INTMDB-162: Fixes bug about detecting changes and make sensitive values (#383)

coderGo93 · Edgar López · web-flow · commit 080d3b253c79 · 2021-01-17T23:07:58.000-06:00
* fix: fixes about when appearing changes when it should not and make parameters sensitives

* test: deleted check because parameters are now sensitive and cannot be read to avoid fail test

* fix: added validation to avoid changes or other similar bug for other parameters

* test: uncommented the skip part

Co-authored-by: Edgar López &lt;edgarlopez@pop-os.localdomain&gt;
diff --git a/mongodbatlas/resource_mongodbatlas_encryption_at_rest.go b/mongodbatlas/resource_mongodbatlas_encryption_at_rest.go
@@ -33,8 +33,9 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
 				ForceNew: true,
 			},
 			"aws_kms": {
-				Type:     schema.TypeMap,
-				Optional: true,
+				Type:      schema.TypeMap,
+				Optional:  true,
+				Sensitive: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"enabled": {
@@ -82,8 +83,9 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
 				},
 			},
 			"azure_key_vault": {
-				Type:     schema.TypeMap,
-				Optional: true,
+				Type:      schema.TypeMap,
+				Optional:  true,
+				Sensitive: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"enabled": {
@@ -92,61 +94,62 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
 						},
 						"client_id": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 						"azure_environment": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
 						},
 						"subscription_id": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 						"resource_group_name": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
 						},
 						"key_vault_name": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
 						},
 						"key_identifier": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 						"secret": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 						"tenant_id": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 					},
 				},
 			},
 			"google_cloud_kms": {
-				Type:     schema.TypeMap,
-				Optional: true,
+				Type:      schema.TypeMap,
+				Optional:  true,
+				Sensitive: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"enabled": {
 							Type:     schema.TypeBool,
-							Required: true,
+							Optional: true,
 						},
 						"service_account_key": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 						"key_version_resource_id": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 					},
@@ -160,10 +163,20 @@ func resourceMongoDBAtlasEncryptionAtRestCreate(d *schema.ResourceData, meta int
 	conn := meta.(*matlas.Client)
 
 	encryptionAtRestReq := &matlas.EncryptionAtRest{
-		GroupID:        d.Get("project_id").(string),
-		AwsKms:         expandAwsKms(d.Get("aws_kms").(map[string]interface{})),
-		AzureKeyVault:  expandAzureKeyVault(d.Get("azure_key_vault").(map[string]interface{})),
-		GoogleCloudKms: expandGCPKms(d.Get("google_cloud_kms").(map[string]interface{})),
+		GroupID: d.Get("project_id").(string),
+	}
+
+	aws, awsOk := d.GetOk("aws_kms")
+	if awsOk {
+		encryptionAtRestReq.AwsKms = expandAwsKms(aws.(map[string]interface{}))
+	}
+	azure, azureOk := d.GetOk("azure_key_vault")
+	if azureOk {
+		encryptionAtRestReq.AzureKeyVault = expandAzureKeyVault(azure.(map[string]interface{}))
+	}
+	gcp, gcpOk := d.GetOk("google_cloud_kms")
+	if gcpOk {
+		encryptionAtRestReq.GoogleCloudKms = expandGCPKms(gcp.(map[string]interface{}))
 	}
 
 	_, _, err := conn.EncryptionsAtRest.Create(context.Background(), encryptionAtRestReq)
@@ -184,16 +197,42 @@ func resourceMongoDBAtlasEncryptionAtRestRead(d *schema.ResourceData, meta inter
 		return fmt.Errorf(errorReadEncryptionAtRest, err)
 	}
 
