provider: automatically generate the *_wo and *_wo_version for write-only arguments + compute: added write-only support for shared_secret argument for google_compute_vpn_tunnel resource (#14933) (#10788)

[upstream:e9c7b3bf64eca845688218688261064fbff27f2b]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14933.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: added `shared_secret_wo` and `shared_secret_wo_version` fields for `google_compute_vpn_tunnel` resource, enabling write-only management of the shared secret.
+```

google-beta/services/compute/resource_compute_vpn_tunnel.go

@@ -172,14 +172,6 @@ must be a lowercase letter, and all following characters must
 be a dash, lowercase letter, or digit,
 except the last character, which cannot be a dash.`,
 			},
-			"shared_secret": {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
-				Description: `Shared secret used to set the secure session between the Cloud VPN
-gateway and the peer VPN gateway.`,
-				Sensitive: true,
-			},
 			"cipher_suite": {
 				Type:        schema.TypeList,
 				Optional:    true,
@@ -383,6 +375,32 @@ Only IPv4 is supported.`,
 				DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
 				Description:      `URL of router resource to be used for dynamic routing.`,
 			},
+			"shared_secret": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Description: `Shared secret used to set the secure session between the Cloud VPN
+gateway and the peer VPN gateway.`,
+				Sensitive:    true,
+				ExactlyOneOf: []string{"shared_secret", "shared_secret_wo"},
+			},
+			"shared_secret_wo": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Description: `Shared secret used to set the secure session between the Cloud VPN
+gateway and the peer VPN gateway.
+ Note: This property is write-only and will not be read from the API. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes)`,
+				WriteOnly:    true,
+				ExactlyOneOf: []string{"shared_secret", "shared_secret_wo"},
+				RequiredWith: []string{"shared_secret_wo_version"},
+			},
+			"shared_secret_wo_version": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				Description:  `Triggers update of shared_secret_wo write-only. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes)`,
+				RequiredWith: []string{"shared_secret_wo"},
+			},
 			"target_vpn_gateway": {
 				Type:             schema.TypeString,
 				Optional:         true,
@@ -564,6 +582,18 @@ func resourceComputeVpnTunnelCreate(d *schema.ResourceData, meta interface{}) er
 	} else if v, ok := d.GetOkExists("cipher_suite"); !tpgresource.IsEmptyValue(reflect.ValueOf(cipherSuiteProp)) && (ok || !reflect.DeepEqual(v, cipherSuiteProp)) {
 		obj["cipherSuite"] = cipherSuiteProp
 	}
+	sharedSecretWoProp, err := expandComputeVpnTunnelSharedSecretWo(tpgresource.GetRawConfigAttributeAsString(d, "shared_secret_wo"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("shared_secret_wo"); !tpgresource.IsEmptyValue(reflect.ValueOf(sharedSecretWoProp)) && (ok || !reflect.DeepEqual(v, sharedSecretWoProp)) {
+		obj["sharedSecret"] = sharedSecretWoProp
+	}
+	sharedSecretWoVersionProp, err := expandComputeVpnTunnelSharedSecretWoVersion(d.Get("shared_secret_wo_version"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("shared_secret_wo_version"); !tpgresource.IsEmptyValue(reflect.ValueOf(sharedSecretWoVersionProp)) && (ok || !reflect.DeepEqual(v, sharedSecretWoVersionProp)) {
+		obj["sharedSecretWoVersion"] = sharedSecretWoVersionProp
+	}
 	effectiveLabelsProp, err := expandComputeVpnTunnelEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -800,6 +830,9 @@ func resourceComputeVpnTunnelRead(d *schema.ResourceData, meta interface{}) erro
 	if err := d.Set("cipher_suite", flattenComputeVpnTunnelCipherSuite(res["cipherSuite"], d, config)); err != nil {
 		return fmt.Errorf("Error reading VpnTunnel: %s", err)
 	}
+	if err := d.Set("shared_secret_wo_version", flattenComputeVpnTunnelSharedSecretWoVersion(res["sharedSecretWoVersion"], d, config)); err != nil {
+		return fmt.Errorf("Error reading VpnTunnel: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenComputeVpnTunnelTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading VpnTunnel: %s", err)
 	}
@@ -1214,6 +1247,10 @@ func flattenComputeVpnTunnelCipherSuitePhase2Pfs(v interface{}, d *schema.Resour
 	return schema.NewSet(schema.HashString, v.([]interface{}))
 }
 
