From f9da5048e562f9979f724940334a4f5eceea8003 Mon Sep 17 00:00:00 2001 From: kumailkermalli-datatonic <108349674+kumailkermalli-datatonic@users.noreply.github.com> Date: Tue, 12 Mar 2024 23:33:51 +0000 Subject: [PATCH] feat: add credentials_secret field in azure blob storage block for google storage transfer job resource (#9278) * feat: add `credentials_secret` in `azure_blob_storage_data` source config * feat: add version guard for `credentials_secret` as in preview * docs: add documentation on `credentials_secret` --- ...o => resource_storage_transfer_job.go.erb} | 53 +++++++++++++++---- .../docs/r/storage_transfer_job.html.markdown | 4 +- 2 files changed, 45 insertions(+), 12 deletions(-) rename mmv1/third_party/terraform/services/storagetransfer/{resource_storage_transfer_job.go => resource_storage_transfer_job.go.erb} (96%) diff --git a/mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go b/mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go.erb similarity index 96% rename from mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go rename to mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go.erb index 148ab8c0af82..0a955d9f11b3 100644 --- a/mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go +++ b/mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go.erb @@ -1,3 +1,4 @@ +<% autogen_exception -%> package storagetransfer import ( @@ -50,6 +51,12 @@ var ( "transfer_spec.0.aws_s3_data_source.0.aws_access_key", "transfer_spec.0.aws_s3_data_source.0.role_arn", } + <% unless version == 'ga' -%> + azureOptionCredentials = []string{ + "transfer_spec.0.azure_blob_storage_data_source.0.azure_credentials", + "transfer_spec.0.azure_blob_storage_data_source.0.credentials_secret", + } + <% end -%> ) func ResourceStorageTransferJob() *schema.Resource { 
@@ -559,9 +566,14 @@ func azureBlobStorageDataSchema() *schema.Resource { Description: `Root path to transfer objects. Must be an empty string or full path name that ends with a '/'. This field is treated as an object prefix. As such, it should generally not begin with a '/'.`, }, "azure_credentials": { - Type: schema.TypeList, - Required: true, - MaxItems: 1, + Type: schema.TypeList, + <% unless version == 'ga' -%> + Optional: true, + ExactlyOneOf: azureOptionCredentials, + <% else -%> + Required: true, + <% end -%> + MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "sas_token": { @@ -574,6 +586,14 @@ func azureBlobStorageDataSchema() *schema.Resource { }, Description: ` Credentials used to authenticate API requests to Azure.`, }, + <% unless version == 'ga' -%> + "credentials_secret": { + Optional: true, + Type: schema.TypeString, + Description: `The Resource name of a secret in Secret Manager containing SAS Credentials in JSON form. Service Agent must have permissions to access secret. If credentials_secret is specified, do not specify azure_credentials.`, + ExactlyOneOf: azureOptionCredentials, + }, + <% end -%> }, } } @@ -1099,6 +1119,11 @@ func expandAzureCredentials(azureCredentials []interface{}) *storagetransfer.Azu } func flattenAzureCredentials(d *schema.ResourceData) []map[string]interface{} { + <% unless version == 'ga' -%> + if d.Get("transfer_spec.0.azure_blob_storage_data_source.0.azure_credentials.0.sas_token") == "" { + return []map[string]interface{}{} + } + <% end -%> data := map[string]interface{}{ "sas_token": d.Get("transfer_spec.0.azure_blob_storage_data_source.0.azure_credentials.0.sas_token"), } 
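Review bot: The `Description` of `azure_credentials` in `azureBlobStorageDataSchema` is left unchanged even though the block is now optional outside GA and tied to `credentials_secret` through `ExactlyOneOf`, so the schema text never mentions the alternative. `flattenAzureCredentials` copies `sas_token` from the resource data back into the flattened block, so the inline token appears to end up in Terraform state; whether `sas_token` is marked `Sensitive` is not visible in this hunk. The non-GA description could say so, e.g. `Credentials used to authenticate API requests to Azure. Exactly one of azure_credentials or credentials_secret must be set; credentials_secret keeps the SAS token in Secret Manager instead of Terraform state.` The description line sits outside the version guard, so this wording needs its own `<% unless version == 'ga' -%>` branch.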
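Review bot: `credentials_secret` is declared without any validation, so an explicitly empty value is accepted at plan time. As far as I can tell, `ExactlyOneOf` counts a key set to `""` as specified, which would let a job through with neither an inline token nor a secret reference. Adding `ValidateFunc: validation.StringIsNotEmpty,` (or a `validation.StringMatch` on the secret resource-name form the API expects) would surface that before the API call; the import block is outside the hunk, so check that `validation` is available. As a style point, the neighbouring `azure_credentials` entry puts `Type` first, and `Optional: true` ahead of `Type` here breaks that order.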
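Review bot: The new guard in `flattenAzureCredentials` looks up the same long `...azure_credentials.0.sas_token` path a second time and has no comment explaining why an empty token means "no block". Reading it once into a local, `sasToken := d.Get(...)`, and reusing `sasToken` in the map keeps the two lookups from drifting apart; the map literal sits outside the version guard, so the local must be declared outside it too. A comment such as `// No inline SAS token configured (credentials_secret in use): emit no azure_credentials block.` would document the intent. The function body continues past the end of the hunk.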
@@ -1114,19 +1139,25 @@ func expandAzureBlobStorageData(azureBlobStorageDatas []interface{}) *storagetra azureBlobStorageData := azureBlobStorageDatas[0].(map[string]interface{}) return &storagetransfer.AzureBlobStorageData{ - Container: azureBlobStorageData["container"].(string), - Path: azureBlobStorageData["path"].(string), - StorageAccount: azureBlobStorageData["storage_account"].(string), - AzureCredentials: expandAzureCredentials(azureBlobStorageData["azure_credentials"].([]interface{})), + Container: azureBlobStorageData["container"].(string), + Path: azureBlobStorageData["path"].(string), + StorageAccount: azureBlobStorageData["storage_account"].(string), + AzureCredentials: expandAzureCredentials(azureBlobStorageData["azure_credentials"].([]interface{})), + <% unless version == 'ga' -%> + CredentialsSecret: azureBlobStorageData["credentials_secret"].(string), + <% end -%> } } func flattenAzureBlobStorageData(azureBlobStorageData *storagetransfer.AzureBlobStorageData, d *schema.ResourceData) []map[string]interface{} { data := map[string]interface{}{ - "container": azureBlobStorageData.Container, - "path": azureBlobStorageData.Path, - "storage_account": azureBlobStorageData.StorageAccount, - "azure_credentials": flattenAzureCredentials(d), + "container": azureBlobStorageData.Container, + "path": azureBlobStorageData.Path, + "storage_account": azureBlobStorageData.StorageAccount, + "azure_credentials": flattenAzureCredentials(d), + <% unless version == 'ga' -%> + "credentials_secret": azureBlobStorageData.CredentialsSecret, + <% end -%> } return []map[string]interface{}{data} diff --git a/mmv1/third_party/terraform/website/docs/r/storage_transfer_job.html.markdown b/mmv1/third_party/terraform/website/docs/r/storage_transfer_job.html.markdown index c354672672d2..2f2d4ecb5d83 100644 --- a/mmv1/third_party/terraform/website/docs/r/storage_transfer_job.html.markdown +++ b/mmv1/third_party/terraform/website/docs/r/storage_transfer_job.html.markdown 
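Review bot: `expandAzureBlobStorageData` still passes `azureBlobStorageData["azure_credentials"]` straight to `expandAzureCredentials`, and outside GA that list will now be empty whenever only `credentials_secret` is configured. The body of `expandAzureCredentials` is not part of this diff, so confirm it returns nil for an empty list instead of indexing element 0; if it does not, add `if len(azureCredentials) == 0 || azureCredentials[0] == nil { return nil }` at its top. A test that creates a job with `credentials_secret` only would pin both this path and the empty-list return in `flattenAzureCredentials`.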
@@ -247,7 +247,9 @@ The `aws_access_key` block supports: * `path` - (Required) Root path to transfer objects. Must be an empty string or full path name that ends with a '/'. This field is treated as an object prefix. As such, it should generally not begin with a '/'. -* `azure_credentials` - (Required) Credentials used to authenticate API requests to Azure block. +* `credentials_secret` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Full Resource name of a secret in Secret Manager containing [SAS Credentials in JSON form](https://cloud.google.com/storage-transfer/docs/reference/rest/v1/TransferSpec#azureblobstoragedata:~:text=begin%20with%20a%20%27/%27.-,credentialsSecret,-string). Service Agent for Storage Transfer must have permissions to access secret. If credentials_secret is specified, do not specify azure_credentials.`, + +* `azure_credentials` - (Required in GA, Optional in [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Credentials used to authenticate API requests to Azure block. The `azure_credentials` block supports: