Add path to invoke update without determining changed CRN data, add validator for name of secrets

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.mod|go.sum|.*.map|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-10-17T18:07:42Z",
+  "generated_at": "2023-10-18T18:46:12Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -792,23 +792,23 @@
         "hashed_secret": "1f614c2eb6b3da22d89bd1b9fd47d7cb7c8fc670",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3248,
+        "line_number": 3250,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7abfce65b8504403afc25c9790f358d513dfbcc6",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3261,
+        "line_number": 3263,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0c2d85bf9a9b1579b16f220a4ea8c3d62b2e24b1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3302,
+        "line_number": 3304,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -2772,7 +2772,17 @@
         "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 373,
+        "line_number": 403,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "ibm/service/kubernetes/resource_ibm_container_ingress_secret_opaque_test.go": [
+      {
+        "hashed_secret": "5df29b80b97dab81130058ac9af4a9b9d1c091b4",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 247,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -2782,7 +2792,17 @@
         "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 267,
+        "line_number": 292,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "ibm/service/kubernetes/resource_ibm_container_ingress_secret_tls_test.go": [
+      {
+        "hashed_secret": "5df29b80b97dab81130058ac9af4a9b9d1c091b4",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 216,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -2920,7 +2940,7 @@
         "hashed_secret": "83747cea2b26d7652ed39218ddcdb1461c570535",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 95,
+        "line_number": 94,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -3088,15 +3108,15 @@
         "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 231,
+        "line_number": 235,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 410,
+        "line_number": 414,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -3244,7 +3264,7 @@
         "hashed_secret": "347cd9c53ff77d41a7b22aa56c7b4efaf54658e3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 46,
+        "line_number": 48,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -3616,7 +3636,7 @@
         "hashed_secret": "4d55af37dbbb6a42088d917caa1ca25428ec42c9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 788,
+        "line_number": 849,
         "type": "Secret Keyword",
         "verified_result": null
       }

ibm/service/kubernetes/resource_ibm_container_ingress_secret_opaque.go

@@ -45,6 +45,9 @@ func ResourceIBMContainerIngressSecretOpaque() *schema.Resource {
 				Required:    true,
 				Description: "Secret name",
 				ForceNew:    true,
+				ValidateFunc: validate.InvokeValidator(
+					"ibm_container_ingress_secret_opaque",
+					"secret_name"),
 			},
 			"secret_namespace": {
 				Type:        schema.TypeString,
@@ -73,6 +76,16 @@ func ResourceIBMContainerIngressSecretOpaque() *schema.Resource {
 				Computed:    true,
 				Description: "Status of the secret",
 			},
+			"update_secret": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Description: "Updates secret from secrets manager if value is changed (increment each usage)",
+			},
+			"last_updated_timestamp": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Timestamp secret was last updated",
+			},
 			"fields": {
 				Type:        schema.TypeSet,
 				Required:    true,
@@ -122,6 +135,16 @@ func ResourceIBMContainerIngressSecretOpaqueValidator() *validate.ResourceValida
 			CloudDataType:              "cluster",
 			CloudDataRange:             []string{"resolved_to:id"}})
 
+	validateSchema = append(validateSchema, validate.ValidateSchema{
+		Identifier:                 "secret_name",
+		ValidateFunctionIdentifier: validate.ValidateRegexpLen,
+		Type:                       validate.TypeString,
+		Required:                   true,
+		Regexp:                     `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$`,
+		MinValueLength:             1,
+		MaxValueLength:             63,
+	})
+
 	iBMContainerIngressInstanceValidator := validate.ResourceValidator{ResourceName: "ibm_container_ingress_secret_opaque", Schema: validateSchema}
 	return &iBMContainerIngressInstanceValidator
 }
@@ -205,6 +228,7 @@ func resourceIBMContainerIngressSecretOpaqueRead(d *schema.ResourceData, meta in
 	d.Set("persistence", ingressSecretConfig.Persistence)
 	d.Set("user_managed", ingressSecretConfig.UserManaged)
 	d.Set("status", ingressSecretConfig.Status)
+	d.Set("last_updated_timestamp", ingressSecretConfig.LastUpdatedTimestamp)
 
 	if len(ingressSecretConfig.Fields) > 0 {
 		d.Set("fields", flex.FlattenOpaqueSecret(ingressSecretConfig.Fields))
@@ -261,6 +285,7 @@ func resourceIBMContainerIngressSecretOpaqueUpdate(d *schema.ResourceData, meta
 		Namespace: secretNamespace,
 	}
 
+	ingressAPI := ingressClient.Ingresses()
 	if d.HasChange("fields") {
 		oldList, newList := d.GetChange("fields")
 
@@ -276,7 +301,6 @@ func resourceIBMContainerIngressSecretOpaqueUpdate(d *schema.ResourceData, meta
 		remove := os.Difference(ns).List()
 		add := ns.Difference(os).List()
 
