support localized secret internal ID

Gnoale · Gnoale · commit c889407f5002 · 2025-04-09T18:26:09.000+02:00
diff --git a/internal/services/jobs/definition.go b/internal/services/jobs/definition.go
@@ -95,14 +95,12 @@ func ResourceDefinition() *schema.Resource {
 				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "A reference to a Secret Manager secret.",
-				MaxItems:    10,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"secret_id": {
-							Type:         schema.TypeString,
-							Description:  "The secret UUID.",
-							Required:     true,
-							ValidateFunc: validation.IsUUID,
+							Type:        schema.TypeString,
+							Description: "The secret unique identifier, it could be formatted as UUID or region/UUID. The secret must be in the same region as the job definition.",
+							Required:    true,
 						},
 						"secret_reference_id": {
 							Type:        schema.TypeString,
@@ -172,7 +170,7 @@ func ResourceJobDefinitionCreate(ctx context.Context, d *schema.ResourceData, m
 	}
 
 	if rawSecretReference, ok := d.GetOk("secret_reference"); ok {
-		if err := CreateJobDefinitionSecret(rawSecretReference, api, region, definition.ID); err != nil {
+		if err := CreateJobDefinitionSecret(expandJobDefinitionSecret(rawSecretReference), api, region, definition.ID); err != nil {
 			return diag.FromErr(err)
 		}
 	}
@@ -319,7 +317,7 @@ func ResourceJobDefinitionUpdate(ctx context.Context, d *schema.ResourceData, m
 		}
 
 		if rawSecretReference, ok := d.GetOk("secret_reference"); ok {
-			if err := CreateJobDefinitionSecret(rawSecretReference, api, region, id); err != nil {
+			if err := CreateJobDefinitionSecret(expandJobDefinitionSecret(rawSecretReference), api, region, id); err != nil {
 				return diag.FromErr(err)
 			}
 		}
diff --git a/internal/services/jobs/definition_test.go b/internal/services/jobs/definition_test.go
@@ -8,9 +8,11 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	jobsSDK "github.com/scaleway/scaleway-sdk-go/api/jobs/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/acctest"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/jobs"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestAccJobDefinition_Basic(t *testing.T) {
@@ -179,23 +181,19 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
   					  secret_id   = scaleway_secret.main.id
 					  data        = "your_secret"
 					}
-					locals {
-						parts = split("/", scaleway_secret.main.id)
-						secret_uuid = local.parts[1]
-					}
 
 					resource scaleway_job_definition main {
 						name = "test-jobs-job-definition-secret"
 						cpu_limit = 120
 						memory_limit = 256
 						image_uri = "docker.io/alpine:latest"
 						secret_reference {
-							secret_id = local.secret_uuid
+							secret_id = scaleway_secret.main.id
 							secret_version = "latest"
 							file = "/home/dev/env"
 						}
 						secret_reference {
-							secret_id = local.secret_uuid
+							secret_id = scaleway_secret.main.id
 							secret_version = "latest"
 							environment = "SOME_ENV"
 						}
@@ -220,23 +218,19 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
   					  secret_id   = scaleway_secret.main.id
 					  data        = "your_secret"
 					}
-					locals {
-						parts = split("/", scaleway_secret.main.id)
-						secret_uuid = local.parts[1]
-					}
 
 					resource scaleway_job_definition main {
 						name = "test-jobs-job-definition-secret"
 						cpu_limit = 120
 						memory_limit = 256
 						image_uri = "docker.io/alpine:latest"
 						secret_reference {
-							secret_id = local.secret_uuid
+							secret_id = scaleway_secret.main.id
 							secret_version = "latest"
 							file = "/home/dev/new_env"
 						}
 						secret_reference {
-							secret_id = local.secret_uuid
+							secret_id = scaleway_secret.main.id
 							secret_version = "latest"
 							environment = "SOME_ENV"
 						}
@@ -273,18 +267,14 @@ func TestAccJobDefinition_WrongSecretReference(t *testing.T) {
   					  secret_id   = scaleway_secret.main.id
 					  data        = "your_secret"
 					}
-					locals {
-						parts = split("/", scaleway_secret.main.id)
-						secret_uuid = local.parts[1]
-					}
 
