Add deletion_protection field to Secret Manager Secret (#14394) (#23480)

[upstream:9bf4df756b3dbdf754d974383513bcbf5a0a8c47]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14394.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+secretmanager: added `deletion_protection` field to `google_secret_manager_secret` resource to make deleting them require an explicit intent. `google_active_directory_domain` resources now cannot be destroyed unless `deletion_protection = false` is set for the resource.
+```

google/services/secretmanager/iam_secret_manager_secret_generated_test.go

@@ -349,6 +349,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_member" "foo" {
@@ -379,6 +380,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 data "google_iam_policy" "foo" {
@@ -423,6 +425,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 data "google_iam_policy" "foo" {
@@ -455,6 +458,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_binding" "foo" {
@@ -485,6 +489,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_binding" "foo" {
@@ -515,6 +520,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_binding" "foo" {
@@ -550,6 +556,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_binding" "foo" {
@@ -605,6 +612,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_member" "foo" {
@@ -640,6 +648,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 resource "google_secret_manager_secret_iam_member" "foo" {
@@ -695,6 +704,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 
 data "google_iam_policy" "foo" {

google/services/secretmanager/resource_secret_manager_secret.go

@@ -328,6 +328,14 @@ the actual destruction happens after this TTL expires.`,
  and default labels configured on the provider.`,
 				Elem: &schema.Schema{Type: schema.TypeString},
 			},
+			"deletion_protection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Description: `Whether Terraform will be prevented from destroying the secret. Defaults to false.
+When the field is set to true in Terraform state, a 'terraform apply'
+or 'terraform destroy' that would delete the secret will fail.`,
+				Default: false,
+			},
 			"project": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -486,6 +494,12 @@ func resourceSecretManagerSecretRead(d *schema.ResourceData, meta interface{}) e
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("SecretManagerSecret %q", d.Id()))
 	}
 
+	// Explicitly set virtual fields to default values if unset
+	if _, ok := d.GetOkExists("deletion_protection"); !ok {
+		if err := d.Set("deletion_protection", false); err != nil {
+			return fmt.Errorf("Error setting deletion_protection: %s", err)
+		}
+	}
 	if err := d.Set("project", project); err != nil {
 		return fmt.Errorf("Error reading Secret: %s", err)
 	}
@@ -725,6 +739,9 @@ func resourceSecretManagerSecretDelete(d *schema.ResourceData, meta interface{})
 	}
 
 	headers := make(http.Header)
+	if d.Get("deletion_protection").(bool) {
+		return fmt.Errorf("cannot destroy secret manager secret without setting deletion_protection=false and running `terraform apply`")
+	}
 
 	log.Printf("[DEBUG] Deleting Secret %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
@@ -762,6 +779,11 @@ func resourceSecretManagerSecretImport(d *schema.ResourceData, meta interface{})
 	}
 	d.SetId(id)
 
+	// Explicitly set virtual fields to default values on import
+	if err := d.Set("deletion_protection", false); err != nil {
+		return nil, fmt.Errorf("Error setting deletion_protection: %s", err)
+	}
+
 	return []*schema.ResourceData{d}, nil
 }
 

google/services/secretmanager/resource_secret_manager_secret_generated_meta.yaml

@@ -9,6 +9,8 @@ api_variant_patterns:
 fields:
   - field: 'annotations'
   - field: 'create_time'
+  - field: 'deletion_protection'
+    provider_only: true
   - field: 'effective_annotations'
     provider_only: true
   - field: 'effective_labels'

google/services/secretmanager/resource_secret_manager_secret_generated_test.go

@@ -49,7 +49,7 @@ func TestAccSecretManagerSecret_secretConfigBasicExample(t *testing.T) {
 				ResourceName:            "google_secret_manager_secret.secret-basic",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "secret_id", "terraform_labels", "ttl"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "secret_id", "terraform_labels", "ttl"},
 			},
 		},
 	})
@@ -74,6 +74,7 @@ resource "google_secret_manager_secret" "secret-basic" {
       }
     }
   }
+  deletion_protection = false
 }
 `, context)
 }