Add support for managed_server_ca to google_redis_cluster resource (#14172) (#23223)

modular-magician · web-flow · commit 293810e41bf0 · 2025-06-10T09:37:23.000-07:00
[upstream:9a878056ebd7c8ce44ed7cb281d2af3cc3d1f7dd]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/14172.txt b/.changelog/14172.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+redis: added `managed_server_ca` to `google_redis_cluster` resource
+```
diff --git a/google/services/redis/resource_redis_cluster.go b/google/services/redis/resource_redis_cluster.go
@@ -625,6 +625,32 @@ resolution and up to nine fractional digits.`,
 					},
 				},
 			},
+			"managed_server_ca": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: `Cluster's Certificate Authority. This field will only be populated if Redis Cluster's transit_encryption_mode is TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"ca_certs": {
+							Type:        schema.TypeList,
+							Computed:    true,
+							Description: `The PEM encoded CA certificate chains for redis managed server authentication`,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"certificates": {
+										Type:        schema.TypeList,
+										Computed:    true,
+										Description: `The certificates that form the CA chain, from leaf to root order`,
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			"precise_size_gb": {
 				Type:        schema.TypeFloat,
 				Computed:    true,
@@ -942,6 +968,18 @@ func resourceRedisClusterRead(d *schema.ResourceData, meta interface{}) error {
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("RedisCluster %q", d.Id()))
 	}
 
+	res, err = resourceRedisClusterDecoder(d, meta, res)
+	if err != nil {
+		return err
+	}
+
+	if res == nil {
+		// Decoding the object has resulted in it being gone. It may be marked deleted
+		log.Printf("[DEBUG] Removing RedisCluster because it no longer exists.")
+		d.SetId("")
+		return nil
+	}
+
 	if err := d.Set("project", project); err != nil {
 		return fmt.Errorf("Error reading Cluster: %s", err)
 	}
@@ -1026,6 +1064,9 @@ func resourceRedisClusterRead(d *schema.ResourceData, meta interface{}) error {
 	if err := d.Set("kms_key", flattenRedisClusterKmsKey(res["kmsKey"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Cluster: %s", err)
 	}
+	if err := d.Set("managed_server_ca", flattenRedisClusterManagedServerCa(res["managedServerCa"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Cluster: %s", err)
+	}
 
 	return nil
 }
@@ -2034,6 +2075,41 @@ func flattenRedisClusterKmsKey(v interface{}, d *schema.ResourceData, config *tr
 	return v
 }
 
+func flattenRedisClusterManagedServerCa(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["ca_certs"] =
+		flattenRedisClusterManagedServerCaCaCerts(original["caCerts"], d, config)
+	return []interface{}{transformed}
+}
+func flattenRedisClusterManagedServerCaCaCerts(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed = append(transformed, map[string]interface{}{
+			"certificates": flattenRedisClusterManagedServerCaCaCertsCertificates(original["certificates"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenRedisClusterManagedServerCaCaCertsCertificates(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandRedisClusterGcsSource(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -2733,3 +2809,54 @@ func resourceRedisClusterEncoder(d *schema.ResourceData, meta interface{}, obj m
 
