Skip to content
Open
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changelog/76.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
```release-note:enhancement
resource/mailgun_smtp_credential: Add write-only `password_wo` and `password_wo_version` arguments. The secret is never stored in Terraform state; increment the version to rotate. Requires Terraform CLI >= 1.11.
```

```release-note:deprecation
resource/mailgun_smtp_credential: The `password` argument is deprecated in favor of `password_wo`/`password_wo_version` and will be removed in a future major release.
```
31 changes: 30 additions & 1 deletion docs/resources/smtp_credential.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,33 @@ resource "mailgun_smtp_credential" "app" {
output "smtp_full_login" {
value = mailgun_smtp_credential.app.full_login
}

# Write-only password (recommended). Requires Terraform CLI >= 1.11.
# The secret is never written to Terraform state. Bump password_wo_version to rotate.
resource "random_password" "smtp" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "random_password" "smtp" {
ephemeral "random_password" "smtp" {

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block is generated from the example file, so it now shows the ephemeral resource after make generate (fc26208).

length = 24
special = false
}

resource "mailgun_smtp_credential" "app_wo" {
domain = "mail.example.com"
login = "app-mailer-wo"
password_wo = random_password.smtp.result
password_wo_version = 1
}
```

## Write-Only Password

The `password_wo` and `password_wo_version` arguments provide a write-only credential workflow that keeps the secret out of Terraform state entirely:

- Requires Terraform CLI >= 1.11.
- The value of `password_wo` is never stored in state or shown in plan output.
- Rotate the password by changing `password_wo` and incrementing `password_wo_version`.
- Credentials imported with `terraform import` have no password in state; use `password_wo` + `password_wo_version` to set one and enable future rotation.

The legacy `password` argument is deprecated and will be removed in a future major release.

<!-- schema generated by tfplugindocs -->
## Schema

Expand All @@ -35,7 +60,11 @@ output "smtp_full_login" {

### Optional

- `password` (String, Sensitive) The password for SMTP authentication. This is write-only and cannot be read back from the API. Set this when creating a credential or when rotating the password of an imported credential. Leave it unset to keep the existing password of an imported credential.
> **NOTE**: [Write-only arguments](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) are supported in Terraform 1.11 and later.

- `password` (String, Sensitive, Deprecated) The password for SMTP authentication. This is write-only and cannot be read back from the API. Set this when creating a credential or when rotating the password of an imported credential. Leave it unset to keep the existing password of an imported credential.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `password` (String, Sensitive, Deprecated) The password for SMTP authentication. This is write-only and cannot be read back from the API. Set this when creating a credential or when rotating the password of an imported credential. Leave it unset to keep the existing password of an imported credential.
- `password` (String, Sensitive, Deprecated) The password for SMTP authentication. This is write-only and cannot be read back from the API. Set this when creating credentials or when rotating the password. Leave it unset to maintain the existing password during import.

Some suggestion on the text, highly optional

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied (at the schema Description source, then regenerated). fc26208.

- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for SMTP authentication. The value is never stored in Terraform state. Set it together with password_wo_version and increment the version to rotate the password. Requires Terraform CLI >= 1.11.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for SMTP authentication. The value is never stored in Terraform state. Set it together with password_wo_version and increment the version to rotate the password. Requires Terraform CLI >= 1.11.
- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for SMTP authentication. The value is never stored in Terraform state. Always set it together with password_wo_version.

I think we can skip the password version specifics since we have a dedicated entry below

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trimmed the version/CLI specifics from the password_wo description since password_wo_version has its own entry. fc26208.

- `password_wo_version` (Number) Version counter for password_wo. Increment this value to rotate the write-only password. Required when password_wo is set.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `password_wo_version` (Number) Version counter for password_wo. Increment this value to rotate the write-only password. Required when password_wo is set.
- `password_wo_version` (Number) Version counter for password_wo. Increment this value to rotate the write-only password. **Required** when password_wo is set.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bolded Required on password_wo_version. fc26208.


### Read-Only

Expand Down
14 changes: 14 additions & 0 deletions examples/resources/mailgun_smtp_credential/resource.tf
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,17 @@ resource "mailgun_smtp_credential" "app" {
output "smtp_full_login" {
value = mailgun_smtp_credential.app.full_login
}

# Write-only password (recommended). Requires Terraform CLI >= 1.11.
# The secret is never written to Terraform state. Bump password_wo_version to rotate.
resource "random_password" "smtp" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "random_password" "smtp" {
ephemeral "random_password" "smtp" {

Since the only destination of this is a wo field, we should use an ephemeral resources for random_password as well.

🔗 docs reference

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. Switched the example to an ephemeral "random_password" and updated the reference to ephemeral.random_password.smtp.result so the generated secret never lands in state. Done in fc26208.

length = 24
special = false
}

resource "mailgun_smtp_credential" "app_wo" {
domain = "mail.example.com"
login = "app-mailer-wo"
password_wo = random_password.smtp.result
password_wo_version = 1
}
138 changes: 138 additions & 0 deletions internal/provider/smtp_credentials/helpers_internal_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
// Copyright Hack The Box 2025, 2026
// SPDX-License-Identifier: MPL-2.0

package smtp_credentials

import (
"testing"

"github.com/hashicorp/terraform-plugin-framework/types"
)

func TestPasswordForCreate(t *testing.T) {
tests := []struct {
name string
passwordWO types.String
legacy types.String
wantPass string
wantOK bool
}{
{"write-only preferred", types.StringValue("wo-secret"), types.StringValue("legacy"), "wo-secret", true},
{"legacy when no wo", types.StringNull(), types.StringValue("legacy"), "legacy", true},
{"neither set", types.StringNull(), types.StringNull(), "", false},
{"legacy unknown ignored", types.StringNull(), types.StringUnknown(), "", false},
{"wo unknown falls back to legacy", types.StringUnknown(), types.StringValue("legacy"), "legacy", true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotPass, gotOK := passwordForCreate(tt.passwordWO, tt.legacy)
if gotPass != tt.wantPass || gotOK != tt.wantOK {
t.Errorf("passwordForCreate() = (%q, %v), want (%q, %v)", gotPass, gotOK, tt.wantPass, tt.wantOK)
}
})
}
}

func TestWriteOnlyRotationRequested(t *testing.T) {
tests := []struct {
name string
plan types.Int64
state types.Int64
want bool
}{
{"version bumped", types.Int64Value(2), types.Int64Value(1), true},
{"version unchanged", types.Int64Value(1), types.Int64Value(1), false},
{"first set from null state", types.Int64Value(1), types.Int64Null(), true},
{"no version in plan", types.Int64Null(), types.Int64Null(), false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := writeOnlyRotationRequested(tt.plan, tt.state); got != tt.want {
t.Errorf("writeOnlyRotationRequested() = %v, want %v", got, tt.want)
}
})
}
}

func TestResolveUpdatePassword(t *testing.T) {
tests := []struct {
name string
passwordWO types.String
planPW types.String
planVersion types.Int64
stateVersion types.Int64
wantPW string
wantRotate bool
wantErr string
}{
{
name: "write-only with version bump rotates",
passwordWO: types.StringValue("wo-secret"),
planPW: types.StringNull(),
planVersion: types.Int64Value(2),
stateVersion: types.Int64Value(1),
wantPW: "wo-secret",
wantRotate: true,
wantErr: "",
},
{
name: "write-only without version bump skips rotation",
passwordWO: types.StringValue("wo-secret"),
planPW: types.StringNull(),
planVersion: types.Int64Value(1),
stateVersion: types.Int64Value(1),
wantPW: "",
wantRotate: false,
wantErr: "",
},
{
name: "legacy null preserves imported state",
passwordWO: types.StringNull(),
planPW: types.StringNull(),
planVersion: types.Int64Null(),
stateVersion: types.Int64Null(),
wantPW: "",
wantRotate: false,
wantErr: "",
},
{
name: "legacy empty string is an error",
passwordWO: types.StringNull(),
planPW: types.StringValue(""),
planVersion: types.Int64Null(),
stateVersion: types.Int64Null(),
wantPW: "",
wantRotate: false,
wantErr: "Invalid Password",
},
{
name: "legacy non-empty rotates",
passwordWO: types.StringNull(),
planPW: types.StringValue("newpass"),
planVersion: types.Int64Null(),
stateVersion: types.Int64Null(),
wantPW: "newpass",
wantRotate: true,
wantErr: "",
},
{
name: "write-only unknown falls through to legacy",
passwordWO: types.StringUnknown(),
planPW: types.StringValue("legacy"),
planVersion: types.Int64Null(),
stateVersion: types.Int64Null(),
wantPW: "legacy",
wantRotate: true,
wantErr: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotPW, gotRotate, gotErr := resolveUpdatePassword(tt.passwordWO, tt.planPW, tt.planVersion, tt.stateVersion)
if gotPW != tt.wantPW || gotRotate != tt.wantRotate || gotErr != tt.wantErr {
t.Errorf("resolveUpdatePassword() = (%q, %v, %q), want (%q, %v, %q)",
gotPW, gotRotate, gotErr, tt.wantPW, tt.wantRotate, tt.wantErr)
}
})
}
}
Loading