Cloudflare worker secret resource

.changelog/2628.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+cloudflare_worker_secret
+```

examples/resources/cloudflare_worker_secret/import.sh

@@ -0,0 +1 @@
+$ terraform import cloudflare_worker_secret.example <account_id>/<script_name>/<secret_name>

examples/resources/cloudflare_worker_secret/resource.tf

@@ -0,0 +1,6 @@
+resource "cloudflare_worker_secret" "my_secret" {
+  account_id  = "f037e56e89293a057740de681ac9abbe"
+  name        = "MY_EXAMPLE_SECRET_TEXT"
+  script_name = "script_1"
+  secret_text = "my_secret_value"
+}

internal/sdkv2provider/import_cloudflare_worker_secret_test.go

@@ -0,0 +1,44 @@
+package sdkv2provider
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccCloudflareWorkerSecret_Import(t *testing.T) {
+	secretName := generateRandomResourceName()
+	resourceName := "cloudflare_worker_secret." + secretName
+	secretText := generateRandomResourceName()
+	workerSecretTestScriptName = generateRandomResourceName()
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckAccount(t)
+		},
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckCloudflareWorkerSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCloudflareWorkerSecretWithWorkerScript(workerSecretTestScriptName, secretName, secretText, accountID),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudflareWorkerSecretExists(workerSecretTestScriptName, secretName, accountID),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportStateId:           fmt.Sprintf("%s/%s/%s", accountID, workerSecretTestScriptName, secretName),
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"secret_text"},
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudflareWorkerSecretExists(workerSecretTestScriptName, secretName, accountID),
+				),
+			},
+		},
+	})
+}

internal/sdkv2provider/provider.go

@@ -289,6 +289,7 @@ func New(version string) func() *schema.Provider {
 				"cloudflare_worker_domain":                                   resourceCloudflareWorkerDomain(),
 				"cloudflare_worker_route":                                    resourceCloudflareWorkerRoute(),
 				"cloudflare_worker_script":                                   resourceCloudflareWorkerScript(),
+				"cloudflare_worker_secret":                                   resourceCloudflareWorkerSecret(),
 				"cloudflare_workers_kv_namespace":                            resourceCloudflareWorkersKVNamespace(),
 				"cloudflare_workers_kv":                                      resourceCloudflareWorkerKV(),
 				"cloudflare_zone_cache_reserve":                              resourceCloudflareZoneCacheReserve(),

internal/sdkv2provider/resource_cloudflare_workers_script.go

@@ -307,8 +307,10 @@ func resourceCloudflareWorkerScriptRead(ctx context.Context, d *schema.ResourceD
 		return diag.FromErr(fmt.Errorf("cannot set plain text bindings (%s): %w", d.Id(), err))
 	}
 
-	if err := d.Set("secret_text_binding", secretTextBindings); err != nil {
-		return diag.FromErr(fmt.Errorf("cannot set secret text bindings (%s): %w", d.Id(), err))
+	if d.HasChange("secret_text_binding") || len(d.Get("secret_text_binding").(*schema.Set).List()) > 0 {
+		if err := d.Set("secret_text_binding", secretTextBindings); err != nil {
+			return diag.FromErr(fmt.Errorf("cannot set secret text bindings (%s): %w", d.Id(), err))
+		}
 	}
 
