Merge pull request #1660 from hashicorp/token-wo

uturunku1 · web-flow · commit 175f48d804b7 · 2025-03-24T12:35:02.000-07:00
feat: add write-only private_key_wo attribute to tfe_saml_settings
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,8 @@ ENHANCEMENTS:
 
 * resource/tfe_organization_run_task: Add `hmac_key_wo` write-only attribute, by @shwetamurali ([#1646](https://github.com/hashicorp/terraform-provider-tfe/pull/1646))
 
+* resource/tfe_saml_settings: Add `private_key_wo` write-only attribute, by @uturunku1 ([#1660](https://github.com/hashicorp/terraform-provider-tfe/pull/1660))
+
 ## v.0.64.0
 
 FEATURES:
diff --git a/internal/provider/data_source_saml_settings.go b/internal/provider/data_source_saml_settings.go
@@ -29,8 +29,8 @@ type dataSourceTFESAMLSettings struct {
 	client *tfe.Client
 }
 
-// modelTFESAMLSettings maps the data source schema data.
-type modelTFESAMLSettings struct {
+// modelDataTFESAMLSettings maps the data source schema data.
+type modelDataTFESAMLSettings struct {
 	ID                        types.String `tfsdk:"id"`
 	Enabled                   types.Bool   `tfsdk:"enabled"`
 	Debug                     types.Bool   `tfsdk:"debug"`
@@ -158,7 +158,7 @@ func (d *dataSourceTFESAMLSettings) Read(ctx context.Context, _ datasource.ReadR
 	}
 
 	// Set state
-	diags := resp.State.Set(ctx, &modelTFESAMLSettings{
+	diags := resp.State.Set(ctx, &modelDataTFESAMLSettings{
 		ID:                        types.StringValue(s.ID),
 		Enabled:                   types.BoolValue(s.Enabled),
 		Debug:                     types.BoolValue(s.Debug),
diff --git a/internal/provider/resource_tfe_saml_settings.go b/internal/provider/resource_tfe_saml_settings.go
@@ -9,15 +9,19 @@ import (
 
 	tfe "github.com/hashicorp/go-tfe"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 )
 
 const (
@@ -30,13 +34,38 @@ const (
 	samlDefaultSSOAPITokenSessionTimeoutSeconds int64  = 1209600 // 14 days
 )
 
+type modelTFESAMLSettings struct {
+	ID                        types.String `tfsdk:"id"`
+	Enabled                   types.Bool   `tfsdk:"enabled"`
+	Debug                     types.Bool   `tfsdk:"debug"`
+	TeamManagementEnabled     types.Bool   `tfsdk:"team_management_enabled"`
+	AuthnRequestsSigned       types.Bool   `tfsdk:"authn_requests_signed"`
+	WantAssertionsSigned      types.Bool   `tfsdk:"want_assertions_signed"`
+	IDPCert                   types.String `tfsdk:"idp_cert"`
+	OldIDPCert                types.String `tfsdk:"old_idp_cert"`
+	SLOEndpointURL            types.String `tfsdk:"slo_endpoint_url"`
+	SSOEndpointURL            types.String `tfsdk:"sso_endpoint_url"`
+	AttrUsername              types.String `tfsdk:"attr_username"`
+	AttrGroups                types.String `tfsdk:"attr_groups"`
+	AttrSiteAdmin             types.String `tfsdk:"attr_site_admin"`
+	SiteAdminRole             types.String `tfsdk:"site_admin_role"`
+	SSOAPITokenSessionTimeout types.Int64  `tfsdk:"sso_api_token_session_timeout"`
+	ACSConsumerURL            types.String `tfsdk:"acs_consumer_url"`
+	MetadataURL               types.String `tfsdk:"metadata_url"`
+	Certificate               types.String `tfsdk:"certificate"`
+	PrivateKey                types.String `tfsdk:"private_key"`
+	PrivateKeyWO              types.String `tfsdk:"private_key_wo"`
+	SignatureSigningMethod    types.String `tfsdk:"signature_signing_method"`
+	SignatureDigestMethod     types.String `tfsdk:"signature_digest_method"`
+}
+
 // resourceTFESAMLSettings implements the tfe_saml_settings resource type
 type resourceTFESAMLSettings struct {
 	client *tfe.Client
 }
 
 // modelFromTFEAdminSAMLSettings builds a modelTFESAMLSettings struct from a tfe.AdminSAMLSetting value
-func modelFromTFEAdminSAMLSettings(v tfe.AdminSAMLSetting, privateKey types.String) modelTFESAMLSettings {
+func modelFromTFEAdminSAMLSettings(v tfe.AdminSAMLSetting, privateKey types.String, isWriteOnly bool) modelTFESAMLSettings {
 	m := modelTFESAMLSettings{
 		ID:                        types.StringValue(v.ID),
 		Enabled:                   types.BoolValue(v.Enabled),
@@ -60,9 +89,16 @@ func modelFromTFEAdminSAMLSettings(v tfe.AdminSAMLSetting, privateKey types.Stri
 		SignatureSigningMethod:    types.StringValue(v.SignatureSigningMethod),
 		SignatureDigestMethod:     types.StringValue(v.SignatureDigestMethod),
 	}
+
 	if len(privateKey.String()) > 0 {
 		m.PrivateKey = privateKey
 	}
+
+	// Don't retrieve values if write-only is being used. Unset the private key field before updating the state.
+	if isWriteOnly {
+		m.PrivateKey = types.StringValue("")
+	}
+
 	return m
 }
 
