fix: handle obfusctated secrets in meshPlatform Azure Type

j0g3sc · j0g3sc · commit ceac56b40e34 · 2025-10-22T09:31:19.000+02:00
CU-86c63jkw8
diff --git a/docs/resources/platform.md b/docs/resources/platform.md
@@ -237,7 +237,7 @@ Optional:
 
 Optional:
 
-- `access_token` (String) The Access Token of the service account for replicator access.
+- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
 - `administrative_unit_id` (String) If you enter an administrative unit ID the replicated (and potentially existing) groups will be put into this AU. This can be used to limit the permission scopes which are required for the replicator principal. If you remove the AU ID again or change it, the groups will not be removed from the old AU.
 - `aks_cluster_name` (String) Name of the AKS cluster.
 - `aks_resource_group` (String) Resource group for the AKS cluster
diff --git a/internal/provider/platform_resource.go b/internal/provider/platform_resource.go
@@ -350,8 +350,6 @@ func openShiftPlatformSchema() schema.Attribute {
 	}
 }
 
-// TODO review done until here
-
 func aksReplicationConfigSchema() schema.Attribute {
 	return schema.SingleNestedAttribute{
 		MarkdownDescription: "Replication configuration for AKS (optional, but required for replication)",
@@ -360,6 +358,7 @@ func aksReplicationConfigSchema() schema.Attribute {
 			"access_token": schema.StringAttribute{
 				MarkdownDescription: "The Access Token of the service account for replicator access.",
 				Optional:            true,
+				Sensitive:           true,
 			},
 			"namespace_name_pattern": schema.StringAttribute{
 				MarkdownDescription: "Pattern for naming namespaces in AKS",
@@ -812,8 +811,6 @@ func azureReplicationConfigSchema() schema.Attribute {
 	}
 }
 
-// TODO continue here.
-
 func azureRgReplicationConfigSchema() schema.Attribute {
 	return schema.SingleNestedAttribute{
 		MarkdownDescription: "Azure Resource Group-specific replication configuration for the platform.",
@@ -1053,8 +1050,6 @@ func kubernetesReplicationConfigSchema() schema.Attribute {
 	}
 }
 
-// TODO continue here.
-
 func openShiftReplicationConfigSchema() schema.Attribute {
 	return schema.SingleNestedAttribute{
 		MarkdownDescription: "Replication configuration for OpenShift (optional, but required for replication)",
@@ -1155,6 +1150,8 @@ func (r *platformResource) Create(ctx context.Context, req resource.CreateReques
 		return
 	}
 
+	handleObfuscatedSecrets(&createdPlatform.Spec.Config, &platform.Spec.Config, resp.Diagnostics)
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, createdPlatform)...)
 }
 
@@ -1163,7 +1160,7 @@ func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, r
 	var uuid string
 	resp.Diagnostics.Append(req.State.GetAttribute(ctx, path.Root("metadata").AtName("uuid"), &uuid)...)
 
-	platform, err := r.client.ReadPlatform(uuid)
+	readPlatform, err := r.client.ReadPlatform(uuid)
 	if err != nil {
 		resp.Diagnostics.AddError(
 			fmt.Sprintf("Could not read platform with UUID '%s'", uuid),
@@ -1172,14 +1169,21 @@ func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, r
 		return
 	}
 
-	if platform == nil {
+	if readPlatform == nil {
 		// The platform was deleted outside of Terraform, so we remove it from the state
 		resp.State.RemoveResource(ctx)
 		return
 	}
 
-	// client data maps directly to the schema so we just need to set the state
-	resp.Diagnostics.Append(resp.State.Set(ctx, platform)...)
+	statePlatformSpec := client.MeshPlatformSpec{}
+	req.State.GetAttribute(ctx, path.Root("spec"), &statePlatformSpec)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	handleObfuscatedSecrets(&readPlatform.Spec.Config, &statePlatformSpec.Config, resp.Diagnostics)
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, readPlatform)...)
 }
 
 func (r *platformResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
@@ -1220,6 +1224,8 @@ func (r *platformResource) Update(ctx context.Context, req resource.UpdateReques
 		return
 	}
 
