[TF-23089] implement write only values for tfe_policy_set_parameter (#1641)

* feat: add a write-only value to tfe_policy_set_parameter

* docs: update changelog

* docs: update docs

Author: ctrombley

CHANGELOG.md

@@ -15,9 +15,11 @@ FEATURES:
 
 ENHANCEMENTS:
 
-* resource/tfe_variable: Add `value_wo` write-only attribute ([#1639](https://github.com/hashicorp/terraform-provider-tfe/pull/1639))
+* resource/tfe_variable: Add `value_wo` write-only attribute, by @uturunku ([#1639](https://github.com/hashicorp/terraform-provider-tfe/pull/1639))
 
-* resource/tfe_test_variable: Add `value_wo` write-only attribute ([#1639](https://github.com/hashicorp/terraform-provider-tfe/pull/1639))
+* resource/tfe_test_variable: Add `value_wo` write-only attribute, by @uturunku ([#1639](https://github.com/hashicorp/terraform-provider-tfe/pull/1639))
+
+* resource/tfe_policy_set_parameter: Add `value_wo` write-only attribute, by @ctrombley ([#1641](https://github.com/hashicorp/terraform-provider-tfe/pull/1641))
 
 ## v.0.64.0
 

internal/provider/helpers/write_only.go

@@ -0,0 +1,71 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package helpers
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+func NewWriteOnlyValueStore(private PrivateState, attributeName string) *WriteOnlyValueStore {
+	return &WriteOnlyValueStore{
+		private:       private,
+		attributeName: attributeName,
+	}
+}
+
+type WriteOnlyValueStore struct {
+	private       PrivateState
+	attributeName string
+}
+
+type PrivateState interface {
+	SetKey(ctx context.Context, key string, value []byte) diag.Diagnostics
+	GetKey(ctx context.Context, key string) ([]byte, diag.Diagnostics)
+}
+
+// MatchesPriorValue determines if the given string value matches the prior
+// value in state by comparing the hased values of each.
+func (w *WriteOnlyValueStore) MatchesPriorValue(ctx context.Context, configValue types.String) (bool, diag.Diagnostics) {
+	serializedPriorValue, diags := w.private.GetKey(ctx, w.attributeName)
+	var hashedPriorValue string
+	err := json.Unmarshal(serializedPriorValue, &hashedPriorValue)
+	if err != nil {
+		diags.AddError(fmt.Sprintf("failed to unmarshal prior value for `%s`", w.attributeName), err.Error())
+	}
+
+	hashedValue := generateSHA256Hash(configValue.ValueString())
+	return hashedPriorValue == hashedValue, diags
+}
+
+// PriorValueExists determines if a hashed prior value exists in state.
+func (w *WriteOnlyValueStore) PriorValueExists(ctx context.Context) (bool, diag.Diagnostics) {
+	serializedPriorValue, diags := w.private.GetKey(ctx, w.attributeName)
+	return len(serializedPriorValue) != 0, diags
+}
+
+// SetPriorValue stores the hashed value of the given string value in state.
+func (w *WriteOnlyValueStore) SetPriorValue(ctx context.Context, configValue types.String) diag.Diagnostics {
+	// If not write-only, then remove the hashed value from private state.
+	// Setting a key with an empty byte slice is interpreted by the framework as a request to remove the key from the ProviderData map.
+	if configValue.IsNull() {
+		return w.private.SetKey(ctx, w.attributeName, []byte(""))
+	}
+
+	// Store the hashed value of the string in private state.
+	hashedValue := generateSHA256Hash(configValue.ValueString())
+	return w.private.SetKey(ctx, w.attributeName, fmt.Appendf(nil, `"%s"`, hashedValue))
+}
+
+func generateSHA256Hash(data string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(data))
+	return hex.EncodeToString(hasher.Sum(nil))
+}

