[TF-24656] implement write only values for tfe_organization_run_task (#1646)

* trying to add WO value to resource

* add debug lines to troubleshoot for run task resource data

* Write acceptance test

* add config state check

* Update CHANGELOG.md

* trying to add WO value to resource

* add debug lines to troubleshoot for run task resource data

* Write acceptance test

* add config state check

* Update CHANGELOG.md

* clean up

* move isWriteOnlyValueInPrivateState to resourceOrgRunTask

* update function

* refactor complex if block

* whitespace

* comment out test

* remove commented out test

* add stuff back

* add to documentation

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update CHANGELOG.md

---------

Co-authored-by: uturunku1 <luces.huayhuaca@gmail.com>

Author: shwetamurali

CHANGELOG.md

@@ -21,6 +21,8 @@ ENHANCEMENTS:
 
 * resource/tfe_policy_set_parameter: Add `value_wo` write-only attribute, by @ctrombley ([#1641](https://github.com/hashicorp/terraform-provider-tfe/pull/1641))
 
+* resource/tfe_organization_run_task: Add `hmac_key_wo` write-only attribute, by @shwetamurali ([#1646](https://github.com/hashicorp/terraform-provider-tfe/pull/1646))
+
 ## v.0.64.0
 
 FEATURES:

internal/provider/resource_tfe_organization_run_task.go

@@ -5,11 +5,15 @@ package provider
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"strings"
 
 	tfe "github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -46,9 +50,10 @@ type modelTFEOrganizationRunTaskV0 struct {
 	Name         types.String `tfsdk:"name"`
 	Organization types.String `tfsdk:"organization"`
 	URL          types.String `tfsdk:"url"`
+	HMACKeyWO    types.String `tfsdk:"hmac_key_wo"`
 }
 
-func modelFromTFEOrganizationRunTask(v *tfe.RunTask, hmacKey types.String) modelTFEOrganizationRunTaskV0 {
+func modelFromTFEOrganizationRunTask(v *tfe.RunTask, hmacKey types.String, isWriteOnlyValue bool) modelTFEOrganizationRunTaskV0 {
 	result := modelTFEOrganizationRunTaskV0{
 		Category:     types.StringValue(v.Category),
 		Description:  types.StringValue(v.Description),
@@ -64,6 +69,11 @@ func modelFromTFEOrganizationRunTask(v *tfe.RunTask, hmacKey types.String) model
 		result.HMACKey = hmacKey
 	}
 
+	// Don't retrieve values if write-only is being used. Unset the hmac key field before updating the state.
+	if isWriteOnlyValue {
+		result.HMACKey = types.StringValue("")
+	}
+
 	return result
 }
 
@@ -131,6 +141,21 @@ func (r *resourceOrgRunTask) Schema(ctx context.Context, req resource.SchemaRequ
 				Optional:  true,
 				Computed:  true,
 				Default:   stringdefault.StaticString(""),
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("hmac_key_wo")),
+				},
+			},
+			"hmac_key_wo": schema.StringAttribute{
+				Optional:    true,
+				WriteOnly:   true,
+				Sensitive:   true,
+				Description: "HMAC key in write-only mode",
+				Validators: []validator.String{
+					stringvalidator.ConflictsWith(path.MatchRoot("hmac_key")),
+				},
+				PlanModifiers: []planmodifier.String{
+					&replaceHMACKeyWOPlanModifier{},
+				},
 			},
 			"enabled": schema.BoolAttribute{
 				Optional: true,
@@ -146,6 +171,67 @@ func (r *resourceOrgRunTask) Schema(ctx context.Context, req resource.SchemaRequ
 	}
 }
 