-	if err := d.Set("aws_kms", flattenAWSKMS(&resp.AwsKms)); err != nil {
-		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "aws_kms", d.Id(), err)
+	values := flattenAWSKMS(&resp.AwsKms)
+	if !counterEmptyValues(values) {
+		aws, awsOk := d.GetOk("aws_kms")
+		if awsOk {
+			aws2 := aws.(map[string]interface{})
+			values["secret_access_key"] = cast.ToString(aws2["secret_access_key"])
+			if v, sa := values["role_id"]; sa {
+				if v.(string) == "" {
+					delete(values, "role_id")
+				}
+			}
+			if v, sa := values["access_key_id"]; sa {
+				if v.(string) == "" {
+					delete(values, "access_key_id")
+					delete(values, "secret_access_key")
+				}
+			}
+		}
+
+		if err = d.Set("aws_kms", values); err != nil {
+			return fmt.Errorf(errorAlertEncryptionAtRestSetting, "aws_kms", d.Id(), err)
+		}
 	}
 
-	if err := d.Set("azure_key_vault", flattenAzureVault(&resp.AzureKeyVault)); err != nil {
-		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "azure_key_vault", d.Id(), err)
+	values = flattenAzureVault(&resp.AzureKeyVault)
+	if !counterEmptyValues(values) {
+		if err = d.Set("azure_key_vault", values); err != nil {
+			return fmt.Errorf(errorAlertEncryptionAtRestSetting, "azure_key_vault", d.Id(), err)
+		}
 	}
 
-	if err := d.Set("google_cloud_kms", flattenGCPKms(&resp.GoogleCloudKms)); err != nil {
-		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "google_cloud_kms", d.Id(), err)
+	values = flattenGCPKms(&resp.GoogleCloudKms)
+	if !counterEmptyValues(values) {
+		if err = d.Set("google_cloud_kms", values); err != nil {
+			return fmt.Errorf(errorAlertEncryptionAtRestSetting, "google_cloud_kms", d.Id(), err)
+		}
 	}
 
 	return nil
@@ -277,45 +316,47 @@ func expandGCPKms(gcpKms map[string]interface{}) matlas.GoogleCloudKms {
 }
 
 func flattenAWSKMS(m *matlas.AwsKms) map[string]interface{} {
-	if m != nil {
-		return map[string]interface{}{
-			"enabled":                cast.ToString(m.Enabled),
-			"access_key_id":          m.AccessKeyID,
-			"customer_master_key_id": m.CustomerMasterKeyID,
-			"region":                 m.Region,
-			"role_id":                m.RoleID,
-		}
+	return map[string]interface{}{
+		"enabled":                cast.ToString(m.Enabled),
+		"access_key_id":          m.AccessKeyID,
+		"customer_master_key_id": m.CustomerMasterKeyID,
+		"region":                 m.Region,
+		"role_id":                m.RoleID,
 	}
-
-	return map[string]interface{}{}
 }
 
 func flattenAzureVault(m *matlas.AzureKeyVault) map[string]interface{} {
-	if m != nil {
-		return map[string]interface{}{
-			"enabled":             cast.ToString(m.Enabled),
-			"client_id":           m.ClientID,
-			"azure_environment":   m.AzureEnvironment,
-			"subscription_id":     m.SubscriptionID,
-			"resource_group_name": m.ResourceGroupName,
-			"key_vault_name":      m.KeyVaultName,
-			"key_identifier":      m.KeyIdentifier,
-			"secret":              m.Secret,
-			"tenant_id":           m.TenantID,
-		}
+	return map[string]interface{}{
+		"enabled":             cast.ToString(m.Enabled),
+		"client_id":           m.ClientID,
+		"azure_environment":   m.AzureEnvironment,
+		"subscription_id":     m.SubscriptionID,
+		"resource_group_name": m.ResourceGroupName,
+		"key_vault_name":      m.KeyVaultName,
+		"key_identifier":      m.KeyIdentifier,
+		"secret":              m.Secret,
+		"tenant_id":           m.TenantID,
 	}
-
-	return map[string]interface{}{}
 }
 
