fix: update terraform provider with latest vpc api schema changes (#58)

* fix: update terraform provider with latest vpc api schema changes

* chore: regenerate docs & examples

* fix: handle gRPC errors without details

* chore: fix golangci-lint job

* chore: fix golangci-lint job

* chore: switch tagging job to use PAT

* chore: update documentation

* fix: update security vulnerabilities

* chore: tidy docs

Author: Lucas Stephens

.github/workflows/tag.yaml

@@ -17,6 +17,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0  # ✅ Fetch all commits and tags
+          token: ${{ secrets.GHA_PAT_TAGS }}
 
       - name: Push Tag for Release
         id: push_tag
@@ -35,9 +36,6 @@ jobs:
               exit 0
             else
               echo "Pushing tag $VERSION"
-              git config user.name "github-actions[bot]"
-              git config user.email "github-actions[bot]@users.noreply.github.com"
-              
               # Create and push the tag (auth is already configured)
               git tag "$VERSION"
               git push origin "$VERSION"

.github/workflows/test.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Run linters
         uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v1.64.5
 
   generate:
     runs-on: ubuntu-latest

.golangci.yml

@@ -3,7 +3,6 @@
 # Visit https://golangci-lint.run/ for usage documentation
 # and information on other useful linters
 issues:
-  max-per-linter: 0
   max-same-issues: 0
 
 linters:
@@ -22,7 +21,6 @@ linters:
     - nilerr
     - predeclared
     - staticcheck
-    - tenv
     - unconvert
     - unparam
     - unused

coreweave/cks/resource_cluster.go

@@ -309,47 +309,55 @@ func (r *ClusterResource) Schema(ctx context.Context, req resource.SchemaRequest
 					stringplanmodifier.UseStateForUnknown(),
 				},
 			},
-			"vpc_id": schema.StringAttribute{
-				Required: true,
+			"name": schema.StringAttribute{
+				Required:            true,
+				MarkdownDescription: "The name of the cluster. Must not be longer than 30 characters.",
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
 			"zone": schema.StringAttribute{
-				Required: true,
+				Required:            true,
+				MarkdownDescription: "The Availability Zone in which the cluster is located.",
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
-			"name": schema.StringAttribute{
-				Required: true,
+			"vpc_id": schema.StringAttribute{
+				Required:            true,
+				MarkdownDescription: "The ID of the VPC in which the cluster is located. Must be a VPC in the same Availability Zone as the cluster.",
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
-			"version": schema.StringAttribute{
-				Required: true,
-			},
 			"public": schema.BoolAttribute{
-				Optional: true,
-				Computed: true,
-				Default:  booldefault.StaticBool(false),
+				Optional:            true,
+				Computed:            true,
+				MarkdownDescription: "Whether the cluster's api-server is publicly accessible from the internet.",
+				Default:             booldefault.StaticBool(false),
+			},
+			"version": schema.StringAttribute{
+				Required:            true,
+				MarkdownDescription: "The version of Kubernetes to run on the cluster, in minor version format (e.g. 'v1.32'). Patch versions are automatically applied by CKS as they are released.",
 			},
 			"pod_cidr_name": schema.StringAttribute{
-				Required: true,
+				Required:            true,
+				MarkdownDescription: "The name of the vpc prefix to use as the pod CIDR range. The prefix must exist in the cluster's VPC.",
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
 			"service_cidr_name": schema.StringAttribute{
-				Required: true,
+				Required:            true,
+				MarkdownDescription: "The name of the vpc prefix to use as the service CIDR range. The prefix must exist in the cluster's VPC.",
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
 			"internal_lb_cidr_names": schema.SetAttribute{
-				ElementType: types.StringType,
-				Required:    true,
+				ElementType:         types.StringType,
+				Required:            true,
+				MarkdownDescription: "The names of the vpc prefixes to use as internal load balancer CIDR ranges. Internal load balancers are reachable within the VPC but not accessible from the internet.\nThe prefixes must exist in the cluster's VPC. This field is append-only.",
 				PlanModifiers: []planmodifier.Set{
 					setplanmodifier.RequiresReplaceIf(func(ctx context.Context, req planmodifier.SetRequest, resp *setplanmodifier.RequiresReplaceIfFuncResponse) {
 						// Skip if there's no prior state or if the config is unknown
@@ -393,61 +401,77 @@ func (r *ClusterResource) Schema(ctx context.Context, req resource.SchemaRequest
 				},
 			},
 			"audit_policy": schema.StringAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Audit policy for the cluster. Must be provided as a base64-encoded JSON/YAML string.",
 			},
 			"authn_webhook": schema.SingleNestedAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Authentication webhook configuration for the cluster.",
 				Attributes: map[string]schema.Attribute{
 					"server": schema.StringAttribute{
-						Required: true,
+						Required:            true,
+						MarkdownDescription: "The URL of the webhook server.",
 					},
 					"ca": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The CA certificate for the webhook server. Must be a base64-encoded PEM-encoded certificate.",
 					},
 				},
 			},
 			"authz_webhook": schema.SingleNestedAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Authorization webhook configuration for the cluster.",
 				Attributes: map[string]schema.Attribute{
 					"server": schema.StringAttribute{
-						Required: true,
+						Required:            true,
+						MarkdownDescription: "The URL of the webhook server.",
 					},
 					"ca": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The CA certificate for the webhook server. Must be a base64-encoded PEM-encoded certificate.",
 					},
 				},
 			},
 			"oidc": schema.SingleNestedAttribute{
-				MarkdownDescription: "Kubernetes OIDC Configuration",
+				MarkdownDescription: "OpenID Connect (OIDC) configuration for authentication to the api-server.",
 				Optional:            true,
 				Attributes: map[string]schema.Attribute{
 					"issuer_url": schema.StringAttribute{
-						Required: true,
+						Required:            true,
+						MarkdownDescription: "The URL of the OIDC issuer.",
 					},
 					"client_id": schema.StringAttribute{
-						Required: true,
+						Required:            true,
+						MarkdownDescription: "The client ID for the OIDC client.",
 					},
 					"username_claim": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The claim to use as the username.",
 					},
 					"username_prefix": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The prefix to use for the username.",
 					},
 					"groups_claim": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The claim to use as the groups.",
 					},
 					"groups_prefix": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The prefix to use for the groups.",
 					},
 					"ca": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The CA certificate for the OIDC issuer. Must be a base64-encoded PEM-encoded certificate.",
 					},
 					"required_claim": schema.StringAttribute{
-						Optional: true,
+						Optional:            true,
+						MarkdownDescription: "The claim to require for authentication.",
 					},
 					"signing_algs": schema.SetAttribute{
-						ElementType: types.StringType,
-						Optional:    true,
+						ElementType:         types.StringType,
+						Optional:            true,
+						MarkdownDescription: "A list of signing algorithms that the OpenID Connect discovery endpoint uses.",
 					},
 				},
 			},

