Fix issue with google_compute_backend_service IAP client secret @ upd…

…ate (#2978)

<!-- This change is generated by MagicModules. -->
/cc @rileykarson

google/resource_compute_backend_service.go

@@ -1,7 +1,6 @@
 package google
 
 import (
-	"crypto/sha256"
 	"errors"
 	"fmt"
 	"log"
@@ -53,12 +52,11 @@ func resourceComputeBackendService() *schema.Resource {
 							Type:      schema.TypeString,
 							Required:  true,
 							Sensitive: true,
-							DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
-								if old == fmt.Sprintf("%x", sha256.Sum256([]byte(new))) {
-									return true
-								}
-								return false
-							},
+						},
+						"oauth2_client_secret_sha256": {
+							Type:      schema.TypeString,
+							Computed:  true,
+							Sensitive: true,
 						},
 					},
 				},
@@ -321,7 +319,7 @@ func resourceComputeBackendServiceRead(d *schema.ResourceData, meta interface{})
 	d.Set("self_link", ConvertSelfLinkToV1(service.SelfLink))
 	d.Set("backend", flattenBackends(service.Backends))
 	d.Set("connection_draining_timeout_sec", service.ConnectionDraining.DrainingTimeoutSec)
-	d.Set("iap", flattenIap(service.Iap))
+	d.Set("iap", flattenIap(d, service.Iap))
 	d.Set("project", project)
 	guardedHealthChecks := make([]string, len(service.HealthChecks))
 	for i, v := range service.HealthChecks {
@@ -423,18 +421,17 @@ func expandIap(configured []interface{}) *computeBeta.BackendServiceIAP {
 	}
 }
 
-func flattenIap(iap *computeBeta.BackendServiceIAP) []map[string]interface{} {
+func flattenIap(d *schema.ResourceData, iap *computeBeta.BackendServiceIAP) []map[string]interface{} {
 	result := make([]map[string]interface{}, 0, 1)
 	if iap == nil || !iap.Enabled {
 		return result
 	}
 
-	result = append(result, map[string]interface{}{
-		"oauth2_client_id":     iap.Oauth2ClientId,
-		"oauth2_client_secret": iap.Oauth2ClientSecretSha256,
+	return append(result, map[string]interface{}{
+		"oauth2_client_id":            iap.Oauth2ClientId,
+		"oauth2_client_secret":        d.Get("iap.0.oauth2_client_secret"),
+		"oauth2_client_secret_sha256": iap.Oauth2ClientSecretSha256,
 	})
-
-	return result
 }
 
 func expandBackends(configured []interface{}) ([]*computeBeta.Backend, error) {

google/resource_compute_backend_service_test.go

@@ -111,14 +111,15 @@ func TestAccComputeBackendService_withBackendAndIAP(t *testing.T) {
 				Config: testAccComputeBackendService_withBackendAndIAP(
 					serviceName, igName, itName, checkName, 10),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckComputeBackendServiceExistsWithIAP(
-						"google_compute_backend_service.lipsum", &svc),
+					testAccCheckComputeBackendServiceExistsWithIAP("google_compute_backend_service.lipsum", &svc),
+					resource.TestCheckResourceAttr("google_compute_backend_service.lipsum", "iap.0.oauth2_client_secret", "test"),
 				),
 			},
 			{
-				ResourceName:      "google_compute_backend_service.lipsum",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_compute_backend_service.lipsum",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
 			},
 			{
 				Config: testAccComputeBackendService_withBackend(

website/docs/r/compute_backend_service.html.markdown

@@ -179,12 +179,16 @@ The `iap` block supports:
 * `oauth2_client_id` - (Required) The client ID for use with OAuth 2.0.
 
 * `oauth2_client_secret` - (Required) The client secret for use with OAuth 2.0.
+Out of band changes to this field will not be detected by Terraform, and it may
+perform spurious no-op updates when imported, or upgraded from pre-`2.0.0`.
 
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are
 exported:
 
+* `iap.0.oauth2_client_secret_sha256` - The SHA256 hash of the OAuth 2.0 client secret value.
+
 * `fingerprint` - The fingerprint of the backend service.
 
 * `self_link` - The URI of the created resource.

website/docs/version_2_upgrade.html.markdown

@@ -289,6 +289,14 @@ for more details.
 
 Use the [`google-beta` provider](#google-beta-provider) to set this field.
 
+### `iap` may cause spurious updates
+
+Due to technical limitations around how Terraform can diff fields, you may see a
+spurious update where the client secret in your config replaces an incorrect
+value that was recorded in state, the SHA256 hash of the secret's value.
+
+You may also encounter the same behaviour on import.
+
 ## Resource: `google_compute_disk`
 
 ### `disk_encryption_key_raw` and `disk_encryption_key_sha256` have been removed.