GoogleCloudPlatform · slevenick · Aug 11, 2020 · Aug 3, 2020 · Aug 10, 2020 · Aug 10, 2020
diff --git a/third_party/terraform/resources/resource_google_service_account_key.go b/third_party/terraform/resources/resource_google_service_account_key.go
@@ -52,6 +52,13 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 				ForceNew:     true,
 				ValidateFunc: validation.StringInSlice([]string{"TYPE_NONE", "TYPE_X509_PEM_FILE", "TYPE_RAW_PUBLIC_KEY"}, false),
 			},
+			"public_key_data": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"key_algorithm", "private_key_type"},
+				Description:   `A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM.`,
+			},
 			// Computed
 			"name": {
 				Type:        schema.TypeString,
@@ -103,14 +110,25 @@ func resourceGoogleServiceAccountKeyCreate(d *schema.ResourceData, meta interfac
 		return err
 	}
 
-	r := &iam.CreateServiceAccountKeyRequest{
-		KeyAlgorithm:   d.Get("key_algorithm").(string),
-		PrivateKeyType: d.Get("private_key_type").(string),
-	}
+	var sak *iam.ServiceAccountKey
 
-	sak, err := config.clientIAM.Projects.ServiceAccounts.Keys.Create(serviceAccountName, r).Do()
-	if err != nil {
-		return fmt.Errorf("Error creating service account key: %s", err)
+	if d.Get("public_key_data").(string) != "" {
+		ru := &iam.UploadServiceAccountKeyRequest{
+			PublicKeyData: d.Get("public_key_data").(string),
+		}
+		sak, err = config.clientIAM.Projects.ServiceAccounts.Keys.Upload(serviceAccountName, ru).Do()
+		if err != nil {
+			return fmt.Errorf("Error creating service account key: %s", err)
+		}
+	} else {
+		rc := &iam.CreateServiceAccountKeyRequest{
+			KeyAlgorithm:   d.Get("key_algorithm").(string),
+			PrivateKeyType: d.Get("private_key_type").(string),
+		}
+		sak, err = config.clientIAM.Projects.ServiceAccounts.Keys.Create(serviceAccountName, rc).Do()
+		if err != nil {
+			return fmt.Errorf("Error creating service account key: %s", err)
+		}
 	}
 
 	d.SetId(sak.Name)

diff --git a/third_party/terraform/tests/resource_google_service_account_key_test.go b/third_party/terraform/tests/resource_google_service_account_key_test.go
@@ -57,6 +57,30 @@ func TestAccServiceAccountKey_fromEmail(t *testing.T) {
 	})
 }
 
+func TestAccServiceAccountKey_fromCertificate(t *testing.T) {
+	t.Parallel()
+
+	resourceName := "google_service_account_key.acceptance"
+	accountID := "a" + randString(t, 10)
+	displayName := "Terraform Test"
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccServiceAccountKey_fromCertificate(accountID, displayName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleServiceAccountKeyExists(t, resourceName),
+					resource.TestCheckResourceAttrSet(resourceName, "public_key"),
+					resource.TestCheckResourceAttrSet(resourceName, "valid_after"),
+					resource.TestCheckResourceAttrSet(resourceName, "valid_before"),
+					resource.TestCheckResourceAttrSet(resourceName, "public_key"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckGoogleServiceAccountKeyExists(t *testing.T, r string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 
@@ -106,3 +130,17 @@ resource "google_service_account_key" "acceptance" {
 }
 `, account, name)
 }
+
+func testAccServiceAccountKey_fromCertificate(account, name string) string {
+	return fmt.Sprintf(`
+resource "google_service_account" "acceptance" {
+  account_id   = "%s"
+  display_name = "%s"
+}
+
+resource "google_service_account_key" "acceptance" {
+  service_account_id = google_service_account.acceptance.email
+  public_key_data    = filebase64("test-fixtures/serviceaccount/public_key.pem")
+}
+`, account, name)
+}
diff --git a/third_party/terraform/utils/test-fixtures/serviceaccount/public_key.pem b/third_party/terraform/utils/test-fixtures/serviceaccount/public_key.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnjCCAYYCCQD6STTBmcOGNTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZ1
+bnVzZWQwHhcNMjAwODEwMTExNzU0WhcNMzAwODA4MTExNzU0WjARMQ8wDQYDVQQD
+DAZ1bnVzZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAGCUQbs0l
+yyalBW4rBgWvU2awMXiVyQMOhWMQVMd99CgtY4Rzktj7qWnPiKe/daegyz40FXuq
+2Is8RThit4hx0RrdRFm8XXYpJjhHbIpCD/e5ukVMLNDIBqiMuFQI9naKcppuzOtL
+htj3zOQ54qXwe183lrg60RHoVR95Z1QqnCGkZcyECGJMuQBEaYyTnzf/nFba05uP
+LcZS1RHtdu5xfdDCrS9vDYA7R/3tvQ2erRvETSUFpMyIOxSMgZEBKhDhVfYqVh5T
+gSo3fJ5oXHozdqno2nf+MkE71moP4LbwqUGrSWK19kLcOGnGxWzLwcJWDTDlnU1S
+MC1y1T7GG+4dAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKZXsIoQ7CZhtb7GL7m6
+tVO/Q4WuL2D3sL0EYHpHWMUDFZ9aXeiNEaTJLYeaAkVQ80y+i1D2xaK42S/m94sd
+mq4UKy0sRN25brVXFGjhBNwk2iJlWPj9/ibttMLKMT2nxPWS+YQOCZXg5B60wUFD
+mmKkdsbZmrLe2VX2lHGvWuZF2ZFpx9wKcrLmQBhQ/1tZV7k8bf/JiWlGkQqDzwBZ
+m+xUNAUpu32QQwkNGUNte562KK9nzsbVD0qDBFcmh3sEirOgiU4ezEWdmbFhtcfH
+Q1lTZZ1oD38RmMNPnJUHY+b7W57TrsYO5inFjBwjYJ4plTUG12RSZ8nPz6whZTK6
+Gys=
+-----END CERTIFICATE-----
diff --git a/third_party/terraform/website/docs/r/google_service_account_key.html.markdown b/third_party/terraform/website/docs/r/google_service_account_key.html.markdown
@@ -64,6 +64,8 @@ Valid values are listed at
 
 * `private_key_type` (Optional) The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
 
+* `public_key_data` (Optional) Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `public_key_type` and `private_key_type`.
+
 ## Attributes Reference
 
 The following attributes are exported in addition to the arguments listed above: