add write-only option for token attribute for notification configuration resource

Author: uturunku1

CHANGELOG.md

@@ -25,6 +25,8 @@ ENHANCEMENTS:
 
 * resource/tfe_saml_settings: Add `private_key_wo` write-only attribute, by @uturunku1 ([#1660](https://github.com/hashicorp/terraform-provider-tfe/pull/1660))
 
+* resource/tfe_notification_configuration: Add `token_wo` write-only attribute, by @uturunku1 ([#1664](https://github.com/hashicorp/terraform-provider-tfe/pull/1664))
+
 ## v.0.64.0
 
 FEATURES:

internal/provider/resource_tfe_notification_configuration.go

@@ -21,6 +21,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 	"github.com/hashicorp/terraform-provider-tfe/internal/provider/validators"
 )
 
@@ -48,13 +50,14 @@ type modelTFENotificationConfiguration struct {
 	EmailUserIDs    types.Set    `tfsdk:"email_user_ids"`
 	Enabled         types.Bool   `tfsdk:"enabled"`
 	Token           types.String `tfsdk:"token"`
+	TokenWO         types.String `tfsdk:"token_wo"`
 	Triggers        types.Set    `tfsdk:"triggers"`
 	URL             types.String `tfsdk:"url"`
 	WorkspaceID     types.String `tfsdk:"workspace_id"`
 }
 
 // modelFromTFENotificationConfiguration builds a modelTFENotificationConfiguration struct from a tfe.NotificationConfiguration value.
-func modelFromTFENotificationConfiguration(v *tfe.NotificationConfiguration) (modelTFENotificationConfiguration, diag.Diagnostics) {
+func modelFromTFENotificationConfiguration(v *tfe.NotificationConfiguration, isWriteOnlyValue bool) (modelTFENotificationConfiguration, diag.Diagnostics) {
 	var diags diag.Diagnostics
 	result := modelTFENotificationConfiguration{
 		ID:              types.StringValue(v.ID),
@@ -99,6 +102,10 @@ func modelFromTFENotificationConfiguration(v *tfe.NotificationConfiguration) (mo
 	if v.Token != "" {
 		result.Token = types.StringValue(v.Token)
 	}
+	// Don't retrieve values if write-only is being used. Unset the value and readable_value fields before updating the state.
+	if isWriteOnlyValue {
+		result.Token = types.StringNull()
+	}
 
 	if v.URL != "" {
 		result.URL = types.StringValue(v.URL)
@@ -196,7 +203,6 @@ func (r *resourceTFENotificationConfiguration) Schema(ctx context.Context, req r
 				Computed:    true,
 				Default:     booldefault.StaticBool(false),
 			},
-
 			"token": schema.StringAttribute{
 				Description: "A write-only secure token for the notification configuration, which can be used by the receiving server to verify request authenticity when configured for notification configurations with a destination type of `generic`. Defaults to `null`. This value _must not_ be provided if `destination_type` is `email`, `microsoft-teams`, or `slack`.",
 				Optional:    true,
@@ -206,9 +212,21 @@ func (r *resourceTFENotificationConfiguration) Schema(ctx context.Context, req r
 						"destination_type",
 						[]string{"email", "microsoft-teams", "slack"},
 					),
+					stringvalidator.ConflictsWith(path.MatchRoot("token_wo")),
+				},
+			},
+			"token_wo": schema.StringAttribute{
+				Optional:    true,
+				WriteOnly:   true,
+				Sensitive:   true,
+				Description: "Value of the token in write-only mode",
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("token")),
+				},
+				PlanModifiers: []planmodifier.String{
+					planmodifiers.NewReplaceForWriteOnlyStringValue("token_wo"),
 				},
 			},
-
 			"triggers": schema.SetAttribute{
 				Description: "The array of triggers for which this notification configuration will send notifications. If omitted, no notification triggers are configured.",
 				Optional:    true,
@@ -264,11 +282,15 @@ func (r *resourceTFENotificationConfiguration) Schema(ctx context.Context, req r
 
 // Create implements resource.Resource
 func (r *resourceTFENotificationConfiguration) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
-	var plan modelTFENotificationConfiguration
-
+	var plan, config modelTFENotificationConfiguration
 	// Read Terraform plan data into the model
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
 
