Add ephemeral google_client_config resource (#15099)

Author: busser

mmv1/third_party/terraform/fwprovider/data_source_provider_config_plugin_framework.go

@@ -230,11 +230,7 @@ func (d *GoogleProviderConfigPluginFrameworkDataSource) Read(ctx context.Context
 	data.RequestReason = types.StringValue(d.providerConfig.RequestReason)
 	data.RequestTimeout = types.StringValue(d.providerConfig.RequestTimeout.String())
 
-	lbs := make(map[string]attr.Value, len(d.providerConfig.DefaultLabels))
-	for k, v := range d.providerConfig.DefaultLabels {
-		lbs[k] = types.StringValue(v)
-	}
-	labels, di := types.MapValueFrom(ctx, types.StringType, lbs)
+	labels, di := types.MapValueFrom(ctx, types.StringType, d.providerConfig.DefaultLabels)
 	if di.HasError() {
 		resp.Diagnostics.Append(di...)
 	}

mmv1/third_party/terraform/fwprovider/framework_provider.go.tmpl

@@ -380,6 +380,7 @@ func (p *FrameworkProvider) Functions(_ context.Context) []func() function.Funct
 // EphemeralResources defines the resources that are of ephemeral type implemented in the provider.
 func (p *FrameworkProvider) EphemeralResources(_ context.Context) []func() ephemeral.EphemeralResource {
 	return []func() ephemeral.EphemeralResource{
+        resourcemanager.GoogleEphemeralClientConfig,
 		resourcemanager.GoogleEphemeralServiceAccountAccessToken,
 		resourcemanager.GoogleEphemeralServiceAccountIdToken,
 		resourcemanager.GoogleEphemeralServiceAccountJwt,

mmv1/third_party/terraform/services/resourcemanager/data_source_google_client_config.go

@@ -123,14 +123,7 @@ func (d *GoogleClientConfigDataSource) Read(ctx context.Context, req datasource.
 	data.Region = types.StringValue(d.providerConfig.Region)
 	data.Zone = types.StringValue(d.providerConfig.Zone)
 
-	// Convert default labels from SDK type system to plugin-framework data type
-	m := map[string]*string{}
-	for k, v := range d.providerConfig.DefaultLabels {
-		// m[k] = types.StringValue(v)
-		val := v
-		m[k] = &val
-	}
-	dls, diags := types.MapValueFrom(ctx, types.StringType, m)
+	dls, diags := types.MapValueFrom(ctx, types.StringType, d.providerConfig.DefaultLabels)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return

mmv1/third_party/terraform/services/resourcemanager/ephemeral_google_client_config.go

