diff --git a/google/resource_compute_backend_service.go b/google/resource_compute_backend_service.go index 4c5dfaaf1dd..03dc28cdc13 100644 --- a/google/resource_compute_backend_service.go +++ b/google/resource_compute_backend_service.go @@ -1,7 +1,6 @@ package google import ( - "crypto/sha256" "errors" "fmt" "log" @@ -53,12 +52,11 @@ func resourceComputeBackendService() *schema.Resource { Type: schema.TypeString, Required: true, Sensitive: true, - DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { - if old == fmt.Sprintf("%x", sha256.Sum256([]byte(new))) { - return true - } - return false - }, + }, + "oauth2_client_secret_sha256": { + Type: schema.TypeString, + Computed: true, + Sensitive: true, }, }, }, @@ -321,7 +319,7 @@ func resourceComputeBackendServiceRead(d *schema.ResourceData, meta interface{}) d.Set("self_link", ConvertSelfLinkToV1(service.SelfLink)) d.Set("backend", flattenBackends(service.Backends)) d.Set("connection_draining_timeout_sec", service.ConnectionDraining.DrainingTimeoutSec) - d.Set("iap", flattenIap(service.Iap)) + d.Set("iap", flattenIap(d, service.Iap)) d.Set("project", project) guardedHealthChecks := make([]string, len(service.HealthChecks)) for i, v := range service.HealthChecks { @@ -423,18 +421,17 @@ func expandIap(configured []interface{}) *computeBeta.BackendServiceIAP { } } -func flattenIap(iap *computeBeta.BackendServiceIAP) []map[string]interface{} { +func flattenIap(d *schema.ResourceData, iap *computeBeta.BackendServiceIAP) []map[string]interface{} { result := make([]map[string]interface{}, 0, 1) if iap == nil || !iap.Enabled { return result } - result = append(result, map[string]interface{}{ - "oauth2_client_id": iap.Oauth2ClientId, - "oauth2_client_secret": iap.Oauth2ClientSecretSha256, + return append(result, map[string]interface{}{ + "oauth2_client_id": iap.Oauth2ClientId, + "oauth2_client_secret": d.Get("iap.0.oauth2_client_secret"), + "oauth2_client_secret_sha256": iap.Oauth2ClientSecretSha256, }) - - return result } func expandBackends(configured []interface{}) ([]*computeBeta.Backend, error) { diff --git a/google/resource_compute_backend_service_test.go b/google/resource_compute_backend_service_test.go index c003aa63296..1c6b5b0fcd3 100644 --- a/google/resource_compute_backend_service_test.go +++ b/google/resource_compute_backend_service_test.go @@ -111,14 +111,15 @@ func TestAccComputeBackendService_withBackendAndIAP(t *testing.T) { Config: testAccComputeBackendService_withBackendAndIAP( serviceName, igName, itName, checkName, 10), Check: resource.ComposeTestCheckFunc( - testAccCheckComputeBackendServiceExistsWithIAP( - "google_compute_backend_service.lipsum", &svc), + testAccCheckComputeBackendServiceExistsWithIAP("google_compute_backend_service.lipsum", &svc), + resource.TestCheckResourceAttr("google_compute_backend_service.lipsum", "iap.0.oauth2_client_secret", "test"), ), }, { - ResourceName: "google_compute_backend_service.lipsum", - ImportState: true, - ImportStateVerify: true, + ResourceName: "google_compute_backend_service.lipsum", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"}, }, { Config: testAccComputeBackendService_withBackend( diff --git a/website/docs/r/compute_backend_service.html.markdown b/website/docs/r/compute_backend_service.html.markdown index 0d71717677c..54ed5ac59ff 100644 --- a/website/docs/r/compute_backend_service.html.markdown +++ b/website/docs/r/compute_backend_service.html.markdown @@ -179,12 +179,16 @@ The `iap` block supports: * `oauth2_client_id` - (Required) The client ID for use with OAuth 2.0. * `oauth2_client_secret` - (Required) The client secret for use with OAuth 2.0. +Out of band changes to this field will not be detected by Terraform, and it may +perform spurious no-op updates when imported, or upgraded from pre-`2.0.0`. ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: +* `iap.0.oauth2_client_secret_sha256` - The SHA256 hash of the OAuth 2.0 client secret value. + * `fingerprint` - The fingerprint of the backend service. * `self_link` - The URI of the created resource. diff --git a/website/docs/version_2_upgrade.html.markdown b/website/docs/version_2_upgrade.html.markdown index 916a61be506..7b45cb65ab2 100644 --- a/website/docs/version_2_upgrade.html.markdown +++ b/website/docs/version_2_upgrade.html.markdown @@ -289,6 +289,14 @@ for more details. Use the [`google-beta` provider](#google-beta-provider) to set this field. +### `iap` may cause spurious updates + +Due to technical limitations around how Terraform can diff fields, you may see a +spurious update where the client secret in your config replaces an incorrect +value that was recorded in state, the SHA256 hash of the secret's value. + +You may also encounter the same behaviour on import. + ## Resource: `google_compute_disk` ### `disk_encryption_key_raw` and `disk_encryption_key_sha256` have been removed.