internal/provider/planmodifiers/write_only.go

@@ -0,0 +1,92 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package planmodifiers
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers"
+)
+
+var _ planmodifier.String = &replaceForWriteOnlyStringValue{}
+
+func NewReplaceForWriteOnlyStringValue(attributeWriteOnly string) planmodifier.String {
+	return &replaceForWriteOnlyStringValue{
+		attributeWriteOnly: attributeWriteOnly,
+	}
+}
+
+// replaceForWriteOnlyStringValue is a plan modifier that will cause a resource
+// to be replaced if the value of a write-only attribute has changed.
+//
+// For this to work, the write-only attribute must be added to private state
+// using WriteOnlyValueStore.SetPriorValue() after creating or updating the value.
+type replaceForWriteOnlyStringValue struct {
+	attributeWriteOnly string
+}
+
+func (p *replaceForWriteOnlyStringValue) Description(ctx context.Context) string {
+	return "The resource will be replaced when the value of `%s` has changed"
+}
+
+func (p *replaceForWriteOnlyStringValue) MarkdownDescription(ctx context.Context) string {
+	return p.Description(ctx)
+}
+
+func (p *replaceForWriteOnlyStringValue) PlanModifyString(ctx context.Context, request planmodifier.StringRequest, response *planmodifier.StringResponse) {
+	// This plan modifier can be used to trigger a resource replacement when the
+	// value of a write-only attribute has changed.
+	//
+	// Write-only argument values cannot produce a Terraform plan difference on
+	// their own. The prior state value for a write-only argument will always be
+	// null, and the planned state value will also be null.
+	//
+	// The one exception to this case is if the write-only argument is added to
+	// requires_replace during Plan Modification, in that case, the write-only
+	// argument will always cause a diff/trigger a resource recreation.
+	var writeOnlyValue types.String
+	diags := request.Config.GetAttribute(ctx, path.Root(p.attributeWriteOnly), &writeOnlyValue)
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	writeOnlyValueExists := !writeOnlyValue.IsNull()
+	writeOnlyValueStore := helpers.NewWriteOnlyValueStore(request.Private, p.attributeWriteOnly)
+	priorWriteOnlyValueExists, diags := writeOnlyValueStore.PriorValueExists(ctx)
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	if !writeOnlyValueExists && priorWriteOnlyValueExists {
+		tflog.Debug(ctx, fmt.Sprintf("Replacing resource because the write-only `%s` attribute has been removed", p.attributeWriteOnly))
+		response.RequiresReplace = true
+		return
+	}
+
+	if !writeOnlyValueExists {
+		return
+	}
+
+	// Now are dealing with a write-only attribute that has a value set.
+	if !priorWriteOnlyValueExists {
+		tflog.Debug(ctx, fmt.Sprintf("Replacing resource because the write-only `%s` attribute has been newly added to a resource in state", p.attributeWriteOnly))
+		response.RequiresReplace = true
+		return
+	}
+
+	matches, diags := writeOnlyValueStore.MatchesPriorValue(ctx, writeOnlyValue)
+	response.Diagnostics.Append(diags...)
+
+	if !matches {
+		tflog.Debug(ctx, fmt.Sprintf("Replacing resource because the value of the write-only `%s` attribute has changed", p.attributeWriteOnly))
+		response.RequiresReplace = true
+	}
+}

internal/provider/resource_tfe_policy_set_parameter.go

@@ -7,7 +7,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"log"
 	"regexp"
 	"strings"
 
@@ -23,6 +22,9 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 )
 
 var (
@@ -43,11 +45,12 @@ type modelTFEPolicySetParameter struct {
 	ID          types.String `tfsdk:"id"`
 	Key         types.String `tfsdk:"key"`
 	Value       types.String `tfsdk:"value"`
+	ValueWO     types.String `tfsdk:"value_wo"`
 	Sensitive   types.Bool   `tfsdk:"sensitive"`
 	PolicySetID types.String `tfsdk:"policy_set_id"`
 }
 
-func modelFromTFEPolicySetParameter(v *tfe.PolicySetParameter, lastValue types.String) modelTFEPolicySetParameter {
+func modelFromTFEPolicySetParameter(v *tfe.PolicySetParameter, lastValue types.String, isWriteOnly bool) modelTFEPolicySetParameter {
 	p := modelTFEPolicySetParameter{
 		ID:          types.StringValue(v.ID),
 		Key:         types.StringValue(v.Key),
@@ -62,6 +65,11 @@ func modelFromTFEPolicySetParameter(v *tfe.PolicySetParameter, lastValue types.S
 		p.Value = lastValue
 	}
 
+	// If the variable is write-only, clear the value.
+	if isWriteOnly {
+		p.Value = types.StringValue("")
+	}
+
 	return p
 }
 
@@ -126,6 +134,22 @@ func (r *resourceTFEPolicySetParameter) Schema(ctx context.Context, req resource
 				Computed:    true,
 				Default:     stringdefault.StaticString(""),
 				Sensitive:   true,
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("value_wo")),
+				},
+			},
+
+			"value_wo": schema.StringAttribute{
+				Optional:    true,
+				WriteOnly:   true,
+				Sensitive:   true,
+				Description: "Value of the parameter in write-only mode",
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("value")),
+				},
+				PlanModifiers: []planmodifier.String{
+					planmodifiers.NewReplaceForWriteOnlyStringValue("value_wo"),
+				},
 			},
 
 			"sensitive": schema.BoolAttribute{
@@ -168,30 +192,46 @@ func (r *resourceTFEPolicySetParameter) Schema(ctx context.Context, req resource
 }
 
 func (r *resourceTFEPolicySetParameter) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
-	// Read the Terraform plan into the model
-	var plan modelTFEPolicySetParameter
+	// Read the Terraform plan and config into the model
+	var plan, config modelTFEPolicySetParameter
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
 	// Create an options struct
 	options := tfe.PolicySetParameterCreateOptions{
 		Key:       plan.Key.ValueStringPointer(),
-		Value:     plan.Value.ValueStringPointer(),
 		Category:  tfe.Category(tfe.CategoryPolicySet),
 		Sensitive: plan.Sensitive.ValueBoolPointer(),
 	}
 