 	return obj, nil
 }
+
+func resourceRedisClusterDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
+	// Such custom code is necessary as the Cluster's certificate authority has to be retrieved via a dedicated
+	// getCertificateAuthority API.
+	// See https://cloud.google.com/memorystore/docs/cluster/reference/rest/v1/projects.locations.clusters/getCertificateAuthority#http-request
+	// for details about this API.
+	config := meta.(*transport_tpg.Config)
+
+	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	if err != nil {
+		return nil, err
+	}
+
+	// Only clusters with TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION mode have certificate authority set
+	if v, ok := res["transitEncryptionMode"].(string); !ok || v != "TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION" {
+		return res, nil
+	}
+
+	url, err := tpgresource.ReplaceVars(d, config, "{{RedisBasePath}}projects/{{project}}/locations/{{region}}/clusters/{{name}}/certificateAuthority")
+	if err != nil {
+		return nil, err
+	}
+
+	billingProject := ""
+
+	project, err := tpgresource.GetProject(d, config)
+	if err != nil {
+		return nil, fmt.Errorf("Error fetching project for Cluster: %s", err)
+	}
+
+	billingProject = project
+
+	// err == nil indicates that the billing_project value was found
+	if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+		billingProject = bp
+	}
+
+	certificateAuthority, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "GET",
+		Project:   billingProject,
+		RawURL:    url,
+		UserAgent: userAgent,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("Error reading certificateAuthority: %s", err)
+	}
+
+	res["managedServerCa"] = certificateAuthority["managedServerCa"]
+	return res, nil
+}
diff --git a/google/services/redis/resource_redis_cluster_generated_meta.yaml b/google/services/redis/resource_redis_cluster_generated_meta.yaml
@@ -38,6 +38,7 @@ fields:
   - field: 'maintenance_schedule.schedule_deadline_time'
   - field: 'maintenance_schedule.start_time'
   - field: 'managed_backup_source.backup'
+  - field: 'managed_server_ca.ca_certs.certificates'
   - field: 'name'
     provider_only: true
   - field: 'node_type'
diff --git a/google/services/redis/resource_redis_cluster_test.go b/google/services/redis/resource_redis_cluster_test.go
@@ -1266,3 +1266,94 @@ func createRedisClusterResourceConfig(params *ClusterParams, isSecondaryCluster
 		crossClusterReplicationConfigBlock,
 		dependsOnBlock)
 }
+
+func TestAccRedisCluster_redisClusterTlsEnabled(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"deletion_protection_enabled": false,
+		"random_suffix":               acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckRedisClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccRedisCluster_redisClusterTlsEnabled(context),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("google_redis_cluster.cluster-tls", "managed_server_ca.0.ca_certs.0.certificates.0"),
+				),
+			},
+			{
+				ResourceName:            "google_redis_cluster.cluster-tls",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"gcs_source", "managed_backup_source", "name", "psc_configs", "region"},
+			},
+		},
+	})
+}
+
+func testAccRedisCluster_redisClusterTlsEnabled(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_redis_cluster" "cluster-tls" {
+  name           = "tf-test-tls-cluster%{random_suffix}"
+  shard_count    = 3
+  psc_configs {
+    network = google_compute_network.consumer_net.id
+  }
+  region = "us-central1"
+  replica_count = 1
+  node_type = "REDIS_SHARED_CORE_NANO"
+  transit_encryption_mode = "TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION"
+  authorization_mode = "AUTH_MODE_DISABLED"
+  redis_configs = {
+    maxmemory-policy	= "volatile-ttl"
+  }
+  deletion_protection_enabled = %{deletion_protection_enabled}
+
+  zone_distribution_config {
+    mode = "MULTI_ZONE"
+  }
+  maintenance_policy {
+    weekly_maintenance_window {
+      day = "MONDAY"
+      start_time {
+        hours = 1
+        minutes = 0
+        seconds = 0
+        nanos = 0
+      }
+    }
+  }
+  depends_on = [
+    google_network_connectivity_service_connection_policy.default
+  ]
+}
+
+resource "google_network_connectivity_service_connection_policy" "default" {
+  name = "tf-test-my-policy%{random_suffix}"
+  location = "us-central1"
+  service_class = "gcp-memorystore-redis"
+  description   = "my basic service connection policy"
+  network = google_compute_network.consumer_net.id
+  psc_config {
+    subnetworks = [google_compute_subnetwork.consumer_subnet.id]
+  }
+}
+
+resource "google_compute_subnetwork" "consumer_subnet" {
+  name          = "tf-test-my-subnet%{random_suffix}"
+  ip_cidr_range = "10.0.0.248/29"
+  region        = "us-central1"
+  network       = google_compute_network.consumer_net.id
+}
+
+resource "google_compute_network" "consumer_net" {
+  name                    = "tf-test-my-network%{random_suffix}"
+  auto_create_subnetworks = false
+}
+`, context)
+}
diff --git a/website/docs/r/redis_cluster.html.markdown b/website/docs/r/redis_cluster.html.markdown
@@ -1014,6 +1014,10 @@ In addition to the arguments listed above, the following computed attributes are
   Service attachment details to configure Psc connections.
   Structure is [documented below](#nested_psc_service_attachments).
 
+* `managed_server_ca` -
+  Cluster's Certificate Authority. This field will only be populated if Redis Cluster's transit_encryption_mode is TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION
+  Structure is [documented below](#nested_managed_server_ca).
+
 
 <a name="nested_discovery_endpoints"></a>The `discovery_endpoints` block contains:
 
@@ -1111,6 +1115,20 @@ In addition to the arguments listed above, the following computed attributes are
   (Output)
   Type of a PSC connection targeting this service attachment.
 
+<a name="nested_managed_server_ca"></a>The `managed_server_ca` block contains:
+
+* `ca_certs` -
+  (Output)
+  The PEM encoded CA certificate chains for redis managed server authentication
+  Structure is [documented below](#nested_managed_server_ca_ca_certs).
+
+
+<a name="nested_managed_server_ca_ca_certs"></a>The `ca_certs` block contains:
+
+* `certificates` -
+  (Output)
+  The certificates that form the CA chain, from leaf to root order
+
 ## Timeouts
 
 This resource provides the following

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+redis: added `managed_server_ca` to `google_redis_cluster` resource
	`3`	+```