Skip to content

[datadog_synthetics_global_variable] feat: add write-only value support #3382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dd-mergequeue merged 2 commits into from
Jan 15, 2026
Merged

[datadog_synthetics_global_variable] feat: add write-only value support #3382

dd-mergequeue merged 2 commits into from
Jan 15, 2026

Conversation

@LiuVII
Copy link
Contributor

@LiuVII LiuVII commented Dec 22, 2025
edited by atlassian bot
Loading

Follow-up #3210 to show-case how WO argument can be implemented using some WO helpers.

APIR-2446

Summary

Adds write-only attribute support to datadog_synthetics_global_variable resource for Terraform 1.11+, enabling secure secret handling without state file exposure.

Changes

  • Add value_wo (write-only) and value_wo_version (trigger) attributes alongside existing value
  • Use WriteOnlySecretHandler helpers from fwutils package for secret retrieval logic
  • Support partial updates: secrets only sent to API when version trigger changes
  • Add ValidateConfig to handle mutual exclusion between value/value_wo while allowing neither for FIDO variables
  • Add PreferWriteOnlyAttribute warning for secure variables still using plaintext value

Test Plan

  • TestAccDatadogSyntheticsGlobalVariableWriteOnly_Basic - create with write-only value
  • TestAccDatadogSyntheticsGlobalVariableWriteOnly_Updated - update via version trigger
  • TestAccDatadogSyntheticsGlobalVariableWriteOnlySecure_Basic - secure + write-only
  • Existing FIDO/TOTP/secure tests pass

@LiuVII LiuVII force-pushed the mf/APIR-1590/write-only-poc branch from 42142e3 to 25fe8b0 Compare January 5, 2026 15:36
@LiuVII LiuVII force-pushed the mf/APIR-1590/synthetics-write-only branch 2 times, most recently from 6314d5b to 75163e8 Compare January 5, 2026 15:44
@LiuVII LiuVII force-pushed the mf/APIR-1590/write-only-poc branch from 25fe8b0 to b2a5d4b Compare January 5, 2026 16:08
@LiuVII LiuVII force-pushed the mf/APIR-1590/synthetics-write-only branch from 75163e8 to 8581175 Compare January 5, 2026 16:08
LiuVII
LiuVII commented Jan 5, 2026
View reviewed changes
datadog/fwprovider/resource_datadog_synthetics_global_variable.go
stringvalidator.AlsoRequires(frameworkPath.Expressions{
frameworkPath.MatchRoot(valueConfig.WriteOnlyAttr),
}...),
},
Copy link
Contributor Author

@LiuVII LiuVII Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ️ info: we can't use CreateWriteOnlySecretAttributes because of secure conditional, which is unique to this resource

Base automatically changed from mf/APIR-1590/write-only-poc to master January 6, 2026 12:24
@LiuVII LiuVII mentioned this pull request Jan 6, 2026
Closed
@LiuVII LiuVII force-pushed the mf/APIR-1590/synthetics-write-only branch from 8581175 to a0542d7 Compare January 6, 2026 14:26
@LiuVII LiuVII force-pushed the mf/APIR-1590/synthetics-write-only branch from a0542d7 to 4fc53db Compare January 8, 2026 15:02
@LiuVII LiuVII marked this pull request as ready for review January 8, 2026 17:27
@LiuVII LiuVII requested review from a team as code owners January 8, 2026 17:27
@janine-c janine-c self-assigned this Jan 8, 2026
janine-c
janine-c approved these changes Jan 8, 2026
View reviewed changes
@janine-c janine-c removed their assignment Jan 8, 2026
Matt-Cam
Matt-Cam reviewed Jan 12, 2026
View reviewed changes
Copy link
Contributor

@Matt-Cam Matt-Cam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall code LGTM. Two main questions:

1. Testing
Were these changes validated against a locally spun up terraform-provider hitting staging?

2. Why are we doing this?
Does this provide any benefit over the existing secure attribute behavior, which already keeps secret values out of state? It seems like this mainly gives users option to hide from state a non-secure variable? Is this being done because it's best practice or for demonstration purposes?

@LiuVII
Copy link
Contributor Author

LiuVII commented Jan 13, 2026

thank you for the review @Matt-Cam 🙏 about your questions

Were these changes validated against a locally spun up terraform-provider hitting staging?

Validated it locally hitting frog prod org.

Does this provide any benefit over the existing secure attribute behavior, which already keeps secret values out of state? It seems like this mainly gives users option to hide from state a non-secure variable?

