strict regional secret id

Gnoale · Gnoale · commit e13f92307ab5 · 2025-04-09T18:26:09.000+02:00
diff --git a/internal/locality/validation.go b/internal/locality/validation.go
@@ -1,10 +1,14 @@
 package locality
 
 import (
+	"regexp"
+	"strings"
+
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/scaleway/scaleway-sdk-go/scw"
 )
 
 // ValidateStringInSliceWithWarning helps to only returns warnings in case we got a non-public locality passed
@@ -25,3 +29,12 @@ func ValidateStringInSliceWithWarning(correctValues []string, field string) sche
 		return res
 	}
 }
+
+func ValidateRegionalUUID() schema.SchemaValidateFunc {
+	regions := make([]string, 0, len(scw.AllRegions))
+	for _, region := range scw.AllRegions {
+		regions = append(regions, region.String())
+	}
+
+	return validation.StringMatch(regexp.MustCompile(`^`+strings.Join(regions, "|")+`/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`), "must be in the form region/UUID")
+}
diff --git a/internal/services/jobs/definition.go b/internal/services/jobs/definition.go
@@ -2,6 +2,7 @@ package jobs
 
 import (
 	"context"
+	"fmt"
 	"regexp"
 	"time"
 
@@ -13,6 +14,7 @@ import (
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/dsf"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/account"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
@@ -95,12 +97,20 @@ func ResourceDefinition() *schema.Resource {
 				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "A reference to a Secret Manager secret.",
+				//Set: func(v interface{}) int {
+				//	secret := v.(map[string]interface{})
+				//	if secret["file"] == nil {
+				//		return schema.HashString(secret["secret_id"].(string) + secret["secret_version"].(string) + secret["environment"].(string))
+				//	}
+				//	return schema.HashString(secret["secret_id"].(string) + secret["secret_version"].(string) + secret["file"].(string))
+				//},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"secret_id": {
-							Type:        schema.TypeString,
-							Description: "The secret unique identifier, it could be formatted as UUID or region/UUID. The secret must be in the same region as the job definition.",
-							Required:    true,
+							Type:         schema.TypeString,
+							Description:  "The secret unique identifier, it must be in the form region/UUID. The region must be the same as the job definition.",
+							Required:     true,
+							ValidateFunc: locality.ValidateRegionalUUID(),
 						},
 						"secret_reference_id": {
 							Type:        schema.TypeString,
@@ -136,7 +146,6 @@ func ResourceJobDefinitionCreate(ctx context.Context, d *schema.ResourceData, m
 	if err != nil {
 		return diag.FromErr(err)
 	}
-
 	req := &jobs.CreateJobDefinitionRequest{
 		Region:               region,
 		Name:                 types.ExpandOrGenerateString(d.Get("name").(string), "job"),
@@ -212,7 +221,8 @@ func ResourceJobDefinitionRead(ctx context.Context, d *schema.ResourceData, m in
 
 	for i, secret := range rawSecretRefs.Secrets {
 		secretRef := make(map[string]interface{})
-		secretRef["secret_id"] = secret.SecretManagerID
+		secretRef["secret_id"] = fmt.Sprintf("%s/%s", definition.Region, secret.SecretManagerID)
+		//secretRef["secret_id"] = secret.SecretManagerID
 		secretRef["secret_reference_id"] = secret.SecretID
 		secretRef["secret_version"] = secret.SecretManagerVersion
 
