add old attribute names back in to prevent breaking change (#6607) (#4728)

Co-authored-by: megan07 <[email protected]>
Co-authored-by: Pawel Krawczyk <[email protected]>
Co-authored-by: pawel-grz-krawczyk <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: megan07 <[email protected]>
Co-authored-by: Pawel Krawczyk <[email protected]>
Co-authored-by: pawel-grz-krawczyk <[email protected]>

Author: 3 people

.changelog/6607.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+certificatemanager: added public/private PEM fields `pem_certificate` / `pem_private_key` and deprecated `certificate_pem` / `private_key_pem`
+```

google-beta/resource_certificate_manager_certificate.go

@@ -185,21 +185,40 @@ certificates before they expire remains the user's responsibility.`,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"certificate_pem": {
+							Type:       schema.TypeString,
+							Optional:   true,
+							Deprecated: "Deprecated in favor of `pem_certificate`",
+							Description: `**Deprecated** The certificate chain in PEM-encoded form.
+
+Leaf certificate comes first, followed by intermediate ones if any.`,
+							Sensitive:    true,
+							ExactlyOneOf: []string{"self_managed.0.certificate_pem", "self_managed.0.pem_certificate"},
+						},
+						"pem_certificate": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
 							Description: `The certificate chain in PEM-encoded form.
 
 Leaf certificate comes first, followed by intermediate ones if any.`,
-							Sensitive: true,
+							ExactlyOneOf: []string{"self_managed.0.certificate_pem", "self_managed.0.pem_certificate"},
+						},
+						"pem_private_key": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Description:  `The private key of the leaf certificate in PEM-encoded form.`,
+							ExactlyOneOf: []string{"self_managed.0.private_key_pem", "self_managed.0.pem_private_key"},
 						},
 						"private_key_pem": {
-							Type:        schema.TypeString,
-							Required:    true,
-							Description: `The private key of the leaf certificate in PEM-encoded form.`,
-							Sensitive:   true,
+							Type:         schema.TypeString,
+							Optional:     true,
+							Deprecated:   "Deprecated in favor of `pem_private_key`",
+							Description:  `**Deprecated** The private key of the leaf certificate in PEM-encoded form.`,
+							Sensitive:    true,
+							ExactlyOneOf: []string{"self_managed.0.private_key_pem", "self_managed.0.pem_private_key"},
 						},
 					},
 				},
+				Sensitive:    true,
 				ExactlyOneOf: []string{"self_managed", "managed"},
 			},
 			"project": {
@@ -341,9 +360,6 @@ func resourceCertificateManagerCertificateRead(d *schema.ResourceData, meta inte
 	if err := d.Set("scope", flattenCertificateManagerCertificateScope(res["scope"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Certificate: %s", err)
 	}
-	if err := d.Set("self_managed", flattenCertificateManagerCertificateSelfManaged(res["selfManaged"], d, config)); err != nil {
-		return fmt.Errorf("Error reading Certificate: %s", err)
-	}
 	if err := d.Set("managed", flattenCertificateManagerCertificateManaged(res["managed"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Certificate: %s", err)
 	}
@@ -503,29 +519,6 @@ func flattenCertificateManagerCertificateScope(v interface{}, d *schema.Resource
 	return v
 }
 
-func flattenCertificateManagerCertificateSelfManaged(v interface{}, d *schema.ResourceData, config *Config) interface{} {
-	if v == nil {
-		return nil
-	}
-	original := v.(map[string]interface{})
-	if len(original) == 0 {
-		return nil
-	}
-	transformed := make(map[string]interface{})
-	transformed["certificate_pem"] =
-		flattenCertificateManagerCertificateSelfManagedCertificatePem(original["certificatePem"], d, config)
-	transformed["private_key_pem"] =
-		flattenCertificateManagerCertificateSelfManagedPrivateKeyPem(original["privateKeyPem"], d, config)
-	return []interface{}{transformed}
-}
-func flattenCertificateManagerCertificateSelfManagedCertificatePem(v interface{}, d *schema.ResourceData, config *Config) interface{} {
-	return v
-}
-
-func flattenCertificateManagerCertificateSelfManagedPrivateKeyPem(v interface{}, d *schema.ResourceData, config *Config) interface{} {
-	return v
-}
-
 func flattenCertificateManagerCertificateManaged(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	if v == nil {
 		return nil
@@ -661,6 +654,20 @@ func expandCertificateManagerCertificateSelfManaged(v interface{}, d TerraformRe
 		transformed["privateKeyPem"] = transformedPrivateKeyPem
 	}
 
