diff --git a/.changelog/4575.txt b/.changelog/4575.txt
new file mode 100644
index 0000000000..64d410f4ac
--- /dev/null
+++ b/.changelog/4575.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+binaryauthorization: fixed permadiff in `google_binary_authorization_attestor`
+```
diff --git a/google-beta/resource_binary_authorization_attestor.go b/google-beta/resource_binary_authorization_attestor.go
index b0c0afb948..89861e4bbd 100644
--- a/google-beta/resource_binary_authorization_attestor.go
+++ b/google-beta/resource_binary_authorization_attestor.go
@@ -24,6 +24,34 @@ import (
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
+func compareSignatureAlgorithm(_, old, new string, _ *schema.ResourceData) bool {
+ // See https://cloud.google.com/binary-authorization/docs/reference/rest/v1/projects.attestors#signaturealgorithm
+ normalizedAlgorithms := map[string]string{
+ "ECDSA_P256_SHA256": "ECDSA_P256_SHA256",
+ "EC_SIGN_P256_SHA256": "ECDSA_P256_SHA256",
+ "ECDSA_P384_SHA384": "ECDSA_P384_SHA384",
+ "EC_SIGN_P384_SHA384": "ECDSA_P384_SHA384",
+ "ECDSA_P521_SHA512": "ECDSA_P521_SHA512",
+ "EC_SIGN_P521_SHA512": "ECDSA_P521_SHA512",
+ }
+
+ normalizedOld := old
+ normalizedNew := new
+
+ if normalized, ok := normalizedAlgorithms[old]; ok {
+ normalizedOld = normalized
+ }
+ if normalized, ok := normalizedAlgorithms[new]; ok {
+ normalizedNew = normalized
+ }
+
+ if normalizedNew == normalizedOld {
+ return true
+ }
+
+ return false
+}
+
 func resourceBinaryAuthorizationAttestor() *schema.Resource {
 return &schema.Resource{
 Create: resourceBinaryAuthorizationAttestorCreate,
diff --git a/google-beta/resource_binaryauthorization_attestor_test.go b/google-beta/resource_binaryauthorization_attestor_test.go
index db52341289..a4ddd21056 100644
--- a/google-beta/resource_binaryauthorization_attestor_test.go
+++ b/google-beta/resource_binaryauthorization_attestor_test.go
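Review bot: The tail of compareSignatureAlgorithm, `if normalizedNew == normalizedOld { return true }` followed by `return false`, collapses to `return normalizedOld == normalizedNew`, and the alias table is rebuilt as a map literal on every plan-time call, so hoisting it to a package-level var with a doc comment keeps the call allocation-free and gives one auditable place for the aliases (the three identity entries such as `"ECDSA_P256_SHA256": "ECDSA_P256_SHA256"` are redundant once the lookup falls back to the input). Keep the comparison an exact match over the aliases the linked reference documents: this function decides whether Terraform notices a change to the algorithm an attestor's public key is trusted under, so any looser normalization (prefix or case-insensitive matching) would silently hide drift in a signature-verification setting, whereas an unlisted alias only yields a permadiff, which fails safe. The hunk adds the helper but does not show the `DiffSuppressFunc:` wiring on the schema field, so that presumably lands elsewhere or is generated; worth confirming it is attached to the `signature_algorithm` field only.
```go
// signatureAlgorithmAliases maps the EC_SIGN_* spellings the API may return
// to the canonical ECDSA_* names. Keep this to documented aliases only; see
// https://cloud.google.com/binary-authorization/docs/reference/rest/v1/projects.attestors#signaturealgorithm
var signatureAlgorithmAliases = map[string]string{
	"EC_SIGN_P256_SHA256": "ECDSA_P256_SHA256",
	"EC_SIGN_P384_SHA384": "ECDSA_P384_SHA384",
	"EC_SIGN_P521_SHA512": "ECDSA_P521_SHA512",
}

// normalizeSignatureAlgorithm returns the canonical name for a documented
// alias and the input unchanged for every other value.
func normalizeSignatureAlgorithm(alg string) string {
	if canonical, ok := signatureAlgorithmAliases[alg]; ok {
		return canonical
	}
	return alg
}

// compareSignatureAlgorithm is a schema.SchemaDiffSuppressFunc that treats
// old and new as equal only when they name the same algorithm after alias
// normalization; unknown values must match exactly.
func compareSignatureAlgorithm(_, old, new string, _ *schema.ResourceData) bool {
	return normalizeSignatureAlgorithm(old) == normalizeSignatureAlgorithm(new)
}
```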
@@ -7,6 +7,50 @@ import (
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
 
+func TestSignatureAlgorithmDiffSuppress(t *testing.T) {
+ cases := map[string]struct {
+ Old, New string
+ ExpectDiffSuppress bool
+ }{
+ "ECDSA_P256 equivalent": {
+ Old: "ECDSA_P256_SHA256",
+ New: "EC_SIGN_P256_SHA256",
+ ExpectDiffSuppress: true,
+ },
+ "ECDSA_P384 equivalent": {
+ Old: "ECDSA_P384_SHA384",
+ New: "EC_SIGN_P384_SHA384",
+ ExpectDiffSuppress: true,
+ },
+ "ECDSA_P521 equivalent": {
+ Old: "ECDSA_P521_SHA512",
+ New: "EC_SIGN_P521_SHA512",
+ ExpectDiffSuppress: true,
+ },
+ "not equivalent 1": {
+ Old: "ECDSA_P256",
+ New: "EC_SIGN_P384_SHA384",
+ ExpectDiffSuppress: false,
+ },
+ "not equivalent 2": {
+ Old: "ECDSA_P384_SHA384",
+ New: "EC_SIGN_P521_SHA512",
+ ExpectDiffSuppress: false,
+ },
+ "not equivalent 3": {
+ Old: "ECDSA_P521_SHA512",
+ New: "EC_SIGN_P256_SHA256",
+ ExpectDiffSuppress: false,
+ },
+ }
+
+ for tn, tc := range cases {
+ if compareSignatureAlgorithm("signature_algorithm", tc.Old, tc.New, nil) != tc.ExpectDiffSuppress {
+ t.Errorf("bad: %s, %q => %q expect DiffSuppress to return %t", tn, tc.Old, tc.New, tc.ExpectDiffSuppress)
+ }
+ }
+}
+
 func TestAccBinaryAuthorizationAttestor_basic(t *testing.T) {
 t.Parallel()
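Review bot: The table in TestSignatureAlgorithmDiffSuppress covers the three alias pairs and three cross-curve mismatches, but no case pins the behaviours a diff-suppressor most needs to get right: identical spellings on both sides (must be suppressed), an empty old value against a set new value (must not be suppressed, otherwise adding or removing the algorithm is hidden from the plan), and an already-canonical value against another documented name that has no alias, such as the RSA values the linked reference lists, which should compare equal only when identical. The `"not equivalent 1"` case passes `ECDSA_P256`, which is not an API value, so it really exercises the unknown-value fallthrough and its name should say so. Suggested additional entries below; the loop body is unchanged, though wrapping it in `t.Run(tn, func(t *testing.T) { ... })` would report failures by case name.
```go
		"identical canonical spelling": {
			Old:                "ECDSA_P256_SHA256",
			New:                "ECDSA_P256_SHA256",
			ExpectDiffSuppress: true,
		},
		"unset old value is a real diff": {
			Old:                "",
			New:                "EC_SIGN_P256_SHA256",
			ExpectDiffSuppress: false,
		},
		"unknown value is not normalized": {
			Old:                "ECDSA_P256",
			New:                "EC_SIGN_P384_SHA384",
			ExpectDiffSuppress: false,
		},
		// … unchanged: remaining cases and the range loop …
```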