EphemeralWriteOnly: add secretAccessKeyWo (#12967)

Author: BBBmau

mmv1/products/bigquerydatatransfer/Config.yaml

@@ -41,6 +41,7 @@ custom_code:
   post_create: 'templates/terraform/post_create/set_computed_name.tmpl'
   pre_update: 'templates/terraform/pre_update/bigquerydatatransfer_config.tmpl'
   custom_import: 'templates/terraform/custom_import/bigquery_data_transfer_self_link_as_name_set_location.go.tmpl'
+  raw_resource_config_validation: 'templates/terraform/validation/bigquery_data_transfer_config.go.tmpl'
 custom_diff:
   - 'sensitiveParamCustomizeDiff'
   - 'paramsCustomizeDiff'
@@ -210,6 +211,12 @@ properties:
       **NOTE** : If you are attempting to update a parameter that cannot be updated (due to api limitations) [please force recreation of the resource](https://www.terraform.io/cli/state/taint#forcing-re-creation-of-resources).
     required: true
     custom_flatten: 'templates/terraform/custom_flatten/json_to_string_map.go.tmpl'
+
+  - name: 'sensitiveParamsWoVersion'
+    type: Integer
+    immutable: true
+    description: |
+      The version of the sensitive params - used to trigger updates of the write-only params
   - name: 'sensitiveParams'
     type: NestedObject
     description: |
@@ -226,6 +233,19 @@ properties:
         type: String
         description: |
           The Secret Access Key of the AWS account transferring data from.
-
-        required: true
         sensitive: true
+        at_least_one_of:
+          - 'sensitive_params.0.secretAccessKey'
+          - 'sensitive_params.0.secretAccessKeyWo'
+        conflicts:
+          - 'sensitive_params.0.secretAccessKeyWo'
+      - name: 'secretAccessKeyWo' # Wo is convention for write-only properties
+        type: String
+        description: |
+          The Secret Access Key of the AWS account transferring data from.
+        write_only: true
+        at_least_one_of:
+          - 'sensitive_params.0.secretAccessKeyWo'
+          - 'sensitive_params.0.secretAccessKey'
+        conflicts:
+          - 'sensitive_params.0.secretAccessKey'

mmv1/templates/terraform/constants/bigquery_data_transfer.go.tmpl

@@ -1,4 +1,5 @@
 var sensitiveParams = []string{"secret_access_key"}
+var sensitiveWoParams = []string{"secret_access_key_wo"}
 
 func sensitiveParamCustomizeDiff(_ context.Context, diff *schema.ResourceDiff, v interface{}) error {
 	for _, sp := range sensitiveParams {
@@ -8,6 +9,16 @@ func sensitiveParamCustomizeDiff(_ context.Context, diff *schema.ResourceDiff, v
 			return fmt.Errorf("Sensitive param [%s] cannot be set in both `params` and the `sensitive_params` block.", sp)
 		}
 	}
+
+	{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
+	for _, sp := range sensitiveWoParams {
+		mapLabel := diff.Get("params." + sp[:len(sp)-3]).(string)
+		authLabel, _ := diff.GetRawConfigAt(cty.GetAttrPath("sensitive_params").IndexInt(0).GetAttr(sp))
+		if mapLabel != "" && authLabel.AsString() != "" {
+				return fmt.Errorf("Sensitive param [%s] cannot be set in both `params` and the `sensitive_params` block.", sp)
+			}
+		}
+	{{- end }}
 	return nil
 }
 

mmv1/templates/terraform/encoders/bigquery_data_transfer.go.tmpl

@@ -39,6 +39,14 @@ for _, sp := range sensitiveParams {
 		params[sp] = auth.(string)
 	}
 }
+{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
+for _, sp := range sensitiveWoParams {
+	if auth, _ := d.GetRawConfigAt(cty.GetAttrPath("sensitive_params").IndexInt(0).GetAttr(sp)); !auth.IsNull() && auth.Type().Equals(cty.String) {
+		sp = sp[:len(sp)-3] // _wo is convention for write-only params and are removed here
+		params[sp] = auth.AsString()
+	}
+}
+{{- end }}
 
 obj["params"] = params
 

mmv1/templates/terraform/validation/bigquery_data_transfer_config.go.tmpl

@@ -0,0 +1 @@
+validation.PreferWriteOnlyAttribute(cty.GetAttrPath("sensitive_params").IndexInt(0).GetAttr("secret_access_key"),cty.GetAttrPath("sensitive_params").IndexInt(0).GetAttr("secret_access_key_wo"))