azurerm_mssql_job_credential - add password_wo, password_wo_version and split create/update (#28808)

sreallymatt · web-flow · commit df7190c4a44e · 2025-02-24T08:24:48.000-07:00
* add write-only password attr and split create/update

* add note to docs
diff --git a/internal/services/mssql/mssql_job_credential_resource.go b/internal/services/mssql/mssql_job_credential_resource.go
@@ -8,22 +8,25 @@ import (
 	"log"
 	"time"
 
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/lang/response"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/sql/2023-08-01-preview/jobcredentials"
+	"github.com/hashicorp/go-cty/cty"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/parse"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/timeouts"
-	"github.com/hashicorp/terraform-provider-azurerm/utils"
 )
 
 func resourceMsSqlJobCredential() *pluginsdk.Resource {
 	return &pluginsdk.Resource{
-		Create: resourceMsSqlJobCredentialCreateUpdate,
+		Create: resourceMsSqlJobCredentialCreate,
 		Read:   resourceMsSqlJobCredentialRead,
-		Update: resourceMsSqlJobCredentialCreateUpdate,
+		Update: resourceMsSqlJobCredentialUpdate,
 		Delete: resourceMsSqlJobCredentialDelete,
 
 		Importer: pluginsdk.ImporterValidatingResourceId(func(id string) error {
@@ -38,6 +41,10 @@ func resourceMsSqlJobCredential() *pluginsdk.Resource {
 			Delete: pluginsdk.DefaultTimeout(60 * time.Minute),
 		},
 
+		ValidateRawResourceConfigFuncs: []schema.ValidateRawResourceConfigFunc{
+			validation.PreferWriteOnlyAttribute(cty.GetAttrPath("password"), cty.GetAttrPath("password_wo")),
+		},
+
 		Schema: map[string]*pluginsdk.Schema{
 			"name": {
 				Type:     pluginsdk.TypeString,
@@ -58,17 +65,32 @@ func resourceMsSqlJobCredential() *pluginsdk.Resource {
 			},
 
 			"password": {
-				Type:      pluginsdk.TypeString,
-				Required:  true,
-				Sensitive: true,
+				Type:          pluginsdk.TypeString,
+				Optional:      true,
+				Sensitive:     true,
+				ConflictsWith: []string{"password_wo"},
+				ExactlyOneOf:  []string{"password", "password_wo"},
+			},
+			"password_wo": {
+				Type:          pluginsdk.TypeString,
+				Optional:      true,
+				WriteOnly:     true,
+				RequiredWith:  []string{"password_wo_version"},
+				ConflictsWith: []string{"password"},
+				ExactlyOneOf:  []string{"password_wo", "password"},
+			},
+			"password_wo_version": {
+				Type:         pluginsdk.TypeInt,
+				Optional:     true,
+				RequiredWith: []string{"password_wo"},
 			},
 		},
 	}
 }
 
-func resourceMsSqlJobCredentialCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+func resourceMsSqlJobCredentialCreate(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).MSSQL.JobCredentialsClient
-	ctx, cancel := timeouts.ForCreateUpdate(meta.(*clients.Client).StopContext, d)
+	ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
 	log.Printf("[INFO] preparing arguments for Job Credential creation.")
@@ -79,39 +101,95 @@ func resourceMsSqlJobCredentialCreateUpdate(d *pluginsdk.ResourceData, meta inte
 	}
 	jobCredentialId := jobcredentials.NewCredentialID(jaId.SubscriptionId, jaId.ResourceGroupName, jaId.ServerName, jaId.JobAgentName, d.Get("name").(string))
 
-	username := d.Get("username").(string)
-	password := d.Get("password").(string)
+	existing, err := client.Get(ctx, jobCredentialId)
+	if err != nil && !response.WasNotFound(existing.HttpResponse) {
+		return fmt.Errorf("checking for presence of existing %s: %+v", jobCredentialId, err)
+	}
 
-	if d.IsNewResource() {
-		existing, err := client.Get(ctx, jobCredentialId)
-		if err != nil {
-			if !response.WasNotFound(existing.HttpResponse) {
-				return fmt.Errorf("checking for presence of existing MsSql %s: %+v", jobCredentialId, err)
-			}
-		}
+	if !response.WasNotFound(existing.HttpResponse) {
+		return tf.ImportAsExistsError("azurerm_mssql_job_credential", jobCredentialId.ID())
+	}
 
