fix(secretmanager): specify the project ID and secret name in the secretmanager (#15397) (hashicorp#11015)

[upstream:9222c7bd6e479d7c1b7baa12ad5e2dc579705883]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/15397.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+secretmanager: added project and short name support for secret on `ephemeral_google_secret_manager_secret_version`
+```
+
+```release-note:enhancement
+secretmanager: added project and short name support for secret on `google_secret_manager_secret_version`
+```

google-beta/services/secretmanager/ephemeral_google_secret_manager_secret_version.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
+	"strings"
 
 	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
 	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
@@ -142,12 +143,20 @@ func (p *googleEphemeralSecretManagerSecretVersion) Open(ctx context.Context, re
 	}
 
 	var url string
+	versionID := "latest"
 	if version != "" {
-		url = fmt.Sprintf("%s%s/versions/%s", config.SecretManagerBasePath, secret, version)
-	} else {
-		url = fmt.Sprintf("%s%s/versions/latest", config.SecretManagerBasePath, secret)
+		versionID = version
 	}
 
+	// The secret can be given as a full resource name or just the secret id.
+	fullSecretName := secret
+	if !strings.Contains(secret, "/") {
+		// If no slash is present, assume it's a secret id and construct the full resource name.
+		fullSecretName = fmt.Sprintf("projects/%s/secrets/%s", project, secret)
+	}
+
+	url = fmt.Sprintf("%s%s/versions/%s", config.SecretManagerBasePath, fullSecretName, versionID)
+
 	versionResp, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "GET",

google-beta/services/secretmanager/ephemeral_google_secret_manager_secret_version_test.go

@@ -40,6 +40,7 @@ func TestAccEphemeralSecretManagerSecretVersion_basic(t *testing.T) {
 				Config: testAccEphemeralSecretManagerSecretVersion_basic(secret, secretData),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.default", "secret_data", secretData),
+					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.from_secret_id", "secret_data", secretData),
 				),
 			},
 		},
@@ -62,6 +63,8 @@ func TestAccEphemeralSecretManagerSecretVersion_base64(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.default", "is_secret_data_base64", "true"),
 					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.default", "secret_data", base64.StdEncoding.EncodeToString([]byte(secretData))),
+					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.from_secret_id", "is_secret_data_base64", "true"),
+					resource.TestCheckResourceAttr("data.google_secret_manager_secret_version.from_secret_id", "secret_data", base64.StdEncoding.EncodeToString([]byte(secretData))),
 				),
 			},
 		},
@@ -84,20 +87,36 @@ resource "google_secret_manager_secret_version" "version" {
 }
 
 ephemeral "google_secret_manager_secret_version" "ephemeral" {
-  secret  = google_secret_manager_secret_version.version.secret
+  secret  = google_secret_manager_secret.secret.id
   version = google_secret_manager_secret_version.version.version
 }
 
 resource "google_secret_manager_secret_version" "version_two_based_on_ephemeral" {
-  secret  	             = google_secret_manager_secret_version.version.secret
-  secret_data_wo 		 = ephemeral.google_secret_manager_secret_version.ephemeral.secret_data
+  secret                 = google_secret_manager_secret_version.version.secret
+  secret_data_wo         = ephemeral.google_secret_manager_secret_version.ephemeral.secret_data
   secret_data_wo_version = "1"
 }
 
 data "google_secret_manager_secret_version" "default" {
   secret  = google_secret_manager_secret_version.version_two_based_on_ephemeral.secret
   version = google_secret_manager_secret_version.version_two_based_on_ephemeral.version
 }
+
+ephemeral "google_secret_manager_secret_version" "ephemeral_from_secret_id" {
+  secret  = google_secret_manager_secret.secret.secret_id
+  version = google_secret_manager_secret_version.version.version
+}
+
+resource "google_secret_manager_secret_version" "version_from_secret_id_ephemeral" {
+  secret                 = google_secret_manager_secret_version.version.secret
+  secret_data_wo         = ephemeral.google_secret_manager_secret_version.ephemeral_from_secret_id.secret_data
+  secret_data_wo_version = "2"
+}
+
+data "google_secret_manager_secret_version" "from_secret_id" {
+  secret  = google_secret_manager_secret_version.version_from_secret_id_ephemeral.secret
+  version = google_secret_manager_secret_version.version_from_secret_id_ephemeral.version
+}
 `, secret, secretData)
 }
 
