[IPL-7245] Fix OAuth Token ID updates not registering (#1631)

* [IPL-7245] Ensure `oauth_token_id` updates register when performing a `terraform apply`

This resolves the issue where when updating the `oauth_token_id`, `terraform apply` would have to be performed twice before to confirm the change in the state file. The first apply would perform the change on the server but would not register the change in the state file as expected.

* tests: use muxed provider factory

* chore: update changelog

---------

Co-authored-by: Chris Trombley <[email protected]>

Author: hashimoon

CHANGELOG.md

@@ -13,6 +13,9 @@ FEATURES:
 * **New Ephemeral Resource:** `agent_token` is a new ephemeral
   resource for creating and managing agent tokens, by @uturunku1 ([#1627](https://github.com/hashicorp/terraform-provider-tfe/pull/1627))
 
+BUG FIXES:
+* `r/tfe_oauth_client`: Ensure `oauth_token_id` updates register when performing a `terraform apply`, by @hashimoon [#1631](https://github.com/hashicorp/terraform-provider-tfe/pull/1631)
+
 ENHANCEMENTS:
 
 * resource/tfe_variable: Add `value_wo` write-only attribute, by @uturunku ([#1639](https://github.com/hashicorp/terraform-provider-tfe/pull/1639))

docs/testing.md

@@ -36,18 +36,19 @@ these values with the environment variables specified below:
 
 ##### Optional:
 1. `TFE_USER1` and `TFE_USER2`: The usernames of two pre-existing users on the HCP Terraform or Terraform Enterprise instance being used for testing. Required for running team membership tests.
-2. `GITHUB_TOKEN` - [GitHub personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). Used to establish a VCS provider connection.
-3. `GITHUB_POLICY_SET_IDENTIFIER` - GitHub policy set repository identifier in the format `username/repository`. Required for running policy set tests.
-4. `GITHUB_POLICY_SET_BRANCH`: A GitHub branch for the repository specified by `GITHUB_POLICY_SET_IDENTIFIER`. Required for running policy set tests.
-5. `GITHUB_POLICY_SET_PATH`: A GitHub subdirectory for the repository specified by `GITHUB_POLICY_SET_IDENTIFIER`. Required for running policy set tests.
-6. `GITHUB_REGISTRY_MODULE_IDENTIFIER` - GitHub registry module repository identifier in the format `username/repository`. Required for running registry module tests.
-7. `GITHUB_WORKSPACE_IDENTIFIER` - GitHub workspace repository identifier in the format `username/repository`. Required for running workspace tests.
-8. `GITHUB_WORKSPACE_BRANCH`: A GitHub branch for the repository specified by `GITHUB_WORKSPACE_IDENTIFIER`. Required for running workspace tests.
-9. `ENABLE_TFE` - Some tests cover features available only in HCP Terraform. To skip these tests when running against a Terraform Enterprise instance, set `ENABLE_TFE=1`.
-10. `RUN_TASKS_URL` - External URL to use for testing Run Tasks operations, for example `RUN_TASKS_URL=http://somewhere.local:8080/pass`. Required for running run tasks tests.
-11. `RUN_TASKS_HMAC` - The optional HMAC Key that should be used for Run Task operations. The default is no key.
-12. `GITHUB_APP_INSTALLATION_ID` - GitHub App installation internal id in the format `ghain-xxxxxxx`. Required for running any tests that use GitHub App VCS (workspace, policy sets, registry module).
-13. `GITHUB_APP_INSTALLATION_NAME` - GitHub App installation name. Required for running tfe_github_app_installation data source test.
+1. `GITHUB_TOKEN` - [GitHub personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). Used to establish a VCS provider connection.
+1. `GITHUB_TOKEN2` - [GitHub personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). Used to establish a secondary VCS provider connection.
+1. `GITHUB_POLICY_SET_IDENTIFIER` - GitHub policy set repository identifier in the format `username/repository`. Required for running policy set tests.
+1. `GITHUB_POLICY_SET_BRANCH`: A GitHub branch for the repository specified by `GITHUB_POLICY_SET_IDENTIFIER`. Required for running policy set tests.
+1. `GITHUB_POLICY_SET_PATH`: A GitHub subdirectory for the repository specified by `GITHUB_POLICY_SET_IDENTIFIER`. Required for running policy set tests.
+1. `GITHUB_REGISTRY_MODULE_IDENTIFIER` - GitHub registry module repository identifier in the format `username/repository`. Required for running registry module tests.
+1. `GITHUB_WORKSPACE_IDENTIFIER` - GitHub workspace repository identifier in the format `username/repository`. Required for running workspace tests.
+1. `GITHUB_WORKSPACE_BRANCH`: A GitHub branch for the repository specified by `GITHUB_WORKSPACE_IDENTIFIER`. Required for running workspace tests.
+1. `ENABLE_TFE` - Some tests cover features available only in HCP Terraform. To skip these tests when running against a Terraform Enterprise instance, set `ENABLE_TFE=1`.
+1. `RUN_TASKS_URL` - External URL to use for testing Run Tasks operations, for example `RUN_TASKS_URL=http://somewhere.local:8080/pass`. Required for running run tasks tests.
+1. `RUN_TASKS_HMAC` - The optional HMAC Key that should be used for Run Task operations. The default is no key.
+1. `GITHUB_APP_INSTALLATION_ID` - GitHub App installation internal id in the format `ghain-xxxxxxx`. Required for running any tests that use GitHub App VCS (workspace, policy sets, registry module).
+1. `GITHUB_APP_INSTALLATION_NAME` - GitHub App installation name. Required for running tfe_github_app_installation data source test.
 
