Add write only token_wo attribute to tfe_team_notification_configuration (#1665)

* Resource changes

* Implement test

* Update CHANGELOG.md

* use lastValue approach

* Revert "use lastValue approach"

This reverts commit 1881650.

* Fix failing test cases

* Resource changes

* Implement test

* Update CHANGELOG.md

* use lastValue approach

* Revert "use lastValue approach"

This reverts commit 1881650.

* Fix failing test cases

* add last value

* Update internal/provider/resource_tfe_team_notification_configuration.go

Co-authored-by: Chris Trombley <[email protected]>

* Update team_notification_configuration.html.markdown

* address comments

---------

Co-authored-by: Chris Trombley <[email protected]>

Author: shwetamurali

CHANGELOG.md

@@ -33,6 +33,8 @@ ENHANCEMENTS:
 * resource/tfe_saml_settings: Add `private_key_wo` write-only attribute, by @uturunku1 ([#1660](https://github.com/hashicorp/terraform-provider-tfe/pull/1660))
 
 * resource/tfe_ssh_key: Add `key_wo` write-only attribute, by @ctrombley ([#1659](https://github.com/hashicorp/terraform-provider-tfe/pull/1659))
+
+* resource/tfe_team_notification_configuration: Add `token_wo` write-only attribute, by @shwetamurali ([#1665](https://github.com/hashicorp/terraform-provider-tfe/pull/1665))
 
 * resource/tfe_notification_configuration: Add `token_wo` write-only attribute, by @uturunku1 ([#1664](https://github.com/hashicorp/terraform-provider-tfe/pull/1664))
 

internal/provider/resource_tfe_team_notification_configuration.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	tfe "github.com/hashicorp/go-tfe"
@@ -21,6 +22,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 	"github.com/hashicorp/terraform-provider-tfe/internal/provider/validators"
 )
 
@@ -53,25 +56,28 @@ type modelTFETeamNotificationConfiguration struct {
 	Triggers        types.Set    `tfsdk:"triggers"`
 	URL             types.String `tfsdk:"url"`
 	TeamID          types.String `tfsdk:"team_id"`
+	TokenWO         types.String `tfsdk:"token_wo"`
 }
 
 // modelFromTFETeamNotificationConfiguration builds a modelTFETeamNotificationConfiguration
 // struct from a tfe.TeamNotificationConfiguration value.
-func modelFromTFETeamNotificationConfiguration(v *tfe.NotificationConfiguration) (*modelTFETeamNotificationConfiguration, *diag.Diagnostics) {
+func modelFromTFETeamNotificationConfiguration(v *tfe.NotificationConfiguration, isWriteOnly bool, lastValue types.String) (*modelTFETeamNotificationConfiguration, diag.Diagnostics) {
+	var diags diag.Diagnostics
 	result := modelTFETeamNotificationConfiguration{
 		ID:              types.StringValue(v.ID),
 		Name:            types.StringValue(v.Name),
 		DestinationType: types.StringValue(string(v.DestinationType)),
 		Enabled:         types.BoolValue(v.Enabled),
 		TeamID:          types.StringValue(v.SubscribableChoice.Team.ID),
+		Token:           types.StringValue(""),
 	}
 
 	if len(v.EmailAddresses) == 0 {
 		result.EmailAddresses = types.SetNull(types.StringType)
 	} else {
 		emailAddresses, diags := types.SetValueFrom(ctx, types.StringType, v.EmailAddresses)
 		if diags != nil && diags.HasError() {
-			return nil, &diags
+			return nil, diags
 		}
 		result.EmailAddresses = emailAddresses
 	}
@@ -81,7 +87,7 @@ func modelFromTFETeamNotificationConfiguration(v *tfe.NotificationConfiguration)
 	} else {
 		triggers, diags := types.SetValueFrom(ctx, types.StringType, v.Triggers)
 		if diags != nil && diags.HasError() {
-			return nil, &diags
+			return nil, diags
 		}
 
 		result.Triggers = triggers
@@ -98,15 +104,19 @@ func modelFromTFETeamNotificationConfiguration(v *tfe.NotificationConfiguration)
 		result.EmailUserIDs = types.SetValueMust(types.StringType, emailUserIDs)
 	}
 
-	if v.Token != "" {
-		result.Token = types.StringValue(v.Token)
+	if lastValue.String() != "" {
+		result.Token = lastValue
+	}
+
+	if isWriteOnly {
+		result.Token = types.StringNull()
 	}
 
 	if v.URL != "" {
 		result.URL = types.StringValue(v.URL)
 	}
 
-	return &result, nil
+	return &result, diags
 }
 
 func (r *resourceTFETeamNotificationConfiguration) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
@@ -186,6 +196,25 @@ func (r *resourceTFETeamNotificationConfiguration) Schema(ctx context.Context, r
 						"destination_type",
 						[]string{"email", "microsoft-teams", "slack"},
 					),
+					stringvalidator.ConflictsWith(path.MatchRoot("token_wo")),
+					stringvalidator.PreferWriteOnlyAttribute(path.MatchRoot("token_wo")),
+				},
+			},
+
+			"token_wo": schema.StringAttribute{
+				Description: "A write-only secure token for the notification configuration, guaranteed not to be written to plan or state artifacts.",
+				Optional:    true,
+				WriteOnly:   true,
+				Sensitive:   true,
+				Validators: []validator.String{
+					validators.AttributeValueConflictValidator(
+						"destination_type",
+						[]string{"email", "microsoft-teams", "slack"},
+					),
+					stringvalidator.ConflictsWith(path.MatchRoot("token")),
+				},
+				PlanModifiers: []planmodifier.String{
+					planmodifiers.NewReplaceForWriteOnlyStringValue("token_wo"),
 				},
 			},
 
@@ -250,10 +279,11 @@ func (r *resourceTFETeamNotificationConfiguration) Configure(ctx context.Context
 }
 
 func (r *resourceTFETeamNotificationConfiguration) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
-	var plan modelTFETeamNotificationConfiguration
+	var plan, config modelTFETeamNotificationConfiguration
 
-	// Read Terraform plan data into the model
+	// Read Terraform plan and config data into the model
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
 
 	if resp.Diagnostics.HasError() {
 		return
@@ -267,13 +297,20 @@ func (r *resourceTFETeamNotificationConfiguration) Create(ctx context.Context, r
 		DestinationType: tfe.NotificationDestination(tfe.NotificationDestinationType(plan.DestinationType.ValueString())),
 		Enabled:         plan.Enabled.ValueBoolPointer(),
 		Name:            plan.Name.ValueStringPointer(),
-		Token:           plan.Token.ValueStringPointer(),
 		URL:             plan.URL.ValueStringPointer(),
 		SubscribableChoice: &tfe.NotificationConfigurationSubscribableChoice{
 			Team: &tfe.Team{ID: teamID},
 		},
 	}
 
+	// Set Token from `token_wo` if set, otherwise use the normal value
+	isWriteOnly := !config.TokenWO.IsNull()
+	if isWriteOnly {
+		options.Token = config.TokenWO.ValueStringPointer()
+	} else {
+		options.Token = plan.Token.ValueStringPointer()
+	}
+
 	// Add triggers set to the options struct
 	var triggers []types.String
 	if diags := plan.Triggers.ElementsAs(ctx, &triggers, true); diags != nil && diags.HasError() {
@@ -323,9 +360,18 @@ func (r *resourceTFETeamNotificationConfiguration) Create(ctx context.Context, r
 		tnc.Token = plan.Token.ValueString()
 	}
 
-	result, diags := modelFromTFETeamNotificationConfiguration(tnc)
-	if diags != nil && diags.HasError() {
-		resp.Diagnostics.Append((*diags)...)
+	result, diags := modelFromTFETeamNotificationConfiguration(tnc, isWriteOnly, plan.Token)
+	if diags.HasError() {
+		resp.Diagnostics.Append(diags...)
+		return
+	}
+
+	// Write the hashed private token to the state if it was provided
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.TokenWO)...)
+
+	if diags.HasError() {
+		resp.Diagnostics.Append((diags)...)
 		return
 	}
 