coreweave/cks/resource_cluster_test.go

@@ -45,14 +45,15 @@ func TestClusterSchema(t *testing.T) {
 }
 
 func TestClusterResource(t *testing.T) {
+	t.Parallel()
 	randomInt := rand.IntN(100)
 	clusterName := fmt.Sprintf("test-acc-cks-cluster-%x", randomInt)
 	resourceName := fmt.Sprintf("test_acc_cks_cluster_%x", randomInt)
 	fullResourceName := fmt.Sprintf("coreweave_cks_cluster.%s", resourceName)
 	vpc := &networking.VpcResourceModel{
-		Name:         types.StringValue(clusterName),
-		Zone:         types.StringValue("US-EAST-04A"),
-		HostPrefixes: types.SetValueMust(types.StringType, []attr.Value{types.StringValue("10.16.192.0/18")}),
+		Name:       types.StringValue(clusterName),
+		Zone:       types.StringValue("US-EAST-04A"),
+		HostPrefix: types.StringValue("10.16.192.0/18"),
 		VpcPrefixes: []networking.VpcPrefixResourceModel{
 			{
 				Name:  types.StringValue("pod cidr"),

coreweave/client.go

@@ -66,7 +66,10 @@ func HandleAPIError(ctx context.Context, err error, diagnostics *diag.Diagnostic
 						violation.Type+": "+violation.Description,
 					)
 				}
+				break
 			}
+
+			diagnostics.AddError(connectErr.Error(), connectErr.Message())
 		}
 
 	case connect.CodeInvalidArgument:
@@ -83,7 +86,10 @@ func HandleAPIError(ctx context.Context, err error, diagnostics *diag.Diagnostic
 						field.Field+": "+field.Description,
 					)
 				}
+				break
 			}
+
+			diagnostics.AddError(connectErr.Error(), connectErr.Message())
 		}
 
 	case connect.CodeUnauthenticated:
@@ -112,7 +118,10 @@ func HandleAPIError(ctx context.Context, err error, diagnostics *diag.Diagnostic
 						violation.Subject+": "+violation.Description,
 					)
 				}
+				break
 			}
+
+			diagnostics.AddError(connectErr.Error(), connectErr.Message())
 		}
 
 	default:
@@ -126,4 +135,9 @@ func HandleAPIError(ctx context.Context, err error, diagnostics *diag.Diagnostic
 			"An unexpected error occurred. Please check the provider logs for more details.",
 		)
 	}
+
+	// safeguard for any buggy case statements
+	if !diagnostics.HasError() {
+		diagnostics.AddError(connectErr.Error(), connectErr.Message())
+	}
 }