fix(container/function): improve secret_environment_variables states management (#3050)

* fix(containerNamespace): support secret_environment_variable state

* fix(function): support secret_environment_variable state

* fix(functionNamespace): support secret_environment_variable state

Author: Gnoale

internal/services/container/container.go

@@ -397,7 +397,7 @@ func ResourceContainerUpdate(ctx context.Context, d *schema.ResourceData, m inte
 
 	if d.HasChanges("secret_environment_variables") {
 		oldEnv, newEnv := d.GetChange("secret_environment_variables")
-		req.SecretEnvironmentVariables = FilterSecretEnvsToPatch(expandContainerSecrets(oldEnv), expandContainerSecrets(newEnv))
+		req.SecretEnvironmentVariables = filterSecretEnvsToPatch(expandContainerSecrets(oldEnv), expandContainerSecrets(newEnv))
 	}
 
 	if d.HasChanges("min_scale") {

internal/services/container/container_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/container"
 	containerchecks "github.com/scaleway/terraform-provider-scaleway/v2/internal/services/container/testfuncs"
-	"github.com/stretchr/testify/assert"
 )
 
 func TestAccContainer_Basic(t *testing.T) {
@@ -629,26 +628,3 @@ func passwordMatchHash(parent string, key string, password string) resource.Test
 		return nil
 	}
 }
-
-func TestFilterSecretEnvsToPatch(t *testing.T) {
-	testSecret := "test_secret"
-	secretToDelete := "secret_to_delete"
-	updatedSecret := "updated_secret"
-	newSecret := "new_secret"
-
-	oldEnv := []*containerSDK.Secret{
-		{Key: testSecret, Value: &testSecret},
-		{Key: secretToDelete, Value: &secretToDelete},
-	}
-	newEnv := []*containerSDK.Secret{
-		{Key: testSecret, Value: &updatedSecret},
-		{Key: newSecret, Value: &newSecret},
-	}
-
-	toPatch := container.FilterSecretEnvsToPatch(oldEnv, newEnv)
-	assert.Equal(t, []*containerSDK.Secret{
-		{Key: testSecret, Value: &updatedSecret},
-		{Key: newSecret, Value: &newSecret},
-		{Key: secretToDelete, Value: nil},
-	}, toPatch)
-}

internal/services/container/helpers_container.go

@@ -3,7 +3,6 @@ package container
 import (
 	"context"
 	"errors"
-	"fmt"
 	"slices"
 	"strings"
 	"time"
@@ -317,30 +316,6 @@ func expandContainerSecrets(secretsRawMap interface{}) []*container.Secret {
 	return secrets
 }
 
-func convertToMapStringInterface(raw interface{}) map[string]interface{} {
-	out := make(map[string]interface{})
-	if raw == nil {
-		return out
-	}
-
-	m, ok := raw.(map[interface{}]interface{})
-	if ok {
-		for k, v := range m {
-			stringKey := fmt.Sprintf("%v", k)
-			out[stringKey] = v
-		}
-
-		return out
-	}
-
-	m2, ok := raw.(map[string]interface{})
-	if ok {
-		return m2
-	}
-
-	return out
-}
-
 func isContainerDNSResolveError(err error) bool {
 	responseError := &scw.ResponseError{}
 
@@ -373,7 +348,7 @@ func retryCreateContainerDomain(ctx context.Context, containerAPI *container.API
 	}
 }
 
-func FilterSecretEnvsToPatch(oldEnv []*container.Secret, newEnv []*container.Secret) []*container.Secret {
+func filterSecretEnvsToPatch(oldEnv []*container.Secret, newEnv []*container.Secret) []*container.Secret {
 	toPatch := []*container.Secret{}
 	// create and update - ignore hashed values
 	for _, env := range newEnv {

