diff --git a/docs/resources/repository_secret.md b/docs/resources/repository_secret.md new file mode 100644 index 0000000..441365a --- /dev/null +++ b/docs/resources/repository_secret.md @@ -0,0 +1,55 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "woodpecker_repository_secret Resource - terraform-provider-woodpecker" +subcategory: "" +description: |- + This resource allows you to add/remove secrets that are only available to specific repositories. When applied, a new secret will be created. When destroyed, that secret will be removed. For more information see the Woodpecker docs https://woodpecker-ci.org/docs/usage/secrets. +--- + +# woodpecker_repository_secret (Resource) + +This resource allows you to add/remove secrets that are only available to specific repositories. When applied, a new secret will be created. When destroyed, that secret will be removed. For more information see [the Woodpecker docs](https://woodpecker-ci.org/docs/usage/secrets). + +## Example Usage + +```terraform +resource "woodpecker_repository" "test_repo" { + full_name = "Kichiyaki/test-repo" + is_trusted = true + visibility = "public" +} + +resource "woodpecker_repository_secret" "test" { + repository_id = woodpecker_repository.test_repo.id + name = "test" + value = "test" + events = ["cron", "deployment"] +} +``` + + +## Schema + +### Required + +- `events` (Set of String) events for which the secret is available (push, tag, pull_request, deployment, cron, manual) +- `name` (String) the name of the secret +- `repository_id` (Number) the ID of the repository +- `value` (String, Sensitive) the value of the secret + +### Optional + +- `images` (Set of String) list of Docker images for which this secret is available, leave blank to allow all images +- `plugins_only` (Boolean) whether secret is only available for [plugins](https://woodpecker-ci.org/docs/usage/plugins/plugins) + +### Read-Only + +- `id` (Number) the secret's id + +## Import + +Import is supported using the following syntax: + +```shell +terraform import woodpecker_repository_secret.test "/" +``` diff --git a/examples/resources/woodpecker_repository_secret/import.sh b/examples/resources/woodpecker_repository_secret/import.sh new file mode 100644 index 0000000..54f423d --- /dev/null +++ b/examples/resources/woodpecker_repository_secret/import.sh @@ -0,0 +1 @@ +terraform import woodpecker_repository_secret.test "/" diff --git a/examples/resources/woodpecker_repository_secret/resource.tf b/examples/resources/woodpecker_repository_secret/resource.tf new file mode 100644 index 0000000..61aa834 --- /dev/null +++ b/examples/resources/woodpecker_repository_secret/resource.tf @@ -0,0 +1,12 @@ +resource "woodpecker_repository" "test_repo" { + full_name = "Kichiyaki/test-repo" + is_trusted = true + visibility = "public" +} + +resource "woodpecker_repository_secret" "test" { + repository_id = woodpecker_repository.test_repo.id + name = "test" + value = "test" + events = ["cron", "deployment"] +} diff --git a/internal/models.go b/internal/models.go index 5a89b6b..f85d6f7 100644 --- a/internal/models.go +++ b/internal/models.go @@ -153,3 +153,43 @@ func (m *repositoryModel) toWoodpeckerPatch(ctx context.Context) (*woodpecker.Re AllowPull: m.AllowPullRequests.ValueBoolPointer(), }, nil } + +type repositorySecretResourceModel struct { + ID types.Int64 `tfsdk:"id"` + RepositoryID types.Int64 `tfsdk:"repository_id"` + Name types.String `tfsdk:"name"` + Value types.String `tfsdk:"value"` + Images types.Set `tfsdk:"images"` + PluginsOnly types.Bool `tfsdk:"plugins_only"` + Events types.Set `tfsdk:"events"` +} + +func (m *repositorySecretResourceModel) setValues(ctx context.Context, secret *woodpecker.Secret) diag.Diagnostics { + var diagsRes diag.Diagnostics + var diags diag.Diagnostics + + m.ID = types.Int64Value(secret.ID) + m.Name = types.StringValue(secret.Name) + m.Images, diags = types.SetValueFrom(ctx, types.StringType, secret.Images) + diagsRes.Append(diags...) + m.PluginsOnly = types.BoolValue(secret.PluginsOnly) + m.Events, diags = types.SetValueFrom(ctx, types.StringType, secret.Events) + diagsRes.Append(diags...) + + return diagsRes +} + +func (m *repositorySecretResourceModel) toWoodpeckerModel(ctx context.Context) (*woodpecker.Secret, diag.Diagnostics) { + var diags diag.Diagnostics + + secret := &woodpecker.Secret{ + ID: m.ID.ValueInt64(), + Name: m.Name.ValueString(), + Value: m.Value.ValueString(), + PluginsOnly: m.PluginsOnly.ValueBool(), + } + diags.Append(m.Images.ElementsAs(ctx, &secret.Images, false)...) + diags.Append(m.Events.ElementsAs(ctx, &secret.Events, false)...) + + return secret, diags +} diff --git a/internal/provider.go b/internal/provider.go index c40dd9c..779b4ee 100644 --- a/internal/provider.go +++ b/internal/provider.go @@ -65,6 +65,7 @@ func (p *woodpeckerProvider) Resources(_ context.Context) []func() resource.Reso newUserResource, newSecretResource, newRepositoryResource, + newRepositorySecretResource, } } diff --git a/internal/resource_repository_secret.go b/internal/resource_repository_secret.go new file mode 100644 index 0000000..139ca33 --- /dev/null +++ b/internal/resource_repository_secret.go @@ -0,0 +1,240 @@ +package internal + +import ( + "context" + "fmt" + "strconv" + "strings" + + "github.com/hashicorp/terraform-plugin-framework-validators/setvalidator" + "github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator" + "github.com/hashicorp/terraform-plugin-framework/path" + "github.com/hashicorp/terraform-plugin-framework/resource" + "github.com/hashicorp/terraform-plugin-framework/resource/schema" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/int64planmodifier" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/setplanmodifier" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier" + "github.com/hashicorp/terraform-plugin-framework/schema/validator" + "github.com/hashicorp/terraform-plugin-framework/types" + "github.com/woodpecker-ci/woodpecker/woodpecker-go/woodpecker" +) + +type repositorySecretResource struct { + client woodpecker.Client +} + +var _ resource.Resource = (*repositorySecretResource)(nil) +var _ resource.ResourceWithConfigure = (*repositorySecretResource)(nil) +var _ resource.ResourceWithImportState = (*repositorySecretResource)(nil) + +func newRepositorySecretResource() resource.Resource { + return &repositorySecretResource{} +} + +func (r *repositorySecretResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) { + resp.TypeName = req.ProviderTypeName + "_repository_secret" +} + +func (r *repositorySecretResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) { + resp.Schema = schema.Schema{ + MarkdownDescription: "This resource allows you to add/remove secrets that are only available to specific repositories." + + " When applied, a new secret will be created." + + " When destroyed, that secret will be removed." + + " For more information see [the Woodpecker docs](https://woodpecker-ci.org/docs/usage/secrets).", + Attributes: map[string]schema.Attribute{ + "id": schema.Int64Attribute{ + Computed: true, + Description: "the secret's id", + PlanModifiers: []planmodifier.Int64{ + int64planmodifier.UseStateForUnknown(), + }, + }, + "repository_id": schema.Int64Attribute{ + Required: true, + Description: "the ID of the repository", + PlanModifiers: []planmodifier.Int64{ + int64planmodifier.RequiresReplace(), + }, + }, + "name": schema.StringAttribute{ + Required: true, + Description: "the name of the secret", + PlanModifiers: []planmodifier.String{ + stringplanmodifier.RequiresReplace(), + }, + }, + "value": schema.StringAttribute{ + Required: true, + Description: "the value of the secret", + Sensitive: true, + PlanModifiers: []planmodifier.String{ + stringplanmodifier.UseStateForUnknown(), + }, + }, + "events": schema.SetAttribute{ + ElementType: types.StringType, + Required: true, + Description: "events for which the secret is available (push, tag, pull_request, deployment, cron, manual)", + Validators: []validator.Set{ + setvalidator.ValueStringsAre( + stringvalidator.OneOfCaseInsensitive("push", "tag", "pull_request", "deployment", "cron", "manual"), + ), + }, + PlanModifiers: []planmodifier.Set{ + setplanmodifier.UseStateForUnknown(), + }, + }, + "plugins_only": schema.BoolAttribute{ + Optional: true, + Computed: true, + MarkdownDescription: "whether secret is only available for [plugins](https://woodpecker-ci.org/docs/usage/plugins/plugins)", + PlanModifiers: []planmodifier.Bool{ + boolplanmodifier.UseStateForUnknown(), + }, + }, + "images": schema.SetAttribute{ + ElementType: types.StringType, + Optional: true, + Computed: true, + Description: "list of Docker images for which this secret is available, leave blank to allow all images", + PlanModifiers: []planmodifier.Set{ + setplanmodifier.UseStateForUnknown(), + }, + }, + }, + } +} + +func (r *repositorySecretResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) { + // Prevent panic if the provider has not been configured. + if req.ProviderData == nil { + return + } + + client, ok := req.ProviderData.(woodpecker.Client) + if !ok { + resp.Diagnostics.AddError( + "Unexpected Data Source Configure Type", + fmt.Sprintf("Expected woodpecker.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData), + ) + return + } + + r.client = client +} + +func (r *repositorySecretResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) { + var data repositorySecretResourceModel + + resp.Diagnostics.Append(req.Config.Get(ctx, &data)...) + if resp.Diagnostics.HasError() { + return + } + + wData, diags := data.toWoodpeckerModel(ctx) + resp.Diagnostics.Append(diags...) + if resp.Diagnostics.HasError() { + return + } + + secret, err := r.client.SecretCreate(data.RepositoryID.ValueInt64(), wData) + if err != nil { + resp.Diagnostics.AddError("Couldn't create secret", err.Error()) + return + } + + resp.Diagnostics.Append(data.setValues(ctx, secret)...) + if resp.Diagnostics.HasError() { + return + } + + resp.Diagnostics.Append(resp.State.Set(ctx, &data)...) +} + +func (r *repositorySecretResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) { + var data repositorySecretResourceModel + + resp.Diagnostics.Append(req.State.Get(ctx, &data)...) + if resp.Diagnostics.HasError() { + return + } + + secret, err := r.client.Secret(data.RepositoryID.ValueInt64(), data.Name.ValueString()) + if err != nil { + resp.Diagnostics.AddError("Couldn't get secret", err.Error()) + } + + resp.Diagnostics.Append(data.setValues(ctx, secret)...) + if resp.Diagnostics.HasError() { + return + } + + resp.Diagnostics.Append(resp.State.Set(ctx, &data)...) +} + +func (r *repositorySecretResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) { + var data repositorySecretResourceModel + + resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...) + if resp.Diagnostics.HasError() { + return + } + + wData, diags := data.toWoodpeckerModel(ctx) + resp.Diagnostics.Append(diags...) + if resp.Diagnostics.HasError() { + return + } + + secret, err := r.client.SecretUpdate(data.RepositoryID.ValueInt64(), wData) + if err != nil { + resp.Diagnostics.AddError("Couldn't update secret", err.Error()) + return + } + + resp.Diagnostics.Append(data.setValues(ctx, secret)...) + if resp.Diagnostics.HasError() { + return + } + + resp.Diagnostics.Append(resp.State.Set(ctx, &data)...) +} + +func (r *repositorySecretResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { + var data repositorySecretResourceModel + + resp.Diagnostics.Append(req.State.Get(ctx, &data)...) + if resp.Diagnostics.HasError() { + return + } + + if err := r.client.SecretDelete(data.RepositoryID.ValueInt64(), data.Name.ValueString()); err != nil { + resp.Diagnostics.AddError("Couldn't delete secret", err.Error()) + return + } + + resp.State.RemoveResource(ctx) +} + +func (r *repositorySecretResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) { + idParts := strings.Split(req.ID, "/") + + if len(idParts) != 2 || idParts[0] == "" || idParts[1] == "" { + resp.Diagnostics.AddError( + "Unexpected Import Identifier", + fmt.Sprintf("Expected import identifier with format: repository_id/name. Got: %q", req.ID), + ) + return + } + + repoID, err := strconv.ParseInt(idParts[0], 10, 64) + if err != nil { + resp.Diagnostics.AddError("Invalid repository id", err.Error()) + return + } + + resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("repository_id"), repoID)...) + resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), idParts[1])...) +} diff --git a/internal/resource_repository_secret_test.go b/internal/resource_repository_secret_test.go new file mode 100644 index 0000000..31c0578 --- /dev/null +++ b/internal/resource_repository_secret_test.go @@ -0,0 +1,167 @@ +package internal_test + +import ( + "errors" + "fmt" + "regexp" + "slices" + "strconv" + "testing" + + "github.com/google/uuid" + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/plancheck" + "github.com/hashicorp/terraform-plugin-testing/terraform" + "github.com/woodpecker-ci/woodpecker/woodpecker-go/woodpecker" +) + +func TestRepositorySecretResource(t *testing.T) { + t.Parallel() + + t.Run("OK", func(t *testing.T) { + t.Parallel() + + repo := activateRepo(t, createRepo(t)) + + name := uuid.NewString() + newName := uuid.NewString() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProtoV6ProviderFactories: testAccProtoV6ProviderFactories, + CheckDestroy: testAccCheckRepositorySecretResourceDestroy(repo.ID, name, newName), + Steps: []resource.TestStep{ + { // create secret + Config: fmt.Sprintf(` +resource "woodpecker_repository_secret" "test_secret" { + repository_id = %d + name = "%s" + value = "test123" + events = ["push"] +} +`, repo.ID, name), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", name), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "false"), + ), + }, + { // update secret + Config: fmt.Sprintf(` +resource "woodpecker_repository_secret" "test_secret" { + repository_id = %d + name = "%s" + value = "test123123" + events = ["push", "deployment"] + plugins_only = true + images = ["testimage"] +} +`, repo.ID, name), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", name), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123123"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "deployment"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "true"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "images.*", "testimage"), + ), + }, + { // update secret + Config: fmt.Sprintf(` +resource "woodpecker_repository_secret" "test_secret" { + repository_id = %d + name = "%s" + value = "test123123" + events = ["push", "deployment", "cron"] +} +//`, repo.ID, name), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", name), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123123"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "deployment"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "cron"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "true"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "images.*", "testimage"), + ), + }, + { // import + ResourceName: "woodpecker_repository_secret.test_secret", + ImportState: true, + ImportStateId: fmt.Sprintf("%d/%s", repo.ID, name), + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"value"}, + }, + { // replace secret + Config: fmt.Sprintf(` +resource "woodpecker_repository_secret" "test_secret" { + repository_id = %d + name = "%s" + value = "test123New" + events = ["push"] +} +`, repo.ID, newName), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("woodpecker_repository_secret.test_secret", plancheck.ResourceActionReplace), + }, + }, + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet("woodpecker_repository_secret.test_secret", "id"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "repository_id", strconv.FormatInt(repo.ID, 10)), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "name", newName), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "value", "test123New"), + resource.TestCheckTypeSetElemAttr("woodpecker_repository_secret.test_secret", "events.*", "push"), + resource.TestCheckResourceAttr("woodpecker_repository_secret.test_secret", "plugins_only", "false"), + ), + }, + }, + }) + }) + + t.Run("ERR: incorrect event value", func(t *testing.T) { + t.Parallel() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProtoV6ProviderFactories: testAccProtoV6ProviderFactories, + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(` +resource "woodpecker_repository_secret" "test_secret" { + repository_id = 123 + name = "%s" + value = "test123" + events = ["random"] +} +`, uuid.NewString()), + ExpectError: regexp.MustCompile(`Attribute events\[Value\("random"\)] value must be one of`), + }, + }, + }) + }) +} + +func testAccCheckRepositorySecretResourceDestroy(repoID int64, names ...string) func(state *terraform.State) error { + return func(state *terraform.State) error { + secrets, err := woodpeckerClient.SecretList(repoID) + if err != nil { + return fmt.Errorf("couldn't list secrets: %w", err) + } + + if slices.ContainsFunc(secrets, func(secret *woodpecker.Secret) bool { + return slices.Contains(names, secret.Name) + }) { + return errors.New("at least one of the created secrets isn't deleted") + } + + return nil + } +} diff --git a/internal/resource_repository_test.go b/internal/resource_repository_test.go index d050d30..7a28685 100644 --- a/internal/resource_repository_test.go +++ b/internal/resource_repository_test.go @@ -233,3 +233,17 @@ func createRepo(tb testing.TB) *gitea.Repository { return repo } + +func activateRepo(tb testing.TB, giteaRepo *gitea.Repository) *woodpecker.Repo { + tb.Helper() + + repo, err := woodpeckerClient.RepoPost(giteaRepo.ID) + if err != nil { + tb.Fatalf("got unexpected error while activating repo: %s", err) + } + tb.Cleanup(func() { + _ = woodpeckerClient.RepoDel(repo.ID) + }) + + return repo +}