secretmanager: ephemeral support for google_secret_manager_secret_version (#14700)

ramonvermeulen · web-flow · commit 7ebc2a1884c0 · 2025-10-01T16:21:36.000Z
diff --git a/mmv1/third_party/terraform/fwprovider/framework_provider.go.tmpl b/mmv1/third_party/terraform/fwprovider/framework_provider.go.tmpl
@@ -22,12 +22,12 @@ import (
     "github.com/hashicorp/terraform-provider-google/google/fwmodels"
     "github.com/hashicorp/terraform-provider-google/google/services/resourcemanager"
     "github.com/hashicorp/terraform-provider-google/google/services/apigee"
-
+    "github.com/hashicorp/terraform-provider-google/google/services/secretmanager"
     "github.com/hashicorp/terraform-provider-google/version"
     {{- if ne $.TargetVersionName "ga" }}
     "github.com/hashicorp/terraform-provider-google/google/services/firebase"
     {{- end }}
-	"github.com/hashicorp/terraform-provider-google/google/services/storage"
+    "github.com/hashicorp/terraform-provider-google/google/services/storage"
 
     transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
 )
@@ -380,9 +380,10 @@ func (p *FrameworkProvider) Functions(_ context.Context) []func() function.Funct
 // EphemeralResources defines the resources that are of ephemeral type implemented in the provider.
 func (p *FrameworkProvider) EphemeralResources(_ context.Context) []func() ephemeral.EphemeralResource {
 	return []func() ephemeral.EphemeralResource{
-        resourcemanager.GoogleEphemeralServiceAccountAccessToken,
-        resourcemanager.GoogleEphemeralServiceAccountIdToken,
-        resourcemanager.GoogleEphemeralServiceAccountJwt,
-        resourcemanager.GoogleEphemeralServiceAccountKey,
+		resourcemanager.GoogleEphemeralServiceAccountAccessToken,
+		resourcemanager.GoogleEphemeralServiceAccountIdToken,
+		resourcemanager.GoogleEphemeralServiceAccountJwt,
+		resourcemanager.GoogleEphemeralServiceAccountKey,
+		secretmanager.GoogleEphemeralSecretManagerSecretVersion,
 	}
 }
diff --git a/mmv1/third_party/terraform/services/secretmanager/ephemeral_google_secret_manager_secret_version.go b/mmv1/third_party/terraform/services/secretmanager/ephemeral_google_secret_manager_secret_version.go
@@ -0,0 +1,184 @@
+package secretmanager
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+)
+
+var _ ephemeral.EphemeralResource = &googleEphemeralSecretManagerSecretVersion{}
+
+func GoogleEphemeralSecretManagerSecretVersion() ephemeral.EphemeralResource {
+	return &googleEphemeralSecretManagerSecretVersion{}
+}
+
+type googleEphemeralSecretManagerSecretVersion struct {
+	providerConfig *transport_tpg.Config
+}
+
+func (p *googleEphemeralSecretManagerSecretVersion) Metadata(ctx context.Context, req ephemeral.MetadataRequest, resp *ephemeral.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_secret_manager_secret_version"
+}
+
+type ephemeralSecretManagerSecretVersionModel struct {
+	Project            types.String `tfsdk:"project"`
+	Secret             types.String `tfsdk:"secret"`
+	Version            types.String `tfsdk:"version"`
+	IsSecretDataBase64 types.Bool   `tfsdk:"is_secret_data_base64"`
+	SecretData         types.String `tfsdk:"secret_data"`
+	Name               types.String `tfsdk:"name"`
+	CreateTime         types.String `tfsdk:"create_time"`
+	DestroyTime        types.String `tfsdk:"destroy_time"`
+	Enabled            types.Bool   `tfsdk:"enabled"`
+}
+
+func (p *googleEphemeralSecretManagerSecretVersion) Schema(ctx context.Context, req ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
+	resp.Schema.Description = "This ephemeral resource provides access to a Google Secret Manager secret version."
+	resp.Schema.MarkdownDescription = "This ephemeral resource provides access to a Google Secret Manager secret version."
