Merge pull request #790 from rcatolino/dev/rca/fix-okms-cred-update

fix(okms): require replacement of credential on identity_urn change

Author: amstuta

ovh/resource_okms_credential_gen.go

@@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/listplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 )
@@ -111,6 +112,9 @@ func OkmsCredentialResourceSchema(ctx context.Context) schema.Schema {
 			Required:            true,
 			Description:         "List of identity URNs associated with the credential (max 25)",
 			MarkdownDescription: "List of identity URNs associated with the credential (max 25)",
+			PlanModifiers: []planmodifier.List{
+				listplanmodifier.RequiresReplace(),
+			},
 		},
 		"name": schema.StringAttribute{
 			CustomType:          ovhtypes.TfStringType{},

ovh/resource_okms_credential_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 	"github.com/hashicorp/terraform-plugin-testing/statecheck"
 	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
@@ -117,7 +118,7 @@ resource "ovh_okms" "kms" {
 resource "ovh_okms_credential" "cred" {
   okms_id = ovh_okms.kms.id
   name = "%[2]s"
-  identity_urns = ["urn:v1:eu:identity:account:${data.ovh_me.current_account.nichandle}"]
+  identity_urns = ["%[3]s"]
 }
 
 resource "ovh_okms_credential" "credcsr" {
@@ -159,22 +160,45 @@ func getAllCredsChecks(resName string, displayName string, resNameCsr string, di
 func TestAccOkmsCredCreate(t *testing.T) {
 	kmsName := acctest.RandomWithPrefix(test_prefix)
 	credName := acctest.RandomWithPrefix(test_prefix)
+	oldIdUrn := "urn:v1:eu:identity:account:${data.ovh_me.current_account.nichandle}"
+	newIdUrn := "urn:v1:eu:identity:user:badnic-ovh/user1"
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheckCredentials(t) },
 		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
 		Steps: []resource.TestStep{
 			{
-				Config: fmt.Sprintf(confOkmsCredTest, kmsName, credName),
+				Config: fmt.Sprintf(confOkmsCredTest, kmsName, credName, oldIdUrn),
 				ConfigStateChecks: getAllCredsChecks(
 					"ovh_okms_credential.cred",
 					credName,
 					"ovh_okms_credential.credcsr",
 					credName+"csr"),
 			},
+			{
+				// Test update
+				Config: fmt.Sprintf(confOkmsCredTest, kmsName, credName, newIdUrn),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectNonEmptyPlan(),
+						plancheck.ExpectResourceAction(
+							"ovh_okms_credential.cred",
+							plancheck.ResourceActionReplace),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"ovh_okms_credential.cred",
+						tfjsonpath.New("identity_urns"),
+						knownvalue.ListExact([]knownvalue.Check{
+							knownvalue.StringExact(newIdUrn),
+						}),
+					),
+				},
+			},
 			{
 				// Test datasource
-				Config: fmt.Sprintf(confOkmsCredTest+confOkmsDatasourceTest, kmsName, credName),
+				Config: fmt.Sprintf(confOkmsCredTest+confOkmsDatasourceTest, kmsName, credName, newIdUrn),
 				ConfigStateChecks: append(
 					kmsCredDatasourceChecks("ovh_okms_credential.cred", "data.ovh_okms_credential.data_cred"),
 					kmsCredDatasourceChecks("ovh_okms_credential.credcsr", "data.ovh_okms_credential.data_credcsr")...,