+	handleObfuscatedSecrets(&updatedPlatform.Spec.Config, &platform.Spec.Config, resp.Diagnostics)
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, updatedPlatform)...)
 }
 
diff --git a/internal/provider/platform_resource_obfuscationhandling.go b/internal/provider/platform_resource_obfuscationhandling.go
@@ -0,0 +1,125 @@
+package provider
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/meshcloud/terraform-provider-meshstack/client"
+)
+
+const (
+	obfuscatedValue = "mesh/hidden-secret"
+)
+
+// This function is necessary to handle obfuscated secrets for meshPlatforms.
+// The meshPlatform API won't return secrets in plain text, but obfuscated values.
+// As a result we keep those from the plan/state and re-apply them to the object read from the API.
+//
+// MUST NOT PASS ANY NIL VALUES
+// MUST PASS compatible types
+func handleObfuscatedSecrets(obfuscated *client.PlatformConfig, plain *client.PlatformConfig, d diag.Diagnostics) {
+	if obfuscated == nil || plain == nil || obfuscated.Type != plain.Type {
+		d.AddError(
+			"Internal Error",
+			"Could not handle obfuscated secrets due to invalid input parameters.",
+		)
+		return
+	}
+
+	switch obfuscated.Type {
+
+	case "aks":
+		if obfuscated.Aks != nil && obfuscated.Aks.Replication != nil && plain.Aks != nil && plain.Aks.Replication != nil {
+			// access token
+			if obfuscated.Aks.Replication.AccessToken != nil &&
+				plain.Aks.Replication.AccessToken != nil &&
+				*obfuscated.Aks.Replication.AccessToken == obfuscatedValue {
+				obfuscated.Aks.Replication.AccessToken = plain.Aks.Replication.AccessToken
+			}
+			// SP client secret
+			if obfuscated.Aks.Replication.ServicePrincipal != nil &&
+				plain.Aks.Replication.ServicePrincipal != nil &&
+				*obfuscated.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
+				obfuscated.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret
+			}
+		}
+
+	case "aws":
+		if obfuscated.Aws != nil && obfuscated.Aws.Replication != nil && plain.Aws != nil && plain.Aws.Replication != nil {
+			// replication access-config service-user secret key
+			if obfuscated.Aws.Replication.AccessConfig != nil &&
+				plain.Aws.Replication.AccessConfig != nil &&
+				obfuscated.Aws.Replication.AccessConfig.ServiceUserConfig != nil &&
+				plain.Aws.Replication.AccessConfig.ServiceUserConfig != nil &&
+				*obfuscated.Aws.Replication.AccessConfig.ServiceUserConfig.SecretKey == obfuscatedValue {
+				obfuscated.Aws.Replication.AccessConfig.ServiceUserConfig.SecretKey = plain.Aws.Replication.AccessConfig.ServiceUserConfig.SecretKey
+			}
+			// replication AWS SSO token
+			if obfuscated.Aws.Replication.AwsSso != nil &&
+				plain.Aws.Replication.AwsSso != nil &&
+				*obfuscated.Aws.Replication.AwsSso.SsoAccessToken == obfuscatedValue {
+				obfuscated.Aws.Replication.AwsSso.SsoAccessToken = plain.Aws.Replication.AwsSso.SsoAccessToken
+			}
+		}
+
+	case "azure":
+		if obfuscated.Azure != nil && obfuscated.Azure.Replication != nil && plain.Azure != nil && plain.Azure.Replication != nil {
+			// replication SP client secret
+			if obfuscated.Azure.Replication.ServicePrincipal != nil &&
+				plain.Azure.Replication.ServicePrincipal != nil &&
+				*obfuscated.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
+				obfuscated.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret
+			}
+			// replication provisioning customer agreement SP client secret
