Convert resourceGithubActionsSecret to use StateUpgraders for schema migrations

deiga · deiga · commit cfa6d0eba1d7 · 2026-01-08T22:18:48.000+02:00
Signed-off-by: Timo Sand &lt;timo.sand@f-secure.com&gt;
diff --git a/github/migrate_github_actions_secret.go b/github/migrate_github_actions_secret.go
@@ -1,36 +1,66 @@
 package github
 
 import (
-	"fmt"
+	"context"
 	"log"
 
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-func resourceGithubActionsSecretMigrateState(v int, is *terraform.InstanceState, meta any) (*terraform.InstanceState, error) {
-	switch v {
-	case 0:
-		log.Printf("[INFO] Found GitHub Actions Secret State v0; migrating to v1")
-		return migrateGithubActionsSecretStateV0toV1(is)
-	default:
-		return is, fmt.Errorf("unexpected schema version: %d", v)
+func resourceGithubActionsSecretResourceV0() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"repository": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Name of the repository.",
+			},
+			"secret_name": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				Description:      "Name of the secret.",
+				ValidateDiagFunc: validateSecretNameFunc,
+			},
+			"encrypted_value": {
+				Type:          schema.TypeString,
+				ForceNew:      true,
+				Optional:      true,
+				Sensitive:     true,
+				ConflictsWith: []string{"plaintext_value"},
+				Description:   "Encrypted value of the secret using the GitHub public key in Base64 format.",
+			},
+			"plaintext_value": {
+				Type:          schema.TypeString,
+				ForceNew:      true,
+				Optional:      true,
+				Sensitive:     true,
+				ConflictsWith: []string{"encrypted_value"},
+				Description:   "Plaintext value of the secret to be encrypted.",
+			},
+			"created_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date of 'actions_secret' creation.",
+			},
+			"updated_at": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Date of 'actions_secret' update.",
+			},
+		},
 	}
 }
 
-func migrateGithubActionsSecretStateV0toV1(is *terraform.InstanceState) (*terraform.InstanceState, error) {
-	if is.Empty() {
-		log.Printf("[DEBUG] Empty InstanceState; nothing to migrate.")
-		return is, nil
-	}
-
-	log.Printf("[DEBUG] GitHub Actions Secret Attributes before migration: %#v", is.Attributes)
-
+func resourceGithubActionsSecretInstanceStateUpgradeV0(ctx context.Context, rawState map[string]any, meta any) (map[string]any, error) {
+	log.Printf("[DEBUG] GitHub Actions Secret State before migration: %#v", rawState)
 	// Add the destroy_on_drift field with default value true if it doesn't exist
-	if _, ok := is.Attributes["destroy_on_drift"]; !ok {
-		is.Attributes["destroy_on_drift"] = "true"
+	if _, ok := rawState["destroy_on_drift"]; !ok {
+		rawState["destroy_on_drift"] = true
 	}
 
-	log.Printf("[DEBUG] GitHub Actions Secret Attributes after State Migration: %#v", is.Attributes)
+	log.Printf("[DEBUG] GitHub Actions Secret State after migration: %#v", rawState)
 
-	return is, nil
+	return rawState, nil
 }
diff --git a/github/migrate_github_actions_secret_test.go b/github/migrate_github_actions_secret_test.go
@@ -3,67 +3,53 @@ package github
 import (
 	"reflect"
 	"testing"
-
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
-func TestMigrateGithubActionsSecretStateV0toV1(t *testing.T) {
-	// Secret without destroy_on_drift should get default value
-	oldAttributes := map[string]string{
+func testResourceGithubActionsSecretInstanceStateDataV0() map[string]any {
+	return map[string]any{
 		"id":              "test-secret",
 		"repository":      "test-repo",
 		"secret_name":     "test-secret",
 		"created_at":      "2023-01-01T00:00:00Z",
 		"updated_at":      "2023-01-01T00:00:00Z",
 		"plaintext_value": "secret-value",
 	}
+}
 
