better update

Author: Gnoale

internal/locality/validation.go

@@ -30,11 +30,25 @@ func ValidateStringInSliceWithWarning(correctValues []string, field string) sche
 	}
 }
 
-func ValidateRegionalUUID() schema.SchemaValidateFunc {
+func ValidateRegionalUUID() schema.SchemaValidateDiagFunc {
 	regions := make([]string, 0, len(scw.AllRegions))
 	for _, region := range scw.AllRegions {
 		regions = append(regions, region.String())
 	}
 
-	return validation.StringMatch(regexp.MustCompile(`^`+strings.Join(regions, "|")+`/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`), "must be in the form region/UUID")
+	return func(i interface{}, path cty.Path) diag.Diagnostics {
+		var res diag.Diagnostics
+
+		_, rawErr := validation.StringMatch(regexp.MustCompile(`^`+strings.Join(regions, "|")+`/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`), "must be in the form region/UUID")(i, "")
+
+		for _, e := range rawErr {
+			res = append(res, diag.Diagnostic{
+				Severity:      diag.Error,
+				Summary:       e.Error(),
+				AttributePath: path,
+			})
+		}
+
+		return res
+	}
 }

internal/services/jobs/definition.go

@@ -97,20 +97,13 @@ func ResourceDefinition() *schema.Resource {
 				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "A reference to a Secret Manager secret.",
-				//Set: func(v interface{}) int {
-				//	secret := v.(map[string]interface{})
-				//	if secret["file"] == nil {
-				//		return schema.HashString(secret["secret_id"].(string) + secret["secret_version"].(string) + secret["environment"].(string))
-				//	}
-				//	return schema.HashString(secret["secret_id"].(string) + secret["secret_version"].(string) + secret["file"].(string))
-				//},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"secret_id": {
-							Type:         schema.TypeString,
-							Description:  "The secret unique identifier, it must be in the form region/UUID. The region must be the same as the job definition.",
-							Required:     true,
-							ValidateFunc: locality.ValidateRegionalUUID(),
+							Type:             schema.TypeString,
+							Description:      "The secret unique identifier, it must be in the form region/UUID. The region must be the same as the job definition.",
+							Required:         true,
+							ValidateDiagFunc: locality.ValidateRegionalUUID(),
 						},
 						"secret_reference_id": {
 							Type:        schema.TypeString,
@@ -146,6 +139,7 @@ func ResourceJobDefinitionCreate(ctx context.Context, d *schema.ResourceData, m
 	if err != nil {
 		return diag.FromErr(err)
 	}
+
 	req := &jobs.CreateJobDefinitionRequest{
 		Region:               region,
 		Name:                 types.ExpandOrGenerateString(d.Get("name").(string), "job"),
@@ -179,7 +173,7 @@ func ResourceJobDefinitionCreate(ctx context.Context, d *schema.ResourceData, m
 	}
 
 	if rawSecretReference, ok := d.GetOk("secret_reference"); ok {
-		if err := CreateJobDefinitionSecret(expandJobDefinitionSecret(rawSecretReference), api, region, definition.ID); err != nil {
+		if err := CreateJobDefinitionSecret(ctx, api, expandJobDefinitionSecret(rawSecretReference), region, definition.ID); err != nil {
 			return diag.FromErr(err)
 		}
 	}
@@ -222,7 +216,7 @@ func ResourceJobDefinitionRead(ctx context.Context, d *schema.ResourceData, m in
 	for i, secret := range rawSecretRefs.Secrets {
 		secretRef := make(map[string]interface{})
 		secretRef["secret_id"] = fmt.Sprintf("%s/%s", definition.Region, secret.SecretManagerID)
-		//secretRef["secret_id"] = secret.SecretManagerID
+		// secretRef["secret_id"] = secret.SecretManagerID
 		secretRef["secret_reference_id"] = secret.SecretID
 		secretRef["secret_version"] = secret.SecretManagerVersion
 
