Fix issue with google_compute_backend_service IAP client secret @ update #2978

Merged
merged 1 commit into from
Feb 1, 2019
25 changes: 11 additions & 14 deletions google/resource_compute_backend_service.go
@@ -1,7 +1,6 @@
package google

import (
"crypto/sha256"
"errors"
"fmt"
"log"
Expand Down Expand Up @@ -53,12 +52,11 @@ func resourceComputeBackendService() *schema.Resource {
Type: schema.TypeString,
Required: true,
Sensitive: true,
DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
if old == fmt.Sprintf("%x", sha256.Sum256([]byte(new))) {
return true
}
return false
},
},
"oauth2_client_secret_sha256": {
Type: schema.TypeString,
Computed: true,
Sensitive: true,
},
},
},
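
Review bot: With the `DiffSuppressFunc` gone from `oauth2_client_secret`, nothing in the schema compares the configured secret with the new `oauth2_client_secret_sha256` value, so a secret rotated outside Terraform produces no diff. A `CustomizeDiff` on the resource that hashes the configured secret with SHA256 and compares it to `iap.0.oauth2_client_secret_sha256` would restore drift detection without storing the hash in the secret field.
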
Expand Down Expand Up @@ -321,7 +319,7 @@ func resourceComputeBackendServiceRead(d *schema.ResourceData, meta interface{})
d.Set("self_link", ConvertSelfLinkToV1(service.SelfLink))
d.Set("backend", flattenBackends(service.Backends))
d.Set("connection_draining_timeout_sec", service.ConnectionDraining.DrainingTimeoutSec)
d.Set("iap", flattenIap(service.Iap))
d.Set("iap", flattenIap(d, service.Iap))
d.Set("project", project)
guardedHealthChecks := make([]string, len(service.HealthChecks))
for i, v := range service.HealthChecks {
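
Review bot: The return value of `d.Set("iap", flattenIap(d, service.Iap))` is discarded, and `iap` is a nested block whose flattened map now carries a third key, so a mismatch between that map and the schema would be dropped silently and leave the block unset in state. Suggest checking it: `if err := d.Set("iap", flattenIap(d, service.Iap)); err != nil { return fmt.Errorf("Error setting iap: %s", err) }`.
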
Expand Down Expand Up @@ -423,18 +421,17 @@ func expandIap(configured []interface{}) *computeBeta.BackendServiceIAP {
}
}

func flattenIap(iap *computeBeta.BackendServiceIAP) []map[string]interface{} {
func flattenIap(d *schema.ResourceData, iap *computeBeta.BackendServiceIAP) []map[string]interface{} {
result := make([]map[string]interface{}, 0, 1)
if iap == nil || !iap.Enabled {
return result
}

result = append(result, map[string]interface{}{
"oauth2_client_id": iap.Oauth2ClientId,
"oauth2_client_secret": iap.Oauth2ClientSecretSha256,
return append(result, map[string]interface{}{
"oauth2_client_id": iap.Oauth2ClientId,
"oauth2_client_secret": d.Get("iap.0.oauth2_client_secret"),
"oauth2_client_secret_sha256": iap.Oauth2ClientSecretSha256,
})

return result
}

func expandBackends(configured []interface{}) ([]*computeBeta.Backend, error) {
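
Review bot: `"oauth2_client_secret": d.Get("iap.0.oauth2_client_secret")` writes back whatever is already in state, so the raw secret now persists in the state file, the field is empty after an import, and a state written by an earlier version keeps the hash there until the next apply. A comment on that line saying that only `iap.Oauth2ClientSecretSha256` is read from the API response and that the secret is deliberately echoed from state would make this intent clear, and `flattenIap` taking `*schema.ResourceData` only for this one lookup could instead take the current secret as a string argument so it stays easy to unit test.
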
11 changes: 6 additions & 5 deletions google/resource_compute_backend_service_test.go
Expand Up @@ -111,14 +111,15 @@ func TestAccComputeBackendService_withBackendAndIAP(t *testing.T) {
Config: testAccComputeBackendService_withBackendAndIAP(
serviceName, igName, itName, checkName, 10),
Check: resource.ComposeTestCheckFunc(
testAccCheckComputeBackendServiceExistsWithIAP(
"google_compute_backend_service.lipsum", &svc),
testAccCheckComputeBackendServiceExistsWithIAP("google_compute_backend_service.lipsum", &svc),
resource.TestCheckResourceAttr("google_compute_backend_service.lipsum", "iap.0.oauth2_client_secret", "test"),
),
},
{
ResourceName: "google_compute_backend_service.lipsum",
ImportState: true,
ImportStateVerify: true,
ResourceName: "google_compute_backend_service.lipsum",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
},
{
Config: testAccComputeBackendService_withBackend(
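
Review bot: The added `resource.TestCheckResourceAttr` covers only `iap.0.oauth2_client_secret`; nothing in this step asserts the new `iap.0.oauth2_client_secret_sha256` attribute. Adding a check that it equals the hex SHA256 of "test" would also show the two fields are not swapped. The `ImportStateVerifyIgnore` entry deserves a one-line comment saying the secret cannot be read back on import.
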
4 changes: 4 additions & 0 deletions website/docs/r/compute_backend_service.html.markdown
Expand Up @@ -179,12 +179,16 @@ The `iap` block supports:
* `oauth2_client_id` - (Required) The client ID for use with OAuth 2.0.

* `oauth2_client_secret` - (Required) The client secret for use with OAuth 2.0.
Out of band changes to this field will not be detected by Terraform, and it may
perform spurious no-op updates when imported, or upgraded from pre-`2.0.0`.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
exported:

* `iap.0.oauth2_client_secret_sha256` - The SHA256 hash of the OAuth 2.0 client secret value.

* `fingerprint` - The fingerprint of the backend service.

* `self_link` - The URI of the created resource.
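
Review bot: The new text under `oauth2_client_secret` explains the missing drift detection but not that the secret value itself is now kept in Terraform state, where this field previously held the hash. Suggest one more sentence there stating that the value is stored in state and that the state should be protected accordingly, and pointing to `iap.0.oauth2_client_secret_sha256` as the value that reflects what the API currently holds.
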
8 changes: 8 additions & 0 deletions website/docs/version_2_upgrade.html.markdown
Expand Up @@ -289,6 +289,14 @@ for more details.

Use the [`google-beta` provider](#google-beta-provider) to set this field.

### `iap` may cause spurious updates

Due to technical limitations around how Terraform can diff fields, you may see a
spurious update where the client secret in your config replaces an incorrect
value that was recorded in state, the SHA256 hash of the secret's value.

You may also encounter the same behaviour on import.

## Resource: `google_compute_disk`

### `disk_encryption_key_raw` and `disk_encryption_key_sha256` have been removed.
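
Review bot: The `iap` section does not name the resource or the field the reader will see change in the plan, and "an incorrect value that was recorded in state, the SHA256 hash of the secret's value" is hard to parse. Suggest naming `google_compute_backend_service` and `iap.0.oauth2_client_secret` explicitly, and rewording along the lines of "state from earlier versions recorded the SHA256 hash of the secret in this field; the first apply replaces it with the secret from your config".
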