AlloyDB Cluster custom diff to check initial user & password set on create (#15596) (#10999) (#11000)

slevenick · modular-magician · web-flow · commit ef9d05e7b6ec · 2025-11-04T12:01:19.000-05:00
[upstream:10e9eab203085d9483e7edaf1271186040ee3a60]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
Co-authored-by: The Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/15596.txt b/.changelog/15596.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+alloydb: marked `initial_user.password` as required on create of new `google_alloydb_cluster` resources
+```
diff --git a/google-beta/services/alloydb/resource_alloydb_cluster.go b/google-beta/services/alloydb/resource_alloydb_cluster.go
@@ -35,6 +35,18 @@ import (
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/verify"
 )
 
+func alloydbClusterCustomizeDiff(_ context.Context, diff *schema.ResourceDiff, meta interface{}) error {
+	_, nType := diff.GetChange("cluster_type")
+	// Only check on new resource creation for primary clusters
+	if diff.Id() == "" && nType == "PRIMARY" {
+		_, n := diff.GetChange("initial_user.0.password")
+		if n == "" {
+			return fmt.Errorf("New AlloyDB Clusters must have initial_user.password specified")
+		}
+	}
+	return nil
+}
+
 func ResourceAlloydbCluster() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAlloydbClusterCreate,
@@ -53,6 +65,7 @@ func ResourceAlloydbCluster() *schema.Resource {
 		},
 
 		CustomizeDiff: customdiff.All(
+			alloydbClusterCustomizeDiff,
 			tpgresource.SetLabelsDiff,
 			tpgresource.SetAnnotationsDiff,
 			tpgresource.DefaultProviderProject,
@@ -304,7 +317,7 @@ Note: Changing this field to a higer version results in upgrading the AlloyDB cl
 			"initial_user": {
 				Type:        schema.TypeList,
 				Optional:    true,
-				Description: `Initial user to setup during cluster creation.`,
+				Description: `Initial user to setup during cluster creation. This must be set for all new Clusters.`,
 				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
diff --git a/google-beta/services/alloydb/resource_alloydb_cluster_test.go b/google-beta/services/alloydb/resource_alloydb_cluster_test.go
@@ -309,7 +309,7 @@ func TestAccAlloydbCluster_addAutomatedBackupPolicyAndInitialUser(t *testing.T)
 		CheckDestroy:             testAccCheckAlloydbClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAlloydbCluster_withoutInitialUserAndAutomatedBackupPolicy(context),
+				Config: testAccAlloydbCluster_withoutAutomatedBackupPolicy(context),
 			},
 			{
 				ResourceName:            "google_alloydb_cluster.default",
@@ -359,7 +359,7 @@ func TestAccAlloydbCluster_deleteAutomatedBackupPolicyAndInitialUser(t *testing.
 				ImportStateVerifyIgnore: []string{"deletion_protection", "initial_user", "cluster_id", "location"},
 			},
 			{
-				Config: testAccAlloydbCluster_withoutInitialUserAndAutomatedBackupPolicy(context),
+				Config: testAccAlloydbCluster_withoutAutomatedBackupPolicy(context),
 			},
 			{
 				ResourceName:            "google_alloydb_cluster.default",
@@ -460,7 +460,7 @@ resource "google_compute_network" "default" {
 `, context)
 }
 
-func testAccAlloydbCluster_withoutInitialUserAndAutomatedBackupPolicy(context map[string]interface{}) string {
+func testAccAlloydbCluster_withoutAutomatedBackupPolicy(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_alloydb_cluster" "default" {
   cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
@@ -1765,3 +1765,71 @@ func TestAccAlloydbCluster_standardClusterUpdateFailure(t *testing.T) {
 		},
 	})
 }
+
+// Ensures cluster throws expected errors for not specifying initial user on create
+func TestAccAlloydbCluster_withoutInitialUserFailure(t *testing.T) {
+	t.Parallel()
+	errorPattern := `New AlloyDB Clusters must have initial_user.password specified`
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckAlloydbClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccAlloydbCluster_withoutInitialUser(context),
+				ExpectError: regexp.MustCompile(errorPattern),
+			},
+		},
+	})
+}
+
+// Ensures cluster update does not throw errors for not specifying initial user after create
+func TestAccAlloydbCluster_withoutInitialUserUpdate(t *testing.T) {
+	t.Parallel()
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckAlloydbClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAlloydbCluster_alloydbClusterBasicExample(context),
+			},
+			{
+				Config: testAccAlloydbCluster_withoutInitialUser(context),
+			},
+		},
+	})
+}
+
+func testAccAlloydbCluster_withoutInitialUser(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_alloydb_cluster" "default" {
+  cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
+  location   = "us-central1"
+  network_config {
+    network = google_compute_network.default.id
+  }
+
+  deletion_protection = false
+
+  lifecycle {
+    prevent_destroy = false
+  }  
+}
+
+data "google_project" "project" {
+}
+
+resource "google_compute_network" "default" {
+  name = "tf-test-alloydb-cluster%{random_suffix}"
+}
+`, context)
+}
diff --git a/google-beta/services/alloydb/resource_alloydb_secondary_cluster_test.go b/google-beta/services/alloydb/resource_alloydb_secondary_cluster_test.go
@@ -233,6 +233,10 @@ resource "google_alloydb_cluster" "secondary" {
     network = data.google_compute_network.default.id
   }
 
+  initial_user {
+    password = "tf-test-alloydb-cluster%{random_suffix}"
+  }
+
   continuous_backup_config {
     enabled = false
   }
@@ -310,6 +314,10 @@ resource "google_alloydb_cluster" "secondary" {
   }
   cluster_type = "PRIMARY"
 
+  initial_user {
+    password = "tf-test-alloydb-cluster%{random_suffix}"
+  }
+
   continuous_backup_config {
     enabled = false
   }
diff --git a/website/docs/r/alloydb_cluster.html.markdown b/website/docs/r/alloydb_cluster.html.markdown
@@ -429,7 +429,7 @@ The following arguments are supported:
 
 * `initial_user` -
   (Optional)
-  Initial user to setup during cluster creation.
+  Initial user to setup during cluster creation. This must be set for all new Clusters.
   Structure is [documented below](#nested_initial_user).
 
 * `restore_backup_source` -

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:breaking-change
	`2`	+alloydb: marked `initial_user.password` as required on create of new `google_alloydb_cluster` resources
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -233,6 +233,10 @@ resource "google_alloydb_cluster" "secondary" {`
`233`	`233`	`network = data.google_compute_network.default.id`
`234`	`234`	`}`
`235`	`235`
	`236`	`+ initial_user {`
	`237`	`+ password = "tf-test-alloydb-cluster%{random_suffix}"`
	`238`	`+ }`
	`239`	`+`
`236`	`240`	`continuous_backup_config {`
`237`	`241`	`enabled = false`
`238`	`242`	`}`
`@@ -310,6 +314,10 @@ resource "google_alloydb_cluster" "secondary" {`
`310`	`314`	`}`
`311`	`315`	`cluster_type = "PRIMARY"`
`312`	`316`
	`317`	`+ initial_user {`
	`318`	`+ password = "tf-test-alloydb-cluster%{random_suffix}"`
	`319`	`+ }`
	`320`	`+`
`313`	`321`	`continuous_backup_config {`
`314`	`322`	`enabled = false`
`315`	`323`	`}`