@@ -346,18 +392,25 @@ func (r *resourceTFETeamNotificationConfiguration) Read(ctx context.Context, req
 	tflog.Debug(ctx, fmt.Sprintf("Reading team notification configuration %q", state.ID.ValueString()))
 	tnc, err := r.config.Client.NotificationConfigurations.Read(ctx, state.ID.ValueString())
 	if err != nil {
-		resp.Diagnostics.AddError("Unable to read team notification configuration", err.Error())
+		if errors.Is(err, tfe.ErrResourceNotFound) {
+			tflog.Debug(ctx, fmt.Sprintf("`Notification configuration %s no longer exists", state.ID))
+			resp.State.RemoveResource(ctx)
+		} else {
+			resp.Diagnostics.AddError("Error reading notification configuration", "Could not read notification configuration, unexpected error: "+err.Error())
+		}
 		return
 	}
 
-	// Restore token from state because it is write only
-	if !state.Token.IsNull() {
-		tnc.Token = state.Token.ValueString()
+	// Check if the parameter is write-only
+	isWriteOnly, diags := r.writeOnlyValueStore(resp.Private).PriorValueExists(ctx)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
 	}
 
-	result, diags := modelFromTFETeamNotificationConfiguration(tnc)
-	if diags != nil && diags.HasError() {
-		resp.Diagnostics.Append((*diags)...)
+	result, diags := modelFromTFETeamNotificationConfiguration(tnc, isWriteOnly, state.Token)
+	if diags.HasError() {
+		resp.Diagnostics.Append(diags...)
 		return
 	}
 
@@ -368,6 +421,7 @@ func (r *resourceTFETeamNotificationConfiguration) Read(ctx context.Context, req
 func (r *resourceTFETeamNotificationConfiguration) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
 	var plan modelTFETeamNotificationConfiguration
 	var state modelTFETeamNotificationConfiguration
+	var config modelTFETeamNotificationConfiguration
 
 	// Read Terraform plan data into the model
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
@@ -430,17 +484,16 @@ func (r *resourceTFETeamNotificationConfiguration) Update(ctx context.Context, r
 		return
 	}
 
-	// Restore token from plan because it is write only
-	if !plan.Token.IsNull() {
-		tnc.Token = plan.Token.ValueString()
-	}
-
-	result, diags := modelFromTFETeamNotificationConfiguration(tnc)
-	if diags != nil && diags.HasError() {
-		resp.Diagnostics.Append((*diags)...)
+	result, diags := modelFromTFETeamNotificationConfiguration(tnc, !config.TokenWO.IsNull(), plan.Token)
+	if diags.HasError() {
+		resp.Diagnostics.Append((diags)...)
 		return
 	}
 
+	// Write the hashed private key to the state if it was provided
+	store := r.writeOnlyValueStore(resp.Private)
+	resp.Diagnostics.Append(store.SetPriorValue(ctx, config.TokenWO)...)
+
 	// Save data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 }
@@ -466,3 +519,7 @@ func (r *resourceTFETeamNotificationConfiguration) Delete(ctx context.Context, r
 func (r *resourceTFETeamNotificationConfiguration) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
 	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), req.ID)...)
 }
+
+func (r *resourceTFETeamNotificationConfiguration) writeOnlyValueStore(private helpers.PrivateState) *helpers.WriteOnlyValueStore {
+	return helpers.NewWriteOnlyValueStore(private, "token_wo")
+}

internal/provider/resource_tfe_team_notification_configuration_test.go

@@ -10,8 +10,11 @@ import (
 	"testing"
 
 	"github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/terraform-plugin-testing/compare"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestAccTFETeamNotificationConfiguration_basic(t *testing.T) {
@@ -926,6 +929,72 @@ func testAccCheckTFETeamNotificationConfigurationDestroy(s *terraform.State) err
 	return nil
 }
 