 					resource scaleway_job_definition main {
 						name = "test-jobs-job-definition-secret"
 						cpu_limit = 120
 						memory_limit = 256
 						image_uri = "docker.io/alpine:latest"
 						secret_reference {
-							secret_id = local.secret_uuid
+							secret_id = scaleway_secret.main.id
 							secret_version = "1"
 						}
 					}
@@ -300,18 +290,14 @@ func TestAccJobDefinition_WrongSecretReference(t *testing.T) {
 		  			  secret_id   = scaleway_secret.main.id
 					  data        = "your_secret"
 					}
-					locals {
-						parts = split("/", scaleway_secret.main.id)
-						secret_uuid = local.parts[1]
-					}
 		
 					resource scaleway_job_definition main {
 						name = "test-jobs-job-definition-secret"
 						cpu_limit = 120
 						memory_limit = 256
 						image_uri = "docker.io/alpine:latest"
 						secret_reference {
-							secret_id = local.secret_uuid
+							secret_id = scaleway_secret.main.id
 							secret_version = "1"
 							environment = "SOME_ENV"
 							file = "/home/dev/env"
@@ -377,3 +363,30 @@ func testAccCheckJobDefinitionDestroy(tt *acctest.TestTools) resource.TestCheckF
 		return nil
 	}
 }
+
+func TestCreateJobDefinitionSecret(t *testing.T) {
+	jobSecrets := []jobs.JobDefinitionSecret{
+		{
+			SecretID:      "fr-par/11111111-1111-1111-1111-111111111111",
+			SecretVersion: "1",
+			Environment:   "SOME_ENV",
+		},
+		{
+			SecretID:      "11111111-1111-1111-1111-111111111111",
+			SecretVersion: "1",
+			File:          "/home/dev/env",
+		},
+		{
+			SecretID:      "nl-ams/11111111-1111-1111-1111-111111111111",
+			SecretVersion: "1",
+			File:          "/home/dev/env",
+		},
+	}
+
+	api := jobsSDK.NewAPI(&scw.Client{})
+	region := scw.RegionFrPar
+	jobID := "22222222-2222-2222-2222-222222222222"
+
+	err := jobs.CreateJobDefinitionSecret(jobSecrets, api, region, jobID)
+	assert.ErrorContains(t, err, fmt.Sprintf("the secret id %s does not appear to be in the same region as the job definition id %s", jobSecrets[2].SecretID, jobID))
+}
diff --git a/internal/services/jobs/helpers.go b/internal/services/jobs/helpers.go
@@ -134,27 +134,33 @@ func expandJobDefinitionSecret(i any) []JobDefinitionSecret {
 	return parsedSecrets
 }
 
-func CreateJobDefinitionSecret(rawSecretReference any, api *jobs.API, region scw.Region, jobID string) error {
-	parsedSecretReferences := expandJobDefinitionSecret(rawSecretReference)
-	secrets := []*jobs.CreateJobDefinitionSecretsRequestSecretConfig{}
+func CreateJobDefinitionSecret(jobSecrets []JobDefinitionSecret, api *jobs.API, region scw.Region, jobID string) error {
 
-	for _, parsedSecretRef := range parsedSecretReferences {
-		var secretConfig *jobs.CreateJobDefinitionSecretsRequestSecretConfig
+	secretConfigs := []*jobs.CreateJobDefinitionSecretsRequestSecretConfig{}
+
+	for _, parsedSecretRef := range jobSecrets {
+		secretConfig := &jobs.CreateJobDefinitionSecretsRequestSecretConfig{}
+
+		secretRegion, secretID, err := regional.ParseID(parsedSecretRef.SecretID)
+		if err != nil {
+			secretID = parsedSecretRef.SecretID
+		}
+
+		if secretRegion != "" && secretRegion != region {
+			return fmt.Errorf("the secret id %s does not appear to be in the same region as the job definition id %s", parsedSecretRef.SecretID, jobID)
+		}
+
+		secretConfigs = append(secretConfigs, secretConfig)
+
+		secretConfig.SecretManagerID = secretID
+		secretConfig.SecretManagerVersion = parsedSecretRef.SecretVersion
 
