fix: finalizer additions

* Add existing finalizers when updating an application
* Filter out non-user configured finalizers from tf state

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>

Author: blakepettersson

argocd/resource_argocd_application.go

@@ -10,12 +10,13 @@ import (
 
 	"github.com/argoproj-labs/terraform-provider-argocd/internal/features"
 	"github.com/argoproj-labs/terraform-provider-argocd/internal/provider"
-	applicationClient "github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
-	application "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/gitops-engine/pkg/health"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	applicationClient "github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
+	application "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 func resourceArgoCDApplication() *schema.Resource {
@@ -305,6 +306,20 @@ func resourceArgoCDApplicationUpdate(ctx context.Context, d *schema.ResourceData
 		}
 	}
 
+	// Check if resource is being deleted to prevent updates during deletion
+	if apps.Items[0].DeletionTimestamp != nil {
+		return []diag.Diagnostic{
+			{
+				Severity: diag.Error,
+				Summary:  fmt.Sprintf("cannot update application %s: resource is being deleted", objectMeta.Name),
+				Detail:   "The application has a deletion timestamp and is in the process of being deleted. Updates are not allowed during deletion.",
+			},
+		}
+	}
+
+	// Use safer metadata expansion that preserves system finalizers
+	objectMeta = expandMetadataForUpdate(d, apps.Items[0].ObjectMeta)
+
 	validate := d.Get("validate").(bool)
 	if _, err = si.ApplicationClient.Update(ctx, &applicationClient.ApplicationUpdateRequest{
 		Application: &application.Application{

argocd/structure_metadata.go

@@ -35,13 +35,48 @@ func expandMetadata(d *schema.ResourceData) (meta meta.ObjectMeta) {
 	return meta
 }
 
+// expandMetadataForUpdate safely expands metadata for updates, merging user-configured
+// finalizers with existing system finalizers to prevent accidental removal
+func expandMetadataForUpdate(d *schema.ResourceData, existingMeta meta.ObjectMeta) (meta meta.ObjectMeta) {
+	meta = expandMetadata(d)
+
+	// Merge finalizers: keep existing system finalizers, add/update user finalizers
+	if len(existingMeta.Finalizers) > 0 {
+		userFinalizers := make(map[string]bool)
+		for _, f := range meta.Finalizers {
+			userFinalizers[f] = true
+		}
+
+		// Start with existing finalizers
+		merged := make([]string, 0, len(existingMeta.Finalizers)+len(meta.Finalizers))
+		for _, existing := range existingMeta.Finalizers {
+			if userFinalizers[existing] {
+				// User explicitly configured this finalizer, keep it
+				merged = append(merged, existing)
+				delete(userFinalizers, existing)
+			} else {
+				// System finalizer not configured by user, preserve it
+				merged = append(merged, existing)
+			}
+		}
+
+		// Add any new user finalizers
+		for finalizer := range userFinalizers {
+			merged = append(merged, finalizer)
+		}
+
+		meta.Finalizers = merged
+	}
+
+	return meta
+}
+
 func flattenMetadata(meta meta.ObjectMeta, d *schema.ResourceData) []interface{} {
 	m := map[string]interface{}{
 		"generation":       meta.Generation,
 		"name":             meta.Name,
 		"namespace":        meta.Namespace,
 		"resource_version": meta.ResourceVersion,
-		"finalizers":       meta.Finalizers,
 		"uid":              fmt.Sprintf("%v", meta.UID),
 	}
 
@@ -51,6 +86,9 @@ func flattenMetadata(meta meta.ObjectMeta, d *schema.ResourceData) []interface{}
 	labels := d.Get("metadata.0.labels").(map[string]interface{})
 	m["labels"] = metadataRemoveInternalKeys(meta.Labels, labels)
 
+	finalizers := d.Get("metadata.0.finalizers").([]interface{})
+	m["finalizers"] = metadataFilterFinalizers(meta.Finalizers, finalizers)
+
 	return []interface{}{m}
 }
 
@@ -72,3 +110,21 @@ func metadataIsInternalKey(annotationKey string) bool {
 
 	return strings.HasSuffix(u.Hostname(), "kubernetes.io") || annotationKey == "notified.notifications.argoproj.io"
 }
+
+func metadataFilterFinalizers(apiFinalizers []string, configuredFinalizers []interface{}) []string {
+	configured := make(map[string]bool)
+	for _, v := range configuredFinalizers {
+		if s, ok := v.(string); ok {
+			configured[s] = true
+		}
+	}
+
+	result := make([]string, 0)
+	for _, finalizer := range apiFinalizers {
+		// Only include finalizers that were explicitly configured by the user
+		if configured[finalizer] {
+			result = append(result, finalizer)
+		}
+	}
+	return result
+}

argocd/structure_metadata_test.go

@@ -3,6 +3,8 @@ package argocd
 import (
 	"fmt"
 	"testing"
+
+	"github.com/stretchr/testify/require"
 )
 
 func TestMetadataIsInternalKey(t *testing.T) {
@@ -35,3 +37,59 @@ func TestMetadataIsInternalKey(t *testing.T) {
 		})
 	}
 }
+
+func TestMetadataFilterFinalizers(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name                 string
+		apiFinalizers        []string
+		configuredFinalizers []interface{}
+		expected             []string
+	}{
+		{
+			name:                 "empty lists",
+			apiFinalizers:        []string{},
+			configuredFinalizers: []interface{}{},
+			expected:             []string{},
+		},
+		{
+			name:                 "no configured finalizers",
+			apiFinalizers:        []string{"system.finalizer", "user.finalizer"},
+			configuredFinalizers: []interface{}{},
+			expected:             []string{},
+		},
+		{
+			name:                 "only configured finalizers returned",
+			apiFinalizers:        []string{"system.finalizer", "user.finalizer", "another.user.finalizer"},
+			configuredFinalizers: []interface{}{"user.finalizer", "another.user.finalizer"},
+			expected:             []string{"user.finalizer", "another.user.finalizer"},
+		},
+		{
+			name:                 "configured finalizer not in API response",
+			apiFinalizers:        []string{"system.finalizer"},
+			configuredFinalizers: []interface{}{"user.finalizer"},
+			expected:             []string{},
+		},
+		{
+			name:                 "mixed scenario - system and user finalizers",
+			apiFinalizers:        []string{"resources.argoproj.io/finalizer", "user.custom/finalizer", "kubernetes.io/finalizer"},
+			configuredFinalizers: []interface{}{"user.custom/finalizer"},
+			expected:             []string{"user.custom/finalizer"},
+		},
+		{
+			name:                 "invalid type in configured finalizers",
+			apiFinalizers:        []string{"system.finalizer", "user.finalizer"},
+			configuredFinalizers: []interface{}{"user.finalizer", 123, nil},
+			expected:             []string{"user.finalizer"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			result := metadataFilterFinalizers(tc.apiFinalizers, tc.configuredFinalizers)
+			require.Equal(t, tc.expected, result)
+		})
+	}
+}