+			if obfuscated.Azure.Replication.Provisioning.CustomerAgreement != nil &&
+				plain.Azure.Replication.Provisioning.CustomerAgreement != nil {
+				if obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal != nil &&
+					plain.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal != nil &&
+					*obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
+					obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret
+				}
+			}
+		}
+
+	case "azurerg":
+		if obfuscated.AzureRg != nil && obfuscated.AzureRg.Replication != nil && plain.AzureRg != nil && plain.AzureRg.Replication != nil {
+			// replication SP client secret
+			if obfuscated.AzureRg.Replication.ServicePrincipal != nil &&
+				plain.AzureRg.Replication.ServicePrincipal != nil &&
+				*obfuscated.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
+				obfuscated.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret
+			}
+		}
+
+	case "kubernetes":
+		if obfuscated.Kubernetes != nil && obfuscated.Kubernetes.Replication != nil && plain.Kubernetes != nil && plain.Kubernetes.Replication != nil {
+			// access token
+			if obfuscated.Kubernetes.Replication.ClientConfig != nil &&
+				plain.Kubernetes.Replication.ClientConfig != nil &&
+				*obfuscated.Kubernetes.Replication.ClientConfig.AccessToken == obfuscatedValue {
+				obfuscated.Kubernetes.Replication.ClientConfig.AccessToken = plain.Kubernetes.Replication.ClientConfig.AccessToken
+			}
+		}
+
+	case "gcp":
+		if obfuscated.Gcp != nil && obfuscated.Gcp.Replication != nil && plain.Gcp != nil && plain.Gcp.Replication != nil {
+			// service account credentials
+			if obfuscated.Gcp.Replication.ServiceAccountConfig != nil &&
+				plain.Gcp.Replication.ServiceAccountConfig != nil &&
+				obfuscated.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig != nil &&
+				plain.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig != nil &&
+				*obfuscated.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig.ServiceAccountCredentialsB64 == obfuscatedValue {
+				obfuscated.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig = plain.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig
+			}
+		}
+
+	case "openshift":
+		if obfuscated.OpenShift != nil && obfuscated.OpenShift.Replication != nil && plain.OpenShift != nil && plain.OpenShift.Replication != nil {
+			// access token
+			if obfuscated.OpenShift.Replication.ClientConfig != nil &&
+				plain.OpenShift.Replication.ClientConfig != nil &&
+				*obfuscated.OpenShift.Replication.ClientConfig.AccessToken == obfuscatedValue {
+				obfuscated.OpenShift.Replication.ClientConfig.AccessToken = plain.OpenShift.Replication.ClientConfig.AccessToken
+			}
+		}
+
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -350,8 +350,6 @@ func openShiftPlatformSchema() schema.Attribute {`
`350`	`350`	`}`
`351`	`351`	`}`
`352`	`352`
`353`		`-// TODO review done until here`
`354`		`-`
`355`	`353`	`func aksReplicationConfigSchema() schema.Attribute {`
`356`	`354`	`return schema.SingleNestedAttribute{`
`357`	`355`	`MarkdownDescription: "Replication configuration for AKS (optional, but required for replication)",`
`@@ -360,6 +358,7 @@ func aksReplicationConfigSchema() schema.Attribute {`
`360`	`358`	`"access_token": schema.StringAttribute{`
`361`	`359`	`MarkdownDescription: "The Access Token of the service account for replicator access.",`
`362`	`360`	`Optional: true,`
	`361`	`+ Sensitive: true,`
`363`	`362`	`},`