@@ -187,6 +223,21 @@ func (r *resourceTFESAMLSettings) Schema(ctx context.Context, req resource.Schem
 				Optional:    true,
 				Computed:    true,
 				Sensitive:   true,
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("private_key_wo")),
+				},
+			},
+			"private_key_wo": schema.StringAttribute{
+				Description: "The private key in write-only mode used for request and assertion signing",
+				Optional:    true,
+				Sensitive:   true,
+				WriteOnly:   true,
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("private_key")),
+				},
+				PlanModifiers: []planmodifier.String{
+					planmodifiers.NewReplaceForWriteOnlyStringValue("private_key_wo"),
+				},
 			},
 			"signature_signing_method": schema.StringAttribute{
 				Description: fmt.Sprintf("Signature Signing Method. Must be either `%s` or `%s`. Defaults to `%s`", samlSignatureMethodSHA1, samlSignatureMethodSHA256, samlSignatureMethodSHA256),
@@ -225,13 +276,22 @@ func (r *resourceTFESAMLSettings) Read(ctx context.Context, req resource.ReadReq
 		return
 	}
 
+	tflog.Debug(ctx, "Reading SAML Settings")
+
 	samlSettings, err := r.client.Admin.Settings.SAML.Read(ctx)
 	if err != nil {
 		resp.Diagnostics.AddError("Error reading SAML Settings", "Could not read SAML Settings, unexpected error: "+err.Error())
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey)
+	isWriteOnly, diags := r.writeOnlyValueStore(resp.Private).PriorValueExists(ctx)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
+	}
+
+	// update state
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey, isWriteOnly)
 	diags = resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -245,14 +305,28 @@ func (r *resourceTFESAMLSettings) Create(ctx context.Context, req resource.Creat
 		return
 	}
 
+	var config modelTFESAMLSettings
+	diags = req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if !config.PrivateKeyWO.IsNull() {
+		m.PrivateKey = config.PrivateKeyWO
+	}
+
 	tflog.Debug(ctx, "Create SAML Settings")
 	samlSettings, err := r.updateSAMLSettings(ctx, m)
 	if err != nil {
 		resp.Diagnostics.AddError("Error creating SAML Settings", "Could not set SAML Settings, unexpected error: "+err.Error())
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey)
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey, !config.PrivateKeyWO.IsNull())
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.PrivateKeyWO)...)
 	diags = resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -266,14 +340,33 @@ func (r *resourceTFESAMLSettings) Update(ctx context.Context, req resource.Updat
 		return
 	}
 
+	var config modelTFESAMLSettings
+	diags = req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if !config.PrivateKeyWO.IsNull() {
+		m.PrivateKey = config.PrivateKeyWO
+	}
+
 	tflog.Debug(ctx, "Update SAML Settings")
 	samlSettings, err := r.updateSAMLSettings(ctx, m)
 	if err != nil {
 		resp.Diagnostics.AddError("Error updating SAML Settings", "Could not set SAML Settings, unexpected error: "+err.Error())
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey)
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.PrivateKeyWO)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, m.PrivateKey, !config.PrivateKeyWO.IsNull())
+	// Save data into Terraform state
 	diags = resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -321,7 +414,7 @@ func (r *resourceTFESAMLSettings) ImportState(ctx context.Context, req resource.
 		return
 	}
 
-	result := modelFromTFEAdminSAMLSettings(*samlSettings, types.StringValue(""))
+	result := modelFromTFEAdminSAMLSettings(*samlSettings, types.StringValue(""), false)
 	diags := resp.State.Set(ctx, &result)
 	resp.Diagnostics.Append(diags...)
 }
@@ -363,3 +456,7 @@ func (r *resourceTFESAMLSettings) updateSAMLSettings(ctx context.Context, m mode
 	}
 	return s, nil
 }
+
+func (r *resourceTFESAMLSettings) writeOnlyValueStore(private helpers.PrivateState) *helpers.WriteOnlyValueStore {
+	return helpers.NewWriteOnlyValueStore(private, "private_key_wo")
+}
diff --git a/internal/provider/resource_tfe_saml_settings_test.go b/internal/provider/resource_tfe_saml_settings_test.go
@@ -10,8 +10,10 @@ import (
 	"testing"
 
 	"github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
 )
 
 const testResourceName = "tfe_saml_settings.foobar"
@@ -30,6 +32,46 @@ const testResourceName = "tfe_saml_settings.foobar"
 
