feat(#222): manage v5 sensitive values

docs/resources/download_client.md

@@ -43,7 +43,7 @@ resource "radarr_download_client" "example" {
 - `add_paused` (Boolean) Add paused flag.
 - `add_stopped` (Boolean) Add stopped flag.
 - `additional_tags` (Set of Number) Additional tags, `0` TitleSlug, `1` Quality, `2` Language, `3` ReleaseGroup, `4` Year, `5` Indexer, `6` Network.
-- `api_key` (String) API key.
+- `api_key` (String, Sensitive) API key.
 - `api_url` (String) API URL.
 - `app_id` (String) App ID.
 - `app_token` (String, Sensitive) App Token.
@@ -74,7 +74,7 @@ resource "radarr_download_client" "example" {
 - `remove_failed_downloads` (Boolean) Remove failed downloads flag.
 - `rpc_path` (String) RPC path.
 - `save_magnet_files` (Boolean) Save magnet files flag.
-- `secret_token` (String) Secret token.
+- `secret_token` (String, Sensitive) Secret token.
 - `sequential_order` (Boolean) Sequential order flag.
 - `start_on_add` (Boolean) Start on add flag.
 - `strm_folder` (String) STRM folder.

docs/resources/download_client_aria2.md

@@ -41,7 +41,7 @@ resource "radarr_download_client_aria2" "example" {
 - `remove_completed_downloads` (Boolean) Remove completed downloads flag.
 - `remove_failed_downloads` (Boolean) Remove failed downloads flag.
 - `rpc_path` (String) RPC path.
-- `secret_token` (String) Secret token.
+- `secret_token` (String, Sensitive) Secret token.
 - `tags` (Set of Number) List of associated tags.
 - `use_ssl` (Boolean) Use SSL flag.
 

docs/resources/download_client_nzbvortex.md

@@ -30,7 +30,7 @@ resource "radarr_download_client_nzbvortex" "example" {
 
 ### Required
 
-- `api_key` (String) API key.
+- `api_key` (String, Sensitive) API key.
 - `name` (String) Download Client name.
 
 ### Optional

docs/resources/indexer.md

@@ -42,7 +42,7 @@ resource "radarr_indexer" "example" {
 
 - `additional_parameters` (String) Additional parameters.
 - `allow_zero_size` (Boolean) Allow zero size files.
-- `api_key` (String) API key.
+- `api_key` (String, Sensitive) API key.
 - `api_path` (String) API path.
 - `api_user` (String) API User.
 - `base_url` (String) Base URL.
@@ -58,7 +58,7 @@ resource "radarr_indexer" "example" {
 - `mediums` (Set of Number) Mediumd.
 - `minimum_seeders` (Number) Minimum seeders.
 - `multi_languages` (Set of Number) Language list.
-- `passkey` (String) Passkey.
+- `passkey` (String, Sensitive) Passkey.
 - `priority` (Number) Priority.
 - `ranked_only` (Boolean) Allow ranked only.
 - `remove_year` (Boolean) Remove year.

docs/resources/indexer_newznab.md

@@ -35,7 +35,7 @@ resource "radarr_indexer_newznab" "example" {
 ### Optional
 
 - `additional_parameters` (String) Additional parameters.
-- `api_key` (String) API key.
+- `api_key` (String, Sensitive) API key.
 - `api_path` (String) API path.
 - `base_url` (String) Base URL.
 - `categories` (Set of Number) Series list.

docs/resources/notification.md

@@ -52,8 +52,8 @@ resource "radarr_notification" "example" {
 - `access_token` (String) Access token.
 - `access_token_secret` (String) Access token secret.
 - `always_update` (Boolean) Always update flag.
-- `api_key` (String) API key.
-- `app_token` (String) App token.
+- `api_key` (String, Sensitive) API key.
+- `app_token` (String, Sensitive) App token.
 - `arguments` (String) Arguments.
 - `auth_password` (String, Sensitive) Password.
 - `auth_token` (String) Auth token.
@@ -71,7 +71,7 @@ resource "radarr_notification" "example" {
 - `click_url` (String) Click URL.
 - `configuration_key` (String, Sensitive) Configuration key.
 - `consumer_key` (String) Consumer key.
-- `consumer_secret` (String) Consumer secret.
+- `consumer_secret` (String, Sensitive) Consumer secret.
 - `device_ids` (Set of String) Device IDs.
 - `device_names` (String) Device names.
 - `devices` (Set of String) Devices.

internal/helpers/fields.go

@@ -12,6 +12,8 @@ import (
 	"golang.org/x/exp/slices"
 )
 
