Config Generation: Generate resources with sensitive attributes (#1715)

* Config Generation: Generate resources with sensitive attributes
This is a fairly complex one but it's the last missing piece to full config generation

The `terraform plan -generate-config-out` command is overly aggressive in redacting sensitive values

Whenever a child attribute of a block is sensitive, the whole block is redacted, meaning that the generated resources are invalid if the block was required

In this PR:
- Add listers for `grafana_user` and `grafana_contact_point`
- Replace nulled sensitive attributes with a placeholder (example: `password` in `grafana_user`_)
- Generate "sensitive" blocks by making all attribute non-sensitive. This is a bit hacky but it's integrated well enough and I haven't found a better way (tried lots of things)

* Fix integration test

* Fix lint

Author: julienduchesne

internal/resources/grafana/resource_alerting_contact_point.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/go-openapi/runtime"
+	goapi "github.com/grafana/grafana-openapi-client-go/client"
 	"github.com/grafana/grafana-openapi-client-go/client/provisioning"
 	"github.com/grafana/grafana-openapi-client-go/models"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -103,48 +104,37 @@ This resource requires Grafana 9.1.0 or later.
 		"grafana_contact_point",
 		orgResourceIDString("name"),
 		resource,
-	)
+	).WithLister(listerFunctionOrgResource(listContactPoints))
 }
 
-// TODO: Fix contact points lister. Terraform doesn't read any of the sensitive fields (or their container)
-// It outputs an empty `email {}` block for example, which is not valid.
-// func listContactPoints(ctx context.Context, client *goapi.GrafanaHTTPAPI, data *ListerData) ([]string, error) {
-// 	orgIDs, err := data.OrgIDs(client)
-// 	if err != nil {
-// 		return nil, err
-// 	}
-
-// 	idMap := map[string]bool{}
-// 	for _, orgID := range orgIDs {
-// 		client = client.Clone().WithOrgID(orgID)
-
-// 		// Retry if the API returns 500 because it may be that the alertmanager is not ready in the org yet.
-// 		// The alertmanager is provisioned asynchronously when the org is created.
-// 		if err := retry.RetryContext(ctx, 2*time.Minute, func() *retry.RetryError {
-// 			resp, err := client.Provisioning.GetContactpoints(provisioning.NewGetContactpointsParams())
-// 			if err != nil {
-// 				if orgID > 1 && (err.(*runtime.APIError).IsCode(500) || err.(*runtime.APIError).IsCode(403)) {
-// 					return retry.RetryableError(err)
-// 				}
-// 				return retry.NonRetryableError(err)
-// 			}
-
-// 			for _, contactPoint := range resp.Payload {
-// 				idMap[MakeOrgResourceID(orgID, contactPoint.Name)] = true
-// 			}
-// 			return nil
-// 		}); err != nil {
-// 			return nil, err
-// 		}
-// 	}
-
-// 	var ids []string
-// 	for id := range idMap {
-// 		ids = append(ids, id)
-// 	}
-
-// 	return ids, nil
-// }
+func listContactPoints(ctx context.Context, client *goapi.GrafanaHTTPAPI, orgID int64) ([]string, error) {
+	idMap := map[string]bool{}
+	// Retry if the API returns 500 because it may be that the alertmanager is not ready in the org yet.
+	// The alertmanager is provisioned asynchronously when the org is created.
+	if err := retry.RetryContext(ctx, 2*time.Minute, func() *retry.RetryError {
+		resp, err := client.Provisioning.GetContactpoints(provisioning.NewGetContactpointsParams())
+		if err != nil {
+			if orgID > 1 && (err.(*runtime.APIError).IsCode(500) || err.(*runtime.APIError).IsCode(403)) {
+				return retry.RetryableError(err)
+			}
+			return retry.NonRetryableError(err)
+		}
+
+		for _, contactPoint := range resp.Payload {
+			idMap[MakeOrgResourceID(orgID, contactPoint.Name)] = true
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	var ids []string
+	for id := range idMap {
+		ids = append(ids, id)
+	}
+
+	return ids, nil
+}
 
 func readContactPoint(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, orgID, name := OAPIClientFromExistingOrgResource(meta, data.Id())

internal/resources/grafana/resource_user.go

@@ -5,6 +5,8 @@ import (
 	"strconv"
 	"strings"
 
+	goapi "github.com/grafana/grafana-openapi-client-go/client"
+	"github.com/grafana/grafana-openapi-client-go/client/users"
 	"github.com/grafana/grafana-openapi-client-go/models"
 	"github.com/grafana/terraform-provider-grafana/v3/internal/common"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -75,34 +77,32 @@ You must use basic auth.
 		"grafana_user",
 		resourceUserID,
 		schema,
-	)
-	// ).WithLister(listerFunction(listUsers))
+	).WithLister(listerFunction(listUsers))
 }
 
