From afef3a5e60cc9c0f17115be6cef4d92518790a86 Mon Sep 17 00:00:00 2001
From: Petro Protsakh <p.protsakh@scalr.com>
Date: Wed, 4 Sep 2024 17:02:54 +0300
Subject: [PATCH] SCALRCORE-32209 Provider > Variables: force new when changing
 some attributes of a sensitive variable (#346)

* SCALRCORE-32209 scalr_variable: force new when changing `key`, `sensitive` attribute of a sensitive variable

* SCALRCORE-32209 Update changelog
---
 CHANGELOG.md                          |  5 ++++
 scalr/resource_scalr_variable.go      | 33 ++++++++++++++++-----------
 scalr/resource_scalr_variable_test.go | 28 -----------------------
 3 files changed, 25 insertions(+), 41 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8423320e..b89b504b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - `scalr_workspace`: new attribute `type` ([#345](https://github.com/Scalr/terraform-provider-scalr/pull/345))
 
+### Changed
+
+- `scalr_variable`: force resource recreation when changing `key` or `sensitive` attribute value
+of a sensitive variable ([#346](https://github.com/Scalr/terraform-provider-scalr/pull/346))
+
 ## [2.0.0] - 2024-08-15
 
 ### Removed
diff --git a/scalr/resource_scalr_variable.go b/scalr/resource_scalr_variable.go
index 407b64ef..e45b7c2d 100644
--- a/scalr/resource_scalr_variable.go
+++ b/scalr/resource_scalr_variable.go
@@ -3,14 +3,14 @@ package scalr
 import (
 	"context"
 	"errors"
-	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"log"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/scalr/go-scalr"
+
+	"log"
 )
 
 func resourceScalrVariable() *schema.Resource {
@@ -21,16 +21,23 @@ func resourceScalrVariable() *schema.Resource {
 		UpdateContext: resourceScalrVariableUpdate,
 		DeleteContext: resourceScalrVariableDelete,
 		CustomizeDiff: customdiff.All(
-			func(ctx context.Context, d *schema.ResourceDiff, meta interface{}) error {
-				// Reject change for key if variable is sensitive
-				oldValue, newValue := d.GetChange("key")
-				sensitive := d.Get("sensitive")
-
-				if sensitive.(bool) && (oldValue.(string) != "" && oldValue.(string) != newValue.(string)) {
-					return fmt.Errorf("Error changing 'key' attribute for variable %s: immutable for sensitive variable", d.Id())
-				}
-				return nil
-			},
+			customdiff.ForceNewIf(
+				"key",
+				func(ctx context.Context, d *schema.ResourceDiff, meta any) bool {
+					// Force new when updating the `key` value of a sensitive variable.
+					// To do this we check the `sensitive` value before the change,
+					// as it might be changed in new configuration as well.
+					oldSens, _ := d.GetChange("sensitive")
+					return oldSens.(bool)
+				},
+			),
+			customdiff.ForceNewIfChange(
+				"sensitive",
+				func(ctx context.Context, old, new, meta any) bool {
+					// Force new when updating the `sensitive` value from true to false.
+					return old.(bool)
+				},
+			),
 		),
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
diff --git a/scalr/resource_scalr_variable_test.go b/scalr/resource_scalr_variable_test.go
index c61dd764..125212f2 100644
--- a/scalr/resource_scalr_variable_test.go
+++ b/scalr/resource_scalr_variable_test.go
@@ -2,7 +2,6 @@ package scalr
 
 import (
 	"fmt"
-	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -170,17 +169,6 @@ func TestAccScalrVariable_update(t *testing.T) {
 						"scalr_variable.test", "description", "updated"),
 				),
 			},
-
-			// Test change key attribute for sensitive variable
-			{
-				Config: testAccScalrVariableOnWorkspaceScopeUpdateSensitivity(rInt),
-			},
-
-			{
-				Config:      testAccScalrVariableOnWorkspaceScopeUpdateSensitivity(rInt + 1),
-				ExpectError: regexp.MustCompile("Error changing 'key' attribute for variable var-[a-z0-9]+: immutable for sensitive variable"),
-				PlanOnly:    true,
-			},
 		},
 	})
 }
@@ -448,19 +436,3 @@ resource scalr_variable test {
   description    = "updated"
 }`, rInt, defaultAccount)
 }
-
-func testAccScalrVariableOnWorkspaceScopeUpdateSensitivity(rInt int) string {
-	return fmt.Sprintf(baseForUpdate+`
-resource scalr_variable test {
-  key            = "var_on_ws_updated_%[1]d"
-  value          = "updated"
-  category       = "terraform"
-  hcl            = true
-  force          = true
-  final          = true
-  sensitive      = true
-  account_id     = "%[2]s"
-  environment_id = scalr_environment.test.id
-  workspace_id   = scalr_workspace.test.id
-}`, rInt, defaultAccount)
-}