hashicorp · modular-magician · Feb 14, 2026 · Feb 14, 2026
@@ -0,0 +1,3 @@
+```release-note:enhancement
+sql: added `server_certificate_rotation_mode` field to `google_sql_database_instance` resource (revert)
+```
@@ -104,7 +104,6 @@ var (
 		"settings.0.ip_configuration.0.ssl_mode",
 		"settings.0.ip_configuration.0.server_ca_mode",
 		"settings.0.ip_configuration.0.server_ca_pool",
-		"settings.0.ip_configuration.0.server_certificate_rotation_mode",
 		"settings.0.ip_configuration.0.custom_subject_alternative_names",
 	}
 
@@ -697,14 +696,6 @@ API (for read pools, effective_availability_type may differ from availability_ty
 										Description:  `The resource name of the server CA pool for an instance with "CUSTOMER_MANAGED_CAS_CA" as the "server_ca_mode".`,
 										AtLeastOneOf: ipConfigurationKeys,
 									},
-									"server_certificate_rotation_mode": {
-										Type:             schema.TypeString,
-										Optional:         true,
-										ValidateFunc:     validation.StringInSlice([]string{"NO_AUTOMATIC_ROTATION", "AUTOMATIC_ROTATION_DURING_MAINTENANCE"}, false),
-										Description:      `Settings for how the server certificate gets rotated.`,
-										AtLeastOneOf:     ipConfigurationKeys,
-										DiffSuppressFunc: serverCertificateRotationModeDiffSuppress,
-									},
 									"custom_subject_alternative_names": {
 										Type:     schema.TypeSet,
 										Optional: true,
@@ -1880,7 +1871,6 @@ func expandIpConfiguration(configured []interface{}, databaseVersion string) *sq
 		SslMode:                                 _ipConfiguration["ssl_mode"].(string),
 		ServerCaMode:                            _ipConfiguration["server_ca_mode"].(string),
 		ServerCaPool:                            _ipConfiguration["server_ca_pool"].(string),
-		ServerCertificateRotationMode:           _ipConfiguration["server_certificate_rotation_mode"].(string),
 		CustomSubjectAlternativeNames:           tpgresource.ConvertStringArr(_ipConfiguration["custom_subject_alternative_names"].(*schema.Set).List()),
 	}
 }
@@ -2723,15 +2713,6 @@ func databaseVersionDiffSuppress(_, oldVersion, newVersion string, _ *schema.Res
 	return false
 }
 
-func serverCertificateRotationModeDiffSuppress(_, oldMode, newMode string, _ *schema.ResourceData) bool {
-	// If the value is not set in the configuration (new is empty)
-	// and the API returns the default UNSPECIFIED value, suppress the diff.
-	if newMode == "" && oldMode == "SERVER_CERTIFICATE_ROTATION_MODE_UNSPECIFIED" {
-		return true
-	}
-	return false
-}
-
 func resourceSqlDatabaseInstanceDelete(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*transport_tpg.Config)
 	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
@@ -3106,7 +3087,6 @@ func flattenIpConfiguration(ipConfiguration *sqladmin.IpConfiguration, d *schema
 		"ssl_mode":                         ipConfiguration.SslMode,
 		"server_ca_mode":                   ipConfiguration.ServerCaMode,
 		"server_ca_pool":                   ipConfiguration.ServerCaPool,
-		"server_certificate_rotation_mode": ipConfiguration.ServerCertificateRotationMode,
 		"custom_subject_alternative_names": ipConfiguration.CustomSubjectAlternativeNames,
 	}
 

@@ -157,7 +157,6 @@ fields:
   - api_field: 'settings.ipConfiguration.pscConfig.pscEnabled'
   - api_field: 'settings.ipConfiguration.serverCaMode'
   - api_field: 'settings.ipConfiguration.serverCaPool'
-  - api_field: 'settings.ipConfiguration.serverCertificateRotationMode'
   - api_field: 'settings.ipConfiguration.sslMode'
   - api_field: 'settings.locationPreference.followGaeApplication'
   - api_field: 'settings.locationPreference.secondaryZone'

@@ -3879,7 +3879,6 @@ func TestAccSqlDatabaseInstance_useInternalCaByDefault(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_INTERNAL_CA"),
 					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_pool", ""),
-					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_certificate_rotation_mode", "SERVER_CERTIFICATE_ROTATION_MODE_UNSPECIFIED"),
 				),
 			},
 			{
@@ -3909,7 +3908,6 @@ func TestAccSqlDatabaseInstance_useCasBasedServerCa(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_CAS_CA"),
 					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_pool", ""),
-					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_certificate_rotation_mode", "SERVER_CERTIFICATE_ROTATION_MODE_UNSPECIFIED"),
 					resource.TestCheckResourceAttr(resourceName, "dns_names.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "dns_names.0.connection_type", "PUBLIC"),
 					resource.TestCheckResourceAttr(resourceName, "dns_names.0.dns_scope", "INSTANCE"),
@@ -3925,36 +3923,6 @@ func TestAccSqlDatabaseInstance_useCasBasedServerCa(t *testing.T) {
 	})
 }
 
