Migrate Azure Service Principal to Framework (#168)

* Migrate Azure Service Principal resource to Framework

* Set scope to be Optional

* Use docs generation for Vault Approle

docs/data-sources/credential_vault_approle.md

@@ -1,32 +1,41 @@
-# jenkins_credential_vault_approle Data Source
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "jenkins_credential_vault_approle Data Source - terraform-provider-jenkins"
+subcategory: ""
+description: |-
+  Get the attributes of a vault approle credential within Jenkins.
+---
 
-Get the attributes of a Vault AppRole credential within Jenkins.
+# jenkins_credential_vault_approle (Data Source)
 
-~> The Jenkins installation that uses this resource is expected to have the [Hashicorp Vault Plugin](https://plugins.jenkins.io/hashicorp-vault-plugin/) installed in their system.
+Get the attributes of a vault approle credential within Jenkins.
 
 ## Example Usage
 
-```hcl
+```terraform
 data "jenkins_credential_vault_approle" "example" {
-  name        = "job-name"
+  name   = "name"
+  folder = jenkins_folder.example.id
 }
 ```
 
-## Argument Reference
+<!-- schema generated by tfplugindocs -->
+## Schema
 
-The following arguments are supported:
+### Required
 
-* `name` - (Required) The name of the resource being read.
-* `domain` - (Optional) The domain store to place the credentials into. If not set will default to the global credentials store.
-* `folder` - (Optional) The folder namespace containing this resource.
+- `name` (String) The name of the resource being read.
 
-## Attribute Reference
+### Optional
 
-In addition to all arguments above, the following attributes are exported:
+- `domain` (String) The domain store containing this resource.
+- `folder` (String) The folder namespace containing this resource.
 
-* `id` - The full canonical job path, E.G. `/job/job-name`.
-* `description` - A human readable description of the credentials being stored.
-* `scope` - The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM".
-* `namespace` - The Vault namespace of the approle credential.
-* `path` - The unique name of the approle auth backend. Defaults to `approle`.
-* `role_id` - The role_id to be associated with the credentials.
+### Read-Only
+
+- `description` (String) A human readable description of the credentials being stored.
+- `id` (String) The full canonical job path, e.g. `/job/job-name`
+- `namespace` (String) The Vault namespace of the approle credential.
+- `path` (String) The unique name of the approle auth backend.
+- `role_id` (String) The role_id associated with the credentials.
+- `scope` (String) The visibility of the credentials to Jenkins agents. This will be either "GLOBAL" or "SYSTEM".

docs/resources/credential_azure_service_principal.md

@@ -1,4 +1,14 @@
-# resource_jenkins_credential_azure_service_principal Resource
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "jenkins_credential_azure_service_principal Resource - terraform-provider-jenkins"
+subcategory: ""
+description: |-
+  Manages an Azure Service Principal credential within Jenkins. This credential may then be referenced within jobs that are created.
+  ~> The "client_secret" property may leave plain-text secret id in your state file. If using the property to manage the secret id in Terraform, ensure that your state file is properly secured and encrypted at rest.
+  ~> The Jenkins installation that uses this resource is expected to have the Azure Credentials Plugin https://plugins.jenkins.io/azure-credentials/ installed in their system.
+---
+
+# jenkins_credential_azure_service_principal (Resource)
 
 Manages an Azure Service Principal credential within Jenkins. This credential may then be referenced within jobs that are created.
 
@@ -8,36 +18,40 @@ Manages an Azure Service Principal credential within Jenkins. This credential ma
 
 ## Example Usage
 
-```hcl
-resource jenkins_credential_azure_service_principal foo {
-    name = "example-secret"
-    subscription_id = "01234567-89ab-cdef-0123-456789abcdef"
-    client_id = "abcdef01-2345-6789-0123-456789abcdef"
-    client_secret = "super-secret"
-    tenant = "01234567-89ab-cdef-abcd-456789abcdef"
+```terraform
+resource "jenkins_credential_azure_service_principal" "foo" {
+  name            = "example-secret"
+  subscription_id = "01234567-89ab-cdef-0123-456789abcdef"
+  client_id       = "abcdef01-2345-6789-0123-456789abcdef"
+  client_secret   = "super-secret"
+  tenant          = "01234567-89ab-cdef-abcd-456789abcdef"
 }
 ```
 
