auth0 · sergiught · Jun 16, 2022 · Jun 16, 2022 · Jun 16, 2022 · Jun 16, 2022
@@ -17,8 +17,8 @@ indent_style = tab
 [*.md]
 trim_trailing_whitespace = false
 
-[*.{yml, yaml, raml, yml.dist, feature, toml}]
+[*.{yml, yaml, raml, yml.dist, feature, toml, tf}]
 indent_size = 2
 
-[GNUmakefile]
+[Makefile]
 indent_style = tab
@@ -2,11 +2,12 @@ package auth0
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"regexp"
 
-	"github.com/auth0/go-auth0"
 	"github.com/auth0/go-auth0/management"
+	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -58,9 +59,10 @@ func newHook() *schema.Resource {
 			},
 			"secrets": {
 				Type:        schema.TypeMap,
+				Elem:        schema.TypeString,
+				Sensitive:   true,
 				Optional:    true,
 				Description: "The secrets associated with the hook",
-				Elem:        schema.TypeString,
 			},
 			"enabled": {
 				Type:        schema.TypeBool,
@@ -73,15 +75,15 @@ func newHook() *schema.Resource {
 }
 
 func createHook(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
-	hook := buildHook(d)
+	hook := expandHook(d)
 	api := m.(*management.Management)
 	if err := api.Hook.Create(hook); err != nil {
 		return diag.FromErr(err)
 	}
 
-	d.SetId(auth0.StringValue(hook.ID))
+	d.SetId(hook.GetID())
 
-	if err := upsertHookSecrets(d, m); err != nil {
+	if err := upsertHookSecrets(ctx, d, m); err != nil {
 		return diag.FromErr(err)
 	}
 
@@ -101,6 +103,8 @@ func readHook(ctx context.Context, d *schema.ResourceData, m interface{}) diag.D
 		return diag.FromErr(err)
 	}
 
+	diagnostics := checkForUntrackedHookSecrets(ctx, d, m)
+
 	result := multierror.Append(
 		d.Set("name", hook.Name),
 		d.Set("dependencies", hook.Dependencies),
@@ -109,44 +113,27 @@ func readHook(ctx context.Context, d *schema.ResourceData, m interface{}) diag.D
 		d.Set("enabled", hook.Enabled),
 	)
 
-	return diag.FromErr(result.ErrorOrNil())
+	if err = result.ErrorOrNil(); err != nil {
+		diagnostics = append(diagnostics, diag.FromErr(err)...)
+	}
+
+	return diagnostics
 }
 
 func updateHook(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
-	hook := buildHook(d)
+	hook := expandHook(d)
 	api := m.(*management.Management)
 	if err := api.Hook.Update(d.Id(), hook); err != nil {
 		return diag.FromErr(err)
 	}
 
-	if err := upsertHookSecrets(d, m); err != nil {
+	if err := upsertHookSecrets(ctx, d, m); err != nil {
 		return diag.FromErr(err)
 	}
 
 	return readHook(ctx, d, m)
 }
 
-func upsertHookSecrets(d *schema.ResourceData, m interface{}) error {
-	if d.IsNewResource() || d.HasChange("secrets") {
-		secrets := Map(d, "secrets")
-		api := m.(*management.Management)
-		hookSecrets := toHookSecrets(secrets)
-		return api.Hook.ReplaceSecrets(d.Id(), hookSecrets)
-	}
-
-	return nil
-}
-
-func toHookSecrets(val map[string]interface{}) management.HookSecrets {
-	hookSecrets := management.HookSecrets{}
-	for key, value := range val {
-		if strVal, ok := value.(string); ok {
-			hookSecrets[key] = strVal
-		}
-	}
-	return hookSecrets
-}
-
 func deleteHook(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	api := m.(*management.Management)
 	if err := api.Hook.Delete(d.Id()); err != nil {
@@ -162,22 +149,70 @@ func deleteHook(ctx context.Context, d *schema.ResourceData, m interface{}) diag
 	return nil
 }
 
-func buildHook(d *schema.ResourceData) *management.Hook {
+func checkForUntrackedHookSecrets(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	secretsFromConfig := Map(d, "secrets")
+
+	api := m.(*management.Management)
+	secretsFromAPI, err := api.Hook.Secrets(d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	var warnings diag.Diagnostics
+	for key := range secretsFromAPI {
+		if _, ok := secretsFromConfig[key]; !ok {
+			warnings = append(warnings, diag.Diagnostic{
+				Severity: diag.Warning,
+				Summary:  "Unexpected Hook Secrets",
+				Detail: fmt.Sprintf("Found unexpected hook secrets with key: %s. ", key) +
+					"To prevent issues, manage them through terraform. If you've just imported this resource " +
+					"(and your secrets match), to make this warning disappear, run a terraform apply.",
+				AttributePath: cty.Path{cty.GetAttrStep{Name: "secrets"}},
+			})
+		}
+	}
+
+	return warnings
+}
+
+func upsertHookSecrets(ctx context.Context, d *schema.ResourceData, m interface{}) error {
+	if d.IsNewResource() || d.HasChange("secrets") {
+		hookSecrets := expandHookSecrets(d)
+		api := m.(*management.Management)
+		return api.Hook.ReplaceSecrets(d.Id(), hookSecrets)
+	}
+
+	return nil
+}
+
+func expandHook(d *schema.ResourceData) *management.Hook {
 	hook := &management.Hook{
 		Name:      String(d, "name"),
 		Script:    String(d, "script"),
 		TriggerID: String(d, "trigger_id", IsNewResource()),
 		Enabled:   Bool(d, "enabled"),
 	}
 
