Add support for regional secret version resource google_secret_manager_regional_secret_version (#11699)

Author: abheda-crest

mmv1/products/secretmanagerregional/RegionalSecretVersion.yaml

@@ -0,0 +1,161 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Resource
+name: RegionalSecretVersion
+base_url: '{{name}}'
+self_link: '{{name}}'
+create_url: '{{secret}}:addVersion'
+delete_url: '{{name}}:destroy'
+delete_verb: :POST
+description: |
+  A regional secret version resource.
+# Sweeper skipped as this resource has customized deletion.
+skip_sweeper: true
+import_format:
+  ['projects/{{%project}}/locations/{{%location}}/secrets/{{%secret_id}}/versions/{{%version}}']
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_version_basic'
+    primary_resource_id: 'regional_secret_version_basic'
+    vars:
+      secret_id: 'secret-version'
+      data: 'secret-data'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_version_with_base64_data'
+    primary_resource_id: 'regional_secret_version_base64'
+    vars:
+      secret_id: 'secret-version'
+      data: 'secret-data.pfx'
+    test_vars_overrides:
+      data: '"./test-fixtures/binary-file.pfx"'
+    ignore_read_extra:
+      - 'is_secret_data_base64'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_version_disabled'
+    primary_resource_id: 'regional_secret_version_disabled'
+    vars:
+      secret_id: 'secret-version'
+      data: 'secret-data'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_version_deletion_policy_abandon'
+    primary_resource_id: 'regional_secret_version_deletion_policy'
+    vars:
+      secret_id: 'secret-version'
+      data: 'secret-data'
+    ignore_read_extra:
+      - 'deletion_policy'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_version_deletion_policy_disable'
+    primary_resource_id: 'regional_secret_version_deletion_policy'
+    vars:
+      secret_id: 'secret-version'
+      data: 'secret-data'
+    ignore_read_extra:
+      - 'deletion_policy'
+custom_code: !ruby/object:Provider::Terraform::CustomCode
+  post_create: templates/terraform/post_create/regional_secret_version.go.erb
+  decoder: templates/terraform/decoders/treat_destroyed_state_as_gone.erb
+  pre_delete: templates/terraform/pre_delete/regional_secret_version_deletion_policy.go.erb
+  pre_read: templates/terraform/pre_read/secret_manager_regional_secret_version.go.erb
+  pre_create: templates/terraform/pre_create/secret_manager_regional_secret_version.go.erb
+  extra_schema_entry: templates/terraform/extra_schema_entry/secret_version_is_secret_data_base64.go.erb
+  custom_update: templates/terraform/custom_update/regional_secret_version.go.erb
+  custom_import: templates/terraform/custom_import/regional_secret_version.go.erb
+docs: !ruby/object:Provider::Terraform::Docs
+  optional_properties: |
+    * `is_secret_data_base64` - (Optional) If set to 'true', the secret data is expected to be base64-encoded string and would be sent as is.
+virtual_fields:
+  - !ruby/object:Api::Type::String
+    name: deletion_policy
+    description: |
+      The deletion policy for the regional secret version. Setting `ABANDON` allows the resource
+      to be abandoned rather than deleted. Setting `DISABLE` allows the resource to be
+      disabled rather than deleted. Default is `DELETE`. Possible values are:
+        * DELETE
+        * DISABLE
+        * ABANDON
+    default_value: DELETE
+parameters:
+  - !ruby/object:Api::Type::ResourceRef
+    name: secret
+    url_param_only: true
+    resource: RegionalSecret
+    imports: name
+    required: true
+    immutable: true
+    description: |
+      Secret Manager regional secret resource.
+  - !ruby/object:Api::Type::String
+    name: location
+    url_param_only: true
+    output: true
+    description: |
+      Location of Secret Manager regional secret resource.
+properties:
+  - !ruby/object:Api::Type::String
+    name: name
+    output: true
+    description: |
+      The resource name of the regional secret version. Format:
+      `projects/{{project}}/locations/{{location}}/secrets/{{secret_id}}/versions/{{version}}`
+  - !ruby/object:Api::Type::String
+    name: createTime
+    output: true
+    description: |
+      The time at which the regional secret version was created.
+  - !ruby/object:Api::Type::String
+    name: destroyTime
+    output: true
+    description: |
+      The time at which the regional secret version was destroyed. Only present if state is DESTROYED.
+  - !ruby/object:Api::Type::NestedObject
+    name: customerManagedEncryption
+    output: true
+    description: |
+      The customer-managed encryption configuration of the regional secret.
+    properties:
+      - !ruby/object:Api::Type::String
+        name: kmsKeyVersionName
+        output: true
+        description: |
+          The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.
+  - !ruby/object:Api::Type::String
+    name: version
+    output: true
+    description: |
+      The version of the Regional Secret.
+    custom_flatten: templates/terraform/custom_flatten/regional_secret_version_version.go.erb
+  - !ruby/object:Api::Type::Boolean
+    name: enabled
+    api_name: state
+    default_value: true
+    description: |
+      The current state of the regional secret version.
+    custom_flatten: templates/terraform/custom_flatten/secret_version_enable.go.erb
+    custom_expand: templates/terraform/custom_expand/regional_secret_version_enable.go.erb
+  - !ruby/object:Api::Type::NestedObject
+    name: payload
+    description: The secret payload of the Regional SecretVersion.
+    required: true
+    flatten_object: true
+    custom_flatten: templates/terraform/custom_flatten/regional_secret_version_access.go.erb
+    properties:
+      - !ruby/object:Api::Type::String
+        name: secret_data
+        api_name: data
+        required: true
+        immutable: true
+        sensitive: true
+        description: The secret data. Must be no larger than 64KiB.
+        custom_expand: templates/terraform/custom_expand/secret_version_secret_data.go.erb

