SignatureDigestMethod),
 	}
+
 	if len(privateKey.String()) > 0 {
 		m.PrivateKey = privateKey
 	}
+
+	// Don't retrieve values if write-only is being used. Unset the hmac key field before updating the state.
+	if isWriteOnly {
+		m.PrivateKey = types.StringValue("")
+	}
+
 	return m
 }
 
@@ -187,6 +198,21 @@ func (r *resourceTFESAMLSettings) Schema(ctx context.Context, req resource.Schem
 				Optional:    true,
 				Computed:    true,
 				Sensitive:   true,
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("private_key_wo")),
+				},
+			},
+			"private_key_wo": schema.StringAttribute{
+				Description: "The private key in write-only mode used for request and assertion signing",
+				Optional:    true,
+				Sensitive:   true,
+				WriteOnly:   true,
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("private_key")),
+				},
+				PlanModifiers: []planmodifier.String{
+					planmodifiers.NewReplaceForWriteOnlyStringValue("private_key_wo"),
+				},
 			},
 			"signature_signing_method": schema.StringAttribute{
 				Description: fmt.Sprintf("Signature Signing Method. Must be either `%s` or `%s`. Defaults to `%s`", samlSignatureMethodSHA1, samlSignatureMethodSHA256, samlSignatureMethodSHA256),
@@ -225,13 +251,22 @@ func (r *resourceTFESAMLSettings) Read(ctx context.Context, req resource.ReadReq
 		return
 	}
 
+	tflog.Debug(ctx, "Reading SAML Settings")
+
 	samlSettings, err := r.client.Admin.Settings.SAML.Read(ctx)
 	if err != nil {
 		resp.Diagnostics.AddError("Error reading SAML Settings", "Could not read SAML Settings, unexpected error: "+err.Error())
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey)
+	isWriteOnly, diags := r.writeOnlyValueStore(resp.Private).PriorValueExists(ctx)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
+	}
+
+	// update state
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey, isWriteOnly)
 	diags = resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -245,14 +280,28 @@ func (r *resourceTFESAMLSettings) Create(ctx context.Context, req resource.Creat
 		return
 	}
 
+	var config modelTFESAMLSettings
+	diags = req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if !config.PrivateKeyWO.IsNull() {
+		m.PrivateKey = config.PrivateKeyWO
+	}
+
 	tflog.Debug(ctx, "Create SAML Settings")
 	samlSettings, err := r.updateSAMLSettings(ctx, m)
 	if err != nil {
 		resp.Diagnostics.AddError("Error creating SAML Settings", "Could not set SAML Settings, unexpected error: "+err.Error())
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey)
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey, !config.PrivateKeyWO.IsNull())
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.PrivateKeyWO)...)
 	diags = resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -266,14 +315,33 @@ func (r *resourceTFESAMLSettings) Update(ctx context.Context, req resource.Updat
 		return
 	}
 
+	var config modelTFESAMLSettings
+	diags = req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if !config.PrivateKeyWO.IsNull() {
+		m.PrivateKey = config.PrivateKeyWO
+	}
+
 	tflog.Debug(ctx, "Update SAML Settings")
 	samlSettings, err := r.updateSAMLSettings(ctx, m)
 	if err != nil {
 		resp.Diagnostics.AddError("Error updating SAML Settings", "Could not set SAML Settings, unexpected error: "+err.Error())
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey)
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.PrivateKeyWO)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey, !config.PrivateKeyWO.IsNull())
+	// Save data into Terraform state
 	diags = resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -321,7 +389,7 @@ func (r *resourceTFESAMLSettings) ImportState(ctx context.Context, req resource.
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, types.StringValue(""))
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, types.StringValue(""), false)
 	diags := resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -363,3 +431,7 @@ func (r *resourceTFESAMLSettings) updateSAMLSettings(ctx context.Context, m mode
 	}
 	return s, nil
 }
+
+func (r *resourceTFESAMLSettings) writeOnlyValueStore(private helpers.PrivateState) *helpers.WriteOnlyValueStore {
+	return helpers.NewWriteOnlyValueStore(private, "private_key_wo")
+}

internal/provider/resource_tfe_saml_settings_test.go

@@ -10,8 +10,10 @@ import (
 	"testing"
 
