azurerm_container_registry_token_password - Handle gone container registry token and mark this password as gone

internal/services/containers/container_registry_token_password_resource.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
+	"github.com/hashicorp/go-azure-helpers/lang/response"
 	containterregistry_v2021_08_01_preview "github.com/hashicorp/go-azure-sdk/resource-manager/containerregistry/2023-06-01-preview"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/containerregistry/2023-06-01-preview/registries"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/containerregistry/2023-06-01-preview/tokens"
@@ -132,7 +133,7 @@ func (r ContainerRegistryTokenPasswordResource) Create() sdk.ResourceFunc {
 
 			id := parse.NewContainerRegistryTokenPasswordID(tokenId.SubscriptionId, tokenId.ResourceGroupName, tokenId.RegistryName, tokenId.TokenName, "password")
 
-			pwds, err := r.readPassword(ctx, client, *tokenId)
+			pwds, _, err := r.readPassword(ctx, client, *tokenId)
 			if err != nil {
 				return err
 			}
@@ -181,7 +182,10 @@ func (r ContainerRegistryTokenPasswordResource) Read() sdk.ResourceFunc {
 
 			tokenId := tokens.NewTokenID(id.SubscriptionId, id.ResourceGroup, id.RegistryName, id.TokenName)
 
-			pwds, err := r.readPassword(ctx, client, tokenId)
+			pwds, notFound, err := r.readPassword(ctx, client, tokenId)
+			if notFound || (pwds != nil && len(pwds) == 0) {
+				return metadata.MarkAsGone(id)
+			}
 			if err != nil {
 				return err
 			}
@@ -369,35 +373,35 @@ func (r ContainerRegistryTokenPasswordResource) flattenContainerRegistryTokenPas
 	return
 }
 
-func (r ContainerRegistryTokenPasswordResource) readPassword(ctx context.Context, client *containterregistry_v2021_08_01_preview.Client, id tokens.TokenId) ([]tokens.TokenPassword, error) {
+func (r ContainerRegistryTokenPasswordResource) readPassword(ctx context.Context, client *containterregistry_v2021_08_01_preview.Client, id tokens.TokenId) ([]tokens.TokenPassword, bool, error) {
 	existing, err := client.Tokens.Get(ctx, id)
 	if err != nil {
-		return nil, fmt.Errorf("retrieving %s: %+v", id, err)
+		return nil, response.WasNotFound(existing.HttpResponse), fmt.Errorf("retrieving %s: %+v", id, err)
 	}
 	if existing.Model == nil {
-		return nil, fmt.Errorf("checking for presence of existing %s: model is nil", id)
+		return nil, false, fmt.Errorf("checking for presence of existing %s: model is nil", id)
 	}
 
 	if existing.Model.Properties == nil {
-		return nil, fmt.Errorf("checking for presence of existing %s: properties is nil", id)
+		return nil, false, fmt.Errorf("checking for presence of existing %s: properties is nil", id)
 	}
 
 	if existing.Model.Properties.Credentials == nil {
-		return nil, fmt.Errorf("checking for presence of existing %s: credentials is nil", id)
+		return nil, false, fmt.Errorf("checking for presence of existing %s: credentials is nil", id)
 	}
 
 	passwords := existing.Model.Properties.Credentials.Passwords
 	if passwords == nil {
-		return nil, fmt.Errorf("checking for presence of existing %s: passwords is nil", id)
+		return nil, false, fmt.Errorf("checking for presence of existing %s: passwords is nil", id)
 	}
 
-	return *passwords, nil
+	return *passwords, false, nil
 }
 
 func (r ContainerRegistryTokenPasswordResource) generatePassword(ctx context.Context, clients client.Client, id tokens.TokenId, passwords []tokens.TokenPassword) ([]tokens.TokenPassword, error) {
 	var genPasswords []tokens.TokenPassword
 
-	existingPasswords, err := r.readPassword(ctx, clients.ContainerRegistryClient_v2023_06_01_preview, id)
+	existingPasswords, _, err := r.readPassword(ctx, clients.ContainerRegistryClient_v2023_06_01_preview, id)
 	if err != nil {
 		return nil, fmt.Errorf("reading existing passwords: %+v", err)
 	}

internal/services/containers/container_registry_token_password_resource_test.go

@@ -56,7 +56,7 @@ func TestAccContainerRegistryTokenPassword_update(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_container_registry_token_password", "test")
 	r := ContainerRegistryTokenPasswordResource{Expiry: time.Now().Add(time.Hour)}
 
-	data.ResourceTest(t, r, []acceptance.TestStep{
+	data.ResourceTestIgnoreRecreate(t, r, []acceptance.TestStep{
 		{
 			Config: r.basic(data),
 			Check: acceptance.ComposeTestCheckFunc(
@@ -86,7 +86,7 @@ func TestAccContainerRegistryTokenPassword_updateExpiryReflectNewValue(t *testin
 	data := acceptance.BuildTestData(t, "azurerm_container_registry_token_password", "test")
 	r := ContainerRegistryTokenPasswordResource{}
 
-	data.ResourceTest(t, r, []acceptance.TestStep{
+	data.ResourceTestIgnoreRecreate(t, r, []acceptance.TestStep{
 		{
 			Config: r.expiryReflectValue(data, time.Now().Add(time.Hour).Format(time.RFC3339), "password1"),
 			Check: acceptance.ComposeTestCheckFunc(
@@ -104,6 +104,28 @@ func TestAccContainerRegistryTokenPassword_updateExpiryReflectNewValue(t *testin
 	})
 }
 
+func TestAccContainerRegistryTokenPassword_replace(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_container_registry_token_password", "test")
+	r := ContainerRegistryTokenPasswordResource{Expiry: time.Now().Add(time.Hour)}
+
+	data.ResourceTestIgnoreRecreate(t, r, []acceptance.TestStep{
+		{
+			Config: r.basicWithACRName("acctest1", data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("password1.0.value"),
+		{
+			Config: r.basicWithACRName("acctest2", data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("password1.0.value"),
+	})
+}
+
 func TestAccContainerRegistryTokenPassword_requiresImport(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_container_registry_token_password", "test")
 	r := ContainerRegistryTokenPasswordResource{Expiry: time.Now().Add(time.Hour)}
@@ -249,3 +271,50 @@ resource "azurerm_container_registry_token" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
 }
+
+func (r ContainerRegistryTokenPasswordResource) basicWithACRName(name string, data acceptance.TestData) string {
+	template := r.templateWithACRName(name, data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_container_registry_token_password" "test" {
+  container_registry_token_id = azurerm_container_registry_token.test.id
+  password1 {}
+}
+`, template)
+}
+
+func (r ContainerRegistryTokenPasswordResource) templateWithACRName(name string, data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-acr-%d"
+  location = "%s"
+}
+
+resource "azurerm_container_registry" "test" {
+  name                = "%s%d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  sku                 = "Premium"
+  admin_enabled       = true
+}
+
+# use system wide scope map for tests
+data "azurerm_container_registry_scope_map" "pull_repos" {
+  name                    = "_repositories_pull"
+  container_registry_name = azurerm_container_registry.test.name
+  resource_group_name     = azurerm_container_registry.test.resource_group_name
+}
+
+resource "azurerm_container_registry_token" "test" {
+  name                    = "testtoken-%d"
+  resource_group_name     = azurerm_resource_group.test.name
+  container_registry_name = azurerm_container_registry.test.name
+  scope_map_id            = data.azurerm_container_registry_scope_map.pull_repos.id
+}
+`, data.RandomInteger, data.Locations.Primary, name, data.RandomInteger, data.RandomInteger)
+}