compute: added shared_secret_wo and shared_secret_wo_version fields to google_compute_vpn_tunnel + changes to write_only implementation in generator/templating

[ramonvermeulen]

Closes hashicorp/terraform-provider-google#23058

Release Note Template for Downstream PRs (will be copied)

See Write release notes for guidance.

compute: added `shared_secret_wo` and `shared_secret_wo_version` fields to `google_compute_vpn_tunnel`

[ramonvermeulen]

I am struggling a bit with the implementation, because of the following part in the template:

magic-modules/mmv1/templates/tgc/resource_converter.go.tmpl

Line 84 in d1f4492

{{ $prop.ApiName -}}Prop, err := expand{{ $.ResourceName -}}{{$prop.TitlelizeProperty}}(nil, d, config)

Because sharedSecret as well as sharedSecretWo share the same API name (sharedSecret), the yaml config generates the following:

	sharedSecretProp, err := expandComputeVpnTunnelSharedSecret(d.Get("shared_secret"), d, config)
	if err != nil {
		return err
	} else if v, ok := d.GetOkExists("shared_secret"); !tpgresource.IsEmptyValue(reflect.ValueOf(sharedSecretProp)) && (ok || !reflect.DeepEqual(v, sharedSecretProp)) {
		obj["sharedSecret"] = sharedSecretProp
	}
	sharedSecretProp, err := expandComputeVpnTunnelSharedSecretWo(d.Get("shared_secret_wo"), d, config)
	if err != nil {
		return err
	} else if v, ok := d.GetOkExists("shared_secret_wo"); !tpgresource.IsEmptyValue(reflect.ValueOf(sharedSecretProp)) && (ok || !reflect.DeepEqual(v, sharedSecretProp)) {
		obj["sharedSecret"] = sharedSecretProp
	}

Causing an error on the second generation of sharedSecretProp, would love some guidance on how to implement write-only arguments in a correct way.

You can see the error in the unit tests as well:

I took

magic-modules/mmv1/products/secretmanager/SecretVersion.yaml

Line 167 in 89b90c0

- name: 'secretDataWo'

as an example, however, in the secret manager variant this problem is solved via a custom_expand. But that is only possible if the write only argument is nested at least 1 level deep.

[ramonvermeulen]

This has been one of my deepest debugging sprees so far into the internals of magic-modules.

I have the feeling my yaml configuration was as it should be for implementing write-only arguments, however, my tests kept failing. To eventually get write-only arguments to work with my yaml configuration I had to do quite some debugging into how the code for write-only argument is generated.

I would love to hear your thoughts on this and the changes that I made, I followed the terraform provider sdk page on write-only arguments as reference. But possibly I was implementing my yaml incorrect in the first place, and some of the changes I made to the templates are not required (I don't know all the ins and outs, and possible impact).

Some key changes I made to the resource generation templates:

• Changed p.IgnoreRead to p.IgnoreRead || p.WriteOnly for the ReadProperties of a resource. I don't see a scenario where you want to read back a "write-only" argument from the API, but maybe I am missing something?
• Added {{if $prop.WriteOnly -}}Wo{{- end}} suffix to the expand functions, because of naming conflicts when two arguments use the same api field (which is the case with write-only) see compute: added shared_secret_wo and shared_secret_wo_version fields to google_compute_vpn_tunnel + changes to write_only implementation in generator/templating #14138 (comment)
• Added {{ else if $prop.WriteOnly }}getRawConfigAttributeAsString(d, "{{ underscore $prop.Name }}"){{ else }}, it seemed like in the old situation for the expand function the write-only argument was retrieved from the plan (via d.Get("{{underscore $prop.Name}}"), at least this was always empty), while the documentation states it can only be retrieved from config, I used this as reference.
• Added to condition to not generate flatten (just like ignore_read), since (I think) you do not need this anyways for a write-only argument

Local acceptance tests:

❯ make testacc TEST=./google/services/compute TESTARGS='-run=TestAccComputeVpnTunnel_'

TF_ACC=1 TF_SCHEMA_PANIC_ON_ERROR=1 go test ./google/services/compute -v -run=TestAccComputeVpnTunnel_ -timeout 240m -ldflags="-X=github.com/hashicorp/terraform-provider-google/version.ProviderVersion=acc"
=== RUN   TestAccComputeVpnTunnel_vpnTunnelBasicExample
=== PAUSE TestAccComputeVpnTunnel_vpnTunnelBasicExample
=== RUN   TestAccComputeVpnTunnel_regionFromGateway
=== PAUSE TestAccComputeVpnTunnel_regionFromGateway
=== RUN   TestAccComputeVpnTunnel_router
=== PAUSE TestAccComputeVpnTunnel_router
=== RUN   TestAccComputeVpnTunnel_routerWithSharedSecretWo_update
=== PAUSE TestAccComputeVpnTunnel_routerWithSharedSecretWo_update
=== RUN   TestAccComputeVpnTunnel_defaultTrafficSelectors
=== PAUSE TestAccComputeVpnTunnel_defaultTrafficSelectors
=== CONT  TestAccComputeVpnTunnel_vpnTunnelBasicExample
=== CONT  TestAccComputeVpnTunnel_routerWithSharedSecretWo_update
=== CONT  TestAccComputeVpnTunnel_defaultTrafficSelectors
=== CONT  TestAccComputeVpnTunnel_router
=== CONT  TestAccComputeVpnTunnel_regionFromGateway
--- PASS: TestAccComputeVpnTunnel_router (156.26s)
--- PASS: TestAccComputeVpnTunnel_vpnTunnelBasicExample (204.51s)
--- PASS: TestAccComputeVpnTunnel_regionFromGateway (227.94s)
--- PASS: TestAccComputeVpnTunnel_defaultTrafficSelectors (249.41s)
--- PASS: TestAccComputeVpnTunnel_routerWithSharedSecretWo_update (287.52s)
PASS
ok      github.com/hashicorp/terraform-provider-google/google/services/compute  288.258s

The tfstate after local apply via manual testing:

[github-actions]

Hello! I am a robot. Tests will require approval from a repository maintainer to run.

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@melinath, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.