+	transformedPemCertificate, err := expandCertificateManagerCertificateSelfManagedPemCertificate(original["pem_certificate"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPemCertificate); val.IsValid() && !isEmptyValue(val) {
+		transformed["pemCertificate"] = transformedPemCertificate
+	}
+
+	transformedPemPrivateKey, err := expandCertificateManagerCertificateSelfManagedPemPrivateKey(original["pem_private_key"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPemPrivateKey); val.IsValid() && !isEmptyValue(val) {
+		transformed["pemPrivateKey"] = transformedPemPrivateKey
+	}
+
 	return transformed, nil
 }
 
@@ -672,6 +679,14 @@ func expandCertificateManagerCertificateSelfManagedPrivateKeyPem(v interface{},
 	return v, nil
 }
 
+func expandCertificateManagerCertificateSelfManagedPemCertificate(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandCertificateManagerCertificateSelfManagedPemPrivateKey(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandCertificateManagerCertificateManaged(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {

google-beta/resource_certificate_manager_certificate_generated_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
-func TestAccCertificateManagerCertificate_certificateManagerCertificateBasicExample(t *testing.T) {
+func TestAccCertificateManagerCertificate_certificateManagerSelfManagedCertificateExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
@@ -36,48 +36,29 @@ func TestAccCertificateManagerCertificate_certificateManagerCertificateBasicExam
 		CheckDestroy: testAccCheckCertificateManagerCertificateDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccCertificateManagerCertificate_certificateManagerCertificateBasicExample(context),
+				Config: testAccCertificateManagerCertificate_certificateManagerSelfManagedCertificateExample(context),
 			},
 			{
 				ResourceName:            "google_certificate_manager_certificate.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"name", "managed.0.dns_authorizations"},
+				ImportStateVerifyIgnore: []string{"self_managed", "name"},
 			},
 		},
 	})
 }
 
-func testAccCertificateManagerCertificate_certificateManagerCertificateBasicExample(context map[string]interface{}) string {
+func testAccCertificateManagerCertificate_certificateManagerSelfManagedCertificateExample(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_certificate_manager_certificate" "default" {
-  name        = "tf-test-dns-cert%{random_suffix}"
+  name        = "tf-test-self-managed-cert%{random_suffix}"
   description = "The default cert"
   scope       = "EDGE_CACHE"
-  managed {
-    domains = [
-      google_certificate_manager_dns_authorization.instance.domain,
-      google_certificate_manager_dns_authorization.instance2.domain,
-      ]
-    dns_authorizations = [
-      google_certificate_manager_dns_authorization.instance.id,
-      google_certificate_manager_dns_authorization.instance2.id,
-      ]
+  self_managed {
+    pem_certificate = file("test-fixtures/certificatemanager/cert.pem")
+    pem_private_key = file("test-fixtures/certificatemanager/private-key.pem")
   }
 }
-
-
-resource "google_certificate_manager_dns_authorization" "instance" {
-  name        = "tf-test-dns-auth%{random_suffix}"
-  description = "The default dnss"
-  domain      = "subdomain%{random_suffix}.hashicorptest.com"
-}
-
-resource "google_certificate_manager_dns_authorization" "instance2" {
-  name        = "tf-test-dns-auth2%{random_suffix}"
-  description = "The default dnss"
-  domain      = "subdomain2%{random_suffix}.hashicorptest.com"
-}
 `, context)
 }
 