internal/services/container/helpers_container_internal_test.go

@@ -0,0 +1,31 @@
+package container
+
+import (
+	"testing"
+
+	containerSDK "github.com/scaleway/scaleway-sdk-go/api/container/v1beta1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFilterSecretEnvsToPatch(t *testing.T) {
+	testSecret := "test_secret"
+	secretToDelete := "secret_to_delete"
+	updatedSecret := "updated_secret"
+	newSecret := "new_secret"
+
+	oldEnv := []*containerSDK.Secret{
+		{Key: testSecret, Value: &testSecret},
+		{Key: secretToDelete, Value: &secretToDelete},
+	}
+	newEnv := []*containerSDK.Secret{
+		{Key: testSecret, Value: &updatedSecret},
+		{Key: newSecret, Value: &newSecret},
+	}
+
+	toPatch := filterSecretEnvsToPatch(oldEnv, newEnv)
+	assert.Equal(t, []*containerSDK.Secret{
+		{Key: testSecret, Value: &updatedSecret},
+		{Key: newSecret, Value: &newSecret},
+		{Key: secretToDelete, Value: nil},
+	}, toPatch)
+}

internal/services/container/namespace.go

@@ -9,6 +9,7 @@ import (
 	container "github.com/scaleway/scaleway-sdk-go/api/container/v1beta1"
 	registrySDK "github.com/scaleway/scaleway-sdk-go/api/registry/v1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/dsf"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/account"
@@ -73,7 +74,9 @@ func ResourceNamespace() *schema.Resource {
 					Type:         schema.TypeString,
 					ValidateFunc: validation.StringLenBetween(0, 1000),
 				},
-				ValidateDiagFunc: validation.MapKeyLenBetween(0, 100),
+				ValidateDiagFunc:      validation.MapKeyLenBetween(0, 100),
+				DiffSuppressFunc:      dsf.CompareArgon2idPasswordAndHash,
+				DiffSuppressOnRefresh: true,
 			},
 			"registry_endpoint": {
 				Type:        schema.TypeString,
@@ -160,6 +163,7 @@ func ResourceContainerNamespaceRead(ctx context.Context, d *schema.ResourceData,
 	_ = d.Set("region", ns.Region)
 	_ = d.Set("registry_endpoint", ns.RegistryEndpoint)
 	_ = d.Set("registry_namespace_id", ns.RegistryNamespaceID)
+	_ = d.Set("secret_environment_variables", flattenContainerSecrets(ns.SecretEnvironmentVariables))
 
 	return nil
 }
@@ -192,29 +196,9 @@ func ResourceContainerNamespaceUpdate(ctx context.Context, d *schema.ResourceDat
 		req.EnvironmentVariables = types.ExpandMapPtrStringString(d.Get("environment_variables"))
 	}
 
-	if d.HasChange("secret_environment_variables") {
-		oldSecretsRaw, newSecretsRaw := d.GetChange("secret_environment_variables")
-
-		oldSecretsMap := convertToMapStringInterface(oldSecretsRaw)
-		newSecretsMap := convertToMapStringInterface(newSecretsRaw)
-
-		oldSecrets := expandContainerSecrets(oldSecretsMap)
-		newSecrets := expandContainerSecrets(newSecretsMap)
-
-		deletedSecrets := make([]*container.Secret, 0)
-
-		for _, oldSecret := range oldSecrets {
-			if _, exists := newSecretsMap[oldSecret.Key]; !exists {
-				deletedSecrets = append(deletedSecrets, &container.Secret{
-					Key:   oldSecret.Key,
-					Value: nil,
-				})
-			}
-		}
-
-		deletedSecrets = append(deletedSecrets, newSecrets...)
-
-		req.SecretEnvironmentVariables = deletedSecrets
+	if d.HasChanges("secret_environment_variables") {
+		oldEnv, newEnv := d.GetChange("secret_environment_variables")
+		req.SecretEnvironmentVariables = filterSecretEnvsToPatch(expandContainerSecrets(oldEnv), expandContainerSecrets(newEnv))
 	}
 
 	if _, err := api.UpdateNamespace(req, scw.WithContext(ctx)); err != nil {

internal/services/container/namespace_test.go

@@ -67,7 +67,7 @@ func TestAccNamespace_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "description", ""),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "name", "test-cr-ns-01"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "environment_variables.test", "test"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.test_secret", "test_secret"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.test_secret", "test_secret"),
 
