Merge pull request #895 from timofurrer/feature/validate-group-variable-mask-371

resource/gitlab_group_variable: better error message for invalid masked variable values. Closes #371

Author: timofurrer

internal/provider/resource_gitlab_group_variable.go

@@ -98,7 +98,7 @@ func resourceGitlabGroupVariableCreate(ctx context.Context, d *schema.ResourceDa
 
 	_, _, err := client.GroupVariables.CreateVariable(group, &options, gitlab.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 
 	keyScope := fmt.Sprintf("%s:%s", key, environmentScope)
@@ -137,7 +137,7 @@ func resourceGitlabGroupVariableRead(ctx context.Context, d *schema.ResourceData
 			d.SetId("")
 			return nil
 		}
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 
 	d.Set("key", v.Key)
@@ -178,7 +178,7 @@ func resourceGitlabGroupVariableUpdate(ctx context.Context, d *schema.ResourceDa
 		withEnvironmentScopeFilter(ctx, environmentScope),
 	)
 	if err != nil {
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 	return resourceGitlabGroupVariableRead(ctx, d, meta)
 }
@@ -197,7 +197,7 @@ func resourceGitlabGroupVariableDelete(ctx context.Context, d *schema.ResourceDa
 		withEnvironmentScopeFilter(ctx, environmentScope),
 	)
 	if err != nil {
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 
 	return nil

internal/provider/resource_gitlab_group_variable_test.go

@@ -3,6 +3,7 @@ package provider
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -58,6 +59,49 @@ func TestAccGitlabGroupVariable_basic(t *testing.T) {
 					}),
 				),
 			},
+			// Update the group variable to enable "masked" for a value that does not meet masking requirements, and expect an error with no state change.
+			// ref: https://docs.gitlab.com/ce/ci/variables/README.html#masked-variable-requirements
+			{
+				Config: testAccGitlabGroupVariableUpdateConfigMaskedBad(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.foo", &groupVariable),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariable, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s", rString),
+						EnvironmentScope: "*",
+					}),
+				),
+				ExpectError: regexp.MustCompile(regexp.QuoteMeta(
+					"Invalid value for a masked variable. Check the masked variable requirements: https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements",
+				)),
+			},
+			// Update the group variable to to enable "masked" and meet masking requirements
+			// ref: https://docs.gitlab.com/ce/ci/variables/README.html#masked-variable-requirements
+			{
+				Config: testAccGitlabGroupVariableUpdateConfigMaskedGood(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.foo", &groupVariable),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariable, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s", rString),
+						EnvironmentScope: "*",
+						Masked:           true,
+					}),
+				),
+			},
+			// Update the group variable to toggle the options back
+			{
+				Config: testAccGitlabGroupVariableConfig(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.foo", &groupVariable),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariable, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s", rString),
+						EnvironmentScope: "*",
+						Protected:        false,
+					}),
+				),
+			},
 		},
 	})
 }
@@ -291,3 +335,40 @@ resource "gitlab_group_variable" "b" {
 }
 	`, rString, rString, rString, valueA, scopeA, rString, valueB, scopeB)
 }
+
+func testAccGitlabGroupVariableUpdateConfigMaskedBad(rString string) string {
+	return fmt.Sprintf(`
+resource "gitlab_group" "foo" {
+  name = "foo%v"
+  path = "foo%v"
+}
+
+resource "gitlab_group_variable" "foo" {
+  group = "${gitlab_group.foo.id}"
+  key = "key_%s"
+  value = <<EOF
+value-%s"
+i am multiline
+EOF
+  variable_type = "env_var"
+  masked = true
+}
+	`, rString, rString, rString, rString)
+}
+
+func testAccGitlabGroupVariableUpdateConfigMaskedGood(rString string) string {
+	return fmt.Sprintf(`
+resource "gitlab_group" "foo" {
+  name = "foo%v"
+  path = "foo%v"
+}
+
+resource "gitlab_group_variable" "foo" {
+  group = "${gitlab_group.foo.id}"
+  key = "key_%s"
+  value = "value-%s"
+  variable_type = "env_var"
+  masked = true
+}
+	`, rString, rString, rString, rString)
+}

internal/provider/resource_gitlab_instance_variable.go

@@ -81,7 +81,7 @@ func resourceGitlabInstanceVariableCreate(ctx context.Context, d *schema.Resourc
 
