refactor: equip meshstack_integration with proper secret handling

Author: grubmeshi

client/integration.go

@@ -4,24 +4,21 @@ import (
 	"context"
 
 	"github.com/meshcloud/terraform-provider-meshstack/client/internal"
-	"github.com/meshcloud/terraform-provider-meshstack/client/types"
 )
 
 type MeshIntegration struct {
-	ApiVersion string                  `json:"apiVersion"`
-	Kind       string                  `json:"kind"`
-	Metadata   MeshIntegrationMetadata `json:"metadata"`
-	Spec       MeshIntegrationSpec     `json:"spec"`
-	Status     *MeshIntegrationStatus  `json:"status"`
+	ApiVersion string                  `json:"apiVersion" tfsdk:"-"`
+	Kind       string                  `json:"kind" tfsdk:"-"`
+	Metadata   MeshIntegrationMetadata `json:"metadata" tfsdk:"metadata"`
+	Spec       MeshIntegrationSpec     `json:"spec" tfsdk:"spec"`
+	Status     *MeshIntegrationStatus  `json:"status" tfsdk:"status"`
 }
 
-type MeshIntegrationMetadataAdapter[String any] struct {
-	Uuid             String `json:"uuid,omitempty" tfsdk:"uuid"`
-	OwnedByWorkspace string `json:"ownedByWorkspace" tfsdk:"owned_by_workspace"`
+type MeshIntegrationMetadata struct {
+	Uuid             *string `json:"uuid,omitempty" tfsdk:"uuid"`
+	OwnedByWorkspace string  `json:"ownedByWorkspace" tfsdk:"owned_by_workspace"`
 }
 
-type MeshIntegrationMetadata = MeshIntegrationMetadataAdapter[*types.String]
-
 type MeshIntegrationSpec struct {
 	DisplayName string                `json:"displayName" tfsdk:"display_name"`
 	Config      MeshIntegrationConfig `json:"config" tfsdk:"config"`

client/integration_config.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"reflect"
 
+	"github.com/meshcloud/terraform-provider-meshstack/client/types"
 	"github.com/meshcloud/terraform-provider-meshstack/client/types/enum"
 )
 
@@ -21,7 +22,7 @@ type MeshIntegrationGithubConfig struct {
 	Owner         string                 `json:"owner" tfsdk:"owner"`
 	BaseUrl       string                 `json:"baseUrl" tfsdk:"base_url"`
 	AppId         string                 `json:"appId" tfsdk:"app_id"`
-	AppPrivateKey string                 `json:"appPrivateKey" tfsdk:"app_private_key"`
+	AppPrivateKey types.Secret           `json:"appPrivateKey" tfsdk:"app_private_key"`
 	RunnerRef     BuildingBlockRunnerRef `json:"runnerRef" tfsdk:"runner_ref"`
 }
 
@@ -33,7 +34,7 @@ type MeshIntegrationGitlabConfig struct {
 type MeshIntegrationAzureDevopsConfig struct {
 	BaseUrl             string                 `json:"baseUrl" tfsdk:"base_url"`
 	Organization        string                 `json:"organization" tfsdk:"organization"`
-	PersonalAccessToken string                 `json:"personalAccessToken" tfsdk:"personal_access_token"`
+	PersonalAccessToken types.Secret           `json:"personalAccessToken" tfsdk:"personal_access_token"`
 	RunnerRef           BuildingBlockRunnerRef `json:"runnerRef" tfsdk:"runner_ref"`
 }
 

docs/data-sources/integrations.md

@@ -113,13 +113,24 @@ Optional:
 <a id="nestedatt--integrations--spec--config--azuredevops"></a>
 ### Nested Schema for `integrations.spec.config.azuredevops`
 
+Required:
+
+- `personal_access_token` (Attributes) (see [below for nested schema](#nestedatt--integrations--spec--config--azuredevops--personal_access_token))
+
 Read-Only:
 
 - `base_url` (String)
 - `organization` (String)
-- `personal_access_token` (String)
 - `runner_ref` (Attributes) (see [below for nested schema](#nestedatt--integrations--spec--config--azuredevops--runner_ref))
 