-// TODO: Fix issues with password
-// func listUsers(ctx context.Context, client *goapi.GrafanaHTTPAPI, data *ListerData) ([]string, error) {
-// 	var ids []string
-// 	var page int64 = 1
-// 	for {
-// 		params := users.NewSearchUsersParams().WithPage(&page)
-// 		resp, err := client.Users.SearchUsers(params)
-// 		if err != nil {
-// 			return nil, err
-// 		}
-
-// 		for _, user := range resp.Payload {
-// 			ids = append(ids, strconv.FormatInt(user.ID, 10))
-// 		}
-
-// 		if len(resp.Payload) == 0 {
-// 			break
-// 		}
-
-// 		page++
-// 	}
-
-// 	return ids, nil
-// }
+func listUsers(ctx context.Context, client *goapi.GrafanaHTTPAPI, data *ListerData) ([]string, error) {
+	var ids []string
+	var page int64 = 1
+	for {
+		params := users.NewSearchUsersParams().WithPage(&page)
+		resp, err := client.Users.SearchUsers(params)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, user := range resp.Payload {
+			ids = append(ids, strconv.FormatInt(user.ID, 10))
+		}
+
+		if len(resp.Payload) == 0 {
+			break
+		}
+
+		page++
+	}
+
+	return ids, nil
+}
 
 func CreateUser(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, err := OAPIGlobalClient(meta)

internal/testutils/provider.go

@@ -2,6 +2,7 @@ package testutils
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -50,7 +51,11 @@ var (
 			configureResp, err := server.ConfigureProvider(context.Background(), &tfprotov5.ConfigureProviderRequest{Config: &testDynamicValue})
 			if err != nil || len(configureResp.Diagnostics) > 0 {
 				if err == nil {
-					err = fmt.Errorf("provider configuration failed: %v", configureResp.Diagnostics)
+					errs := []error{}
+					for _, diag := range configureResp.Diagnostics {
+						errs = append(errs, fmt.Errorf("%s %s: %s", diag.Severity, diag.Summary, diag.Detail))
+					}
+					err = errors.Join(errs...)
 				}
 				return nil, fmt.Errorf("failed to configure provider: %v", err)
 			}

pkg/generate/generate.go

@@ -14,6 +14,7 @@ import (
 	"github.com/grafana/terraform-provider-grafana/v3/internal/common"
 	"github.com/grafana/terraform-provider-grafana/v3/pkg/generate/postprocessing"
 	"github.com/grafana/terraform-provider-grafana/v3/pkg/generate/utils"
+	"github.com/grafana/terraform-provider-grafana/v3/pkg/provider"
 	"github.com/hashicorp/hcl/v2/hclwrite"
 	"github.com/hashicorp/terraform-exec/tfexec"
 	"github.com/zclconf/go-cty/cty"
@@ -95,6 +96,14 @@ func Generate(ctx context.Context, cfg *Config) GenerationResult {
 		return failuref("failed to create output directory %s: %s", cfg.OutputDir, err)
 	}
 
+	// Enable "unsensitive" mode for the provider
+	os.Setenv(provider.EnableGenerateEnvVar, "true")
+	defer os.Unsetenv(provider.EnableGenerateEnvVar)
+	if err := os.WriteFile(filepath.Join(cfg.OutputDir, provider.EnableGenerateMarkerFile), []byte("unsensitive!"), 0600); err != nil {
+		return failuref("failed to write marker file: %w", err)
+	}
+	defer os.Remove(filepath.Join(cfg.OutputDir, provider.EnableGenerateMarkerFile))
+
 	// Generate provider installation block
 	providerBlock := hclwrite.NewBlock("terraform", nil)
 	requiredProvidersBlock := hclwrite.NewBlock("required_providers", nil)
@@ -104,7 +113,7 @@ func Generate(ctx context.Context, cfg *Config) GenerationResult {
 	}))
 	providerBlock.Body().AppendBlock(requiredProvidersBlock)
 	if err := writeBlocks(filepath.Join(cfg.OutputDir, "provider.tf"), providerBlock); err != nil {
-		log.Fatal(err)
+		return failure(err)
 	}
 
 	tf, err := setupTerraform(cfg)
@@ -304,7 +313,7 @@ func generateImportBlocks(ctx context.Context, client *common.Client, listerData
 		return failure(err)
 	}
 	_, err = cfg.Terraform.Plan(ctx, tfexec.GenerateConfigOut(generatedFilename("resources.tf")))
-	if err != nil {
+	if err != nil && !strings.Contains(err.Error(), "Missing required argument") {
 		// If resources.tf was created and is not empty, return the error as a "non-critical" error
 		if stat, statErr := os.Stat(generatedFilename("resources.tf")); statErr == nil && stat.Size() > 0 {
 			returnResult.Errors = append(returnResult.Errors, NonCriticalGenerationFailure{err})
@@ -313,6 +322,10 @@ func generateImportBlocks(ctx context.Context, client *common.Client, listerData
 		}
 	}
 
