Add additional_group_keys attribute to `google_cloud_identity_group…

…` resource (hashicorp#9217) (hashicorp#16250)

* Add `additional_group_keys` attribute to `google_cloud_identity_group` resource

* Update acceptance test to check for attribute

* Fix test check

* Add `output: true` to nested properties in output field
[upstream:49d3741f9d4d810a0a4768363bb8498afa21c688]

Signed-off-by: Modular Magician <magic-modules@google.com>

.changelog/9217.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+cloudidentity: Added `additional_group_keys` attribute to `google_cloud_identity_group` resource
+```

google/services/cloudidentity/resource_cloud_identity_group.go

@@ -134,6 +134,40 @@ See the
 for possible values. Default value: "EMPTY" Possible values: ["INITIAL_GROUP_CONFIG_UNSPECIFIED", "WITH_INITIAL_OWNER", "EMPTY"]`,
 				Default: "EMPTY",
 			},
+			"additional_group_keys": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: `Additional group keys associated with the Group`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:     schema.TypeString,
+							Computed: true,
+							Description: `The ID of the entity.
+
+For Google-managed entities, the id must be the email address of an existing
+group or user.
+
+For external-identity-mapped entities, the id must be a string conforming
+to the Identity Source's requirements.
+
+Must be unique within a namespace.`,
+						},
+						"namespace": {
+							Type:     schema.TypeString,
+							Computed: true,
+							Description: `The namespace in which the entity exists.
+
+If not specified, the EntityKey represents a Google-managed entity
+such as a Google user or a Google Group.
+
+If specified, the EntityKey represents an external-identity-mapped group.
+The namespace must correspond to an identity source created in Admin Console
+and must be in the form of 'identitysources/{identity_source_id}'.`,
+						},
+					},
+				},
+			},
 			"create_time": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -338,6 +372,9 @@ func resourceCloudIdentityGroupRead(d *schema.ResourceData, meta interface{}) er
 	if err := d.Set("description", flattenCloudIdentityGroupDescription(res["description"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Group: %s", err)
 	}
+	if err := d.Set("additional_group_keys", flattenCloudIdentityGroupAdditionalGroupKeys(res["additionalGroupKeys"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Group: %s", err)
+	}
 	if err := d.Set("create_time", flattenCloudIdentityGroupCreateTime(res["createTime"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Group: %s", err)
 	}
@@ -542,6 +579,33 @@ func flattenCloudIdentityGroupDescription(v interface{}, d *schema.ResourceData,
 	return v
 }
 
+func flattenCloudIdentityGroupAdditionalGroupKeys(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed = append(transformed, map[string]interface{}{
+			"id":        flattenCloudIdentityGroupAdditionalGroupKeysId(original["id"], d, config),
+			"namespace": flattenCloudIdentityGroupAdditionalGroupKeysNamespace(original["namespace"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenCloudIdentityGroupAdditionalGroupKeysId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenCloudIdentityGroupAdditionalGroupKeysNamespace(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenCloudIdentityGroupCreateTime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }

google/services/cloudidentity/resource_cloud_identity_group_test.go

@@ -101,6 +101,10 @@ func testAccCloudIdentityGroup_cloudIdentityGroupsBasicExampleTest(t *testing.T)
 		Steps: []resource.TestStep{
 			{
 				Config: testAccCloudIdentityGroup_cloudIdentityGroupsBasicExample(context),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("google_cloud_identity_group.cloud_identity_group_basic",
+						"additional_group_keys.#"),
+				),
 			},
 			{
 				ResourceName:            "google_cloud_identity_group.cloud_identity_group_basic",

website/docs/r/cloud_identity_group.html.markdown

@@ -132,13 +132,37 @@ In addition to the arguments listed above, the following computed attributes are
   Resource name of the Group in the format: groups/{group_id}, where group_id
   is the unique ID assigned to the Group.
 
+* `additional_group_keys` -
+  Additional group keys associated with the Group
+  Structure is [documented below](#nested_additional_group_keys).
+
 * `create_time` -
   The time when the Group was created.
 
 * `update_time` -
   The time when the Group was last updated.
 
 
+<a name="nested_additional_group_keys"></a>The `additional_group_keys` block contains:
+
+* `id` -
+  (Output)
+  The ID of the entity.
+  For Google-managed entities, the id must be the email address of an existing
+  group or user.
+  For external-identity-mapped entities, the id must be a string conforming
+  to the Identity Source's requirements.
+  Must be unique within a namespace.
+
+* `namespace` -
+  (Output)
+  The namespace in which the entity exists.
+  If not specified, the EntityKey represents a Google-managed entity
+  such as a Google user or a Google Group.
+  If specified, the EntityKey represents an external-identity-mapped group.
+  The namespace must correspond to an identity source created in Admin Console
+  and must be in the form of `identitysources/{identity_source_id}`.
+
 ## Timeouts
 
 This resource provides the following