 	if err := d.Set("webassembly_binding", webAssemblyBindings); err != nil {

internal/sdkv2provider/resource_cloudflare_workers_secret.go

@@ -0,0 +1,116 @@
+package sdkv2provider
+
+import (
+	"context"
+	"fmt"
+	"github.com/MakeNowJust/heredoc/v2"
+	cloudflare "github.com/cloudflare/cloudflare-go"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/pkg/errors"
+	"strings"
+)
+
+func resourceCloudflareWorkerSecret() *schema.Resource {
+	return &schema.Resource{
+		Schema:        resourceCloudflareWorkerSecretSchema(),
+		CreateContext: resourceCloudflareWorkerSecretCreate,
+		ReadContext:   resourceCloudflareWorkerSecretRead,
+		UpdateContext: resourceCloudflareWorkerSecretCreate,
+		DeleteContext: resourceCloudflareWorkerSecretDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceCloudflareWorkerSecretImport,
+		},
+		Description: heredoc.Doc("Provides a Cloudflare Worker secret resource."),
+	}
+}
+
+func resourceCloudflareWorkerSecretRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*cloudflare.API)
+	accountID := d.Get(consts.AccountIDSchemaKey).(string)
+	secrets, err := client.ListWorkersSecrets(ctx, cloudflare.AccountIdentifier(accountID), cloudflare.ListWorkersSecretsParams{
+		ScriptName: d.Get("script_name").(string),
+	})
+	if err != nil {
+		return diag.FromErr(errors.Wrap(err, fmt.Sprintf("Error listing worker secrets")))
+	}
+
+	for _, secret := range secrets.Result {
+		tflog.Info(ctx, fmt.Sprintf("Found secret %s", secret.Name))
+		if secret.Name == d.Get("name") {
+			return nil
+		}
+	}
+
+	return diag.Errorf(fmt.Sprintf("worker secret %s not found for script %s", d.Get("name"), d.Get("script_name")))
+}
+
+func resourceCloudflareWorkerSecretCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*cloudflare.API)
+	accountID := d.Get(consts.AccountIDSchemaKey).(string)
+	scriptName := d.Get("script_name").(string)
+	name := d.Get("name").(string)
+	secretText := d.Get("secret_text").(string)
+
+	params := cloudflare.SetWorkersSecretParams{
+		Secret: &cloudflare.WorkersPutSecretRequest{
+			Name: name,
+			Text: secretText,
+			Type: cloudflare.WorkerSecretTextBindingType,
+		},
+		ScriptName: scriptName,
+	}
+
+	_, err := client.SetWorkersSecret(ctx, cloudflare.AccountIdentifier(accountID), params)
+	if err != nil {
+		return diag.FromErr(errors.Wrap(err, "error creating worker secret"))
+	}
+
+	d.SetId(stringChecksum(fmt.Sprintf("%s/%s/%s", accountID, scriptName, name)))
+
+	tflog.Info(ctx, fmt.Sprintf("Created Cloudflare Workers secret with ID: %s", d.Id()))
+
+	return resourceCloudflareWorkerSecretRead(ctx, d, meta)
+}
+
+func resourceCloudflareWorkerSecretDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*cloudflare.API)
+	accountID := d.Get(consts.AccountIDSchemaKey).(string)
+	scriptName := d.Get("script_name").(string)
+	name := d.Get("name").(string)
+
+	params := cloudflare.DeleteWorkersSecretParams{
+		SecretName: name,
+		ScriptName: scriptName,
+	}
+
+	tflog.Info(ctx, fmt.Sprintf("Deleting Cloudflare Workers secret with id: %s", d.Id()))
+
+	_, err := client.DeleteWorkersSecret(ctx, cloudflare.AccountIdentifier(accountID), params)
+	if err != nil {
+		return diag.FromErr(errors.Wrap(err, "error deleting worker secret"))
+	}
+
+	return nil
+}
+
+func resourceCloudflareWorkerSecretImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	attributes := strings.SplitN(d.Id(), "/", 3)
+
+	if len(attributes) != 3 {
+		return []*schema.ResourceData{nil}, fmt.Errorf(`invalid id (%q) specified, should be in format "accountID/scriptName/secretName"`, d.Id())
+	}
+
+	accountID, scriptName, secretName := attributes[0], attributes[1], attributes[2]
+
+	d.SetId(stringChecksum(fmt.Sprintf("%s/%s/%s", accountID, scriptName, secretName)))
+	d.Set("name", secretName)
+	d.Set(consts.AccountIDSchemaKey, accountID)
+	d.Set("script_name", scriptName)
+
+	resourceCloudflareWorkerSecretRead(ctx, d, meta)
+
+	return []*schema.ResourceData{d}, nil
+}