google-beta/test-fixtures/certificatemanager/cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAfegAwIBAgIUDOiCLH9QNMMYnjPZVf4VwO9blsEwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjIwODI0MDg0MDUxWhgPMzAy
+MTEyMjUwODQwNTFaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOT925GG4lKV9HvAHsbecMhGPAqjhVRC26iZ
+UJC8oSWOu95lWJSX5ZhbiF6Nz192wDGV/VAh3Lxj8RYtcn75eDxQKTcKouDld+To
+CGIStPFWbR6rbysLuZqFVEXVOTvp2QIegInfrvnGC4j7Qpic7zrFB9HzJx+0HpeE
+yO4gkdzJfEK/gMmolUgJrKX59o+0+Rj+Jq3EtcQxL1fVBVJSx0NvpoR1eYpnHMr/
+rJKZkUUZ2xE86hrtpiP6OEYQTi00rmf4GnZF5QfGGD0xuoQXtR7Tu+XhKibXIhxc
+D4RzPLX1QS040PXvmMPLDb4YlUQ6V3Rs42JDvkkDwIMXZvn8awIDAQABo1MwUTAd
+BgNVHQ4EFgQURuo1CCZZAUv7xi02f2nC5tRbf18wHwYDVR0jBBgwFoAURuo1CCZZ
+AUv7xi02f2nC5tRbf18wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAqx3tDxurnYr9EUPhF5/LlDPYM+VI7EgrKdRnuIqUlZI0tm3vOGME0te6dBTC
+YLNaHLW3m/4Tm4M2eg0Kpz6CxJfn3109G31dCi0xwzSDHf5TPUWvqIVhq5WRgMIf
+n8KYBlQSmqdJBRztUIQH/UPFnSbxymlS4s5qwDgTH5ag9EEBcnWsQ2LZjKi0eqve
+MaqAvvB+j8RGZzYY4re94bSJI42zIZ6nMWPtXwRuDc30xl/u+E0jWIgWbPwSd6Km
+3wnJnGiU2ezPGq3zEU+Rc39VVIFKQpciNeYuF3neHPJvYOf58qW2Z8s0VH0MR1x3
+3DoO/e30FIr9j+PRD+s5BPKF2A==
+-----END CERTIFICATE-----

google-beta/test-fixtures/certificatemanager/private-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC85P3bkYbiUpX0
+e8Aext5wyEY8CqOFVELbqJlQkLyhJY673mVYlJflmFuIXo3PX3bAMZX9UCHcvGPx
+Fi1yfvl4PFApNwqi4OV35OgIYhK08VZtHqtvKwu5moVURdU5O+nZAh6Aid+u+cYL
+iPtCmJzvOsUH0fMnH7Qel4TI7iCR3Ml8Qr+AyaiVSAmspfn2j7T5GP4mrcS1xDEv
+V9UFUlLHQ2+mhHV5imccyv+skpmRRRnbETzqGu2mI/o4RhBOLTSuZ/gadkXlB8YY
+PTG6hBe1HtO75eEqJtciHFwPhHM8tfVBLTjQ9e+Yw8sNvhiVRDpXdGzjYkO+SQPA
+gxdm+fxrAgMBAAECggEAV4/A24TQpV4KFBw/WSTvnRFBeXinB1mhamhztWR6hCrA
+SPcVPKQY632eRI8sJmpGxl3V/Ogl4khT/cA9jfstEl7G++v/WrRsupCaPLSVnlnX
+KdsTNgOauk1WK9P5PMA4rPcuA4Cl91riQpubeWn8KWsxRWg90i+Ak8PB8lBsOaB1
+QzjigWlrRWSpodaw0MBIMZFDL2BYK8HEr+wyATYIyGvDQc9zCnMQIQIZyEPYepLO
+04Dw17YcjgnoJ5gLAFiTvDrCpTMewud1RQzvW5TAvG2piw34sf3QMGPM7aXNrfuZ
+4ZPC/MwVQgq9Nc+jeDsjApQmJKJ+3a8OdIPU89ArTQKBgQDCpHHQe1RzpHmIx47/
+9N5r+NPBhh8flDYmvgi6zPeBfrAaLWhidS8c7Voa6HwvMxbhryDEvc0YqI3vllfy
+xnRF+DfSryozW0gjrkXDGoOzqOJ3EuQwLSJnyX6La2lmufqsRFazwYJ5sxcjoGHK
+/sbwZkIUj1ejuH44ve+ZJQFfpwKBgQD4cLJrJhqImUDhHZRx9jBvxyeHy/RjmHK6
+70xQVDi9ZqeExHwtoSbolhXKLB1RtBnw+t5Csy7IDNBDsbUg9fXU8KyCTIdmsyws
+bDb5hdKsUF76rkKzlpttiXMRVWGS3CMKWahBpnL3lFB3tdtmskemkBTXVn4VgKAH
+xk9XnZ11nQKBgDbQSJ0FnkrSzscOK984/ko50Kh3NNyXyIgwjBTPFASLwNweXX8c
+sR/cV7usLQy9vnvf7cJ6EQAYt5/5Httnt+bceBwE6EV+N1qVAWBoXx6BOQV/dHN8
+wmun+tMYdJ5RUZ6hwCjvHedX3/RQfjnEdhHNOl6/31Zj5mfkVU0zdqeRAoGAcvIh
+erXMfPr7K6y16+xOCMmKHqhc0F/OZXMmSdxNzEPcqe8GzU3MZLxcJIg4oH7FqdtI
+Tm/86w4Spd9owHFMZlNcXYTu+LNZcsw2u0gRayxcZXuO3OyHySxZEuIAHSTBCZ7l
+3EoY0zfJ6zk249MEl6n+GouoFmbGpBI6z3zbR3kCgYEAlCNZVH4uJrP5beTOZTTR
+VJRk7BXvEC6HsM140YtIN7NHy2GtzrgmmY/ZAFB/hX8Ft4ex2MxbIp3hvxroTqGn
+bfu7uv97NoPQqbjtc3Mz8h2IaXTVDUnWYY5gDu6rM2w+Z75/sWIGiTWrsdYX4ohb
+ujngzJ7Ew7GgKSboj6mtlVM=
+-----END PRIVATE KEY-----