+	diags := req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
@@ -280,13 +302,19 @@ func (r *resourceTFENotificationConfiguration) Create(ctx context.Context, req r
 		DestinationType: tfe.NotificationDestination(tfe.NotificationDestinationType(plan.DestinationType.ValueString())),
 		Enabled:         plan.Enabled.ValueBoolPointer(),
 		Name:            plan.Name.ValueStringPointer(),
-		Token:           plan.Token.ValueStringPointer(),
 		URL:             plan.URL.ValueStringPointer(),
 		SubscribableChoice: &tfe.NotificationConfigurationSubscribableChoice{
 			Workspace: &tfe.Workspace{ID: workspaceID},
 		},
 	}
 
+	// Set Value from `token_wo` if set, otherwise use the normal value
+	if !config.TokenWO.IsNull() {
+		options.Token = config.TokenWO.ValueStringPointer()
+	} else {
+		options.Token = plan.Token.ValueStringPointer()
+	}
+
 	// Add triggers set to the options struct
 	var triggers []types.String
 	if diags := plan.Triggers.ElementsAs(ctx, &triggers, true); diags != nil && diags.HasError() {
@@ -336,12 +364,20 @@ func (r *resourceTFENotificationConfiguration) Create(ctx context.Context, req r
 		nc.Token = plan.Token.ValueString()
 	}
 
-	result, diags := modelFromTFENotificationConfiguration(nc)
+	// We got a notification, so set state to new values
+	result, diags := modelFromTFENotificationConfiguration(nc, !config.TokenWO.IsNull())
 	if diags != nil && diags.HasError() {
 		resp.Diagnostics.Append((diags)...)
 		return
 	}
 
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.TokenWO)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
 	// Save data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 }
@@ -368,7 +404,13 @@ func (r *resourceTFENotificationConfiguration) Read(ctx context.Context, req res
 		nc.Token = state.Token.ValueString()
 	}
 
-	result, diags := modelFromTFENotificationConfiguration(nc)
+	isWriteOnly, diags := r.writeOnlyValueStore(resp.Private).PriorValueExists(ctx)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
+	}
+
+	result, diags := modelFromTFENotificationConfiguration(nc, isWriteOnly)
 	if diags != nil && diags.HasError() {
 		resp.Diagnostics.Append((diags)...)
 		return
@@ -380,15 +422,19 @@ func (r *resourceTFENotificationConfiguration) Read(ctx context.Context, req res
 
 // Update implements resource.Resource
 func (r *resourceTFENotificationConfiguration) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	var plan modelTFENotificationConfiguration
-	var state modelTFENotificationConfiguration
-
+	var plan, state, config modelTFENotificationConfiguration
 	// Read Terraform plan data into the model
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
-
+	if resp.Diagnostics.HasError() {
+		return
+	}
 	// Read Terraform prior state data into the model
 	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
-
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	// Read configuration data into the model
+	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
@@ -449,7 +495,14 @@ func (r *resourceTFENotificationConfiguration) Update(ctx context.Context, req r
 		nc.Token = plan.Token.ValueString()
 	}
 
-	result, diags := modelFromTFENotificationConfiguration(nc)
+	// Store the hashed write-only value in the private state
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.TokenWO)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	result, diags := modelFromTFENotificationConfiguration(nc, !config.TokenWO.IsNull())
 	if diags != nil && diags.HasError() {
 		resp.Diagnostics.Append((diags)...)
 		return
@@ -480,3 +533,7 @@ func (r *resourceTFENotificationConfiguration) Delete(ctx context.Context, req r
 func (r *resourceTFENotificationConfiguration) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
 	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), req.ID)...)
 }
+
+func (r *resourceTFENotificationConfiguration) writeOnlyValueStore(private helpers.PrivateState) *helpers.WriteOnlyValueStore {
+	return helpers.NewWriteOnlyValueStore(private, "token_wo")
+}

internal/provider/resource_tfe_notification_configuration_test.go

@@ -47,6 +47,40 @@ func TestAccTFENotificationConfiguration_basic(t *testing.T) {
 	})
 }
 
