Adds google_apigee_developer_app resource and enhance google_apigee_api_product scopes to be order-insensitive (#15336)

Co-authored-by: Luca Prete <[email protected]>

Author: LucaPrete

mmv1/products/apigee/ApiProduct.yaml

@@ -154,6 +154,7 @@ properties:
       Comma-separated list of OAuth scopes that are validated at runtime. Apigee validates that the scopes in any access token presented match the scopes defined in the OAuth policy associated with the API product.
     item_type:
       type: String
+    custom_flatten: 'templates/terraform/custom_flatten/apigee_api_product_scopes.go.tmpl'
 
   - name: "quota"
     type: String

mmv1/products/apigee/DeveloperApp.yaml

@@ -0,0 +1,240 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: "DeveloperApp"
+description: |
+  Creates an app associated with a developer.
+  This API associates the developer app with the specified API product
+  and auto-generates an API key for the app to use in calls to API proxies
+  inside that API product.
+references:
+  guides:
+    "Creating a developer": "https://cloud.google.com/apigee/docs/api-platform/publish/creating-apps-surface-your-api"
+  api: "https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations.developers.apps"
+docs:
+base_url: "{{org_id}}/developers/{{developer_email}}/apps"
+self_link: "{{org_id}}/developers/{{developer_email}}/apps/{{name}}"
+update_mask: false
+update_verb: "PUT"
+import_format:
+  - "{{org_id}}/developers/{{developer_email}}/apps/{{name}}"
+custom_code:
+  decoder: "templates/terraform/decoders/apigee_developer_app.go.tmpl"
+  custom_import: "templates/terraform/custom_import/apigee_developer_app.go.tmpl"
+examples:
+  - name: "apigee_developer_app_basic"
+    primary_resource_id: "apigee_developer_app"
+    vars:
+      api_product_name: "sample-api"
+      developer_app_name: "sample-app"
+      developer_email: "[email protected]"
+      instance_name: "instance"
+    exclude_test: true
+  - name: "apigee_developer_app_basic_test"
+    primary_resource_id: "apigee_developer_app"
+    vars:
+      api_product_name: "sample-api"
+      developer_app_name: "sample-app"
+      developer_email: "[email protected]"
+      instance_name: "instance"
+      project_name: "prj"
+    test_env_vars:
+      org_id: "ORG_ID"
+      billing_account: "BILLING_ACCT"
+    skip_vcr: true
+    external_providers: ["time"]
+parameters:
+  - name: "orgId"
+    type: String
+    description: |
+      The Apigee Organization associated with the Apigee instance,
+      in the format `organizations/{{org_name}}`.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: "developer_email"
+    type: String
+    description: |
+      Email address of the developer.
+      This value is used to uniquely identify the developer in Apigee hybrid.
+      Note that the email address has to be in lowercase only.
+    url_param_only: true
+    required: true
+    immutable: true
+properties:
+  - name: "name"
+    type: String
+    description: |
+      Name of the developer app.
+    required: true
+  - name: "appFamily"
+    type: String
+    description: |
+      Developer app family.
+    immutable: true
+    default_from_api: true
+  - name: "callbackUrl"
+    type: String
+    description: |
+      Callback URL used by OAuth 2.0 authorization servers to communicate
+      authorization codes back to developer apps.
+    required: true
+  - name: "keyExpiresIn"
+    type: String
+    description: |
+      Expiration time, in milliseconds, for the consumer key that is generated
+      for the developer app. If not set or left to the default value of -1,
+      the API key never expires. The expiration time can't be updated after it is set.
+    default_value: "-1"
+    immutable: true
+  - name: "apiProducts"
+    type: Array
+    description: |
+      List of API products associated with the developer app.
+    item_type:
+      type: String
+    is_set: true
+  - name: "scopes"
+    type: Array
+
+    description: |
+      Scopes to apply to the developer app.
+      The specified scopes must already exist for the API product that
+      you associate with the developer app.
+    item_type:
+      type: String
+    is_set: true
+  - name: "developerId"
+    type: String
+    description: |
+      ID of the developer.
+    output: true
+  - name: "status"
+    type: String
+    description: |
+      Status of the credential. Valid values include approved or revoked.
+    # This can be set but it needs to be updated through other APIs.
+    immutable: true
+    default_from_api: true
+  - name: "attributes"
+    type: Array
+    description: |
+      Developer attributes (name/value pairs). The custom attribute limit is 18.
+    item_type:
+      type: NestedObject
+      properties:
+        - name: "name"
+          type: String
+          description: |
+            Key of the attribute
+        - name: "value"
+          type: String
+          description: |
+            Value of the attribute
+  - name: "appId"
+    type: String
+    description: |
+      ID of the developer app. This ID is not user specified but is
+      automatically generated on app creation. appId is a UUID.
+    output: true
+  - name: "createdAt"
+    type: String
+    description: |
+      Time at which the developer was created in milliseconds since epoch.
+    output: true
+  - name: "lastModifiedAt"
+    type: String
+    description: |
+      Time at which the developer was last modified in milliseconds since epoch.
+    output: true
+  - name: "credentials"
+    type: Array
+    description: |
+      Output only. Set of credentials for the developer app consisting of
+      the consumer key/secret pairs associated with the API products.
+    output: true
+    item_type:
+      type: NestedObject
+      properties:
+        - name: "consumerKey"
+          type: String
+          description: |
+            Consumer key.
+          output: true
+        - name: "consumerSecret"
+          type: String
+          description: |
+            Secret key.
+          sensitive: true
+          output: true
+        - name: "expiresAt"
+          type: String
+          description: |
+            Time the credential will expire in milliseconds since epoch.
+          output: true
+        - name: "issuedAt"
+          type: String
+          description: |
+            Time the credential was issued in milliseconds since epoch.
+          output: true
+        - name: "status"
+          type: String
+          description: |
+            Status of the credential. Valid values include approved or revoked.
+          output: true
+        - name: "scopes"
+          type: Array
+          description: |
+            List of scopes to apply to the app.
+            Specified scopes must already exist on the API product that
+            you associate with the app.
+          item_type:
+            type: String
+          output: true
+        - name: "apiProducts"
+          type: Array
+          description: |
+            List of API products this credential can be used for.
+          output: true
+          item_type:
+            type: NestedObject
+            properties:
+              - name: "apiproduct"
+                type: String
+                description: |
+                  Name of the API product.
+                output: true
+              - name: "status"
+                type: String
+                description: |
+                  Status of the API product. Valid values are approved or revoked.
+                output: true
+        - name: "attributes"
+          type: Array
+          description: |
+            Developer attributes (name/value pairs). The custom attribute limit is 18.
+          output: true
+          item_type:
+            type: NestedObject
+            properties:
+              - name: "name"
+                type: String
+                description: |
+                  Key of the attribute
+                output: true
+              - name: "value"
+                type: String
+                description: |
+                  Value of the attribute
+                output: true

