Remove default addition of IAP message and add new required fleid `en…

…abled` under IAP to resource google_compute_backend_service

mmv1/products/compute/BackendService.yaml

@@ -747,14 +747,16 @@ properties:
     description: Settings for enabling Cloud Identity Aware Proxy
     send_empty_value: true
     properties:
+      - !ruby/object:Api::Type::Boolean
+        name: 'enabled'
+        required: true
+        description: Whether the serving infrastructure will authenticate and authorize all incoming requests.
       - !ruby/object:Api::Type::String
         name: 'oauth2ClientId'
-        required: true
         description: |
           OAuth2 Client ID for IAP
       - !ruby/object:Api::Type::String
         name: 'oauth2ClientSecret'
-        required: true
         description: |
           OAuth2 Client Secret for IAP
         send_empty_value: true

mmv1/templates/terraform/decoders/backend_service.go.erb

@@ -12,18 +12,6 @@
 	# See the License for the specific language governing permissions and
 	# limitations under the License.
 -%>
-// We need to pretend IAP isn't there if it's disabled for Terraform to maintain
-// BC behaviour with the handwritten resource.
-v, ok :=  res["iap"]
-if !ok || v == nil {
-	delete(res, "iap")
-	return res, nil
-}
-m := v.(map[string]interface{})
-if ok && m["enabled"] == false {
-	delete(res, "iap")
-}
-
 // Requests with consistentHash will error for specific values of
 // localityLbPolicy. However, the API will not remove it if the backend
 // service is updated to from supporting to non-supporting localityLbPolicy

mmv1/templates/terraform/encoders/backend_service.go.erb

@@ -12,24 +12,6 @@
 	# See the License for the specific language governing permissions and
 	# limitations under the License.
 -%>
-// The BackendService API's Update / PUT API is badly formed and behaves like
-// a PATCH field for at least IAP. When sent a `null` `iap` field, the API
-// doesn't disable an existing field. To work around this, we need to emulate
-// the old Terraform behaviour of always sending the block (at both update and
-// create), and force sending each subfield as empty when the block isn't
-// present in config.
-
-iapVal := obj["iap"]
-if iapVal == nil {
-	data := map[string]interface{}{}
-	data["enabled"] = false
-	obj["iap"] = data
-} else {
-	iap := iapVal.(map[string]interface{})
-	iap["enabled"] = true
-	obj["iap"] = iap
-}
-
 backendsRaw, ok := obj["backends"]
 if !ok {
 	return obj, nil

mmv1/templates/terraform/examples/backend_service_external_iap.tf.erb

@@ -3,6 +3,7 @@ resource "google_compute_backend_service" "<%= ctx[:primary_resource_id] %>" {
   protocol              = "HTTP"
   load_balancing_scheme = "EXTERNAL"
   iap {
+    enabled              = true
     oauth2_client_id     = "abc"
     oauth2_client_secret = "xyz"
   }

mmv1/third_party/terraform/services/compute/resource_compute_backend_service_test.go.erb

@@ -125,23 +125,23 @@ func TestAccComputeBackendService_withBackendAndIAP(t *testing.T) {
 		CheckDestroy:             testAccCheckComputeBackendServiceDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeBackendService_withBackendAndIAP(
+				Config: testAccComputeBackendService_withBackend(
 					serviceName, igName, itName, checkName, 10),
 			},
 			{
 				ResourceName:            "google_compute_backend_service.lipsum",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
 			},
 			{
-				Config: testAccComputeBackendService_withBackend(
+				Config: testAccComputeBackendService_withBackendAndIAP(
 					serviceName, igName, itName, checkName, 10),
 			},
 			{
 				ResourceName:      "google_compute_backend_service.lipsum",
 				ImportState:       true,
 				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
 			},
 		},
 	})
@@ -1266,6 +1266,7 @@ resource "google_compute_backend_service" "lipsum" {
   }
 
   iap {
+    enabled              = true
     oauth2_client_id     = "test"
     oauth2_client_secret = "test"
   }