fix: POC for handling obfusctated secrets in meshPlatform Azure Type

CU-86c63jkw8
#64

Author: j0g3sc

docs/data-sources/platform.md

@@ -10,6 +10,8 @@ description: |-
 
 Represents a meshStack platform.
 
+Note that it is not possible to retrieve sensitive fields with this data source. They will be obfuscated by the backend API.
+
 ## Example Usage
 
 ```terraform

internal/provider/platform_resource.go

@@ -350,8 +350,6 @@ func openShiftPlatformSchema() schema.Attribute {
 	}
 }
 
-// TODO review done until here
-
 func aksReplicationConfigSchema() schema.Attribute {
 	return schema.SingleNestedAttribute{
 		MarkdownDescription: "Replication configuration for AKS (optional, but required for replication)",
@@ -812,8 +810,6 @@ func azureReplicationConfigSchema() schema.Attribute {
 	}
 }
 
-// TODO continue here.
-
 func azureRgReplicationConfigSchema() schema.Attribute {
 	return schema.SingleNestedAttribute{
 		MarkdownDescription: "Azure Resource Group-specific replication configuration for the platform.",
@@ -1155,6 +1151,8 @@ func (r *platformResource) Create(ctx context.Context, req resource.CreateReques
 		return
 	}
 
+	handleObfuscatedSecrets(&createdPlatform.Spec.Config, &platform.Spec.Config, resp.Diagnostics)
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, createdPlatform)...)
 }
 
@@ -1163,7 +1161,7 @@ func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, r
 	var uuid string
 	resp.Diagnostics.Append(req.State.GetAttribute(ctx, path.Root("metadata").AtName("uuid"), &uuid)...)
 
-	platform, err := r.client.ReadPlatform(uuid)
+	readPlatform, err := r.client.ReadPlatform(uuid)
 	if err != nil {
 		resp.Diagnostics.AddError(
 			fmt.Sprintf("Could not read platform with UUID '%s'", uuid),
@@ -1172,14 +1170,17 @@ func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, r
 		return
 	}
 
-	if platform == nil {
+	if readPlatform == nil {
 		// The platform was deleted outside of Terraform, so we remove it from the state
 		resp.State.RemoveResource(ctx)
 		return
 	}
 
-	// client data maps directly to the schema so we just need to set the state
-	resp.Diagnostics.Append(resp.State.Set(ctx, platform)...)
+	statePlatformSpec := client.MeshPlatformSpec{}
+	req.State.GetAttribute(ctx, path.Root("spec"), &statePlatformSpec)
+	handleObfuscatedSecrets(&readPlatform.Spec.Config, &statePlatformSpec.Config, resp.Diagnostics)
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, readPlatform)...)
 }
 
 func (r *platformResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
@@ -1220,6 +1221,8 @@ func (r *platformResource) Update(ctx context.Context, req resource.UpdateReques
 		return
 	}
 
+	handleObfuscatedSecrets(&updatedPlatform.Spec.Config, &platform.Spec.Config, resp.Diagnostics)
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, updatedPlatform)...)
 }
 

internal/provider/platform_resource_obfuscationhandling.go

@@ -0,0 +1,42 @@
+package provider
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/meshcloud/terraform-provider-meshstack/client"
+)
+
+// TODO This is a WIP POC implementation for one secret within Azure Type only.
+
+// This function is necessary to handle obfuscated secrets for meshPlatforms.
+// The meshPlatform API won't return secrets in plain text, but obfuscated values.
+// As a result we keep those from the plan/state and re-apply them to the object read from the API.
+//
+// MUST NOT PASS ANY NIL VALUES
+// MUST PASS compatible types
+func handleObfuscatedSecrets(obfuscated *client.PlatformConfig, plain *client.PlatformConfig, d diag.Diagnostics) {
+	if obfuscated == nil || plain == nil || obfuscated.Type != plain.Type {
+		d.AddError(
+			"Internal Error",
+			"Could not handle obfuscated secrets due to invalid input parameters.",
+		)
+		return
+	}
+
+	switch obfuscated.Type {
+
+	case "azure":
+		if obfuscated.Azure != nil && obfuscated.Azure.Replication != nil && plain.Azure != nil && plain.Azure.Replication != nil {
+			// replication SP
+			if obfuscated.Azure.Replication.ServicePrincipal != nil && plain.Azure.Replication.ServicePrincipal != nil {
+				obfuscated.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret
+			}
+			// replication provisioning customer agreement SP
+			if obfuscated.Azure.Replication.Provisioning.CustomerAgreement != nil && plain.Azure.Replication.Provisioning.CustomerAgreement != nil {
+				if obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal != nil && plain.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal != nil {
+					obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret
+				}
+			}
+
+		}
+	}
+}