cloudfunctions: allow to configure trigger_http security level

[gomezjdaniel]

Current provider doesn't allow to create an only-HTTPS-triggered function.

• This is not a backwards compatible change
• Possible values are SECURE_OPTIONAL (http/s) and SECURE_ALWAYS (https)

Relates to #8465

[slevenick]

Unfortunately we won't be able to accept this change.

This would be a breaking change because changing the type of this field from Bool -> String will break existing user's configs if they define this field as a boolean. This is possible to do in a major version of the provider, but unlikely to be something we would do.

I think the better approach would be to add a new optional field that controls this setting

[gomezjdaniel]

@slevenick got it.

I then added a new security_level field as #8465 suggests :)

In case everything is good, I will squash commits afterwards.

Also note cloudfunctions.HttpsTrigger.SecurityLevel possible values are ["SECURITY_LEVEL_UNSPECIFIED", "SECURE_ALWAYS", "SECURE_OPTIONAL"] but I omit the unspecified one.

[slevenick]

@slevenick got it.

I then added a new security_level field as #8465 suggests :)

In case everything is good, I will squash commits afterwards.

Also note cloudfunctions.HttpsTrigger.SecurityLevel possible values are ["SECURITY_LEVEL_UNSPECIFIED", "SECURE_ALWAYS", "SECURE_OPTIONAL"] but I omit the unspecified one.

I don't think we can include RequiredWith: []string{"trigger_http"}, as that would also make this change backwards incompatible. If the change would cause an existing config to fail it is considered breaking and would not be allowed until a major version of the provider.

Removing that should make this feasible at the cost of some validation

[gomezjdaniel]

My wrong @slevenick, I was trying to make trigger_http a required field in case security_level was set. Otherwise the http trigger would be enabled with either only of the previous fields being set which would make it confusing in my opinion.

Please check my latest commit ;).

[gomezjdaniel]

Ping @slevenick

[slevenick]

I've upstreamed this to our code generator so it can be replicated across the google and google-beta providers.

We will need docs describing this new field before we can merge this, can you add that? It would go into this file: https://github.com/hashicorp/terraform-provider-google/blob/master/website/docs/r/cloudfunctions_function.html.markdown

[gomezjdaniel]

Sure, there you go ;). I also fixed a typo in the code.

[slevenick]

So it looks like RequiredWith causes the dependency both ways:

Error: RequiredWith
on terraform_plugin_test.tf line 20, in resource "google_cloudfunctions_function" "function":
20:   trigger_http          = true
"trigger_http": all of `security_level,trigger_http` must be specified

which may make this a breaking change. We will likely have to remove that RequiredWith validation