-func TestAccSqlDatabaseInstance_setServerCertRotationMode(t *testing.T) {
-	t.Parallel()
-
-	databaseName := "tf-test-" + acctest.RandString(t, 10)
-	resourceName := "google_sql_database_instance.instance"
-	rotationMode := "AUTOMATIC_ROTATION_DURING_MAINTENANCE"
-
-	acctest.VcrTest(t, resource.TestCase{
-		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
-		CheckDestroy:             testAccSqlDatabaseInstanceDestroyProducer(t),
-
-		Steps: []resource.TestStep{
-			{
-				Config: testGoogleSqlDatabaseInstance_setServerCertRotationMode(databaseName, rotationMode),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_certificate_rotation_mode", rotationMode),
-					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_CAS_CA"),
-				),
-			},
-			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"deletion_protection"},
-			},
-		},
-	})
-}
-
 func TestAccSqlDatabaseInstance_useCustomSubjectAlternateName(t *testing.T) {
 	t.Parallel()
 
@@ -4671,7 +4639,6 @@ resource "google_sql_database_instance" "instance" {
 		ipv4_enabled    = "true"
 		server_ca_mode  = "CUSTOMER_MANAGED_CAS_CA"
 		server_ca_pool  = google_privateca_ca_pool.customer_ca_pool.id
-		server_certificate_rotation_mode = "AUTOMATIC_ROTATION_DURING_MAINTENANCE"
 		custom_subject_alternative_names = ["%{customSan}"]
 	}
   }
@@ -4760,10 +4727,9 @@ resource "google_sql_database_instance" "instance" {
   settings {
 	tier = "db-f1-micro"
 	ip_configuration {
-		ipv4_enabled                     = "true"
-		server_ca_mode                   = "CUSTOMER_MANAGED_CAS_CA"
-		server_ca_pool                   = google_privateca_ca_pool.customer_ca_pool.id
-		server_certificate_rotation_mode = "AUTOMATIC_ROTATION_DURING_MAINTENANCE"
+		ipv4_enabled    = "true"
+		server_ca_mode  = "CUSTOMER_MANAGED_CAS_CA"
+		server_ca_pool  = google_privateca_ca_pool.customer_ca_pool.id
 	}
   }
 
@@ -4790,25 +4756,6 @@ resource "google_sql_database_instance" "instance" {
 `, databaseName, serverCaMode)
 }
 
-func testGoogleSqlDatabaseInstance_setServerCertRotationMode(databaseName, rotationMode string) string {
-	return fmt.Sprintf(`
-resource "google_sql_database_instance" "instance" {
-  name                = "%s"
-  region              = "us-central1"
-  database_version    = "POSTGRES_15"
-  deletion_protection = false
-  settings {
-    tier = "db-f1-micro"
-    ip_configuration {
-      ipv4_enabled    = "true"
-      server_ca_mode  = "GOOGLE_MANAGED_CAS_CA"
-      server_certificate_rotation_mode = "%s"
-    }
-  }
-}
-`, databaseName, rotationMode)
-}
-
 func testGoogleSqlDatabaseInstance_setSslOptionsForPostgreSQL(databaseName string, databaseVersion string, sslMode string) string {
 	return fmt.Sprintf(`
 resource "google_sql_database_instance" "instance" {

@@ -548,8 +548,6 @@ This setting can be updated, but it cannot be removed after it is set.
 
 * `server_ca_pool` - (Optional) The resource name of the server CA pool for an instance with `CUSTOMER_MANAGED_CAS_CA` as the `server_ca_mode`.
 
-* `server_certificate_rotation_mode` - (Optional) Controls the automatic server certificate rotation feature. Supported values are `NO_AUTOMATIC_ROTATION`and `AUTOMATIC_ROTATION_DURING_MAINTENANCE`. `AUTOMATIC_ROTATION_DURING_MAINTENANCE` can only be set if `server_ca_mode` is either `GOOGLE_MANAGED_CAS_CA` or `CUSTOMER_MANAGED_CAS_CA`. See [API reference doc](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration) for details.
-
 * `custom_subject_alternative_names` - (Optional) The custom subject alternative names for an instance with `CUSTOMER_MANAGED_CAS_CA` as the `server_ca_mode`.
 
 * `allocated_ip_range` - (Optional) The name of the allocated ip range for the private ip CloudSQL instance. For example: "google-managed-services-default". If set, the instance ip will be created in the allocated range. The range name must comply with [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035). Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?.