@@ -313,21 +307,29 @@ func ResourceJobDefinitionUpdate(ctx context.Context, d *schema.ResourceData, m
 	}
 
 	if d.HasChange("secret_reference") {
-		oldRawSecretRefs, _ := d.GetChange("secret_reference")
+		oldRawSecretRefs, newRawSecretRefs := d.GetChange("secret_reference")
+
 		oldSecretRefs := expandJobDefinitionSecret(oldRawSecretRefs)
+		newSecretRefs := expandJobDefinitionSecret(newRawSecretRefs)
 
-		for _, oldSecretRef := range oldSecretRefs {
-			if err := api.DeleteJobDefinitionSecret(&jobs.DeleteJobDefinitionSecretRequest{
+		toCreate, toDelete, err := DiffJobDefinitionSecrets(oldSecretRefs, newSecretRefs)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+
+		for _, secret := range toDelete {
+			deleteReq := &jobs.DeleteJobDefinitionSecretRequest{
 				Region:          region,
 				JobDefinitionID: id,
-				SecretID:        oldSecretRef.SecretReferenceID,
-			}); err != nil {
+				SecretID:        secret.SecretReferenceID,
+			}
+			if err := api.DeleteJobDefinitionSecret(deleteReq, scw.WithContext(ctx)); err != nil {
 				return diag.FromErr(err)
 			}
 		}
 
-		if rawSecretReference, ok := d.GetOk("secret_reference"); ok {
-			if err := CreateJobDefinitionSecret(expandJobDefinitionSecret(rawSecretReference), api, region, id); err != nil {
+		if len(toCreate) > 0 {
+			if err := CreateJobDefinitionSecret(ctx, api, toCreate, region, id); err != nil {
 				return diag.FromErr(err)
 			}
 		}

internal/services/jobs/definition_test.go

@@ -227,7 +227,7 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
 						secret_reference {
 							secret_id = scaleway_secret.main.id
 							secret_version = "latest"
-							file = "/home/dev/new_env"
+							file = "/home/dev/secret_file"
 						}
 						secret_reference {
 							secret_id = scaleway_secret.main.id
@@ -241,7 +241,7 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
 					acctest.CheckResourceAttrUUID("scaleway_job_definition.main", "id"),
 					resource.TestCheckResourceAttr("scaleway_job_definition.main", "name", "test-jobs-job-definition-secret"),
 					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.#", "2"),
-					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/new_env"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/secret_file"),
 					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.1.environment", "SOME_ENV"),
 				),
 			},
@@ -264,7 +264,7 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
 						secret_reference {
 							secret_id = scaleway_secret.main.id
 							secret_version = "latest"
-							file = "/home/dev/new_env"
+							file = "/home/dev/secret_file"
 						}
 					}
 				`,
@@ -273,7 +273,7 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
 					acctest.CheckResourceAttrUUID("scaleway_job_definition.main", "id"),
 					resource.TestCheckResourceAttr("scaleway_job_definition.main", "name", "test-jobs-job-definition-secret"),
 					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.#", "1"),
-					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/new_env"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/secret_file"),
 				),
 			},
 		},
@@ -413,6 +413,6 @@ func TestCreateJobDefinitionSecret(t *testing.T) {
 	region := scw.RegionFrPar
 	jobID := "22222222-2222-2222-2222-222222222222"
 
-	err := jobs.CreateJobDefinitionSecret(jobSecrets, api, region, jobID)
+	err := jobs.CreateJobDefinitionSecret(t.Context(), api, jobSecrets, region, jobID)
 	assert.ErrorContains(t, err, fmt.Sprintf("the secret id %s does not appear to be in the same region as the job definition id %s", jobSecrets[1].SecretID, jobID))
 }

internal/services/jobs/helpers.go

@@ -1,13 +1,16 @@
 package jobs
 
 import (
+	"bytes"
+	"context"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	jobs "github.com/scaleway/scaleway-sdk-go/api/jobs/v1alpha1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/meta"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
 )
 
 // newAPIWithRegion returns a new jobs API and the region for a Create request
@@ -134,8 +137,7 @@ func expandJobDefinitionSecret(i any) []JobDefinitionSecret {
 	return parsedSecrets
 }
 
