Standardized required_with behavior for write-only fields (#14941) (#24083)

modular-magician · web-flow · commit a1a5c41512ca · 2025-08-21T16:17:15.000-07:00
[upstream:7b15bdcb5ac006445419f2ec4a7fcd4b7291fdd6]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/14941.txt b/.changelog/14941.txt
@@ -0,0 +1,11 @@
+```release-note:breaking-change
+sql: on `google_sql_user`, made `password_wo_version` required when `password_wo` is set
+```
+
+```release-note:breaking-change
+secretmanager: on `google_secret_manager_secret_version`, made `secret_data_wo` and `secret_data_wo_version` both required when one is set
+```
+
+```release-note:breaking-change
+monitoring: on `google_monitoring_uptime_check_config`, made it required to set exactly one of `http_check.auth_info.password` and `http_check.auth_info.password_wo`
+```
diff --git a/google/services/bigquerydatatransfer/resource_bigquery_data_transfer_config.go b/google/services/bigquerydatatransfer/resource_bigquery_data_transfer_config.go
@@ -301,6 +301,7 @@ to a different credential configuration in the config will require an apply to u
 							WriteOnly:     true,
 							ConflictsWith: []string{"sensitive_params.0.secret_access_key"},
 							AtLeastOneOf:  []string{"sensitive_params.0.secret_access_key_wo", "sensitive_params.0.secret_access_key"},
+							RequiredWith:  []string{"sensitive_params.0.secret_access_key_wo_version"},
 						},
 						"secret_access_key_wo_version": {
 							Type:         schema.TypeInt,
diff --git a/google/services/monitoring/resource_monitoring_uptime_check_config.go b/google/services/monitoring/resource_monitoring_uptime_check_config.go
@@ -176,14 +176,14 @@ func ResourceMonitoringUptimeCheckConfig() *schema.Resource {
 										Optional:     true,
 										Description:  `The password to authenticate.`,
 										Sensitive:    true,
-										ExactlyOneOf: []string{},
+										ExactlyOneOf: []string{"http_check.0.auth_info.0.password_wo", "http_check.0.auth_info.0.password"},
 									},
 									"password_wo": {
 										Type:         schema.TypeString,
 										Optional:     true,
 										Description:  `The password to authenticate.`,
 										WriteOnly:    true,
-										ExactlyOneOf: []string{},
+										ExactlyOneOf: []string{"http_check.0.auth_info.0.password_wo", "http_check.0.auth_info.0.password"},
 										RequiredWith: []string{"http_check.0.auth_info.0.password_wo_version"},
 									},
 									"password_wo_version": {
diff --git a/google/services/secretmanager/resource_secret_manager_secret_version.go b/google/services/secretmanager/resource_secret_manager_secret_version.go
@@ -90,28 +90,29 @@ func ResourceSecretManagerSecretVersion() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"secret_data_wo_version": {
-				Type:        schema.TypeInt,
-				Optional:    true,
-				ForceNew:    true,
-				Description: `Triggers update of secret data write-only. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes)`,
-				Default:     0,
-			},
 			"secret_data": {
 				Type:          schema.TypeString,
 				Optional:      true,
 				ForceNew:      true,
 				Description:   `The secret data. Must be no larger than 64KiB.`,
 				Sensitive:     true,
-				ConflictsWith: []string{},
+				ConflictsWith: []string{"secret_data_wo"},
 			},
 			"secret_data_wo": {
 				Type:          schema.TypeString,
 				Optional:      true,
 				Description:   `The secret data. Must be no larger than 64KiB. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes)`,
 				WriteOnly:     true,
 				ConflictsWith: []string{"secret_data"},
-				RequiredWith:  []string{},
+				RequiredWith:  []string{"secret_data_wo_version"},
+			},
+			"secret_data_wo_version": {
+				Type:         schema.TypeInt,
+				Optional:     true,
+				ForceNew:     true,
+				Description:  `Triggers update of secret data write-only. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes)`,
+				Default:      0,
+				RequiredWith: []string{"secret_data_wo"},
 			},
 
 			"secret": {
diff --git a/google/services/sql/resource_sql_user.go b/google/services/sql/resource_sql_user.go
@@ -119,6 +119,7 @@ func ResourceSqlUser() *schema.Resource {
 				Optional:      true,
 				WriteOnly:     true,
 				ConflictsWith: []string{"password"},
+				RequiredWith:  []string{"password_wo_version"},
 				Description: `The password for the user. Can be updated. For Postgres instances this is a Required field, unless type is set to
 				either CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT.`,
 			},
diff --git a/google/services/sql/resource_sql_user_test.go b/google/services/sql/resource_sql_user_test.go
@@ -455,6 +455,7 @@ resource "google_sql_user" "user1" {
   instance = google_sql_database_instance.instance.name
   host     = "gmail.com"
   password_wo = "%s"
+  password_wo_version = 1
 }
 `, instance, password)
 }
@@ -476,7 +477,7 @@ resource "google_sql_user" "user1" {
   instance = google_sql_database_instance.instance.name
   host     = "gmail.com"
   password_wo = "%s"
-  password_wo_version = 1
+  password_wo_version = 2
 }
 `, instance, password)
 }
diff --git a/website/docs/guides/version_7_upgrade.html.markdown b/website/docs/guides/version_7_upgrade.html.markdown
@@ -231,6 +231,12 @@ Remove `description` from your configuration after upgrade.
 
 Remove `post_startup_script_config` from your configuration after upgrade.
 
+## Resource: `google_monitoring_uptime_check_config`
+
+### Exactly one of `http_check.auth_info.password` and `http_check.auth_info.password_wo` must be set
+
+At least one must be set, and setting both would make it unclear which was being used.
+
 ## Resource: `google_network_services_lb_traffic_extension`
 
 ### `load_balancing_scheme` is now required
@@ -263,6 +269,18 @@ Remove `service_config.service` from your configuration after upgrade.
 
 Remove `template.containers.depends_on` from your configuration after upgrade.
 
+## Resource: `google_secret_manager_secret_version`
+
+### `secret_data_wo` and `secret_data_wo_version` must be set together
+
+This standardizes the behavior of write-only fields across the provider and makes it easier to remember to update the fields together.
+
+## Resource: `google_sql_user`
+
+### `password_wo_version` is now required when `password_wo` is set
+
+This standardizes the behavior of write-only fields across the provider and makes it easier to remember to update the fields together.
+
 ## Resource: `google_vertex_ai_endpoint`
 
 ### `enable_secure_private_service_connect` is removed as it is not available in the GA version of the API, only in the beta version.

Original file line number	Diff line number	Diff line change
`@@ -455,6 +455,7 @@ resource "google_sql_user" "user1" {`
`455`	`455`	`instance = google_sql_database_instance.instance.name`
`456`	`456`	`host = "gmail.com"`
`457`	`457`	`password_wo = "%s"`
	`458`	`+ password_wo_version = 1`
`458`	`459`	`}`
`459`	`460`	`, instance, password)
`460`	`461`	`}`
`@@ -476,7 +477,7 @@ resource "google_sql_user" "user1" {`
`476`	`477`	`instance = google_sql_database_instance.instance.name`
`477`	`478`	`host = "gmail.com"`
`478`	`479`	`password_wo = "%s"`
`479`		`- password_wo_version = 1`
	`480`	`+ password_wo_version = 2`
`480`	`481`	`}`
`481`	`482`	`, instance, password)
`482`	`483`	`}`