mmv1/templates/terraform/custom_expand/regional_secret_version_enable.go.erb

@@ -0,0 +1,52 @@
+<%- # the license inside this block applies to this file
+	# Copyright 2024 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	name := d.Get("name").(string)
+	if name == "" {
+		return "", nil
+	}
+
+	url, err := tpgresource.ReplaceVars(d, config, "{{SecretManagerRegionalBasePath}}{{name}}")
+	if err != nil {
+		return nil, err
+	}
+
+	if v == true {
+		url = fmt.Sprintf("%s:enable", url)
+	} else {
+		url = fmt.Sprintf("%s:disable", url)
+	}
+
+	parts := strings.Split(name, "/")
+	project := parts[1]
+
+	userAgent, err :=  tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config: config,
+		Method: "POST",
+		Project: project,
+		RawURL: url,
+		UserAgent: userAgent,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}

mmv1/templates/terraform/custom_flatten/regional_secret_version_access.go.erb

@@ -0,0 +1,58 @@
+<%- # the license inside this block applies to this file
+	# Copyright 2024 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	transformed := make(map[string]interface{})
+
+	// if this secret version is disabled, the api will return an error, as the value cannot be accessed, return what we have
+	if d.Get("enabled").(bool) == false {
+		transformed["secret_data"] = d.Get("secret_data")
+		return []interface{}{transformed}
+	}
+
+	url, err := tpgresource.ReplaceVars(d, config, "{{SecretManagerRegionalBasePath}}{{name}}:access")
+	if err != nil {
+		return err
+	}
+
+	parts := strings.Split(d.Get("name").(string), "/")
+	project := parts[1]
+
+	userAgent, err :=  tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	if err != nil {
+		return err
+	}
+
+	accessRes, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config: config,
+		Method: "GET",
+		Project: project,
+		RawURL: url,
+		UserAgent: userAgent,
+	})
+	if err != nil {
+		return err
+	}
+
+	if d.Get("is_secret_data_base64").(bool) {
+		transformed["secret_data"] = accessRes["payload"].(map[string]interface{})["data"].(string)
+	} else {
+		data, err := base64.StdEncoding.DecodeString(accessRes["payload"].(map[string]interface{})["data"].(string))
+		if err != nil {
+			return err
+		}
+		transformed["secret_data"] = string(data)
+	}
+	return []interface{}{transformed}
+}