@@ -112,28 +131,47 @@ resource "google_secret_manager_secret" "secret" {
 }
 
 resource "google_secret_manager_secret_version" "version" {
-  secret                 = google_secret_manager_secret.secret.id
-  secret_data            = base64encode("%s")
-  is_secret_data_base64  = true
+  secret                = google_secret_manager_secret.secret.id
+  secret_data           = base64encode("%s")
+  is_secret_data_base64 = true
 }
 
 ephemeral "google_secret_manager_secret_version" "ephemeral" {
-  secret  				= google_secret_manager_secret_version.version.secret
-  version 				= google_secret_manager_secret_version.version.version
+  secret                = google_secret_manager_secret.secret.id
+  version               = google_secret_manager_secret_version.version.version
   is_secret_data_base64 = true
 }
 
 resource "google_secret_manager_secret_version" "version_two_based_on_ephemeral" {
-  secret  	             = google_secret_manager_secret_version.version.secret
-  secret_data_wo 		 = ephemeral.google_secret_manager_secret_version.ephemeral.secret_data
+  secret                 = google_secret_manager_secret_version.version.secret
+  secret_data_wo         = ephemeral.google_secret_manager_secret_version.ephemeral.secret_data
   secret_data_wo_version = "1"
   is_secret_data_base64  = true
 }
 
 data "google_secret_manager_secret_version" "default" {
-  secret                 = google_secret_manager_secret_version.version_two_based_on_ephemeral.secret
-  version                = google_secret_manager_secret_version.version_two_based_on_ephemeral.version
+  secret                = google_secret_manager_secret_version.version_two_based_on_ephemeral.secret
+  version               = google_secret_manager_secret_version.version_two_based_on_ephemeral.version
+  is_secret_data_base64 = true
+}
+
+ephemeral "google_secret_manager_secret_version" "ephemeral_from_secret_id" {
+  secret                = google_secret_manager_secret.secret.secret_id
+  version               = google_secret_manager_secret_version.version.version
+  is_secret_data_base64 = true
+}
+
+resource "google_secret_manager_secret_version" "version_from_secret_id_ephemeral" {
+  secret                 = google_secret_manager_secret_version.version.secret
+  secret_data_wo         = ephemeral.google_secret_manager_secret_version.ephemeral_from_secret_id.secret_data
+  secret_data_wo_version = "2"
   is_secret_data_base64  = true
 }
+
+data "google_secret_manager_secret_version" "from_secret_id" {
+  secret                = google_secret_manager_secret_version.version_from_secret_id_ephemeral.secret
+  version               = google_secret_manager_secret_version.version_from_secret_id_ephemeral.version
+  is_secret_data_base64 = true
+}
 `, secret, secretData)
 }

google-beta/services/secretmanager/resource_secret_manager_secret_version.go

@@ -175,6 +175,14 @@ func ResourceSecretManagerSecretVersion() *schema.Resource {
 				Description: `The current state of the SecretVersion.`,
 				Default:     true,
 			},
+			"project": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Optional: true,
+				ForceNew: true,
+				Description: `The ID of the project in which the resource belongs. If it is not provided,
+the provider project is used`,
+			},
 			"create_time": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -253,6 +261,39 @@ func resourceSecretManagerSecretVersionCreate(d *schema.ResourceData, meta inter
 	}
 
 	headers := make(http.Header)
+	secret := d.Get("secret").(string)
+	secretRegex := regexp.MustCompile("^(?:projects/([^/]+)/secrets/)?([^/]+)$")
+
+	parts := secretRegex.FindStringSubmatch(secret)
+	if len(parts) != 2 && len(parts) != 3 {
+		return fmt.Errorf("secret does not fit any of the expected formats `projects/{{project}}/secrets/{{secret}}` or `{{secret}}`. Got: %s", secret)
+	}
+
+	// Add project ID to secret if only its name is provided
+	if parts[1] == "" {
+		project, err := tpgresource.GetProject(d, config)
+		if err != nil {
+			return fmt.Errorf("error fetching project for DomainTrust: %s", err)
+		}
+
+		if err = d.Set("project", project); err != nil {
+			return fmt.Errorf("error updating the project in state: %s", err)
+		}
+
+		if err = d.Set("secret", fmt.Sprintf("projects/%s/secrets/%s", project, parts[2])); err != nil {
+			return fmt.Errorf("error updating the secret with its project ID: %s", err)
+		}
+
+		// Override the url after updating the secret
+		url, err = tpgresource.ReplaceVars(d, config, "{{SecretManagerBasePath}}{{secret}}:addVersion")
+		if err != nil {
+			return err
+		}
+	} else if configProject, hasConfigProject := d.GetOk("project"); hasConfigProject {
+		if configProject != parts[1] {
+			return fmt.Errorf("project %s was supplied on the secret and %s supplied on the config, values conflict", parts[1], configProject)
+		}
+	}
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
 		Config:    config,
 		Method:    "POST",

google-beta/services/secretmanager/resource_secret_manager_secret_version_generated_meta.yaml

@@ -17,6 +17,8 @@ fields:
   - field: 'is_secret_data_base64'
     provider_only: true
   - api_field: 'name'
+  - field: 'project'
+    provider_only: true
   - field: 'secret'
     provider_only: true
   - api_field: 'payload.data'

google-beta/services/secretmanager/resource_secret_manager_secret_version_generated_test.go

