hashicorp · modular-magician · Aug 22, 2024 · Aug 22, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: allowed disabling 'server_tls_policy' during update in 'google_compute_target_https_proxy' resources
+```
@@ -144,7 +144,12 @@ set to INTERNAL_SELF_MANAGED or EXTERNAL or EXTERNAL_MANAGED.
 For details which ServerTlsPolicy resources are accepted with
 INTERNAL_SELF_MANAGED and which with EXTERNAL, EXTERNAL_MANAGED
 loadBalancingScheme consult ServerTlsPolicy documentation.
-If left blank, communications are not encrypted.`,
+If left blank, communications are not encrypted.
+
+If you remove this field from your configuration at the same time as
+deleting or recreating a referenced ServerTlsPolicy resource, you will
+receive a resourceInUseByAnotherResource error. Use lifecycle.create_before_destroy
+within the ServerTlsPolicy resource to avoid this.`,
 			},
 			"ssl_certificates": {
 				Type:     schema.TypeList,
@@ -1072,6 +1077,14 @@ func resourceComputeTargetHttpsProxyEncoder(d *schema.ResourceData, meta interfa
 		obj["sslCertificates"] = obj["certificateManagerCertificates"]
 		delete(obj, "certificateManagerCertificates")
 	}
+
+	// Send null if serverTlsPolicy is not set. Without this, Terraform would not send any value for `serverTlsPolicy`
+	// in the "PATCH" payload so if you were to remove a server TLS policy from a target HTTPS proxy, it would NOT remove
+	// the association.
+	if _, ok := obj["serverTlsPolicy"]; !ok {
+		obj["serverTlsPolicy"] = nil
+	}
+
 	return obj, nil
 }
 
@@ -1085,6 +1098,14 @@ func resourceComputeTargetHttpsProxyUpdateEncoder(d *schema.ResourceData, meta i
 		obj["sslCertificates"] = obj["certificateManagerCertificates"]
 		delete(obj, "certificateManagerCertificates")
 	}
+
+	// Send null if serverTlsPolicy is not set. Without this, Terraform would not send any value for `serverTlsPolicy`
+	// in the "PATCH" payload so if you were to remove a server TLS policy from a target HTTPS proxy, it would NOT remove
+	// the association.
+	if _, ok := obj["serverTlsPolicy"]; !ok {
+		obj["serverTlsPolicy"] = nil
+	}
+
 	return obj, nil
 }
 

@@ -92,21 +92,29 @@ func TestAccComputeTargetHttpsProxyServerTlsPolicy_update(t *testing.T) {
 		CheckDestroy:             testAccCheckComputeTargetHttpsProxyDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeTargetHttpsProxyServerTlsPolicy_full(resourceSuffix),
+				Config: testAccComputeTargetHttpsProxyWithoutServerTlsPolicy(resourceSuffix),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckComputeTargetHttpsProxyExists(
 						t, "google_compute_target_https_proxy.foobar", &proxy),
 					testAccComputeTargetHttpsProxyHasNullServerTlsPolicy(t, &proxy),
 				),
 			},
 			{
-				Config: testAccComputeTargetHttpsProxyServerTlsPolicy_update(resourceSuffix),
+				Config: testAccComputeTargetHttpsProxyWithServerTlsPolicy(resourceSuffix),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckComputeTargetHttpsProxyExists(
 						t, "google_compute_target_https_proxy.foobar", &proxy),
 					testAccComputeTargetHttpsProxyHasServerTlsPolicy(t, "tf-test-server-tls-policy-"+resourceSuffix, &proxy),
 				),
 			},
+			{
+				Config: testAccComputeTargetHttpsProxyWithoutServerTlsPolicy(resourceSuffix),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeTargetHttpsProxyExists(
+						t, "google_compute_target_https_proxy.foobar", &proxy),
+					testAccComputeTargetHttpsProxyHasNullServerTlsPolicy(t, &proxy),
+				),
+			},
 		},
 	})
 }
@@ -419,7 +427,7 @@ resource "google_certificate_manager_dns_authorization" "instance" {
 `, id, id, id, id, id, id, id, id)
 }
 
-func testAccComputeTargetHttpsProxyServerTlsPolicy_full(id string) string {
+func testAccComputeTargetHttpsProxyWithoutServerTlsPolicy(id string) string {
 	return fmt.Sprintf(`
 data "google_project" "project" {}
 
@@ -428,7 +436,6 @@ resource "google_compute_target_https_proxy" "foobar" {
   name              = "tf-test-httpsproxy-%s"
 	url_map           = google_compute_url_map.foobar.self_link
 	ssl_certificates  = [google_compute_ssl_certificate.foobar.self_link]
-  server_tls_policy = null
 }
 
 resource "google_compute_backend_service" "foobar" {
@@ -454,28 +461,10 @@ resource "google_compute_ssl_certificate" "foobar" {
   private_key = file("test-fixtures/test.key")
   certificate = file("test-fixtures/test.crt")
 }
-
-resource "google_certificate_manager_trust_config" "trust_config" {
-  name     = "tf-test-trust-config-%s"
-  location = "global"
-
-  allowlisted_certificates  {
-    pem_certificate = file("test-fixtures/cert.pem")
-  }
-}
-
-resource "google_network_security_server_tls_policy" "server_tls_policy" {
-  name = "tf-test-server-tls-policy-%s"
-
-  mtls_policy {
-    client_validation_trust_config = "projects/${data.google_project.project.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.trust_config.name}"
-    client_validation_mode         = "ALLOW_INVALID_OR_MISSING_CLIENT_CERT"
-  }
-}
-`, id, id, id, id, id, id, id)
+`, id, id, id, id, id)
 }
 
-func testAccComputeTargetHttpsProxyServerTlsPolicy_update(id string) string {
+func testAccComputeTargetHttpsProxyWithServerTlsPolicy(id string) string {
 	return fmt.Sprintf(`
 data "google_project" "project" {}
 
@@ -527,6 +516,10 @@ resource "google_network_security_server_tls_policy" "server_tls_policy" {
     client_validation_trust_config = "projects/${data.google_project.project.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.trust_config.name}"
     client_validation_mode         = "ALLOW_INVALID_OR_MISSING_CLIENT_CERT"
   }
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 `, id, id, id, id, id, id, id)
 }
@@ -404,6 +404,10 @@ The following arguments are supported:
   INTERNAL_SELF_MANAGED and which with EXTERNAL, EXTERNAL_MANAGED
   loadBalancingScheme consult ServerTlsPolicy documentation.
   If left blank, communications are not encrypted.
+  If you remove this field from your configuration at the same time as
+  deleting or recreating a referenced ServerTlsPolicy resource, you will
+  receive a resourceInUseByAnotherResource error. Use lifecycle.create_before_destroy
+  within the ServerTlsPolicy resource to avoid this.
 
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.