 					acctest.CheckResourceAttrUUID("scaleway_container_namespace.main", "id"),
 				),
@@ -90,7 +90,7 @@ func TestAccNamespace_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "description", ""),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "name", "test-cr-ns-01"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "environment_variables.test", "test"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.test_secret", "test_secret"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.test_secret", "test_secret"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "tags.#", "2"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "tags.0", "tag1"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "tags.1", "tag2"),
@@ -127,7 +127,7 @@ func TestAccNamespace_Basic(t *testing.T) {
 					isNamespacePresent(tt, "scaleway_container_namespace.main"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "name", "tf-env-test"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "environment_variables.test", "test"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.test_secret", "test_secret"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.test_secret", "test_secret"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "tags.#", "0"),
 					acctest.CheckResourceAttrUUID("scaleway_container_namespace.main", "id"),
 				),
@@ -148,7 +148,7 @@ func TestAccNamespace_Basic(t *testing.T) {
 					isNamespacePresent(tt, "scaleway_container_namespace.main"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "name", "tf-env-test"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "environment_variables.foo", "bar"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.foo_secret", "bar_secret"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.foo_secret", "bar_secret"),
 					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "tags.#", "0"),
 					acctest.CheckResourceAttrUUID("scaleway_container_namespace.main", "id"),
 				),
@@ -189,24 +189,14 @@ func TestAccNamespace_SecretManagement(t *testing.T) {
 						name = "test-secret-ns"
 						secret_environment_variables = {
 							"SECRET_1" = "value1"
+							"SECRET_2" = "value2"
 						}
 					}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					isNamespacePresent(tt, "scaleway_container_namespace.main"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_1", "value1"),
-				),
-			},
-			{
-				Config: `
-					resource scaleway_container_namespace main {
-						name = "test-secret-ns"
-						secret_environment_variables = {}
-					}
-				`,
-				Check: resource.ComposeTestCheckFunc(
-					isNamespacePresent(tt, "scaleway_container_namespace.main"),
-					resource.TestCheckNoResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_1"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.SECRET_1", "value1"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.SECRET_2", "value2"),
 				),
 			},
 			{
@@ -215,44 +205,31 @@ func TestAccNamespace_SecretManagement(t *testing.T) {
 						name = "test-secret-ns"
 						secret_environment_variables = {
 							"SECRET_1" = "value1"
-							"SECRET_2" = "value2"
+							"SECRET_2" = "updated_value2"
 						}
 					}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					isNamespacePresent(tt, "scaleway_container_namespace.main"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_1", "value1"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_2", "value2"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.SECRET_1", "value1"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.SECRET_2", "updated_value2"),
 				),
 			},
 			{
 				Config: `
 					resource scaleway_container_namespace main {
 						name = "test-secret-ns"
 						secret_environment_variables = {
-							"SECRET_2" = "value2"
+							"SECRET_KEY_1" = "value1"
+							"SECRET_2" = "updated_value2"
 						}
 					}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					isNamespacePresent(tt, "scaleway_container_namespace.main"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.SECRET_KEY_1", "value1"),
 					resource.TestCheckNoResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_1"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_2", "value2"),
-				),
-			},
-			{
-				Config: `
-					resource scaleway_container_namespace main {
-						name = "test-secret-ns"
-						secret_environment_variables = {
-							"SECRET_3" = "value3"
-						}
-					}
-				`,
-				Check: resource.ComposeTestCheckFunc(
-					isNamespacePresent(tt, "scaleway_container_namespace.main"),
-					resource.TestCheckNoResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_2"),
-					resource.TestCheckResourceAttr("scaleway_container_namespace.main", "secret_environment_variables.SECRET_3", "value3"),
+					passwordMatchHash("scaleway_container_namespace.main", "secret_environment_variables.SECRET_2", "updated_value2"),
 				),
 			},
 		},