fix: [CDS-99290]: Handle credentials as sensitive for repo and repo c…

…reds, recreate repo creds if url or harness identifiers changed. (#1066) * fix: [CDS-99290]: Fix repo creds, repos, add some validation Signed-off-by: Mirko Teodorovic <[email protected]> * fix: [CDS-99290]: Fix repo creds, repos, add some validation Signed-off-by: Mirko Teodorovic <[email protected]> * docs Signed-off-by: Mirko Teodorovic <[email protected]> * docs Signed-off-by: Mirko Teodorovic <[email protected]> * docs Signed-off-by: Mirko Teodorovic <[email protected]> * remove validation for data Signed-off-by: Mirko Teodorovic <[email protected]> * revert Signed-off-by: Mirko Teodorovic <[email protected]> * Update platform_gitops_repo_cred.md --------- Signed-off-by: Mirko Teodorovic <[email protected]>
harness · Sep 25, 2024 · e7198b0 · e7198b0
1 parent 81b8807
commit e7198b0
Show file tree

Hide file tree

Showing 9 changed files with 94 additions and 87 deletions.
diff --git a/.changelog/1029.txt b/.changelog/1029.txt
@@ -0,0 +1,6 @@
+```release-note:fix
+harness_platform_gitops_repository: make fields computed, add sensitive for credentials
+harness_platform_gitops_repository: add sensitive for credentials, fix validation add missing value GITHUB_ENTERPRISE
+harness_platform_gitops_repo_cred: add sensitive for credentials, modify fields to computed
+resource_gitops_repo_cred.go: add sensitive for credentials, add ForceNew for harness identifiers and for url.
+```
diff --git a/docs/data-sources/platform_gitops_repo_cred.md b/docs/data-sources/platform_gitops_repo_cred.md
@@ -33,18 +33,18 @@ data "harness_platform_gitops_repo_cred" "test" {
 
 ### Optional
 
-- `creds` (Block List) credential details. (see [below for nested schema](#nestedblock--creds))
 - `org_id` (String) Organization identifier of the Repository Credentials.
 - `project_id` (String) Project identifier of the Repository Credentials.
 
 ### Read-Only
 
+- `creds` (List of Object) credential details. (see [below for nested schema](#nestedatt--creds))
 - `id` (String) The ID of this resource.
 
-<a id="nestedblock--creds"></a>
+<a id="nestedatt--creds"></a>
 ### Nested Schema for `creds`
 
-Optional:
+Read-Only:
 
 - `enable_oci` (Boolean) Specifies whether helm-oci support should be enabled for this repo.
 - `github_app_enterprise_base_url` (String) Specifies the GitHub API URL for GitHub app authentication.

diff --git a/docs/data-sources/platform_gitops_repository.md b/docs/data-sources/platform_gitops_repository.md
@@ -33,24 +33,15 @@ data "harness_platform_gitops_repository" "example" {
 
 ### Optional
 
-- `enable_oci` (Boolean) Indicates if helm-oci support must be enabled for this repo.
 - `org_id` (String) Organization identifier of the GitOps repository.
 - `project_id` (String) Project identifier of the GitOps repository.
-- `update_mask` (Block List) Update mask of the repository. (see [below for nested schema](#nestedblock--update_mask))
 
 ### Read-Only
 
+- `enable_oci` (Boolean) Indicates if helm-oci support must be enabled for this repo.
 - `id` (String) The ID of this resource.
 - `repo` (List of Object) Repo details holding application configurations. (see [below for nested schema](#nestedatt--repo))
 
-<a id="nestedblock--update_mask"></a>
-### Nested Schema for `update_mask`
-
-Optional:
-
-- `paths` (List of String) The set of field mask paths.
-
-
 <a id="nestedatt--repo"></a>
 ### Nested Schema for `repo`
 

