Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for worker text bindings #710

Merged
merged 11 commits into from
Jun 21, 2020

Conversation

blakeembrey
Copy link
Contributor

@blakeembrey blakeembrey commented Jun 14, 2020

Closes https://github.com/terraform-providers/terraform-provider-cloudflare/issues/615, closes https://github.com/terraform-providers/terraform-provider-cloudflare/issues/164. Not entirely sure on the terraform idioms so feel free to correct anything I'm doing incorrectly.

I wanted to use separate keys in binding because they have different requirements for things like sensitive and possibly values in the future. The key in the schema determines the "type" of the binding, e.g. secret_text, plain_text or kv_namespace_id. Roughly follows https://github.com/terraform-providers/terraform-provider-cloudflare/issues/615#issuecomment-598801105 but didn't see the need for specifying type since every binding is different enough so far they can be differentiated easily by the key set.

We ended up using separate binding groups for each type of binding since it makes validation in Terraform a lot easier to do and maintains backward compatibility with the existing kv_namespace_binding.

@ghost ghost added the size/M label Jun 14, 2020
@jacobbednarz
Copy link
Member

I've kicked off an integration test run for this one and will report the findings back shortly.

@jacobbednarz
Copy link
Member

Looks like we've got a new failure.

------- Stdout: -------
=== RUN   TestAccCloudflareWorkerScript_MultiScriptEnt
=== PAUSE TestAccCloudflareWorkerScript_MultiScriptEnt
=== CONT  TestAccCloudflareWorkerScript_MultiScriptEnt
--- FAIL: TestAccCloudflareWorkerScript_MultiScriptEnt (7.54s)
testing.go:684: Step 2 error: errors during apply:
Error: error updating worker script: NamespaceID for binding "PLAIN_TEXT" cannot be empty
on /opt/teamcity-agent/temp/buildTmp/tf-test036547402/main.tf line 6:
(source code not available)
FAIL

@blakeembrey
Copy link
Contributor Author

@jacobbednarz Thanks, I think I might be misunderstanding the map provided by terraform from the TypeSet list method. I'll take a look now.

@blakeembrey
Copy link
Contributor Author

blakeembrey commented Jun 16, 2020

@jacobbednarz can you try it again? If it doesn’t pass this time I’ll put some more work into figuring out how to test it myself properly.

@ghost ghost added kind/documentation Categorizes issue or PR as related to documentation. size/L and removed size/M labels Jun 16, 2020
@blakeembrey blakeembrey force-pushed the be/add-text-binding branch from a9427b6 to e3464b5 Compare June 16, 2020 05:51
@blakeembrey
Copy link
Contributor Author

blakeembrey commented Jun 16, 2020

I have things working locally but appear to have run into hashicorp/terraform#21901 on binding. Doesn't seem to be a major blocker but trying to figure out how to avoid having secret_text always attempt to change.

@blakeembrey
Copy link
Contributor Author

@jacobbednarz I've resolved the secret text issue by using the text value from the existing resource during read. This seems to be how other providers work, i.e. AWS resources with passwords. The bindings only cause a change in two cases now:

  1. When the value of the binding changes (from the read or previous state in the case of secret_text)
  2. When a secret text binding has been removed from terraform but not Cloudflare

For 2, I didn't see the APIs available to handle it within the cloudflare package or documented on their site. Having the diff show up each time is probably enough to prompt that it's not being deleted properly, but happy to document this behavior and how to delete it from the cloudflare UI.

@jacobbednarz
Copy link
Member

@blakeembrey That seems like a reasonable fix. We do have other cases of write-once-never-seen-again APIs in Cloudflare however their values are just masked so we write the masked value to state instead of pulling it from the schema.

Your second point is also fine for now 👍 If it becomes a bigger issue than we can poke Cloudflare to improve the UX somehow.

@blakeembrey
Copy link
Contributor Author

Sweet, I ported all my local code to use this and it's been working great so far. By masked value do you mean an empty string or a value like xxx?

@jacobbednarz
Copy link
Member

Integration is looking good! I'm going to leave this for today and make sure that no one else has any thoughts before we land this one.

Thanks for the PR so far 🙇

@blakeembrey
Copy link
Contributor Author

@jacobbednarz Any opinion on using the singular binding versus many bindings? For example:

text_binding {
  name = "TEXT"
  value = "TEXT"
}

secret_binding {
  name = "SECRET"
  value = "SECRET"
}

This would make the change backward compatible (no need to deprecate the existing binding) and makes something like the concealed StateFunc easier to implement.

@jacobbednarz
Copy link
Member

I personally prefer the individual blocks as it is more explicit and gives us a little more flexibility with changes to individual resources. In turn, you end up with less complex code branches and more readable code.

If you want to swap it over to help with backwards compatibility, I'd be 👍 for it.

@blakeembrey
Copy link
Contributor Author

@jacobbednarz Done, though I couldn't get the concealed text behavior to easily work within the set so I fell back on the existing logic of looking up the previous value to diff.

Copy link
Member

@jacobbednarz jacobbednarz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is really great, thanks @blakeembrey! i've just kicked off a final integration test run and we'll land this as soon as that is green.

@jacobbednarz jacobbednarz merged commit 5936102 into cloudflare:master Jun 21, 2020
@blakeembrey blakeembrey deleted the be/add-text-binding branch June 22, 2020 00:24
@blakeembrey
Copy link
Contributor Author

Awesome! Really excited to see it released 😄

boekkooi-lengoo pushed a commit to boekkooi-lengoo/terraform-provider-cloudflare that referenced this pull request Feb 28, 2022
…evel-for-rulesets

ruleset: add sensitivity level for overrides
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/documentation Categorizes issue or PR as related to documentation. size/L
Projects
None yet
2 participants