Add type field to DNS authorization reosurce (#10030) (#17459)

* Add type field to DNS authorization reosurce

* Add an example for regional DNS authorization

* Add an example for regional certs using regional DNS auth

* Fix lint errors

* Fix typo in the enum values

* Add type field in regional dns auth example

---------



[upstream:0ac8f5283f99aca69ac1821ecbc67200d45b0390]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/10030.txt

@@ -0,0 +1,4 @@
+```release-note:enhancement
+certificatemanager: added `type` field to `google_certificate_manager_dns_authorization` resource
+
+```

google/services/certificatemanager/resource_certificate_manager_certificate_generated_test.go

@@ -433,6 +433,55 @@ resource "google_certificate_manager_dns_authorization" "instance2" {
 `, context)
 }
 
+func TestAccCertificateManagerCertificate_certificateManagerGoogleManagedRegionalCertificateDnsAuthExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckCertificateManagerCertificateDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCertificateManagerCertificate_certificateManagerGoogleManagedRegionalCertificateDnsAuthExample(context),
+			},
+			{
+				ResourceName:            "google_certificate_manager_certificate.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"self_managed", "name", "location", "labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccCertificateManagerCertificate_certificateManagerGoogleManagedRegionalCertificateDnsAuthExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_certificate_manager_certificate" "default" {
+  name        = "tf-test-dns-cert%{random_suffix}"
+  description = "regional managed certs"
+  location = "us-central1"
+  managed {
+    domains = [
+      google_certificate_manager_dns_authorization.instance.domain,
+      ]
+    dns_authorizations = [
+      google_certificate_manager_dns_authorization.instance.id,
+      ]
+  }
+}
+resource "google_certificate_manager_dns_authorization" "instance" {
+  name        = "tf-test-dns-auth%{random_suffix}"
+  location    = "us-central1"
+  description = "The default dnss"
+  domain      = "subdomain%{random_suffix}.hashicorptest.com"
+}
+`, context)
+}
+
 func testAccCheckCertificateManagerCertificateDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

google/services/certificatemanager/resource_certificate_manager_dns_authorization.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
 	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+	"github.com/hashicorp/terraform-provider-google/google/verify"
 )
 
 func ResourceCertificateManagerDnsAuthorization() *schema.Resource {
@@ -101,6 +102,21 @@ Please refer to the field 'effective_labels' for all of the labels present on th
 				Description: `The Certificate Manager location. If not specified, "global" is used.`,
 				Default:     "global",
 			},
+			"type": {
+				Type:         schema.TypeString,
+				Computed:     true,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: verify.ValidateEnum([]string{"FIXED_RECORD", "PER_PROJECT_RECORD", ""}),
+				Description: `type of DNS authorization. If unset during the resource creation, FIXED_RECORD will
+be used for global resources, and PER_PROJECT_RECORD will be used for other locations.
+
+FIXED_RECORD DNS authorization uses DNS-01 validation method
+
+PER_PROJECT_RECORD DNS authorization allows for independent management
+of Google-managed certificates with DNS authorization across multiple
+projects. Possible values: ["FIXED_RECORD", "PER_PROJECT_RECORD"]`,
+			},
 			"dns_resource_record": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -172,6 +188,12 @@ func resourceCertificateManagerDnsAuthorizationCreate(d *schema.ResourceData, me
 	} else if v, ok := d.GetOkExists("domain"); !tpgresource.IsEmptyValue(reflect.ValueOf(domainProp)) && (ok || !reflect.DeepEqual(v, domainProp)) {
 		obj["domain"] = domainProp
 	}
+	typeProp, err := expandCertificateManagerDnsAuthorizationType(d.Get("type"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("type"); !tpgresource.IsEmptyValue(reflect.ValueOf(typeProp)) && (ok || !reflect.DeepEqual(v, typeProp)) {
+		obj["type"] = typeProp
+	}
 	labelsProp, err := expandCertificateManagerDnsAuthorizationEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -282,6 +304,9 @@ func resourceCertificateManagerDnsAuthorizationRead(d *schema.ResourceData, meta
 	if err := d.Set("domain", flattenCertificateManagerDnsAuthorizationDomain(res["domain"], d, config)); err != nil {
 		return fmt.Errorf("Error reading DnsAuthorization: %s", err)
 	}
+	if err := d.Set("type", flattenCertificateManagerDnsAuthorizationType(res["type"], d, config)); err != nil {
+		return fmt.Errorf("Error reading DnsAuthorization: %s", err)
+	}
 	if err := d.Set("dns_resource_record", flattenCertificateManagerDnsAuthorizationDnsResourceRecord(res["dnsResourceRecord"], d, config)); err != nil {
 		return fmt.Errorf("Error reading DnsAuthorization: %s", err)
 	}
@@ -477,6 +502,10 @@ func flattenCertificateManagerDnsAuthorizationDomain(v interface{}, d *schema.Re
 	return v
 }
 
