sql: write-only argument for root_password in google_sql_database_instance (#15393)

Author: ramonvermeulen

mmv1/third_party/terraform/services/sql/resource_sql_database_instance.go.tmpl

@@ -993,19 +993,33 @@ API (for read pools, effective_availability_type may differ from availability_ty
 				Description:      `The MySQL, PostgreSQL or SQL Server (beta) version to use. Supported values include MYSQL_5_6, MYSQL_5_7, MYSQL_8_0, MYSQL_8_4, POSTGRES_9_6, POSTGRES_10, POSTGRES_11, POSTGRES_12, POSTGRES_13, POSTGRES_14, POSTGRES_15, POSTGRES_16, POSTGRES_17, SQLSERVER_2017_STANDARD, SQLSERVER_2017_ENTERPRISE, SQLSERVER_2017_EXPRESS, SQLSERVER_2017_WEB. Database Version Policies includes an up-to-date reference of supported versions.`,
 				DiffSuppressFunc: databaseVersionDiffSuppress,
 			},
-
 			"encryption_key_name": {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
 				ForceNew: true,
 			},
-
 			"root_password": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Sensitive:   true,
 				Description: `Initial root password. Required for MS SQL Server.`,
+				ConflictsWith:  []string{"root_password_wo"},
+			},
+			"root_password_wo": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Description: `Initial root password. Required for MS SQL Server.
+				Note: This property is write-only and will not be read from the API. For more info see [updating write-only arguments](/docs/providers/google/guides/using_write_only_arguments.html#updating-write-only-arguments)`,
+				WriteOnly:    true,
+				ConflictsWith:  []string{"root_password"},
+				RequiredWith: []string{"root_password_wo_version"},
+			},
+			"root_password_wo_version": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  `Triggers update of root_password_wo write-only. For more info see [updating write-only arguments](/docs/providers/google/guides/using_write_only_arguments.html#updating-write-only-arguments)`,
+				RequiredWith: []string{"root_password_wo"},
 			},
 			"ip_address": {
 				Type:     schema.TypeList,
@@ -1516,8 +1530,12 @@ func resourceSqlDatabaseInstanceCreate(d *schema.ResourceData, meta interface{})
 	if _, ok := d.GetOk("node_count"); ok {
 		instance.NodeCount = int64(d.Get("node_count").(int))
 	}
-
-	instance.RootPassword = d.Get("root_password").(string)
+  
+	if _, ok := d.GetOk("root_password_wo_version"); ok {
+		instance.RootPassword = tpgresource.GetRawConfigAttributeAsString(d, "root_password_wo")
+	} else if _, ok := d.GetOk("root_password"); ok {
+		instance.RootPassword = d.Get("root_password").(string)
+	}
 
 	// Modifying a replica during Create can cause problems if the master is
 	// modified at the same time. Lock the master until we're done in order
@@ -2354,8 +2372,14 @@ func resourceSqlDatabaseInstanceUpdate(d *schema.ResourceData, meta interface{})
 
 	// Check if the root_password is being updated, because updating root_password is an atomic operation and can not be
 	// performed with other fields, we first update root password before updating the rest of the fields.
-	if d.HasChange("root_password") {
-		oldPwd, newPwd := d.GetChange("root_password")
+	if d.HasChange("root_password") || d.HasChange("root_password_wo_version") {
+		var oldPwd, newPwd interface{}
+		if d.HasChange("root_password_wo_version") {
+			oldPwd = ""
+			newPwd = tpgresource.GetRawConfigAttributeAsString(d, "root_password_wo")
+		} else {
+			oldPwd, newPwd = d.GetChange("root_password")
+		}
 		password := newPwd.(string)
 		dv := d.Get("database_version").(string)
 		name := ""

mmv1/third_party/terraform/services/sql/resource_sql_database_instance_test.go.tmpl

@@ -124,6 +124,50 @@ func TestAccSqlDatabaseInstance_basicMSSQL(t *testing.T) {
 	})
 }
 
+func TestAccSqlDatabaseInstance_basicMSSQL_passwordWo(t *testing.T) {
+	t.Parallel()
+
+	databaseName := "tf-test-" + acctest.RandString(t, 10)
+	rootPassword := acctest.RandString(t, 15)
+	updatedRootPassword := acctest.RandString(t, 15)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccSqlDatabaseInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(
+					testGoogleSqlDatabaseInstance_basic_mssql_wo_password, databaseName, rootPassword),
+				Check:  resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("google_sql_database_instance.instance", "root_password_wo"),
+					resource.TestCheckResourceAttr("google_sql_database_instance.instance", "root_password_wo_version", "1"),
+				),
+			},
+			{
+				ResourceName:            "google_sql_database_instance.instance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"root_password", "deletion_protection"},
+			},
+			{
+				Config: fmt.Sprintf(
+					testGoogleSqlDatabaseInstance_basic_mssql_wo_password_update, databaseName, updatedRootPassword),
+				Check:  resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("google_sql_database_instance.instance", "root_password_wo"),
+					resource.TestCheckResourceAttr("google_sql_database_instance.instance", "root_password_wo_version", "2"),
+				),
+			},
+			{
+				ResourceName:            "google_sql_database_instance.instance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"root_password", "deletion_protection"},
+			},
+		},
+	})
+}
+
 func TestAccSqlDatabaseInstance_dontDeleteDefaultUserOnReplica(t *testing.T) {
 	t.Skip("https://github.com/hashicorp/terraform-provider-google/issues/20975")
 	t.Parallel()
@@ -4166,6 +4210,34 @@ resource "google_sql_database_instance" "instance" {
 }
 `
 
+var testGoogleSqlDatabaseInstance_basic_mssql_wo_password = `
+resource "google_sql_database_instance" "instance" {
+  name                     = "%s"
+  database_version         = "SQLSERVER_2019_STANDARD"
+  root_password_wo         = "%s"
+  root_password_wo_version = "1"
+  deletion_protection      = false
+  settings {
+    tier = "db-custom-1-3840"
+    collation = "Polish_CI_AS"
+  }
+}
+`
+
+var testGoogleSqlDatabaseInstance_basic_mssql_wo_password_update = `
+resource "google_sql_database_instance" "instance" {
+  name                     = "%s"
+  database_version         = "SQLSERVER_2019_STANDARD"
+  root_password_wo         = "%s"
+  root_password_wo_version = "2"
+  deletion_protection      = false
+  settings {
+    tier = "db-custom-1-3840"
+    collation = "Polish_CI_AS"
+  }
+}
+`
+
 var testGoogleSqlDatabaseInstance_update_mssql = `
 resource "google_sql_database_instance" "instance" {
   name                = "%s"

mmv1/third_party/terraform/website/docs/r/sql_database_instance.html.markdown

@@ -313,6 +313,12 @@ includes an up-to-date reference of supported versions.
 
 * `root_password` - (Optional) Initial root password. Can be updated. Required for MS SQL Server.
 
+* `root_password_wo` - (Optional) Initial root password. Can be updated. Required for MS SQL Server. **Note**: This property is write-only and will not be read from the API.
+
+  ~> **Note:** One of `root_password` or `root_password_wo` can only be set.
+
+* `root_password_wo_version` - Triggers update of `root_password_wo` write-only. Increment this value when an update to `root_password_wo` is needed. For more info see [updating write-only arguments](/docs/providers/google/guides/using_write_only_arguments.html#updating-write-only-arguments)
+
 * `encryption_key_name` - (Optional)
     The full path to the encryption key used for the CMEK disk encryption.  Setting
     up disk encryption currently requires manual steps outside of Terraform.