 // TestAccTFESAMLSettings_omnibus test suite is skipped in the CI, and will only run in TFE Nightly workflow
 // Should this test name ever change, you will also need to update the regex in ci.yml
+func TestAccTFESAMLSettings_writeOnly(t *testing.T) {
+	s := tfe.AdminSAMLSetting{
+		IDPCert:        "testIDPCertBasic",
+		SLOEndpointURL: "https://foobar.com/slo_endpoint_url",
+		SSOEndpointURL: "https://foobar.com/sso_endpoint_url",
+		PrivateKey:     "TestPrivateKeyFull",
+	}
+	resource.Test(t, resource.TestCase{
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(version.Must(version.NewVersion("1.11.0"))),
+		},
+		ProtoV5ProviderFactories: testAccMuxedProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFESAMLSettings_writeOnly(s),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(testResourceName, "enabled", "true"),
+					resource.TestCheckResourceAttr(testResourceName, "debug", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "authn_requests_signed", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "want_assertions_signed", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "team_management_enabled", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "idp_cert", s.IDPCert),
+					resource.TestCheckResourceAttr(testResourceName, "slo_endpoint_url", s.SLOEndpointURL),
+					resource.TestCheckResourceAttr(testResourceName, "sso_endpoint_url", s.SSOEndpointURL),
+					resource.TestCheckResourceAttr(testResourceName, "attr_username", samlDefaultAttrUsername),
+					resource.TestCheckResourceAttr(testResourceName, "attr_site_admin", samlDefaultAttrSiteAdmin),
+					resource.TestCheckResourceAttr(testResourceName, "attr_groups", samlDefaultAttrGroups),
+					resource.TestCheckResourceAttr(testResourceName, "site_admin_role", samlDefaultSiteAdminRole),
+					resource.TestCheckResourceAttr(testResourceName, "sso_api_token_session_timeout", strconv.Itoa(int(samlDefaultSSOAPITokenSessionTimeoutSeconds))),
+					resource.TestCheckResourceAttrSet(testResourceName, "acs_consumer_url"),
+					resource.TestCheckResourceAttrSet(testResourceName, "metadata_url"),
+					resource.TestCheckResourceAttr(testResourceName, "signature_signing_method", samlSignatureMethodSHA256),
+					resource.TestCheckResourceAttr(testResourceName, "signature_digest_method", samlSignatureMethodSHA256),
+					resource.TestCheckNoResourceAttr(
+						testResourceName, "private_key_wo"),
+				),
+			},
+		},
+	})
+}
 func TestAccTFESAMLSettings_omnibus(t *testing.T) {
 	t.Run("basic SAML settings resource", func(t *testing.T) {
 		s := tfe.AdminSAMLSetting{
@@ -330,3 +372,13 @@ resource "tfe_saml_settings" "foobar" {
   signature_digest_method 		= "%s"
 }`, s.IDPCert, s.SLOEndpointURL, s.SSOEndpointURL, s.Debug, s.AuthnRequestsSigned, s.WantAssertionsSigned, s.TeamManagementEnabled, s.AttrUsername, s.AttrSiteAdmin, s.AttrGroups, s.SiteAdminRole, s.SSOAPITokenSessionTimeout, s.Certificate, s.PrivateKey, s.SignatureSigningMethod, s.SignatureDigestMethod)
 }
+
+func testAccTFESAMLSettings_writeOnly(s tfe.AdminSAMLSetting) string {
+	return fmt.Sprintf(`
+resource "tfe_saml_settings" "foobar" {
+  idp_cert         = "%s"
+  slo_endpoint_url = "%s"
+  sso_endpoint_url = "%s"
+  private_key_wo 					= "%s"
+}`, s.IDPCert, s.SLOEndpointURL, s.SSOEndpointURL, s.PrivateKey)
+}
diff --git a/website/docs/r/saml_settings.html.markdown b/website/docs/r/saml_settings.html.markdown
@@ -44,9 +44,12 @@ The following arguments are supported:
 * `sso_api_token_session_timeout` - (Optional) Specifies the Single Sign On session timeout in seconds. Defaults to 14 days.
 * `certificate` - (Optional) The certificate used for request and assertion signing.
 * `private_key` - (Optional) The private key used for request and assertion signing.
+* `private_key_wo` - (Optional) The private key used for request and assertion signing, guaranteed not to be written to plan or state artifacts. One of `private_key` or `private_key_wo` must be provided.
 * `signature_signing_method` - (Optional) Signature Signing Method. Must be either `SHA1` or `SHA256`. Defaults to `SHA256`.
 * `signature_digest_method` - (Optional) Signature Digest Method. Must be either `SHA1` or `SHA256`. Defaults to `SHA256`.
 
+-> **Note:** Write-Only argument `private_key_wo` is available to use in place of `private_key`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/v1.11.x/resources/ephemeral#write-only-arguments).
+
 ## Attributes Reference
 
 * `id` - The ID of the SAML Settings. Always `saml`.