diff --git a/docs/resources/platform_gitops_repo_cred.md b/docs/resources/platform_gitops_repo_cred.md
@@ -62,11 +62,11 @@ Optional:
 - `github_app_enterprise_base_url` (String) Specifies the GitHub API URL for GitHub app authentication.
 - `github_app_id` (String) Specifies the Github App ID of the app used to access the repo for GitHub app authentication.
 - `github_app_installation_id` (String) Specifies the ID of the installed GitHub App for GitHub app authentication.
-- `github_app_private_key` (String) github_app_private_key specifies the private key PEM data for authentication via GitHub app.
-- `password` (String) Password or PAT to be used for authenticating the remote repository.
-- `ssh_private_key` (String) SSH Key in PEM format for authenticating the repository. Used only for Git repository.
-- `tls_client_cert_data` (String) Certificate in PEM format for authenticating at the repo server. This is used for mTLS.
-- `tls_client_cert_key` (String) Private key in PEM format for authenticating at the repo server. This is used for mTLS.
+- `github_app_private_key` (String, Sensitive) github_app_private_key specifies the private key PEM data for authentication via GitHub app.
+- `password` (String, Sensitive) Password or PAT to be used for authenticating the remote repository.
+- `ssh_private_key` (String, Sensitive) SSH Key in PEM format for authenticating the repository. Used only for Git repository.
+- `tls_client_cert_data` (String, Sensitive) Certificate in PEM format for authenticating at the repo server. This is used for mTLS.
+- `tls_client_cert_key` (String, Sensitive) Private key in PEM format for authenticating at the repo server. This is used for mTLS.
 - `type` (String) Type specifies the type of the repoCreds.Can be either 'git' or 'helm. 'git' is assumed if empty or absent
 - `url` (String) URL of the remote repository. Make sure you pass at least an org, this will not work if you just provide the host, for eg. "https://github.com"
 - `username` (String) Username to be used for authenticating the remote repository.

diff --git a/docs/resources/platform_gitops_repository.md b/docs/resources/platform_gitops_repository.md
@@ -230,7 +230,7 @@ Enum: "UNSET" "AWS_ECR" "GOOGLE_GCR"
 
 Required:
 
-- `connection_type` (String) Identifies the authentication method used to connect to the repository. Possible values: "HTTPS" "SSH" "GITHUB" "HTTPS_ANONYMOUS_CONNECTION_TYPE"
+- `connection_type` (String) Identifies the authentication method used to connect to the repository. Possible values: "HTTPS" "SSH" "GITHUB" "HTTPS_ANONYMOUS", "GITHUB_ENTERPRISE".
 - `repo` (String) URL to the remote repository.
 
 Optional:
@@ -240,20 +240,23 @@ Optional:
 - `github_app_enterprise_base_url` (String) Base URL of GitHub Enterprise installation. If left empty, this defaults to https://api.github.com.
 - `github_app_id` (String) Id of the GitHub app used to access the repo.
 - `github_app_installation_id` (String) Installation id of the GitHub app used to access the repo.
-- `github_app_private_key` (String) GitHub app private key PEM data.
-- `inherited_creds` (Boolean) Indicates if the credentials were inherited from a repository credential.
+- `github_app_private_key` (String, Sensitive) GitHub app private key PEM data.
 - `insecure` (Boolean) Indicates if the connection to the repository ignores any errors when verifying TLS certificates or SSH host keys.
 - `insecure_ignore_host_key` (Boolean) Indicates if InsecureIgnoreHostKey should be used. Insecure is favored used only for git repos. Deprecated.
 - `name` (String) Name to be used for this repo. Only used with Helm repos.
-- `password` (String) Password or PAT to be used for authenticating the remote repository.
+- `password` (String, Sensitive) Password or PAT to be used for authenticating the remote repository.
 - `project` (String) The ArgoCD project name corresponding to this GitOps repository. An empty string means that the GitOps repository belongs to the default project created by Harness.
 - `proxy` (String) The HTTP/HTTPS proxy used to access the repo.
-- `ssh_private_key` (String) SSH Key in PEM format for authenticating the repository. Used only for Git repository.
-- `tls_client_cert_data` (String) Certificate in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.
-- `tls_client_cert_key` (String) Private key in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.
+- `ssh_private_key` (String, Sensitive) SSH Key in PEM format for authenticating the repository. Used only for Git repository.
+- `tls_client_cert_data` (String, Sensitive) Certificate in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.
+- `tls_client_cert_key` (String, Sensitive) Private key in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.
 - `type_` (String) Type specifies the type of the repo. Can be either "git" or "helm. "git" is assumed if empty or absent.
 - `username` (String) Username to be used for authenticating the remote repository.
 
+Read-Only:
+
+- `inherited_creds` (Boolean) Indicates if the credentials were inherited from a repository credential.
+
 
 <a id="nestedblock--ecr_gen"></a>
 ### Nested Schema for `ecr_gen`
@@ -280,8 +283,8 @@ Optional:
 Optional:
 
 - `aws_access_key_id` (String) AWS access key id.
-- `aws_secret_access_key` (String) AWS secret access key.
-- `aws_session_token` (String) AWS session token.
+- `aws_secret_access_key` (String, Sensitive) AWS secret access key.
+- `aws_session_token` (String, Sensitive) AWS session token.
 