-		ingressAPI := ingressClient.Ingresses()
 		if len(remove) > 0 {
 			actualSecret, err := ingressAPI.GetIngressSecret(cluster, secretName, secretNamespace)
 			if err != nil {
@@ -342,8 +366,13 @@ func resourceIBMContainerIngressSecretOpaqueUpdate(d *schema.ResourceData, meta
 				return err
 			}
 		}
+	} else if d.HasChange("update_secret") {
+		// user wants to force an upstream secret update from secrets manager onto kube cluster w/out changing crn
+		_, err = ingressAPI.UpdateIngressSecret(params)
+		if err != nil {
+			return err
+		}
 	}
-
 	return resourceIBMContainerIngressSecretOpaqueRead(d, meta)
 }
 

ibm/service/kubernetes/resource_ibm_container_ingress_secret_opaque_test.go

@@ -5,6 +5,7 @@ package kubernetes_test
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -70,7 +71,124 @@ func TestAccIBMContainerIngressSecretOpaque_Basic(t *testing.T) {
 				ResourceName:            "ibm_container_ingress_secret_opaque.secret",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"region", "issuer_name"},
+				ImportStateVerifyIgnore: []string{"region", "issuer_name", "update_secret"},
+			},
+		},
+	})
+}
+
+func TestAccIBMContainerIngressSecretOpaque_InvalidName(t *testing.T) {
+	secretName := fmt.Sprintf(")-tf-container-ingress-secret-name-opaque-%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMContainerIngressSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCheckIBMContainerIngressSecretOpaqueBasic(secretName),
+				ExpectError: regexp.MustCompile(".*should match regexp"),
+			},
+		},
+	})
+}
+
+func TestAccIBMContainerIngressSecretOpaque_ForceUpdate(t *testing.T) {
+	secretName := fmt.Sprintf("tf-container-ingress-secret-name-opaque-update-%d", acctest.RandIntRange(10, 100))
+
+	var originalTS string
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMContainerIngressSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMContainerIngressSecretOpaqueForceUpdateCreate(secretName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "cluster", acc.ClusterName),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "secret_name", secretName),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "secret_namespace", "ibm-cert-store"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "persistence", "true"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "type", "Opaque"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "fields.#", "1"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "user_managed", "true"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "status", "created"),
+					resource.TestCheckResourceAttrWith("ibm_container_ingress_secret_opaque.secret", "last_updated_timestamp", func(value string) error {
+						originalTS = value
+						return nil
+					}),
+				),
+			},
+			{
+				Config: testAccCheckIBMContainerIngressSecretOpaqueForceUpdate(secretName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "cluster", acc.ClusterName),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "secret_name", secretName),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "secret_namespace", "ibm-cert-store"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "persistence", "true"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "type", "Opaque"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "fields.#", "1"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "user_managed", "true"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "status", "created"),
+					resource.TestCheckResourceAttrWith("ibm_container_ingress_secret_opaque.secret", "last_updated_timestamp", func(value string) error {
+						if originalTS == value {
+							return fmt.Errorf("error timestamp not changed, indicates update didnt go through. original: %s, actual: %s", originalTS, value)
+						}
+						originalTS = value // check if another update will execute without a change to `update_secret`
+						return nil
+					}),
+				),
+			},
+			{
+				Config:             testAccCheckIBMContainerIngressSecretOpaqueForceUpdate(secretName),
+				ExpectNonEmptyPlan: false,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "cluster", acc.ClusterName),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "secret_name", secretName),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "secret_namespace", "ibm-cert-store"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "persistence", "true"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "type", "Opaque"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "fields.#", "1"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "user_managed", "true"),
+					resource.TestCheckResourceAttr(
+						"ibm_container_ingress_secret_opaque.secret", "status", "created"),
+					resource.TestCheckResourceAttrWith("ibm_container_ingress_secret_opaque.secret", "last_updated_timestamp", func(value string) error {
+						if originalTS != value {
+							return fmt.Errorf("error timestamp has changed, indicates update was called again even though no modification of fields. exptected: %s, actual: %s", originalTS, value)
+						}
+						return nil
+					}),
+				),
+			},
+			{
+				ResourceName:            "ibm_container_ingress_secret_opaque.secret",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"region", "issuer_name", "update_secret"},
 			},
 		},
 	})
@@ -134,3 +252,30 @@ resource "ibm_container_ingress_secret_opaque" "secret" {
   }
 }`, secretName, "ibm-cert-store", acc.ClusterName, true, acc.SecretCRN)
 }
+
+func testAccCheckIBMContainerIngressSecretOpaqueForceUpdateCreate(secretName string) string {
+	return fmt.Sprintf(`
+resource "ibm_container_ingress_secret_opaque" "secret" {
+  secret_name = "%s"
+  secret_namespace = "%s"
+  cluster  = "%s"
+  persistence = "%t"
+  fields {
+	crn = "%s"
+  }
+}`, secretName, "ibm-cert-store", acc.ClusterName, true, acc.SecretCRN)
+}
+
+func testAccCheckIBMContainerIngressSecretOpaqueForceUpdate(secretName string) string {
+	return fmt.Sprintf(`
+resource "ibm_container_ingress_secret_opaque" "secret" {
+  secret_name = "%s"
+  secret_namespace = "%s"
+  cluster  = "%s"
+  persistence = "%t"
+  update_secret = "%d"
+  fields {
+	crn = "%s"
+  }
+}`, secretName, "ibm-cert-store", acc.ClusterName, true, 1, acc.SecretCRN)
+}