-## Argument Reference
-
-The following arguments are supported:
-
-* `name` - (Required) The name of the credentials being created. This maps to the ID property within Jenkins, and cannot be changed once set.
-* `domain` - (Optional) The domain store to place the credentials into. If not set will default to the global credentials store.
-* `folder` - (Optional) The folder namespace to store the credentials in. If not set will default to global Jenkins credentials.
-* `scope` - (Optional) The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".
-* `description` - (Optional) A human readable description of the credentials being stored.
-* `subscription_id` - (Required) The Azure subscription id mapped to the Azure Service Principal.
-* `client_id` - (Required) The client id (application id) of the Azure Service Principal.
-* `client_secret` - (Optional) The client secret of the Azure Service Principal. Cannot be used with `certificate_id`. Has to be specified, if `certificate_id` is not specified.
-* `certificate_id` - (Optional) The certificate reference of the Azure Service Principal, pointing to a Jenkins certificate credential. Cannot be used with `client_secret`. Has to be specified, if `client_secret` is not specified.
-* `tenant` - (Required) The Azure Tenant ID of the Azure Service Principal.
-* `azure_environment_name` - (Optional) The Azure Cloud enviroment name. Allowed values are "Azure", "Azure China", "Azure Germany", "Azure US Government".
-* `service_management_url` - (Optional) Override the Azure management endpoint URL for the selected Azure environment.
-* `authentication_endpoint` - (Optional) Override the Azure Active Directory endpoint for the selected Azure environment.
-* `resource_manager_endpoint` - (Optional) Override the Azure resource manager endpoint URL for the selected Azure environment.
-* `graph_endpoint` - (Optional) Override the Azure graph endpoint URL for the selected Azure environment.
-
-## Attribute Reference
-
-All arguments above are exported.
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `client_id` (String) The client id (application id) of the Azure Service Principal.
+- `name` (String) The name of the credentials being created. This maps to the ID property within Jenkins, and cannot be changed once set.
+- `subscription_id` (String) The Azure subscription id mapped to the Azure Service Principal.
+- `tenant` (String) The Azure Tenant ID of the Azure Service Principal.
+
+### Optional
+
+- `authentication_endpoint` (String) Override the Azure Active Directory endpoint for the selected Azure environment.
+- `azure_environment_name` (String) The Azure Cloud enviroment name. Allowed values are "Azure", "Azure China", "Azure Germany", "Azure US Government".
+- `certificate_id` (String, Sensitive) The certificate reference of the Azure Service Principal, pointing to a Jenkins certificate credential. Cannot be used with `client_secret`. Has to be specified, if `client_secret` is not specified.
+- `client_secret` (String, Sensitive) The client secret of the Azure Service Principal. Cannot be used with `certificate_id`. Has to be specified, if `certificate_id` is not specified.
+- `description` (String) A human readable description of the credentials being stored.
+- `domain` (String) The domain store to place the credentials into. If not set will default to the global credentials store.
+- `folder` (String) The folder namespace to store the credentials in. If not set will default to global Jenkins credentials.
+- `graph_endpoint` (String) Override the Azure graph endpoint URL for the selected Azure environment.
+- `resource_manager_endpoint` (String) Override the Azure resource manager endpoint URL for the selected Azure environment.
+- `scope` (String) The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".
+- `service_management_url` (String) Override the Azure management endpoint URL for the selected Azure environment.
+
+### Read-Only
+
+- `id` (String) The full canonical job path, e.g. `/job/job-name`

docs/resources/credential_username.md

@@ -38,8 +38,8 @@ resource "jenkins_credential_username" "example" {
 - `domain` (String) The domain store to place the credentials into. If not set will default to the global credentials store.
 - `folder` (String) The folder namespace to store the credentials in. If not set will default to global Jenkins credentials.
 - `password` (String, Sensitive) The password to be associated with the credentials. If empty then the password property will become unmanaged and expected to be set manually within Jenkins. If set then the password will be updated only upon changes -- if the password is set manually within Jenkins then it will not reconcile this drift until the next time the password property is changed.
+- `scope` (String) The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".
 
 ### Read-Only
 
 - `id` (String) The full canonical job path, e.g. `/job/job-name`
-- `scope` (String) The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".

docs/resources/credential_vault_approle.md

@@ -41,9 +41,9 @@ resource "jenkins_credential_vault_approle" "example" {
 - `folder` (String) The folder namespace to store the credentials in. If not set will default to global Jenkins credentials.
 - `namespace` (String) The Vault namespace of the approle credential.
 - `path` (String) The unique name of the approle auth backend. Defaults to `approle`.
+- `scope` (String) The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".
 - `secret_id` (String, Sensitive) The secret_id to be associated with the credentials. If empty then the secret_id property will become unmanaged and expected to be set manually within Jenkins. If set then the secret_id will be updated only upon changes -- if the secret_id is set manually within Jenkins then it will not reconcile this drift until the next time the secret_id property is changed.
 