 
 
@@ -290,7 +293,7 @@ Optional:
 
 Optional:
 
-- `access_key` (String) GCP access key.
+- `access_key` (String, Sensitive) GCP access key.
 - `project_id` (String) GCP project id.
 - `workload_identity` (Block List, Max: 1) GCP workload identity. (see [below for nested schema](#nestedblock--gcr_gen--workload_identity))
 

diff --git a/internal/service/platform/gitops/repository/data_source_gitops_repository.go b/internal/service/platform/gitops/repository/data_source_gitops_repository.go
@@ -8,7 +8,6 @@ import (
 	"github.com/harness/terraform-provider-harness/internal"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
 func DataSourceGitopsRepository() *schema.Resource {
@@ -52,133 +51,117 @@ func DataSourceGitopsRepository() *schema.Resource {
 						"repo": {
 							Description: "URL to the remote repository.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 						"username": {
 							Description: "Username to be used for authenticating the remote repository.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Sensitive:   true,
+							Computed:    true,
 						},
 						"password": {
 							Description: "Password or PAT to be used for authenticating the remote repository.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Sensitive:   true,
+							Computed:    true,
 						},
 						"ssh_private_key": {
 							Description: "SSH Key in PEM format for authenticating the repository. Used only for Git repository.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Sensitive:   true,
+							Computed:    true,
 						},
 						"insecure_ignore_host_key": {
 							Description: "Indicates if InsecureIgnoreHostKey should be used. Insecure is favored used only for git repos. Deprecated.",
 							Type:        schema.TypeBool,
-							Optional:    true,
+							Computed:    true,
 						},
 						"insecure": {
 							Description: "Indicates if the connection to the repository ignores any errors when verifying TLS certificates or SSH host keys.",
 							Type:        schema.TypeBool,
-							Optional:    true,
+							Computed:    true,
 						},
 						"enable_lfs": {
 							Description: "Indicates if git-lfs support must be enabled for this repo. This is valid only for Git repositories.",
 							Type:        schema.TypeBool,
-							Optional:    true,
+							Computed:    true,
 						},
 						"tls_client_cert_data": {
 							Description: "Certificate in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Sensitive:   true,
+							Computed:    true,
 						},
 						"tls_client_cert_key": {
 							Description: "Private key in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Sensitive:   true,
+							Computed:    true,
 						},
 						"type_": {
-							Description:  "Type specifies the type of the repo. Can be either \"git\" or \"helm. \"git\" is assumed if empty or absent.",
-							Type:         schema.TypeString,
-							Optional:     true,
-							Computed:     true,
-							ValidateFunc: validation.StringInSlice([]string{"git", "helm"}, false),
+							Description: "Type specifies the type of the repo. Can be either \"git\" or \"helm. \"git\" is assumed if empty or absent.",
+							Type:        schema.TypeString,
+							Computed:    true,
 						},
 						"name": {
 							Description: "Name to be used for this repo. Only used with Helm repos.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 						"inherited_creds": {
 							Description: "Indicates if the credentials were inherited from a repository credential.",
 							Type:        schema.TypeBool,
-							Optional:    true,
+							Computed:    true,
 						},
 						"enable_oci": {
 							Description: "Indicates if helm-oci support must be enabled for this repo.",
 							Type:        schema.TypeBool,
-							Optional:    true,
+							Computed:    true,
 						},
 						"github_app_private_key": {
 							Description: "GitHub app private key PEM data.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Sensitive:   true,
+							Computed:    true,
 						},
 						"github_app_id": {
 							Description: "Id of the GitHub app used to access the repo.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 						"github_app_installation_id": {
 							Description: "Installation id of the GitHub app used to access the repo.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 						"github_app_enterprise_base_url": {
 							Description: "Base URL of GitHub Enterprise installation. If left empty, this defaults to https://api.github.com.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 						"proxy": {
 							Description: "The HTTP/HTTPS proxy used to access the repo.",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 						"project": {
 							Description: "The ArgoCD project name corresponding to this GitOps repository. An empty string means that the GitOps repository belongs to the default project created by Harness.",
 							Type:        schema.TypeString,
-							Optional:    true,
 							Computed:    true,
 						},
 						"connection_type": {
 							Description: "Identifies the authentication method used to connect to the repository. Possible values: \"HTTPS\" \"SSH\" \"GITHUB\" \"HTTPS_ANONYMOUS_CONNECTION_TYPE\"",
 							Type:        schema.TypeString,
-							Optional:    true,
+							Computed:    true,
 						},
 					},
 				},
 			},
 			"enable_oci": {
 				Description: "Indicates if helm-oci support must be enabled for this repo.",
 				Type:        schema.TypeBool,
-				Optional:    true,
 				Computed:    true,
 			},
-			"update_mask": {
-				Description: "Update mask of the repository.",
-				Type:        schema.TypeList,
-				Optional:    true,
-				Computed:    true,
-				Elem: &schema.Resource{
-					Schema: map[string]*schema.Schema{
-						"paths": {
-							Description: "The set of field mask paths.",
-							Optional:    true,
-							Type:        schema.TypeList,
-							Elem: &schema.Schema{
-								Type: schema.TypeString,
-							},
-						},
-					},
-				},
-			},
 		},
 	}
 	return resource