`364`	`363`	`"namespace_name_pattern": schema.StringAttribute{`
`365`	`364`	`MarkdownDescription: "Pattern for naming namespaces in AKS",`
`@@ -812,8 +811,6 @@ func azureReplicationConfigSchema() schema.Attribute {`
`812`	`811`	`}`
`813`	`812`	`}`
`814`	`813`
`815`		`-// TODO continue here.`
`816`		`-`
`817`	`814`	`func azureRgReplicationConfigSchema() schema.Attribute {`
`818`	`815`	`return schema.SingleNestedAttribute{`
`819`	`816`	`MarkdownDescription: "Azure Resource Group-specific replication configuration for the platform.",`
`@@ -1053,8 +1050,6 @@ func kubernetesReplicationConfigSchema() schema.Attribute {`
`1053`	`1050`	`}`
`1054`	`1051`	`}`
`1055`	`1052`
`1056`		`-// TODO continue here.`
`1057`		`-`
`1058`	`1053`	`func openShiftReplicationConfigSchema() schema.Attribute {`
`1059`	`1054`	`return schema.SingleNestedAttribute{`
`1060`	`1055`	`MarkdownDescription: "Replication configuration for OpenShift (optional, but required for replication)",`
`@@ -1155,6 +1150,8 @@ func (r *platformResource) Create(ctx context.Context, req resource.CreateReques`
`1155`	`1150`	`return`
`1156`	`1151`	`}`
`1157`	`1152`
	`1153`	`+ handleObfuscatedSecrets(&createdPlatform.Spec.Config, &platform.Spec.Config, resp.Diagnostics)`
	`1154`	`+`
`1158`	`1155`	`resp.Diagnostics.Append(resp.State.Set(ctx, createdPlatform)...)`
`1159`	`1156`	`}`
`1160`	`1157`
`@@ -1163,7 +1160,7 @@ func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, r`
`1163`	`1160`	`var uuid string`
`1164`	`1161`	`resp.Diagnostics.Append(req.State.GetAttribute(ctx, path.Root("metadata").AtName("uuid"), &uuid)...)`
`1165`	`1162`
`1166`		`- platform, err := r.client.ReadPlatform(uuid)`
	`1163`	`+ readPlatform, err := r.client.ReadPlatform(uuid)`
`1167`	`1164`	`if err != nil {`
`1168`	`1165`	`resp.Diagnostics.AddError(`
`1169`	`1166`	`fmt.Sprintf("Could not read platform with UUID '%s'", uuid),`
`@@ -1172,14 +1169,21 @@ func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, r`
`1172`	`1169`	`return`
`1173`	`1170`	`}`
`1174`	`1171`
`1175`		`- if platform == nil {`
	`1172`	`+ if readPlatform == nil {`
`1176`	`1173`	`// The platform was deleted outside of Terraform, so we remove it from the state`
`1177`	`1174`	`resp.State.RemoveResource(ctx)`
`1178`	`1175`	`return`
`1179`	`1176`	`}`
`1180`	`1177`
`1181`		`- // client data maps directly to the schema so we just need to set the state`
`1182`		`- resp.Diagnostics.Append(resp.State.Set(ctx, platform)...)`
	`1178`	`+ statePlatformSpec := client.MeshPlatformSpec{}`
	`1179`	`+ req.State.GetAttribute(ctx, path.Root("spec"), &statePlatformSpec)`
	`1180`	`+ if resp.Diagnostics.HasError() {`
	`1181`	`+ return`
	`1182`	`+ }`
	`1183`	`+`
	`1184`	`+ handleObfuscatedSecrets(&readPlatform.Spec.Config, &statePlatformSpec.Config, resp.Diagnostics)`
	`1185`	`+`
	`1186`	`+ resp.Diagnostics.Append(resp.State.Set(ctx, readPlatform)...)`
`1183`	`1187`	`}`
`1184`	`1188`
`1185`	`1189`	`func (r platformResource) Update(ctx context.Context, req resource.UpdateRequest, resp resource.UpdateResponse) {`
`@@ -1220,6 +1224,8 @@ func (r *platformResource) Update(ctx context.Context, req resource.UpdateReques`
`1220`	`1224`	`return`
`1221`	`1225`	`}`
`1222`	`1226`
	`1227`	`+ handleObfuscatedSecrets(&updatedPlatform.Spec.Config, &platform.Spec.Config, resp.Diagnostics)`
	`1228`	`+`
`1223`	`1229`	`resp.Diagnostics.Append(resp.State.Set(ctx, updatedPlatform)...)`
`1224`	`1230`	`}`
`1225`	`1231`