Add tags to Secret Manager Secret TagsR2401 (#14408) (#10360)

[upstream:ab5de21a39118626e749a1aa70dc828aab6ebf32]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14408.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+secretmanager: added `tags` field to `google_secret_manager_secret` to allow setting tags for secrets at creation time
+```

google-beta/services/secretmanager/resource_secret_manager_secret.go

@@ -253,6 +253,15 @@ If rotationPeriod is set, 'next_rotation_time' must be set. 'next_rotation_time'
 				},
 				RequiredWith: []string{"topics"},
 			},
+			"tags": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				ForceNew: true,
+				Description: `A map of resource manager tags.
+Resource manager tag keys and values have the same definition as resource manager tags.
+Keys must be in the format tagKeys/{tag_key_id}, and values are in the format tagValues/{tag_value_id}.`,
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
 			"topics": {
 				Type:        schema.TypeList,
 				Optional:    true,
@@ -397,6 +406,12 @@ func resourceSecretManagerSecretCreate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("rotation"); !tpgresource.IsEmptyValue(reflect.ValueOf(rotationProp)) && (ok || !reflect.DeepEqual(v, rotationProp)) {
 		obj["rotation"] = rotationProp
 	}
+	tagsProp, err := expandSecretManagerSecretTags(d.Get("tags"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("tags"); !tpgresource.IsEmptyValue(reflect.ValueOf(tagsProp)) && (ok || !reflect.DeepEqual(v, tagsProp)) {
+		obj["tags"] = tagsProp
+	}
 	labelsProp, err := expandSecretManagerSecretEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -1231,6 +1246,17 @@ func expandSecretManagerSecretRotationRotationPeriod(v interface{}, d tpgresourc
 	return v, nil
 }
 
+func expandSecretManagerSecretTags(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
+	if v == nil {
+		return map[string]string{}, nil
+	}
+	m := make(map[string]string)
+	for k, val := range v.(map[string]interface{}) {
+		m[k] = val.(string)
+	}
+	return m, nil
+}
+
 func expandSecretManagerSecretEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

google-beta/services/secretmanager/resource_secret_manager_secret_generated_meta.yaml

@@ -26,6 +26,7 @@ fields:
   - field: 'rotation.rotation_period'
   - field: 'secret_id'
     provider_only: true
+  - field: 'tags'
   - field: 'terraform_labels'
     provider_only: true
   - field: 'topics.name'

google-beta/services/secretmanager/resource_secret_manager_secret_generated_test.go

@@ -49,7 +49,7 @@ func TestAccSecretManagerSecret_secretConfigBasicExample(t *testing.T) {
 				ResourceName:            "google_secret_manager_secret.secret-basic",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "secret_id", "terraform_labels", "ttl"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "secret_id", "tags", "terraform_labels", "ttl"},
 			},
 		},
 	})
@@ -98,7 +98,7 @@ func TestAccSecretManagerSecret_secretWithAnnotationsExample(t *testing.T) {
 				ResourceName:            "google_secret_manager_secret.secret-with-annotations",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "terraform_labels", "ttl"},
+				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "tags", "terraform_labels", "ttl"},
 			},
 		},
 	})
@@ -147,7 +147,7 @@ func TestAccSecretManagerSecret_secretWithVersionDestroyTtlExample(t *testing.T)
 				ResourceName:            "google_secret_manager_secret.secret-with-version-destroy-ttl",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "terraform_labels", "ttl"},
+				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "tags", "terraform_labels", "ttl"},
 			},
 		},
 	})
@@ -187,7 +187,7 @@ func TestAccSecretManagerSecret_secretWithAutomaticCmekExample(t *testing.T) {
 				ResourceName:            "google_secret_manager_secret.secret-with-automatic-cmek",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "terraform_labels", "ttl"},
+				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "tags", "terraform_labels", "ttl"},
 			},
 		},
 	})

google-beta/services/secretmanager/resource_secret_manager_secret_test.go

@@ -507,6 +507,39 @@ func TestAccSecretManagerSecret_DeletionProtection(t *testing.T) {
 	})
 }
 
+func TestAccSecretManagerSecret_tags(t *testing.T) {
+	t.Parallel()
+
+	tagKey := acctest.BootstrapSharedTestOrganizationTagKey(t, "secret_manager_secret-tagkey", map[string]interface{}{})
+
+	context := map[string]interface{}{
+		"org":           envvar.GetTestOrgFromEnv(t),
+		"tagKey":        tagKey,
+		"tagValue":      acctest.BootstrapSharedTestOrganizationTagValue(t, "secret_manager_secret-tagvalue", tagKey),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckSecretManagerSecretDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSecretManagerSecretTags(context),
+			},
+			{
+				ResourceName:            "google_secret_manager_secret.secret-tags",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ttl", "labels", "terraform_labels", "deletion_protection", "tags"},
+			},
+			{
+				Config: testAccSecretManagerSecretTagsDeletionProtection(context),
+			},
+		},
+	})
+}
+
 func testAccSecretManagerSecret_basic(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_secret_manager_secret" "secret-basic" {
@@ -1317,3 +1350,54 @@ resource "google_secret_manager_secret" "secret-deletionprotection" {
 }
 `, context)
 }
+
+func testAccSecretManagerSecretTags(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_secret_manager_secret" "secret-tags" {
+  secret_id = "tf-test-secret-%{random_suffix}"
+  labels = {
+    label = "my-label"
+  }
+  replication {
+    user_managed {
+      replicas {
+        location = "us-central1"
+      }
+      replicas {
+        location = "us-east1"
+      }
+    }
+  }
+  ttl = "3600s"
+  tags = {
+	"%{org}/%{tagKey}" = "%{tagValue}"
+  }
+}
+`, context)
+}
+
+func testAccSecretManagerSecretTagsDeletionProtection(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_secret_manager_secret" "secret-tags" {
+  secret_id = "tf-test-secret-%{random_suffix}"
+  labels = {
+    label = "my-label"
+  }
+  replication {
+    user_managed {
+      replicas {
+        location = "us-central1"
+      }
+      replicas {
+        location = "us-east1"
+      }
+    }
+  }
+  ttl = "3600s"
+  tags = {
+	"%{org}/%{tagKey}" = "%{tagValue}"
+  }
+  deletion_protection = false
+}
+`, context)
+}

website/docs/r/secret_manager_secret.html.markdown

@@ -225,6 +225,12 @@ The following arguments are supported:
   The rotation time and period for a Secret. At `next_rotation_time`, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be set to configure rotation.
   Structure is [documented below](#nested_rotation).
 
+* `tags` -
+  (Optional)
+  A map of resource manager tags.
+  Resource manager tag keys and values have the same definition as resource manager tags.
+  Keys must be in the format tagKeys/{tag_key_id}, and values are in the format tagValues/{tag_value_id}.
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.