feat(secret-version): resource secret version (#1815)

* feat(secret_versions): add resource secret version

* feat(secret-versions): add helpers and cassette test

* docs: secret version

* feat(secret_version): add option with_access and data encoded 64

* docs: secret version add options

* test: add cassettes

* feat(secret_versions): add helpers encode 64

* Update scaleway/helpers.go

Co-authored-by: Nathanael Demacon <[email protected]>

* fix: remove base64 test

* fix(secrets-versions): remove option update_with and make data base64 required

* chore: bump cassettes

* fix(secrets-version): update helpers

* docs: bump documentation

* feat(lb): add ips datasource (#1791)

* feat(lb): add ips datasource

* fix

* fix

* add support for returning multiple ips sharing the same prexif

* typo

* fix ci

* fix ci

* update cassette

* rename to ipv4Match

* fix

* match with cidr

* fix(domain): correctly check for NoSuchDNSZone error code (#1812)

* fix(baremetal): fix updating of name and description (#1826)

* docs: update index.md with new links for credentials and project ID (#1827)

* fix(secret-version): remove the base64 encoded restriction

* Update scaleway/helpers_secret.go

Co-authored-by: Nathanael Demacon <[email protected]>

* Update docs/resources/secret_version.md

Co-authored-by: Nathanael Demacon <[email protected]>

* Update docs/resources/secret_version.md

Co-authored-by: Nathanael Demacon <[email protected]>

* Update docs/resources/secret_version.md

Co-authored-by: Nathanael Demacon <[email protected]>

* Update scaleway/resource_secret_version.go

Co-authored-by: Nathanael Demacon <[email protected]>

---------

Co-authored-by: Nathanael Demacon <[email protected]>
Co-authored-by: Rémy Léone <[email protected]>
Co-authored-by: Yacine Fodil <[email protected]>
Co-authored-by: ndrpnt <[email protected]>
Co-authored-by: Jules Castéran <[email protected]>

Author: 6 people

docs/resources/secret_version.md

@@ -0,0 +1,68 @@
+---
+page_title: "Scaleway: scaleway_secret_version"
+description: |-
+Manages Scaleway Secret Versions
+---
+
+# scaleway_secret
+
+Creates and manages Scaleway Secret Versions.
+For more information, see [the documentation](https://developers.scaleway.com/en/products/secret_manager/api/v1alpha1/#secret-versions-079501).
+
+## Examples
+
+### Basic
+
+```hcl
+resource "scaleway_secret" "main" {
+  name        = "foo"
+  description = "barr"
+  tags        = ["foo", "terraform"]
+}
+
+resource "scaleway_secret_version" "v1" {
+  description = "version1"
+  secret_id   = scaleway_secret.main.id
+  data        = "my_new_secret"
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+- `secret_id` - (Required) The Secret ID associated wit the secret version.
+- `data` - (Optional) The data payload of the secret version. Must be no larger than 64KiB. (e.g. `my-secret-version-payload`). more on the [data section](#data)
+- `description` - (Optional) Description of the secret version (e.g. `my-new-description`).
+- `region` - (Defaults to [provider](../index.md#region) `region`) The [region](../guides/regions_and_zones.md#regions)
+  in which the resource exists.
+
+## Data
+
+Note: The `data` should be a base64 encoded string when sent from the API. **It is already handled by the provider so you don't need to encode it yourself.**
+
+Updating `data` will force creating a new the secret version.
+
+Be aware that this is a sensitive attribute. For more information, see [Sensitive Data in State](https://developer.hashicorp.com/terraform/language/state/sensitive-data).
+
+~> **Important:**  This property is sensitive and will not be displayed in the plan.
+
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `revision` - The revision for this Secret Version.
+- `status` - The status of the Secret Version.
+- `created_at` - Date and time of secret version's creation (RFC 3339 format).
+- `updated_at` - Date and time of secret version's last update (RFC 3339 format).
+
+## Import
+
+The Secret Version can be imported using the `{region}/{id}/{revision}`, e.g.
+
+~> **Important:** Be aware if you import with revision `latest` you will overwrite the version you used before.
+
+```bash
+$ terraform import scaleway_secret.main fr-par/11111111-1111-1111-1111-111111111111/2
+```

scaleway/helpers_secret.go

@@ -1,6 +1,7 @@
 package scaleway
 
 import (
+	"encoding/base64"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -35,3 +36,28 @@ func secretAPIWithRegionAndID(m interface{}, id string) (*secret.API, scw.Region
 	}
 	return api, region, id, nil
 }
+
+// secretVersionAPIWithRegionAndID returns a Secret API with locality and Nested ID extracted from the state
+func secretVersionAPIWithRegionAndID(m interface{}, id string) (*secret.API, scw.Region, string, string, error) {
+	meta := m.(*Meta)
+
+	region, id, revision, err := parseLocalizedNestedID(id)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+
+	api := secret.NewAPI(meta.scwClient)
+	return api, scw.Region(region), id, revision, nil
+}
+
+func isBase64Encoded(data []byte) bool {
+	_, err := base64.StdEncoding.DecodeString(string(data))
+	return err == nil
+}
+
+func base64Encoded(data []byte) string {
+	if isBase64Encoded(data) {
+		return string(data)
+	}
+	return base64.StdEncoding.EncodeToString(data)
+}