+func (r *resourceOrgRunTask) isWriteOnlyHMACKeyInPrivateState(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) bool {
+	storedValueWO, diags := req.Private.GetKey(ctx, "hmac_key_wo")
+	resp.Diagnostics.Append(diags...)
+	return len(storedValueWO) != 0
+}
+
+type replaceHMACKeyWOPlanModifier struct{}
+
+func (v *replaceHMACKeyWOPlanModifier) Description(ctx context.Context) string {
+	return "The resource will be replaced when the value of hmac_key_wo has changed"
+}
+
+func (v *replaceHMACKeyWOPlanModifier) MarkdownDescription(ctx context.Context) string {
+	return v.Description(ctx)
+}
+
+func (v *replaceHMACKeyWOPlanModifier) PlanModifyString(ctx context.Context, request planmodifier.StringRequest, response *planmodifier.StringResponse) {
+	// Write-only argument values cannot produce a Terraform plan difference. The prior state value for a write-only argument will always be null and the planned state value will also be null, therefore, it cannot produce a diff on its own. The one exception to this case is if the write-only argument is added to requires_replace during Plan Modification, in that case, the write-only argument will always cause a diff/trigger a resource recreation.
+	var configHMACKeyWO types.String
+	diag := request.Config.GetAttribute(ctx, path.Root("hmac_key_wo"), &configHMACKeyWO)
+	response.Diagnostics.Append(diag...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	storedHMACWO, diags := request.Private.GetKey(ctx, "hmac_key_wo")
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	if configHMACKeyWO.IsNull() {
+		if len(storedHMACWO) != 0 {
+			response.RequiresReplace = true
+		}
+		return
+	}
+
+	if len(storedHMACWO) == 0 {
+		log.Printf("[DEBUG] Replacing resource because `hmac_key_wo` attribute has been added to a pre-existing variable resource")
+		response.RequiresReplace = true
+		return
+	}
+
+	var hashedStoredHMACWO string
+	err := json.Unmarshal(storedHMACWO, &hashedStoredHMACWO)
+	if err != nil {
+		response.Diagnostics.AddError("Error unmarshalling stored hmac_key_wo", err.Error())
+		return
+	}
+
+	hashedConfigHMACKeyWO := generateSHA256Hash(configHMACKeyWO.ValueString())
+
+	// when an ephemeral value is being used, they will generate a new token on every run.
+	// So the previous hmac_key_wo will not match the current one.
+	if hashedStoredHMACWO != hashedConfigHMACKeyWO {
+		log.Printf("[DEBUG] Replacing resource because the value of `hmac_key_wo` attribute has changed")
+		response.RequiresReplace = true
+	}
+}
+
 func (r *resourceOrgRunTask) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
 	var state modelTFEOrganizationRunTaskV0
 
@@ -168,8 +254,12 @@ func (r *resourceOrgRunTask) Read(ctx context.Context, req resource.ReadRequest,
 		return
 	}
 
-	result := modelFromTFEOrganizationRunTask(task, state.HMACKey)
-
+	isWriteOnlyValue := r.isWriteOnlyHMACKeyInPrivateState(ctx, req, resp) // to avoid reading from written-only values
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	// update state
+	result := modelFromTFEOrganizationRunTask(task, state.HMACKey, isWriteOnlyValue)
 	// Save updated data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 }
@@ -183,6 +273,13 @@ func (r *resourceOrgRunTask) Create(ctx context.Context, req resource.CreateRequ
 		return
 	}
 
+	var config modelTFEOrganizationRunTaskV0
+	diags := req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
 	var organization string
 	resp.Diagnostics.Append(r.config.dataOrDefaultOrganization(ctx, req.Plan, &organization)...)
 
@@ -194,19 +291,34 @@ func (r *resourceOrgRunTask) Create(ctx context.Context, req resource.CreateRequ
 		Name:        plan.Name.ValueString(),
 		URL:         plan.URL.ValueString(),
 		Category:    plan.Category.ValueString(),
-		HMACKey:     plan.HMACKey.ValueStringPointer(),
 		Enabled:     plan.Enabled.ValueBoolPointer(),
 		Description: plan.Description.ValueStringPointer(),
 	}
 
+	if !config.HMACKeyWO.IsNull() {
+		options.HMACKey = config.HMACKeyWO.ValueStringPointer()
+	} else {
+		options.HMACKey = plan.HMACKey.ValueStringPointer()
+	}
+
 	tflog.Debug(ctx, fmt.Sprintf("Create task %s for organization: %s", options.Name, organization))
 	task, err := r.config.Client.RunTasks.Create(ctx, organization, options)
 	if err != nil {
 		resp.Diagnostics.AddError("Unable to create organization task", err.Error())
 		return
 	}
 
