Add IAP support to compute_region_backend_service

mmv1/products/compute/api.yaml

@@ -2320,6 +2320,28 @@ objects:
         name: 'id'
         description: 'The unique identifier for the resource.'
         output: true
+      - !ruby/object:Api::Type::NestedObject
+        name: 'iap'
+        description: Settings for enabling Cloud Identity Aware Proxy
+        properties:
+          - !ruby/object:Api::Type::Boolean
+            name: 'enabled'
+            description: Enables IAP.
+          - !ruby/object:Api::Type::String
+            name: 'oauth2ClientId'
+            required: true
+            description: |
+              OAuth2 Client ID for IAP
+          - !ruby/object:Api::Type::String
+            name: 'oauth2ClientSecret'
+            required: true
+            description: |
+              OAuth2 Client Secret for IAP
+          - !ruby/object:Api::Type::String
+            name: 'oauth2ClientSecretSha256'
+            output: true
+            description: |
+              OAuth2 Client Secret SHA-256 for IAP
       - !ruby/object:Api::Type::Enum
         name: 'loadBalancingScheme'
         input: true

mmv1/products/compute/terraform.yaml

@@ -425,6 +425,18 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         custom_flatten: templates/terraform/custom_flatten/guard_self_link_array.go.erb
       id: !ruby/object:Overrides::Terraform::PropertyOverride
         exclude: true
+      iap: !ruby/object:Overrides::Terraform::PropertyOverride
+        send_empty_value: true
+      iap.enabled: !ruby/object:Overrides::Terraform::PropertyOverride
+        exclude: true
+      iap.oauth2ClientSecret: !ruby/object:Overrides::Terraform::PropertyOverride
+        send_empty_value: true
+        # We don't support ignore_read on nested fields
+        ignore_read: true
+        sensitive: true
+        custom_flatten: templates/terraform/custom_flatten/compute_backend_service_iap_oauth2_client_secret.go.erb
+      iap.oauth2ClientSecretSha256: !ruby/object:Overrides::Terraform::PropertyOverride
+        sensitive: true
       protocol: !ruby/object:Overrides::Terraform::PropertyOverride
         default_from_api: true
       portName: !ruby/object:Overrides::Terraform::PropertyOverride

mmv1/templates/terraform/decoders/region_backend_service.go.erb

@@ -12,6 +12,18 @@
 	# See the License for the specific language governing permissions and
 	# limitations under the License.
 -%>
+// We need to pretend IAP isn't there if it's disabled for Terraform to maintain
+// BC behaviour with the handwritten resource.
+v, ok :=  res["iap"]
+if !ok || v == nil {
+	delete(res, "iap")
+	return res, nil
+}
+m := v.(map[string]interface{})
+if ok && m["enabled"] == false {
+	delete(res, "iap")
+}
+
 // Requests with consistentHash will error for specific values of
 // localityLbPolicy. However, the API will not remove it if the backend
 // service is updated to from supporting to non-supporting localityLbPolicy

mmv1/templates/terraform/encoders/region_backend_service.go.erb

@@ -12,6 +12,26 @@
 	# See the License for the specific language governing permissions and
 	# limitations under the License.
 -%>
+// The RegionBackendService API's Update / PUT API is badly formed and behaves like
+// a PATCH field for at least IAP. When sent a `null` `iap` field, the API
+// doesn't disable an existing field. To work around this, we need to emulate
+// the old Terraform behaviour of always sending the block (at both update and
+// create), and force sending each subfield as empty when the block isn't
+// present in config.
+
+iapVal := obj["iap"]
+if iapVal == nil {
+	data := map[string]interface{}{}
+	data["enabled"] = false
+	data["oauth2ClientId"] = ""
+	data["oauth2ClientSecret"] = ""
+	obj["iap"] = data
+} else {
+	iap := iapVal.(map[string]interface{})
+	iap["enabled"] = true
+	obj["iap"] = iap
+}
+
 if d.Get("load_balancing_scheme").(string) == "INTERNAL_MANAGED" {
 	return obj, nil
 }

mmv1/third_party/terraform/tests/resource_compute_region_backend_service_test.go.erb

@@ -239,6 +239,36 @@ func TestAccComputeRegionBackendService_ilbUpdateFull(t *testing.T) {
 }
 <% end -%>
 
+func TestAccComputeRegionBackendService_withBackendAndIAP(t *testing.T) {
+	backendName := fmt.Sprintf("foo-%s", randString(t, 10))
+	checkName := fmt.Sprintf("bar-%s", randString(t, 10))
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckComputeRegionBackendServiceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionBackendService_ilbBasicwithIAP(backendName, checkName),
+			},
+			{
+				ResourceName:      "google_compute_region_backend_service.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+        ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
+			},
+			{
+				Config: testAccComputeRegionBackendService_ilbBasic(backendName, checkName),
+			},
+			{
+				ResourceName:      "google_compute_region_backend_service.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccComputeRegionBackendService_ilbBasic(serviceName, checkName string) string {
 	return fmt.Sprintf(`
 resource "google_compute_region_backend_service" "foobar" {
@@ -965,3 +995,43 @@ resource "google_compute_health_check" "zero" {
 }
 `, serviceName, drainingTimeout, checkName)
 }
+
+func testAccComputeRegionBackendService_ilbBasicwithIAP(serviceName, checkName string) string {
+	return fmt.Sprintf(`
+resource "google_compute_region_backend_service" "foobar" {
+  name                  = "%s"
+  health_checks         = [google_compute_health_check.health_check.self_link]
+  port_name             = "http"
+  protocol              = "HTTP"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  locality_lb_policy    = "RING_HASH"
+  circuit_breakers {
+    max_connections = 10
+  }
+  consistent_hash {
+    http_cookie {
+      ttl {
+        seconds = 11
+        nanos   = 1234
+      }
+      name = "mycookie"
+    }
+  }
+  outlier_detection {
+    consecutive_errors = 2
+  }
+
+  iap {
+    oauth2_client_id     = "test"
+    oauth2_client_secret = "test"
+  }
+}
+
+resource "google_compute_health_check" "health_check" {
+  name     = "%s"
+  http_health_check {
+    port = 80
+  }
+}
+`, serviceName, checkName)
+}