+func flattenComputeVpnTunnelSharedSecretWoVersion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return d.Get("shared_secret_wo_version")
+}
+
 func flattenComputeVpnTunnelTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -1474,6 +1511,14 @@ func expandComputeVpnTunnelCipherSuitePhase2Pfs(v interface{}, d tpgresource.Ter
 	return v, nil
 }
 
+func expandComputeVpnTunnelSharedSecretWo(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandComputeVpnTunnelSharedSecretWoVersion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandComputeVpnTunnelEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

google-beta/services/compute/resource_compute_vpn_tunnel_generated_meta.yaml

@@ -31,6 +31,10 @@ fields:
   - field: 'router'
   - field: 'shared_secret'
   - field: 'shared_secret_hash'
+  - field: 'shared_secret_wo'
+    api_field: 'shared_secret'
+  - field: 'shared_secret_wo_version'
+    provider_only: true
   - field: 'target_vpn_gateway'
   - field: 'terraform_labels'
     provider_only: true

google-beta/services/compute/resource_compute_vpn_tunnel_generated_test.go

@@ -49,7 +49,7 @@ func TestAccComputeVpnTunnel_vpnTunnelBasicExample(t *testing.T) {
 				ResourceName:            "google_compute_vpn_tunnel.tunnel1",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"labels", "peer_external_gateway", "peer_gcp_gateway", "region", "router", "shared_secret", "target_vpn_gateway", "terraform_labels", "vpn_gateway"},
+				ImportStateVerifyIgnore: []string{"labels", "peer_external_gateway", "peer_gcp_gateway", "region", "router", "shared_secret", "shared_secret_wo", "target_vpn_gateway", "terraform_labels", "vpn_gateway"},
 			},
 		},
 	})
@@ -141,7 +141,7 @@ func TestAccComputeVpnTunnel_vpnTunnelCipherSuiteExample(t *testing.T) {
 				ResourceName:            "google_compute_vpn_tunnel.tunnel1",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"labels", "peer_external_gateway", "peer_gcp_gateway", "region", "router", "shared_secret", "target_vpn_gateway", "terraform_labels", "vpn_gateway"},
+				ImportStateVerifyIgnore: []string{"labels", "peer_external_gateway", "peer_gcp_gateway", "region", "router", "shared_secret", "shared_secret_wo", "target_vpn_gateway", "terraform_labels", "vpn_gateway"},
 			},
 		},
 	})

google-beta/services/compute/resource_compute_vpn_tunnel_test.go

@@ -21,13 +21,15 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar"
 )
 
 func TestAccComputeVpnTunnel_regionFromGateway(t *testing.T) {
 	t.Parallel()
 	region := "us-central1"
+	suffix := acctest.RandString(t, 10)
 	if envvar.GetTestRegionFromEnv() == region {
 		// Make sure we choose a region that isn't the provider default
 		// in order to test getting the region from the gateway and not the
@@ -41,7 +43,7 @@ func TestAccComputeVpnTunnel_regionFromGateway(t *testing.T) {
 		CheckDestroy:             testAccCheckComputeVpnTunnelDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeVpnTunnel_regionFromGateway(acctest.RandString(t, 10), region),
+				Config: testAccComputeVpnTunnel_regionFromGateway(suffix, region),
 			},
 			{
 				ResourceName:            "google_compute_vpn_tunnel.foobar",
@@ -56,14 +58,60 @@ func TestAccComputeVpnTunnel_regionFromGateway(t *testing.T) {
 func TestAccComputeVpnTunnel_router(t *testing.T) {
 	t.Parallel()
 
+	suffix := acctest.RandString(t, 10)
 	router := fmt.Sprintf("tf-test-tunnel-%s", acctest.RandString(t, 10))
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckComputeVpnTunnelDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeVpnTunnelRouter(acctest.RandString(t, 10), router),
+				Config: testAccComputeVpnTunnelRouter(suffix, router),
+			},
+			{
+				ResourceName:            "google_compute_vpn_tunnel.foobar",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"shared_secret", "detailed_status"},
+			},
+		},
+	})
+}
+
+func TestAccComputeVpnTunnel_routerWithSharedSecretWo_update(t *testing.T) {
+	t.Parallel()
+
+	router := fmt.Sprintf("tf-test-tunnel-%s", acctest.RandString(t, 10))
+	suffix := acctest.RandString(t, 10)
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeVpnTunnelDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeVpnTunnelRouterWithSharedSecretWo(suffix, router),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("google_compute_vpn_tunnel.foobar", "shared_secret_wo"),
+					resource.TestCheckResourceAttr("google_compute_vpn_tunnel.foobar", "shared_secret_wo_version", "1"),
+				),
+			},
+			{
+				ResourceName:            "google_compute_vpn_tunnel.foobar",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"shared_secret", "detailed_status"},
+			},
+			{
+				Config: testAccComputeVpnTunnelRouterWithSharedSecretWo_update(suffix, router),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_compute_vpn_tunnel.foobar", plancheck.ResourceActionDestroyBeforeCreate),
+					},
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("google_compute_vpn_tunnel.foobar", "shared_secret_wo"),
+					resource.TestCheckResourceAttr("google_compute_vpn_tunnel.foobar", "shared_secret_wo_version", "2"),
+				),
 			},
 			{
 				ResourceName:            "google_compute_vpn_tunnel.foobar",
@@ -78,13 +126,14 @@ func TestAccComputeVpnTunnel_router(t *testing.T) {
 func TestAccComputeVpnTunnel_defaultTrafficSelectors(t *testing.T) {
 	t.Parallel()
 
+	suffix := acctest.RandString(t, 10)
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckComputeVpnTunnelDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeVpnTunnelDefaultTrafficSelectors(acctest.RandString(t, 10)),
+				Config: testAccComputeVpnTunnelDefaultTrafficSelectors(suffix),
 			},
 			{
 				ResourceName:            "google_compute_vpn_tunnel.foobar",
@@ -217,6 +266,122 @@ resource "google_compute_vpn_tunnel" "foobar" {
 `, suffix, router)
 }
 