 ### Read-Only
 
 - `id` (String) The full canonical job path, e.g. `/job/job-name`
-- `scope` (String) The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".

examples/resources/jenkins_credential_azure_service_principal/resource.tf

@@ -0,0 +1,7 @@
+resource "jenkins_credential_azure_service_principal" "foo" {
+  name            = "example-secret"
+  subscription_id = "01234567-89ab-cdef-0123-456789abcdef"
+  client_id       = "abcdef01-2345-6789-0123-456789abcdef"
+  client_secret   = "super-secret"
+  tenant          = "01234567-89ab-cdef-abcd-456789abcdef"
+}

integration/credentials/credentials_azure_service_principal.tf

@@ -1,9 +1,14 @@
-   resource "jenkins_credential_azure_service_principal" "azure_service_principal_test_credential" {
-    name = "bla"
-    folder = jenkins_folder.example.id
-    description = "blabla"
-    subscription_id = "123"
-    client_id = "123"
-    client_secret = "super-secret"
-    tenant = "456"
+resource "jenkins_credential_azure_service_principal" "azure_service_principal_test_credential" {
+  name            = "bla"
+  folder          = jenkins_folder.example.id
+  description     = "blabla"
+  subscription_id = "123"
+  client_id       = "123"
+  client_secret   = "super-secret"
+  tenant          = "456"
+}
+
+output "azure_service_principal" {
+  value     = jenkins_credential_azure_service_principal.azure_service_principal_test_credential
+  sensitive = true
 }

integration/main.tftest.hcl

@@ -54,6 +54,10 @@ run "credentials" {
     random = random
   }
 
+  assert {
+    condition     = output.azure_service_principal.client_id == "123"
+    error_message = "${nonsensitive(output.azure_service_principal.client_id)} did not contain expected \"123\" value"
+  }
   assert {
     condition     = output.username.username == jenkins_credential_username.global.username
     error_message = "${output.username.username} data value did not match resource value"

jenkins/provider.go

@@ -50,13 +50,12 @@ func Provider() *schema.Provider {
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
-			"jenkins_credential_secret_file":             resourceJenkinsCredentialSecretFile(),
-			"jenkins_credential_secret_text":             resourceJenkinsCredentialSecretText(),
-			"jenkins_credential_ssh":                     resourceJenkinsCredentialSSH(),
-			"jenkins_folder":                             resourceJenkinsFolder(),
-			"jenkins_job":                                resourceJenkinsJob(),
-			"jenkins_credential_azure_service_principal": resourceJenkinsCredentialAzureServicePrincipal(),
-			"jenkins_view":                               resourceJenkinsView(),
+			"jenkins_credential_secret_file": resourceJenkinsCredentialSecretFile(),
+			"jenkins_credential_secret_text": resourceJenkinsCredentialSecretText(),
+			"jenkins_credential_ssh":         resourceJenkinsCredentialSSH(),
+			"jenkins_folder":                 resourceJenkinsFolder(),
+			"jenkins_job":                    resourceJenkinsJob(),
+			"jenkins_view":                   resourceJenkinsView(),
 		},
 
 		ConfigureContextFunc: configureProvider,

jenkins/provider_framework.go

@@ -130,6 +130,7 @@ func (p *JenkinsProvider) DataSources(ctx context.Context) []func() datasource.D
 // Resources satisfies the provider.Provider interface for JenkinsProvider.
 func (p *JenkinsProvider) Resources(ctx context.Context) []func() resource.Resource {
 	return []func() resource.Resource{
+		newCredentialAzureServicePrincipalResource,
 		newCredentialUsernameResource,
 		newCredentialVaultAppRoleResource,
 	}

jenkins/resource.go

@@ -90,6 +90,7 @@ func (r *resourceHelper) schemaCredential(s map[string]schema.Attribute) map[str
 	}
 	s["scope"] = schema.StringAttribute{
 		MarkdownDescription: `The visibility of the credentials to Jenkins agents. This must be set to either "GLOBAL" or "SYSTEM". If not set will default to "GLOBAL".`,
+		Optional:            true,
 		Computed:            true,
 		Default:             stringdefault.StaticString("GLOBAL"),
 		Validators: []validator.String{