chore: implement review suggestions

Author: alexGNX

examples/data-sources/okms_secret/example_2.tf

@@ -0,0 +1,4 @@
+data "ovh_okms_secret" "latest" {
+	okms_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+	path    = "app/api_credentials"
+}

examples/data-sources/okms_secret/example_3.tf

@@ -0,0 +1,6 @@
+data "ovh_okms_secret" "v3" {
+	okms_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+	path         = "app/api_credentials"
+	version      = 3
+	include_data = true
+}

examples/resources/okms_secret/example_1.tf

@@ -2,26 +2,21 @@ resource "ovh_okms_secret" "example" {
 	okms_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 	path    = "app/api_credentials"
 
-	# Check‑and‑set parameter used only on update (if `cas_required` metadata is set to true) 
-	# to enforce optimistic concurrency control: its value must equal the current secret version (`metadata.current_version`) 
-	# for the update to succeed. Ignored on create.
-	cas = 1
-
 	metadata = {
 		max_versions             = 10         # keep last 10 versions
 		cas_required             = true       # enforce optimistic concurrency control (server will require current secret version on the cas attribute to allow update)
 		deactivate_version_after = "0s"       # keep versions active indefinitely (example)
 		custom_metadata = {
 			environment = "prod"
-			appname     = "helloworld"
+			owner       = "payments-team"
 		}
 	}
 
 	# Initial version (will create version 1)
 	version = {
 		data = jsonencode({
-			api_key    = "mykey"
-			api_secret = "mysecret"
+			api_key    = var.api_key
+			api_secret = var.api_secret
 		})
 	}
 }

examples/resources/okms_secret/example_2.tf

@@ -0,0 +1,19 @@
+resource "ovh_okms_secret" "example" {
+	okms_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+	path    = "app/api_credentials"
+
+	# Ensure no concurrent update happened: set cas to the current version
+	# (metadata.current_version is populated after first apply)
+	cas = ovh_okms_secret.example.metadata.current_version
+
+	metadata = {
+		cas_required = true
+	}
+
+	version = {
+		data = jsonencode({
+			api_key    = var.api_key
+			api_secret = var.new_api_secret  # changed value -> creates new version
+		})
+	}
+}

ovh/data_okms_secret.go

@@ -56,7 +56,7 @@ func (d *okmsSecretDataSource) Read(ctx context.Context, req datasource.ReadRequ
 
 	base := "/v2/okms/resource/" + url.PathEscape(configModel.OkmsId.ValueString()) + "/secret/" + url.PathEscape(configModel.Path.ValueString())
 	versionProvided := !configModel.Version.IsNull() && !configModel.Version.IsUnknown() && configModel.Version.ValueInt64() > 0
-	includeDataRequested := !configModel.IncludeData.IsNull() && !configModel.IncludeData.IsUnknown() && configModel.IncludeData.ValueBool()
+	includeDataRequested := configModel.IncludeData.ValueBool()
 
 	metaEndpoint := base
 	if !versionProvided { // only add includeData for latest case; version endpoint handled separately

ovh/resource_okms_secret.go

@@ -7,8 +7,6 @@ import (
 	"net/url"
 
 	"github.com/hashicorp/terraform-plugin-framework/resource"
-	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
-	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	ovhtypes "github.com/ovh/terraform-provider-ovh/v2/ovh/types"
 )
 
@@ -44,19 +42,7 @@ func (d *okmsSecretResource) Configure(_ context.Context, req resource.Configure
 }
 
 func (d *okmsSecretResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
-	s := OkmsSecretResourceSchema(ctx)
-
-	// Ensure changes to identifying attributes force recreation instead of in-place update.
-	if attr, ok := s.Attributes["okms_id"].(schema.StringAttribute); ok {
-		attr.PlanModifiers = append(attr.PlanModifiers, stringplanmodifier.RequiresReplace())
-		s.Attributes["okms_id"] = attr
-	}
-	if attr, ok := s.Attributes["path"].(schema.StringAttribute); ok {
-		attr.PlanModifiers = append(attr.PlanModifiers, stringplanmodifier.RequiresReplace())
-		s.Attributes["path"] = attr
-	}
-
-	resp.Schema = s
+	resp.Schema = OkmsSecretResourceSchema(ctx)
 }
 
 func (r *okmsSecretResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {

ovh/resource_okms_secret_gen.go

@@ -10,44 +10,54 @@ Retrieves metadata (and optionally the payload) of a secret stored in OVHcloud K
 
 ## Example Usage
 
+Get the latest secret version (metadata only):
+
+{{tffile "examples/data-sources/okms_secret/example_2.tf"}}
+
+Get the latest secret version including its data:
+
 {{tffile "examples/data-sources/okms_secret/example_1.tf"}}
 
+Get a specific version including its payload:
+
+{{tffile "examples/data-sources/okms_secret/example_3.tf"}}
+
 ## Argument Reference
 
 The following arguments are supported:
 
 ### Required
 
-* `okms_id` - (Required) OKMS service ID that owns the secret.
-* `path` - (Required) Secret path (identifier within the OKMS instance).
+- `okms_id` (String) OKMS service ID that owns the secret.
+- `path` (String) Secret path (identifier within the OKMS instance).
 