-		if !response.WasNotFound(existing.HttpResponse) {
-			return tf.ImportAsExistsError("azurerm_mssql_job_credential", jobCredentialId.ID())
-		}
+	woPassword, err := pluginsdk.GetWriteOnly(d, "password_wo", cty.String)
+	if err != nil {
+		return err
+	}
+
+	password := d.Get("password").(string)
+	if !woPassword.IsNull() {
+		password = woPassword.AsString()
 	}
 
 	jobCredential := jobcredentials.JobCredential{
-		Name: utils.String(jobCredentialId.CredentialName),
+		Name: pointer.To(jobCredentialId.CredentialName),
 		Properties: &jobcredentials.JobCredentialProperties{
-			Username: username,
+			Username: d.Get("username").(string),
 			Password: password,
 		},
 	}
 
 	if _, err := client.CreateOrUpdate(ctx, jobCredentialId, jobCredential); err != nil {
-		return fmt.Errorf("creating MsSql %s: %+v", jobCredentialId, err)
+		return fmt.Errorf("creating %s: %+v", jobCredentialId, err)
 	}
 
 	d.SetId(jobCredentialId.ID())
 
 	return resourceMsSqlJobCredentialRead(d, meta)
 }
 
+func resourceMsSqlJobCredentialUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+	client := meta.(*clients.Client).MSSQL.JobCredentialsClient
+	ctx, cancel := timeouts.ForUpdate(meta.(*clients.Client).StopContext, d)
+	defer cancel()
+
+	log.Printf("[INFO] preparing arguments for Job Credential update.")
+
+	jaId, err := jobcredentials.ParseJobAgentID(d.Get("job_agent_id").(string))
+	if err != nil {
+		return err
+	}
+	jobCredentialId := jobcredentials.NewCredentialID(jaId.SubscriptionId, jaId.ResourceGroupName, jaId.ServerName, jaId.JobAgentName, d.Get("name").(string))
+
+	existing, err := client.Get(ctx, jobCredentialId)
+	if err != nil {
+		return fmt.Errorf("retrieving %s: %+v", jobCredentialId, err)
+	}
+
+	if existing.Model == nil {
+		return fmt.Errorf("retrieving %s: `model` was nil", jobCredentialId)
+	}
+
+	if existing.Model.Properties == nil {
+		return fmt.Errorf("retrieving %s: `model.Properties` was nil", jobCredentialId)
+	}
+	payload := existing.Model
+
+	if d.HasChange("username") {
+		payload.Properties.Username = d.Get("username").(string)
+	}
+
+	if d.HasChange("password") {
+		payload.Properties.Password = d.Get("password").(string)
+	}
+
+	if d.HasChange("password_wo_version") {
+		woPassword, err := pluginsdk.GetWriteOnly(d, "password_wo", cty.String)
+		if err != nil {
+			return err
+		}
+
+		if !woPassword.IsNull() {
+			payload.Properties.Password = woPassword.AsString()
+		}
+	}
+
+	if _, err := client.CreateOrUpdate(ctx, jobCredentialId, *payload); err != nil {
+		return fmt.Errorf("updating %s: %+v", jobCredentialId, err)
+	}
+
+	return resourceMsSqlJobCredentialRead(d, meta)
+}
+
 func resourceMsSqlJobCredentialRead(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).MSSQL.JobCredentialsClient
 	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
@@ -140,6 +218,9 @@ func resourceMsSqlJobCredentialRead(d *pluginsdk.ResourceData, meta interface{})
 			d.Set("username", props.Username)
 		}
 	}
+
+	d.Set("password_wo_version", d.Get("password_wo_version").(int))
+
 	return nil
 }
 
diff --git a/internal/services/mssql/mssql_job_credential_resource_test.go b/internal/services/mssql/mssql_job_credential_resource_test.go
@@ -11,9 +11,13 @@ import (
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/lang/response"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/sql/2023-08-01-preview/jobcredentials"
+	"github.com/hashicorp/go-version"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/provider/framework"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
 )
 
@@ -71,6 +75,59 @@ func TestAccMsSqlJobCredential_update(t *testing.T) {
 	})
 }
 
+func TestAccMsSqlJobCredential_writeOnlyPassword(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_mssql_job_credential", "test")
+	r := MsSqlJobCredentialResource{}
+
+	resource.ParallelTest(t, resource.TestCase{
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(version.Must(version.NewVersion("1.11.0"))),
+		},
+		ProtoV5ProviderFactories: framework.ProtoV5ProviderFactoriesInit(context.Background(), "azurerm"),
+		Steps: []resource.TestStep{
+			{
+				Config: r.writeOnlyPassword(data, "secret", 1),
+				Check:  check.That(data.ResourceName).ExistsInAzure(r),
+			},
+			data.ImportStep("password_wo_version"),
+			{
+				Config: r.writeOnlyPassword(data, "secretUpdate", 2),
+				Check:  check.That(data.ResourceName).ExistsInAzure(r),
+			},
+			data.ImportStep("password_wo_version"),
+		},
+	})
+}
+
+func TestAccMsSqlJobCredential_updateToWriteOnlyPassword(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_mssql_job_credential", "test")
+	r := MsSqlJobCredentialResource{}
+
+	resource.ParallelTest(t, resource.TestCase{
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(version.Must(version.NewVersion("1.11.0"))),
+		},
+		ProtoV5ProviderFactories: framework.ProtoV5ProviderFactoriesInit(context.Background(), "azurerm"),
+		Steps: []resource.TestStep{
+			{
+				Config: r.basic(data),
+				Check:  check.That(data.ResourceName).ExistsInAzure(r),
+			},
+			data.ImportStep("password"),
+			{
+				Config: r.writeOnlyPassword(data, "secret", 1),
+				Check:  check.That(data.ResourceName).ExistsInAzure(r),
+			},
+			data.ImportStep("password", "password_wo_version"),
+			{
+				Config: r.basic(data),
+				Check:  check.That(data.ResourceName).ExistsInAzure(r),
+			},
+			data.ImportStep("password"),
+		},
+	})
+}
+
 func (MsSqlJobCredentialResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := jobcredentials.ParseCredentialID(state.ID)
 	if err != nil {
@@ -88,46 +145,17 @@ func (MsSqlJobCredentialResource) Exists(ctx context.Context, client *clients.Cl
 	return pointer.To(resp.Model != nil), nil
 }
 