 		if parsedSecretRef.Environment != "" {
-			secretConfig = &jobs.CreateJobDefinitionSecretsRequestSecretConfig{
-				SecretManagerID:      parsedSecretRef.SecretID,
-				SecretManagerVersion: parsedSecretRef.SecretVersion,
-				EnvVarName:           &parsedSecretRef.Environment,
-			}
+			secretConfig.EnvVarName = &parsedSecretRef.Environment
 		}
 
 		if parsedSecretRef.File != "" {
-			secretConfig = &jobs.CreateJobDefinitionSecretsRequestSecretConfig{
-				SecretManagerID:      parsedSecretRef.SecretID,
-				SecretManagerVersion: parsedSecretRef.SecretVersion,
-				Path:                 &parsedSecretRef.File,
-			}
+			secretConfig.Path = &parsedSecretRef.File
 		}
 
 		if parsedSecretRef.Environment != "" && parsedSecretRef.File != "" {
@@ -164,14 +170,12 @@ func CreateJobDefinitionSecret(rawSecretReference any, api *jobs.API, region scw
 		if parsedSecretRef.Environment == "" && parsedSecretRef.File == "" {
 			return fmt.Errorf("the secret id %s is missing a mount point: file or environment", parsedSecretRef.SecretID)
 		}
-
-		secrets = append(secrets, secretConfig)
 	}
 
 	_, err := api.CreateJobDefinitionSecrets(&jobs.CreateJobDefinitionSecretsRequest{
 		Region:          region,
 		JobDefinitionID: jobID,
-		Secrets:         secrets,
+		Secrets:         secretConfigs,
 	})
 
 	return err

Original file line number	Diff line number	Diff line change
`@@ -95,14 +95,12 @@ func ResourceDefinition() *schema.Resource {`
`95`	`95`	`Type: schema.TypeSet,`
`96`	`96`	`Optional: true,`
`97`	`97`	`Description: "A reference to a Secret Manager secret.",`
`98`		`- MaxItems: 10,`
`99`	`98`	`Elem: &schema.Resource{`
`100`	`99`	`Schema: map[string]*schema.Schema{`
`101`	`100`	`"secret_id": {`
`102`		`- Type: schema.TypeString,`
`103`		`- Description: "The secret UUID.",`
`104`		`- Required: true,`
`105`		`- ValidateFunc: validation.IsUUID,`
	`101`	`+ Type: schema.TypeString,`
	`102`	`+ Description: "The secret unique identifier, it could be formatted as UUID or region/UUID. The secret must be in the same region as the job definition.",`
	`103`	`+ Required: true,`
`106`	`104`	`},`
`107`	`105`	`"secret_reference_id": {`
`108`	`106`	`Type: schema.TypeString,`
`@@ -172,7 +170,7 @@ func ResourceJobDefinitionCreate(ctx context.Context, d *schema.ResourceData, m`
`172`	`170`	`}`
`173`	`171`
`174`	`172`	`if rawSecretReference, ok := d.GetOk("secret_reference"); ok {`
`175`		`- if err := CreateJobDefinitionSecret(rawSecretReference, api, region, definition.ID); err != nil {`
	`173`	`+ if err := CreateJobDefinitionSecret(expandJobDefinitionSecret(rawSecretReference), api, region, definition.ID); err != nil {`
`176`	`174`	`return diag.FromErr(err)`
`177`	`175`	`}`
`178`	`176`	`}`
`@@ -319,7 +317,7 @@ func ResourceJobDefinitionUpdate(ctx context.Context, d *schema.ResourceData, m`
`319`	`317`	`}`
`320`	`318`
`321`	`319`	`if rawSecretReference, ok := d.GetOk("secret_reference"); ok {`
`322`		`- if err := CreateJobDefinitionSecret(rawSecretReference, api, region, id); err != nil {`
	`320`	`+ if err := CreateJobDefinitionSecret(expandJobDefinitionSecret(rawSecretReference), api, region, id); err != nil {`
`323`	`321`	`return diag.FromErr(err)`
`324`	`322`	`}`
`325`	`323`	`}`