website/docs/r/certificate_manager_certificate.html.markdown

@@ -24,46 +24,27 @@ Certificate represents a HTTP-reachable backend for a Certificate.
 
 
 
-~> **Warning:** All arguments including `self_managed.certificate_pem` and `self_managed.private_key_pem` will be stored in the raw
+~> **Warning:** All arguments including `self_managed`, `self_managed.certificate_pem`, and `self_managed.private_key_pem` will be stored in the raw
 state as plain-text. [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
 
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
-  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_certificate_basic&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_self_managed_certificate&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
-## Example Usage - Certificate Manager Certificate Basic
+## Example Usage - Certificate Manager Self Managed Certificate
 
 
 ```hcl
 resource "google_certificate_manager_certificate" "default" {
-  name        = "dns-cert"
+  name        = "self-managed-cert"
   description = "The default cert"
   scope       = "EDGE_CACHE"
-  managed {
-    domains = [
-      google_certificate_manager_dns_authorization.instance.domain,
-      google_certificate_manager_dns_authorization.instance2.domain,
-      ]
-    dns_authorizations = [
-      google_certificate_manager_dns_authorization.instance.id,
-      google_certificate_manager_dns_authorization.instance2.id,
-      ]
+  self_managed {
+    pem_certificate = file("test-fixtures/certificatemanager/cert.pem")
+    pem_private_key = file("test-fixtures/certificatemanager/private-key.pem")
   }
 }
-
-
-resource "google_certificate_manager_dns_authorization" "instance" {
-  name        = "dns-auth"
-  description = "The default dnss"
-  domain      = "subdomain.hashicorptest.com"
-}
-
-resource "google_certificate_manager_dns_authorization" "instance2" {
-  name        = "dns-auth2"
-  description = "The default dnss"
-  domain      = "subdomain2.hashicorptest.com"
-}
 ```
 
 ## Argument Reference
@@ -103,6 +84,7 @@ The following arguments are supported:
   Certificate data for a SelfManaged Certificate.
   SelfManaged Certificates are uploaded by the user. Updating such
   certificates before they expire remains the user's responsibility.
+  **Note**: This property is sensitive and will not be displayed in the plan.
   Structure is [documented below](#nested_self_managed).
 
 * `managed` -
@@ -119,16 +101,25 @@ The following arguments are supported:
 <a name="nested_self_managed"></a>The `self_managed` block supports:
 
 * `certificate_pem` -
-  (Required)
-  The certificate chain in PEM-encoded form.
+  (Optional, Deprecated)
+  **Deprecated** The certificate chain in PEM-encoded form.
   Leaf certificate comes first, followed by intermediate ones if any.
   **Note**: This property is sensitive and will not be displayed in the plan.
 
 * `private_key_pem` -
-  (Required)
-  The private key of the leaf certificate in PEM-encoded form.
+  (Optional, Deprecated)
+  **Deprecated** The private key of the leaf certificate in PEM-encoded form.
   **Note**: This property is sensitive and will not be displayed in the plan.
 
+* `pem_certificate` -
+  (Optional)
+  The certificate chain in PEM-encoded form.
+  Leaf certificate comes first, followed by intermediate ones if any.
+
+* `pem_private_key` -
+  (Optional)
+  The private key of the leaf certificate in PEM-encoded form.
+
 <a name="nested_managed"></a>The `managed` block supports:
 
 * `domains` -