From b9c43315aec511a6ecf27012c2633b34f9e72ef7 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Mon, 10 Aug 2020 12:24:58 +0100
Subject: [PATCH 1/2] enable uploading service account keys
---
 .../resource_google_service_account_key.go | 32 ++++++++++++----
 ...esource_google_service_account_key_test.go | 38 +++++++++++++++++++
 .../serviceaccount/private_key.pem | 28 ++++++++++++++
 .../serviceaccount/public_key.pem | 17 +++++++++
 .../google_service_account_key.html.markdown | 2 +
 5 files changed, 110 insertions(+), 7 deletions(-)
 create mode 100644 third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem
 create mode 100644 third_party/terraform/utils/test-fixtures/serviceaccount/public_key.pem
diff --git a/third_party/terraform/resources/resource_google_service_account_key.go b/third_party/terraform/resources/resource_google_service_account_key.go
index dc5d04b4a6cc..b15357499d80 100644
--- a/third_party/terraform/resources/resource_google_service_account_key.go
+++ b/third_party/terraform/resources/resource_google_service_account_key.go
@@ -52,6 +52,13 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 ForceNew: true,
 ValidateFunc: validation.StringInSlice([]string{"TYPE_NONE", "TYPE_X509_PEM_FILE", "TYPE_RAW_PUBLIC_KEY"}, false),
 },
+ "public_key_data": {
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ ConflictsWith: []string{"key_algorithm", "private_key_type"},
+ Description: `A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM.`,
+ },
 // Computed
 "name": {
 Type: schema.TypeString,
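Review bot: The new `public_key_data` entry has no client-side validation, so a value that is not base64 only fails at apply time inside the Upload call; adding `ValidateFunc: validation.StringIsBase64,` would reject it at plan time, assuming the vendored SDK version ships that validator. The `ConflictsWith` list names `key_algorithm` and `private_key_type`, while the documentation line added later in this patch says the field conflicts with `public_key_type` and `private_key_type`. One of the two should be corrected, and the schema looks like the intended one. The enclosing schema map starts and ends outside this hunk.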
@@ -103,14 +110,25 @@ func resourceGoogleServiceAccountKeyCreate(d *schema.ResourceData, meta interfac
 return err
 }
- r := &iam.CreateServiceAccountKeyRequest{
- KeyAlgorithm: d.Get("key_algorithm").(string),
- PrivateKeyType: d.Get("private_key_type").(string),
- }
+ var sak *iam.ServiceAccountKey
- sak, err := config.clientIAM.Projects.ServiceAccounts.Keys.Create(serviceAccountName, r).Do()
- if err != nil {
- return fmt.Errorf("Error creating service account key: %s", err)
+ if d.Get("public_key_data").(string) != "" {
+ ru := &iam.UploadServiceAccountKeyRequest{
+ PublicKeyData: d.Get("public_key_data").(string),
+ }
+ sak, err = config.clientIAM.Projects.ServiceAccounts.Keys.Upload(serviceAccountName, ru).Do()
+ if err != nil {
+ return fmt.Errorf("Error creating service account key: %s", err)
+ }
+ } else {
+ rc := &iam.CreateServiceAccountKeyRequest{
+ KeyAlgorithm: d.Get("key_algorithm").(string),
+ PrivateKeyType: d.Get("private_key_type").(string),
+ }
+ sak, err = config.clientIAM.Projects.ServiceAccounts.Keys.Create(serviceAccountName, rc).Do()
+ if err != nil {
+ return fmt.Errorf("Error creating service account key: %s", err)
+ }
 }
 d.SetId(sak.Name)
diff --git a/third_party/terraform/tests/resource_google_service_account_key_test.go b/third_party/terraform/tests/resource_google_service_account_key_test.go
index dbab8df45856..e720ea70b61a 100644
--- a/third_party/terraform/tests/resource_google_service_account_key_test.go
+++ b/third_party/terraform/tests/resource_google_service_account_key_test.go
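Review bot: Both branches of resourceGoogleServiceAccountKeyCreate return the same `Error creating service account key` message, so a rejected certificate upload cannot be told apart from a failed key generation in logs; the upload branch should use `return fmt.Errorf("Error uploading service account key: %s", err)`. `d.Get("public_key_data").(string)` is also evaluated twice, and `if v, ok := d.GetOk("public_key_data"); ok {` with `PublicKeyData: v.(string),` would read it once. An uploaded key comes back without private key material, so the code after `d.SetId(sak.Name)`, which lies outside this hunk, should be checked to cope with an empty private key rather than writing a misleading value to state.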
@@ -57,6 +57,30 @@ func TestAccServiceAccountKey_fromEmail(t *testing.T) {
 })
 }
+func TestAccServiceAccountKey_fromCertificate(t *testing.T) {
+ t.Parallel()
+
+ resourceName := "google_service_account_key.acceptance"
+ accountID := "a" + randString(t, 10)
+ displayName := "Terraform Test"
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccServiceAccountKey_fromCertificate(accountID, displayName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckGoogleServiceAccountKeyExists(t, resourceName),
+ resource.TestCheckResourceAttrSet(resourceName, "public_key"),
+ resource.TestCheckResourceAttrSet(resourceName, "valid_after"),
+ resource.TestCheckResourceAttrSet(resourceName, "valid_before"),
+ resource.TestCheckResourceAttrSet(resourceName, "public_key"),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckGoogleServiceAccountKeyExists(t *testing.T, r string) resource.TestCheckFunc {
 return func(s *terraform.State) error {
@@ -106,3 +130,17 @@ resource "google_service_account_key" "acceptance" {
 }
 `, account, name)
 }
+
+func testAccServiceAccountKey_fromCertificate(account, name string) string {
+ return fmt.Sprintf(`
+resource "google_service_account" "acceptance" {
+ account_id = "%s"
+ display_name = "%s"
+}
+
+resource "google_service_account_key" "acceptance" {
+ service_account_id = google_service_account.acceptance.email
+ public_key_data = filebase64("test-fixtures/serviceaccount/public_key.pem")
+}
+`, account, name)
+}
diff --git a/third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem b/third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem
new file mode 100644
index 000000000000..13bef8662000
--- /dev/null
+++ b/third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem
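Review bot: In TestAccServiceAccountKey_fromCertificate the check `resource.TestCheckResourceAttrSet(resourceName, "public_key")` appears twice, so the last entry adds no coverage. It was probably meant to assert a different attribute, for example `resource.TestCheckResourceAttrSet(resourceName, "name"),`. The test also asserts nothing specific to the upload path; it would be worth checking that `public_key_data` round-trips and that no private key material lands in state for an uploaded key.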
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDAGCUQbs0lyyal +BW4rBgWvU2awMXiVyQMOhWMQVMd99CgtY4Rzktj7qWnPiKe/daegyz40FXuq2Is8 +RThit4hx0RrdRFm8XXYpJjhHbIpCD/e5ukVMLNDIBqiMuFQI9naKcppuzOtLhtj3 +zOQ54qXwe183lrg60RHoVR95Z1QqnCGkZcyECGJMuQBEaYyTnzf/nFba05uPLcZS +1RHtdu5xfdDCrS9vDYA7R/3tvQ2erRvETSUFpMyIOxSMgZEBKhDhVfYqVh5TgSo3 +fJ5oXHozdqno2nf+MkE71moP4LbwqUGrSWK19kLcOGnGxWzLwcJWDTDlnU1SMC1y +1T7GG+4dAgMBAAECggEBAIO5CtF16V8dK2bFjoIaIxPS0PvJMLMln975QLEWMaYB +Ivvc3hqSfBA2X8RcJQt5FnWAaSs2ABNrYi72GHA5AmtpxE4ubIpqXHhjKPxxRW1/ +nZPSU2qk4JYJWtMEIzvyJd9SLuwDwOWNloJ2EZpP/RImx2hLBhHvA6SZmneZj3GX +ZlKKg9K4w4P8ER26N/oOO7F7VdNabuYuaEawPDvZu3M+Ze+H96nUtDhyrclzzxSN +YSw7jDXvSc0M3Rm2yAqtcXMZpWi5IGBpvOFqJrEoNRLIFHYmguin68C4mVbB/opT +d9XU+DoQitmPpmiwoQ1SQJTmVPVUpe3fXPUi4q+3gYECgYEA6HNWoiplrzRB05iA +sbUnHmUX5MTYyBQsjrhUdazYSXQLc8U4HADsJXZK2TUjgzhhZ2ktKlYm3nijCm+z +mdgIo/jpg229LPc5ZPXR49cdYoJDcauP0lBHQxNmXw5mtAeAFozgWViHqYH6ZHg4 +hQzje23NlQqOjTa1WN6l+zWKjmkCgYEA044oZhZ7Z2V7/7Rjxn8wRM6uDoTPIfOm +GuMSmyKq8/APlFlRwyUlFGw4mh0Nypu54zHVK6TgY7PpMNV8OOmeIdM85BslBkTp +qEE9T2LiItFGruVX/mPHd5p03KPaXZ6pgmGrd/kxOzY561/fijiSaWjzGxgjN2Zw +LFjxLFqTU5UCgYEA3lTTXDBpKfc1rwmCrnayf+P5wpp1Lon9RFUSk6tLBJa2DXlp +fX90XzCRzseAvBXFNH/o70GP0+JXL7g/dLqpKQz/bPIdq1Cb2PE2XFJ4jKxDjgmm +embGgmWf2PORUEiMPwVn4I1I1Ny5fjdu9/On8XrI0/FQ/8iAFAyBfZFsgWECgYEA +gGhiBw0QXEMSD7QLd7lNsAYPSgq8uuvr35gCfB1/zE7i9fV9Fkjeh9XkSU7nRxpc +qxVdQX9zH7FdEmISY20RqZBQ/lenknWTqafnsd7gSafjEldsoKEpumQLGL1v1rFu +TBBChrC/fCQ+5aoswfXykH6+SKzO+1p3LcPSp0xW7j0CgYBzuELERQaReX+vBLoj +Ud9tY2tR5RvgjUEMqNspP5hTuOu+7c8wtZ/V1AClIm4QX/vCZ/8UhEZTbrY5Xs1m +jwoOudFSnibe9Ryzfq93i05Z5JFDopHi/Fw33jZ92SCk6DXd1VRZ6b5e4AJ+G/Xf +bjVY0QEN+XLc/h9XJ3h9oJtFRg== +-----END PRIVATE KEY----- diff --git a/third_party/terraform/utils/test-fixtures/serviceaccount/public_key.pem b/third_party/terraform/utils/test-fixtures/serviceaccount/public_key.pem new file mode 100644 index 000000000000..033abb616325 --- /dev/null 
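Review bot: private_key.pem commits the RSA private key whose modulus matches the certificate in public_key.pem, yet nothing in the patch reads it; the acceptance config only references `public_key.pem`. PATCH 2/2 deletes the file, but it stays in history unless the series is squashed, and the certificate the test uploads then has a publicly known private key, so credentials for the test service account are effectively public for as long as that key exists. Safer options are to generate the key pair at test time, or to commit only a certificate whose private key was discarded, and to make sure the test account is granted no roles.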
+++ b/third_party/terraform/utils/test-fixtures/serviceaccount/public_key.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICnjCCAYYCCQD6STTBmcOGNTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZ1 +bnVzZWQwHhcNMjAwODEwMTExNzU0WhcNMzAwODA4MTExNzU0WjARMQ8wDQYDVQQD +DAZ1bnVzZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAGCUQbs0l +yyalBW4rBgWvU2awMXiVyQMOhWMQVMd99CgtY4Rzktj7qWnPiKe/daegyz40FXuq +2Is8RThit4hx0RrdRFm8XXYpJjhHbIpCD/e5ukVMLNDIBqiMuFQI9naKcppuzOtL +htj3zOQ54qXwe183lrg60RHoVR95Z1QqnCGkZcyECGJMuQBEaYyTnzf/nFba05uP +LcZS1RHtdu5xfdDCrS9vDYA7R/3tvQ2erRvETSUFpMyIOxSMgZEBKhDhVfYqVh5T +gSo3fJ5oXHozdqno2nf+MkE71moP4LbwqUGrSWK19kLcOGnGxWzLwcJWDTDlnU1S +MC1y1T7GG+4dAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKZXsIoQ7CZhtb7GL7m6 +tVO/Q4WuL2D3sL0EYHpHWMUDFZ9aXeiNEaTJLYeaAkVQ80y+i1D2xaK42S/m94sd +mq4UKy0sRN25brVXFGjhBNwk2iJlWPj9/ibttMLKMT2nxPWS+YQOCZXg5B60wUFD +mmKkdsbZmrLe2VX2lHGvWuZF2ZFpx9wKcrLmQBhQ/1tZV7k8bf/JiWlGkQqDzwBZ +m+xUNAUpu32QQwkNGUNte562KK9nzsbVD0qDBFcmh3sEirOgiU4ezEWdmbFhtcfH +Q1lTZZ1oD38RmMNPnJUHY+b7W57TrsYO5inFjBwjYJ4plTUG12RSZ8nPz6whZTK6 +Gys= +-----END CERTIFICATE----- diff --git a/third_party/terraform/website/docs/r/google_service_account_key.html.markdown b/third_party/terraform/website/docs/r/google_service_account_key.html.markdown index 974608205668..d2d44778a88a 100644 --- a/third_party/terraform/website/docs/r/google_service_account_key.html.markdown +++ b/third_party/terraform/website/docs/r/google_service_account_key.html.markdown @@ -64,6 +64,8 @@ Valid values are listed at * `private_key_type` (Optional) The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format. +* `public_key_data` (Optional) Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `public_key_type` and `private_key_type`. + ## Attributes Reference The following attributes are exported in addition to the arguments listed above: 
From 9741e64af5c85e0ca9c9e80f491c50d8ce9ecee7 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Tue, 11 Aug 2020 21:37:38 +0100
Subject: [PATCH 2/2] remove service account key
---
 .../serviceaccount/private_key.pem | 28 -------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem
diff --git a/third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem b/third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem
deleted file mode 100644
index 13bef8662000..000000000000
--- a/third_party/terraform/utils/test-fixtures/serviceaccount/private_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDAGCUQbs0lyyal -BW4rBgWvU2awMXiVyQMOhWMQVMd99CgtY4Rzktj7qWnPiKe/daegyz40FXuq2Is8 -RThit4hx0RrdRFm8XXYpJjhHbIpCD/e5ukVMLNDIBqiMuFQI9naKcppuzOtLhtj3 -zOQ54qXwe183lrg60RHoVR95Z1QqnCGkZcyECGJMuQBEaYyTnzf/nFba05uPLcZS -1RHtdu5xfdDCrS9vDYA7R/3tvQ2erRvETSUFpMyIOxSMgZEBKhDhVfYqVh5TgSo3 -fJ5oXHozdqno2nf+MkE71moP4LbwqUGrSWK19kLcOGnGxWzLwcJWDTDlnU1SMC1y -1T7GG+4dAgMBAAECggEBAIO5CtF16V8dK2bFjoIaIxPS0PvJMLMln975QLEWMaYB -Ivvc3hqSfBA2X8RcJQt5FnWAaSs2ABNrYi72GHA5AmtpxE4ubIpqXHhjKPxxRW1/ -nZPSU2qk4JYJWtMEIzvyJd9SLuwDwOWNloJ2EZpP/RImx2hLBhHvA6SZmneZj3GX -ZlKKg9K4w4P8ER26N/oOO7F7VdNabuYuaEawPDvZu3M+Ze+H96nUtDhyrclzzxSN -YSw7jDXvSc0M3Rm2yAqtcXMZpWi5IGBpvOFqJrEoNRLIFHYmguin68C4mVbB/opT -d9XU+DoQitmPpmiwoQ1SQJTmVPVUpe3fXPUi4q+3gYECgYEA6HNWoiplrzRB05iA -sbUnHmUX5MTYyBQsjrhUdazYSXQLc8U4HADsJXZK2TUjgzhhZ2ktKlYm3nijCm+z -mdgIo/jpg229LPc5ZPXR49cdYoJDcauP0lBHQxNmXw5mtAeAFozgWViHqYH6ZHg4 -hQzje23NlQqOjTa1WN6l+zWKjmkCgYEA044oZhZ7Z2V7/7Rjxn8wRM6uDoTPIfOm -GuMSmyKq8/APlFlRwyUlFGw4mh0Nypu54zHVK6TgY7PpMNV8OOmeIdM85BslBkTp -qEE9T2LiItFGruVX/mPHd5p03KPaXZ6pgmGrd/kxOzY561/fijiSaWjzGxgjN2Zw -LFjxLFqTU5UCgYEA3lTTXDBpKfc1rwmCrnayf+P5wpp1Lon9RFUSk6tLBJa2DXlp -fX90XzCRzseAvBXFNH/o70GP0+JXL7g/dLqpKQz/bPIdq1Cb2PE2XFJ4jKxDjgmm -embGgmWf2PORUEiMPwVn4I1I1Ny5fjdu9/On8XrI0/FQ/8iAFAyBfZFsgWECgYEA -gGhiBw0QXEMSD7QLd7lNsAYPSgq8uuvr35gCfB1/zE7i9fV9Fkjeh9XkSU7nRxpc -qxVdQX9zH7FdEmISY20RqZBQ/lenknWTqafnsd7gSafjEldsoKEpumQLGL1v1rFu -TBBChrC/fCQ+5aoswfXykH6+SKzO+1p3LcPSp0xW7j0CgYBzuELERQaReX+vBLoj -Ud9tY2tR5RvgjUEMqNspP5hTuOu+7c8wtZ/V1AClIm4QX/vCZ/8UhEZTbrY5Xs1m -jwoOudFSnibe9Ryzfq93i05Z5JFDopHi/Fw33jZ92SCk6DXd1VRZ6b5e4AJ+G/Xf -bjVY0QEN+XLc/h9XJ3h9oJtFRg== ------END PRIVATE KEY-----