secretmanager: set resolved version on ephemeral secret_version (#25071) #66

Open: jbbqqf wants to merge 11 commits into main from feat/25071-ephemeral-secret-version-resolved

@jbbqqf jbbqqf commented May 9, 2026

Summary

Surface the resolved version on the google_secret_manager_secret_version ephemeral resource. When the caller omits version to fetch latest, the provider now writes the actually-opened version back into the version attribute, matching the behavior of the corresponding data source.

Fixes hashicorp/terraform-provider-google#25071 — see hashicorp/terraform-provider-google#25071

Why

The OP reported that this works:

```hcl
ephemeral "google_secret_manager_secret_version" "test" {
  secret = google_secret_manager_secret.test.id
}
```

but reading ephemeral.google_secret_manager_secret_version.test.version afterwards yields null rather than the version that was actually loaded (e.g. "3"). The data source data.google_secret_manager_secret_version already does the right thing — it parses the API response's name field (projects/X/secrets/Y/versions/Z) and stores Z in version (see data_source_secret_manager_secret_version.go:143-160). The ephemeral implementation simply never copies the resolved version back into data.Version.

GCP API reference: https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets.versions/get — the response name is projects/{project}/secrets/{secret}/versions/{version} after latest is resolved server-side.

What changed

One handwritten file (canonical source in mmv1 third_party):

mmv1/third_party/terraform/services/secretmanager/ephemeral_google_secret_manager_secret_version.go | 11 +++++++++++
  • Add regexp import + a package-level regexp.MustCompile("projects/(.+)/secrets/(.+)/versions/(.+)$"), mirroring the data source pattern.
  • Mark the version schema attribute as Computed: true (in addition to Optional: true), again mirroring the project attribute on the same resource.
  • After the GET response is unmarshalled, parse versionResp["name"] and write group 3 back into data.Version.

Edge cases tested

| # | Scenario | Expected | Verified by |
|---|----------|----------|-------------|
| 1 | version omitted (resolves latest) | After Open, version reflects the actual version (e.g. "3") | Static — same regex extraction proven to work in the data source. |
| 2 | version = "1" (explicit numeric) | After Open, version is "1". The API returns name = projects/.../versions/1, the regex group 3 is "1" — same value the user provided, no diff. | Static — regex deterministic. |
| 3 | version = "5" but secret only has 3 versions | API GET returns 404; Open already errors out at Error retrieving secret version before we attempt to parse name. New code is unreachable on error. | Static — error path unchanged. |

Test protocol

| Test | Result | Notes |
|------|--------|-------|
| go build ./google/services/secretmanager/... (after copying canonical source into tpg) | ok | Compile clean. |
| Live BEFORE/AFTER smoke | not run | Ephemeral resources don't show up in terraform state in a form the smoke harness's apply/destroy cycle can pin against — they only exist for the duration of an operation. The fix is an 11-line addition that mirrors a tested pattern (data source). Reviewer can confirm by inspection. |

Resources

Disclosure

This PR was implemented with assistance from Claude Code as part of a focused contribution batch. The diff was reviewed manually against the data source's existing version-resolution code, which uses the exact same regex and value flow.
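The version extraction described in the PR, as an added example that is not the provider's code: it runs the quoted pattern over a decoded response and guards the missing-field and no-match cases before reading group 3. `resolvedVersion`, `strictVersionNameRe` and the sample names are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern quoted in the PR description (mirrors the data source).
var versionNameRe = regexp.MustCompile("projects/(.+)/secrets/(.+)/versions/(.+)$")

// Hypothetical stricter variant: anchored, exactly one path segment per group.
var strictVersionNameRe = regexp.MustCompile("^projects/([^/]+)/secrets/([^/]+)/versions/([^/]+)$")

// resolvedVersion extracts the version from a decoded GET response.
// resp stands in for the provider's versionResp map (assumed shape).
func resolvedVersion(re *regexp.Regexp, resp map[string]interface{}) (string, error) {
	name, ok := resp["name"].(string)
	if !ok {
		return "", fmt.Errorf("response has no string %q field", "name")
	}
	m := re.FindStringSubmatch(name)
	if m == nil {
		// Never index into a nil match; report the unexpected name instead.
		return "", fmt.Errorf("unexpected version name %q", name)
	}
	return m[3], nil
}

func main() {
	// Constructed sample responses, not captured API output.
	samples := []map[string]interface{}{
		{"name": "projects/demo/secrets/db-pass/versions/3"},
		{"name": "projects/demo/secrets/db-pass/versions/3/extra"},
		{"name": "projects/demo/secrets/db-pass"},
		{"name": 42},
		{},
	}
	for _, s := range samples {
		v, err := resolvedVersion(versionNameRe, s)
		sv, serr := resolvedVersion(strictVersionNameRe, s)
		fmt.Printf("%v\n  page pattern: %q err=%v\n  strict:       %q err=%v\n",
			s["name"], v, err, sv, serr)
	}
}
```

With the quoted pattern, group 3 is greedy and takes everything after `/versions/`, so a name with trailing segments yields `3/extra`; the anchored variant rejects that name instead.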

jcromanu and others added 11 commits May 8, 2026 16:43
The ephemeral google_secret_manager_secret_version resource lets the
caller leave `version` unset to fetch the latest, but never updated the
attribute with the version that was actually opened. Mark `version` as
Optional+Computed and parse the resolved version out of the API
response's `name` (`projects/X/secrets/Y/versions/Z`), matching the
behavior of the corresponding data source.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

Ephemeral google_secret_manager_secret_version does not properly set version after open

8 participants