Update google_bigquery_table schema change detection to take into account presence of row access policy (#15028) (#24284)

[upstream:ca38991aa9a6cff767e5f256cb5aee2ffc9c9513]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/15028.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+bigquery: updated the schema change detection for `google_bigquery_table` to take into account presence of row access policy
+```

google/services/bigquery/resource_bigquery_table.go

@@ -287,9 +287,38 @@ func bigQueryTableNormalizePolicyTags(val interface{}) interface{} {
 	return val
 }
 
+func bigQueryTableHasRowAccessPolicy(config *transport_tpg.Config, project, datasetId, tableId string) (bool, error) {
+	url := fmt.Sprintf("https://bigquery.googleapis.com/bigquery/v2/projects/%s/datasets/%s/tables/%s/rowAccessPolicies", project, datasetId, tableId)
+	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "GET",
+		RawURL:    url,
+		UserAgent: config.UserAgent,
+	})
+
+	if err != nil {
+		return false, err
+	}
+
+	if policies, ok := res["rowAccessPolicies"]; ok {
+		if policiesList, ok := policies.([]interface{}); ok && len(policiesList) > 0 {
+			log.Printf("[INFO] Table has row access policies, schema change detected dropped columns and will force the table to recreate.")
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func bigQueryTableHasRowAccessPolicyFunc(config *transport_tpg.Config, project, datasetId, tableId string) func() (bool, error) {
+	return func() (bool, error) {
+		return bigQueryTableHasRowAccessPolicy(config, project, datasetId, tableId)
+	}
+}
+
 // Compares two existing schema implementations and decides if
 // it is changeable.. pairs with a force new on not changeable
-func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTable bool, topLevel bool) (bool, error) {
+func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTable bool, topLevel bool, hasRowAccessPolicyFunc func() (bool, error)) (bool, error) {
 	switch old.(type) {
 	case []interface{}:
 		arrayOld := old.([]interface{})
@@ -330,7 +359,7 @@ func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTab
 				continue
 			}
 
-			isChangable, err := resourceBigQueryTableSchemaIsChangeable(mapOld[key], mapNew[key], isExternalTable, false)
+			isChangable, err := resourceBigQueryTableSchemaIsChangeable(mapOld[key], mapNew[key], isExternalTable, false, hasRowAccessPolicyFunc)
 			if err != nil || !isChangable {
 				return false, err
 			} else if isChangable && topLevel {
@@ -341,7 +370,18 @@ func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTab
 		// in-place column dropping alongside column additions is not allowed
 		// as of now because user intention can be ambiguous (e.g. column renaming)
 		newColumns := len(arrayNew) - sameNameColumns
-		return (droppedColumns == 0) || (newColumns == 0), nil
+		isSchemaChangeable := (droppedColumns == 0) || (newColumns == 0)
+		if isSchemaChangeable && topLevel {
+			hasRowAccessPolicy, err := hasRowAccessPolicyFunc()
+			if err != nil {
+				// Default behavior when we can't get row access policies data.
+				return isSchemaChangeable, nil
+			}
+			if hasRowAccessPolicy {
+				isSchemaChangeable = false
+			}
+		}
+		return isSchemaChangeable, nil
 	case map[string]interface{}:
 		objectOld := old.(map[string]interface{})
 		objectNew, ok := new.(map[string]interface{})
@@ -387,7 +427,7 @@ func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTab
 					return false, nil
 				}
 			case "fields":
-				return resourceBigQueryTableSchemaIsChangeable(valOld, valNew, isExternalTable, false)
+				return resourceBigQueryTableSchemaIsChangeable(valOld, valNew, isExternalTable, false, hasRowAccessPolicyFunc)
 
 				// other parameters: description, policyTags and
 				// policyTags.names[] are changeable
@@ -404,7 +444,7 @@ func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTab
 	}
 }
 
