Convert resourceGithubActionsOrganizationSecret to use StateUpgraders for schema migrations

Signed-off-by: Timo Sand <[email protected]>

Author: deiga

github/migrate_github_actions_organization_secret.go

@@ -1,36 +1,79 @@
 package github
 
 import (
-	"fmt"
+	"context"
 	"log"
 
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
-func resourceGithubActionsOrganizationSecretMigrateState(v int, is *terraform.InstanceState, meta any) (*terraform.InstanceState, error) {
-	switch v {
-	case 0:
-		log.Printf("[INFO] Found GitHub Actions Organization Secret State v0; migrating to v1")
-		return migrateGithubActionsOrganizationSecretStateV0toV1(is)
-	default:
-		return is, fmt.Errorf("unexpected schema version: %d", v)
+func resourceGithubActionsOrganizationSecretResourceV0() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"secret_name": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				Description:      "Name of the secret.",
+				ValidateDiagFunc: validateSecretNameFunc,
+			},
+			"encrypted_value": {
+				Type:             schema.TypeString,
+				ForceNew:         true,
+				Optional:         true,
+				Sensitive:        true,
+				ConflictsWith:    []string{"plaintext_value"},
+				Description:      "Encrypted value of the secret using the GitHub public key in Base64 format.",
+				ValidateDiagFunc: toDiagFunc(validation.StringIsBase64, "encrypted_value"),
+			},
+			"plaintext_value": {
+				Type:          schema.TypeString,
+				ForceNew:      true,
+				Optional:      true,
+				Sensitive:     true,
+				ConflictsWith: []string{"encrypted_value"},
+				Description:   "Plaintext value of the secret to be encrypted.",
+			},
+			"visibility": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				ValidateDiagFunc: validateValueFunc([]string{"all", "private", "selected"}),
+				Description:      "Configures the access that repositories have to the organization secret. Must be one of 'all', 'private', or 'selected'. 'selected_repository_ids' is required if set to 'selected'.",
+			},
+			"selected_repository_ids": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeInt,
+				},
+				Set:         schema.HashInt,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "An array of repository ids that can access the organization secret.",
+			},
+			"created_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date of 'actions_secret' creation.",
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date of 'actions_secret' update.",
+			},
+		},
 	}
 }
 
-func migrateGithubActionsOrganizationSecretStateV0toV1(is *terraform.InstanceState) (*terraform.InstanceState, error) {
-	if is.Empty() {
-		log.Printf("[DEBUG] Empty InstanceState; nothing to migrate.")
-		return is, nil
-	}
-
-	log.Printf("[DEBUG] GitHub Actions Organization Secret Attributes before migration: %#v", is.Attributes)
-
+func resourceGithubActionsOrganizationSecretInstanceStateUpgradeV0(ctx context.Context, rawState map[string]any, meta any) (map[string]any, error) {
+	log.Printf("[DEBUG] GitHub Actions Organization Secret Attributes before migration: %#v", rawState)
 	// Add the destroy_on_drift field with default value true if it doesn't exist
-	if _, ok := is.Attributes["destroy_on_drift"]; !ok {
-		is.Attributes["destroy_on_drift"] = "true"
+	if _, ok := rawState["destroy_on_drift"]; !ok {
+		rawState["destroy_on_drift"] = true
 	}
 
-	log.Printf("[DEBUG] GitHub Actions Organization Secret Attributes after State Migration: %#v", is.Attributes)
+	log.Printf("[DEBUG] GitHub Actions Organization Secret Attributes after migration: %#v", rawState)
 
-	return is, nil
+	return rawState, nil
 }

github/migrate_github_actions_organization_secret_test.go

@@ -3,67 +3,53 @@ package github
 import (
 	"reflect"
 	"testing"
-
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
-func TestMigrateGithubActionsOrganizationSecretStateV0toV1(t *testing.T) {
-	// Secret without destroy_on_drift should get default value
-	oldAttributes := map[string]string{
+func testResourceGithubActionsOrganizationSecretInstanceStateDataV0() map[string]any {
+	return map[string]any{
 		"id":              "test-secret",
 		"secret_name":     "test-secret",
 		"visibility":      "private",
 		"created_at":      "2023-01-01T00:00:00Z",
 		"updated_at":      "2023-01-01T00:00:00Z",
 		"plaintext_value": "secret-value",
 	}
+}
 