-	result := modelFromTFEOrganizationRunTask(task, plan.HMACKey)
+	result := modelFromTFEOrganizationRunTask(task, plan.HMACKey, !config.HMACKeyWO.IsNull())
+	if !config.HMACKeyWO.IsNull() {
+		// Use the resource's private state to store secure hashes of write-only argument values, the provider during planmodify will use the hash to determine if a write-only argument value has changed in later Terraform runs.
+		hashedValue := generateSHA256Hash(config.HMACKeyWO.ValueString())
+		diags := resp.Private.SetKey(ctx, "hmac_key_wo", fmt.Appendf(nil, `"%s"`, hashedValue))
+		resp.Diagnostics.Append(diags...)
+	} else {
+		// if the key is not configured as write-only, then remove HMACKeyWO key from private state. Setting a key with an empty byte slice is interpreted by the framework as a request to remove the key from the ProviderData map.
+		diags := resp.Private.SetKey(ctx, "hmac_key_wo", []byte(""))
+		resp.Diagnostics.Append(diags...)
+	}
 
 	// Save data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
@@ -228,6 +340,13 @@ func (r *resourceOrgRunTask) Update(ctx context.Context, req resource.UpdateRequ
 		return
 	}
 
+	var config modelTFEOrganizationRunTaskV0
+	diags := req.Config.Get(ctx, &config)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
 	options := tfe.RunTaskUpdateOptions{
 		Name:        plan.Name.ValueStringPointer(),
 		URL:         plan.URL.ValueStringPointer(),
@@ -245,13 +364,15 @@ func (r *resourceOrgRunTask) Update(ctx context.Context, req resource.UpdateRequ
 	taskID := plan.ID.ValueString()
 
 	tflog.Debug(ctx, fmt.Sprintf("Update task %s", taskID))
+
 	task, err := r.config.Client.RunTasks.Update(ctx, taskID, options)
 	if err != nil {
 		resp.Diagnostics.AddError("Unable to update organization task", err.Error())
 		return
 	}
 
-	result := modelFromTFEOrganizationRunTask(task, plan.HMACKey)
+	result := modelFromTFEOrganizationRunTask(task, plan.HMACKey, !config.HMACKeyWO.IsNull())
+	r.updatePrivateState(ctx, resp, config.HMACKeyWO)
 
 	// Save data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
@@ -304,7 +425,22 @@ func (r *resourceOrgRunTask) ImportState(ctx context.Context, req resource.Impor
 		)
 	} else {
 		// We can never import the HMACkey (Write-only) so assume it's the default (empty)
-		result := modelFromTFEOrganizationRunTask(task, types.StringValue(""))
+		result := modelFromTFEOrganizationRunTask(task, types.StringValue(""), false)
 		resp.Diagnostics.Append(resp.State.Set(ctx, &result)...)
 	}
 }
+
+func (r *resourceOrgRunTask) updatePrivateState(ctx context.Context, resp *resource.UpdateResponse, configHMACKeyWO types.String) {
+	if !configHMACKeyWO.IsNull() {
+		// Use the resource's private state to store secure hashes of write-only argument values, planModify will use the hash to determine if a write-only argument value has changed in later Terraform runs.
+		hashedValue := generateSHA256Hash(configHMACKeyWO.ValueString())
+		diags := resp.Private.SetKey(ctx, "hmac_key_wo", fmt.Appendf(nil, `"%s"`, hashedValue))
+		resp.Diagnostics.Append(diags...)
+	} else {
+		// if key is not configured as write-only, remove hmacKeyWO key from private state
+		diags := resp.Private.SetKey(ctx, "hmac_key_wo", []byte(""))
+		resp.Diagnostics.Append(diags...)
+	}
+}
+
+var _ planmodifier.String = &replaceHMACKeyWOPlanModifier{}

internal/provider/resource_tfe_organization_run_task_test.go

@@ -11,8 +11,11 @@ import (
 	"time"
 
 	tfe "github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/terraform-plugin-testing/compare"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestAccTFEOrganizationRunTask_validateSchemaAttributeUrl(t *testing.T) {
@@ -184,6 +187,70 @@ func TestAccTFEOrganizationRunTask_Read(t *testing.T) {
 	})
 }
 