 	_, _, err := client.InstanceVariables.CreateVariable(&options, gitlab.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 
 	d.SetId(key)
@@ -103,7 +103,7 @@ func resourceGitlabInstanceVariableRead(ctx context.Context, d *schema.ResourceD
 			d.SetId("")
 			return nil
 		}
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 
 	d.Set("key", v.Key)
@@ -133,7 +133,7 @@ func resourceGitlabInstanceVariableUpdate(ctx context.Context, d *schema.Resourc
 
 	_, _, err := client.InstanceVariables.UpdateVariable(key, options, gitlab.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 	return resourceGitlabInstanceVariableRead(ctx, d, meta)
 }
@@ -145,7 +145,7 @@ func resourceGitlabInstanceVariableDelete(ctx context.Context, d *schema.Resourc
 
 	_, err := client.InstanceVariables.RemoveVariable(key, gitlab.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		return augmentVariableClientError(d, err)
 	}
 
 	return nil

internal/provider/resource_gitlab_instance_variable_test.go

@@ -2,6 +2,7 @@ package provider
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -54,6 +55,46 @@ func TestAccGitlabInstanceVariable_basic(t *testing.T) {
 					}),
 				),
 			},
+			// Update the instance variable to enable "masked" for a value that does not meet masking requirements, and expect an error with no state change.
+			// ref: https://docs.gitlab.com/ce/ci/variables/README.html#masked-variable-requirements
+			{
+				Config: testAccGitlabInstanceVariableUpdateConfigMaskedBad(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabInstanceVariableExists("gitlab_instance_variable.foo", &instanceVariable),
+					testAccCheckGitlabInstanceVariableAttributes(&instanceVariable, &testAccGitlabInstanceVariableExpectedAttributes{
+						Key:   fmt.Sprintf("key_%s", rString),
+						Value: fmt.Sprintf("value-%s", rString),
+					}),
+				),
+				ExpectError: regexp.MustCompile(regexp.QuoteMeta(
+					"Invalid value for a masked variable. Check the masked variable requirements: https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements",
+				)),
+			},
+			// Update the instance variable to to enable "masked" and meet masking requirements
+			// ref: https://docs.gitlab.com/ce/ci/variables/README.html#masked-variable-requirements
+			{
+				Config: testAccGitlabInstanceVariableUpdateConfigMaskedGood(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabInstanceVariableExists("gitlab_instance_variable.foo", &instanceVariable),
+					testAccCheckGitlabInstanceVariableAttributes(&instanceVariable, &testAccGitlabInstanceVariableExpectedAttributes{
+						Key:    fmt.Sprintf("key_%s", rString),
+						Value:  fmt.Sprintf("value-%s", rString),
+						Masked: true,
+					}),
+				),
+			},
+			// Update the instance variable to toggle the options back
+			{
+				Config: testAccGitlabInstanceVariableConfig(rString),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabInstanceVariableExists("gitlab_instance_variable.foo", &instanceVariable),
+					testAccCheckGitlabInstanceVariableAttributes(&instanceVariable, &testAccGitlabInstanceVariableExpectedAttributes{
+						Key:       fmt.Sprintf("key_%s", rString),
+						Value:     fmt.Sprintf("value-%s", rString),
+						Protected: false,
+					}),
+				),
+			},
 		},
 	})
 }
@@ -129,3 +170,26 @@ resource "gitlab_instance_variable" "foo" {
 }
 	`, rString, rString)
 }
+
+func testAccGitlabInstanceVariableUpdateConfigMaskedBad(rString string) string {
+	return fmt.Sprintf(`
+resource "gitlab_instance_variable" "foo" {
+  key = "key_%s"
+  value = <<EOF
+value-%s"
+i am multiline
+EOF
+  masked = true
+}
+	`, rString, rString)
+}
+
+func testAccGitlabInstanceVariableUpdateConfigMaskedGood(rString string) string {
+	return fmt.Sprintf(`
+resource "gitlab_instance_variable" "foo" {
+  key = "key_%s"
+  value = "value-%s"
+  masked = true
+}
+	`, rString, rString)
+}

internal/provider/resource_gitlab_project_variable.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"log"
-	"net/http"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -107,7 +106,7 @@ func resourceGitlabProjectVariableCreate(ctx context.Context, d *schema.Resource
 