-func resourceBigQueryTableSchemaCustomizeDiffFunc(d tpgresource.TerraformResourceDiff) error {
+func resourceBigQueryTableSchemaCustomizeDiffFunc(d tpgresource.TerraformResourceDiff, hasRowAccessPolicyFunc func() (bool, error)) error {
 	if _, hasSchema := d.GetOk("schema"); hasSchema {
 		oldSchema, newSchema := d.GetChange("schema")
 		oldSchemaText := oldSchema.(string)
@@ -427,7 +467,7 @@ func resourceBigQueryTableSchemaCustomizeDiffFunc(d tpgresource.TerraformResourc
 			log.Printf("[DEBUG] unable to unmarshal json customized diff - %v", err)
 		}
 		_, isExternalTable := d.GetOk("external_data_configuration")
-		isChangeable, err := resourceBigQueryTableSchemaIsChangeable(old, new, isExternalTable, true)
+		isChangeable, err := resourceBigQueryTableSchemaIsChangeable(old, new, isExternalTable, true, hasRowAccessPolicyFunc)
 		if err != nil {
 			return err
 		}
@@ -442,7 +482,15 @@ func resourceBigQueryTableSchemaCustomizeDiffFunc(d tpgresource.TerraformResourc
 }
 
 func resourceBigQueryTableSchemaCustomizeDiff(_ context.Context, d *schema.ResourceDiff, meta interface{}) error {
-	return resourceBigQueryTableSchemaCustomizeDiffFunc(d)
+	config := meta.(*transport_tpg.Config)
+	project, err := tpgresource.GetProjectFromDiff(d, config)
+	if err != nil {
+		return err
+	}
+	datasetId := d.Get("dataset_id").(string)
+	tableId := d.Get("table_id").(string)
+	hasRowAccessPolicyFunc := bigQueryTableHasRowAccessPolicyFunc(config, project, datasetId, tableId)
+	return resourceBigQueryTableSchemaCustomizeDiffFunc(d, hasRowAccessPolicyFunc)
 }
 
 func validateBigQueryTableSchema(v interface{}, k string) (warnings []string, errs []error) {

google/services/bigquery/resource_bigquery_table_internal_test.go

@@ -420,13 +420,6 @@ func (testcase *testUnitBigQueryDataTableJSONChangeableTestCase) check(t *testin
 	if err := json.Unmarshal([]byte(testcase.jsonNew), &new); err != nil {
 		t.Fatalf("unable to unmarshal json - %v", err)
 	}
-	changeable, err := resourceBigQueryTableSchemaIsChangeable(old, new, testcase.isExternalTable, true)
-	if err != nil {
-		t.Errorf("%s failed unexpectedly: %s", testcase.name, err)
-	}
-	if changeable != testcase.changeable {
-		t.Errorf("expected changeable result of %v but got %v for testcase %s", testcase.changeable, changeable, testcase.name)
-	}
 
 	d := &tpgresource.ResourceDiffMock{
 		Before: map[string]interface{}{},
@@ -441,7 +434,19 @@ func (testcase *testUnitBigQueryDataTableJSONChangeableTestCase) check(t *testin
 		d.After["external_data_configuration"] = ""
 	}
 
-	err = resourceBigQueryTableSchemaCustomizeDiffFunc(d)
+	hasRowAccessPolicyFunc := func() (bool, error) {
+		return false, nil
+	}
+
+	changeable, err := resourceBigQueryTableSchemaIsChangeable(old, new, testcase.isExternalTable, true, hasRowAccessPolicyFunc)
+	if err != nil {
+		t.Errorf("%s failed unexpectedly: %s", testcase.name, err)
+	}
+	if changeable != testcase.changeable {
+		t.Errorf("expected changeable result of %v but got %v for testcase %s", testcase.changeable, changeable, testcase.name)
+	}
+
+	err = resourceBigQueryTableSchemaCustomizeDiffFunc(d, hasRowAccessPolicyFunc)
 	if err != nil {
 		t.Errorf("error on testcase %s - %v", testcase.name, err)
 	}

google/services/bigquery/resource_bigquery_table_test.go

@@ -18,14 +18,13 @@ package bigquery_test
 
 import (
 	"fmt"
-	"regexp"
-	"strings"
-	"testing"
-
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
 	"github.com/hashicorp/terraform-provider-google/google/envvar"
+	"regexp"
+	"strings"
+	"testing"
 )
 