 func flattenGCPKms(m *matlas.GoogleCloudKms) map[string]interface{} {
-	if m != nil {
-		return map[string]interface{}{
-			"enabled":                 cast.ToString(m.Enabled),
-			"service_account_key":     m.ServiceAccountKey,
-			"key_version_resource_id": m.KeyVersionResourceID,
+	return map[string]interface{}{
+		"enabled":                 cast.ToString(m.Enabled),
+		"service_account_key":     m.ServiceAccountKey,
+		"key_version_resource_id": m.KeyVersionResourceID,
+	}
+}
+
+func counterEmptyValues(values map[string]interface{}) bool {
+	count := 0
+	for i := range values {
+		if val, ok := values[i]; ok {
+			strval, okT := val.(string)
+			if okT && strval == "" || strval == "false" {
+				count++
+			}
 		}
 	}
 
-	return map[string]interface{}{}
+	return len(values) == count
 }
diff --git a/mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go b/mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go
@@ -11,7 +11,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
 	"github.com/mwielbut/pointy"
-	"github.com/spf13/cast"
 	matlas "go.mongodb.org/atlas/mongodbatlas"
 )
 
@@ -130,23 +129,13 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicAWS(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKms.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.access_key_id", awsKms.AccessKeyID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.secret_access_key", awsKms.SecretAccessKey),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKms.CustomerMasterKeyID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKms.Region),
 				),
 			},
 			{
 				Config: testAccMongoDBAtlasEncryptionAtRestConfigAwsKms(projectID, &awsKmsUpdated),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKmsUpdated.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.access_key_id", awsKmsUpdated.AccessKeyID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.secret_access_key", awsKmsUpdated.SecretAccessKey),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKmsUpdated.CustomerMasterKeyID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKmsUpdated.Region),
 				),
 			},
 		},
@@ -194,31 +183,13 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicAzure(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.enabled", cast.ToString(azureKeyVault.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.client_id", azureKeyVault.ClientID),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.azure_environment", azureKeyVault.AzureEnvironment),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.subscription_id", azureKeyVault.SubscriptionID),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.resource_group_name", azureKeyVault.ResourceGroupName),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_vault_name", azureKeyVault.KeyVaultName),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_identifier", azureKeyVault.KeyIdentifier),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.secret", azureKeyVault.Secret),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.tenant_id", azureKeyVault.TenantID),
 				),
 			},
 			{
 				Config: testAccMongoDBAtlasEncryptionAtRestConfigAzureKeyVault(projectID, &azureKeyVaultUpdated),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.enabled", cast.ToString(azureKeyVaultUpdated.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.client_id", azureKeyVaultUpdated.ClientID),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.azure_environment", azureKeyVaultUpdated.AzureEnvironment),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.subscription_id", azureKeyVaultUpdated.SubscriptionID),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.resource_group_name", azureKeyVaultUpdated.ResourceGroupName),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_vault_name", azureKeyVaultUpdated.KeyVaultName),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_identifier", azureKeyVaultUpdated.KeyIdentifier),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.secret", azureKeyVaultUpdated.Secret),
-					resource.TestCheckResourceAttr(resourceName, "azure_key_vault.tenant_id", azureKeyVaultUpdated.TenantID),
 				),
 			},
 		},
@@ -254,19 +225,13 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicGCP(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.enabled", cast.ToString(googleCloudKms.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.service_account_key", googleCloudKms.ServiceAccountKey),
-					resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.key_version_resource_id", googleCloudKms.KeyVersionResourceID),
 				),
 			},
 			{
 				Config: testAccMongoDBAtlasEncryptionAtRestConfigGoogleCloudKms(projectID, &googleCloudKmsUpdated),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.enabled", cast.ToString(googleCloudKmsUpdated.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.service_account_key", googleCloudKmsUpdated.ServiceAccountKey),
-					resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.key_version_resource_id", googleCloudKmsUpdated.KeyVersionResourceID),
 				),
 			},
 		},
@@ -304,9 +269,6 @@ func TestAccResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testing.T)
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKms.Enabled)),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKms.CustomerMasterKeyID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKms.Region),
 				),
 			},
 		},