-	newState, err := migrateGithubActionsOrganizationSecretStateV0toV1(&terraform.InstanceState{
-		ID:         "test-secret",
-		Attributes: oldAttributes,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expectedAttributes := map[string]string{
-		"id":               "test-secret",
-		"secret_name":      "test-secret",
-		"visibility":       "private",
-		"created_at":       "2023-01-01T00:00:00Z",
-		"updated_at":       "2023-01-01T00:00:00Z",
-		"plaintext_value":  "secret-value",
-		"destroy_on_drift": "true",
-	}
-	if !reflect.DeepEqual(newState.Attributes, expectedAttributes) {
-		t.Fatalf("Expected attributes:\n%#v\n\nGiven:\n%#v\n",
-			expectedAttributes, newState.Attributes)
-	}
+func testResourceGithubActionsOrganizationSecretInstanceStateDataV0_WithDrift() map[string]any {
+	v0 := testResourceGithubActionsOrganizationSecretInstanceStateDataV0()
+	v0["destroy_on_drift"] = false
+	return v0
+}
 
-	// Secret with existing destroy_on_drift should be preserved
-	oldAttributesWithDrift := map[string]string{
-		"id":               "test-secret",
-		"secret_name":      "test-secret",
-		"visibility":       "private",
-		"destroy_on_drift": "false",
-	}
+func testResourceGithubActionsOrganizationSecretInstanceStateDataV1() map[string]any {
+	v0 := testResourceGithubActionsOrganizationSecretInstanceStateDataV0()
+	v0["destroy_on_drift"] = true
+	return v0
+}
 
-	newState2, err := migrateGithubActionsOrganizationSecretStateV0toV1(&terraform.InstanceState{
-		ID:         "test-secret",
-		Attributes: oldAttributesWithDrift,
+func TestGithub_MigrateActionsOrganizationSecretStateV0toV1(t *testing.T) {
+	t.Run("without destroy_on_drift", func(t *testing.T) {
+		expected := testResourceGithubActionsOrganizationSecretInstanceStateDataV1()
+		actual, err := resourceGithubActionsOrganizationSecretInstanceStateUpgradeV0(t.Context(), testResourceGithubActionsOrganizationSecretInstanceStateDataV0(), nil)
+		if err != nil {
+			t.Fatalf("error migrating state: %s", err)
+		}
+
+		if !reflect.DeepEqual(expected, actual) {
+			t.Fatalf("\n\nexpected:\n\n%#v\n\ngot:\n\n%#v\n\n", expected, actual)
+		}
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
 
-	expectedAttributesWithDrift := map[string]string{
-		"id":               "test-secret",
-		"secret_name":      "test-secret",
-		"visibility":       "private",
-		"destroy_on_drift": "false",
-	}
-	if !reflect.DeepEqual(newState2.Attributes, expectedAttributesWithDrift) {
-		t.Fatalf("Expected attributes:\n%#v\n\nGiven:\n%#v\n",
-			expectedAttributesWithDrift, newState2.Attributes)
-	}
+	t.Run("with destroy_on_drift", func(t *testing.T) {
+		expected := testResourceGithubActionsOrganizationSecretInstanceStateDataV0_WithDrift()
+		actual, err := resourceGithubActionsOrganizationSecretInstanceStateUpgradeV0(t.Context(), testResourceGithubActionsOrganizationSecretInstanceStateDataV0_WithDrift(), nil)
+		if err != nil {
+			t.Fatalf("error migrating state: %s", err)
+		}
+
+		if !reflect.DeepEqual(expected, actual) {
+			t.Fatalf("\n\nexpected:\n\n%#v\n\ngot:\n\n%#v\n\n", expected, actual)
+		}
+	})
 }

github/resource_github_actions_organization_secret.go

@@ -33,7 +33,13 @@ func resourceGithubActionsOrganizationSecret() *schema.Resource {
 		// Schema migration added in v6.7.1 to handle the addition of destroy_on_drift field
 		// Resources created before v6.7.0 need the field populated with default value
 		SchemaVersion: 1,
-		MigrateState:  resourceGithubActionsOrganizationSecretMigrateState,
+		StateUpgraders: []schema.StateUpgrader{
+			{
+				Type:    resourceGithubActionsOrganizationSecretResourceV0().CoreConfigSchema().ImpliedType(),
+				Upgrade: resourceGithubActionsOrganizationSecretInstanceStateUpgradeV0,
+				Version: 0,
+			},
+		},
 
 		Schema: map[string]*schema.Schema{
 			"secret_name": {