fix key value for cloud cdn to issue signed urls
Fixed key value for cloud cdn to issue signed urls.
When creating a signed URL for CloudCDN, I used random_id b64_url.
google_compute_backend_bucket_signed_url_key | Resources | hashicorp/google | Terraform Registry
```hcl
resource "random_id" "url_signature" {
  byte_length = 16
}

resource "google_compute_backend_bucket_signed_url_key" "backend_key" {
  name           = "test-key"
  key_value      = random_id.url_signature.b64_url
  backend_bucket = google_compute_backend_bucket.test_backend.name
}
```
I have confirmed that this works.
However, when I created them from the Google Cloud console or gcloud command, the keys created were URL safe, base64 encoded, and padded with =.
Furthermore, the official Google Cloud sample code assumes padded keys, so I could not use the keys created with b64_url without modification. In addition, when I tried to create a signed URL using the gcloud compute sign-url command, an error occurred because it used a key without padding.
failed gcloud command

```
> gcloud compute sign-url \
    "https://example.com/test.png" \
    --key-name test-key \
    --key-file key-file \
    --expires-in 5m \
    --validate
ERROR: gcloud crashed (Error): Incorrect padding
If you would like to report this issue, please run the following command:
  gcloud feedback
To check gcloud for common problems, please run the following command:
  gcloud info --run-diagnostics
```
fixed google cloud sample code for golang Use signed URLs | Cloud CDN | Google Cloud
// readKeyFile reads the base64url-encoded key file and decodes it.
func readKeyFile(path string) ([]byte, error) {
b, err := ioutil.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("failed to read key file: %+v", err)
}
- d := make([]byte, base64.URLEncoding.DecodedLen(len(b)))
- n, err := base64.URLEncoding.Decode(d, b)
+ d := make([]byte, base64.RawURLEncoding.DecodedLen(len(b)))
+ n, err := base64.RawURLEncoding.Decode(d, b)
if err != nil {
return nil, fmt.Errorf("failed to base64url decode: %+v", err)
}
return d[:n], nil
}
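Review bot: with `base64.RawURLEncoding` on the two `+` lines, `readKeyFile` rejects key files that carry `=` padding, which is the form the description says the console and gcloud create, so the sample trades one failure for the other. Consider trimming trailing `=` from `b` before decoding with `RawURLEncoding` so both forms are accepted, and extend the function comment to say which forms are valid.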
Therefore, for Cloud CDN key values, base64 url safe and padding with = is desirable, but currently random_id does not provide such output. One of the outputs of random_id, b64_std, is not url safe, but it is base64 encoded with = padding. So I modified the code to take advantage of this and use the replace function to convert it to url safe.
```hcl
key_value = replace(replace(random_id.url_signature.b64_std, "+", "-"), "/", "_")
```

I have confirmed by looking at the implementation in the random_id repository (hashicorp/terraform-provider-random) that b64_url and b64_std are implemented in Go as follows:
https://github.com/hashicorp/terraform-provider-random/blob/7b934142db2bb3569fa324df4409bb6c6dc69ec3/internal/provider/resource_id.go#L143-L161
```go
b64Std := base64.StdEncoding.EncodeToString(bytes)
id := base64.RawURLEncoding.EncodeToString(bytes)
...
B64URL: types.StringValue(prefix + id),
```
I think that base64.URLEncoding.EncodeToString(bytes) is suitable in this case, not base64.RawURLEncoding.EncodeToString(bytes).
So I think that we need to add the output to random_id. (Actually, I have issued a PR regarding this.)
If this PR is for Terraform, I acknowledge that I have:
- [x] Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
- [x] Generated Terraform, and ran `make test` and `make lint` to ensure it passes unit and linter tests.
- [x] Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
- [ ] Ran relevant acceptance tests (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
- [x] Read the Release Notes Guide before writing my release note below.
Release Note Template for Downstream PRs (will be copied)
Fix key value for cloud cdn to issue signed urls
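The padding mismatch described in this PR, as an added Go example (not code from the PR, the random provider, or Google's sample): it encodes one constructed 16-byte key in the three forms discussed and decodes it with a reader that accepts base64url with or without `=`. The names `sampleKey`, `Encodings`, `StdToPaddedURL` and `DecodeKey` are hypothetical, and the 16-byte length check follows the `byte_length = 16` used above.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// sampleKey is a constructed 16-byte key (not a real secret). Its first three
// bytes encode to "++//" in standard base64, so the URL-safe mapping is visible.
var sampleKey = append([]byte{0xfb, 0xef, 0xff}, bytes.Repeat([]byte{0x2a}, 13)...)

// Encodings returns the three forms of a key discussed in the thread.
func Encodings(key []byte) (std, rawURL, paddedURL string) {
	std = base64.StdEncoding.EncodeToString(key)       // random_id b64_std
	rawURL = base64.RawURLEncoding.EncodeToString(key) // random_id b64_url
	paddedURL = base64.URLEncoding.EncodeToString(key) // URL safe with "=" padding
	return
}

// StdToPaddedURL mirrors the PR's Terraform expression
// replace(replace(b64_std, "+", "-"), "/", "_").
func StdToPaddedURL(std string) string {
	return strings.NewReplacer("+", "-", "/", "_").Replace(std)
}

// DecodeKey (hypothetical helper) accepts a base64url key with or without
// "=" padding and enforces the 16-byte length used on this page.
func DecodeKey(s string) ([]byte, error) {
	s = strings.TrimRight(strings.TrimSpace(s), "=")
	key, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("key is not base64url: %w", err)
	}
	if len(key) != 16 {
		return nil, fmt.Errorf("key is %d bytes, want 16", len(key))
	}
	return key, nil
}

func main() {
	std, raw, padded := Encodings(sampleKey)
	fmt.Println(std, raw, padded, StdToPaddedURL(std) == padded)
	_, strictErr := base64.URLEncoding.DecodeString(raw) // padded decoder, unpadded input
	k, err := DecodeKey(raw)
	fmt.Println(strictErr != nil, err == nil && bytes.Equal(k, sampleKey))
}
```
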
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
Oops! It looks like you're using an unknown release-note type in your changelog entries:
- REPLACEME
Please only use the types listed in https://github.com/GoogleCloudPlatform/magic-modules/blob/master/.ci/RELEASE_NOTES_GUIDE.md.
Hello! I am a robot who works on Magic Modules PRs.
I've detected that you're a community contributor. @roaks3, a repository maintainer, has been assigned to assist you and help review your changes.
Your assigned reviewer will help review your code by:
- Ensuring it's backwards compatible, covers common error cases, etc.
- Summarizing the change into a user-facing changelog note.
- Passes tests, either our "VCR" suite, a set of presubmit tests, or with manual test runs.
You can help make sure that review is quick by running local tests and ensuring they're passing in between each push you make to your PR's branch. Also, try to leave a comment with each push you make, as pushes generally don't generate emails.
If your reviewer doesn't get back to you within a week after your most recent change, please feel free to leave a comment on the issue asking them to take a look! In the absence of a dedicated review dashboard most maintainers manage their pending reviews through email, and those will sometimes get lost in their inbox.
Hi there, I'm the Modular magician. I've detected the following information about your changes:
Diff report
Your PR generated some diffs in downstreams - here they are.
Terraform GA: Diff ( 2 files changed, 2 insertions(+), 2 deletions(-))
Terraform Beta: Diff ( 2 files changed, 2 insertions(+), 2 deletions(-))
TF Validator: Diff ( 2 files changed, 3 insertions(+), 3 deletions(-))
Hi @BIwashi , this is great info that you've provided! Normally, we would capture the problem in an issue, so that it is searchable by other people, and we can determine a proper solution from there. Would you mind creating an issue for this (I think a lot of the information you have here could be copy-and-pasted): https://github.com/hashicorp/terraform-provider-google/issues
I can follow up with a comment on that issue, but from what I'm seeing in the PR, this change seems reasonable to make. Note that it is a documentation-only change to two of our examples, and I would like to confirm that the existing example is not working before suggesting this solution to users.
Hi @roaks3, thank you for replying!!
I added an issue to https://github.com/hashicorp/terraform-provider-google/issues/13584, and I also added debugging logs for terraform apply and gcloud compute sign-url.
If there is other work I should be doing, let me know…!
@GoogleCloudPlatform/terraform-team This PR has been waiting for review for 3 weeks. Please take a look! Use the label disable-review-reminders to disable these notifications.
Per https://github.com/hashicorp/terraform-provider-google/issues/13584#issuecomment-2314568353, we probably won't need this now that gcloud has been updated, but I will leave it open for just a bit longer to confirm.
I'm gonna close this preemptively since we can always reopen it, it'll remain linked from the issue for discoverability.