From fd0bee0367a74f7bc121e9e010de8e88b217f60d Mon Sep 17 00:00:00 2001
From: Andy Lo-A-Foe
Date: Tue, 8 Oct 2024 22:47:14 +0200
Subject: [PATCH] Deprecate private key fields in IAM Service
Signed-off-by: Andy Lo-A-Foe
---
 docs/resources/iam_service.md | 4 ++--
 internal/services/iam/service/resource_iam_service.go | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/docs/resources/iam_service.md b/docs/resources/iam_service.md
index 18fbd794..d5dbf6fb 100644
--- a/docs/resources/iam_service.md
+++ b/docs/resources/iam_service.md
@@ -75,9 +75,9 @@ The following arguments are supported:
 * `validity` - (Optional) Integer. Validity of service (in months). Minimum: 1, Maximum: 600 (5 years), Default: 12
 * `token_validity` - (Optional) Integer. Access Token Lifetime (in seconds). Default: 1800 (30 minutes), Maximum: 2592000 (30 days)
 * `default_scopes` - (Required) Array. Default scopes. You do not have to specify these explicitly when requesting a token. Minimum: ["openid"]
-* `self_managed_private_key` - (Optional) RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
+* `self_managed_private_key` - (Deprecated, Optional) RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
 IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM
-* `self_managed_expires_on` - (Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
+* `self_managed_expires_on` - (Deprecated, Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
 * `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the
 IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`
diff --git a/internal/services/iam/service/resource_iam_service.go b/internal/services/iam/service/resource_iam_service.go
index eb54b69d..ac553c9a 100644
--- a/internal/services/iam/service/resource_iam_service.go
+++ b/internal/services/iam/service/resource_iam_service.go
@@ -86,11 +86,13 @@ func ResourceIAMService() *schema.Resource {
 Optional: true,
 Description: "RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM.\n" +
 "Mutually exclusive with `self_managed_certificate`",
+ Deprecated: "Use 'self_managed_certificate' instead. This will be removed in a future version",
 },
 "self_managed_expires_on": {
 Type: schema.TypeString,
 Optional: true,
 Description: "Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.\nOnly applicable when `self_managed_private_key` is used",
+ Deprecated: "Use 'self_managed_certificate' instead. This will be removed in a future version",
 },
 "self_managed_certificate": {
 Type: schema.TypeString,
@@ -189,7 +191,7 @@ func resourceIAMServiceCreate(ctx context.Context, d *schema.ResourceData, m int
 }
 _ = d.Set("private_key", iam.FixPEM(createdService.PrivateKey))
- // Set certificate if set from the get go
+ // Set certificate if set from the get-go
 if selfPrivateKey != "" {
 diags = setSelfManagedPrivateKey(client, *createdService, d)
 if len(diags) > 0 {
@@ -320,7 +322,7 @@ func resourceIAMServiceUpdate(ctx context.Context, d *schema.ResourceData, m int
 privateKey := d.Get("private_key").(string)
 if newPrivateKey.(string) == "" && newCertificate.(string) == "" && privateKey == "" {
- return diag.FromErr(fmt.Errorf("you cannot revert to a server side managed private key once you set a self managed private key or certificate"))
+ return resourceIAMServiceRead(ctx, d, m) // Don't update anything
 }
 if newCertificate.(string) != "" && newPrivateKey.(string) != "" {
 return diag.FromErr(fmt.Errorf("you cannot set 'self_managed_private_key' value in combination with 'self_managed_certificate'"))
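Review bot: The `Deprecated` text added under `self_managed_private_key` points users to `self_managed_certificate`, but the `Description` directly above it still presents the field as a live peer option ("Mutually exclusive with `self_managed_certificate`") with no hint that it is being retired, and both strings are what `terraform plan` prints, so the two should be brought in line. For `self_managed_expires_on` the advice to "use `self_managed_certificate` instead" presumably means the certificate's own validity period takes over; saying so avoids a user looking for an expiry knob on the certificate: `Deprecated: "Use 'self_managed_certificate' instead; the certificate's own validity replaces this field. This will be removed in a future version",`. The schema literal in `ResourceIAMService` starts and ends outside the hunk, so the private-key attribute's `Type` and `Sensitive` settings are not visible here; while the field remains in the schema it is worth confirming it carries `Sensitive: true`, since a PEM private key supplied through it ends up in plan output and state.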
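Review bot: The new early return in `resourceIAMServiceUpdate` turns what was an explicit error into a silent no-op: when both `self_managed_private_key` and `self_managed_certificate` are removed from the configuration and no server-generated `private_key` is in state, the apply now succeeds and refreshes, yet the IAM service keeps whichever self-managed credential was last uploaded. The operator has asked for a revert to a server-managed key and gets no signal that the previous key or certificate is still accepted by IAM. At minimum attach a warning so this shows up in the apply output, e.g. `warn := diag.Diagnostics{{Severity: diag.Warning, Summary: "reverting to a server-managed private key is not supported; the existing self-managed credential remains active"}}` followed by `return append(warn, resourceIAMServiceRead(ctx, d, m)...)`. Because the guard returns before the rest of the function, any other attribute changes handled later in `resourceIAMServiceUpdate` would presumably be skipped on the same apply; the function starts and ends outside the hunk, so that ordering should be checked.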