`ephemerals resources`: `req.Private.GetKey` returns empty string in `Close()`

[BBBmau]

Module version

v1.16.1

Relevant provider source code

func (p *googleEphemeralServiceAccountKey) Close(ctx context.Context, req ephemeral.CloseRequest, resp *ephemeral.CloseResponse) {
	serviceAccountKeyName, err := req.Private.GetKey(ctx, "name")
	fmt.Printf("[DEBUG] Deleting Service Account Key %q\n", serviceAccountKeyName)
	if err != nil {
		resp.Diagnostics.AddError(
			"Error getting private key",
			fmt.Sprintf("Error getting private key: %s", err),
		)
		return
	}
	deletion, _ := p.providerConfig.NewIamClient(p.providerConfig.UserAgent).Projects.ServiceAccounts.Keys.Delete(string(serviceAccountKeyName)).Do()
	if deletion != nil {
		resp.Diagnostics.AddError(
			"Error deleting Service Account Key",
			fmt.Sprintf("Error deleting Service Account Key %q: %s", string(serviceAccountKeyName), err),
		)
		return
	}
}

Terraform Configuration Files

func testAccEphemeralServiceAccountKey_publicKey(account, name string) string {
	return fmt.Sprintf(`
resource "google_service_account" "acceptance" {
  account_id   = "%s"
  display_name = "%s"
}

ephemeral "google_service_account_key" "key" {
  service_account_id            = google_service_account.acceptance.email
  public_key    = filebase64("test-fixtures/public_key.pem")
}
`, account, name)
}

Debug Output

Expected Behavior

2025/11/04 13:51:06 [DEBUG] Retry Transport: Returning after 1 attempts
[DEBUG] Deleting Service Account Key ""
[DEBUG] Deleting Service Account Key ""
[DEBUG] Deleting Service Account Key ""
[DEBUG] Deleting Service Account Key ""
[DEBUG] Deleting Service Account Key ""
[DEBUG] Deleting Service Account Key ""
--- PASS: TestAccEphemeralServiceAccountKey_basic (34.44s)
PASS
ok      github.com/hashicorp/terraform-provider-google/google/services/resourcemanager  35.988s

Actual Behavior

we should be seeing the service account key name shown in debug log

Steps to Reproduce

1. git clone https://github.com/BBBmau/magic-modules/
2. git switch ephemeral-close-bug
3. `envchain GCLOUD make testacc TEST=./google/services/resourcemanager TESTARGS='-run=TestAccEphemeralServiceAccountKey_basic' assuming you have envchain installed (required to have gcloud envvars set)

References

This issue comes from working on:

• serviceAccountKey: add Close() in ephemeral to support private_data attribute GoogleCloudPlatform/magic-modules#15476
  which would introduce Close() to allow for the private_key to be returned, an attribute that previously wasn't supported because of not including Close() in the initial implementation

[austinvalle]

Hey @BBBmau 👋🏻 , I took a quick glance at the ephemeral resource and I don't see any setting of the name field to private data, which should occur in the Open method.

Private data isn't the same as state data, so anything in state that you need in Close should get set explicitly to resp.Private during Open. Here is a code example: https://developer.hashicorp.com/terraform/plugin/framework/ephemeral-resources/close#define-close-method

[BBBmau]

this was helpful! Closing since this resolved my issue 😄