feat: add woodpecker_repository_secret resource (#7)

docs/resources/repository_secret.md

@@ -0,0 +1,55 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "woodpecker_repository_secret Resource - terraform-provider-woodpecker"
+subcategory: ""
+description: |-
+  This resource allows you to add/remove secrets that are only available to specific repositories. When applied, a new secret will be created. When destroyed, that secret will be removed. For more information see the Woodpecker docs https://woodpecker-ci.org/docs/usage/secrets.
+---
+
+# woodpecker_repository_secret (Resource)
+
+This resource allows you to add/remove secrets that are only available to specific repositories. When applied, a new secret will be created. When destroyed, that secret will be removed. For more information see [the Woodpecker docs](https://woodpecker-ci.org/docs/usage/secrets).
+
+## Example Usage
+
+```terraform
+resource "woodpecker_repository" "test_repo" {
+  full_name  = "Kichiyaki/test-repo"
+  is_trusted = true
+  visibility = "public"
+}
+
+resource "woodpecker_repository_secret" "test" {
+  repository_id = woodpecker_repository.test_repo.id
+  name          = "test"
+  value         = "test"
+  events        = ["cron", "deployment"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `events` (Set of String) events for which the secret is available (push, tag, pull_request, deployment, cron, manual)
+- `name` (String) the name of the secret
+- `repository_id` (Number) the ID of the repository
+- `value` (String, Sensitive) the value of the secret
+
+### Optional
+
+- `images` (Set of String) list of Docker images for which this secret is available, leave blank to allow all images
+- `plugins_only` (Boolean) whether secret is only available for [plugins](https://woodpecker-ci.org/docs/usage/plugins/plugins)
+
+### Read-Only
+
+- `id` (Number) the secret's id
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import woodpecker_repository_secret.test "<repository_id>/<name>"
+```

examples/resources/woodpecker_repository_secret/import.sh

@@ -0,0 +1 @@
+terraform import woodpecker_repository_secret.test "<repository_id>/<name>"

examples/resources/woodpecker_repository_secret/resource.tf

@@ -0,0 +1,12 @@
+resource "woodpecker_repository" "test_repo" {
+  full_name  = "Kichiyaki/test-repo"
+  is_trusted = true
+  visibility = "public"
+}
+
+resource "woodpecker_repository_secret" "test" {
+  repository_id = woodpecker_repository.test_repo.id
+  name          = "test"
+  value         = "test"
+  events        = ["cron", "deployment"]
+}

internal/models.go

@@ -153,3 +153,43 @@ func (m *repositoryModel) toWoodpeckerPatch(ctx context.Context) (*woodpecker.Re
 		AllowPull:  m.AllowPullRequests.ValueBoolPointer(),
 	}, nil
 }
+
+type repositorySecretResourceModel struct {
+	ID           types.Int64  `tfsdk:"id"`
+	RepositoryID types.Int64  `tfsdk:"repository_id"`
+	Name         types.String `tfsdk:"name"`
+	Value        types.String `tfsdk:"value"`
+	Images       types.Set    `tfsdk:"images"`
+	PluginsOnly  types.Bool   `tfsdk:"plugins_only"`
+	Events       types.Set    `tfsdk:"events"`
+}
+
+func (m *repositorySecretResourceModel) setValues(ctx context.Context, secret *woodpecker.Secret) diag.Diagnostics {
+	var diagsRes diag.Diagnostics
+	var diags diag.Diagnostics
+
+	m.ID = types.Int64Value(secret.ID)
+	m.Name = types.StringValue(secret.Name)
+	m.Images, diags = types.SetValueFrom(ctx, types.StringType, secret.Images)
+	diagsRes.Append(diags...)
+	m.PluginsOnly = types.BoolValue(secret.PluginsOnly)
+	m.Events, diags = types.SetValueFrom(ctx, types.StringType, secret.Events)
+	diagsRes.Append(diags...)
+
+	return diagsRes
+}
+
+func (m *repositorySecretResourceModel) toWoodpeckerModel(ctx context.Context) (*woodpecker.Secret, diag.Diagnostics) {
+	var diags diag.Diagnostics
+
+	secret := &woodpecker.Secret{
+		ID:          m.ID.ValueInt64(),
+		Name:        m.Name.ValueString(),
+		Value:       m.Value.ValueString(),
+		PluginsOnly: m.PluginsOnly.ValueBool(),
+	}
+	diags.Append(m.Images.ElementsAs(ctx, &secret.Images, false)...)
+	diags.Append(m.Events.ElementsAs(ctx, &secret.Events, false)...)
+
+	return secret, diags
+}

internal/provider.go

@@ -65,6 +65,7 @@ func (p *woodpeckerProvider) Resources(_ context.Context) []func() resource.Reso
 		newUserResource,
 		newSecretResource,
 		newRepositoryResource,
+		newRepositorySecretResource,
 	}
 }
 