-func CreateJobDefinitionSecret(jobSecrets []JobDefinitionSecret, api *jobs.API, region scw.Region, jobID string) error {
-
+func CreateJobDefinitionSecret(ctx context.Context, api *jobs.API, jobSecrets []JobDefinitionSecret, region scw.Region, jobID string) error {
 	secretConfigs := []*jobs.CreateJobDefinitionSecretsRequestSecretConfig{}
 
 	for _, parsedSecretRef := range jobSecrets {
@@ -155,28 +157,92 @@ func CreateJobDefinitionSecret(jobSecrets []JobDefinitionSecret, api *jobs.API,
 		secretConfig.SecretManagerID = secretID
 		secretConfig.SecretManagerVersion = parsedSecretRef.SecretVersion
 
+		if err := validateJobDefinitionSecret(&parsedSecretRef); err != nil {
+			return err
+		}
+
 		if parsedSecretRef.Environment != "" {
 			secretConfig.EnvVarName = &parsedSecretRef.Environment
 		}
 
 		if parsedSecretRef.File != "" {
 			secretConfig.Path = &parsedSecretRef.File
 		}
-
-		if parsedSecretRef.Environment != "" && parsedSecretRef.File != "" {
-			return fmt.Errorf("the secret id %s must have exactly one mount point: file or environment", parsedSecretRef.SecretID)
-		}
-
-		if parsedSecretRef.Environment == "" && parsedSecretRef.File == "" {
-			return fmt.Errorf("the secret id %s is missing a mount point: file or environment", parsedSecretRef.SecretID)
-		}
 	}
 
 	_, err := api.CreateJobDefinitionSecrets(&jobs.CreateJobDefinitionSecretsRequest{
 		Region:          region,
 		JobDefinitionID: jobID,
 		Secrets:         secretConfigs,
-	})
+	}, scw.WithContext(ctx))
 
 	return err
 }
+
+func crc32Hash(secret *JobDefinitionSecret) int {
+	buf := bytes.NewBufferString(secret.SecretID)
+	buf.WriteString(secret.SecretVersion)
+
+	if secret.Environment != "" {
+		buf.WriteString(secret.Environment)
+	}
+
+	if secret.File != "" {
+		buf.WriteString(secret.File)
+	}
+
+	return types.StringHashcode(buf.String())
+}
+
+func DiffJobDefinitionSecrets(oldSecretRefs, newSecretRefs []JobDefinitionSecret) (toCreate []JobDefinitionSecret, toDelete []JobDefinitionSecret, err error) {
+	toCreate = make([]JobDefinitionSecret, 0)
+	toDelete = make([]JobDefinitionSecret, 0)
+
+	// hash the new and old secret sets
+	oldSecretRefsMap := make(map[int]JobDefinitionSecret, len(oldSecretRefs))
+	for _, secret := range oldSecretRefs {
+		oldSecretRefsMap[crc32Hash(&secret)] = secret
+	}
+
+	newSecretRefsMap := make(map[int]JobDefinitionSecret, len(newSecretRefs))
+
+	for _, secret := range newSecretRefs {
+		if err := validateJobDefinitionSecret(&secret); err != nil {
+			return toCreate, toDelete, err
+		}
+
+		newSecretRefsMap[crc32Hash(&secret)] = secret
+	}
+
+	// find secrets to delete
+	for hash, secret := range oldSecretRefsMap {
+		if _, ok := newSecretRefsMap[hash]; !ok {
+			toDelete = append(toDelete, secret)
+		}
+	}
+
+	// find secrets to create
+	for hash, secret := range newSecretRefsMap {
+		if _, ok := oldSecretRefsMap[hash]; !ok {
+			toCreate = append(toCreate, secret)
+		}
+	}
+
+	return toCreate, toDelete, nil
+}
+
+func validateJobDefinitionSecret(secret *JobDefinitionSecret) error {
+	if secret == nil {
+		return nil
+	}
+
+	if secret.Environment != "" && secret.File != "" {
+		return fmt.Errorf("the secret id %s must have exactly one mount point: file or environment", secret.SecretID)
+	}
+
+	if secret.Environment == "" && secret.File == "" {
+		return fmt.Errorf("the secret id %s is missing a mount point: file or environment", secret.SecretID)
+	}
+
+	return nil
+}