+	// Set Value from `value_wo` if set, otherwise use the normal value
+	isWriteOnly := !config.ValueWO.IsNull()
+	if isWriteOnly {
+		options.Value = config.ValueWO.ValueStringPointer()
+	} else {
+		options.Value = plan.Value.ValueStringPointer()
+	}
+
 	// Create the policy set parameter
-	log.Printf("[DEBUG] Create %s parameter: %s", tfe.CategoryPolicySet, plan.Key.ValueString())
+	tflog.Debug(ctx, fmt.Sprintf("Create %s parameter: %s", tfe.CategoryPolicySet, plan.Key.ValueString()))
 	p, err := r.config.Client.PolicySetParameters.Create(ctx, plan.PolicySetID.ValueString(), options)
 	if err != nil {
 		resp.Diagnostics.AddError(fmt.Sprintf("Error creating %s parameter %s", tfe.CategoryPolicySet, plan.Key), err.Error())
 		return
 	}
 
-	result := modelFromTFEPolicySetParameter(p, plan.Value)
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.ValueWO)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Update state
+	result := modelFromTFEPolicySetParameter(p, plan.Value, isWriteOnly)
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 }
 
@@ -211,33 +251,36 @@ func (r *resourceTFEPolicySetParameter) Read(ctx context.Context, req resource.R
 	}
 
 	// Read the policy set parameter
-	log.Printf("[DEBUG] Read parameter: %s", state.ID)
+	tflog.Debug(ctx, fmt.Sprintf("Read parameter: %s", state.ID))
 	p, err := r.config.Client.PolicySetParameters.Read(ctx, state.PolicySetID.ValueString(), state.ID.ValueString())
 	if err != nil {
 		if errors.Is(err, tfe.ErrResourceNotFound) {
-			log.Printf("[DEBUG] Parameter %s no longer exists", state.ID)
+			tflog.Debug(ctx, fmt.Sprintf("Parameter %s no longer exists", state.ID))
 			resp.State.RemoveResource(ctx)
 		}
 
 		resp.Diagnostics.AddError(fmt.Sprintf("Error reading %s parameter %s", tfe.CategoryPolicySet, state.ID), err.Error())
 		return
 	}
 
-	result := modelFromTFEPolicySetParameter(p, state.Value)
+	// Check if the parameter is write-only
+	isWriteOnly, diags := r.writeOnlyValueStore(resp.Private).PriorValueExists(ctx)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
+	}
+
+	result := modelFromTFEPolicySetParameter(p, state.Value, isWriteOnly)
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 }
 
 // Update implements resource.Resource
 func (r *resourceTFEPolicySetParameter) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	// Read the Terraform plan into the model
-	var plan modelTFEPolicySetParameter
+	// Read the Terraform plan, state, and config into the model
+	var plan, state, config modelTFEPolicySetParameter
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-	// Read the Terraform state into the model
-	var state modelTFEPolicySetParameter
 	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
+	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
@@ -256,13 +299,21 @@ func (r *resourceTFEPolicySetParameter) Update(ctx context.Context, req resource
 	}
 
 	// Update the policy set parameter
-	log.Printf("[DEBUG] Update parameter: %s", plan.ID.ValueString())
+	tflog.Debug(ctx, fmt.Sprintf("Update parameter: %s", plan.ID.ValueString()))
 	p, err := r.config.Client.PolicySetParameters.Update(ctx, plan.PolicySetID.ValueString(), plan.ID.ValueString(), options)
 	if err != nil {
 		resp.Diagnostics.AddError(fmt.Sprintf("Error updating parameter %s", plan.ID), err.Error())
 	}
 
-	result := modelFromTFEPolicySetParameter(p, plan.Value)
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.ValueWO)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Update state
+	result := modelFromTFEPolicySetParameter(p, plan.Value, !config.ValueWO.IsNull())
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 }
 
@@ -283,7 +334,7 @@ func (r *resourceTFEPolicySetParameter) Delete(ctx context.Context, req resource
 	}
 
 	// Delete the policy set parameter
-	log.Printf("[DEBUG] Delete parameter: %s", state.ID)
+	tflog.Debug(ctx, fmt.Sprintf("Delete parameter: %s", state.ID))
 	err = r.config.Client.PolicySetParameters.Delete(ctx, state.PolicySetID.ValueString(), state.ID.ValueString())
 	if err != nil && !errors.Is(err, tfe.ErrResourceNotFound) {
 		resp.Diagnostics.AddError(
@@ -313,3 +364,7 @@ func (r *resourceTFEPolicySetParameter) ImportState(ctx context.Context, req res
 	diags := resp.State.Set(ctx, &data)
 	resp.Diagnostics.Append(diags...)
 }
+
+func (r *resourceTFEPolicySetParameter) writeOnlyValueStore(private helpers.PrivateState) *helpers.WriteOnlyValueStore {
+	return helpers.NewWriteOnlyValueStore(private, "value_wo")
+}