diff --git a/internal/service/platform/gitops/repository/resource_gitops_repository.go b/internal/service/platform/gitops/repository/resource_gitops_repository.go
@@ -75,12 +75,14 @@ func ResourceGitopsRepositories() *schema.Resource {
 							Description: "Password or PAT to be used for authenticating the remote repository.",
 							Type:        schema.TypeString,
 							Optional:    true,
+							Sensitive:   true,
 						},
 						"ssh_private_key": {
 							Description: "SSH Key in PEM format for authenticating the repository. Used only for Git repository.",
 							Type:        schema.TypeString,
 							Optional:    true,
 							Computed:    true,
+							Sensitive:   true,
 						},
 						"insecure_ignore_host_key": {
 							Description: "Indicates if InsecureIgnoreHostKey should be used. Insecure is favored used only for git repos. Deprecated.",
@@ -102,11 +104,13 @@ func ResourceGitopsRepositories() *schema.Resource {
 							Description: "Certificate in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.",
 							Type:        schema.TypeString,
 							Optional:    true,
+							Sensitive:   true,
 						},
 						"tls_client_cert_key": {
 							Description: "Private key in PEM format for authenticating at the repo server. This is used for mTLS. The value should be base64 encoded.",
 							Type:        schema.TypeString,
 							Optional:    true,
+							Sensitive:   true,
 						},
 						"type_": {
 							Description:  "Type specifies the type of the repo. Can be either \"git\" or \"helm. \"git\" is assumed if empty or absent.",
@@ -134,6 +138,7 @@ func ResourceGitopsRepositories() *schema.Resource {
 							Description: "GitHub app private key PEM data.",
 							Type:        schema.TypeString,
 							Optional:    true,
+							Sensitive:   true,
 						},
 						"github_app_id": {
 							Description: "Id of the GitHub app used to access the repo.",
@@ -162,10 +167,10 @@ func ResourceGitopsRepositories() *schema.Resource {
 							Computed:    true,
 						},
 						"connection_type": {
-							Description:  "Identifies the authentication method used to connect to the repository. Possible values: \"HTTPS\" \"SSH\" \"GITHUB\" \"HTTPS_ANONYMOUS\"",
+							Description:  "Identifies the authentication method used to connect to the repository. Possible values: \"HTTPS\" \"SSH\" \"GITHUB\" \"HTTPS_ANONYMOUS\", \"GITHUB_ENTERPRISE\".",
 							Type:         schema.TypeString,
 							Required:     true,
-							ValidateFunc: validation.StringInSlice([]string{"HTTPS", "SSH", "GITHUB", "HTTPS_ANONYMOUS"}, false),
+							ValidateFunc: validation.StringInSlice([]string{"HTTPS", "SSH", "GITHUB", "HTTPS_ANONYMOUS", "GITHUB_ENTERPRISE"}, false),
 						},
 					},
 				},
@@ -218,11 +223,13 @@ func ResourceGitopsRepositories() *schema.Resource {
 										Description: "AWS secret access key.",
 										Type:        schema.TypeString,
 										Optional:    true,
+										Sensitive:   true,
 									},
 									"aws_session_token": {
 										Description: "AWS session token.",
 										Type:        schema.TypeString,
 										Optional:    true,
+										Sensitive:   true,
 									},
 								},
 							},
@@ -274,6 +281,7 @@ func ResourceGitopsRepositories() *schema.Resource {
 							Description: "GCP access key.",
 							Type:        schema.TypeString,
 							Optional:    true,
+							Sensitive:   true,
 						},
 						"workload_identity": {
 							Description: "GCP workload identity.",