 ### Optional
 
-* `version` - (Optional) Specific version to retrieve. If omitted, the latest (current) version is selected.
-* `include_data` - (Optional) If true, retrieves the secret payload (`data` attribute). Defaults to false. When false only metadata is returned.
+- `version` (Number) Specific version to retrieve. If omitted, the latest (current) version is selected.
+- `include_data` (Boolean) If true, retrieves the secret payload (`data` attribute). Defaults to false. When false only metadata is returned.
 
-## Attributes Reference
+## Attributes Reference (Read-Only)
 
 In addition to the arguments above, the following attributes are exported:
 
-* `version` - The resolved version number (requested or current latest).
-* `data` - (Sensitive) Raw JSON secret payload (present only if `include_data` is true).
-* `metadata` - (Block) Secret metadata:
-  * `cas_required` - (Boolean)
-  * `created_at` - (String)
-  * `updated_at` - (String)
-  * `current_version` - (Number)
-  * `oldest_version` - (Number)
-  * `max_versions` - (Number)
-  * `deactivate_version_after` - (String)
-  * `custom_metadata` - (Map of String)
-* `iam` - (Block) IAM resource metadata:
-  * `display_name` - (String)
-  * `id` - (String)
-  * `tags` - (Map of String)
-  * `urn` - (String)
+- `version` (Number) The resolved version number (requested or current latest).
+- `data` (String, Sensitive) Raw JSON secret payload (present only if `include_data` is true).
+- `metadata` (Block) Secret metadata:
+  - `cas_required` (Boolean)
+  - `created_at` (String)
+  - `updated_at` (String)
+  - `current_version` (Number)
+  - `oldest_version` (Number)
+  - `max_versions` (Number)
+  - `deactivate_version_after` (String)
+  - `custom_metadata` (Map of String)
+- `iam` (Block) IAM resource metadata:
+  - `display_name` (String)
+  - `id` (String)
+  - `tags` (Map of String)
+  - `urn` (String)
 
 ## Behavior & Notes
 
-* The `data` attribute retains the raw JSON returned by the API. Use `jsondecode()` to work with individual keys.
-* Changing only `include_data` (true -> false) will cause the `data` attribute to become null in subsequent refreshes (state no longer holds the payload).
+- The `data` attribute retains the raw JSON returned by the API. Use `jsondecode()` to work with individual keys.
+- Changing only `include_data` (true -> false) will cause the `data` attribute to become null in subsequent refreshes (state no longer holds the payload).

templates/data-sources/okms_secret.md.tmpl

@@ -2,70 +2,80 @@
 subcategory : "Key Management Service (KMS)"
 ---
 
-# ovh_okms_secret
+# ovh_okms_secret (Resource)
 
 Manages a secret stored in OVHcloud KMS.
 
 > WARNING: `version.data` is marked **Sensitive** but still ends up in the state file. To mitigate that, it is recommended to protect your state with encryption and access controls. Avoid committing it to source control.
 
 ## Example Usage
 
+Create a secret whose value is a JSON object. Use `jsonencode()` to produce a deterministic JSON string (ordering/whitespace) to minimize diffs.
+
 {{tffile "examples/resources/okms_secret/example_1.tf"}}
 
+# Reading a field from the secret version data:
+
+{{tffile "examples/data-sources/okms_secret/example_1.tf"}}
+
+Updating the secret (new version) while enforcing optimistic concurrency control using CAS:
+
+{{tffile "examples/resources/okms_secret/example_2.tf"}}
+
 ## Argument Reference
 
 The following arguments are supported:
 
 ### Required
 
-* `okms_id` - (Required) ID of the OKMS service to create the secret in.
-* `path` - (Required, Forces new resource) Secret path (acts as the secret identifier within the OKMS instance). Immutable after creation.
-* `version` - (Required) Block defining the secret version to create/update. See Version Block below. (On updates providing a new `version.data` creates a new version.)
+- `okms_id` (String) ID of the OKMS service to create the secret in.
+- `path` (String) Secret path (acts as the secret identifier within the OKMS instance). Immutable after creation.
+- `version` (Block) Definition of the version to create/update. See Version Block below. (On updates providing a new `version.data` creates a new version.)
 