+const SensitiveValue = "********"
+
 type fieldException struct {
 	apiName string
 	tfName  string
@@ -341,6 +343,13 @@ func WriteFields(ctx context.Context, fieldContainer interface{}, fields []*rada
 	// Loop over each field and populate the related container field with the corresponding write function.
 	for _, f := range fields {
 		fieldName := f.GetName()
+		// Manage sensitive data.
+		if f.GetValue() == SensitiveValue {
+			if tempField := readStringField(fieldName, fieldContainer); tempField.GetValue() != nil {
+				f = tempField
+			}
+		}
+
 		for listName, writeFunc := range writeFuncs {
 			if slices.Contains(fieldLists.getList(listName), fieldName) {
 				writeFunc(f, fieldContainer)

internal/helpers/fields_test.go

@@ -607,6 +607,12 @@ func TestWriteFields(t *testing.T) {
 			value:          append(make([]interface{}, 0), []string{"test1", "test2"}),
 			fieldContainer: Test{Set: types.SetValueMust(types.StringType, nil)},
 		},
+		"sensitive": {
+			fieldLists:     Fields{Strings: []string{"str"}},
+			name:           "str",
+			value:          SensitiveValue,
+			fieldContainer: Test{Str: types.StringValue("String")},
+		},
 	}
 	for name, test := range tests {
 		test := test
@@ -624,6 +630,13 @@ func TestWriteFields(t *testing.T) {
 			fields[0].SetValue(test.value)
 
 			container := Test{}
+			if test.value == SensitiveValue {
+				// emulate the sensitive behaviour
+				container = Test{
+					Str: types.StringValue("String"),
+				}
+			}
+
 			WriteFields(context.TODO(), &container, fields, test.fieldLists)
 			assert.Equal(t, &test.fieldContainer, &container)
 		})

internal/provider/download_client_aria2_resource.go

@@ -159,6 +159,7 @@ func (r *DownloadClientAria2Resource) Schema(_ context.Context, _ resource.Schem
 				MarkdownDescription: "Secret token.",
 				Optional:            true,
 				Computed:            true,
+				Sensitive:           true,
 			},
 		},
 	}

internal/provider/download_client_freebox_resource_test.go

@@ -42,9 +42,10 @@ func TestAccDownloadClientFreeboxResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_download_client_freebox.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_download_client_freebox.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"app_token"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/provider/download_client_hadouken_resource_test.go

@@ -43,9 +43,10 @@ func TestAccDownloadClientHadoukenResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_download_client_hadouken.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_download_client_hadouken.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"password"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/provider/download_client_nzbvortex_resource.go

@@ -174,6 +174,7 @@ func (r *DownloadClientNzbvortexResource) Schema(_ context.Context, _ resource.S
 			"api_key": schema.StringAttribute{
 				MarkdownDescription: "API key.",
 				Required:            true,
+				Sensitive:           true,
 			},
 		},
 	}

internal/provider/download_client_nzbvortex_resource_test.go

@@ -43,9 +43,10 @@ func TestAccDownloadClientNzbvortexResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_download_client_nzbvortex.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_download_client_nzbvortex.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"api_key"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/provider/download_client_resource.go

@@ -314,6 +314,7 @@ func (r *DownloadClientResource) Schema(_ context.Context, _ resource.SchemaRequ
 				MarkdownDescription: "API key.",
 				Optional:            true,
 				Computed:            true,
+				Sensitive:           true,
 			},
 			"rpc_path": schema.StringAttribute{
 				MarkdownDescription: "RPC path.",
@@ -345,6 +346,7 @@ func (r *DownloadClientResource) Schema(_ context.Context, _ resource.SchemaRequ
 				MarkdownDescription: "Secret token.",
 				Optional:            true,
 				Computed:            true,
+				Sensitive:           true,
 			},
 			"username": schema.StringAttribute{
 				MarkdownDescription: "Username.",
@@ -465,13 +467,14 @@ func (r *DownloadClientResource) Create(ctx context.Context, req resource.Create
 	// this is needed because of many empty fields are unknown in both plan and read
 	var state DownloadClient
 
+	state.writeSensitive(client)
 	state.write(ctx, response, &resp.Diagnostics)
 	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
 }
 
 func (r *DownloadClientResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
 	// Get current state
-	var client DownloadClient
+	var client *DownloadClient
 
 	resp.Diagnostics.Append(req.State.Get(ctx, &client)...)
 