 func TestAccBigQueryTable_Basic(t *testing.T) {
@@ -1819,7 +1818,74 @@ func TestAccBigQueryTable_invalidSchemas(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryTable_schemaColumnDropWithRowAccessPolicy(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_id": envvar.GetTestProjectFromEnv(),
+		"dataset_id": fmt.Sprintf("tf_test_dataset_%s", acctest.RandString(t, 10)),
+		"table_id":   fmt.Sprintf("tf_test_table_%s", acctest.RandString(t, 10)),
+		"policy_id":  fmt.Sprintf("tf_test_policy_%s", acctest.RandString(t, 10)),
+	}
+
+	var tableCreationTime string
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryTableDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryTableWithSchemaAndRowAccessPolicy(context),
+				Check: resource.ComposeTestCheckFunc(
+					// Store the creationTime of the original table
+					func(s *terraform.State) error {
+						rs, ok := s.RootModule().Resources["google_bigquery_table.test"]
+						if !ok {
+							return fmt.Errorf("Not found: google_bigquery_table.test")
+						}
+						tableCreationTime = rs.Primary.Attributes["creation_time"]
+						return nil
+					},
+				),
+			},
+			{
+				ResourceName:            "google_bigquery_table.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection", "ignore_auto_generated_schema", "generated_schema_columns"},
+			},
+			{
+				Config: testAccBigQueryTableWithSchemaColumnDroppedAndRowAccessPolicy(context), // Change column to trigger ForceNew
+				Check: resource.ComposeTestCheckFunc(
+					// Verify that creationTime has changed, implying that the table was recreated.
+					func(s *terraform.State) error {
+						rs, ok := s.RootModule().Resources["google_bigquery_table.test"]
+						if !ok {
+							return fmt.Errorf("Not found: google_bigquery_table.test")
+						}
+						newTimeCreated := rs.Primary.Attributes["creation_time"]
+						if newTimeCreated == tableCreationTime {
+							return fmt.Errorf("creationTime should have changed on recreation, but it's still %s", newTimeCreated)
+						}
+						return nil
+					},
+				),
+				ExpectNonEmptyPlan: true,
+			},
+			{
+				ResourceName:            "google_bigquery_table.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection", "ignore_auto_generated_schema", "generated_schema_columns"},
+			},
+		},
+	})
+}
+
 func TestAccBigQueryTable_schemaWithRequiredFieldAndView(t *testing.T) {
+	t.Parallel()
+
 	datasetID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
 	tableID := fmt.Sprintf("tf_test_%s", acctest.RandString(t, 10))
 
@@ -4688,6 +4754,100 @@ resource "google_bigquery_table" "test" {
 `, datasetID, tableID, schema)
 }
 
+func testAccBigQueryTableWithSchemaAndRowAccessPolicy(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_bigquery_dataset" "test" {
+  dataset_id = "%{dataset_id}"
+}
+
+resource "google_bigquery_table" "test" {
+  deletion_protection = false
+  dataset_id = google_bigquery_dataset.test.dataset_id
+  table_id   = "%{table_id}"
+
+  schema = <<EOF
+[
+  {
+    "name": "user_id",
+    "type": "STRING",
+    "mode": "REQUIRED",
+    "description": "Unique identifier for the user"
+  },
+  {
+    "name": "email",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "User's email address"
+  },
+  {
+    "name": "region",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "User's assigned region"
+  }
+]
+EOF
+}
+
+resource "google_bigquery_row_access_policy" "test" {
+  dataset_id = google_bigquery_table.test.dataset_id
+  table_id   = google_bigquery_table.test.table_id
+  policy_id  = "%{policy_id}"
+
+  grantees = [
+    "group:[email protected]"
+  ]
+  filter_predicate = "email = SESSION_USER()"
+
+  depends_on = [google_bigquery_table.test]
+}
+`, context)
+}
+
+func testAccBigQueryTableWithSchemaColumnDroppedAndRowAccessPolicy(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_bigquery_dataset" "test" {
+  dataset_id = "%{dataset_id}"
+}
+
+resource "google_bigquery_table" "test" {
+  deletion_protection = false
+  dataset_id = google_bigquery_dataset.test.dataset_id
+  table_id   = "%{table_id}"
+
+  schema = <<EOF
+[
+  {
+    "name": "user_id",
+    "type": "STRING",
+    "mode": "REQUIRED",
+    "description": "Unique identifier for the user"
+  },
+  {
+    "name": "email",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "User's email address"
+  }
+]
+EOF
+}
+
+resource "google_bigquery_row_access_policy" "test" {
+  dataset_id = google_bigquery_table.test.dataset_id
+  table_id   = google_bigquery_table.test.table_id
+  policy_id  = "%{policy_id}"
+
+  grantees = [
+    "group:[email protected]"
+  ]
+  filter_predicate = "email = SESSION_USER()"
+
+  depends_on = [google_bigquery_table.test]
+}
+`, context)
+}
+
 func testAccBigQueryTableWithReplicationInfoAndView(datasetID, tableID string) string {
 	return fmt.Sprintf(`
 resource "google_bigquery_dataset" "test" {