mmv1/templates/terraform/custom_flatten/regional_secret_version_version.go.erb

@@ -0,0 +1,25 @@
+<%- # the license inside this block applies to this file
+	# Copyright 2024 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	name := d.Get("name").(string)
+	secretRegex := regexp.MustCompile("projects/(.+)/locations/(.+)/secrets/(.+)/versions/(.+)$")
+
+	parts := secretRegex.FindStringSubmatch(name)
+	if len(parts) != 5 {
+		return fmt.Errorf("Version name does not fit the format `projects/{{project}}/locations/{{location}}/secrets/{{secret}}/versions/{{version}}`")
+	}
+
+	return parts[4]
+}

mmv1/templates/terraform/custom_import/regional_secret_version.go.erb

@@ -0,0 +1,49 @@
+<%- # the license inside this block applies to this file
+	# Copyright 2024 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+	config := meta.(*transport_tpg.Config)
+
+	// current import_formats can't import fields with forward slashes in their value
+	if err := tpgresource.ParseImportId([]string{"(?P<name>.+)"}, d, config); err != nil {
+		return nil, err
+	}
+
+	name := d.Get("name").(string)
+	secretRegex := regexp.MustCompile("(projects/.+/locations/.+/secrets/.+)/versions/.+$")
+	versionRegex := regexp.MustCompile("projects/(.+)/locations/(.+)/secrets/(.+)/versions/(.+)$")
+
+	parts := secretRegex.FindStringSubmatch(name)
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("Version name does not fit the format `projects/{{project}}/locations/{{location}}/secrets/{{secret}}/versions/{{version}}`")
+	}
+	if err := d.Set("secret", parts[1]); err != nil {
+		return nil, fmt.Errorf("Error setting secret: %s", err)
+	}
+
+	parts = versionRegex.FindStringSubmatch(name)
+
+	if err := d.Set("version", parts[4]); err != nil {
+		return nil, fmt.Errorf("Error setting version: %s", err)
+	}
+
+	// Explicitly set virtual fields to default values on import
+	if err := d.Set("deletion_policy", "DELETE"); err != nil {
+		return nil, fmt.Errorf("Error setting deletion policy: %s", err)
+	}
+
+	if err := d.Set("location", parts[2]); err != nil {
+		return nil, fmt.Errorf("Error setting location: %s", err)
+	}
+
+	return []*schema.ResourceData{d}, nil

mmv1/templates/terraform/custom_update/regional_secret_version.go.erb

@@ -0,0 +1,20 @@
+<%- # the license inside this block applies to this file
+	# Copyright 2024 Google Inc.
+	# Licensed under the Apache License, Version 2.0 (the "License");
+	# you may not use this file except in compliance with the License.
+	# You may obtain a copy of the License at
+	#
+	#     http://www.apache.org/licenses/LICENSE-2.0
+	#
+	# Unless required by applicable law or agreed to in writing, software
+	# distributed under the License is distributed on an "AS IS" BASIS,
+	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	# See the License for the specific language governing permissions and
+	# limitations under the License.
+-%>
+_, err := expandSecretManagerRegionalRegionalSecretVersionEnabled(d.Get("enabled"), d, config)
+if err != nil {
+	return err
+}
+
+return resourceSecretManagerRegionalRegionalSecretVersionRead(d, meta)

mmv1/templates/terraform/examples/regional_secret_version_basic.tf.erb

@@ -0,0 +1,9 @@
+resource "google_secret_manager_regional_secret" "secret-basic" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+}
+
+resource "google_secret_manager_regional_secret_version" "<%= ctx[:primary_resource_id] %>" {
+  secret = google_secret_manager_regional_secret.secret-basic.id
+  secret_data = "<%= ctx[:vars]['data'] %>"
+}

mmv1/templates/terraform/examples/regional_secret_version_deletion_policy_abandon.tf.erb

@@ -0,0 +1,10 @@
+resource "google_secret_manager_regional_secret" "secret-basic" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+}
+
+resource "google_secret_manager_regional_secret_version" "<%= ctx[:primary_resource_id] %>" {
+  secret = google_secret_manager_regional_secret.secret-basic.id
+  secret_data = "<%= ctx[:vars]['data'] %>"
+  deletion_policy = "ABANDON"
+}