-func (MsSqlJobCredentialResource) basic(data acceptance.TestData) string {
+func (r MsSqlJobCredentialResource) basic(data acceptance.TestData) string {
 	return fmt.Sprintf(`
-provider "azurerm" {
-  features {}
-}
-
-resource "azurerm_resource_group" "test" {
-  name     = "acctestRG-jobcredential-%[1]d"
-  location = "%[2]s"
-}
-
-resource "azurerm_mssql_server" "test" {
-  name                         = "acctestmssqlserver%[1]d"
-  resource_group_name          = azurerm_resource_group.test.name
-  location                     = azurerm_resource_group.test.location
-  version                      = "12.0"
-  administrator_login          = "4dministr4t0r"
-  administrator_login_password = "superSecur3!!!"
-}
-
-resource "azurerm_mssql_database" "test" {
-  name      = "acctestmssqldb%[1]d"
-  server_id = azurerm_mssql_server.test.id
-  collation = "SQL_Latin1_General_CP1_CI_AS"
-  sku_name  = "S1"
-}
-
-resource "azurerm_mssql_job_agent" "test" {
-  name        = "acctestmssqljobagent%[1]d"
-  location    = azurerm_resource_group.test.location
-  database_id = azurerm_mssql_database.test.id
-}
+%s
 
 resource "azurerm_mssql_job_credential" "test" {
-  name         = "acctestmssqljobcredential%[1]d"
+  name         = "acctestmssqljobcredential%[2]d"
   job_agent_id = azurerm_mssql_job_agent.test.id
   username     = "test"
   password     = "test"
 }
-`, data.RandomInteger, data.Locations.Primary)
+`, r.template(data), data.RandomInteger)
 }
 
 func (r MsSqlJobCredentialResource) requiresImport(data acceptance.TestData) string {
@@ -143,7 +171,36 @@ resource "azurerm_mssql_job_credential" "import" {
 `, r.basic(data))
 }
 
-func (MsSqlJobCredentialResource) update(data acceptance.TestData) string {
+func (r MsSqlJobCredentialResource) update(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_mssql_job_credential" "test" {
+  name         = "acctestmssqljobcredential%[2]d"
+  job_agent_id = azurerm_mssql_job_agent.test.id
+  username     = "test1"
+  password     = "test1"
+}
+`, r.template(data), data.RandomInteger)
+}
+
+func (r MsSqlJobCredentialResource) writeOnlyPassword(data acceptance.TestData, secret string, version int) string {
+	return fmt.Sprintf(`
+%[1]s
+
+%[2]s
+
+resource "azurerm_mssql_job_credential" "test" {
+  name                = "acctestmssqljobcredential%[3]d"
+  job_agent_id        = azurerm_mssql_job_agent.test.id
+  username            = "test"
+  password_wo         = ephemeral.azurerm_key_vault_secret.test.value
+  password_wo_version = %[4]d
+}
+`, r.template(data), acceptance.WriteOnlyKeyVaultSecretTemplate(data, secret), data.RandomInteger, version)
+}
+
+func (MsSqlJobCredentialResource) template(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}
@@ -175,12 +232,5 @@ resource "azurerm_mssql_job_agent" "test" {
   location    = azurerm_resource_group.test.location
   database_id = azurerm_mssql_database.test.id
 }
-
-resource "azurerm_mssql_job_credential" "test" {
-  name         = "acctestmssqljobcredential%[1]d"
-  job_agent_id = azurerm_mssql_job_agent.test.id
-  username     = "test1"
-  password     = "test1"
-}
 `, data.RandomInteger, data.Locations.Primary)
 }
diff --git a/website/docs/r/mssql_job_credential.html.markdown b/website/docs/r/mssql_job_credential.html.markdown
@@ -56,9 +56,16 @@ The following arguments are supported:
 
 * `job_agent_id` - (Required) The ID of the Elastic Job Agent. Changing this forces a new Elastic Job Credential to be created.
 
-* `username` - (Required) The username part of the credential.
+* `username` - (Required) The username to use for this Elastic Job credential.
+
+* `password` - (Optional) The password to use for this Elastic Job credential.
+
+* `password_wo` - (Optional, Write-Only) The password to use for this Elastic Job credential.
+
+~> **Note:** One of `password` or `password_wo` must be specified.
+
+* `password_wo_version` - (Optional) An integer value used to trigger an update for `password_wo`. This property should be incremented when updating `password_wo`.
 
-* `password` - (Required) The password part of the credential.
 
 ## Attributes Reference
 