+func TestAccTFEOrganizationRunTask_HMACWriteOnly(t *testing.T) {
+	skipUnlessRunTasksDefined(t)
+
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	org, orgCleanup := createBusinessOrganization(t, tfeClient)
+	t.Cleanup(orgCleanup)
+
+	runTask := &tfe.RunTask{}
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+
+	// Create the value comparer so we can add state values to it during the test steps
+	compareValuesDiffer := statecheck.CompareValue(compare.ValuesDiffer())
+
+	// Note - We cannot easily test updating the HMAC Key as that would require coordination between this test suite
+	// and the external Run Task service to "magically" allow a different Key. Instead we "update" with the same key
+	// and manually test HMAC Key changes.
+	hmacKey := runTasksHMACKey()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV5ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFEOrganizationRunTaskDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccTFEOrganizationRunTask_hmacAndHMACWriteOnly(org.Name, rInt, runTasksURL()),
+				ExpectError: regexp.MustCompile(`Attribute "hmac_key_wo" cannot be specified when "hmac_key" is specified`),
+			},
+			{
+				Config: testAccTFEOrganizationRunTask_hmacWriteOnly(org.Name, rInt, runTasksURL(), hmacKey),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEOrganizationRunTaskExists("tfe_organization_run_task.foobar", runTask),
+					resource.TestCheckResourceAttr("tfe_organization_run_task.foobar", "hmac_key", ""),
+					resource.TestCheckNoResourceAttr("tfe_organization_run_task.foobar", "hmac_key_wo"),
+				),
+				// Register the id with the value comparer so we can assert that the
+				// resource has been replaced in the next step.
+				ConfigStateChecks: []statecheck.StateCheck{
+					compareValuesDiffer.AddStateValue(
+						"tfe_organization_run_task.foobar", tfjsonpath.New("id"),
+					),
+				},
+			},
+			{
+				Config: testAccTFEOrganizationRunTask_basic(org.Name, rInt, runTasksURL(), hmacKey),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEOrganizationRunTaskExists("tfe_organization_run_task.foobar", runTask),
+					resource.TestCheckResourceAttr("tfe_organization_run_task.foobar", "hmac_key", hmacKey),
+					resource.TestCheckNoResourceAttr("tfe_organization_run_task.foobar", "hmac_key_wo"),
+				),
+				// Ensure that the resource has been replaced
+				ConfigStateChecks: []statecheck.StateCheck{
+					compareValuesDiffer.AddStateValue(
+						"tfe_organization_run_task.foobar", tfjsonpath.New("id"),
+					),
+				},
+			},
+		},
+	})
+}
+
 func testAccCheckTFEOrganizationRunTaskExists(n string, runTask *tfe.RunTask) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		config := testAccProvider.Meta().(ConfiguredClient)
@@ -256,3 +323,28 @@ func testAccTFEOrganizationRunTask_update(orgName string, rInt int, runTaskURL,
 	}
 `, orgName, runTaskURL, rInt, runTaskHMACKey)
 }
+
+func testAccTFEOrganizationRunTask_hmacWriteOnly(orgName string, rInt int, runTaskURL, runTaskHMACKey string) string {
+	return fmt.Sprintf(`
+	resource "tfe_organization_run_task" "foobar" {
+		organization = "%s"
+		url          = "%s"
+		name         = "foobar-task-%d"
+		enabled      = false
+		hmac_key_wo  = "%s"
+	}
+	`, orgName, runTaskURL, rInt, runTaskHMACKey)
+}
+
+func testAccTFEOrganizationRunTask_hmacAndHMACWriteOnly(orgName string, rInt int, runTaskURL string) string {
+	return fmt.Sprintf(`
+	resource "tfe_organization_run_task" "foobar" {
+		organization = "%s"
+		url          = "%s"
+		name         = "foobar-task-%d"
+		enabled      = false
+		hmac_key     = "foo"
+		hmac_key_wo  = "foo"
+	}
+	`, orgName, runTaskURL, rInt)
+}

website/docs/r/organization_run_task.html.markdown

@@ -49,3 +49,4 @@ import ID. For example:
 ```shell
 terraform import tfe_organization_run_task.test my-org-name/task-name
 ```
+-> **Note:** Write-Only argument `hmac_key_wo` is available to use in place of `hmac_key`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/v1.11.x/resources/ephemeral#write-only-arguments).