Skip to content

apikeys: migrate google_apikeys_key from DCL to MMv1 and add annotations#18328

Open
DrFaust92 wants to merge 4 commits into
GoogleCloudPlatform:mainfrom
DrFaust92:apikeys-mmv1-migration
Open

apikeys: migrate google_apikeys_key from DCL to MMv1 and add annotations#18328
DrFaust92 wants to merge 4 commits into
GoogleCloudPlatform:mainfrom
DrFaust92:apikeys-mmv1-migration

Conversation

@DrFaust92

Copy link
Copy Markdown
Contributor

Summary

Reimplements google_apikeys_key as an MMv1 resource (products/apikeys/Key.yaml), replacing the handwritten DCL implementation, and adds support for the mutable annotations field (a long-standing request — hashicorp/terraform-provider-google#18309). Adding annotations to the DCL-generated resource was not feasible (DCL is frozen and its schema isn't vendored in magic-modules), so the resource is migrated to MMv1 first, following the established DCL→MMv1 migration path (e.g. eventarc, compute firewall policies, certificate template).

Details

  • products/apikeys/Key.yaml — async (LRO) create with keyId create param, update_mask PATCH, all existing fields preserved (name, display_name, project, service_account_email, restrictions, key_string, uid), plus the new annotations (KeyValueAnnotations).
  • key_string is not part of the Key GET response; it is fetched from the getKeyString sub-endpoint via a post_read custom-code hook, mirroring the previous DCL behavior.
  • Soft delete: a deleted API key keeps being returned by GET (with a deleteTime) until it is purged. A decoder treats such keys as gone so Terraform no longer sees a deleted key as dangling. Because the generated destroy check does a plain GET, the example uses exclude_test and a hand-written, soft-delete-aware acceptance test is provided instead.
  • deletion_policy parity is preserved automatically by MMv1's unified deletion policy (ABANDON/DELETE).
  • Removes the handwritten DCL files (resource, DCL client/types, meta, sweeper, generated test) and the handwritten website doc (now generated).

Testing

Acceptance test run against a real project (create → import → update annotations/display_name/restrictions → import → soft-delete-aware destroy):

--- PASS: TestAccApikeysKey_basic (44.88s)

Import round-trips all fields (annotations ignored on import, as with labels/effective_annotations). Full provider builds and vets clean.

Release Note

apikeys: added `annotations` field to `google_apikeys_key`

Reimplements google_apikeys_key as an MMv1 resource (products/apikeys/Key.yaml),
replacing the handwritten DCL implementation, and adds support for the mutable
`annotations` field.

The key_string is fetched from the getKeyString sub-endpoint via a post_read
custom-code hook (it is not part of the Key GET response). A decoder treats a
soft-deleted key -- which the API keeps returning from GET with a deleteTime set
until it is purged -- as gone, so Terraform no longer sees a deleted key as
dangling. deletion_policy parity is preserved by MMv1's unified deletion policy.
@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Jul 19, 2026
@github-actions
github-actions Bot requested a review from c2thorn July 19, 2026 04:35
@github-actions

Copy link
Copy Markdown

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@c2thorn, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

awaiting-approval Pull requests that need reviewer's approval to run presubmit tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants