access-token: handle ExpiresAt state transition (#123)

nicks · web-flow · commit a47d7544f924 · 2025-11-25T15:40:08.000-05:00
fixes #122 Signed-off-by: Nick Santos <nick.santos@docker.com>
diff --git a/internal/provider/resource_access_token.go b/internal/provider/resource_access_token.go
@@ -163,7 +163,7 @@ func (r *AccessTokenResource) Create(ctx context.Context, req resource.CreateReq
 		return
 	}
 
-	data = r.toModel(ctx, at)
+	data = r.toModel(ctx, at, nil)
 	if resp.Diagnostics.HasError() {
 		return
 	}
@@ -191,7 +191,7 @@ func (r *AccessTokenResource) Read(ctx context.Context, req resource.ReadRequest
 		return
 	}
 
-	fromAPI := r.toModel(ctx, at)
+	fromAPI := r.toModel(ctx, at, &fromState)
 	if resp.Diagnostics.HasError() {
 		return
 	}
@@ -230,15 +230,11 @@ func (r *AccessTokenResource) Update(ctx context.Context, req resource.UpdateReq
 		return
 	}
 
-	fromAPI := r.toModel(ctx, at)
+	fromAPI := r.toModel(ctx, at, &fromState)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	// The token is not returned by the API after initial creation,
-	// so we need to copy it from the state
-	fromAPI.Token = fromState.Token
-
 	resp.Diagnostics.Append(resp.State.Set(ctx, &fromAPI)...)
 }
 
@@ -261,14 +257,27 @@ func (r *AccessTokenResource) ImportState(ctx context.Context, req resource.Impo
 	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("uuid"), req.ID)...)
 }
 
-func (r *AccessTokenResource) toModel(ctx context.Context, at hubclient.AccessToken) AccessTokenResourceModel {
+func (r *AccessTokenResource) toModel(ctx context.Context, at hubclient.AccessToken, currentState *AccessTokenResourceModel) AccessTokenResourceModel {
 	scopes, _ := types.ListValueFrom(ctx, types.StringType, at.Scopes)
-	return AccessTokenResourceModel{
+	result := AccessTokenResourceModel{
 		UUID:       types.StringValue(at.UUID),
 		IsActive:   types.BoolValue(at.IsActive),
 		TokenLabel: types.StringValue(at.TokenLabel),
 		Scopes:     scopes,
 		Token:      types.StringValue(at.Token),
 		ExpiresAt:  types.StringValue(at.ExpiresAt),
 	}
+
+	// If the current state is null, keep it as null instead of changing to empty string.
+	if at.ExpiresAt == "" && currentState != nil && currentState.ExpiresAt.IsNull() {
+		result.ExpiresAt = types.StringNull()
+	}
+
+	// The token is not returned by the API after initial creation,
+	// so we need to copy it from the state
+	if currentState != nil {
+		result.Token = currentState.Token
+	}
+
+	return result
 }
diff --git a/internal/provider/resource_access_token_test.go b/internal/provider/resource_access_token_test.go
@@ -62,3 +62,36 @@ resource "docker_access_token" "test" {
   expires_at  = "2029-12-31T23:59:59Z"
 }
 `
+
+func TestAccessTokenResource_Upgrade(t *testing.T) {
+	config := `
+resource "docker_access_token" "test" {
+  token_label = "test-label"
+  scopes      = ["repo:read"]
+}
+`
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { testAccPreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				ExternalProviders: map[string]resource.ExternalProvider{
+					"docker": {
+						VersionConstraint: "0.4.1",
+						Source:            "docker/docker",
+					},
+				},
+				Config: config,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet("docker_access_token.test", "uuid"),
+				),
+			},
+			{
+				ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+				Config:                   config,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet("docker_access_token.test", "uuid"),
+				),
+			},
+		},
+	})
+}