-	deps := Map(d, "dependencies")
-	if deps != nil {
+	if deps := Map(d, "dependencies"); deps != nil {
 		hook.Dependencies = &deps
 	}
 
 	return hook
 }
 
+func expandHookSecrets(d *schema.ResourceData) management.HookSecrets {
+	hookSecrets := management.HookSecrets{}
+	secrets := Map(d, "secrets")
+
+	for key, value := range secrets {
+		if strVal, ok := value.(string); ok {
+			hookSecrets[key] = strVal
+		}
+	}
+
+	return hookSecrets
+}
+
 func validateHookName() schema.SchemaValidateDiagFunc {
 	hookNameValidation := validation.StringMatch(
 		regexp.MustCompile(`^[^\s-][\w -]+[^\s-]$`),

@@ -6,6 +6,7 @@ import (
 
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestAccHook(t *testing.T) {
@@ -15,7 +16,7 @@ func TestAccHook(t *testing.T) {
 		ProviderFactories: testProviders(httpRecorder),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccHookCreate,
+				Config: fmt.Sprintf(testAccHookCreate, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "name", "pre-user-reg-hook"),
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "script", "function (user, context, callback) { callback(null, { user }); }"),
@@ -33,6 +34,7 @@ resource "auth0_hook" "my_hook" {
   script = "function (user, context, callback) { callback(null, { user }); }"
   trigger_id = "pre-user-registration"
   enabled = true
+  %s
 }
 `
 
@@ -43,7 +45,7 @@ func TestAccHookSecrets(t *testing.T) {
 		ProviderFactories: testProviders(httpRecorder),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccHookSecrets("alpha"),
+				Config: fmt.Sprintf(testAccHookCreate, testAccHookSecrets),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "name", "pre-user-reg-hook"),
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "dependencies.auth0", "2.30.0"),
@@ -55,7 +57,7 @@ func TestAccHookSecrets(t *testing.T) {
 				),
 			},
 			{
-				Config: testAccHookSecrets2("gamma", "kappa"),
+				Config: fmt.Sprintf(testAccHookCreate, testAccHookSecretsUpdate),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "name", "pre-user-reg-hook"),
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "dependencies.auth0", "2.30.0"),
@@ -67,7 +69,7 @@ func TestAccHookSecrets(t *testing.T) {
 				),
 			},
 			{
-				Config: testAccHookSecrets("delta"),
+				Config: fmt.Sprintf(testAccHookCreate, testAccHookSecretsUpdateAndRemoval),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "name", "pre-user-reg-hook"),
 					resource.TestCheckResourceAttr("auth0_hook.my_hook", "script", "function (user, context, callback) { callback(null, { user }); }"),
@@ -81,58 +83,44 @@ func TestAccHookSecrets(t *testing.T) {
 	})
 }
 
-func testAccHookSecrets(fooValue string) string {
-	return fmt.Sprintf(`
-resource "auth0_hook" "my_hook" {
-  name = "pre-user-reg-hook"
-  script = "function (user, context, callback) { callback(null, { user }); }"
-  trigger_id = "pre-user-registration"
-  enabled = true
+const testAccHookSecrets = `
   dependencies = {
     auth0 = "2.30.0"
   }
-	secrets = {
-    foo = "%s"
+  secrets = {
+    foo = "alpha"
   }
-}
-`, fooValue)
-}
+`
 
-func testAccHookSecrets2(fooValue string, barValue string) string {
-	return fmt.Sprintf(`
-resource "auth0_hook" "my_hook" {
-  name = "pre-user-reg-hook"
-  script = "function (user, context, callback) { callback(null, { user }); }"
-  trigger_id = "pre-user-registration"
+const testAccHookSecretsUpdate = `
   dependencies = {
     auth0 = "2.30.0"
   }
-  enabled = true
   secrets = {
-    foo = "%s"
-    bar = "%s"
+    foo = "gamma"
+    bar = "kappa"
   }
-}
-`, fooValue, barValue)
-}
+`
+
+const testAccHookSecretsUpdateAndRemoval = `
+  dependencies = {
+    auth0 = "2.30.0"
+  }
+  secrets = {
+    foo = "delta"
+  }
+`
 
 func TestHookNameRegexp(t *testing.T) {
-	for name, valid := range map[string]bool{
-		"my-hook-1":                 true,
-		"hook 2 name with spaces":   true,
-		" hook with a space prefix": false,
-		"hook with a space suffix ": false,
-		" ":                         false,
-		"   ":                       false,
+	for givenHookName, expectedError := range map[string]bool{
+		"my-hook-1":                 false,
+		"hook 2 name with spaces":   false,
+		" hook with a space prefix": true,
+		"hook with a space suffix ": true,
+		" ":                         true,
+		"   ":                       true,
 	} {
-		fn := validateHookName()
-
-		validationResult := fn(name, cty.Path{cty.GetAttrStep{Name: "name"}})
-		if validationResult.HasError() && valid {
-			t.Fatalf("Expected %q to be valid, but got validation errors %v", name, validationResult)
-		}
-		if !validationResult.HasError() && !valid {
-			t.Fatalf("Expected %q to be invalid, but got no validation errors.", name)
-		}
+		validationResult := validateHookName()(givenHookName, cty.Path{cty.GetAttrStep{Name: "name"}})
+		assert.Equal(t, expectedError, validationResult.HasError())
 	}
 }