 	"github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
 )
 
 const testResourceName = "tfe_saml_settings.foobar"
@@ -30,6 +32,46 @@ const testResourceName = "tfe_saml_settings.foobar"
 
 // TestAccTFESAMLSettings_omnibus test suite is skipped in the CI, and will only run in TFE Nightly workflow
 // Should this test name ever change, you will also need to update the regex in ci.yml
+func TestAccTFESAMLSettings_writeOnly(t *testing.T) {
+	s := tfe.AdminSAMLSetting{
+		IDPCert:        "testIDPCertBasic",
+		SLOEndpointURL: "https://foobar.com/slo_endpoint_url",
+		SSOEndpointURL: "https://foobar.com/sso_endpoint_url",
+		PrivateKey:     "TestPrivateKeyFull",
+	}
+	resource.Test(t, resource.TestCase{
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(version.Must(version.NewVersion("1.11.0"))),
+		},
+		ProtoV5ProviderFactories: testAccMuxedProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFESAMLSettings_writeOnly(s),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(testResourceName, "enabled", "true"),
+					resource.TestCheckResourceAttr(testResourceName, "debug", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "authn_requests_signed", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "want_assertions_signed", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "team_management_enabled", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "idp_cert", s.IDPCert),
+					resource.TestCheckResourceAttr(testResourceName, "slo_endpoint_url", s.SLOEndpointURL),
+					resource.TestCheckResourceAttr(testResourceName, "sso_endpoint_url", s.SSOEndpointURL),
+					resource.TestCheckResourceAttr(testResourceName, "attr_username", samlDefaultAttrUsername),
+					resource.TestCheckResourceAttr(testResourceName, "attr_site_admin", samlDefaultAttrSiteAdmin),
+					resource.TestCheckResourceAttr(testResourceName, "attr_groups", samlDefaultAttrGroups),
+					resource.TestCheckResourceAttr(testResourceName, "site_admin_role", samlDefaultSiteAdminRole),
+					resource.TestCheckResourceAttr(testResourceName, "sso_api_token_session_timeout", strconv.Itoa(int(samlDefaultSSOAPITokenSessionTimeoutSeconds))),
+					resource.TestCheckResourceAttrSet(testResourceName, "acs_consumer_url"),
+					resource.TestCheckResourceAttrSet(testResourceName, "metadata_url"),
+					resource.TestCheckResourceAttr(testResourceName, "signature_signing_method", samlSignatureMethodSHA256),
+					resource.TestCheckResourceAttr(testResourceName, "signature_digest_method", samlSignatureMethodSHA256),
+					resource.TestCheckNoResourceAttr(
+						testResourceName, "private_key_wo"),
+				),
+			},
+		},
+	})
+}
 func TestAccTFESAMLSettings_omnibus(t *testing.T) {
 	t.Run("basic SAML settings resource", func(t *testing.T) {
 		s := tfe.AdminSAMLSetting{
@@ -330,3 +372,13 @@ resource "tfe_saml_settings" "foobar" {
   signature_digest_method 		= "%s"
 }`, s.IDPCert, s.SLOEndpointURL, s.SSOEndpointURL, s.Debug, s.AuthnRequestsSigned, s.WantAssertionsSigned, s.TeamManagementEnabled, s.AttrUsername, s.AttrSiteAdmin, s.AttrGroups, s.SiteAdminRole, s.SSOAPITokenSessionTimeout, s.Certificate, s.PrivateKey, s.SignatureSigningMethod, s.SignatureDigestMethod)
 }
+
+func testAccTFESAMLSettings_writeOnly(s tfe.AdminSAMLSetting) string {
+	return fmt.Sprintf(`
+resource "tfe_saml_settings" "foobar" {
+  idp_cert         = "%s"
+  slo_endpoint_url = "%s"
+  sso_endpoint_url = "%s"
+  private_key_wo 					= "%s"
+}`, s.IDPCert, s.SLOEndpointURL, s.SSOEndpointURL, s.PrivateKey)
+}