Handle email casing in google_bigquery_dataset access (#15792)

Author: wj-chen

mmv1/products/bigquery/Dataset.yaml

@@ -142,6 +142,8 @@ properties:
         - name: 'groupByEmail'
           type: String
           description: An email address of a Google Group to grant access to.
+          custom_expand: 'templates/terraform/custom_expand/string_to_lower_case.go.tmpl'
+          custom_flatten: 'templates/terraform/custom_flatten/string_to_lower_case.go.tmpl'
         - name: 'role'
           type: String
           description: |
@@ -168,6 +170,8 @@ properties:
           description: |
             An email address of a user to grant access to. For example:
             [email protected]
+          custom_expand: 'templates/terraform/custom_expand/string_to_lower_case.go.tmpl'
+          custom_flatten: 'templates/terraform/custom_flatten/string_to_lower_case.go.tmpl'
         - name: 'view'
           type: NestedObject
           description: |

mmv1/templates/terraform/constants/bigquery_dataset.go.tmpl

@@ -32,8 +32,10 @@ func validateDefaultTableExpirationMs(v interface{}, k string) (ws []string, err
 
 {{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
 // bigqueryDatasetAccessHash is a custom hash function for the access block.
-// It normalizes the 'role' field before hashing, treating legacy roles
-// and their modern IAM equivalents as the same.
+// It normalizes
+// 1) the 'role' field before hashing, treating legacy roles
+// and their modern IAM equivalents as the same,
+// 2) the 'user_by_email' and 'group_by_email' fields to be case-insensitive.
 func resourceBigqueryDatasetAccessHash(v interface{}) int {
 	m, ok := v.(map[string]interface{})
 	if !ok {
@@ -45,6 +47,14 @@ func resourceBigqueryDatasetAccessHash(v interface{}) int {
 		copy[k] = val
 	}
 
+	// Normalize user_by_email and group_by_email to be case-insensitive
+	if email, ok := copy["user_by_email"].(string); ok && email != "" {
+		copy["user_by_email"] = strings.ToLower(email)
+	}
+	if email, ok := copy["group_by_email"].(string); ok && email != "" {
+		copy["group_by_email"] = strings.ToLower(email)
+	}
+
 	// Normalize the role if it exists and matches a legacy role.
 	if role, ok := copy["role"].(string); ok {
 		if newRole, ok := bigqueryDatasetAccessPrimitiveToRoleMap[role]; ok {

mmv1/third_party/terraform/services/bigquery/resource_bigquery_dataset_test.go

@@ -4,15 +4,14 @@ package bigquery_test
 
 import (
 	"fmt"
-	"regexp"
-	"strings"
-	"testing"
-
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
 	"github.com/hashicorp/terraform-provider-google/google/envvar"
 	"google.golang.org/api/bigquery/v2"
+	"regexp"
+	"strings"
+	"testing"
 )
 
 func TestAccBigQueryDataset_basic(t *testing.T) {
@@ -319,6 +318,52 @@ func TestAccBigQueryDataset_access(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryDataset_accessMixedCase_userByEmail(t *testing.T) {
+	t.Parallel()
+
+	datasetID := fmt.Sprintf("tf_test_access_%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryDatasetDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDataset_accessMixedCase(datasetID, "user_by_email", "[email protected]"),
+			},
+			{
+				ResourceName:            "google_bigquery_dataset.access_test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func TestAccBigQueryDataset_accessMixedCase_groupByEmail(t *testing.T) {
+	t.Parallel()
+
+	datasetID := fmt.Sprintf("tf_test_access_%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryDatasetDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDataset_accessMixedCase(datasetID, "group_by_email", "[email protected]"),
+			},
+			{
+				ResourceName:            "google_bigquery_dataset.access_test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
 func TestAccBigQueryDataset_regionalLocation(t *testing.T) {
 	t.Parallel()
 
@@ -839,6 +884,19 @@ resource "google_bigquery_dataset" "access_test" {
 `, otherDatasetID, otherTableID, datasetID)
 }
 
+func testAccBigQueryDataset_accessMixedCase(datasetID, accessType, email string) string {
+	return fmt.Sprintf(`
+resource "google_bigquery_dataset" "access_test" {
+  dataset_id = "%s"
+
+  access {
+    role   = "OWNER"
+    %s = "%s"
+  }
+}
+`, datasetID, accessType, email)
+}
+
 func testAccBigQueryDataset_cmek(pid, datasetID, kmsKey string) string {
 	return fmt.Sprintf(`
 data "google_project" "project" {