+
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			// Arguments
+			"project": schema.StringAttribute{
+				Description: "The project to get the secret version for. If it is not provided, the provider project is used.",
+				Optional:    true,
+				Computed:    true,
+			},
+			"secret": schema.StringAttribute{
+				Description: "The secret to get the secret version for.",
+				Required:    true,
+			},
+			"version": schema.StringAttribute{
+				Description: "The version of the secret to get. If it is not provided, the latest version is retrieved.",
+				Optional:    true,
+			},
+			"is_secret_data_base64": schema.BoolAttribute{
+				Description: "If true, the secret data returned will not get base64 decoded. Defaults to false.",
+				Optional:    true,
+			},
+			// Attributes
+			"secret_data": schema.StringAttribute{
+				Description: "The secret data. No larger than 64KiB.",
+				Computed:    true,
+				Sensitive:   true,
+			},
+			"name": schema.StringAttribute{
+				Description: "The resource name of the SecretVersion. Format: `projects/{{project}}/secrets/{{secret_id}}/versions/{{version}}`.",
+				Computed:    true,
+			},
+			"create_time": schema.StringAttribute{
+				Description: "The time at which the Secret was created.",
+				Computed:    true,
+			},
+			"destroy_time": schema.StringAttribute{
+				Description: "The time at which the Secret was destroyed. Only present if state is DESTROYED.",
+				Computed:    true,
+			},
+			"enabled": schema.BoolAttribute{
+				Description: "True if the current state of the SecretVersion is enabled.",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+func (p *googleEphemeralSecretManagerSecretVersion) Configure(ctx context.Context, req ephemeral.ConfigureRequest, resp *ephemeral.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	pd, ok := req.ProviderData.(*transport_tpg.Config)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			fmt.Sprintf("Expected *transport_tpg.Config, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	// Required for accessing userAgent and passing as an argument into a util function
+	p.providerConfig = pd
+}
+
+func (p *googleEphemeralSecretManagerSecretVersion) Open(ctx context.Context, req ephemeral.OpenRequest, resp *ephemeral.OpenResponse) {
+	var data ephemeralSecretManagerSecretVersionModel
+
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	config := p.providerConfig
+	userAgent := p.providerConfig.UserAgent
+
+	secret := data.Secret.ValueString()
+	project := data.Project.ValueString()
+	version := data.Version.ValueString()
+
+	if project == "" {
+		project = config.Project
+	}
+
+	var url string
+	if version != "" {
+		url = fmt.Sprintf("%s%s/versions/%s", config.SecretManagerBasePath, secret, version)
+	} else {
+		url = fmt.Sprintf("%s%s/versions/latest", config.SecretManagerBasePath, secret)
+	}
+
+	versionResp, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "GET",
+		Project:   project,
+		RawURL:    url,
+		UserAgent: userAgent,
+	})
+	if err != nil {
+		resp.Diagnostics.AddError("Error retrieving secret version", err.Error())
+		return
+	}
+
+	accessURL := fmt.Sprintf("%s%s:access", config.SecretManagerBasePath, versionResp["name"])
+	accessResp, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "GET",
+		Project:   project,
+		RawURL:    accessURL,
+		UserAgent: userAgent,
+	})
+	if err != nil {
+		resp.Diagnostics.AddError("Error accessing secret data", err.Error())
+		return
+	}
+
+	// This check seems counterintuitive, but read docs on the `google_secret_manager_secret_version` resource.
+	// It states: "If set to 'true', the secret data is expected to be base64-encoded string and would be sent as is."
+	payload := accessResp["payload"].(map[string]interface{})
+	payloadData := payload["data"].(string)
+	if !data.IsSecretDataBase64.ValueBool() {
+		decoded, err := base64.StdEncoding.DecodeString(payload["data"].(string))
+		if err != nil {
+			resp.Diagnostics.AddError("Error decoding secret data", err.Error())
+			return
+		}
+		payloadData = string(decoded)
+	}
+
+	data.SecretData = types.StringValue(payloadData)
+	data.Name = types.StringValue(versionResp["name"].(string))
+	data.CreateTime = types.StringValue(versionResp["createTime"].(string))
+	data.Project = types.StringValue(project)
+	data.Enabled = types.BoolValue(true)
+
+	if destroyTime, ok := versionResp["destroyTime"]; ok {
+		data.DestroyTime = types.StringValue(destroyTime.(string))
+	}
+
+	resp.Diagnostics.Append(resp.Result.Set(ctx, data)...)
