From 2f94236bb764a0ece3abb9d1f29c6c83ff915dd1 Mon Sep 17 00:00:00 2001
From: The Magician <magic-modules@google.com>
Date: Wed, 29 May 2019 15:38:51 -0700
Subject: [PATCH] fix dnssec test (#777)

Signed-off-by: Modular Magician <magic-modules@google.com>
---
 google-beta/resource_dns_managed_zone.go      |  2 +
 google-beta/resource_dns_managed_zone_test.go | 87 +++++++++++++++++--
 website/docs/r/dns_managed_zone.html.markdown |  5 +-
 3 files changed, 84 insertions(+), 10 deletions(-)

diff --git a/google-beta/resource_dns_managed_zone.go b/google-beta/resource_dns_managed_zone.go
index 027fbaa10fd..f7feb42d9ad 100644
--- a/google-beta/resource_dns_managed_zone.go
+++ b/google-beta/resource_dns_managed_zone.go
@@ -69,6 +69,7 @@ func resourceDnsManagedZone() *schema.Resource {
 					Schema: map[string]*schema.Schema{
 						"default_key_specs": {
 							Type:     schema.TypeList,
+							Computed: true,
 							Optional: true,
 							ForceNew: true,
 							Elem: &schema.Resource{
@@ -107,6 +108,7 @@ func resourceDnsManagedZone() *schema.Resource {
 						},
 						"non_existence": {
 							Type:         schema.TypeString,
+							Computed:     true,
 							Optional:     true,
 							ForceNew:     true,
 							ValidateFunc: validation.StringInSlice([]string{"nsec", "nsec3", ""}, false),
diff --git a/google-beta/resource_dns_managed_zone_test.go b/google-beta/resource_dns_managed_zone_test.go
index 946e4206fa6..82d8c73e429 100644
--- a/google-beta/resource_dns_managed_zone_test.go
+++ b/google-beta/resource_dns_managed_zone_test.go
@@ -67,6 +67,51 @@ func TestAccDnsManagedZone_privateUpdate(t *testing.T) {
 		},
 	})
 }
+
+func TestAccDnsManagedZone_dnssec_on(t *testing.T) {
+	t.Parallel()
+
+	zoneSuffix := acctest.RandString(10)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckDnsManagedZoneDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDnsManagedZone_dnssec_on(zoneSuffix),
+			},
+			{
+				ResourceName:      "google_dns_managed_zone.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccDnsManagedZone_dnssec_off(t *testing.T) {
+	t.Parallel()
+
+	zoneSuffix := acctest.RandString(10)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckDnsManagedZoneDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDnsManagedZone_dnssec_off(zoneSuffix),
+			},
+			{
+				ResourceName:      "google_dns_managed_zone.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccDnsManagedZone_privateForwardingUpdate(t *testing.T) {
 	t.Parallel()
 
@@ -111,6 +156,40 @@ resource "google_dns_managed_zone" "foobar" {
 }`, suffix, suffix, description)
 }
 
+func testAccDnsManagedZone_dnssec_on(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_dns_managed_zone" "foobar" {
+  name     = "mzone-test-%s"
+  dns_name = "tf-acctest-%s.hashicorptest.com."
+
+  dnssec_config {
+    state = "on"
+    default_key_specs {
+      algorithm  = "rsasha256"
+      key_length = "2048"
+      key_type   = "zoneSigning"
+    }
+    default_key_specs {
+      algorithm  = "rsasha256"
+      key_length = "2048"
+      key_type   = "keySigning"
+    }
+  }
+}`, suffix, suffix)
+}
+
+func testAccDnsManagedZone_dnssec_off(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_dns_managed_zone" "foobar" {
+  name     = "mzone-test-%s"
+  dns_name = "tf-acctest-%s.hashicorptest.com."
+
+  dnssec_config {
+    state = "off"
+  }
+}`, suffix, suffix)
+}
+
 func testAccDnsManagedZone_privateUpdate(suffix, first_network, second_network string) string {
 	return fmt.Sprintf(`
 resource "google_dns_managed_zone" "private" {
@@ -125,14 +204,6 @@ resource "google_dns_managed_zone" "private" {
     networks {
       network_url = "${google_compute_network.%s.self_link}"
     }
-    dnssec_config {
-      state             = "on"
-      default_key_specs {
-        algorithm       = "rsasha1"
-        key_length      = "128"
-        key_type        = "zoneSigning"
-      }
-    }
   }
 }
 
diff --git a/website/docs/r/dns_managed_zone.html.markdown b/website/docs/r/dns_managed_zone.html.markdown
index 4774d6df0e5..169b2499143 100644
--- a/website/docs/r/dns_managed_zone.html.markdown
+++ b/website/docs/r/dns_managed_zone.html.markdown
@@ -254,7 +254,7 @@ The `dnssec_config` block supports:
 
 * `non_existence` -
   (Optional)
-  Specifies the mechanism used to provide authenticated denial-of-existence responses. Output only while state is not OFF.
+  Specifies the mechanism used to provide authenticated denial-of-existence responses.
 
 * `state` -
   (Optional)
@@ -263,7 +263,8 @@ The `dnssec_config` block supports:
 * `default_key_specs` -
   (Optional)
   Specifies parameters that will be used for generating initial DnsKeys
-  for this ManagedZone. Output only while state is not OFF  Structure is documented below.
+  for this ManagedZone. If you provide a spec for keySigning or zoneSigning,
+  you must also provide one for the other.  Structure is documented below.
 
 
 The `default_key_specs` block supports: