Added write-only fields for webhook and added tests (#742)

marko-kos · web-flow · commit 118476d6e6db · 2026-02-10T16:55:11.000+01:00
diff --git a/docs/resources/webhook.md b/docs/resources/webhook.md
@@ -28,10 +28,14 @@ resource "spacelift_webhook" "webhook" {
 
 ### Optional
 
+> **NOTE**: [Write-only arguments](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) are supported in Terraform 1.11 and later.
+
 - `enabled` (Boolean) enables or disables sending webhooks. Defaults to `true`.
 - `module_id` (String) ID of the module which triggers the webhooks
 - `retry_on_failure` (Boolean) whether to retry the webhook in case of failure. Defaults to `false`.
-- `secret` (String, Sensitive) secret used to sign each POST request so you're able to verify that the request comes from us. Defaults to an empty value. Note that once it's created, it will be just an empty string in the state due to security reasons.
+- `secret` (String, Sensitive, Deprecated) secret used to sign each POST request so you're able to verify that the request comes from us. Defaults to an empty value. Note that once it's created, it will be just an empty string in the state due to security reasons.
+- `secret_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) `secret_wo` used to sign each POST request so you're able to verify that the request comes from us. Defaults to an empty value. The secret_wo is not stored in the state. Modify secret_wo_version to trigger an update. This field requires Terraform/OpenTofu 1.11+.
+- `secret_wo_version` (String) Used together with secret_wo to trigger an update to the secret. Increment this value when an update to secret_wo is required. This field requires Terraform/OpenTofu 1.11+.
 - `stack_id` (String) ID of the stack which triggers the webhooks
 
 ### Read-Only
diff --git a/spacelift/resource_webhook.go b/spacelift/resource_webhook.go
@@ -78,8 +78,28 @@ func resourceWebhook() *schema.Resource {
 				Sensitive:        true,
 				ForceNew:         true,
 				Default:          "",
+				Deprecated:       "`secret` is deprecated. Please use secret_wo in combination with secret_wo_version",
 				DiffSuppressFunc: ignoreOnceCreated,
+				ConflictsWith:    []string{"secret_wo", "secret_wo_version"},
 			},
+			"secret_wo": {
+				Type:          schema.TypeString,
+				Description:   "`secret_wo` used to sign each POST request so you're able to verify that the request comes from us. Defaults to an empty value. The secret_wo is not stored in the state. Modify secret_wo_version to trigger an update. This field requires Terraform/OpenTofu 1.11+.",
+				Sensitive:     true,
+				Optional:      true,
+				WriteOnly:     true,
+				ConflictsWith: []string{"secret"},
+				RequiredWith:  []string{"secret_wo_version"},
+			},
+			"secret_wo_version": {
+				Type:          schema.TypeString,
+				Description:   "Used together with secret_wo to trigger an update to the secret. Increment this value when an update to secret_wo is required. This field requires Terraform/OpenTofu 1.11+.",
+				Optional:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"secret"},
+				RequiredWith:  []string{"secret_wo"},
+			},
+
 			"stack_id": {
 				Type:        schema.TypeString,
 				Description: "ID of the stack which triggers the webhooks",
@@ -96,6 +116,11 @@ func resourceWebhook() *schema.Resource {
 }
 
 func resourceWebhookCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	secret, diags := internal.ExtractWriteOnlyField("secret", "secret_wo", "secret_wo_version", d)
+	if diags != nil {
+		return diags
+	}
+
 	var mutation struct {
 		WebhooksIntegration struct {
 			ID      string `graphql:"id"`
@@ -106,7 +131,7 @@ func resourceWebhookCreate(ctx context.Context, d *schema.ResourceData, meta int
 	input := structs.WebhooksIntegrationInput{
 		Enabled:  graphql.Boolean(d.Get("enabled").(bool)),
 		Endpoint: graphql.String(d.Get("endpoint").(string)),
-		Secret:   graphql.String(d.Get("secret").(string)),
+		Secret:   graphql.String(secret),
 	}
 
 	if retryOnFailure, ok := d.GetOk("retry_on_failure"); ok {
diff --git a/spacelift/resource_webhook_test.go b/spacelift/resource_webhook_test.go
@@ -90,4 +90,48 @@ func TestWebhookResource(t *testing.T) {
 			},
 		})
 	})
+
+	t.Run("with a stack and write-only values", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+		config := func(endpoint string) string {
+			return fmt.Sprintf(`
+				resource "spacelift_stack" "test" {
+					branch     = "master"
+					repository = "demo"
+					name       = "Test stack %s"
+				}
+
+				resource "spacelift_webhook" "test" {
+					stack_id          = spacelift_stack.test.id
+					endpoint          = "%s"
+					secret_wo         = "very-very-secret"
+					secret_wo_version = 1
+					retry_on_failure  = false
+				}
+			`, randomID, endpoint)
+		}
+
+		testSteps(t, []resource.TestStep{
+			{
+				Config: config("https://bacon.org"),
+				Check: Resource(
+					resourceName,
+					Attribute("id", IsNotEmpty()),
+					Attribute("endpoint", Equals("https://bacon.org")),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateIdPrefix:     fmt.Sprintf("stack/test-stack-%s/", randomID),
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"secret", "secret_wo_version"},
+			},
+			{
+				Config: config("https://cabbage.org"),
+				Check:  Resource(resourceName, Attribute("endpoint", Equals("https://cabbage.org"))),
+			},
+		})
+	})
 }
