compute: add name_prefix to google_compute_managed_ssl_certificate (#8889) #67
Open
jbbqqf wants to merge 12 commits into
…oogleCloudPlatform#8889) Adds the same name_prefix mechanism that google_compute_ssl_certificate already uses, so users can manage cert rotation by recreating certs with stable prefixes. Reuses the shared ssl_certificate.tmpl extra_schema_entry and the name_or_name_prefix.go.tmpl custom_expand that already power the user-managed SslCertificate resource. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Adds name_prefix support to google_compute_managed_ssl_certificate, mirroring the existing name_prefix on google_compute_ssl_certificate.

Users practising cert rotation typically need to recreate certs with stable prefixes (so the new cert exists side-by-side with the old before swap), and they want Terraform to generate the unique trailing suffix automatically. Without name_prefix, they must use random_id workarounds or imperative wrappers.
Fixes hashicorp/terraform-provider-google#8889 — see hashicorp/terraform-provider-google#8889
Why
The user-managed google_compute_ssl_certificate already supports name_prefix via a shared extra_schema_entry and custom_expand (mmv1/templates/terraform/extra_schema_entry/ssl_certificate.tmpl and mmv1/templates/terraform/custom_expand/name_or_name_prefix.go.tmpl).

The Google-managed variant has the same lifecycle constraint (certificates are immutable, must be rotated by replacement) and the same underlying API resource (compute#sslCertificate) — so the same prefix-generation logic applies as-is.
GCP API reference:
What changed
This change is to a mmv1-generated resource. Files touched in
magic-modules:
The YAML edits:
- docs.optional_properties entry documenting name_prefix (same wording as SslCertificate.yaml).
- extra_schema_entry: 'templates/terraform/extra_schema_entry/ssl_certificate.tmpl' to the custom_code block (which already had a constants entry).
- default_from_api: true and custom_expand: '.../name_or_name_prefix.go.tmpl' to the name property — same shape as the name field on SslCertificate.yaml.
- ignore_read_extra: ['name_prefix'] to both examples (matches the pattern from SslCertificate.yaml's examples — name_prefix is a client-side-only field with no read counterpart).
Edge cases tested
- name set, name_prefix unset | name = "my-cert" | name is still Optional+Computed, ConflictsWith: []string{"name_prefix"}
- name_prefix set, name unset | name_prefix = "rotation-" | name computed by id.PrefixedUniqueId(prefix) | custom_expand template emits the same logic as SslCertificate (prefix > 37 → ReducedPrefixedUniqueId, else id.PrefixedUniqueId)
- name = "x"; name_prefix = "y-" | ConflictsWith validator | ssl_certificate.tmpl schema entry has ConflictsWith: []string{"name"}
- name_prefix exceeds 54 chars | name_prefix = strings.Repeat("a", 55) | ValidateFunc rejects len > 54

Test protocol
- go run mmv1/. --output ... --version ga --no-docs)
- go build ./google/services/compute/... (TPG)
- go vet ./google/services/compute/... (TPG)
- name_prefix field | resource_compute_managed_ssl_certificate.go after regen — confirms name_prefix schema entry, ConflictsWith: []string{"name"}, and the expand-name handler
- name field is computed-from-prefix | expandComputeManagedSslCertificateName follows the shared template: returns name when set, else id.PrefixedUniqueId(name_prefix), else id.UniqueId()

This is a purely additive client-side schema extension (the API already accepts whatever name the client supplies — there is no API-side change). Live smoke is therefore not strictly necessary for confidence, and Google-managed cert provisioning is slow/expensive (30-min create timeout) which makes it costly. The static evidence is identical to what's been used for the user-managed SslCertificate name_prefix for years.
Resources
- name_prefix support to google_compute_managed_ssl_certificate hashicorp/terraform-provider-google#8889
- name_prefix): https://github.com/jbbqqf/magic-modules/blob/main/mmv1/products/compute/SslCertificate.yaml
- https://github.com/jbbqqf/magic-modules/blob/feat/8889-managed-ssl-cert-name-prefix/mmv1/products/compute/ManagedSslCertificate.yaml
Disclosure
This PR was implemented with assistance from Claude Code. The diff was modeled on the existing SslCertificate.yaml name_prefix wiring — a well-tested pattern that's been in the provider for years — and the regenerated provider compiled and vetted cleanly. The author (a human) reviewed the diff and the regenerated schema before opening this PR.
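
The name and name_prefix rules from the edge-case table above, as an added Go model (not the provider's generated code or the shared template). The 26- and 9-character suffix lengths, the terraform- default prefix, the 63-character name limit and the resolveName and fakeSuffix helpers are assumptions made for illustration; the 37 and 54 thresholds come from the PR description.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed model of the name / name_prefix rules in the edge-case table.
const (
	maxPrefixLen     = 54 // page: ValidateFunc rejects len > 54
	longSuffixCutoff = 37 // page: prefix > 37 switches to the reduced suffix
	fullSuffixLen    = 26 // assumption: length of the standard unique suffix
	reducedSuffixLen = 9  // assumption: length of the reduced unique suffix
	gcpNameLimit     = 63 // assumption: compute resource name length limit
)

// resolveName follows the decision order described on the page: explicit
// name, then prefix plus unique suffix, then a fully generated name.
// suffix is a caller-supplied stand-in for the provider's unique-ID
// generator, so the example stays deterministic.
func resolveName(name, prefix string, suffix func(n int) string) (string, error) {
	switch {
	case name != "" && prefix != "":
		return "", errors.New(`"name" conflicts with "name_prefix"`)
	case len(prefix) > maxPrefixLen:
		return "", fmt.Errorf("name_prefix is %d chars, max %d", len(prefix), maxPrefixLen)
	case name != "":
		return name, nil
	case prefix == "":
		// assumption: generated names start with "terraform-"
		return "terraform-" + suffix(fullSuffixLen), nil
	case len(prefix) > longSuffixCutoff:
		return prefix + suffix(reducedSuffixLen), nil
	default:
		return prefix + suffix(fullSuffixLen), nil
	}
}

// fakeSuffix returns n zero digits; a hypothetical placeholder, not a real ID.
func fakeSuffix(n int) string { return strings.Repeat("0", n) }

func main() {
	for _, n := range []int{9, 37, 38, 54} {
		name, _ := resolveName("", strings.Repeat("a", n), fakeSuffix)
		fmt.Printf("prefix len %2d -> name len %2d (limit %d)\n", n, len(name), gcpNameLimit)
	}
}
```

Under these assumptions both boundary prefixes (37 and 54 characters) produce names of exactly 63 characters, which is why the switch to the reduced suffix and the 54-character validator sit where they do.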