fix(bigqueryconnection): flatten authentication fields from API response

[ota2000]

Description

The custom flatten function for the username_password block in google_bigquery_connection.configuration.authentication, introduced in #17083, was returning values from state via d.Get(...) instead of the API response. This caused two visible bugs:

1. After importing an existing connection, terraform plan always reported + username = "..." because the imported state was empty (d.Get returned "").
2. secret_type (output-only) was never populated, leaving it permanently null in state.

Fix

• Read username and password.secret_type from the API response (v).
• Keep password.plaintext from state because the API redacts it on read (avoids a permadiff).
• Drop configuration.0.authentication.0.username_password.0.username from the example test's ignore_read_extra. It is no longer needed now that the field round-trips through state correctly.

Behavior change

Limited to drift detection: external changes to username on the API side are now reflected on the next terraform plan, which matches Terraform's expected drift-detection semantics. Newly-created or already-applied resources see no diff (state and API agree).

Reproduction

Before the fix, with a connection created out-of-band and imported into state:

import {
  to = google_bigquery_connection.example
  id = "projects/my-project/locations/us-central1/connections/my-connection"
}

resource "google_bigquery_connection" "example" {
  configuration {
    connector_id = "google-alloydb"
    authentication {
      username_password {
        username = "dbuser"
        password { plaintext = "..." }
      }
    }
    # ...
  }
}

terraform plan reports + username = "dbuser" even though the API already has the correct value.

Release Note

bigqueryconnection: fixed an issue where `configuration.authentication.username_password.password.secret_type` is not populated and a diff on `configuration.authentication.username_password.username` after import in `google_bigquery_connection` resource

[github-actions]

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@shuyama1, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[github-actions]

@shuyama1 This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes for commit af125d1:

Diff report

Your PR generated the following diffs in downstream repositories:

Repository	Diff Link	Changes
google provider	View Diff	2 files changed, 22 insertions(+), 7 deletions(-)
google-beta provider	View Diff	2 files changed, 22 insertions(+), 7 deletions(-)

Test report

Analytics

Total Tests	Passed	Skipped	Affected
17	13	4	0

Affected Service Packages

• bigqueryconnection

Learn how VCR tests work

---

Step 1: Replaying Mode

🟢 All tests passed in Replaying mode! No Recording was needed.

View the build log

@ota2000, @sachinpro, @shuyama1 VCR tests complete for af125d1!

[github-actions]

@GoogleCloudPlatform/terraform-team @shuyama1 This PR has been waiting for review for 1 week. Please take a look! Use the label disable-review-reminders to disable these notifications.

[shuyama1]

Running some tests on TC

[shuyama1]

Thank you!