 **Note:** In order to run integration tests for **Paid** features you will need a token `TFE_TOKEN` with HCP Terraform or Terraform Enterprise administrator privileges, otherwise the attempt to upgrade an organization's feature set will fail.
 

internal/provider/provider_test.go

@@ -264,6 +264,7 @@ func init() {
 	envGithubPolicySetPath = os.Getenv("GITHUB_POLICY_SET_PATH")
 	envGithubRegistryModuleIdentifer = os.Getenv("GITHUB_REGISTRY_MODULE_IDENTIFIER")
 	envGithubToken = os.Getenv("GITHUB_TOKEN")
+	envGithubToken2 = os.Getenv("GITHUB_TOKEN2")
 	envGithubAppInstallationID = os.Getenv("GITHUB_APP_INSTALLATION_ID")
 	envGithubAppInstallationName = os.Getenv("GITHUB_APP_INSTALLATION_NAME")
 	envGithubWorkspaceIdentifier = os.Getenv("GITHUB_WORKSPACE_IDENTIFIER")
@@ -277,6 +278,7 @@ var envGithubPolicySetBranch string
 var envGithubPolicySetPath string
 var envGithubRegistryModuleIdentifer string
 var envGithubToken string
+var envGithubToken2 string
 var envGithubAppInstallationID string
 var envGithubAppInstallationName string
 var envGithubWorkspaceIdentifier string

internal/provider/resource_tfe_oauth_client.go

@@ -181,6 +181,12 @@ func resourceTFEOAuthClientCreate(d *schema.ResourceData, meta interface{}) erro
 
 	d.SetId(oc.ID)
 
+	if len(oc.OAuthTokens) > 0 {
+		d.Set("oauth_token_id", oc.OAuthTokens[0].ID)
+	} else {
+		d.Set("oauth_token_id", "")
+	}
+
 	return resourceTFEOAuthClientRead(d, meta)
 }
 
@@ -238,6 +244,7 @@ func resourceTFEOAuthClientUpdate(d *schema.ResourceData, meta interface{}) erro
 	// Create a new options struct.
 	options := tfe.OAuthClientUpdateOptions{
 		OrganizationScoped: tfe.Bool(d.Get("organization_scoped").(bool)),
+		OAuthToken:         tfe.String(d.Get("oauth_token").(string)),
 	}
 
 	log.Printf("[DEBUG] Update OAuth client %s", d.Id())

internal/provider/resource_tfe_oauth_client_test.go

@@ -134,6 +134,60 @@ func TestAccTFEOAuthClient_agentPool(t *testing.T) {
 	})
 }
 
+func TestAccTFEOAuthClient_updateOAuthTokenID(t *testing.T) {
+	oc := &tfe.OAuthClient{}
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+	var initialOAuthTokenID string
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			if envGithubToken == "" {
+				t.Skip("Please set GITHUB_TOKEN to run this test")
+			}
+
+			if envGithubToken2 == "" {
+				t.Skip("Please set GITHUB_TOKEN2 to run this test")
+			}
+		},
+		ProtoV5ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFEOAuthClientDestroy,
+		Steps: []resource.TestStep{
+			// Step 1: Create with the initial oauth_token_id.
+			{
+				Config: testAccTFEOAuthClient_updateOAuthTokenID(rInt, envGithubToken),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEOAuthClientExists("tfe_oauth_client.foobar", oc),
+					resource.TestCheckResourceAttrSet("tfe_oauth_client.foobar", "oauth_token_id"),
+					func(s *terraform.State) error {
+						initialOAuthTokenID = oc.OAuthTokens[0].ID
+						return nil
+					},
+				),
+			},
+			// Step 2: Update the oauth_token_id value.
+			{
+				Config: testAccTFEOAuthClient_updateOAuthTokenID(rInt, envGithubToken2),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEOAuthClientExists("tfe_oauth_client.foobar", oc),
+					resource.TestCheckResourceAttrSet("tfe_oauth_client.foobar", "oauth_token_id"),
+					func(s *terraform.State) error {
+						if initialOAuthTokenID == oc.OAuthTokens[0].ID {
+							return fmt.Errorf("oauth_token_id did not change")
+						}
+						return nil
+					},
+				),
+			},
+			// Step 3: Run a plan-only step to ensure no changes.
+			{
+				Config:   testAccTFEOAuthClient_updateOAuthTokenID(rInt, envGithubToken2),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 func testAccCheckTFEOAuthClientExists(
 	n string, oc *tfe.OAuthClient) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -260,3 +314,19 @@ resource "tfe_oauth_client" "foobar" {
   agent_pool_id    = data.tfe_agent_pool.foobar.id
 }`, envGithubToken)
 }
+
+func testAccTFEOAuthClient_updateOAuthTokenID(rInt int, oAuthToken string) string {
+	return fmt.Sprintf(`
+resource "tfe_organization" "foobar" {
+  name  = "tst-terraform-%d"
+  email = "[email protected]"
+}
+resource "tfe_oauth_client" "foobar" {
+  organization     = tfe_organization.foobar.id
+  api_url          = "https://api.github.com"
+  http_url         = "https://github.com"
+  oauth_token      = "%s"
+  service_provider = "github"
+  organization_scoped = true
+}`, rInt, oAuthToken)
+}