AlloyDB Cluster custom diff to check initial user & password set on create (#15596)

Author: slevenick

mmv1/products/alloydb/Cluster.yaml

@@ -59,6 +59,9 @@ custom_code:
   pre_create: 'templates/terraform/pre_create/alloydb_cluster.go.tmpl'
   pre_update: 'templates/terraform/pre_update/alloydb_cluster.go.tmpl'
   pre_delete: 'templates/terraform/pre_delete/alloydb_cluster.go.tmpl'
+  constants: 'templates/terraform/constants/alloydb_cluster.go.tmpl'
+custom_diff:
+  - 'alloydbClusterCustomizeDiff'
 # Skipping the sweeper because we need to force-delete clusters.
 exclude_sweeper: true
 include_in_tgc_next_DO_NOT_USE: true
@@ -321,7 +324,7 @@ properties:
   - name: 'initialUser'
     type: NestedObject
     description: |
-      Initial user to setup during cluster creation.
+      Initial user to setup during cluster creation. This must be set for all new Clusters.
     ignore_read: true
     custom_flatten: 'templates/terraform/custom_flatten/alloydb_cluster_input_user_flatten.go.tmpl'
     properties:

mmv1/templates/terraform/constants/alloydb_cluster.go.tmpl

@@ -0,0 +1,11 @@
+func alloydbClusterCustomizeDiff(_ context.Context, diff *schema.ResourceDiff, meta interface{}) error {
+    _, nType := diff.GetChange("cluster_type")
+    // Only check on new resource creation for primary clusters
+    if diff.Id() == "" && nType == "PRIMARY" {
+        _, n := diff.GetChange("initial_user.0.password")
+        if n == "" {
+            return fmt.Errorf("New AlloyDB Clusters must have initial_user.password specified")
+        }
+    }
+    return nil
+}

mmv1/third_party/terraform/services/alloydb/resource_alloydb_cluster_test.go

@@ -293,7 +293,7 @@ func TestAccAlloydbCluster_addAutomatedBackupPolicyAndInitialUser(t *testing.T)
 		CheckDestroy:             testAccCheckAlloydbClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAlloydbCluster_withoutInitialUserAndAutomatedBackupPolicy(context),
+				Config: testAccAlloydbCluster_withoutAutomatedBackupPolicy(context),
 			},
 			{
 				ResourceName:            "google_alloydb_cluster.default",
@@ -343,7 +343,7 @@ func TestAccAlloydbCluster_deleteAutomatedBackupPolicyAndInitialUser(t *testing.
 				ImportStateVerifyIgnore: []string{"deletion_protection", "initial_user", "cluster_id", "location"},
 			},
 			{
-				Config: testAccAlloydbCluster_withoutInitialUserAndAutomatedBackupPolicy(context),
+				Config: testAccAlloydbCluster_withoutAutomatedBackupPolicy(context),
 			},
 			{
 				ResourceName:            "google_alloydb_cluster.default",
@@ -444,7 +444,7 @@ resource "google_compute_network" "default" {
 `, context)
 }
 
-func testAccAlloydbCluster_withoutInitialUserAndAutomatedBackupPolicy(context map[string]interface{}) string {
+func testAccAlloydbCluster_withoutAutomatedBackupPolicy(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_alloydb_cluster" "default" {
   cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
@@ -1749,3 +1749,71 @@ func TestAccAlloydbCluster_standardClusterUpdateFailure(t *testing.T) {
 		},
 	})
 }
+
+// Ensures cluster throws expected errors for not specifying initial user on create
+func TestAccAlloydbCluster_withoutInitialUserFailure(t *testing.T) {
+	t.Parallel()
+	errorPattern := `New AlloyDB Clusters must have initial_user.password specified`
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckAlloydbClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccAlloydbCluster_withoutInitialUser(context),
+				ExpectError: regexp.MustCompile(errorPattern),
+			},
+		},
+	})
+}
+
+// Ensures cluster update does not throw errors for not specifying initial user after create
+func TestAccAlloydbCluster_withoutInitialUserUpdate(t *testing.T) {
+	t.Parallel()
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckAlloydbClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAlloydbCluster_alloydbClusterBasicExample(context),
+			},
+			{
+				Config: testAccAlloydbCluster_withoutInitialUser(context),
+			},
+		},
+	})
+}
+
+func testAccAlloydbCluster_withoutInitialUser(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_alloydb_cluster" "default" {
+  cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
+  location   = "us-central1"
+  network_config {
+    network = google_compute_network.default.id
+  }
+
+  deletion_protection = false
+
+  lifecycle {
+    prevent_destroy = false
+  }  
+}
+
+data "google_project" "project" {
+}
+
+resource "google_compute_network" "default" {
+  name = "tf-test-alloydb-cluster%{random_suffix}"
+}
+`, context)
+}

mmv1/third_party/terraform/services/alloydb/resource_alloydb_secondary_cluster_test.go

@@ -217,6 +217,10 @@ resource "google_alloydb_cluster" "secondary" {
     network = data.google_compute_network.default.id
   }
 
+  initial_user {
+    password = "tf-test-alloydb-cluster%{random_suffix}"
+  }
+
   continuous_backup_config {
     enabled = false
   }
@@ -294,6 +298,10 @@ resource "google_alloydb_cluster" "secondary" {
   }
   cluster_type = "PRIMARY"
 
+  initial_user {
+    password = "tf-test-alloydb-cluster%{random_suffix}"
+  }
+
   continuous_backup_config {
     enabled = false
   }