From 56858329b296114806c5eb59299e56935fdb0c4a Mon Sep 17 00:00:00 2001
From: Arnab Dasgupta <arnabadg@google.com>
Date: Wed, 3 Jul 2024 15:15:40 +0000
Subject: [PATCH] Remove default addition of IAP message and add new required
 fleid `enabled` under IAP to resource google_compute_backend_service

---
 mmv1/products/compute/BackendService.yaml      |  6 ++++--
 .../terraform/decoders/backend_service.go.erb  | 12 ------------
 .../terraform/encoders/backend_service.go.erb  | 18 ------------------
 .../backend_service_external_iap.tf.erb        |  1 +
 ...esource_compute_backend_service_test.go.erb |  7 ++++---
 5 files changed, 9 insertions(+), 35 deletions(-)

diff --git a/mmv1/products/compute/BackendService.yaml b/mmv1/products/compute/BackendService.yaml
index 5a7539e956ad..9900cceb834f 100644
--- a/mmv1/products/compute/BackendService.yaml
+++ b/mmv1/products/compute/BackendService.yaml
@@ -747,14 +747,16 @@ properties:
     description: Settings for enabling Cloud Identity Aware Proxy
     send_empty_value: true
     properties:
+      - !ruby/object:Api::Type::Boolean
+        name: 'enabled'
+        required: true
+        description: Whether the serving infrastructure will authenticate and authorize all incoming requests.
       - !ruby/object:Api::Type::String
         name: 'oauth2ClientId'
-        required: true
         description: |
           OAuth2 Client ID for IAP
       - !ruby/object:Api::Type::String
         name: 'oauth2ClientSecret'
-        required: true
         description: |
           OAuth2 Client Secret for IAP
         send_empty_value: true
diff --git a/mmv1/templates/terraform/decoders/backend_service.go.erb b/mmv1/templates/terraform/decoders/backend_service.go.erb
index 3e0796f151a5..2916928ce9bd 100644
--- a/mmv1/templates/terraform/decoders/backend_service.go.erb
+++ b/mmv1/templates/terraform/decoders/backend_service.go.erb
@@ -12,18 +12,6 @@
 	# See the License for the specific language governing permissions and
 	# limitations under the License.
 -%>
-// We need to pretend IAP isn't there if it's disabled for Terraform to maintain
-// BC behaviour with the handwritten resource.
-v, ok :=  res["iap"]
-if !ok || v == nil {
-	delete(res, "iap")
-	return res, nil
-}
-m := v.(map[string]interface{})
-if ok && m["enabled"] == false {
-	delete(res, "iap")
-}
-
 // Requests with consistentHash will error for specific values of
 // localityLbPolicy. However, the API will not remove it if the backend
 // service is updated to from supporting to non-supporting localityLbPolicy
diff --git a/mmv1/templates/terraform/encoders/backend_service.go.erb b/mmv1/templates/terraform/encoders/backend_service.go.erb
index 66626bf17fe3..b018972bd0b2 100644
--- a/mmv1/templates/terraform/encoders/backend_service.go.erb
+++ b/mmv1/templates/terraform/encoders/backend_service.go.erb
@@ -12,24 +12,6 @@
 	# See the License for the specific language governing permissions and
 	# limitations under the License.
 -%>
-// The BackendService API's Update / PUT API is badly formed and behaves like
-// a PATCH field for at least IAP. When sent a `null` `iap` field, the API
-// doesn't disable an existing field. To work around this, we need to emulate
-// the old Terraform behaviour of always sending the block (at both update and
-// create), and force sending each subfield as empty when the block isn't
-// present in config.
-
-iapVal := obj["iap"]
-if iapVal == nil {
-	data := map[string]interface{}{}
-	data["enabled"] = false
-	obj["iap"] = data
-} else {
-	iap := iapVal.(map[string]interface{})
-	iap["enabled"] = true
-	obj["iap"] = iap
-}
-
 backendsRaw, ok := obj["backends"]
 if !ok {
 	return obj, nil
diff --git a/mmv1/templates/terraform/examples/backend_service_external_iap.tf.erb b/mmv1/templates/terraform/examples/backend_service_external_iap.tf.erb
index 1679fa7c39e3..cf264f8565ca 100644
--- a/mmv1/templates/terraform/examples/backend_service_external_iap.tf.erb
+++ b/mmv1/templates/terraform/examples/backend_service_external_iap.tf.erb
@@ -3,6 +3,7 @@ resource "google_compute_backend_service" "<%= ctx[:primary_resource_id] %>" {
   protocol              = "HTTP"
   load_balancing_scheme = "EXTERNAL"
   iap {
+    enabled              = true
     oauth2_client_id     = "abc"
     oauth2_client_secret = "xyz"
   }
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_backend_service_test.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_backend_service_test.go.erb
index 8e1ecf66cb8b..31e61906671f 100644
--- a/mmv1/third_party/terraform/services/compute/resource_compute_backend_service_test.go.erb
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_backend_service_test.go.erb
@@ -125,23 +125,23 @@ func TestAccComputeBackendService_withBackendAndIAP(t *testing.T) {
 		CheckDestroy:             testAccCheckComputeBackendServiceDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeBackendService_withBackendAndIAP(
+				Config: testAccComputeBackendService_withBackend(
 					serviceName, igName, itName, checkName, 10),
 			},
 			{
 				ResourceName:            "google_compute_backend_service.lipsum",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
 			},
 			{
-				Config: testAccComputeBackendService_withBackend(
+				Config: testAccComputeBackendService_withBackendAndIAP(
 					serviceName, igName, itName, checkName, 10),
 			},
 			{
 				ResourceName:      "google_compute_backend_service.lipsum",
 				ImportState:       true,
 				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
 			},
 		},
 	})
@@ -1266,6 +1266,7 @@ resource "google_compute_backend_service" "lipsum" {
   }
 
   iap {
+    enabled              = true
     oauth2_client_id     = "test"
     oauth2_client_secret = "test"
   }