internal/sdkv2provider/resource_cloudflare_workers_secret_test.go

@@ -0,0 +1,104 @@
+package sdkv2provider
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/cloudflare/cloudflare-go"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+)
+
+const scriptContentForSecret = `addEventListener('fetch', event => {event.respondWith(new Response('test 1'))});`
+
+var workerSecretTestScriptName string
+
+func TestAccCloudflareWorkerSecret_Basic(t *testing.T) {
+	t.Parallel()
+
+	name := generateRandomResourceName()
+	secretText := generateRandomResourceName()
+	workerSecretTestScriptName = generateRandomResourceName()
+	accountId := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckAccount(t)
+		},
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckCloudflareWorkerSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCloudflareWorkerSecretWithWorkerScript(workerSecretTestScriptName, name, secretText, accountId),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudflareWorkerSecretExists(workerSecretTestScriptName, name, accountId),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckCloudflareWorkerSecretDestroy(s *terraform.State) error {
+	accountId := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "cloudflare_worker_secret" {
+			continue
+		}
+
+		client := testAccProvider.Meta().(*cloudflare.API)
+		params := cloudflare.ListWorkersSecretsParams{
+			ScriptName: rs.Primary.Attributes["script_name"],
+		}
+
+		secretResponse, err := client.ListWorkersSecrets(context.Background(), cloudflare.AccountIdentifier(accountId), params)
+
+		if err == nil {
+			return fmt.Errorf("worker secret with name %s still exists against Worker Script %s", secretResponse.Result[0].Name, params.ScriptName)
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckCloudflareWorkerSecretWithWorkerScript(scriptName string, name string, secretText string, accountId string) string {
+	return fmt.Sprintf(`
+	resource "cloudflare_worker_script" "%[2]s" {
+		account_id = "%[4]s"
+		name       = "%[1]s"
+		content    = "%[5]s"
+	}
+
+	resource "cloudflare_worker_secret" "%[2]s" {
+		account_id  = "%[4]s"
+		script_name = cloudflare_worker_script.%[2]s.name
+		name 		= "%[2]s"
+		secret_text	= "%[3]s"
+	}`, scriptName, name, secretText, accountId, scriptContentForSecret)
+}
+
+func testAccCheckCloudflareWorkerSecretExists(scriptName string, name string, accountId string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client := testAccProvider.Meta().(*cloudflare.API)
+		params := cloudflare.ListWorkersSecretsParams{
+			ScriptName: scriptName,
+		}
+
+		secretResponse, err := client.ListWorkersSecrets(context.Background(), cloudflare.AccountIdentifier(accountId), params)
+
+		if err != nil {
+			return err
+		}
+
+		for _, secret := range secretResponse.Result {
+			if secret.Name == name {
+				return nil
+			}
+		}
+
+		return fmt.Errorf("worker secret with name %s not found against Worker Script %s", name, scriptName)
+	}
+}

internal/sdkv2provider/schema_cloudflare_workers_secret.go

@@ -0,0 +1,34 @@
+package sdkv2provider
+
+import (
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceCloudflareWorkerSecretSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		consts.AccountIDSchemaKey: {
+			Description: consts.AccountIDSchemaDescription,
+			Type:        schema.TypeString,
+			Required:    true,
+		},
+		"script_name": {
+			Type:        schema.TypeString,
+			ForceNew:    true,
+			Required:    true,
+			Description: "The name of the Worker script to associate the secret with.",
+		},
+		"name": {
+			Type:        schema.TypeString,
+			ForceNew:    true,
+			Required:    true,
+			Description: "The name of the Worker secret.",
+		},
+		"secret_text": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Sensitive:   true,
+			Description: "The text of the Worker secret, this cannot be read back after creation and is stored encrypted .",
+		},
+	}
+}