internal/resource_repository_secret.go

@@ -0,0 +1,240 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/setvalidator"
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/setplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/woodpecker-ci/woodpecker/woodpecker-go/woodpecker"
+)
+
+type repositorySecretResource struct {
+	client woodpecker.Client
+}
+
+var _ resource.Resource = (*repositorySecretResource)(nil)
+var _ resource.ResourceWithConfigure = (*repositorySecretResource)(nil)
+var _ resource.ResourceWithImportState = (*repositorySecretResource)(nil)
+
+func newRepositorySecretResource() resource.Resource {
+	return &repositorySecretResource{}
+}
+
+func (r *repositorySecretResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_repository_secret"
+}
+
+func (r *repositorySecretResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		MarkdownDescription: "This resource allows you to add/remove secrets that are only available to specific repositories." +
+			" When applied, a new secret will be created." +
+			" When destroyed, that secret will be removed." +
+			" For more information see [the Woodpecker docs](https://woodpecker-ci.org/docs/usage/secrets).",
+		Attributes: map[string]schema.Attribute{
+			"id": schema.Int64Attribute{
+				Computed:    true,
+				Description: "the secret's id",
+				PlanModifiers: []planmodifier.Int64{
+					int64planmodifier.UseStateForUnknown(),
+				},
+			},
+			"repository_id": schema.Int64Attribute{
+				Required:    true,
+				Description: "the ID of the repository",
+				PlanModifiers: []planmodifier.Int64{
+					int64planmodifier.RequiresReplace(),
+				},
+			},
+			"name": schema.StringAttribute{
+				Required:    true,
+				Description: "the name of the secret",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"value": schema.StringAttribute{
+				Required:    true,
+				Description: "the value of the secret",
+				Sensitive:   true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"events": schema.SetAttribute{
+				ElementType: types.StringType,
+				Required:    true,
+				Description: "events for which the secret is available (push, tag, pull_request, deployment, cron, manual)",
+				Validators: []validator.Set{
+					setvalidator.ValueStringsAre(
+						stringvalidator.OneOfCaseInsensitive("push", "tag", "pull_request", "deployment", "cron", "manual"),
+					),
+				},
+				PlanModifiers: []planmodifier.Set{
+					setplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"plugins_only": schema.BoolAttribute{
+				Optional:            true,
+				Computed:            true,
+				MarkdownDescription: "whether secret is only available for [plugins](https://woodpecker-ci.org/docs/usage/plugins/plugins)",
+				PlanModifiers: []planmodifier.Bool{
+					boolplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"images": schema.SetAttribute{
+				ElementType: types.StringType,
+				Optional:    true,
+				Computed:    true,
+				Description: "list of Docker images for which this secret is available, leave blank to allow all images",
+				PlanModifiers: []planmodifier.Set{
+					setplanmodifier.UseStateForUnknown(),
+				},
+			},
+		},
+	}
+}
+
+func (r *repositorySecretResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	client, ok := req.ProviderData.(woodpecker.Client)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			fmt.Sprintf("Expected woodpecker.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	r.client = client
+}
+
+func (r *repositorySecretResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var data repositorySecretResourceModel
+
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	wData, diags := data.toWoodpeckerModel(ctx)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	secret, err := r.client.SecretCreate(data.RepositoryID.ValueInt64(), wData)
+	if err != nil {
+		resp.Diagnostics.AddError("Couldn't create secret", err.Error())
+		return
+	}
+
+	resp.Diagnostics.Append(data.setValues(ctx, secret)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *repositorySecretResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var data repositorySecretResourceModel
+
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	secret, err := r.client.Secret(data.RepositoryID.ValueInt64(), data.Name.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Couldn't get secret", err.Error())
+	}
+
+	resp.Diagnostics.Append(data.setValues(ctx, secret)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *repositorySecretResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var data repositorySecretResourceModel
+
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	wData, diags := data.toWoodpeckerModel(ctx)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	secret, err := r.client.SecretUpdate(data.RepositoryID.ValueInt64(), wData)
+	if err != nil {
+		resp.Diagnostics.AddError("Couldn't update secret", err.Error())
+		return
+	}
+
+	resp.Diagnostics.Append(data.setValues(ctx, secret)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *repositorySecretResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var data repositorySecretResourceModel
+
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if err := r.client.SecretDelete(data.RepositoryID.ValueInt64(), data.Name.ValueString()); err != nil {
+		resp.Diagnostics.AddError("Couldn't delete secret", err.Error())
+		return
+	}
+
+	resp.State.RemoveResource(ctx)
+}
+
+func (r *repositorySecretResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+	idParts := strings.Split(req.ID, "/")
+
+	if len(idParts) != 2 || idParts[0] == "" || idParts[1] == "" {
+		resp.Diagnostics.AddError(
+			"Unexpected Import Identifier",
+			fmt.Sprintf("Expected import identifier with format: repository_id/name. Got: %q", req.ID),
+		)
+		return
+	}
+
+	repoID, err := strconv.ParseInt(idParts[0], 10, 64)
+	if err != nil {
+		resp.Diagnostics.AddError("Invalid repository id", err.Error())
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("repository_id"), repoID)...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), idParts[1])...)
+}

internal/resource_repository_secret_test.go

@@ -0,0 +1,167 @@
+package internal_test
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"slices"
+	"strconv"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/woodpecker-ci/woodpecker/woodpecker-go/woodpecker"
+)
+
+func TestRepositorySecretResource(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		repo := activateRepo(t, createRepo(t))
+
+		name := uuid.NewString()
+		newName := uuid.NewString()
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:                 func() { testAccPreCheck(t) },
+			ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+			CheckDestroy:             testAccCheckRepositorySecretResourceDestroy(repo.ID, name, newName),
+			Steps: []resource.TestStep{
+				{ // create secret
+					Config: fmt.Sprintf(`
+resource "woodpecker_repository_secret" "test_secret" {
+	repository_id = %d
+	name = "%s"
+	value = "test123"
+	events = ["push"]
+}
+`, repo.ID, name),
+					Check: resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", name),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "false"),
+					),
+				},
+				{ // update secret
+					Config: fmt.Sprintf(`
+resource "woodpecker_repository_secret" "test_secret" {
+	repository_id = %d
+	name = "%s"
+	value = "test123123"
+	events = ["push", "deployment"]
+	plugins_only = true
+	images = ["testimage"]
+}
+`, repo.ID, name),
+					Check: resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", name),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123123"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "deployment"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "true"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "images.*", "testimage"),
+					),
+				},
+				{ // update secret
+					Config: fmt.Sprintf(`
+resource "woodpecker_repository_secret" "test_secret" {
+	repository_id = %d
+	name = "%s"
+	value = "test123123"
+	events = ["push", "deployment", "cron"]
+}
+//`, repo.ID, name),
+					Check: resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", name),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123123"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "deployment"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "cron"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "true"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "images.*", "testimage"),
+					),
+				},
+				{ // import
+					ResourceName:            "woodpecker_repository_secret.test_secret",
+					ImportState:             true,
+					ImportStateId:           fmt.Sprintf("%d/%s", repo.ID, name),
+					ImportStateVerify:       true,
+					ImportStateVerifyIgnore: []string{"value"},
+				},
+				{ // replace secret
+					Config: fmt.Sprintf(`
+resource "woodpecker_repository_secret" "test_secret" {
+	repository_id = %d
+	name = "%s"
+	value = "test123New"
+	events = ["push"]
+}
+`, repo.ID, newName),
+					ConfigPlanChecks: resource.ConfigPlanChecks{
+						PreApply: []plancheck.PlanCheck{
+							plancheck.ExpectResourceAction("woodpecker_repository_secret.test_secret", plancheck.ResourceActionReplace),
+						},
+					},
+					Check: resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", newName),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123New"),
+						resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"),
+						resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "false"),
+					),
+				},
+			},
+		})
+	})
+
+	t.Run("ERR: incorrect event value", func(t *testing.T) {
+		t.Parallel()
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:                 func() { testAccPreCheck(t) },
+			ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(`
+resource "woodpecker_repository_secret" "test_secret" {
+	repository_id = 123
+	name = "%s"
+	value = "test123"
+	events = ["random"]
+}
+`, uuid.NewString()),
+					ExpectError: regexp.MustCompile(`Attribute events\[Value\("random"\)] value must be one of`),
+				},
+			},
+		})
+	})
+}
+
+func testAccCheckRepositorySecretResourceDestroy(repoID int64, names ...string) func(state *terraform.State) error {
+	return func(state *terraform.State) error {
+		secrets, err := woodpeckerClient.SecretList(repoID)
+		if err != nil {
+			return fmt.Errorf("couldn't list secrets: %w", err)
+		}
+
+		if slices.ContainsFunc(secrets, func(secret *woodpecker.Secret) bool {
+			return slices.Contains(names, secret.Name)
+		}) {
+			return errors.New("at least one of the created secrets isn't deleted")
+		}
+
+		return nil
+	}
+}

internal/resource_repository_test.go

@@ -233,3 +233,17 @@ func createRepo(tb testing.TB) *gitea.Repository {
 
 	return repo
 }
+
+func activateRepo(tb testing.TB, giteaRepo *gitea.Repository) *woodpecker.Repo {
+	tb.Helper()
+
+	repo, err := woodpeckerClient.RepoPost(giteaRepo.ID)
+	if err != nil {
+		tb.Fatalf("got unexpected error while activating repo: %s", err)
+	}
+	tb.Cleanup(func() {
+		_ = woodpeckerClient.RepoDel(repo.ID)
+	})
+
+	return repo
+}