mmv1/templates/terraform/custom_flatten/apigee_api_product_scopes.go.tmpl

@@ -0,0 +1,38 @@
+{{/*
+    The license inside this block applies to this file
+    Copyright 2025 Google Inc.
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/ -}}
+func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+    rawConfigValue := d.Get("scopes")
+    // Convert config value to []string
+    configValue, err := tpgresource.InterfaceSliceToStringSlice(rawConfigValue)
+    if err != nil {
+        log.Printf("[ERROR] Failed to convert config value: %s", err)
+        return v
+    }
+    sortedConfigValue := append([]string{}, configValue...)
+    sort.Strings(sortedConfigValue)
+
+    // Convert v to []string
+    apiValue, err := tpgresource.InterfaceSliceToStringSlice(v)
+    if err != nil {
+        log.Printf("[ERROR] Failed to convert API value: %s", err)
+        return v
+    }
+    sortedApiValue := append([]string{}, apiValue...)
+    sort.Strings(sortedApiValue)
+
+    if (slices.Equal(sortedApiValue, sortedConfigValue)) {
+        return configValue
+    }
+
+    return apiValue
+}

mmv1/templates/terraform/custom_import/apigee_developer_app.go.tmpl

@@ -0,0 +1,15 @@
+config := meta.(*transport_tpg.Config)
+
+importFormat := "(?P<org_id>organizations/[^/]+)/developers/(?P<developer_email>[^/]+)/apps/(?P<name>.+)"
+
+if err := tpgresource.ParseImportId([]string{importFormat}, d, config); err != nil {
+	return nil, err
+}
+
+id, err := tpgresource.ReplaceVars(d, config, "{{ "{{" }}org_id{{ "}}" }}/developers/{{ "{{" }}developer_email{{ "}}" }}/apps/{{ "{{" }}name{{ "}}" }}")
+if err != nil {
+	return nil, fmt.Errorf("Error constructing id: %s", err)
+}
+d.SetId(id)
+
+return []*schema.ResourceData{d}, nil

mmv1/templates/terraform/decoders/apigee_developer_app.go.tmpl

@@ -0,0 +1,45 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2025 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+if obj, ok := res["credentials"]; ok {
+	if credList, ok := obj.([]interface{}); ok && len(credList) > 0 {
+		if cred, ok := credList[0].(map[string]interface{}); ok {
+			// Decode expiresAt
+			res["keyExpiresIn"] = cred["expiresAt"]
+
+			// Decode scopes
+			res["scopes"] = cred["scopes"]
+
+			// Decode api_products
+			if apiProductsObj, productsOk := cred["apiProducts"]; productsOk {
+				if apiProductList, listOk := apiProductsObj.([]interface{}); listOk {
+					var flattenedProducts []interface{}
+					for _, productObj := range apiProductList {
+						if productMap, mapOk := productObj.(map[string]interface{}); mapOk {
+							if productName, nameOk := productMap["apiproduct"].(string); nameOk {
+								flattenedProducts = append(flattenedProducts, productName)
+							}
+						}
+					}
+					res["apiProducts"] = flattenedProducts
+				}
+			}
+
+			delete(res, "credentials")
+		} else {
+			return nil, fmt.Errorf("Unable to decode the first element of the credentials array.")
+		}
+	} else {
+		return nil, fmt.Errorf("Unable to decode credentials block from API response, expected a non-empty array.")
+	}
+}
+return res, nil

mmv1/templates/terraform/examples/apigee_api_product_with_attributes.tf.tmpl

@@ -47,9 +47,11 @@ resource "google_apigee_api_product" "full_api_product" {
   quota_counter_scope = "PROXY"
 
   environments = ["dev", "hom"]
+
+  # Set them in reverse order to test set
   scopes = [
-    "read:weather",
     "write:reports"
+    "read:weather",
   ]
 
   attributes {