-	newState, err := migrateGithubActionsSecretStateV0toV1(&terraform.InstanceState{
-		ID:         "test-secret",
-		Attributes: oldAttributes,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expectedAttributes := map[string]string{
-		"id":               "test-secret",
-		"repository":       "test-repo",
-		"secret_name":      "test-secret",
-		"created_at":       "2023-01-01T00:00:00Z",
-		"updated_at":       "2023-01-01T00:00:00Z",
-		"plaintext_value":  "secret-value",
-		"destroy_on_drift": "true",
-	}
-	if !reflect.DeepEqual(newState.Attributes, expectedAttributes) {
-		t.Fatalf("Expected attributes:\n%#v\n\nGiven:\n%#v\n",
-			expectedAttributes, newState.Attributes)
-	}
+func testResourceGithubActionsSecretInstanceStateDataV0_WithDrift() map[string]any {
+	v0 := testResourceGithubActionsSecretInstanceStateDataV0()
+	v0["destroy_on_drift"] = false
+	return v0
+}
 
-	// Secret with existing destroy_on_drift should be preserved
-	oldAttributesWithDrift := map[string]string{
-		"id":               "test-secret",
-		"repository":       "test-repo",
-		"secret_name":      "test-secret",
-		"destroy_on_drift": "false",
-	}
+func testResourceGithubActionsSecretInstanceStateDataV1() map[string]any {
+	v0 := testResourceGithubActionsSecretInstanceStateDataV0()
+	v0["destroy_on_drift"] = true
+	return v0
+}
 
-	newState2, err := migrateGithubActionsSecretStateV0toV1(&terraform.InstanceState{
-		ID:         "test-secret",
-		Attributes: oldAttributesWithDrift,
+func TestGithub_MigrateActionsSecretStateV0toV1(t *testing.T) {
+	t.Run("without destroy_on_drift", func(t *testing.T) {
+		expected := testResourceGithubActionsSecretInstanceStateDataV1()
+		actual, err := resourceGithubActionsSecretInstanceStateUpgradeV0(t.Context(), testResourceGithubActionsSecretInstanceStateDataV0(), nil)
+		if err != nil {
+			t.Fatalf("error migrating state: %s", err)
+		}
+
+		if !reflect.DeepEqual(expected, actual) {
+			t.Fatalf("\n\nexpected:\n\n%#v\n\ngot:\n\n%#v\n\n", expected, actual)
+		}
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
 
-	expectedAttributesWithDrift := map[string]string{
-		"id":               "test-secret",
-		"repository":       "test-repo",
-		"secret_name":      "test-secret",
-		"destroy_on_drift": "false",
-	}
-	if !reflect.DeepEqual(newState2.Attributes, expectedAttributesWithDrift) {
-		t.Fatalf("Expected attributes:\n%#v\n\nGiven:\n%#v\n",
-			expectedAttributesWithDrift, newState2.Attributes)
-	}
+	t.Run("with destroy_on_drift", func(t *testing.T) {
+		expected := testResourceGithubActionsSecretInstanceStateDataV0_WithDrift()
+		actual, err := resourceGithubActionsSecretInstanceStateUpgradeV0(t.Context(), testResourceGithubActionsSecretInstanceStateDataV0_WithDrift(), nil)
+		if err != nil {
+			t.Fatalf("error migrating state: %s", err)
+		}
+
+		if !reflect.DeepEqual(expected, actual) {
+			t.Fatalf("\n\nexpected:\n\n%#v\n\ngot:\n\n%#v\n\n", expected, actual)
+		}
+	})
 }
diff --git a/github/resource_github_actions_secret.go b/github/resource_github_actions_secret.go
@@ -26,7 +26,13 @@ func resourceGithubActionsSecret() *schema.Resource {
 		// Schema migration added to handle the addition of destroy_on_drift field
 		// Resources created before this field was added need it populated with default value
 		SchemaVersion: 1,
-		MigrateState:  resourceGithubActionsSecretMigrateState,
+		StateUpgraders: []schema.StateUpgrader{
+			{
+				Type:    resourceGithubActionsSecretResourceV0().CoreConfigSchema().ImpliedType(),
+				Upgrade: resourceGithubActionsSecretInstanceStateUpgradeV0,
+				Version: 0,
+			},
+		},
 
 		Schema: map[string]*schema.Schema{
 			"repository": {