+func testAccComputeVpnTunnelRouterWithSharedSecretWo(suffix, router string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+  name                    = "tf-test-%[1]s"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "foobar" {
+  name          = "tf-test-subnetwork-%[1]s"
+  network       = google_compute_network.foobar.self_link
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+}
+
+resource "google_compute_address" "foobar" {
+  name   = "tf-test-%[1]s"
+  region = google_compute_subnetwork.foobar.region
+}
+
+resource "google_compute_ha_vpn_gateway" "foobar" {
+  name    = "tf-test-%[1]s"
+  network = google_compute_network.foobar.self_link
+  region  = google_compute_subnetwork.foobar.region
+}
+
+resource "google_compute_external_vpn_gateway" "external_gateway" {
+  name            = "external-gateway-%[1]s"
+  redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
+  description     = "An externally managed VPN gateway"
+  interface {
+    id         = 0
+    ip_address = "8.8.8.8"
+  }
+}
+
+resource "google_compute_router" "foobar" {
+  name    = "%[2]s"
+  region  = google_compute_subnetwork.foobar.region
+  network = google_compute_network.foobar.self_link
+  bgp {
+    asn = 64514
+  }
+}
+
+resource "google_compute_vpn_tunnel" "foobar" {
+  name                            = "tf-test-%[1]s"
+  region                          = google_compute_subnetwork.foobar.region
+  vpn_gateway                     = google_compute_ha_vpn_gateway.foobar.id
+  peer_external_gateway           = google_compute_external_vpn_gateway.external_gateway.id
+  peer_external_gateway_interface = 0  
+  shared_secret_wo                = "I am write only, and should not be written to state"
+  shared_secret_wo_version        = 1
+  router                          = google_compute_router.foobar.self_link
+  vpn_gateway_interface           = 0  
+}
+`, suffix, router)
+}
+
+func testAccComputeVpnTunnelRouterWithSharedSecretWo_update(suffix, router string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+  name                    = "tf-test-%[1]s"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "foobar" {
+  name          = "tf-test-subnetwork-%[1]s"
+  network       = google_compute_network.foobar.self_link
+  ip_cidr_range = "10.0.0.0/16"
+  region        = "us-central1"
+}
+
+resource "google_compute_address" "foobar" {
+  name   = "tf-test-%[1]s"
+  region = google_compute_subnetwork.foobar.region
+}
+
+resource "google_compute_ha_vpn_gateway" "foobar" {
+  name    = "tf-test-%[1]s"
+  network = google_compute_network.foobar.self_link
+  region  = google_compute_subnetwork.foobar.region
+}
+
+resource "google_compute_external_vpn_gateway" "external_gateway" {
+  name            = "external-gateway-%[1]s"
+  redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
+  description     = "An externally managed VPN gateway"
+  interface {
+    id         = 0
+    ip_address = "8.8.8.8"
+  }
+}
+
+resource "google_compute_router" "foobar" {
+  name    = "%[2]s"
+  region  = google_compute_subnetwork.foobar.region
+  network = google_compute_network.foobar.self_link
+  bgp {
+    asn = 64514
+  }
+}
+
+resource "google_compute_vpn_tunnel" "foobar" {
+  name                            = "tf-test-%[1]s"
+  region                          = google_compute_subnetwork.foobar.region
+  vpn_gateway                     = google_compute_ha_vpn_gateway.foobar.id
+  peer_external_gateway           = google_compute_external_vpn_gateway.external_gateway.id
+  peer_external_gateway_interface = 0  
+  shared_secret_wo                = "This is another secret, but still write only"
+  shared_secret_wo_version        = 2
+  router                          = google_compute_router.foobar.self_link
+  vpn_gateway_interface           = 0  
+}
+`, suffix, router)
+}
+
 func testAccComputeVpnTunnelDefaultTrafficSelectors(suffix string) string {
 	return fmt.Sprintf(`
 resource "google_compute_network" "foobar" {

google-beta/tpgresource/utils.go

@@ -928,3 +928,33 @@ func ReducedPrefixedUniqueId(prefix string) string {
 	date := uniqueId[2:8]
 	return prefix + date + counter
 }
+
+// GetRawConfigAttributeAsString retrieves an attribute directly from the raw config
+// This is useful for retrieving values that are not directly accessible via the
+// standard schema.ResourceData.Get method, such as write-only attributes.
+func GetRawConfigAttributeAsString(d *schema.ResourceData, key string) string {
+	// see https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/write-only-arguments#retrieving-write-only-values
+	parts := strings.Split(key, ".")
+
+	var path cty.Path
+	if len(parts) > 0 {
+		path = cty.GetAttrPath(parts[0])
+	}
+
+	for i := 1; i < len(parts); i++ {
+		part := parts[i]
+
+		if index, err := strconv.Atoi(part); err == nil {
+			path = path.IndexInt(index)
+		} else {
+			path = path.GetAttr(part)
+		}
+	}
+
+	woCty, diags := d.GetRawConfigAt(path)
+	if len(diags) == 0 && !woCty.IsNull() && woCty.Type().Equals(cty.String) {
+		return woCty.AsString()
+	}
+
+	return ""
+}