Deprecate private key fields in IAM Service

Signed-off-by: Andy Lo-A-Foe <andy.loafoe@gmail.com>

docs/resources/iam_service.md

@@ -75,9 +75,9 @@ The following arguments are supported:
 * `validity` - (Optional) Integer. Validity of service (in months). Minimum: 1, Maximum: 600 (5 years), Default: 12
 * `token_validity` - (Optional) Integer. Access Token Lifetime (in seconds). Default: 1800 (30 minutes), Maximum: 2592000 (30 days)
 * `default_scopes` - (Required) Array. Default scopes. You do not have to specify these explicitly when requesting a token. Minimum: ["openid"]
-* `self_managed_private_key` - (Optional)  RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
+* `self_managed_private_key` - (Deprecated, Optional)  RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
   IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM
-* `self_managed_expires_on` - (Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
+* `self_managed_expires_on` - (Deprecated, Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
 * `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service.
   This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`
 

internal/services/iam/service/resource_iam_service.go

@@ -86,11 +86,13 @@ func ResourceIAMService() *schema.Resource {
 				Optional:  true,
 				Description: "RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
 					"Mutually exclusive with `self_managed_certificate`",
+				Deprecated: "Use 'self_managed_certificate' instead. This will be removed in a future version",
 			},
 			"self_managed_expires_on": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.\nOnly applicable when `self_managed_private_key` is used",
+				Deprecated:  "Use 'self_managed_certificate' instead. This will be removed in a future version",
 			},
 			"self_managed_certificate": {
 				Type:      schema.TypeString,
@@ -189,7 +191,7 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
 	}
 	_ = d.Set("private_key", iam.FixPEM(createdService.PrivateKey))
 
-	// Set certificate if set from the get go
+	// Set certificate if set from the get-go
 	if selfPrivateKey != "" {
 		diags = setSelfManagedPrivateKey(client, *createdService, d)
 		if len(diags) > 0 {
@@ -320,7 +322,7 @@ func resourceIAMServiceUpdate(ctx context.Context, d *schema.ResourceData, m int
 		privateKey := d.Get("private_key").(string)
 
 		if newPrivateKey.(string) == "" && newCertificate.(string) == "" && privateKey == "" {
-			return diag.FromErr(fmt.Errorf("you cannot revert to a server side managed private key once you set a self managed private key or certificate"))
+			return resourceIAMServiceRead(ctx, d, m) // Don't update anything
 		}
 		if newCertificate.(string) != "" && newPrivateKey.(string) != "" {
 			return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))