Updates how we handle secrets to address provider config issues

nickfloyd · nickfloyd · commit 1ae026cc24e0 · 2025-11-17T14:05:24.000-06:00
diff --git a/github/resource_github_actions_organization_secret.go b/github/resource_github_actions_organization_secret.go
@@ -59,8 +59,8 @@ func resourceGithubActionsOrganizationSecret() *schema.Resource {
 			"visibility": {
 				Type:             schema.TypeString,
 				Required:         true,
-				ValidateDiagFunc: validateValueFunc([]string{"all", "private", "selected"}),
 				ForceNew:         true,
+				ValidateDiagFunc: validateValueFunc([]string{"all", "private", "selected"}),
 				Description:      "Configures the access that repositories have to the organization secret. Must be one of 'all', 'private', or 'selected'. 'selected_repository_ids' is required if set to 'selected'.",
 			},
 			"selected_repository_ids": {
@@ -218,10 +218,10 @@ func resourceGithubActionsOrganizationSecretRead(d *schema.ResourceData, meta in
 	// previously.
 	destroyOnDrift := d.Get("destroy_on_drift").(bool)
 	storedUpdatedAt, hasStoredUpdatedAt := d.GetOk("updated_at")
-	
+
 	if hasStoredUpdatedAt && storedUpdatedAt != secret.UpdatedAt.String() {
 		log.Printf("[INFO] The secret %s has been externally updated in GitHub", d.Id())
-		
+
 		if destroyOnDrift {
 			// Original behavior: mark for recreation
 			d.SetId("")
diff --git a/github/resource_github_actions_organization_secret_test.go b/github/resource_github_actions_organization_secret_test.go
@@ -190,7 +190,7 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 	t.Run("destroyOnDrift false clears sensitive values instead of recreating", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsOrganizationSecret().Schema, map[string]interface{}{
 			"secret_name":      "test-secret",
 			"plaintext_value":  "original-value",
@@ -204,7 +204,7 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 		// Simulate drift detection logic when destroy_on_drift is false
 		destroyOnDrift := d.Get("destroy_on_drift").(bool)
 		storedUpdatedAt, hasStoredUpdatedAt := d.GetOk("updated_at")
-		
+
 		if hasStoredUpdatedAt && storedUpdatedAt != newTimestamp {
 			if destroyOnDrift {
 				// Would clear ID for recreation
@@ -240,20 +240,20 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 	t.Run("destroyOnDrift true still recreates resource on drift", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsOrganizationSecret().Schema, map[string]interface{}{
 			"secret_name":      "test-secret",
 			"plaintext_value":  "original-value",
 			"visibility":       "private",
-			"destroy_on_drift": true,  // Explicitly set to true
+			"destroy_on_drift": true, // Explicitly set to true
 			"updated_at":       originalTimestamp,
 		})
 		d.SetId("test-secret")
 
 		// Simulate drift detection logic when destroy_on_drift is true
 		destroyOnDrift := d.Get("destroy_on_drift").(bool)
 		storedUpdatedAt, hasStoredUpdatedAt := d.GetOk("updated_at")
-		
+
 		if hasStoredUpdatedAt && storedUpdatedAt != newTimestamp {
 			if destroyOnDrift {
 				// Should clear ID for recreation (original behavior)
@@ -262,7 +262,7 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 			}
 		}
 
-		// Should have cleared the ID for recreation when destroy_on_drift=true  
+		// Should have cleared the ID for recreation when destroy_on_drift=true
 		if d.Id() != "" {
 			t.Error("Expected ID to be cleared for recreation when destroy_on_drift=true, but it was preserved")
 		}
@@ -278,7 +278,7 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 
 	t.Run("default destroy_on_drift is true", func(t *testing.T) {
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsOrganizationSecret().Schema, map[string]interface{}{
-			"secret_name":     "test-secret", 
+			"secret_name":     "test-secret",
 			"plaintext_value": "test-value",
 			"visibility":      "private",
 			// destroy_on_drift not set, should default to true
diff --git a/github/resource_github_actions_secret.go b/github/resource_github_actions_secret.go
@@ -17,7 +17,6 @@ func resourceGithubActionsSecret() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGithubActionsSecretCreateOrUpdate,
 		Read:   resourceGithubActionsSecretRead,
-		Update: resourceGithubActionsSecretCreateOrUpdate,
 		Delete: resourceGithubActionsSecretDelete,
 		Importer: &schema.ResourceImporter{
 			State: resourceGithubActionsSecretImport,
@@ -187,7 +186,7 @@ func resourceGithubActionsSecretRead(d *schema.ResourceData, meta interface{}) e
 		if err = d.Set("plaintext_value", d.Get("plaintext_value")); err != nil {
 			return err
 		}
-	}	// Always update the timestamp to prevent repeated drift detection
+	} // Always update the timestamp to prevent repeated drift detection
 	if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
 		return err
 	}
diff --git a/github/resource_github_actions_secret_test.go b/github/resource_github_actions_secret_test.go
@@ -298,7 +298,7 @@ func TestAccGithubActionsSecret(t *testing.T) {
 
 	t.Run("respects destroy_on_drift setting", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
-		
+
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
 				name = "tf-acc-test-%s"
@@ -368,11 +368,11 @@ func TestAccGithubActionsSecret(t *testing.T) {
 
 // Unit tests for drift detection behavior
 func TestGithubActionsSecretDriftDetection(t *testing.T) {
-	
+
 	t.Run("destroyOnDrift true causes recreation on timestamp mismatch", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsSecret().Schema, map[string]interface{}{
 			"repository":       "test-repo",
 			"secret_name":      "test-secret",
@@ -397,9 +397,9 @@ func TestGithubActionsSecretDriftDetection(t *testing.T) {
 	t.Run("destroyOnDrift false clears sensitive values instead of recreating", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsSecret().Schema, map[string]interface{}{
-			"repository":       "test-repo", 
+			"repository":       "test-repo",
 			"secret_name":      "test-secret",
 			"plaintext_value":  "original-value",
 			"encrypted_value":  "original-encrypted",
@@ -411,7 +411,7 @@ func TestGithubActionsSecretDriftDetection(t *testing.T) {
 		// Simulate drift detection logic when destroy_on_drift is false
 		destroyOnDrift := d.Get("destroy_on_drift").(bool)
 		storedUpdatedAt, hasStoredUpdatedAt := d.GetOk("updated_at")
-		
+
 		if hasStoredUpdatedAt && storedUpdatedAt != newTimestamp {
 			if destroyOnDrift {
 				// Would clear ID for recreation
@@ -447,20 +447,20 @@ func TestGithubActionsSecretDriftDetection(t *testing.T) {
 	t.Run("destroyOnDrift true still recreates resource on drift", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsSecret().Schema, map[string]interface{}{
-			"repository":       "test-repo", 
+			"repository":       "test-repo",
 			"secret_name":      "test-secret",
 			"plaintext_value":  "original-value",
-			"destroy_on_drift": true,  // Explicitly set to true
+			"destroy_on_drift": true, // Explicitly set to true
 			"updated_at":       originalTimestamp,
 		})
 		d.SetId("test-secret")
 
 		// Simulate drift detection logic when destroy_on_drift is true
 		destroyOnDrift := d.Get("destroy_on_drift").(bool)
 		storedUpdatedAt, hasStoredUpdatedAt := d.GetOk("updated_at")
-		
+
 		if hasStoredUpdatedAt && storedUpdatedAt != newTimestamp {
 			if destroyOnDrift {
 				// Should clear ID for recreation (original behavior)
@@ -469,7 +469,7 @@ func TestGithubActionsSecretDriftDetection(t *testing.T) {
 			}
 		}
 
-		// Should have cleared the ID for recreation when destroy_on_drift=true  
+		// Should have cleared the ID for recreation when destroy_on_drift=true
 		if d.Id() != "" {
 			t.Error("Expected ID to be cleared for recreation when destroy_on_drift=true, but it was preserved")
 		}
@@ -478,7 +478,7 @@ func TestGithubActionsSecretDriftDetection(t *testing.T) {
 	t.Run("default destroy_on_drift is true", func(t *testing.T) {
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsSecret().Schema, map[string]interface{}{
 			"repository":      "test-repo",
-			"secret_name":     "test-secret", 
+			"secret_name":     "test-secret",
 			"plaintext_value": "test-value",
 			// destroy_on_drift not set, should default to true
 		})
@@ -491,10 +491,10 @@ func TestGithubActionsSecretDriftDetection(t *testing.T) {
 
