From acca2f493e8e54fd67050509200a42bc09625592 Mon Sep 17 00:00:00 2001 From: Robert Savu Date: Thu, 9 Jul 2026 14:34:12 +0200 Subject: [PATCH 1/2] feat(dremio): stop returning client secret on get dremio Treviously the get dremio and list dremio endpoints were returning the full IDP config, including the client secret. The client secert should be known by the IDP and the instance itself and not be returned by "routine" get/list requests. --- go.mod | 2 +- go.sum | 4 ++-- .../internal/services/dremio/instance/resource.go | 8 ++++---- .../services/dremio/instance/resource_test.go | 14 ++++++-------- 4 files changed, 13 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 942312854..a07c66633 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/stackitcloud/stackit-sdk-go/services/cdn v1.18.0 github.com/stackitcloud/stackit-sdk-go/services/certificates v1.8.0 github.com/stackitcloud/stackit-sdk-go/services/dns v0.21.0 - github.com/stackitcloud/stackit-sdk-go/services/dremio v0.3.0 + github.com/stackitcloud/stackit-sdk-go/services/dremio v0.4.0 github.com/stackitcloud/stackit-sdk-go/services/edge v0.12.0 github.com/stackitcloud/stackit-sdk-go/services/git v0.14.0 github.com/stackitcloud/stackit-sdk-go/services/iaas v1.12.0 diff --git a/go.sum b/go.sum index bca7caf55..269a85eab 100644 --- a/go.sum +++ b/go.sum @@ -680,8 +680,8 @@ github.com/stackitcloud/stackit-sdk-go/services/certificates v1.8.0 h1:bINitVHAy github.com/stackitcloud/stackit-sdk-go/services/certificates v1.8.0/go.mod h1:eJpB3/pukz+KzVPVHQ4g3DVtQkxGga18VbFBhq9ugdY= github.com/stackitcloud/stackit-sdk-go/services/dns v0.21.0 h1:ZVkptfVCAqpaPWkE+WIopM9XdzqgbVcwmX5L1jZqqx8= github.com/stackitcloud/stackit-sdk-go/services/dns v0.21.0/go.mod h1:FiYSv3D9rzgEVzi8Mpq5oYZBosrasa5uUYqVdEIbM1U= -github.com/stackitcloud/stackit-sdk-go/services/dremio v0.3.0 h1:LKreLAR425+EMYbKrPIAzeoTEQlDF8EpIMTVBpOhjmA= -github.com/stackitcloud/stackit-sdk-go/services/dremio v0.3.0/go.mod h1:iMoiM8fM1mXC1Nz8FBiiQ08Yh+0C3yN0GPCdAbOlRXo= +github.com/stackitcloud/stackit-sdk-go/services/dremio v0.4.0 h1:kAWRUptc9g6lA9XCgB4Fw8oQYOhDuV0mp+eZhpiyJ+Y= +github.com/stackitcloud/stackit-sdk-go/services/dremio v0.4.0/go.mod h1:iMoiM8fM1mXC1Nz8FBiiQ08Yh+0C3yN0GPCdAbOlRXo= github.com/stackitcloud/stackit-sdk-go/services/edge v0.12.0 h1:qPhNo5m0K9ZKMnUx7e23fmvBmhOCxIFRzobwFhSHWUY= github.com/stackitcloud/stackit-sdk-go/services/edge v0.12.0/go.mod h1:Ylse6gqGJtsd5TVmvha+hoLd1QQHLKvhY5dO15+q5kg= github.com/stackitcloud/stackit-sdk-go/services/git v0.14.0 h1:VZBneGprCmHqckcSMPs3puBlK8rBpLMtYKmBktwdoVE= diff --git a/stackit/internal/services/dremio/instance/resource.go b/stackit/internal/services/dremio/instance/resource.go index aa51dc4a7..85f09b0c2 100644 --- a/stackit/internal/services/dremio/instance/resource.go +++ b/stackit/internal/services/dremio/instance/resource.go @@ -717,7 +717,7 @@ func mapAuthentication(instanceResp *dremioSdk.DremioResponse, model *Model) err authModel.AzureAD = &AzureADModel{ AuthorityUrl: types.StringValue(azureADResp.AuthorityUrl), ClientId: types.StringValue(azureADResp.ClientId), - ClientSecret: types.StringValue(azureADResp.ClientSecret), + ClientSecret: types.StringNull(), RedirectUrl: types.StringPointerValue(azureADResp.RedirectUrl), } } @@ -727,7 +727,7 @@ func mapAuthentication(instanceResp *dremioSdk.DremioResponse, model *Model) err oauthModel := &OAuthModel{ AuthorityUrl: types.StringValue(oauthResp.AuthorityUrl), ClientId: types.StringValue(oauthResp.ClientId), - ClientSecret: types.StringValue(oauthResp.ClientSecret), + ClientSecret: types.StringNull(), Scope: types.StringPointerValue(oauthResp.Scope), RedirectUrl: types.StringPointerValue(oauthResp.RedirectUrl), JwtClaims: &JwtClaimsModel{ @@ -827,7 +827,7 @@ func parseAuthentication(model *Model) (*dremioSdk.Authentication, error) { oAuthPayload := &dremioSdk.Oauth{ AuthorityUrl: model.Authentication.OAuth.AuthorityUrl.ValueString(), ClientId: model.Authentication.OAuth.ClientId.ValueString(), - ClientSecret: model.Authentication.OAuth.ClientSecret.ValueString(), + ClientSecret: model.Authentication.OAuth.ClientSecret.ValueStringPointer(), JwtClaims: dremioSdk.OauthJwtClaims{ UserName: model.Authentication.OAuth.JwtClaims.UserName.ValueString(), }, @@ -852,7 +852,7 @@ func parseAuthentication(model *Model) (*dremioSdk.Authentication, error) { azureAdPayload := &dremioSdk.Azuread{ AuthorityUrl: model.Authentication.AzureAD.AuthorityUrl.ValueString(), ClientId: model.Authentication.AzureAD.ClientId.ValueString(), - ClientSecret: model.Authentication.AzureAD.ClientSecret.ValueString(), + ClientSecret: model.Authentication.AzureAD.ClientSecret.ValueStringPointer(), RedirectUrl: model.Authentication.AzureAD.RedirectUrl.ValueStringPointer(), } return &dremioSdk.Authentication{ diff --git a/stackit/internal/services/dremio/instance/resource_test.go b/stackit/internal/services/dremio/instance/resource_test.go index a295afcc8..7b03b80dd 100644 --- a/stackit/internal/services/dremio/instance/resource_test.go +++ b/stackit/internal/services/dremio/instance/resource_test.go @@ -36,13 +36,11 @@ func TestMapFields(t *testing.T) { Azuread: &dremioSdk.Azuread{ AuthorityUrl: "azure-authority", ClientId: "azure-client", - ClientSecret: "azure-secret", RedirectUrl: utils.Ptr("azure-redirect"), }, Oauth: &dremioSdk.Oauth{ AuthorityUrl: "oauth-authority", ClientId: "oauth-client", - ClientSecret: "oauth-secret", JwtClaims: dremioSdk.OauthJwtClaims{ UserName: "oauth-username", }, @@ -77,13 +75,13 @@ func TestMapFields(t *testing.T) { AzureAD: &AzureADModel{ AuthorityUrl: types.StringValue("azure-authority"), ClientId: types.StringValue("azure-client"), - ClientSecret: types.StringValue("azure-secret"), + ClientSecret: types.StringNull(), RedirectUrl: types.StringValue("azure-redirect"), }, OAuth: &OAuthModel{ AuthorityUrl: types.StringValue("oauth-authority"), ClientId: types.StringValue("oauth-client"), - ClientSecret: types.StringValue("oauth-secret"), + ClientSecret: types.StringNull(), JwtClaims: &JwtClaimsModel{ UserName: types.StringValue("oauth-username"), }, @@ -207,7 +205,7 @@ func TestToCreatePayload(t *testing.T) { Oauth: &dremioSdk.Oauth{ AuthorityUrl: "oauth-authority", ClientId: "oauth-client", - ClientSecret: "oauth-secret", + ClientSecret: utils.Ptr("oauth-secret"), JwtClaims: dremioSdk.OauthJwtClaims{ UserName: "oauth-username", }, @@ -247,7 +245,7 @@ func TestToCreatePayload(t *testing.T) { Azuread: &dremioSdk.Azuread{ AuthorityUrl: "azure-authority", ClientId: "azure-client", - ClientSecret: "azure-secret", + ClientSecret: utils.Ptr("azure-secret"), RedirectUrl: utils.Ptr("azure-redirect"), }, Type: dremioSdk.AUTHENTICATIONTYPE_AZUREAD, @@ -424,7 +422,7 @@ func TestToUpdatePayload(t *testing.T) { Oauth: &dremioSdk.Oauth{ AuthorityUrl: "oauth-authority", ClientId: "oauth-client", - ClientSecret: "oauth-secret", + ClientSecret: utils.Ptr("oauth-secret"), JwtClaims: dremioSdk.OauthJwtClaims{ UserName: "oauth-username", }, @@ -464,7 +462,7 @@ func TestToUpdatePayload(t *testing.T) { Azuread: &dremioSdk.Azuread{ AuthorityUrl: "azure-authority", ClientId: "azure-client", - ClientSecret: "azure-secret", + ClientSecret: utils.Ptr("azure-secret"), RedirectUrl: utils.Ptr("azure-redirect"), }, Type: dremioSdk.AUTHENTICATIONTYPE_AZUREAD, From 697bc476f1625b7bf2a48bb019f06735eef2a6a5 Mon Sep 17 00:00:00 2001 From: Robert Savu Date: Fri, 10 Jul 2026 17:58:25 +0200 Subject: [PATCH 2/2] fix(dremio): resolve runtime validation failure for oauth/azuread client_secret - Fixes the runtime validation failure where apply fails with inconsistent values for sensitive attribute under the authentication block. --- .../services/dremio/dremio_acc_test.go | 14 +++--- .../services/dremio/instance/resource.go | 45 ++++++++++--------- 2 files changed, 33 insertions(+), 26 deletions(-) diff --git a/stackit/internal/services/dremio/dremio_acc_test.go b/stackit/internal/services/dremio/dremio_acc_test.go index 339a51fb9..c2660ea7b 100644 --- a/stackit/internal/services/dremio/dremio_acc_test.go +++ b/stackit/internal/services/dremio/dremio_acc_test.go @@ -26,11 +26,15 @@ var resourceDremioInstanceMin string //go:embed testdata/resource-max.tf var resourceDremioInstanceMax string -const dremioInstanceResource = "stackit_dremio_instance.example" -const dremioInstanceDataResource = "data.stackit_dremio_instance.example" +const ( + dremioInstanceResource = "stackit_dremio_instance.example" + dremioInstanceDataResource = "data.stackit_dremio_instance.example" +) -const dremioUserResource = "stackit_dremio_user.example" -const dremioUserDataResource = "data.stackit_dremio_user.example" +const ( + dremioUserResource = "stackit_dremio_user.example" + dremioUserDataResource = "data.stackit_dremio_user.example" +) var testDremioConfigVarsMin = config.Variables{ "project_id": config.StringVariable(testutil.ProjectId), @@ -285,7 +289,6 @@ func TestAccDremioInstanceMax(t *testing.T) { resource.TestCheckResourceAttr(dremioInstanceResource, "authentication.oauth.authority_url", testutil.ConvertConfigVariable(testDremioConfigVarsMax["authentication_oauth_authority_url"])), resource.TestCheckResourceAttr(dremioInstanceResource, "authentication.oauth.client_id", testutil.ConvertConfigVariable(testDremioConfigVarsMax["authentication_oauth_client_id"])), - resource.TestCheckResourceAttr(dremioInstanceResource, "authentication.oauth.client_secret", testutil.ConvertConfigVariable(testDremioConfigVarsMax["authentication_oauth_client_secret"])), resource.TestCheckResourceAttrSet(dremioInstanceResource, "authentication.oauth.redirect_url"), resource.TestCheckResourceAttr(dremioInstanceResource, "authentication.oauth.jwt_claims.user_name", testutil.ConvertConfigVariable(testDremioConfigVarsMax["authentication_oauth_client_jwt_claims_user_name"])), resource.TestCheckResourceAttr(dremioInstanceResource, "authentication.oauth.scope", testutil.ConvertConfigVariable(testDremioConfigVarsMax["authentication_oauth_scope"])), @@ -432,6 +435,7 @@ func TestAccDremioInstanceMax(t *testing.T) { return fmt.Sprintf("%s,%s,%s", testutil.ProjectId, testutil.Region, instanceId), nil }, + ImportStateVerifyIgnore: []string{"authentication.oauth.client_secret"}, }, { ConfigVariables: testDremioConfigVarsMax, diff --git a/stackit/internal/services/dremio/instance/resource.go b/stackit/internal/services/dremio/instance/resource.go index 85f09b0c2..c6f484c6c 100644 --- a/stackit/internal/services/dremio/instance/resource.go +++ b/stackit/internal/services/dremio/instance/resource.go @@ -708,33 +708,39 @@ func mapAuthentication(instanceResp *dremioSdk.DremioResponse, model *Model) err return fmt.Errorf("model input is nil") } - authModel := AuthenticationModel{ - Type: types.StringValue(string(instanceResp.Authentication.Type)), + if model.Authentication == nil { + model.Authentication = new(AuthenticationModel) } + model.Authentication.Type = types.StringValue(string(instanceResp.Authentication.Type)) + if instanceResp.Authentication.Azuread != nil { - azureADResp := instanceResp.Authentication.Azuread - authModel.AzureAD = &AzureADModel{ - AuthorityUrl: types.StringValue(azureADResp.AuthorityUrl), - ClientId: types.StringValue(azureADResp.ClientId), - ClientSecret: types.StringNull(), - RedirectUrl: types.StringPointerValue(azureADResp.RedirectUrl), + if model.Authentication.AzureAD == nil { + model.Authentication.AzureAD = new(AzureADModel) } + + azureADResp := instanceResp.Authentication.Azuread + azureADModel := model.Authentication.AzureAD + + azureADModel.AuthorityUrl = types.StringValue(azureADResp.AuthorityUrl) + azureADModel.ClientId = types.StringValue(azureADResp.ClientId) + azureADModel.RedirectUrl = types.StringValue(*azureADResp.RedirectUrl) } if instanceResp.Authentication.Oauth != nil { - oauthResp := instanceResp.Authentication.Oauth - oauthModel := &OAuthModel{ - AuthorityUrl: types.StringValue(oauthResp.AuthorityUrl), - ClientId: types.StringValue(oauthResp.ClientId), - ClientSecret: types.StringNull(), - Scope: types.StringPointerValue(oauthResp.Scope), - RedirectUrl: types.StringPointerValue(oauthResp.RedirectUrl), - JwtClaims: &JwtClaimsModel{ - UserName: types.StringValue(oauthResp.JwtClaims.UserName), - }, + if model.Authentication.OAuth == nil { + model.Authentication.OAuth = new(OAuthModel) } + oauthResp := instanceResp.Authentication.Oauth + oauthModel := model.Authentication.OAuth + + oauthModel.AuthorityUrl = types.StringValue(oauthResp.AuthorityUrl) + oauthModel.ClientId = types.StringValue(oauthResp.ClientId) + oauthModel.Scope = types.StringPointerValue(oauthResp.Scope) + oauthModel.RedirectUrl = types.StringPointerValue(oauthResp.RedirectUrl) + oauthModel.JwtClaims = &JwtClaimsModel{UserName: types.StringValue(oauthResp.JwtClaims.UserName)} + if len(oauthResp.Parameters) > 0 { var params []AuthParameterModel for _, p := range oauthResp.Parameters { @@ -746,11 +752,8 @@ func mapAuthentication(instanceResp *dremioSdk.DremioResponse, model *Model) err oauthModel.Parameters = params } - authModel.OAuth = oauthModel } - model.Authentication = &authModel - return nil }