Fix handling encrypted string values for config properties

Author: ottramst

CHANGELOG.md

@@ -1,3 +1,14 @@
+## v0.2.2
+
+BUG FIXES:
+
+* resource/config_property: Fixed "Provider produced inconsistent result after apply" error when managing `ENCRYPTEDSTRING` type properties. The provider now correctly handles the API's `HiddenDecryptedPropertyPlaceholder` response and preserves the configured value in state
+
+ENHANCEMENTS:
+
+* tests: Added acceptance test `TestAccConfigPropertyResource_EncryptedString_APIKey` to verify encrypted config property handling
+* docs: Removed read-only fields `include_children` and `global` from `dependencytrack_policy` resource example
+
 ## v0.2.1
 
 BREAKING CHANGES:
@@ -26,13 +37,6 @@ ENHANCEMENTS:
 * resource/user_team_membership: Works with managed, LDAP, and OIDC users
 * tests: Added acceptance tests for `dependencytrack_user_team_membership` resource using API key authentication
 
-BUG FIXES:
-
-* build: Fixed artifact path in GitHub workflow to use correct binary name `terraform-provider-dependencytrack`
-* build: Updated .gitignore to reflect correct binary name
-* module: Renamed Go module from `terraform-provider-dependency-track` to `terraform-provider-dependencytrack` for consistency
-* docs: Fixed GitHub repository URLs in CHANGELOG.md to use correct repository name
-
 ## v0.1.0
 
 FEATURES:

docs/resources/policy.md

@@ -14,11 +14,9 @@ Manages a Dependency-Track policy. Policies are used to automatically audit comp
 
 ```terraform
 resource "dependencytrack_policy" "example" {
-  name             = "Critical Vulnerabilities"
-  operator         = "ALL"
-  violation_state  = "FAIL"
-  include_children = true
-  global           = true
+  name            = "Critical Vulnerabilities"
+  operator        = "ALL"
+  violation_state = "FAIL"
 
   conditions = [
     {

examples/resources/dependencytrack_policy/resource.tf

@@ -1,9 +1,7 @@
 resource "dependencytrack_policy" "example" {
-  name             = "Critical Vulnerabilities"
-  operator         = "ALL"
-  violation_state  = "FAIL"
-  include_children = true
-  global           = true
+  name            = "Critical Vulnerabilities"
+  operator        = "ALL"
+  violation_state = "FAIL"
 
   conditions = [
     {

internal/provider/config_property_resource.go

@@ -153,7 +153,16 @@ func (r *ConfigPropertyResource) Create(ctx context.Context, req resource.Create
 
 	// Set the ID and all attributes in state
 	data.ID = types.StringValue(fmt.Sprintf("%s/%s", updatedProp.GroupName, updatedProp.Name))
-	data.Value = types.StringValue(updatedProp.Value)
+
+	// For encrypted properties, the API returns a placeholder instead of the actual value
+	// We need to preserve the configured value in state
+	if updatedProp.Type == "ENCRYPTEDSTRING" && updatedProp.Value == "HiddenDecryptedPropertyPlaceholder" {
+		// Keep the configured value that was set in data.Value
+		// Don't update it with the placeholder from the API
+	} else {
+		data.Value = types.StringValue(updatedProp.Value)
+	}
+
 	data.Type = types.StringValue(updatedProp.Type)
 	data.Description = types.StringValue(updatedProp.Description)
 
@@ -181,7 +190,15 @@ func (r *ConfigPropertyResource) Read(ctx context.Context, req resource.ReadRequ
 		return
 	}
 
-	data.Value = types.StringValue(prop.Value)
+	// For encrypted properties, the API returns a placeholder instead of the actual value
+	// We need to preserve the existing state value
+	if prop.Type == "ENCRYPTEDSTRING" && prop.Value == "HiddenDecryptedPropertyPlaceholder" {
+		// Keep the existing value from state (data.Value)
+		// Don't update it with the placeholder from the API
+	} else {
+		data.Value = types.StringValue(prop.Value)
+	}
+
 	data.Type = types.StringValue(prop.Type)
 	data.Description = types.StringValue(prop.Description)
 
@@ -217,7 +234,15 @@ func (r *ConfigPropertyResource) Update(ctx context.Context, req resource.Update
 		return
 	}
 
-	data.Value = types.StringValue(updatedProp.Value)
+	// For encrypted properties, the API returns a placeholder instead of the actual value
+	// We need to preserve the configured value in state
+	if updatedProp.Type == "ENCRYPTEDSTRING" && updatedProp.Value == "HiddenDecryptedPropertyPlaceholder" {
+		// Keep the configured value that was set in data.Value
+		// Don't update it with the placeholder from the API
+	} else {
+		data.Value = types.StringValue(updatedProp.Value)
+	}
+
 	data.Type = types.StringValue(updatedProp.Type)
 	data.Description = types.StringValue(updatedProp.Description)
 

internal/provider/config_property_resource_test.go

@@ -59,6 +59,82 @@ func TestAccConfigPropertyResource_APIKey(t *testing.T) {
 	})
 }
 
+// TestAccConfigPropertyResource_EncryptedString_APIKey tests the config_property resource with an encrypted string property.
+// This test ensures that encrypted properties (ENCRYPTEDSTRING type) are handled correctly,
+// as the API returns "HiddenDecryptedPropertyPlaceholder" instead of the actual value.
+func TestAccConfigPropertyResource_EncryptedString_APIKey(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheckAPIKey(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Adopt and Update testing with encrypted property
+			{
+				Config: testAccConfigPropertyResourceConfigWithAPIKey("email", "smtp.password", "initial-password-123"),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("group_name"),
+						knownvalue.StringExact("email"),
+					),
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("name"),
+						knownvalue.StringExact("smtp.password"),
+					),
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("value"),
+						knownvalue.StringExact("initial-password-123"),
+					),
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("type"),
+						knownvalue.StringExact("ENCRYPTEDSTRING"),
+					),
+				},
+			},
+			// ImportState testing
+			// Note: We cannot verify the value field for encrypted properties because
+			// the API returns "HiddenDecryptedPropertyPlaceholder" instead of the actual value
+			{
+				ResourceName:            "dependencytrack_config_property.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"value"},
+			},
+			// Update testing - this is critical for encrypted properties
+			// Previously this would fail with "Provider produced inconsistent result after apply"
+			{
+				Config: testAccConfigPropertyResourceConfigWithAPIKey("email", "smtp.password", "updated-password-456"),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("value"),
+						knownvalue.StringExact("updated-password-456"),
+					),
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("type"),
+						knownvalue.StringExact("ENCRYPTEDSTRING"),
+					),
+				},
+			},
+			// Another update to ensure consistency is maintained
+			{
+				Config: testAccConfigPropertyResourceConfigWithAPIKey("email", "smtp.password", "final-password-789"),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"dependencytrack_config_property.test",
+						tfjsonpath.New("value"),
+						knownvalue.StringExact("final-password-789"),
+					),
+				},
+			},
+			// Delete testing automatically occurs in TestCase
+		},
+	})
+}
+
 func testAccConfigPropertyResourceConfigWithAPIKey(groupName, name, value string) string {
 	return testAccProviderConfigWithAPIKey() + fmt.Sprintf(`
 resource "dependencytrack_config_property" "test" {