 	t.Run("no drift when timestamps match", func(t *testing.T) {
 		timestamp := "2023-01-01T00:00:00Z"
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsSecret().Schema, map[string]interface{}{
 			"repository":       "test-repo",
-			"secret_name":      "test-secret", 
+			"secret_name":      "test-secret",
 			"plaintext_value":  "test-value",
 			"destroy_on_drift": true,
 			"updated_at":       timestamp,
@@ -556,43 +556,43 @@ func TestGithubActionsSecretIssue964Solution(t *testing.T) {
 	t.Run("solve issue 964 - prevent recreation when GUI changes secret", func(t *testing.T) {
 		// This test demonstrates the fix for:
 		// https://github.com/integrations/terraform-provider-github/issues/964
-		
+
 		// Scenario: User creates secret with Terraform, then updates value via GitHub GUI
 		// Expected: With destroy_on_drift=false, Terraform should not recreate the secret
-		
+
 		d := schema.TestResourceDataRaw(t, resourceGithubActionsSecret().Schema, map[string]interface{}{
 			"repository":       "my-repo",
-			"secret_name":      "WORKFLOW_PAT", 
+			"secret_name":      "WORKFLOW_PAT",
 			"plaintext_value":  "CHANGE_ME", // Initial placeholder value
-			"destroy_on_drift": false,        // KEY FIX: Prevents recreation
+			"destroy_on_drift": false,       // KEY FIX: Prevents recreation
 		})
 		d.SetId("WORKFLOW_PAT")
-		
+
 		// Set initial timestamp
 		originalTime := "2023-01-01T00:00:00Z"
 		d.Set("updated_at", originalTime)
-		
+
 		// Simulate: User changes secret value via GitHub GUI
-		// This changes the updated_at timestamp  
+		// This changes the updated_at timestamp
 		newTime := "2023-01-01T12:00:00Z" // Later timestamp = external change
-		
+
 		// Test the read function behavior - this is what happens during terraform plan/apply
 		destroyOnDrift := d.Get("destroy_on_drift").(bool) // false
 		if updatedAt, ok := d.GetOk("updated_at"); ok && !destroyOnDrift && updatedAt != newTime {
 			// With destroy_on_drift=false, we update timestamp but don't clear ID
 			d.Set("updated_at", newTime)
 		}
-		
+
 		// RESULT: Secret should NOT be marked for recreation
 		if d.Id() == "" {
 			t.Error("ISSUE #964 NOT FIXED: Secret was marked for recreation despite destroy_on_drift=false")
 		}
-		
+
 		// RESULT: Timestamp should be updated to acknowledge the change
 		if d.Get("updated_at").(string) != newTime {
 			t.Error("Expected timestamp to be updated to acknowledge external change")
 		}
-		
+
 		t.Logf("SUCCESS: Issue #964 solved - secret with destroy_on_drift=false does not get recreated on external changes")
 	})
 }
diff --git a/github/resource_github_codespaces_organization_secret.go b/github/resource_github_codespaces_organization_secret.go
@@ -16,7 +16,6 @@ func resourceGithubCodespacesOrganizationSecret() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGithubCodespacesOrganizationSecretCreateOrUpdate,
 		Read:   resourceGithubCodespacesOrganizationSecretRead,
-		Update: resourceGithubCodespacesOrganizationSecretCreateOrUpdate,
 		Delete: resourceGithubCodespacesOrganizationSecretDelete,
 		Importer: &schema.ResourceImporter{
 			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
@@ -66,6 +65,7 @@ func resourceGithubCodespacesOrganizationSecret() *schema.Resource {
 				},
 				Set:         schema.HashInt,
 				Optional:    true,
+				ForceNew:    true,
 				Description: "An array of repository ids that can access the organization secret.",
 			},
 			"created_at": {
diff --git a/github/resource_github_codespaces_user_secret.go b/github/resource_github_codespaces_user_secret.go
@@ -15,7 +15,6 @@ func resourceGithubCodespacesUserSecret() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGithubCodespacesUserSecretCreateOrUpdate,
 		Read:   resourceGithubCodespacesUserSecretRead,
-		Update: resourceGithubCodespacesUserSecretCreateOrUpdate,
 		Delete: resourceGithubCodespacesUserSecretDelete,
 		Importer: &schema.ResourceImporter{
 			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
@@ -58,6 +57,7 @@ func resourceGithubCodespacesUserSecret() *schema.Resource {
 				},
 				Set:         schema.HashInt,
 				Optional:    true,
+				ForceNew:    true,
 				Description: "An array of repository ids that can access the user secret.",
 			},
 			"created_at": {
diff --git a/github/resource_github_dependabot_organization_secret.go b/github/resource_github_dependabot_organization_secret.go
@@ -16,7 +16,6 @@ func resourceGithubDependabotOrganizationSecret() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGithubDependabotOrganizationSecretCreateOrUpdate,
 		Read:   resourceGithubDependabotOrganizationSecretRead,
-		Update: resourceGithubDependabotOrganizationSecretCreateOrUpdate,
 		Delete: resourceGithubDependabotOrganizationSecretDelete,
 		Importer: &schema.ResourceImporter{
 			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
@@ -66,6 +65,7 @@ func resourceGithubDependabotOrganizationSecret() *schema.Resource {
 				},
 				Set:         schema.HashInt,
 				Optional:    true,
+				ForceNew:    true,
 				Description: "An array of repository ids that can access the organization secret.",
 			},
 			"created_at": {
