From 03d7bcaa08e88ba400be54c52ee0079882725b3b Mon Sep 17 00:00:00 2001
From: Greg Thole
Date: Wed, 6 Jun 2018 16:57:48 -0400
Subject: [PATCH 1/4] Only set aws_codebuild_webhook secret on create

---
 aws/resource_aws_codebuild_webhook.go | 6 ++++--
 website/docs/r/codebuild_webhook.html.markdown | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/aws/resource_aws_codebuild_webhook.go b/aws/resource_aws_codebuild_webhook.go
index da015882f583..574d5f22a0d8 100644
--- a/aws/resource_aws_codebuild_webhook.go
+++ b/aws/resource_aws_codebuild_webhook.go
@@ -48,7 +48,7 @@ func resourceAwsCodeBuildWebhook() *schema.Resource {
 func resourceAwsCodeBuildWebhookCreate(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*AWSClient).codebuildconn
 
-_, err := conn.CreateWebhook(&codebuild.CreateWebhookInput{
+resp, err := conn.CreateWebhook(&codebuild.CreateWebhookInput{
 ProjectName: aws.String(d.Get("project_name").(string)),
 BranchFilter: aws.String(d.Get("branch_filter").(string)),
 })
@@ -56,6 +56,8 @@ func resourceAwsCodeBuildWebhookCreate(d *schema.ResourceData, meta interface{})
 return err
 }
 
+// Secret is only returned on create, so capture it at the start
+d.Set("secret", resp.Webhook.Secret)
 d.SetId(d.Get("project_name").(string))
 
 return resourceAwsCodeBuildWebhookRead(d, meta)
@@ -84,8 +86,8 @@ func resourceAwsCodeBuildWebhookRead(d *schema.ResourceData, meta interface{}) e
 d.Set("branch_filter", project.Webhook.BranchFilter)
 d.Set("payload_url", project.Webhook.PayloadUrl)
 d.Set("project_name", project.Name)
-d.Set("secret", project.Webhook.Secret)
 d.Set("url", project.Webhook.Url)
+// The secret is never returned after creation, so don't set it here
 
 return nil
 }
diff --git a/website/docs/r/codebuild_webhook.html.markdown b/website/docs/r/codebuild_webhook.html.markdown
index e62820137ef2..d477ecafd5c0 100644
--- a/website/docs/r/codebuild_webhook.html.markdown
+++ b/website/docs/r/codebuild_webhook.html.markdown
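Review bot: `d.Set("secret", resp.Webhook.Secret)` in the second hunk dereferences `resp.Webhook` without a nil check; `CreateWebhookOutput.Webhook` is a pointer, and the only guarded failure here is `err` from the call itself. A guard such as `if resp.Webhook != nil { d.Set("secret", resp.Webhook.Secret) }` keeps a response without a webhook body from panicking the provider mid-apply, before `SetId` has recorded the resource, and stores exactly the same value on the happy path. The enclosing `resourceAwsCodeBuildWebhookCreate` begins in the previous hunk.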
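Review bot: The comment `// The secret is never returned after creation, so don't set it here` in the third hunk of `resourceAwsCodeBuildWebhookRead` leaves out the consequence a maintainer needs: Read is also the import path, so an imported webhook carries no `secret` in state, and a value rotated outside Terraform is never detected on refresh. Extending it to `// The secret is never returned after creation, so don't set it here; imported resources therefore have no secret in state and out-of-band rotation is not detected (see the docs note)` keeps in the code the behaviour the tests' `ImportStateVerifyIgnore` relies on. The function's start lies outside the hunk.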
@@ -62,6 +62,8 @@ In addition to all arguments above, the following attributes are exported:
 * `secret` - The secret token of the associated repository. Not returned for all source types.
 * `url` - The URL to the webhook.
 
+~> **Note:** The `secret` and `url` attributes are only set on resource creation, so if the secret is manually rotated, terraform will not pick up the change on subsequent runs. In that case, the webhook resource should be tainted and re-created to get the secret back in sync.
+
 ## Import
 
 CodeBuild Webhooks can be imported using the CodeBuild Project name, e.g.

From 9bef2d6e3849733294bbfe7701de6b6e0b0ba43e Mon Sep 17 00:00:00 2001
From: Greg Thole
Date: Thu, 7 Jun 2018 10:31:23 -0400
Subject: [PATCH 2/4] Set secret to be sensitive

---
 aws/resource_aws_codebuild_webhook.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/aws/resource_aws_codebuild_webhook.go b/aws/resource_aws_codebuild_webhook.go
index 574d5f22a0d8..5cd9c6001a36 100644
--- a/aws/resource_aws_codebuild_webhook.go
+++ b/aws/resource_aws_codebuild_webhook.go
@@ -34,8 +34,9 @@ func resourceAwsCodeBuildWebhook() *schema.Resource {
 Computed: true,
 },
 "secret": {
-Type: schema.TypeString,
-Computed: true,
+Type: schema.TypeString,
+Computed: true,
+Sensitive: true,
 },
 "url": {
 Type: schema.TypeString,

From bdf75ccbb06b349dad770950e47732c5e3c81107 Mon Sep 17 00:00:00 2001
From: Greg Thole
Date: Thu, 7 Jun 2018 10:32:47 -0400
Subject: [PATCH 3/4] Update tests

---
 aws/resource_aws_codebuild_webhook_test.go | 27 ++++++++++---------
 .../docs/r/codebuild_webhook.html.markdown | 2 +-
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/aws/resource_aws_codebuild_webhook_test.go b/aws/resource_aws_codebuild_webhook_test.go
index bac817211106..f500521a7b9c 100644
--- a/aws/resource_aws_codebuild_webhook_test.go
+++ b/aws/resource_aws_codebuild_webhook_test.go
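Review bot: `Sensitive: true` on the `secret` attribute in the PATCH 2/4 hunk only redacts the value from plan and apply output; the value is still written to the state file in clear text, and neither the schema nor the accompanying docs note says so. A one-line comment on the field, `// Sensitive redacts the value from CLI output; it is still stored in state.`, keeps the next maintainer from reading the flag as protection of the stored secret. The enclosing `resourceAwsCodeBuildWebhook` starts and ends outside the hunk.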
@@ -29,15 +29,15 @@ func TestAccAWSCodeBuildWebhook_GitHub(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "branch_filter", ""),
 resource.TestCheckResourceAttr(resourceName, "project_name", rName),
 resource.TestMatchResourceAttr(resourceName, "payload_url", regexp.MustCompile(`^https://`)),
-// Checking secret value can be flakey, we may need to wait for its generation
-// resource.TestMatchResourceAttr(resourceName, "secret", regexp.MustCompile(`.+`)),
+resource.TestCheckResourceAttr(resourceName, "secret", ""),
 resource.TestMatchResourceAttr(resourceName, "url", regexp.MustCompile(`^https://`)),
 ),
 },
 {
-ResourceName: resourceName,
-ImportState: true,
-ImportStateVerify: true,
+ResourceName: resourceName,
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"secret"},
 },
 },
 })
@@ -60,15 +60,15 @@ func TestAccAWSCodeBuildWebhook_GitHubEnterprise(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "branch_filter", ""),
 resource.TestCheckResourceAttr(resourceName, "project_name", rName),
 resource.TestMatchResourceAttr(resourceName, "payload_url", regexp.MustCompile(`^https://`)),
-// Checking secret value can be flakey, we may need to wait for its generation
-// resource.TestMatchResourceAttr(resourceName, "secret", regexp.MustCompile(`.+`)),
+resource.TestMatchResourceAttr(resourceName, "secret", regexp.MustCompile(`.+`)),
 resource.TestCheckResourceAttr(resourceName, "url", ""),
 ),
 },
 {
-ResourceName: resourceName,
-ImportState: true,
-ImportStateVerify: true,
+ResourceName: resourceName,
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"secret"},
 },
 },
 })
@@ -99,9 +99,10 @@ func TestAccAWSCodeBuildWebhook_BranchFilter(t *testing.T) {
 ),
 },
 {
-ResourceName: resourceName,
-ImportState: true,
-ImportStateVerify: true,
+ResourceName: resourceName,
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"secret"},
 },
 },
 })
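Review bot: The first hunk replaces the explanatory comment with `resource.TestCheckResourceAttr(resourceName, "secret", "")`, so a reader now sees the GitHub test require an empty secret while the GitHubEnterprise hunk directly below requires a non-empty one, with nothing saying why the two sources differ. If the reason is that CreateWebhook returns no secret for GitHub-hosted sources, a comment on that line such as `// GitHub source: CreateWebhook returns no secret, so the attribute stays empty` would save the next maintainer from reading the assertion as a flake workaround. The same applies to the GitHubEnterprise hunk, where `.+` is the only hint that a secret is expected there. All three test functions start outside their hunks.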
diff --git a/website/docs/r/codebuild_webhook.html.markdown b/website/docs/r/codebuild_webhook.html.markdown
index d477ecafd5c0..9c7509741393 100644
--- a/website/docs/r/codebuild_webhook.html.markdown
+++ b/website/docs/r/codebuild_webhook.html.markdown
@@ -62,7 +62,7 @@ In addition to all arguments above, the following attributes are exported:
 * `secret` - The secret token of the associated repository. Not returned for all source types.
 * `url` - The URL to the webhook.
 
-~> **Note:** The `secret` and `url` attributes are only set on resource creation, so if the secret is manually rotated, terraform will not pick up the change on subsequent runs. In that case, the webhook resource should be tainted and re-created to get the secret back in sync.
+~> **Note:** The `secret` attribute is only set on resource creation, so if the secret is manually rotated, terraform will not pick up the change on subsequent runs. In that case, the webhook resource should be tainted and re-created to get the secret back in sync.
 
 ## Import
 

From d9a7a9038fc279102a9a6b3fb7c0c1f25fcb2e1b Mon Sep 17 00:00:00 2001
From: Greg Thole
Date: Thu, 7 Jun 2018 11:20:43 -0400
Subject: [PATCH 4/4] Add update step to codebuild_webhook GHE test

---
 aws/resource_aws_codebuild_webhook_test.go | 28 ++++++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/aws/resource_aws_codebuild_webhook_test.go b/aws/resource_aws_codebuild_webhook_test.go
index f500521a7b9c..4af84743f01a 100644
--- a/aws/resource_aws_codebuild_webhook_test.go
+++ b/aws/resource_aws_codebuild_webhook_test.go
@@ -54,10 +54,27 @@ func TestAccAWSCodeBuildWebhook_GitHubEnterprise(t *testing.T) {
 CheckDestroy: testAccCheckAWSCodeBuildWebhookDestroy,
 Steps: []resource.TestStep{
 {
-Config: testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName),
+Config: testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName, "dev"),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckAWSCodeBuildWebhookExists(resourceName, &webhook),
-resource.TestCheckResourceAttr(resourceName, "branch_filter", ""),
+resource.TestCheckResourceAttr(resourceName, "branch_filter", "dev"),
+resource.TestCheckResourceAttr(resourceName, "project_name", rName),
+resource.TestMatchResourceAttr(resourceName, "payload_url", regexp.MustCompile(`^https://`)),
+resource.TestMatchResourceAttr(resourceName, "secret", regexp.MustCompile(`.+`)),
+resource.TestCheckResourceAttr(resourceName, "url", ""),
+),
+},
+{
+ResourceName: resourceName,
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"secret"},
+},
+{
+Config: testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName, "master"),
+Check: resource.ComposeTestCheckFunc(
+testAccCheckAWSCodeBuildWebhookExists(resourceName, &webhook),
+resource.TestCheckResourceAttr(resourceName, "branch_filter", "master"),
 resource.TestCheckResourceAttr(resourceName, "project_name", rName),
 resource.TestMatchResourceAttr(resourceName, "payload_url", regexp.MustCompile(`^https://`)),
 resource.TestMatchResourceAttr(resourceName, "secret", regexp.MustCompile(`.+`)),
@@ -180,7 +197,7 @@ resource "aws_codebuild_webhook" "test" {
 `)
 }
 
-func testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName string) string {
+func testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName string, branchFilter string) string {
 return testAccAWSCodeBuildProjectConfig_Base_ServiceRole(rName) + fmt.Sprintf(`
 resource "aws_codebuild_project" "test" {
 name = "%s"
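Review bot: The new update step in the first hunk re-checks `secret` against `.+` but nothing verifies that it is still the value captured at create; since Read no longer refreshes the attribute, this check passes on whatever is already in state and would not notice an update path that clobbered or rotated it. Capturing the attribute in the first step with a small TestCheckFunc and comparing it in the "master" step with `resource.TestCheckResourceAttrPtr(resourceName, "secret", &secret)` would pin the property the series is actually introducing — that an in-place `branch_filter` change keeps the secret stable. `TestAccAWSCodeBuildWebhook_GitHubEnterprise` starts before the hunk and its remaining steps follow it.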
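Review bot: The new signature in the second hunk, `func testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName string, branchFilter string) string {`, spells the shared type twice while the sibling helper at the end of the series is declared as `testAccAWSCodeBuildWebhookConfig_BranchFilter(rName, branchFilter string)`. Writing it as `func testAccAWSCodeBuildWebhookConfig_GitHubEnterprise(rName, branchFilter string) string {` keeps the two config helpers consistent. The body of the helper continues into the next hunk.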
@@ -203,9 +220,10 @@ resource "aws_codebuild_project" "test" {
 }
 
 resource "aws_codebuild_webhook" "test" {
-project_name = "${aws_codebuild_project.test.name}"
+project_name = "${aws_codebuild_project.test.name}"
+branch_filter = "%s"
 }
-`, rName)
+`, rName, branchFilter)
 }
 
 func testAccAWSCodeBuildWebhookConfig_BranchFilter(rName, branchFilter string) string {