@@ -69,7 +69,7 @@ func TestAccSecretManagerSecretVersion_secretVersionBasicExample(t *testing.T) {
 				ResourceName:            "google_secret_manager_secret_version.secret-version-basic",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"secret"},
+				ImportStateVerifyIgnore: []string{"project", "secret"},
 			},
 		},
 	})
@@ -117,7 +117,7 @@ func TestAccSecretManagerSecretVersion_secretVersionBasicWriteOnlyExample(t *tes
 				ResourceName:            "google_secret_manager_secret_version.secret-version-basic-write-only",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"secret"},
+				ImportStateVerifyIgnore: []string{"project", "secret"},
 			},
 		},
 	})
@@ -165,7 +165,7 @@ func TestAccSecretManagerSecretVersion_secretVersionDeletionPolicyAbandonExample
 				ResourceName:            "google_secret_manager_secret_version.secret-version-deletion-policy",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"deletion_policy", "secret"},
+				ImportStateVerifyIgnore: []string{"deletion_policy", "project", "secret"},
 			},
 		},
 	})
@@ -213,7 +213,7 @@ func TestAccSecretManagerSecretVersion_secretVersionDeletionPolicyDisableExample
 				ResourceName:            "google_secret_manager_secret_version.secret-version-deletion-policy",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"deletion_policy", "secret"},
+				ImportStateVerifyIgnore: []string{"deletion_policy", "project", "secret"},
 			},
 		},
 	})
@@ -262,7 +262,7 @@ func TestAccSecretManagerSecretVersion_secretVersionWithBase64StringSecretDataEx
 				ResourceName:            "google_secret_manager_secret_version.secret-version-base64",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"is_secret_data_base64", "secret"},
+				ImportStateVerifyIgnore: []string{"is_secret_data_base64", "project", "secret"},
 			},
 		},
 	})
@@ -311,7 +311,7 @@ func TestAccSecretManagerSecretVersion_secretVersionWithBase64StringSecretDataWr
 				ResourceName:            "google_secret_manager_secret_version.secret-version-base64-write-only",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"is_secret_data_base64", "secret"},
+				ImportStateVerifyIgnore: []string{"is_secret_data_base64", "project", "secret"},
 			},
 		},
 	})

google-beta/services/secretmanager/resource_secret_manager_secret_version_test.go

@@ -42,7 +42,7 @@ func TestAccSecretManagerSecretVersion_update(t *testing.T) {
 				ResourceName:            "google_secret_manager_secret_version.secret-version-basic",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version"},
+				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version", "project"},
 			},
 			{
 				Config: testAccSecretManagerSecretVersion_disable(context),
@@ -53,16 +53,41 @@ func TestAccSecretManagerSecretVersion_update(t *testing.T) {
 				ImportStateVerify: true,
 				// at this point the secret data is disabled and so reading the data on import will
 				// give an empty string
-				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version"},
+				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version", "project"},
 			},
 			{
-				Config: testAccSecretManagerSecretVersion_basic(context),
+				Config: testAccSecretManagerSecretVersion_byName(context),
+			},
+			{
+				ResourceName:            "google_secret_manager_secret_version.secret-version-basic",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version", "project"},
+			},
+		},
+	})
+}
+
+func TestAccSecretManagerSecretVersion_byName(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckSecretManagerSecretVersionDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSecretManagerSecretVersion_byName(context),
 			},
 			{
 				ResourceName:            "google_secret_manager_secret_version.secret-version-basic",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version"},
+				ImportStateVerifyIgnore: []string{"secret_data", "secret_data_wo_version", "project", "secret"},
 			},
 		},
 	})
@@ -86,7 +111,7 @@ resource "google_secret_manager_secret_version" "secret-version-basic" {
   secret = google_secret_manager_secret.secret-basic.name
 
   secret_data = "my-tf-test-secret%{random_suffix}"
-  enabled = true
+  enabled     = true
 }
 `, context)
 }
@@ -109,7 +134,32 @@ resource "google_secret_manager_secret_version" "secret-version-basic" {
   secret = google_secret_manager_secret.secret-basic.name
 
   secret_data = "my-tf-test-secret%{random_suffix}"
-  enabled = false
+  enabled     = false
+}
+`, context)
+}
+
+func testAccSecretManagerSecretVersion_byName(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_secret_manager_secret" "secret-basic" {
+  secret_id = "tf-test-secret-version-%{random_suffix}"
+
+  labels = {
+    label = "my-label"
+  }
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "secret-version-basic" {
+  secret = "tf-test-secret-version-%{random_suffix}"
+
+  secret_data = "my-tf-test-secret%{random_suffix}"
+  enabled     = true
+
+	depends_on = [google_secret_manager_secret.secret-basic]
 }
 `, context)
 }

website/docs/r/secret_manager_secret_version.html.markdown

@@ -236,6 +236,11 @@ The following arguments are supported:
   (Optional)
   Triggers update of secret data write-only. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes)
 
+* `project` -
+  (Optional)
+  The ID of the project in which the resource belongs. If it is not provided,
+  the provider project is used
+
 * `deletion_policy` - (Optional) The deletion policy for the secret version. Setting `ABANDON` allows the resource
 to be abandoned rather than deleted. Setting `DISABLE` allows the resource to be
 disabled rather than deleted. Default is `DELETE`. Possible values are: