Fix issue with google_compute_backend_service IAP client secret @ update (#2978)

/cc @rileykarson
2024-07-01 07:42:40 +00:00 · 2019-02-01 10:57:45 -08:00 · 2019-02-01 10:57:45 -08:00 · e5a1c5f997
commit e5a1c5f997
parent 3d43932a49
4 changed files with 29 additions and 19 deletions
--- a/google/resource_compute_backend_service.go
+++ b/google/resource_compute_backend_service.go
@ -1,7 +1,6 @@
 package google

 import (
-	"crypto/sha256"
 	"errors"
 	"fmt"
 	"log"
@ -53,12 +52,11 @@ func resourceComputeBackendService() *schema.Resource {
 							Type:      schema.TypeString,
 							Required:  true,
 							Sensitive: true,
-							DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
-								if old == fmt.Sprintf("%x", sha256.Sum256([]byte(new))) {
-									return true
-								}
-								return false
-							},
+						},
+						"oauth2_client_secret_sha256": {
+							Type:      schema.TypeString,
+							Computed:  true,
+							Sensitive: true,
 						},
 					},
 				},
@ -321,7 +319,7 @@ func resourceComputeBackendServiceRead(d *schema.ResourceData, meta interface{})
 	d.Set("self_link", ConvertSelfLinkToV1(service.SelfLink))
 	d.Set("backend", flattenBackends(service.Backends))
 	d.Set("connection_draining_timeout_sec", service.ConnectionDraining.DrainingTimeoutSec)
-	d.Set("iap", flattenIap(service.Iap))
+	d.Set("iap", flattenIap(d, service.Iap))
 	d.Set("project", project)
 	guardedHealthChecks := make([]string, len(service.HealthChecks))
 	for i, v := range service.HealthChecks {
@ -423,18 +421,17 @@ func expandIap(configured []interface{}) *computeBeta.BackendServiceIAP {
 	}
 }

-func flattenIap(iap *computeBeta.BackendServiceIAP) []map[string]interface{} {
+func flattenIap(d *schema.ResourceData, iap *computeBeta.BackendServiceIAP) []map[string]interface{} {
 	result := make([]map[string]interface{}, 0, 1)
 	if iap == nil || !iap.Enabled {
 		return result
 	}

-	result = append(result, map[string]interface{}{
-		"oauth2_client_id":     iap.Oauth2ClientId,
-		"oauth2_client_secret": iap.Oauth2ClientSecretSha256,
+	return append(result, map[string]interface{}{
+		"oauth2_client_id":            iap.Oauth2ClientId,
+		"oauth2_client_secret":        d.Get("iap.0.oauth2_client_secret"),
+		"oauth2_client_secret_sha256": iap.Oauth2ClientSecretSha256,
 	})
-
-	return result
 }

 func expandBackends(configured []interface{}) ([]*computeBeta.Backend, error) {
--- a/google/resource_compute_backend_service_test.go
+++ b/google/resource_compute_backend_service_test.go
@ -111,14 +111,15 @@ func TestAccComputeBackendService_withBackendAndIAP(t *testing.T) {
 				Config: testAccComputeBackendService_withBackendAndIAP(
 					serviceName, igName, itName, checkName, 10),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckComputeBackendServiceExistsWithIAP(
-						"google_compute_backend_service.lipsum", &svc),
+					testAccCheckComputeBackendServiceExistsWithIAP("google_compute_backend_service.lipsum", &svc),
+					resource.TestCheckResourceAttr("google_compute_backend_service.lipsum", "iap.0.oauth2_client_secret", "test"),
 				),
 			},
 			{
-				ResourceName:      "google_compute_backend_service.lipsum",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_compute_backend_service.lipsum",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
 			},
 			{
 				Config: testAccComputeBackendService_withBackend(
--- a/website/docs/r/compute_backend_service.html.markdown
+++ b/website/docs/r/compute_backend_service.html.markdown
@ -179,12 +179,16 @@ The `iap` block supports:
 * `oauth2_client_id` - (Required) The client ID for use with OAuth 2.0.

 * `oauth2_client_secret` - (Required) The client secret for use with OAuth 2.0.
+Out of band changes to this field will not be detected by Terraform, and it may
+perform spurious no-op updates when imported, or upgraded from pre-`2.0.0`.

 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are
 exported:

+* `iap.0.oauth2_client_secret_sha256` - The SHA256 hash of the OAuth 2.0 client secret value.
+
 * `fingerprint` - The fingerprint of the backend service.

 * `self_link` - The URI of the created resource.
--- a/website/docs/version_2_upgrade.html.markdown
+++ b/website/docs/version_2_upgrade.html.markdown
@ -289,6 +289,14 @@ for more details.

 Use the [`google-beta` provider](#google-beta-provider) to set this field.

+### `iap` may cause spurious updates
+
+Due to technical limitations around how Terraform can diff fields, you may see a
+spurious update where the client secret in your config replaces an incorrect
+value that was recorded in state, the SHA256 hash of the secret's value.
+
+You may also encounter the same behaviour on import.
+
 ## Resource: `google_compute_disk`

 ### `disk_encryption_key_raw` and `disk_encryption_key_sha256` have been removed.