@@ -492,6 +495,7 @@ func (r *DownloadClientResource) Read(ctx context.Context, req resource.ReadRequ
 	// this is needed because of many empty fields are unknown in both plan and read
 	var state DownloadClient
 
+	state.writeSensitive(client)
 	state.write(ctx, response, &resp.Diagnostics)
 	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
 }
@@ -521,6 +525,7 @@ func (r *DownloadClientResource) Update(ctx context.Context, req resource.Update
 	// this is needed because of many empty fields are unknown in both plan and read
 	var state DownloadClient
 
+	state.writeSensitive(client)
 	state.write(ctx, response, &resp.Diagnostics)
 	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
 }
@@ -588,3 +593,22 @@ func (d *DownloadClient) read(ctx context.Context, diags *diag.Diagnostics) *rad
 
 	return client
 }
+
+// writeSensitive copy sensitive data from another resource.
+func (d *DownloadClient) writeSensitive(client *DownloadClient) {
+	if !client.Password.IsUnknown() {
+		d.Password = client.Password
+	}
+
+	if !client.APIKey.IsUnknown() {
+		d.APIKey = client.APIKey
+	}
+
+	if !client.SecretToken.IsUnknown() {
+		d.SecretToken = client.SecretToken
+	}
+
+	if !client.AppToken.IsUnknown() {
+		d.AppToken = client.AppToken
+	}
+}

internal/provider/download_client_resource_test.go

@@ -47,6 +47,12 @@ func TestAccDownloadClientResource(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				ResourceName:            "radarr_download_client.test_sensitive",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"password"},
+			},
 			// Delete testing automatically occurs in TestCase
 		},
 	})
@@ -64,5 +70,20 @@ func testAccDownloadClientResourceConfig(name, enable string) string {
 		host = "transmission"
 		url_base = "/transmission/"
 		port = 9091
-	}`, enable, name)
+	}
+
+	resource "radarr_download_client" "test_sensitive" {
+		enable = false
+		priority = 1
+		name = "%sWithSensitive"
+		host = "hadouken"
+		url_base = "/hadouken/"
+		port = 9091
+		category = "sonarr-tv"
+		username = "username"
+		password = "password"
+		protocol = "torrent"
+		config_contract = "HadoukenSettings"
+		implementation = "Hadouken"
+	}`, enable, name, name)
 }

internal/provider/download_client_sabnzbd_resource_test.go

@@ -43,9 +43,10 @@ func TestAccDownloadClientSabnzbdResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_download_client_sabnzbd.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_download_client_sabnzbd.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"api_key"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/provider/import_list_couch_potato_resource_test.go

@@ -43,9 +43,10 @@ func TestAccImportListCouchPotatoResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_import_list_couch_potato.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_import_list_couch_potato.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"api_key"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/provider/import_list_radarr_resource_test.go

@@ -43,9 +43,10 @@ func TestAccImportListRadarrResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_import_list_radarr.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_import_list_radarr.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"api_key"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/provider/import_list_resource.go

@@ -501,6 +501,7 @@ func (r *ImportListResource) Create(ctx context.Context, req resource.CreateRequ
 	// this is needed because of many empty fields are unknown in both plan and read
 	var state ImportList
 
+	state.writeSensitive(importList)
 	state.write(ctx, response, &resp.Diagnostics)
 	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
 }
@@ -528,6 +529,7 @@ func (r *ImportListResource) Read(ctx context.Context, req resource.ReadRequest,
 	// this is needed because of many empty fields are unknown in both plan and read
 	var state ImportList
 
+	state.writeSensitive(importList)
 	state.write(ctx, response, &resp.Diagnostics)
 	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
 }
@@ -557,6 +559,7 @@ func (r *ImportListResource) Update(ctx context.Context, req resource.UpdateRequ
 	// this is needed because of many empty fields are unknown in both plan and read
 	var state ImportList
 
+	state.writeSensitive(importList)
 	state.write(ctx, response, &resp.Diagnostics)
 	resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
 }
@@ -631,3 +634,10 @@ func (i *ImportList) read(ctx context.Context, diags *diag.Diagnostics) *radarr.
 
 	return list
 }
+
+// writeSensitive copy sensitive data from another resource.
+func (i *ImportList) writeSensitive(importList *ImportList) {
+	if !importList.APIKey.IsUnknown() {
+		i.APIKey = importList.APIKey
+	}
+}

internal/provider/import_list_resource_test.go

@@ -43,9 +43,10 @@ func TestAccImportListResource(t *testing.T) {
 			},
 			// ImportState testing
 			{
-				ResourceName:      "radarr_import_list.test",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "radarr_import_list.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"api_key"},
 			},
 			// Delete testing automatically occurs in TestCase
 		},