+<a id="nestedatt--integrations--spec--config--azuredevops--personal_access_token"></a>
+### Nested Schema for `integrations.spec.config.azuredevops.personal_access_token`
+
+Read-Only:
+
+- `secret_hash` (String) Hash value of the secret stored in the backend. If this hash has changed without changes in the version attribute, the secret was changed externally.
+
+
 <a id="nestedatt--integrations--spec--config--azuredevops--runner_ref"></a>
 ### Nested Schema for `integrations.spec.config.azuredevops.runner_ref`
 
@@ -133,14 +144,25 @@ Read-Only:
 <a id="nestedatt--integrations--spec--config--github"></a>
 ### Nested Schema for `integrations.spec.config.github`
 
+Required:
+
+- `app_private_key` (Attributes) (see [below for nested schema](#nestedatt--integrations--spec--config--github--app_private_key))
+
 Read-Only:
 
 - `app_id` (String)
-- `app_private_key` (String)
 - `base_url` (String)
 - `owner` (String)
 - `runner_ref` (Attributes) (see [below for nested schema](#nestedatt--integrations--spec--config--github--runner_ref))
 
+<a id="nestedatt--integrations--spec--config--github--app_private_key"></a>
+### Nested Schema for `integrations.spec.config.github.app_private_key`
+
+Read-Only:
+
+- `secret_hash` (String) Hash value of the secret stored in the backend. If this hash has changed without changes in the version attribute, the secret was changed externally.
+
+
 <a id="nestedatt--integrations--spec--config--github--runner_ref"></a>
 ### Nested Schema for `integrations.spec.config.github.runner_ref`
 

docs/resources/integration.md

@@ -25,19 +25,14 @@ resource "meshstack_integration" "example_github" {
         owner           = "my-org"
         base_url        = "https://github.com"
         app_id          = "123456"
-        app_private_key = "-----BEGIN RSA PRIVATE KEY-----\nMOCK_KEY_CONTENT\n-----END RSA PRIVATE KEY-----"
+        app_private_key = { value = "-----BEGIN RSA PRIVATE KEY-----\nMOCK_KEY_CONTENT\n-----END RSA PRIVATE KEY-----" }
         runner_ref = {
           uuid = "dc8c57a1-823f-4e96-8582-0275fa27dc7b"
         }
       }
     }
   }
 }
-
-# Access workload identity federation for GCP
-output "github_wif_gcp_audience" {
-  value = meshstack_integration.example_github.status.workload_identity_federation.gcp.audience
-}
 ```
 
 ```terraform
@@ -50,9 +45,11 @@ resource "meshstack_integration" "example_azure_devops" {
     display_name = "Azure DevOps Integration"
     config = {
       azuredevops = {
-        base_url              = "https://dev.azure.com"
-        organization          = "my-organization"
-        personal_access_token = "mock-pat-token-12345"
+        base_url     = "https://dev.azure.com"
+        organization = "my-organization"
+        personal_access_token = {
+          value = "mock-pat-token-12345"
+        }
         runner_ref = {
           uuid = "05cfa85f-2818-4bdd-b193-620e0187d7de"
         }
@@ -130,9 +127,12 @@ Required:
 
 - `base_url` (String) Base URL of the Azure DevOps instance (e.g., `https://dev.azure.com`).
 - `organization` (String) Azure DevOps organization name.
-- `personal_access_token` (String) Personal Access Token (PAT) for authentication. This is a sensitive value.
 - `runner_ref` (Attributes) Reference to the building block runner that executes Azure DevOps pipelines. (see [below for nested schema](#nestedatt--spec--config--azuredevops--runner_ref))
 
+Optional:
+
+- `personal_access_token` (Attributes) Personal Access Token (PAT) for authentication. (see [below for nested schema](#nestedatt--spec--config--azuredevops--personal_access_token))
+
 <a id="nestedatt--spec--config--azuredevops--runner_ref"></a>
 ### Nested Schema for `spec.config.azuredevops.runner_ref`
 
@@ -145,18 +145,50 @@ Read-Only:
 - `kind` (String) Kind of the runner reference.
 
