Added purge_on_delete attribute for real deleting of delegate token after revoke (#1329)

* Added purge_on_delete attribute for real deleting of delegate token after revoke of token

* Added purge_on_delete attribute for real deleting of delegate token after revoke

---------

Co-authored-by: Ritek <ritek.rounak@harness.io>

Author: senthilhns

internal/service/platform/delegate_token/resource_delegateToken.go

@@ -21,7 +21,7 @@ func ResourceDelegateToken() *schema.Resource {
 		ReadContext:   resourceDelegateTokenRead,
 		CreateContext: resourceDelegateTokenCreate,
 		UpdateContext: resourceDelegateTokenRevoke,
-		DeleteContext: resourceDelegateTokenRevoke,
+		DeleteContext: resourceDelegateTokenDestroy,
 		Importer:      helpers.MultiLevelResourceImporter,
 
 		Schema: map[string]*schema.Schema{
@@ -81,6 +81,11 @@ func ResourceDelegateToken() *schema.Resource {
 				Optional:    true,
 				Computed:    true,
 			},
+			"purge_on_delete": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		},
 	}
 
@@ -164,6 +169,44 @@ func resourceDelegateTokenRevoke(ctx context.Context, d *schema.ResourceData, me
 
 }
 
+func resourceDelegateTokenDestroy(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	dg := resourceDelegateTokenRevoke(ctx, d, meta)
+	if dg != nil {
+		return dg
+	}
+
+	purgeAndDelete := d.Get("purge_on_delete").(bool)
+	if purgeAndDelete {
+		return resourceDelegateTokenDelete(ctx, d, meta)
+	}
+
+	log.Printf("resourceDelegateTokenDelete delegatetoken delete: completed successfully")
+	d.SetId("")
+	return nil
+}
+
+func resourceDelegateTokenDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	c, ctx := meta.(*internal.Session).GetPlatformClientWithContext(ctx)
+
+	delegateToken := buildDelegateToken(d)
+	httpResp, err := c.DelegateTokenResourceApi.DeleteCgDelegateToken(ctx, c.AccountId, delegateToken.Name, &nextgen.DelegateTokenResourceApiDeleteCgDelegateTokenOpts{
+		OrgIdentifier:     helpers.BuildField(d, "org_id"),
+		ProjectIdentifier: helpers.BuildField(d, "project_id"),
+	})
+	if err != nil {
+		if httpResp != nil && httpResp.StatusCode == http.StatusNotFound {
+			log.Printf("resourceDelegateTokenDelete delegatetoken delete (delete step): token not found; treating as deleted")
+			d.SetId("")
+			return nil
+		}
+		return helpers.HandleApiError(err, d, httpResp)
+	}
+
+	log.Printf("resourceDelegateTokenDelete delegatetoken delete: completed successfully")
+	d.SetId("")
+	return nil
+}
+
 func buildDelegateToken(d *schema.ResourceData) *nextgen.DelegateTokenDetails {
 	delegateToken := &nextgen.DelegateTokenDetails{}
 

internal/service/platform/delegate_token/resource_delegateToken_test.go

@@ -1,8 +1,10 @@
 package delegatetoken_test
 
 import (
+	"errors"
 	"fmt"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/antihax/optional"
@@ -11,6 +13,7 @@ import (
 	"github.com/harness/terraform-provider-harness/internal/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"net/http"
 )
 
 func TestAccResourceDelegateToken(t *testing.T) {
@@ -337,9 +340,124 @@ func testDelegateTokenDestroy(resourceName string) resource.TestCheckFunc {
 	}
 }
 
+// check actual deletion
+func testDelegateTokenPurged(resourceName string) resource.TestCheckFunc {
+	return func(state *terraform.State) error {
+		httpResp, err := testAccGetResourceDelegateTokenForDestroy(resourceName, state)
+		if err != nil {
+			return err
+		}
+		if httpResp == nil {
+			return fmt.Errorf("Token is not revoked : %s", resourceName)
+		}
+		if strings.Contains(httpResp.Status, "200") {
+			return nil
+		}
+		return fmt.Errorf("Token is not revoked : %s", resourceName)
+	}
+}
+
+// check if token is revoked
+func testDelegateTokenRevoked(resourceName string) resource.TestCheckFunc {
+	return func(state *terraform.State) error {
+		_, err := testAccGetResourceDelegateTokenForDestroy(resourceName, state)
+		if err != nil {
+			if strings.Contains(err.Error(), "404") {
+				return nil
+			}
+		}
+		return fmt.Errorf("Token is not revoked : %s", resourceName)
+	}
+}
+
 func buildField(r *terraform.ResourceState, field string) optional.String {
 	if attr, ok := r.Primary.Attributes[field]; ok {
 		return optional.NewString(attr)
 	}
 	return optional.EmptyString()
 }
+
+// test for purge_on_delete
+func TestAccResourceDelegateTokenAccountAndProjectLevel(t *testing.T) {
+	orgID := fmt.Sprintf("o%s", utils.RandStringBytes(5))
+	projectID := fmt.Sprintf("p%s", utils.RandStringBytes(5))
+	accountID := os.Getenv("HARNESS_ACCOUNT_ID")
+
+	accountLevelTokenName := fmt.Sprintf("acctok-%s", utils.RandStringBytes(5))
+	projectLevelTokenName := fmt.Sprintf("projtok-%s", utils.RandStringBytes(5))
+
+	accountLevelResourceName := "harness_platform_delegatetoken.account_level"
+	projectLevelResourceName := "harness_platform_delegatetoken.project_level"
+
+	resource.UnitTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.TestAccPreCheck(t) },
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy: resource.ComposeTestCheckFunc(
+			testDelegateTokenPurged(accountLevelResourceName),
+			testDelegateTokenRevoked(projectLevelResourceName),
+		),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceDelegateTokenAccountAndProjectLevel(orgID, projectID, accountID, accountLevelTokenName, projectLevelTokenName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(accountLevelResourceName, "name", accountLevelTokenName),
+					resource.TestCheckResourceAttr(accountLevelResourceName, "token_status", "ACTIVE"),
+					resource.TestCheckResourceAttr(accountLevelResourceName, "purge_on_delete", "true"),
+					resource.TestCheckResourceAttr(projectLevelResourceName, "name", projectLevelTokenName),
+					resource.TestCheckResourceAttr(projectLevelResourceName, "token_status", "ACTIVE"),
+				),
+			},
+		},
+	})
+}
+
+func testAccResourceDelegateTokenAccountAndProjectLevel(orgID string, projectID string, accountID string, accountLevelTokenName string, projectLevelTokenName string) string {
+	return fmt.Sprintf(`
+		resource "harness_platform_organization" "test" {
+			identifier = "%[1]s"
+			name       = "%[1]s"
+		}
+
+		resource "harness_platform_project" "test" {
+			identifier = "%[2]s"
+			name       = "%[2]s"
+			org_id     = harness_platform_organization.test.id
+			color      = "#472848"
+		}
+
+		resource "harness_platform_delegatetoken" "account_level" {
+			name             = "%[4]s"
+			account_id        = "%[3]s"
+			purge_on_delete  = true
+		}
+
+		resource "harness_platform_delegatetoken" "project_level" {
+			name       = "%[5]s"
+			account_id  = "%[3]s"
+			org_id      = harness_platform_organization.test.id
+			project_id  = harness_platform_project.test.id
+		}
+	`, orgID, projectID, accountID, accountLevelTokenName, projectLevelTokenName)
+}
+
+func testAccGetResourceDelegateTokenForDestroy(resourceName string, state *terraform.State) (*http.Response, error) {
+	rm := state.RootModule()
+	if rm == nil {
+		return nil, errors.New("root module nil")
+	}
+	r, ok := rm.Resources[resourceName]
+	if !ok || r == nil {
+		return nil, errors.New("resource not found")
+	}
+
+	c, ctx := acctest.TestAccGetPlatformClientWithContext()
+
+	_, httpResp, err := c.DelegateTokenResourceApi.GetCgDelegateTokens(ctx, c.AccountId, &nextgen.DelegateTokenResourceApiGetCgDelegateTokensOpts{
+		OrgIdentifier:     buildField(r, "org_id"),
+		ProjectIdentifier: buildField(r, "project_id"),
+		Name:              buildField(r, "name"),
+		Status:            optional.EmptyString(),
+	})
+
+	return httpResp, err
+}