+	if err := postprocessing.ReplaceNullSensitiveAttributes(generatedFilename("resources.tf")); err != nil {
+		return failure(err)
+	}
+
 	if err := removeOrphanedImports(generatedFilename("imports.tf"), generatedFilename("resources.tf")); err != nil {
 		return failure(err)
 	}

pkg/generate/postprocessing/postprocessing_test.go

@@ -0,0 +1,35 @@
+package postprocessing
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func postprocessingTest(t *testing.T, testFile string, fn func(fpath string)) {
+	t.Helper()
+
+	t.Run(testFile, func(t *testing.T) {
+		goldenFilepath := strings.Replace(testFile, ".tf", ".golden.tf", 1)
+
+		// Copy the file to a temporary location
+		tmpFilepath := filepath.Join(t.TempDir(), filepath.Base(testFile))
+		file, err := os.ReadFile(testFile)
+		require.NoError(t, err)
+		require.NoError(t, os.WriteFile(tmpFilepath, file, 0600))
+
+		// Run the postprocessing function
+		fn(tmpFilepath)
+
+		// Compare the file with the golden file
+		got, err := os.ReadFile(tmpFilepath)
+		require.NoError(t, err)
+		want, err := os.ReadFile(goldenFilepath)
+		require.NoError(t, err)
+
+		require.Equal(t, string(want), string(got))
+	})
+}

pkg/generate/postprocessing/replace_null_sensitive.go

@@ -0,0 +1,46 @@
+package postprocessing
+
+import (
+	"log"
+
+	"github.com/grafana/terraform-provider-grafana/v3/internal/common"
+	"github.com/grafana/terraform-provider-grafana/v3/pkg/provider"
+	"github.com/hashicorp/hcl/v2/hclwrite"
+	"github.com/zclconf/go-cty/cty"
+)
+
+func ReplaceNullSensitiveAttributes(fpath string) error {
+	providerResources := map[string]*common.Resource{}
+	for _, r := range provider.Resources() {
+		providerResources[r.Name] = r
+	}
+
+	return postprocessFile(fpath, func(file *hclwrite.File) error {
+		for _, block := range file.Body().Blocks() {
+			if block.Type() != "resource" {
+				continue
+			}
+
+			resourceType := block.Labels()[0]
+			resourceInfo := providerResources[resourceType]
+			resourceSchema := resourceInfo.Schema
+			if resourceSchema == nil {
+				// Plugin Framework schema not implemented because we have no resources with sensitive attributes in it yet
+				log.Printf("resource %s doesn't use the legacy SDK", resourceType)
+				continue
+			}
+
+			for key := range block.Body().Attributes() {
+				attrSchema := resourceSchema.Schema[key]
+				if attrSchema == nil {
+					// Attribute not found in schema
+					continue
+				}
+				if attrSchema.Sensitive && attrSchema.Required {
+					block.Body().SetAttributeValue(key, cty.StringVal("SENSITIVE_VALUE_TO_REPLACE"))
+				}
+			}
+		}
+		return nil
+	})
+}

pkg/generate/postprocessing/replace_null_sensitive_test.go

@@ -0,0 +1,13 @@
+package postprocessing
+
+import "testing"
+
+func TestReplaceNullSensitiveAttributes(t *testing.T) {
+	for _, testFile := range []string{
+		"testdata/replace-user-password.tf",
+	} {
+		postprocessingTest(t, testFile, func(fpath string) {
+			ReplaceNullSensitiveAttributes(fpath)
+		})
+	}
+}

pkg/generate/postprocessing/testdata/replace-user-password.golden.tf

@@ -0,0 +1,8 @@
+# __generated__ by Terraform
+resource "grafana_user" "_1" {
+  email    = "admin@localhost"
+  is_admin = true
+  login    = "admin"
+  name     = null
+  password = "SENSITIVE_VALUE_TO_REPLACE"
+}

pkg/generate/postprocessing/testdata/replace-user-password.tf

@@ -0,0 +1,8 @@
+# __generated__ by Terraform
+resource "grafana_user" "_1" {
+  email    = "admin@localhost"
+  is_admin = true
+  login    = "admin"
+  name     = null
+  password = null
+}

pkg/generate/terraform.go

@@ -74,7 +74,7 @@ func setupTerraform(cfg *Config) (*tfexec.Terraform, error) {
 
 	err = tf.Init(context.Background(), initOptions...)
 	if err != nil {
-		return nil, fmt.Errorf("error running Init: %s", err)
+		return nil, fmt.Errorf("error running Init: %w", err)
 	}
 
 	return tf, nil

pkg/generate/testdata/generate/alerting-in-org/imports.tf

@@ -1,3 +1,18 @@
+import {
+  to = grafana_contact_point._1_email_receiver
+  id = "1:email receiver"
+}
+
+import {
+  to = grafana_contact_point._2_email_receiver
+  id = "2:email receiver"
+}
+
+import {
+  to = grafana_contact_point._2_my-contact-point
+  id = "2:my-contact-point"
+}
+
 import {
   to = grafana_folder._2_alert-rule-folder
   id = "2:alert-rule-folder"