Merge pull request #1872 from cloudflare/refresh-not-replace-tokens

.changelog/1872.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_service_token: updates internals to allow in place refreshing instead of full replacement based on the `expires_at` and `min_days_for_renewal` values
+```

internal/provider/resource_cloudflare_access_service_tokens.go

@@ -9,7 +9,6 @@ import (
 	"github.com/MakeNowJust/heredoc/v2"
 	"github.com/cloudflare/cloudflare-go"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -23,38 +22,13 @@ func resourceCloudflareAccessServiceToken() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: resourceCloudflareAccessServiceTokenImport,
 		},
-
-		CustomizeDiff: customdiff.ComputedIf("expires_at", resourceCloudflareAccessServiceTokenExpireDiff),
 		Description: heredoc.Doc(`
 			Access Service Tokens are used for service-to-service communication
 			when an application is behind Cloudflare Access.
 		`),
 	}
 }
 
-func resourceCloudflareAccessServiceTokenExpireDiff(ctx context.Context, d *schema.ResourceDiff, meta interface{}) bool {
-	mindays := d.Get("min_days_for_renewal").(int)
-	if mindays > 0 {
-		expires_at := d.Get("expires_at").(string)
-
-		if expires_at != "" {
-			expected_expiration_date, _ := time.Parse(time.RFC3339, expires_at)
-
-			expiration_date := time.Now().Add(time.Duration(mindays) * 24 * time.Hour)
-
-			if expiration_date.After(expected_expiration_date) {
-				err := d.SetNewComputed("client_secret")
-				if err != nil {
-					return false
-				}
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
 func resourceCloudflareAccessServiceTokenRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*cloudflare.API)
 
@@ -77,6 +51,35 @@ func resourceCloudflareAccessServiceTokenRead(ctx context.Context, d *schema.Res
 	}
 	for _, token := range serviceTokens {
 		if token.ID == d.Id() {
+			zoneID := d.Get("zone_id").(string)
+			accountID := d.Get("account_id").(string)
+			mindays := d.Get("min_days_for_renewal").(int)
+			if mindays > 0 {
+				expires_at := d.Get("expires_at").(string)
+
+				if expires_at != "" {
+					expected_expiration_date, _ := time.Parse(time.RFC3339, expires_at)
+
+					expiration_date := time.Now().Add(time.Duration(mindays) * 24 * time.Hour)
+
+					if expiration_date.After(expected_expiration_date) {
+						var refreshedToken cloudflare.AccessServiceTokenRefreshResponse
+						var err error
+
+						if accountID != "" {
+							refreshedToken, err = client.RefreshAccessServiceToken(ctx, cloudflare.AccountIdentifier(accountID), d.Id())
+						} else {
+							refreshedToken, err = client.RefreshAccessServiceToken(ctx, cloudflare.ZoneIdentifier(zoneID), d.Id())
+						}
+
+						if err != nil {
+							return diag.FromErr(fmt.Errorf("failed to automatically refresh token %q: %w", d.Id(), err))
+						}
+
+						token.ExpiresAt = refreshedToken.ExpiresAt
+					}
+				}
+			}
 			d.Set("name", token.Name)
 			d.Set("client_id", token.ClientID)
 			d.Set("expires_at", token.ExpiresAt.Format(time.RFC3339))

internal/provider/schema_cloudflare_access_service_tokens.go

@@ -37,14 +37,13 @@ func resourceCloudflareAccessServiceTokenSchema() map[string]*schema.Schema {
 		"expires_at": {
 			Type:        schema.TypeString,
 			Computed:    true,
-			ForceNew:    true,
 			Description: "Date when the token expires",
 		},
 		"min_days_for_renewal": {
 			Type:        schema.TypeInt,
 			Optional:    true,
 			Default:     0,
-			Description: "Regenerates the token if terraform is run within the specified amount of days before expiration",
+			Description: "Refresh the token if terraform is run within the specified amount of days before expiration",
 		},
 	}
 }