+func flattenCertificateManagerDnsAuthorizationType(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenCertificateManagerDnsAuthorizationDnsResourceRecord(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return nil
@@ -533,6 +562,10 @@ func expandCertificateManagerDnsAuthorizationDomain(v interface{}, d tpgresource
 	return v, nil
 }
 
+func expandCertificateManagerDnsAuthorizationType(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandCertificateManagerDnsAuthorizationEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

google/services/certificatemanager/resource_certificate_manager_dns_authorization_generated_test.go

@@ -78,6 +78,43 @@ output "record_data_to_insert" {
 `, context)
 }
 
+func TestAccCertificateManagerDnsAuthorization_certificateManagerDnsAuthorizationRegionalExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckCertificateManagerDnsAuthorizationDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCertificateManagerDnsAuthorization_certificateManagerDnsAuthorizationRegionalExample(context),
+			},
+			{
+				ResourceName:            "google_certificate_manager_dns_authorization.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name", "location", "labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccCertificateManagerDnsAuthorization_certificateManagerDnsAuthorizationRegionalExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_certificate_manager_dns_authorization" "default" {
+  name        = "tf-test-dns-auth%{random_suffix}"
+  location    = "us-central1"
+  description = "reginal dns"
+  type        = "PER_PROJECT_RECORD"
+  domain      = "subdomain%{random_suffix}.hashicorptest.com"
+}
+`, context)
+}
+
 func testAccCheckCertificateManagerDnsAuthorizationDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/certificate_manager_certificate.html.markdown

@@ -310,6 +310,35 @@ resource "google_certificate_manager_dns_authorization" "instance2" {
   domain      = "subdomain2.hashicorptest.com"
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_google_managed_regional_certificate_dns_auth&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Certificate Manager Google Managed Regional Certificate Dns Auth
+
+
+```hcl
+resource "google_certificate_manager_certificate" "default" {
+  name        = "dns-cert"
+  description = "regional managed certs"
+  location = "us-central1"
+  managed {
+    domains = [
+      google_certificate_manager_dns_authorization.instance.domain,
+      ]
+    dns_authorizations = [
+      google_certificate_manager_dns_authorization.instance.id,
+      ]
+  }
+}
+resource "google_certificate_manager_dns_authorization" "instance" {
+  name        = "dns-auth"
+  location    = "us-central1"
+  description = "The default dnss"
+  domain      = "subdomain.hashicorptest.com"
+}
+```
 
 ## Argument Reference
 

website/docs/r/certificate_manager_dns_authorization.html.markdown

@@ -51,6 +51,23 @@ output "record_data_to_insert" {
  value = google_certificate_manager_dns_authorization.default.dns_resource_record.0.data
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_dns_authorization_regional&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Certificate Manager Dns Authorization Regional
+
+
+```hcl
+resource "google_certificate_manager_dns_authorization" "default" {
+  name        = "dns-auth"
+  location    = "us-central1"
+  description = "reginal dns"
+  type        = "PER_PROJECT_RECORD"
+  domain      = "subdomain.hashicorptest.com"
+}
+```
 
 ## Argument Reference
 
@@ -83,6 +100,16 @@ The following arguments are supported:
   **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
   Please refer to the field `effective_labels` for all of the labels present on the resource.
 
+* `type` -
+  (Optional)
+  type of DNS authorization. If unset during the resource creation, FIXED_RECORD will
+  be used for global resources, and PER_PROJECT_RECORD will be used for other locations.
+  FIXED_RECORD DNS authorization uses DNS-01 validation method
+  PER_PROJECT_RECORD DNS authorization allows for independent management
+  of Google-managed certificates with DNS authorization across multiple
+  projects.
+  Possible values are: `FIXED_RECORD`, `PER_PROJECT_RECORD`.
+
 * `location` -
   (Optional)
   The Certificate Manager location. If not specified, "global" is used.