 	_, _, err := client.ProjectVariables.CreateVariable(project, &options, gitlab.WithContext(ctx))
 	if err != nil {
-		return augmentProjectVariableClientError(d, err)
+		return augmentVariableClientError(d, err)
 	}
 
 	d.SetId(id)
@@ -149,7 +148,7 @@ func resourceGitlabProjectVariableRead(ctx context.Context, d *schema.ResourceDa
 			d.SetId("")
 			return nil
 		}
-		return augmentProjectVariableClientError(d, err)
+		return augmentVariableClientError(d, err)
 	}
 
 	d.Set("key", v.Key)
@@ -184,7 +183,7 @@ func resourceGitlabProjectVariableUpdate(ctx context.Context, d *schema.Resource
 
 	_, _, err := client.ProjectVariables.UpdateVariable(project, key, options, withEnvironmentScopeFilter(ctx, environmentScope))
 	if err != nil {
-		return augmentProjectVariableClientError(d, err)
+		return augmentVariableClientError(d, err)
 	}
 
 	return resourceGitlabProjectVariableRead(ctx, d, meta)
@@ -202,30 +201,7 @@ func resourceGitlabProjectVariableDelete(ctx context.Context, d *schema.Resource
 	// destroying or updating scoped variables.
 	// ref: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/39209
 	_, err := client.ProjectVariables.RemoveVariable(project, key, nil, withEnvironmentScopeFilter(ctx, environmentScope))
-	return augmentProjectVariableClientError(d, err)
-}
-
-func augmentProjectVariableClientError(d *schema.ResourceData, err error) diag.Diagnostics {
-	// Masked values will commonly error due to their strict requirements, and the error message from the GitLab API is not very informative,
-	// so we return a custom error message in this case.
-	if d.Get("masked").(bool) && isInvalidValueError(err) {
-		log.Printf("[ERROR] %v", err)
-		return diag.Errorf("Invalid value for a masked variable. Check the masked variable requirements: https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements")
-	}
-
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	return nil
-}
-
-func isInvalidValueError(err error) bool {
-	var httpErr *gitlab.ErrorResponse
-	return errors.As(err, &httpErr) &&
-		httpErr.Response.StatusCode == http.StatusBadRequest &&
-		strings.Contains(httpErr.Message, "value") &&
-		strings.Contains(httpErr.Message, "invalid")
+	return augmentVariableClientError(d, err)
 }
 
 var errProjectVariableNotExist = errors.New("project variable does not exist")

internal/provider/variable_helpers.go

@@ -0,0 +1,35 @@
+package provider
+
+import (
+	"errors"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/xanzy/go-gitlab"
+)
+
+func augmentVariableClientError(d *schema.ResourceData, err error) diag.Diagnostics {
+	// Masked values will commonly error due to their strict requirements, and the error message from the GitLab API is not very informative,
+	// so we return a custom error message in this case.
+	if d.Get("masked").(bool) && isInvalidValueError(err) {
+		log.Printf("[ERROR] %v", err)
+		return diag.Errorf("Invalid value for a masked variable. Check the masked variable requirements: https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements")
+	}
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func isInvalidValueError(err error) bool {
+	var httpErr *gitlab.ErrorResponse
+	return errors.As(err, &httpErr) &&
+		httpErr.Response.StatusCode == http.StatusBadRequest &&
+		strings.Contains(httpErr.Message, "value") &&
+		strings.Contains(httpErr.Message, "invalid")
+}