 ### Optional
 
-* `cas` - (Optional) Check‑and‑set parameter used only on update (if `cas_required` metadata is set to true) to enforce optimistic concurrency control: its value must equal the current secret version (`metadata.current_version`) for the update to succeed. Ignored on create.
-* `metadata` - (Optional) Block of secret metadata configuration (subset of fields are user-settable). See Metadata Block below.
+- `cas` (Number) Check‑and‑set parameter used only on update (if `cas_required` metadata is set to true) to enforce optimistic concurrency control: its value must equal the current secret version (`metadata.current_version`) for the update to succeed. Ignored on create.
+- `metadata` (Block) Secret metadata configuration (subset of fields are user-settable). See Metadata Block below.
 
 ### Metadata Block
 
 User configurable attributes inside `metadata`:
 
-* `cas_required` - (Optional) If true, the server enforces optimistic concurrency control by requiring the `cas` parameter to match the current version number on every write (update) request.
-* `custom_metadata` - (Optional) Map of arbitrary key/value metadata.
-* `deactivate_version_after` - (Optional) Duration (e.g. `"24h"`) after which a version is deactivated. `"0s"` (default) means never automatically deactivate.
-* `max_versions` - (Optional) Number of versions to retain (default 10). Older versions beyond this limit are pruned.
+- `cas_required` (Boolean) If true, the server will enforce optimistic concurrency control by requiring the `cas` parameter to match the current version number on every write (update) request.
+- `custom_metadata` (Map of String) Arbitrary key/value metadata.
+- `deactivate_version_after` (String) Duration (e.g. `"24h"`) after which a version is deactivated. `"0s"` (default) means never automatically deactivate.
+- `max_versions` (Number) Number of versions to retain (default 10). Older versions beyond this limit are pruned.
 
 Computed (read‑only) metadata attributes:
 
-* `created_at` - Creation timestamp of the secret.
-* `updated_at` - Last update timestamp.
-* `current_version` - Current (latest) version number.
-* `oldest_version` - Oldest retained version number.
+- `created_at` (String) Creation timestamp of the secret.
+- `updated_at` (String) Last update timestamp.
+- `current_version` (Number) Current (latest) version number.
+- `oldest_version` (Number) Oldest retained version number.
 
 ### Version Block
 
 Required attribute:
 
-* `data` - (Required, Sensitive) Secret payload. Commonly set with `jsonencode(...)` so that Terraform comparisons are stable. Any valid JSON (object, array, string, number, bool) is accepted. Changing `data` creates a new secret version.
+- `data` (String, Sensitive) Secret payload. Commonly set with `jsonencode(...)` so that Terraform comparisons are stable. Any valid JSON (object, array, string, number, bool) is accepted. Changing `data` creates a new secret version.
 
 Computed (read‑only) attributes:
 
-* `id` - Version number.
-* `created_at` - Version creation timestamp.
-* `deactivated_at` - Deactivation timestamp if the version was deactivated.
-* `state` - Version state (e.g. `ACTIVE`).
+- `id` (Number) Version number.
+- `created_at` (String) Version creation timestamp.
+- `deactivated_at` (String) Deactivation timestamp if the version was deactivated.
+- `state` (String) Version state (e.g. `ACTIVE`).
 
-## Attributes Reference
+## Attributes Reference (Read-Only)
 
 In addition to arguments above, the following attributes are exported:
 
-* `iam` - (Block) IAM metadata: `display_name`, `id`, `tags`, `urn`.
-* `metadata.*` - Computed fields as listed above.
-* `version.*` - Computed fields as listed above.
+- `iam` (Block) IAM metadata: `display_name`, `id`, `tags`, `urn`.
+- `metadata.*` computed fields as listed above.
+- `version.*` computed fields as listed above.
 
 ## Behavior & Notes
 
-* Updating with a new `version.data` performs an API PUT that creates a new version; the previous version remains (subject to `max_versions`).
-* If `cas_required` is true, all write operations must include a correct `cas` query parameter (the expected current version number). Set `cas = ovh_okms_secret.example.metadata.current_version` to enforce optimistic concurrency. A mismatch causes the API to reject the update (preventing overwriting unseen changes).
-* `cas` is ignored on create (no existing version).
+- Updating with a new `version.data` performs an API PUT that creates a new version; the previous version remains (subject to `max_versions`).
+- If `cas_required` is true, all write operations must include a correct `cas` query parameter (the expected current version number). Set `cas = ovh_okms_secret.example.metadata.current_version` to enforce optimistic concurrency. A mismatch causes the API to reject the update (preventing overwriting unseen changes).
+- `cas` is ignored on create (no existing version).