From 91c41e4f04a4707f929b336c97bdc0c3a12e3fa4 Mon Sep 17 00:00:00 2001
From: Jacob Bednarz
Date: Wed, 31 Aug 2022 15:43:20 +1000
Subject: [PATCH 1/2] resource/cloudflare_access_service_token: allow in place refreshing

Access Service Tokens are now refreshable and can be expiry extended in place instead of recreation.
---
 .changelog/1872.txt | 3 +
 ...source_cloudflare_access_service_tokens.go | 55 ++++++++++---------
 ...schema_cloudflare_access_service_tokens.go | 3 +-
 3 files changed, 33 insertions(+), 28 deletions(-)
 create mode 100644 .changelog/1872.txt

diff --git a/.changelog/1872.txt b/.changelog/1872.txt
new file mode 100644
index 0000000000..4048821830
--- /dev/null
+++ b/.changelog/1872.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_service_token: allow in place refreshing
+```
diff --git a/internal/provider/resource_cloudflare_access_service_tokens.go b/internal/provider/resource_cloudflare_access_service_tokens.go
index 3dc72a036a..4c5b791293 100644
--- a/internal/provider/resource_cloudflare_access_service_tokens.go
+++ b/internal/provider/resource_cloudflare_access_service_tokens.go
@@ -9,7 +9,6 @@ import (
 	"github.com/MakeNowJust/heredoc/v2"
 	"github.com/cloudflare/cloudflare-go"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -23,8 +22,6 @@ func resourceCloudflareAccessServiceToken() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: resourceCloudflareAccessServiceTokenImport,
 		},
-
-		CustomizeDiff: customdiff.ComputedIf("expires_at", resourceCloudflareAccessServiceTokenExpireDiff),
 		Description: heredoc.Doc(`
 			Access Service Tokens are used for service-to-service communication when an application is behind Cloudflare Access.
@@ -32,29 +29,6 @@ func resourceCloudflareAccessServiceToken() *schema.Resource {
 	}
 }
-func resourceCloudflareAccessServiceTokenExpireDiff(ctx context.Context, d *schema.ResourceDiff, meta interface{}) bool {
-	mindays := d.Get("min_days_for_renewal").(int)
-	if mindays > 0 {
-		expires_at := d.Get("expires_at").(string)
-
-		if expires_at != "" {
-			expected_expiration_date, _ := time.Parse(time.RFC3339, expires_at)
-
-			expiration_date := time.Now().Add(time.Duration(mindays) * 24 * time.Hour)
-
-			if expiration_date.After(expected_expiration_date) {
-				err := d.SetNewComputed("client_secret")
-				if err != nil {
-					return false
-				}
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
 func resourceCloudflareAccessServiceTokenRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*cloudflare.API)
@@ -77,6 +51,35 @@ func resourceCloudflareAccessServiceTokenRead(ctx context.Context, d *schema.Res
 	}
 	for _, token := range serviceTokens {
 		if token.ID == d.Id() {
+			zoneID := d.Get("zone_id").(string)
+			accountID := d.Get("account_id").(string)
+			mindays := d.Get("min_days_for_renewal").(int)
+			if mindays > 0 {
+				expires_at := d.Get("expires_at").(string)
+
+				if expires_at != "" {
+					expected_expiration_date, _ := time.Parse(time.RFC3339, expires_at)
+
+					expiration_date := time.Now().Add(time.Duration(mindays) * 24 * time.Hour)
+
+					if expiration_date.After(expected_expiration_date) {
+						var refreshedToken cloudflare.AccessServiceTokenRefreshResponse
+						var err error
+
+						if accountID != "" {
+							refreshedToken, err = client.RefreshAccessServiceToken(ctx, cloudflare.AccountIdentifier(accountID), d.Id())
+						} else {
+							refreshedToken, err = client.RefreshAccessServiceToken(ctx, cloudflare.ZoneIdentifier(zoneID), d.Id())
+						}
+
+						if err != nil {
+							return diag.FromErr(fmt.Errorf("failed to automatically refresh token %q: %w", d.Id(), err))
+						}
+
+						token.ExpiresAt = refreshedToken.ExpiresAt
+					}
+				}
+			}
 			d.Set("name", token.Name)
 			d.Set("client_id", token.ClientID)
 			d.Set("expires_at", token.ExpiresAt.Format(time.RFC3339))
diff --git a/internal/provider/schema_cloudflare_access_service_tokens.go b/internal/provider/schema_cloudflare_access_service_tokens.go
index 96ccb6ea27..2ce7ba6745 100644
--- a/internal/provider/schema_cloudflare_access_service_tokens.go
+++ b/internal/provider/schema_cloudflare_access_service_tokens.go
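Review bot: The parse error on `expected_expiration_date, _ := time.Parse(time.RFC3339, expires_at)` is discarded, so an unparsable `expires_at` in state yields the zero time, `expiration_date.After(...)` is then always true, and the token is refreshed through the API on every read; handle it with `expected, err := time.Parse(time.RFC3339, expires_at)` followed by `if err != nil { return diag.FromErr(fmt.Errorf("parsing expires_at %q: %w", expires_at, err)) }`. A comment on the `if mindays > 0 {` line should also state that this block calls `RefreshAccessServiceToken`, which presumably extends the token's expiry server-side, from the Read path, i.e. during refresh/plan rather than apply, since a remote mutation inside a Terraform read is unusual and is what `min_days_for_renewal` opts the user into. `expiration_date` is really the renewal threshold (now plus `mindays`), so a name such as `renewalThreshold` would read more accurately. resourceCloudflareAccessServiceTokenRead begins and ends outside the hunk.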
@@ -37,14 +37,13 @@ func resourceCloudflareAccessServiceTokenSchema() map[string]*schema.Schema {
 		"expires_at": {
 			Type: schema.TypeString,
 			Computed: true,
-			ForceNew: true,
 			Description: "Date when the token expires",
 		},
 		"min_days_for_renewal": {
 			Type: schema.TypeInt,
 			Optional: true,
 			Default: 0,
-			Description: "Regenerates the token if terraform is run within the specified amount of days before expiration",
+			Description: "Refresh the token if terraform is run within the specified amount of days before expiration",
 		},
 	}
 }

From 302969ffce1810ee19c267d032a0f695c063538d Mon Sep 17 00:00:00 2001
From: Jacob Bednarz
Date: Thu, 1 Sep 2022 11:37:21 +1000
Subject: [PATCH 2/2] expand on refresh updates

---
 .changelog/1872.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changelog/1872.txt b/.changelog/1872.txt
index 4048821830..ad810ea00f 100644
--- a/.changelog/1872.txt
+++ b/.changelog/1872.txt
@@ -1,3 +1,3 @@
 ```release-note:enhancement
-resource/cloudflare_access_service_token: allow in place refreshing
+resource/cloudflare_access_service_token: updates internals to allow in place refreshing instead of full replacement based on the `expires_at` and `min_days_for_renewal` values
 ```
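Review bot: The new `min_days_for_renewal` description does not say when the refresh happens; the resource file's Read function in this patch is what calls `RefreshAccessServiceToken`, so the expiry is extended during refresh/plan rather than on apply, and users relying on plan being read-only need that stated. Suggest `Description: "Refresh the token if terraform is run within the specified amount of days before expiration. The refresh is performed when the resource is read, so it can occur during plan.",`. Dropping `ForceNew` from the computed `expires_at` is consistent with the removal of the CustomizeDiff hook in the first file. resourceCloudflareAccessServiceTokenSchema starts outside the hunk.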