fix(function): support secret_environment_variable state

Author: Gnoale

internal/services/function/function.go

@@ -77,7 +77,9 @@ func ResourceFunction() *schema.Resource {
 					Type:         schema.TypeString,
 					ValidateFunc: validation.StringLenBetween(0, 1000),
 				},
-				ValidateDiagFunc: validation.MapKeyLenBetween(0, 100),
+				ValidateDiagFunc:      validation.MapKeyLenBetween(0, 100),
+				DiffSuppressFunc:      dsf.CompareArgon2idPasswordAndHash,
+				DiffSuppressOnRefresh: true,
 			},
 			"privacy": {
 				Type:             schema.TypeString,
@@ -307,6 +309,7 @@ func ResourceFunctionRead(ctx context.Context, d *schema.ResourceData, m interfa
 	_ = d.Set("http_option", f.HTTPOption)
 	_ = d.Set("namespace_id", f.NamespaceID)
 	_ = d.Set("sandbox", f.Sandbox)
+	_ = d.Set("secret_environment_variables", flattenFunctionSecrets(f.SecretEnvironmentVariables))
 
 	return diags
 }
@@ -340,7 +343,8 @@ func ResourceFunctionUpdate(ctx context.Context, d *schema.ResourceData, m inter
 	}
 
 	if d.HasChanges("secret_environment_variables") {
-		req.SecretEnvironmentVariables = expandFunctionsSecrets(d.Get("secret_environment_variables"))
+		oldEnv, newEnv := d.GetChange("secret_environment_variables")
+		req.SecretEnvironmentVariables = filterSecretEnvsToPatch(expandFunctionsSecrets(oldEnv), expandFunctionsSecrets(newEnv))
 		updated = true
 	}
 

internal/services/function/function_test.go

@@ -1,9 +1,11 @@
 package function_test
 
 import (
+	"errors"
 	"fmt"
 	"testing"
 
+	"github.com/alexedwards/argon2id"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	functionSDK "github.com/scaleway/scaleway-sdk-go/api/function/v1beta1"
@@ -142,7 +144,7 @@ func TestAccFunction_EnvironmentVariables(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckFunctionExists(tt, "scaleway_function.main"),
 					resource.TestCheckResourceAttr("scaleway_function.main", "environment_variables.test", "test"),
-					resource.TestCheckResourceAttr("scaleway_function.main", "secret_environment_variables.test_secret", "test_secret"),
+					passwordMatchHash("scaleway_function.main", "secret_environment_variables.test_secret", "test_secret"),
 				),
 			},
 			{
@@ -167,7 +169,7 @@ func TestAccFunction_EnvironmentVariables(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckFunctionExists(tt, "scaleway_function.main"),
 					resource.TestCheckResourceAttr("scaleway_function.main", "environment_variables.foo", "bar"),
-					resource.TestCheckResourceAttr("scaleway_function.main", "secret_environment_variables.foo_secret", "bar_secret"),
+					passwordMatchHash("scaleway_function.main", "secret_environment_variables.foo_secret", "bar_secret"),
 				),
 			},
 		},
@@ -457,3 +459,23 @@ func testAccCheckFunctionDestroy(tt *acctest.TestTools) resource.TestCheckFunc {
 		return nil
 	}
 }
+
+func passwordMatchHash(parent string, key string, password string) resource.TestCheckFunc {
+	return func(state *terraform.State) error {
+		rs, ok := state.RootModule().Resources[parent]
+		if !ok {
+			return fmt.Errorf("resource container not found: %s", parent)
+		}
+
+		match, err := argon2id.ComparePasswordAndHash(password, rs.Primary.Attributes[key])
+		if err != nil {
+			return err
+		}
+
+		if !match {
+			return errors.New("password and hash do not match")
+		}
+
+		return nil
+	}
+}

internal/services/function/helpers.go renamed to internal/services/function/helpers_function.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"os"
+	"slices"
 	"strings"
 	"time"
 
@@ -174,3 +175,39 @@ func retryCreateFunctionDomain(ctx context.Context, functionAPI *function.API, r
 		}
 	}
 }
+
+func flattenFunctionSecrets(secrets []*function.SecretHashedValue) interface{} {
+	if len(secrets) == 0 {
+		return nil
+	}
+
+	flattenedSecrets := make(map[string]interface{})
+	for _, secret := range secrets {
+		flattenedSecrets[secret.Key] = secret.HashedValue
+	}
+
+	return flattenedSecrets
+}
+
+func filterSecretEnvsToPatch(oldEnv []*function.Secret, newEnv []*function.Secret) []*function.Secret {
+	toPatch := []*function.Secret{}
+	// create and update - ignore hashed values
+	for _, env := range newEnv {
+		if env.Value != nil && strings.HasPrefix(*env.Value, "$argon2id") {
+			continue
+		}
+
+		toPatch = append(toPatch, env)
+	}
+
+	// delete
+	for _, env := range oldEnv {
+		if !slices.ContainsFunc(newEnv, func(s *function.Secret) bool {
+			return s.Key == env.Key
+		}) {
+			toPatch = append(toPatch, &function.Secret{Key: env.Key, Value: nil})
+		}
+	}
+
+	return toPatch
+}

internal/services/function/helpers_function_test.go

@@ -0,0 +1,31 @@
+package function
+
+import (
+	"testing"
+
+	functionSDK "github.com/scaleway/scaleway-sdk-go/api/function/v1beta1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFilterSecretEnvsToPatch(t *testing.T) {
+	testSecret := "test_secret"
+	secretToDelete := "secret_to_delete"
+	updatedSecret := "updated_secret"
+	newSecret := "new_secret"
+
+	oldEnv := []*functionSDK.Secret{
+		{Key: testSecret, Value: &testSecret},
+		{Key: secretToDelete, Value: &secretToDelete},
+	}
+	newEnv := []*functionSDK.Secret{
+		{Key: testSecret, Value: &updatedSecret},
+		{Key: newSecret, Value: &newSecret},
+	}
+
+	toPatch := filterSecretEnvsToPatch(oldEnv, newEnv)
+	assert.Equal(t, []*functionSDK.Secret{
+		{Key: testSecret, Value: &updatedSecret},
+		{Key: newSecret, Value: &newSecret},
+		{Key: secretToDelete, Value: nil},
+	}, toPatch)
+}