Not sure I understand "existing secure attribute behavior, which already keeps secret values out of state" part. The current behavior saves secret to the terraform state file even if the option is secure=true. The only thing we do is masking it from plaintext output with "sensitive".

And so the main benefit of this change is that we are not going to store it in state anymore and we're going to use native terraform framework behavior that ensures this.

@LiuVII LiuVII requested a review from Matt-Cam January 13, 2026 13:21
@Matt-Cam
Copy link
Contributor

Matt-Cam commented Jan 13, 2026
edited
Loading

@LiuVII thanks for the response 🙏🏼

Not sure I understand "existing secure attribute behavior, which already keeps secret values out of state" part. The current behavior saves secret to the terraform state file even if the option is secure=true. The only thing we do is masking it from plaintext output with "sensitive".

And so the main benefit of this change is that we are not going to store it in state anymore and we're going to use native terraform framework behavior that ensures this.

Ahh, okay I didn't realize that we were storing in state even when secure=true. Would it make any sense to simply use the t/f value of secure to determine whether or not to store it in state and avoid the new fields altogether? Note: I'm not saying this is best, but am genuinely asking :)

Matt-Cam
Matt-Cam approved these changes Jan 13, 2026
View reviewed changes
Copy link
Contributor

@Matt-Cam Matt-Cam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏼 LGTM with one last question

@LiuVII
Copy link
Contributor Author

LiuVII commented Jan 14, 2026

Would it make any sense to simply use the t/f value of secure to determine whether or not to store it in state and avoid the new fields altogether? Note: I'm not saying this is best, but am genuinely asking :)

The main issue is perpetual drift.

Here's what happens if you don't save value to state when secure=true:

  1. Config says: value = "my-secret"
  2. State says: value = null (because we didn't save it)
  3. Every terraform plan: Terraform sees a difference and proposes an update

This means every single plan would show:

~ resource "datadog_synthetics_global_variable" "example" {
    ~ value = null -> "my-secret"  # forces replacement or update
  }

The user would have to either:

  • Run terraform apply on every plan (annoying, potentially dangerous)
  • Use ignore_changes lifecycle block (defeats the purpose of managing the resource)

Why write-only solves this:
Write-only attributes tell Terraform: "This value is intentionally not stored in state. Don't compare it for drift
detection - just send it on create/update."

@Matt-Cam
Copy link
Contributor

Matt-Cam commented Jan 14, 2026

Would it make any sense to simply use the t/f value of secure to determine whether or not to store it in state and avoid the new fields altogether? Note: I'm not saying this is best, but am genuinely asking :)

The main issue is perpetual drift.

Here's what happens if you don't save value to state when secure=true:

  1. Config says: value = "my-secret"
  2. State says: value = null (because we didn't save it)
  3. Every terraform plan: Terraform sees a difference and proposes an update

This means every single plan would show:

~ resource "datadog_synthetics_global_variable" "example" {
    ~ value = null -> "my-secret"  # forces replacement or update
  }

The user would have to either:

  • Run terraform apply on every plan (annoying, potentially dangerous)
  • Use ignore_changes lifecycle block (defeats the purpose of managing the resource)

Why write-only solves this: Write-only attributes tell Terraform: "This value is intentionally not stored in state. Don't compare it for drift detection - just send it on create/update."

Makes sense, thanks for this! All good on my side 🚀

@LiuVII
Copy link
Contributor Author

LiuVII commented Jan 15, 2026

/merge

@gh-worker-devflow-routing-ef8351
Copy link

gh-worker-devflow-routing-ef8351 bot commented Jan 15, 2026
edited
Loading

View all feedbacks in Devflow UI.

2026-01-15 15:44:14 UTC ℹ️ Start processing command /merge

2026-01-15 15:44:56 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 33m (p90).

2026-01-15 15:57:47 UTC ℹ️ MergeQueue: This merge request was merged

@dd-mergequeue dd-mergequeue bot merged commit 781e469 into master Jan 15, 2026
19 checks passed
@dd-mergequeue dd-mergequeue bot deleted the mf/APIR-1590/synthetics-write-only branch January 15, 2026 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@janine-c janine-c janine-c approved these changes

@Matt-Cam Matt-Cam Matt-Cam approved these changes

@Supam Supam Supam approved these changes

Assignees

No one assigned

Labels

changelog/improvement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@LiuVII @Matt-Cam @Supam @janine-c