@@ -0,0 +1,135 @@
+package resourcemanager
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+)
+
+// Ensure the ephemeral resource satisfies the expected interfaces.
+var (
+	_ ephemeral.EphemeralResource              = &GoogleClientConfigEphemeralResource{}
+	_ ephemeral.EphemeralResourceWithConfigure = &GoogleClientConfigEphemeralResource{}
+)
+
+func GoogleEphemeralClientConfig() ephemeral.EphemeralResource {
+	return &GoogleClientConfigEphemeralResource{}
+}
+
+type GoogleClientConfigEphemeralResource struct {
+	providerConfig *transport_tpg.Config
+}
+
+type GoogleClientConfigEphemeralModel struct {
+	// Id could/should be removed in future as it's not necessary in the plugin framework
+	// https://github.com/hashicorp/terraform-plugin-testing/issues/84
+	Id            types.String `tfsdk:"id"`
+	Project       types.String `tfsdk:"project"`
+	Region        types.String `tfsdk:"region"`
+	Zone          types.String `tfsdk:"zone"`
+	AccessToken   types.String `tfsdk:"access_token"`
+	DefaultLabels types.Map    `tfsdk:"default_labels"`
+}
+
+func (e *GoogleClientConfigEphemeralResource) Metadata(ctx context.Context, req ephemeral.MetadataRequest, resp *ephemeral.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_client_config"
+}
+
+func (e *GoogleClientConfigEphemeralResource) Schema(ctx context.Context, req ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
+
+	resp.Schema = schema.Schema{
+
+		Description:         "Use this ephemeral resource to access the configuration of the Google Cloud provider.",
+		MarkdownDescription: "Use this ephemeral resource to access the configuration of the Google Cloud provider.",
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Computed:            true,
+				Description:         "The ID of this ephemeral resource in Terraform state. It is created in a projects/{{project}}/regions/{{region}}/zones/{{zone}} format and is NOT used by the ephemeral resource in requests to Google APIs.",
+				MarkdownDescription: "The ID of this ephemeral resource in Terraform state. It is created in a projects/{{project}}/regions/{{region}}/zones/{{zone}} format and is NOT used by the ephemeral resource in requests to Google APIs.",
+			},
+			"project": schema.StringAttribute{
+				Description:         "The ID of the project to apply any resources to.",
+				MarkdownDescription: "The ID of the project to apply any resources to.",
+				Computed:            true,
+			},
+			"region": schema.StringAttribute{
+				Description:         "The region to operate under.",
+				MarkdownDescription: "The region to operate under.",
+				Computed:            true,
+			},
+			"zone": schema.StringAttribute{
+				Description:         "The zone to operate under.",
+				MarkdownDescription: "The zone to operate under.",
+				Computed:            true,
+			},
+			"access_token": schema.StringAttribute{
+				Description:         "The OAuth2 access token used by the client to authenticate against the Google Cloud API.",
+				MarkdownDescription: "The OAuth2 access token used by the client to authenticate against the Google Cloud API.",
+				Computed:            true,
+				Sensitive:           true,
+			},
+			"default_labels": schema.MapAttribute{
+				Description:         "The default labels configured on the provider.",
+				MarkdownDescription: "The default labels configured on the provider.",
+				Computed:            true,
+				ElementType:         types.StringType,
+			},
+		},
+	}
+}
+
+func (e *GoogleClientConfigEphemeralResource) Configure(ctx context.Context, req ephemeral.ConfigureRequest, resp *ephemeral.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	p, ok := req.ProviderData.(*transport_tpg.Config)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Ephemeral Resource Configure Type",
+			fmt.Sprintf("Expected *transport_tpg.Config, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	// Required for accessing project, region, zone and tokenSource
+	e.providerConfig = p
+}
+
+func (e *GoogleClientConfigEphemeralResource) Open(ctx context.Context, req ephemeral.OpenRequest, resp *ephemeral.OpenResponse) {
+	var data GoogleClientConfigEphemeralModel
+
+	// Read Terraform configuration data into the model
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	data.Id = types.StringValue(fmt.Sprintf("projects/%s/regions/%s/zones/%s", e.providerConfig.Project, e.providerConfig.Region, e.providerConfig.Zone))
+	data.Project = types.StringValue(e.providerConfig.Project)
+	data.Region = types.StringValue(e.providerConfig.Region)
+	data.Zone = types.StringValue(e.providerConfig.Zone)
+
+	dls, diags := types.MapValueFrom(ctx, types.StringType, e.providerConfig.DefaultLabels)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	data.DefaultLabels = dls
+
+	token, err := e.providerConfig.TokenSource.Token()
+	if err != nil {
+		resp.Diagnostics.AddError("Error setting access_token", err.Error())
+		return
+	}
+	data.AccessToken = types.StringValue(token.AccessToken)
+
+	// Save data into ephemeral resource result
+	resp.Diagnostics.Append(resp.Result.Set(ctx, &data)...)
+}

mmv1/third_party/terraform/services/resourcemanager/ephemeral_google_client_config_test.go