+func TestAccTFETeamNotificationConfiguration_tokenWO(t *testing.T) {
+	skipUnlessBeta(t)
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	org, cleanupOrg := createPlusOrganization(t, tfeClient)
+	t.Cleanup(cleanupOrg)
+
+	// Create the value comparer so we can add state values to it during the test steps
+	compareValuesDiffer := statecheck.CompareValue(compare.ValuesDiffer())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { preCheckTFETeamNotificationConfiguration(t) },
+		ProtoV5ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFETeamNotificationConfigurationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccTFETeamNotificationConfiguration_tokenAndTokenWO(org.Name),
+				ExpectError: regexp.MustCompile(`Attribute "token_wo" cannot be specified when "token" is specified`),
+			},
+			{
+				Config: testAccTFETeamNotificationConfiguration_tokenWO(org.Name, "1234567890"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("tfe_team_notification_configuration.foobar", "token"),
+					resource.TestCheckNoResourceAttr("tfe_team_notification_configuration.foobar", "token_wo"),
+				),
+				// Register the id with the value comparer so we can assert that the
+				// resource has been replaced in the next step.
+				ConfigStateChecks: []statecheck.StateCheck{
+					compareValuesDiffer.AddStateValue(
+						"tfe_team_notification_configuration.foobar", tfjsonpath.New("id"),
+					),
+				},
+			},
+			{
+				Config: testAccTFETeamNotificationConfiguration_tokenWO(org.Name, "12345678901"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("tfe_team_notification_configuration.foobar", "token"),
+					resource.TestCheckNoResourceAttr("tfe_team_notification_configuration.foobar", "token_wo"),
+				),
+				// Register the id with the value comparer so we can assert that the
+				// resource has been replaced in the next step.
+				ConfigStateChecks: []statecheck.StateCheck{
+					compareValuesDiffer.AddStateValue(
+						"tfe_team_notification_configuration.foobar", tfjsonpath.New("id"),
+					),
+				},
+			},
+			{
+				Config: testAccTFETeamNotificationConfiguration_token(org.Name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("tfe_team_notification_configuration.foobar", "token", "1234567890"),
+				),
+				// Ensure that the resource has been replaced
+				ConfigStateChecks: []statecheck.StateCheck{
+					compareValuesDiffer.AddStateValue(
+						"tfe_team_notification_configuration.foobar", tfjsonpath.New("id"),
+					),
+				},
+			},
+		},
+	})
+}
+
 func testAccTFETeamNotificationConfiguration_basic(orgName string) string {
 	return fmt.Sprintf(`
 data "tfe_organization" "foobar" {
@@ -1360,6 +1429,67 @@ resource "tfe_team_notification_configuration" "foobar" {
 }`, orgName, runTasksURL())
 }
 
+func testAccTFETeamNotificationConfiguration_token(orgName string) string {
+	return fmt.Sprintf(`
+data "tfe_organization" "foobar" {
+  name = "%s"
+}
+
+resource "tfe_team" "foobar" {
+  name         = "team-test"
+  organization = data.tfe_organization.foobar.name
+}
+
+resource "tfe_team_notification_configuration" "foobar" {
+  name             = "notification_tokenWO_test"
+  destination_type = "generic"
+  url 			   = "%s"
+  token            = "1234567890"
+  team_id          = tfe_team.foobar.id
+}`, orgName, runTasksURL())
+}
+
+func testAccTFETeamNotificationConfiguration_tokenWO(orgName string, token string) string {
+	return fmt.Sprintf(`
+data "tfe_organization" "foobar" {
+  name = "%s"
+}
+
+resource "tfe_team" "foobar" {
+  name         = "team-test"
+  organization = data.tfe_organization.foobar.name
+}
+
+resource "tfe_team_notification_configuration" "foobar" {
+  name             = "notification_tokenWO_test"
+  destination_type = "generic"
+  url 			   = "%s"
+  token_wo         = "%s"
+  team_id          = tfe_team.foobar.id
+}`, orgName, runTasksURL(), token)
+}
+
+func testAccTFETeamNotificationConfiguration_tokenAndTokenWO(orgName string) string {
+	return fmt.Sprintf(`
+data "tfe_organization" "foobar" {
+  name = "%s"
+}
+
+resource "tfe_team" "foobar" {
+  name         = "team-test"
+  organization = data.tfe_organization.foobar.name
+}
+
+resource "tfe_team_notification_configuration" "foobar" {
+  name             = "notification_tokenWO_test"
+  destination_type = "generic"
+  url 			   = "%s"
+  token            = "1234567890"
+  token_wo         = "1234567890"
+  team_id          = tfe_team.foobar.id
+}`, orgName, runTasksURL())
+}
+
 func preCheckTFETeamNotificationConfiguration(t *testing.T) {
 	testAccPreCheck(t)