scaleway/provider.go

@@ -151,6 +151,7 @@ func Provider(config *ProviderConfig) plugin.ProviderFunc {
 				"scaleway_mnq_namespace":                       resourceScalewayMNQNamespace(),
 				"scaleway_mnq_credential":                      resourceScalewayMNQCredential(),
 				"scaleway_secret":                              resourceScalewaySecret(),
+				"scaleway_secret_version":                      resourceScalewaySecretVersion(),
 				"scaleway_vpc_public_gateway":                  resourceScalewayVPCPublicGateway(),
 				"scaleway_vpc_gateway_network":                 resourceScalewayVPCGatewayNetwork(),
 				"scaleway_vpc_public_gateway_dhcp":             resourceScalewayVPCPublicGatewayDHCP(),

scaleway/resource_secret_version.go

@@ -0,0 +1,178 @@
+package scaleway
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	secret "github.com/scaleway/scaleway-sdk-go/api/secret/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+)
+
+func resourceScalewaySecretVersion() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceScalewaySecretVersionCreate,
+		ReadContext:   resourceScalewaySecretVersionRead,
+		UpdateContext: resourceScalewaySecretVersionUpdate,
+		DeleteContext: resourceScalewaySecretVersionDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Timeouts: &schema.ResourceTimeout{
+			Default: schema.DefaultTimeout(defaultSecretTimeout),
+		},
+		SchemaVersion: 0,
+		Schema: map[string]*schema.Schema{
+			"secret_id": {
+				Type:             schema.TypeString,
+				Required:         true,
+				Description:      "The secret ID associated with this version",
+				DiffSuppressFunc: diffSuppressFuncLocality,
+			},
+			"data": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The data payload of your secret version.",
+				Sensitive:   true,
+				ForceNew:    true,
+				StateFunc: func(i interface{}) string {
+					return base64Encoded([]byte(i.(string)))
+				},
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Description of the secret version",
+			},
+			"status": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Status of the secret version",
+			},
+			"revision": {
+				Type:        schema.TypeInt,
+				Computed:    true,
+				Description: "The revision of secret version",
+			},
+			"created_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date and time of secret version's creation (RFC 3339 format)",
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date and time of secret version's creation (RFC 3339 format)",
+			},
+			"region": regionSchema(),
+		},
+	}
+}
+
+func resourceScalewaySecretVersionCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api, region, err := secretAPIWithRegion(d, meta)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	secretID := expandID(d.Get("secret_id").(string))
+	payloadSecretRaw := []byte(d.Get("data").(string))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	secretCreateVersionRequest := &secret.CreateSecretVersionRequest{
+		Region:      region,
+		SecretID:    secretID,
+		Data:        payloadSecretRaw,
+		Description: expandStringPtr(d.Get("description")),
+	}
+
+	secretResponse, err := api.CreateSecretVersion(secretCreateVersionRequest, scw.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	_ = d.Set("data", base64Encoded(payloadSecretRaw))
+
+	d.SetId(newRegionalIDString(region, fmt.Sprintf("%s/%d", secretResponse.SecretID, secretResponse.Revision)))
+
+	return resourceScalewaySecretVersionRead(ctx, d, meta)
+}
+
+func resourceScalewaySecretVersionRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api, region, id, revision, err := secretVersionAPIWithRegionAndID(meta, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	secretResponse, err := api.GetSecretVersion(&secret.GetSecretVersionRequest{
+		Region:   region,
+		SecretID: id,
+		Revision: revision,
+	}, scw.WithContext(ctx))
+	if err != nil {
+		if is404Error(err) {
+			d.SetId("")
+			return nil
+		}
+		return diag.FromErr(err)
+	}
+
+	_ = d.Set("secret_id", newRegionalIDString(region, id))
+	_ = d.Set("description", flattenStringPtr(secretResponse.Description))
+	_ = d.Set("created_at", flattenTime(secretResponse.CreatedAt))
+	_ = d.Set("updated_at", flattenTime(secretResponse.UpdatedAt))
+	_ = d.Set("status", secretResponse.Status.String())
+	_ = d.Set("revision", int(secretResponse.Revision))
+	_ = d.Set("region", string(region))
+
+	return nil
+}
+
+func resourceScalewaySecretVersionUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api, region, id, revision, err := secretVersionAPIWithRegionAndID(meta, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	updateRequest := &secret.UpdateSecretVersionRequest{
+		Region:   region,
+		SecretID: id,
+		Revision: revision,
+	}
+
+	hasChanged := false
+
+	if d.HasChange("description") {
+		updateRequest.Description = expandUpdatedStringPtr(d.Get("description"))
+		hasChanged = true
+	}
+
+	if hasChanged {
+		_, err := api.UpdateSecretVersion(updateRequest, scw.WithContext(ctx))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
+	return resourceScalewaySecretVersionRead(ctx, d, meta)
+}
+
+func resourceScalewaySecretVersionDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api, region, id, revision, err := secretVersionAPIWithRegionAndID(meta, d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	_, err = api.DestroySecretVersion(&secret.DestroySecretVersionRequest{
+		Region:   region,
+		SecretID: id,
+		Revision: revision,
+	}, scw.WithContext(ctx))
+	if err != nil && !is404Error(err) {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}