diff --git a/internal/services/jobs/definition_test.go b/internal/services/jobs/definition_test.go
@@ -245,6 +245,37 @@ func TestAccJobDefinition_SecretReference(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.1.environment", "SOME_ENV"),
 				),
 			},
+			{
+				Config: `
+					resource "scaleway_secret" "main" {
+					  name = "job-secret"
+					  path = "/one"
+					}
+					resource "scaleway_secret_version" "main" {
+  					  secret_id   = scaleway_secret.main.id
+					  data        = "your_secret"
+					}
+
+					resource scaleway_job_definition main {
+						name = "test-jobs-job-definition-secret"
+						cpu_limit = 120
+						memory_limit = 256
+						image_uri = "docker.io/alpine:latest"
+						secret_reference {
+							secret_id = scaleway_secret.main.id
+							secret_version = "latest"
+							file = "/home/dev/new_env"
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckJobDefinitionExists(tt, "scaleway_job_definition.main"),
+					acctest.CheckResourceAttrUUID("scaleway_job_definition.main", "id"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "name", "test-jobs-job-definition-secret"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/new_env"),
+				),
+			},
 		},
 	})
 }
@@ -371,11 +402,6 @@ func TestCreateJobDefinitionSecret(t *testing.T) {
 			SecretVersion: "1",
 			Environment:   "SOME_ENV",
 		},
-		{
-			SecretID:      "11111111-1111-1111-1111-111111111111",
-			SecretVersion: "1",
-			File:          "/home/dev/env",
-		},
 		{
 			SecretID:      "nl-ams/11111111-1111-1111-1111-111111111111",
 			SecretVersion: "1",
@@ -388,5 +414,5 @@ func TestCreateJobDefinitionSecret(t *testing.T) {
 	jobID := "22222222-2222-2222-2222-222222222222"
 
 	err := jobs.CreateJobDefinitionSecret(jobSecrets, api, region, jobID)
-	assert.ErrorContains(t, err, fmt.Sprintf("the secret id %s does not appear to be in the same region as the job definition id %s", jobSecrets[2].SecretID, jobID))
+	assert.ErrorContains(t, err, fmt.Sprintf("the secret id %s does not appear to be in the same region as the job definition id %s", jobSecrets[1].SecretID, jobID))
 }
diff --git a/internal/services/jobs/helpers.go b/internal/services/jobs/helpers.go
@@ -143,10 +143,10 @@ func CreateJobDefinitionSecret(jobSecrets []JobDefinitionSecret, api *jobs.API,
 
 		secretRegion, secretID, err := regional.ParseID(parsedSecretRef.SecretID)
 		if err != nil {
-			secretID = parsedSecretRef.SecretID
+			return fmt.Errorf("the secret id %s is not a valid regional UUID", parsedSecretRef.SecretID)
 		}
 
-		if secretRegion != "" && secretRegion != region {
+		if secretRegion != region {
 			return fmt.Errorf("the secret id %s does not appear to be in the same region as the job definition id %s", parsedSecretRef.SecretID, jobID)
 		}
 
diff --git a/internal/services/jobs/testdata/job-definition-secret-reference.cassette.yaml b/internal/services/jobs/testdata/job-definition-secret-reference.cassette.yaml
diff --git a/internal/services/jobs/testdata/job-definition-wrong-secret-reference.cassette.yaml b/internal/services/jobs/testdata/job-definition-wrong-secret-reference.cassette.yaml

Original file line number	Diff line number	Diff line change
`@@ -143,10 +143,10 @@ func CreateJobDefinitionSecret(jobSecrets []JobDefinitionSecret, api *jobs.API,`
`143`	`143`
`144`	`144`	`secretRegion, secretID, err := regional.ParseID(parsedSecretRef.SecretID)`
`145`	`145`	`if err != nil {`
`146`		`- secretID = parsedSecretRef.SecretID`
	`146`	`+ return fmt.Errorf("the secret id %s is not a valid regional UUID", parsedSecretRef.SecretID)`
`147`	`147`	`}`
`148`	`148`
`149`		`- if secretRegion != "" && secretRegion != region {`
	`149`	`+ if secretRegion != region {`
`150`	`150`	`return fmt.Errorf("the secret id %s does not appear to be in the same region as the job definition id %s", parsedSecretRef.SecretID, jobID)`
`151`	`151`	`}`
`152`	`152`