From 270c1dc5ec140a88b312877e026e105465404c15 Mon Sep 17 00:00:00 2001 From: Matt Shaw Date: Wed, 6 May 2026 11:48:42 -0700 Subject: [PATCH] apigee: populate sharedflow_deployment fields in Read The Read function for google_apigee_sharedflow_deployment fetched the deployment from the API but never copied the response into Terraform state. As a result service_account always read back as null, and because service_account is ForceNew this caused destructive resource replacement after terraform import whenever the user's HCL declared a non-empty service_account that matched what was actually deployed. Populate environment, sharedflow_id (from the apiProxy response field), revision, and service_account in state from the GET response. Also strip the projects/-/serviceAccounts/ prefix that the API may return on serviceAccount, so a Read after a Create using the bare-email form that the schema documents shows no drift. Update the existing acceptance test to declare a service_account on the deployment so the existing ImportStateVerify steps now exercise the field; previously they did not because no service_account was set. Fixes hashicorp/terraform-provider-google#25332 --- .../resource_apigee_sharedflow_deployment.go | 32 ++++++++++++++++++- ...ource_apigee_sharedflow_deployment_test.go | 15 ++++++--- 2 files changed, 42 insertions(+), 5 deletions(-) diff --git a/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment.go b/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment.go index bb8091b997ce..5c2b6ca0895d 100644 --- a/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment.go +++ b/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment.go @@ -3,6 +3,7 @@ package apigee import ( "fmt" "log" + "strings" "time" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" @@ -140,6 +141,23 @@ func resourceApigeeSharedflowDeploymentRead(d *schema.ResourceData, meta interfa } log.Printf("[DEBUG] ApigeeSharedflowDeployment deployStartTime %s", res["deployStartTime"]) + // org_id is not returned by the API; it is derived from the resource ID + // (set by Create or by the import parser) and stays in state untouched. + if err := d.Set("environment", flattenApigeeSharedflowDeploymentEnvironment(res["environment"], d, config)); err != nil { + return fmt.Errorf("Error reading SharedflowDeployment: %s", err) + } + // The API uses `apiProxy` for both API proxy and shared flow deployments + // to identify the deployed artifact. + if err := d.Set("sharedflow_id", flattenApigeeSharedflowDeploymentSharedflowId(res["apiProxy"], d, config)); err != nil { + return fmt.Errorf("Error reading SharedflowDeployment: %s", err) + } + if err := d.Set("revision", flattenApigeeSharedflowDeploymentRevision(res["revision"], d, config)); err != nil { + return fmt.Errorf("Error reading SharedflowDeployment: %s", err) + } + if err := d.Set("service_account", flattenApigeeSharedflowDeploymentServiceAccount(res["serviceAccount"], d, config)); err != nil { + return fmt.Errorf("Error reading SharedflowDeployment: %s", err) + } + return nil } @@ -263,7 +281,19 @@ func flattenApigeeSharedflowDeploymentRevision(v interface{}, d *schema.Resource } func flattenApigeeSharedflowDeploymentServiceAccount(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { - return v + // The Apigee API may return service accounts as a full resource name + // (e.g. "projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com") + // while the schema documents (and Create accepts) the bare email form. + // Strip the prefix when present so a Read after a Create using the bare + // email does not show drift. + if v == nil { + return v + } + s, ok := v.(string) + if !ok { + return v + } + return strings.TrimPrefix(s, "projects/-/serviceAccounts/") } func init() { diff --git a/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment_test.go b/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment_test.go index 747804b3eea8..29a50391bc12 100644 --- a/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment_test.go +++ b/mmv1/third_party/terraform/services/apigee/resource_apigee_sharedflow_deployment_test.go @@ -135,11 +135,18 @@ resource "google_apigee_sharedflow" "test_apigee_sharedflow" { depends_on = [google_apigee_organization.apigee_org] } +resource "google_service_account" "sharedflow_sa" { + account_id = "tf-test-sf-sa%{random_suffix}" + display_name = "TF Test Sharedflow SA" + project = google_project.project.project_id +} + resource "google_apigee_sharedflow_deployment" "sharedflow_deployment_test" { - environment = google_apigee_environment.apigee_environment.name - org_id = google_apigee_sharedflow.test_apigee_sharedflow.org_id - revision = google_apigee_sharedflow.test_apigee_sharedflow.revision[length(google_apigee_sharedflow.test_apigee_sharedflow.revision)-1] - sharedflow_id = google_apigee_sharedflow.test_apigee_sharedflow.name + environment = google_apigee_environment.apigee_environment.name + org_id = google_apigee_sharedflow.test_apigee_sharedflow.org_id + revision = google_apigee_sharedflow.test_apigee_sharedflow.revision[length(google_apigee_sharedflow.test_apigee_sharedflow.revision)-1] + sharedflow_id = google_apigee_sharedflow.test_apigee_sharedflow.name + service_account = google_service_account.sharedflow_sa.email } `, context) }