@@ -0,0 +1,110 @@
+package resourcemanager_test
+
+import (
+	"regexp"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+)
+
+func TestAccEphemeralGoogleClientConfig_basic(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				// Note: For ephemeral resources, we can't directly check attributes
+				// since they don't persist in state. Instead, we verify the configuration
+				// compiles and runs without error.
+				Config: testAccCheckEphemeralGoogleClientConfig_basic,
+			},
+		},
+	})
+}
+
+func TestAccEphemeralGoogleClientConfig_omitLocation(t *testing.T) {
+	t.Setenv("GOOGLE_REGION", "")
+	t.Setenv("GOOGLE_ZONE", "")
+
+	resource.Test(t, resource.TestCase{
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				// Note: For ephemeral resources, we can't directly check attributes
+				// since they don't persist in state. Instead, we verify the configuration
+				// compiles and runs without error.
+				Config: testAccCheckEphemeralGoogleClientConfig_basic,
+			},
+		},
+	})
+}
+
+func TestAccEphemeralGoogleClientConfig_invalidCredentials(t *testing.T) {
+	badCreds := acctest.GenerateFakeCredentialsJson("test")
+	t.Setenv("GOOGLE_CREDENTIALS", badCreds)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCheckEphemeralGoogleClientConfig_basic,
+				ExpectError: regexp.MustCompile("Error setting access_token"),
+			},
+		},
+	})
+}
+
+func TestAccEphemeralGoogleClientConfig_usedInProvider(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckEphemeralGoogleClientConfig_usedInProvider,
+				Check: resource.ComposeTestCheckFunc(
+					// Verify that the ephemeral resource can be used to configure a provider
+					// and that the provider works correctly
+					resource.TestCheckResourceAttrSet("data.google_client_openid_userinfo.me", "email"),
+				),
+			},
+		},
+	})
+}
+
+const testAccCheckEphemeralGoogleClientConfig_basic = `
+provider "google" {
+  default_labels = {
+    default_key = "default_value"
+  }
+}
+
+ephemeral "google_client_config" "current" { }
+`
+
+const testAccCheckEphemeralGoogleClientConfig_usedInProvider = `
+provider "google" {
+  default_labels = {
+    default_key = "default_value"
+  }
+}
+
+ephemeral "google_client_config" "current" { }
+
+provider "google" {
+  alias        = "ephemeral_configured"
+  access_token = ephemeral.google_client_config.current.access_token
+  project      = ephemeral.google_client_config.current.project
+  region       = ephemeral.google_client_config.current.region
+  zone         = ephemeral.google_client_config.current.zone
+}
+
+data "google_client_openid_userinfo" "me" {
+  provider = google.ephemeral_configured
+}
+`

mmv1/third_party/terraform/website/docs/ephemeral-resources/client_config.html.markdown

@@ -0,0 +1,97 @@
+---
+subcategory: "Cloud Platform"
+description: |-
+  Get information about the configuration of the Google Cloud provider.
+---
+
+# google_client_config
+
+Use this ephemeral resource to access the configuration of the Google Cloud provider.
+
+Unlike the `google_client_config` data source, this ephemeral resource does not persist sensitive credentials in Terraform's state, making it ideal for scenarios where you need to access provider configuration without storing sensitive data.
+
+## Example Usage
+
+```tf
+ephemeral "google_client_config" "current" {
+}
+
+output "project" {
+  value = ephemeral.google_client_config.current.project
+}
+```
+
+## Example Usage: Configure provider with ephemeral credentials
+
+```tf
+provider "google" {
+  default_labels = {
+    environment = "production"
+  }
+}
+
+ephemeral "google_client_config" "current" {
+}
+
+provider "google" {
+  alias        = "ephemeral_configured"
+  access_token = ephemeral.google_client_config.current.access_token
+  project      = ephemeral.google_client_config.current.project
+  region       = ephemeral.google_client_config.current.region
+  zone         = ephemeral.google_client_config.current.zone
+}
+
+data "google_client_openid_userinfo" "me" {
+  provider = google.ephemeral_configured
+}
+```
+
+## Example Usage: Configure Kubernetes provider with ephemeral OAuth2 access token
+
+```tf
+ephemeral "google_client_config" "default" {
+}
+
+data "google_container_cluster" "my_cluster" {
+  name = "my-cluster"
+  zone = "us-east1-a"
+}
+
+provider "kubernetes" {
+  host  = "https://${data.google_container_cluster.my_cluster.endpoint}"
+  token = ephemeral.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(
+    data.google_container_cluster.my_cluster.master_auth[0].cluster_ca_certificate,
+  )
+}
+```
+
+## Argument Reference
+
+There are no arguments available for this ephemeral resource.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `project` - The ID of the project to apply any resources to.
+
+* `region` - The region to operate under.
+
+* `zone` - The zone to operate under.
+
+* `access_token` - The OAuth2 access token used by the client to authenticate against the Google Cloud API.
+
+* `default_labels` - The default labels configured on the provider.
+
+* `id` - The ID of this ephemeral resource in Terraform state. It is created in a projects/{{project}}/regions/{{region}}/zones/{{zone}} format and is NOT used by the ephemeral resource in requests to Google APIs.
+
+## Benefits over Data Source
+
+The main advantage of using this ephemeral resource over the `google_client_config` data source is that sensitive credentials (like `access_token`) are not persisted in Terraform's state file. This is particularly important when:
+
+- Using remote state backends where state files might be accessible to multiple users
+- Working with sensitive credentials that should not be stored persistently
+- Implementing security best practices for credential management
+
+The ephemeral resource provides the same functionality as the data source but with improved security characteristics for credential handling.