 
+<a id="nestedatt--spec--config--azuredevops--personal_access_token"></a>
+### Nested Schema for `spec.config.azuredevops.personal_access_token`
+
+Required:
+
+- `value` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Personal Access Token (PAT) for authentication.
+
+Optional:
+
+- `fingerprint` (String) Fingerprint of the secret value. Change this to trigger rotation of the associated write-only attribute `value`. Can be omitted if resource is imported, in this case the hash is used as an initial fingerprint (computed output).
+
+Read-Only:
+
+- `hash` (String) Hash value of the secret stored in the backend. If this hash has changed without changes in the version attribute, the secret was changed externally.
+
+
 
 <a id="nestedatt--spec--config--github"></a>
 ### Nested Schema for `spec.config.github`
 
 Required:
 
 - `app_id` (String) GitHub App ID for authentication.
-- `app_private_key` (String) Private key for the GitHub App. This is a sensitive value.
+- `app_private_key` (Attributes) Private key for the GitHub App. (see [below for nested schema](#nestedatt--spec--config--github--app_private_key))
 - `base_url` (String) Base URL of the GitHub instance (e.g., `https://github.com` for GitHub.com or your GitHub Enterprise URL).
 - `owner` (String) GitHub organization or user that owns the repositories.
 - `runner_ref` (Attributes) Reference to the building block runner that executes GitHub workflows. (see [below for nested schema](#nestedatt--spec--config--github--runner_ref))
 
+<a id="nestedatt--spec--config--github--app_private_key"></a>
+### Nested Schema for `spec.config.github.app_private_key`
+
+Required:
+
+- `value` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Private key for the GitHub App.
+
+Optional:
+
+- `fingerprint` (String) Fingerprint of the secret value. Change this to trigger rotation of the associated write-only attribute `value`. Can be omitted if resource is imported, in this case the hash is used as an initial fingerprint (computed output).
+
+Read-Only:
+
+- `hash` (String) Hash value of the secret stored in the backend. If this hash has changed without changes in the version attribute, the secret was changed externally.
+
+
 <a id="nestedatt--spec--config--github--runner_ref"></a>
 ### Nested Schema for `spec.config.github.runner_ref`
 

examples/resources/meshstack_integration/resource_01_github.tf

@@ -10,16 +10,11 @@ resource "meshstack_integration" "example_github" {
         owner           = "my-org"
         base_url        = "https://github.com"
         app_id          = "123456"
-        app_private_key = "-----BEGIN RSA PRIVATE KEY-----\nMOCK_KEY_CONTENT\n-----END RSA PRIVATE KEY-----"
+        app_private_key = { secret_value = "-----BEGIN RSA PRIVATE KEY-----\nMOCK_KEY_CONTENT\n-----END RSA PRIVATE KEY-----" }
         runner_ref = {
           uuid = "dc8c57a1-823f-4e96-8582-0275fa27dc7b"
         }
       }
     }
   }
 }
-
-# Access workload identity federation for GCP
-output "github_wif_gcp_audience" {
-  value = meshstack_integration.example_github.status.workload_identity_federation.gcp.audience
-}

examples/resources/meshstack_integration/resource_02_azure_devops.tf

@@ -7,9 +7,11 @@ resource "meshstack_integration" "example_azure_devops" {
     display_name = "Azure DevOps Integration"
     config = {
       azuredevops = {
-        base_url              = "https://dev.azure.com"
-        organization          = "my-organization"
-        personal_access_token = "mock-pat-token-12345"
+        base_url     = "https://dev.azure.com"
+        organization = "my-organization"
+        personal_access_token = {
+          secret_value = "mock-pat-token-12345"
+        }
         runner_ref = {
           uuid = "05cfa85f-2818-4bdd-b193-620e0187d7de"
         }

internal/clientmock/mock_integration.go

@@ -26,22 +26,9 @@ func (m MeshIntegrationClient) Create(_ context.Context, integration client.Mesh
 		Spec: integration.Spec,
 		Status: &client.MeshIntegrationStatus{
 			IsBuiltIn: false,
-			WorkloadIdentityFederation: &client.MeshWorkloadIdentityFederation{
-				Issuer:  "https://meshstack.example.com",
-				Subject: "integration:" + integrationUuid,
-				Gcp: &client.MeshWifProvider{
-					Audience: "gcp-audience",
-				},
-				Aws: &client.MeshAwsWifProvider{
-					Audience:   "aws-audience",
-					Thumbprint: "abc123",
-				},
-				Azure: &client.MeshWifProvider{
-					Audience: "azure-audience",
-				},
-			},
 		},
 	}
+	backendSecretBehavior(true, created, nil)
 	m.Store[integrationUuid] = created
 	return created, nil
 }