+}
diff --git a/mmv1/third_party/terraform/services/secretmanager/ephemeral_google_secret_manager_secret_version_test.go b/mmv1/third_party/terraform/services/secretmanager/ephemeral_google_secret_manager_secret_version_test.go
@@ -0,0 +1,123 @@
+package secretmanager_test
+
+import (
+	"encoding/base64"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+)
+
+func TestAccEphemeralSecretManagerSecretVersion_basic(t *testing.T) {
+	t.Parallel()
+	acctest.SkipIfVcr(t)
+
+	secret := "tf-test-secret-" + acctest.RandString(t, 10)
+	secretData := "secret-data"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEphemeralSecretManagerSecretVersion_basic(secret, secretData),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.default", "secret_data", secretData),
+				),
+			},
+		},
+	})
+}
+
+func TestAccEphemeralSecretManagerSecretVersion_base64(t *testing.T) {
+	t.Parallel()
+	acctest.SkipIfVcr(t)
+
+	secret := "tf-test-secret-" + acctest.RandString(t, 10)
+	secretData := "secret-data"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEphemeralSecretManagerSecretVersion_base64(secret, secretData),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.default", "is_secret_data_base64", "true"),
+					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.default", "secret_data", base64.StdEncoding.EncodeToString([]byte(secretData))),
+				),
+			},
+		},
+	})
+}
+
+func testAccEphemeralSecretManagerSecretVersion_basic(secret, secretData string) string {
+	return fmt.Sprintf(`
+resource "google_secret_manager_secret" "secret" {
+  secret_id = "%s"
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "version" {
+  secret      = google_secret_manager_secret.secret.id
+  secret_data = "%s"
+}
+
+ephemeral "google_secret_manager_secret_version" "ephemeral" {
+  secret  = google_secret_manager_secret_version.version.secret
+  version = google_secret_manager_secret_version.version.version
+}
+
+resource "google_secret_manager_secret_version" "version_two_based_on_ephemeral" {
+  secret  	             = google_secret_manager_secret_version.version.secret
+  secret_data_wo 		 = ephemeral.google_secret_manager_secret_version.ephemeral.secret_data
+  secret_data_wo_version = "1"
+}
+
+data "google_secret_manager_secret_version" "default" {
+  secret  = google_secret_manager_secret_version.version_two_based_on_ephemeral.secret
+  version = google_secret_manager_secret_version.version_two_based_on_ephemeral.version
+}
+`, secret, secretData)
+}
+
+func testAccEphemeralSecretManagerSecretVersion_base64(secret, secretData string) string {
+	return fmt.Sprintf(`
+resource "google_secret_manager_secret" "secret" {
+  secret_id = "%s"
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "version" {
+  secret                 = google_secret_manager_secret.secret.id
+  secret_data            = base64encode("%s")
+  is_secret_data_base64  = true
+}
+
+ephemeral "google_secret_manager_secret_version" "ephemeral" {
+  secret  				= google_secret_manager_secret_version.version.secret
+  version 				= google_secret_manager_secret_version.version.version
+  is_secret_data_base64 = true
+}
+
+resource "google_secret_manager_secret_version" "version_two_based_on_ephemeral" {
+  secret  	             = google_secret_manager_secret_version.version.secret
+  secret_data_wo 		 = ephemeral.google_secret_manager_secret_version.ephemeral.secret_data
+  secret_data_wo_version = "1"
+  is_secret_data_base64  = true
+}
+
+data "google_secret_manager_secret_version" "default" {
+  secret                 = google_secret_manager_secret_version.version_two_based_on_ephemeral.secret
+  version                = google_secret_manager_secret_version.version_two_based_on_ephemeral.version
+  is_secret_data_base64  = true
+}
+`, secret, secretData)
+}
diff --git a/mmv1/third_party/terraform/website/docs/ephemeral-resources/secret_manager_secret_version.html.markdown b/mmv1/third_party/terraform/website/docs/ephemeral-resources/secret_manager_secret_version.html.markdown