+func TestAccTFENotificationConfiguration_WriteOnly(t *testing.T) {
+	notificationConfiguration := &tfe.NotificationConfiguration{}
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { preCheckTFENotificationConfiguration(t) },
+		ProtoV5ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFENotificationConfigurationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccTFENotificationConfiguration_tokenAndTokenWriteOnly(rInt),
+				ExpectError: regexp.MustCompile(`Attribute "token_wo" cannot be specified when "token" is specified`),
+			},
+			{
+				Config: testAccTFENotificationConfiguration_tokenWriteOnly(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFENotificationConfigurationExists(
+						"tfe_notification_configuration.foobar", notificationConfiguration),
+					testAccCheckTFENotificationConfigurationAttributes(notificationConfiguration),
+					resource.TestCheckResourceAttr(
+						"tfe_notification_configuration.foobar", "destination_type", "generic"),
+					resource.TestCheckResourceAttr(
+						"tfe_notification_configuration.foobar", "name", "notification_basic"),
+					resource.TestCheckResourceAttr(
+						"tfe_notification_configuration.foobar", "triggers.#", "0"),
+					resource.TestCheckResourceAttr(
+						"tfe_notification_configuration.foobar", "url", runTasksURL()),
+					resource.TestCheckNoResourceAttr("tfe_notification_configuration.foobar", "token_wo"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccTFENotificationConfiguration_emailUserIDs(t *testing.T) {
 	notificationConfiguration := &tfe.NotificationConfiguration{}
 	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
@@ -816,6 +850,49 @@ resource "tfe_notification_configuration" "foobar" {
 }`, rInt, runTasksURL())
 }
 
+func testAccTFENotificationConfiguration_tokenWriteOnly(rInt int) string {
+	return fmt.Sprintf(`
+resource "tfe_organization" "foobar" {
+  name  = "tst-terraform-%d"
+  email = "[email protected]"
+}
+
+resource "tfe_workspace" "foobar" {
+  name         = "workspace-test"
+  organization = tfe_organization.foobar.id
+}
+
+resource "tfe_notification_configuration" "foobar" {
+  name             = "notification_basic"
+  destination_type = "generic"
+  token			   = "some-token"
+  url              = "%s"
+  workspace_id     = tfe_workspace.foobar.id
+}`, rInt, runTasksURL())
+}
+
+func testAccTFENotificationConfiguration_tokenAndTokenWriteOnly(rInt int) string {
+	return fmt.Sprintf(`
+resource "tfe_organization" "foobar" {
+  name  = "tst-terraform-%d"
+  email = "[email protected]"
+}
+
+resource "tfe_workspace" "foobar" {
+  name         = "workspace-test"
+  organization = tfe_organization.foobar.id
+}
+
+resource "tfe_notification_configuration" "foobar" {
+  name             = "notification_basic"
+  destination_type = "generic"
+  token 		   = "some-token"
+  token_wo		   = "some-token"
+  url              = "%s"
+  workspace_id     = tfe_workspace.foobar.id
+}`, rInt, runTasksURL())
+}
+
 func testAccTFENotificationConfiguration_emailUserIDs(rInt int) string {
 	return fmt.Sprintf(`
 resource "tfe_organization" "foobar" {

website/docs/r/notification_configuration.html.markdown

@@ -111,7 +111,7 @@ The following arguments are supported:
   if `destination_type` is `generic`, `microsoft-teams`, or `slack`.
 * `enabled` - (Optional) Whether the notification configuration should be enabled or not.
   Disabled configurations will not send any notifications. Defaults to `false`.
-* `token` - (Optional) A write-only secure token for the notification configuration, which can
+* `token` - (Optional) A token for the notification configuration, which can
   be used by the receiving server to verify request authenticity when configured for notification
   configurations with a destination type of `generic`. Defaults to `null`.
   This value _must not_ be provided if `destination_type` is `email`, `microsoft-teams`, or `slack`.
@@ -124,6 +124,8 @@ The following arguments are supported:
   is `email`.
 * `workspace_id` - (Required) The id of the workspace that owns the notification configuration.
 
+-> **Note:** Write-Only argument `token_wo` is available to use in place of `token`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/v1.11.x/resources/ephemeral#write-only-arguments).
+
 ## Attributes Reference
 
 * `id` - The ID of the notification configuration.