[datadog_observability_pipeline] make google auth optional (#3332)

datadog_observability_pipeline: make google auth optional

update cassettes

bump API client

update docs

update docs

Co-authored-by: May Lee <[email protected]>

update docs

Co-authored-by: May Lee <[email protected]>

correct docs

Co-authored-by: vladimir.zhuk <[email protected]>

Author: vladimir-dd

datadog/fwprovider/resource_datadog_observability_pipeline.go

@@ -458,7 +458,7 @@ type gcsDestinationModel struct {
 	KeyPrefix    types.String    `tfsdk:"key_prefix"`
 	StorageClass types.String    `tfsdk:"storage_class"`
 	Acl          types.String    `tfsdk:"acl"`
-	Auth         gcpAuthModel    `tfsdk:"auth"`
+	Auth         *gcpAuthModel   `tfsdk:"auth"`
 	Metadata     []metadataEntry `tfsdk:"metadata"`
 }
 
@@ -978,16 +978,8 @@ func (r *observabilityPipelineResource) Schema(_ context.Context, _ resource.Sch
 										},
 									},
 									Blocks: map[string]schema.Block{
-										"auth": schema.SingleNestedBlock{
-											Description: "GCP credentials used to authenticate with Google Cloud Storage.",
-											Attributes: map[string]schema.Attribute{
-												"credentials_file": schema.StringAttribute{
-													Required:    true,
-													Description: "Path to the GCP service account key file.",
-												},
-											},
-										},
-										"tls": tlsSchema(),
+										"auth": gcpAuthSchema(),
+										"tls":  tlsSchema(),
 									},
 								},
 							},
@@ -1893,20 +1885,12 @@ func (r *observabilityPipelineResource) Schema(_ context.Context, _ resource.Sch
 											Description: "Storage class used for objects stored in GCS.",
 										},
 										"acl": schema.StringAttribute{
-											Required:    true,
+											Optional:    true,
 											Description: "Access control list setting for objects written to the bucket.",
 										},
 									},
 									Blocks: map[string]schema.Block{
-										"auth": schema.SingleNestedBlock{
-											Description: "GCP credentials used to authenticate with Google Cloud Storage.",
-											Attributes: map[string]schema.Attribute{
-												"credentials_file": schema.StringAttribute{
-													Required:    true,
-													Description: "Path to the GCP service account key file.",
-												},
-											},
-										},
+										"auth": gcpAuthSchema(),
 										"metadata": schema.ListNestedBlock{
 											Description: "Custom metadata key-value pairs added to each object.",
 											NestedObject: schema.NestedBlockObject{
@@ -1952,16 +1936,8 @@ func (r *observabilityPipelineResource) Schema(_ context.Context, _ resource.Sch
 										},
 									},
 									Blocks: map[string]schema.Block{
-										"auth": schema.SingleNestedBlock{
-											Description: "GCP credentials used to authenticate with Google Cloud Pub/Sub.",
-											Attributes: map[string]schema.Attribute{
-												"credentials_file": schema.StringAttribute{
-													Optional:    true,
-													Description: "Path to the GCP service account key file.",
-												},
-											},
-										},
-										"tls": tlsSchema(),
+										"auth": gcpAuthSchema(),
+										"tls":  tlsSchema(),
 									},
 								},
 							},
@@ -2265,15 +2241,7 @@ func (r *observabilityPipelineResource) Schema(_ context.Context, _ resource.Sch
 										},
 									},
 									Blocks: map[string]schema.Block{
-										"auth": schema.SingleNestedBlock{
-											Description: "GCP credentials used to authenticate with Google Cloud Storage.",
-											Attributes: map[string]schema.Attribute{
-												"credentials_file": schema.StringAttribute{
-													Optional:    true,
-													Description: "Path to the GCP service account key file.",
-												},
-											},
-										},
+										"auth": gcpAuthSchema(),
 									},
 								},
 							},
@@ -2349,6 +2317,40 @@ func tlsSchema() schema.SingleNestedBlock {
 	}
 }
 
+func gcpAuthSchema() schema.SingleNestedBlock {
+	return schema.SingleNestedBlock{
+		Description: "GCP credentials used to authenticate with Google Cloud services.",
+		Attributes: map[string]schema.Attribute{
+			"credentials_file": schema.StringAttribute{
+				Optional:    true,
+				Description: "Path to the GCP service account key file. Required when `auth` block is specified.",
+			},
+		},
+	}
+}
+
+func expandGcpAuth(auth *gcpAuthModel) *datadogV2.ObservabilityPipelineGcpAuth {
+	if auth == nil {
+		return nil
+	}
+
+	gcpAuth := &datadogV2.ObservabilityPipelineGcpAuth{}
+	if !auth.CredentialsFile.IsNull() {
+		gcpAuth.SetCredentialsFile(auth.CredentialsFile.ValueString())
+	}
+	return gcpAuth
+}
+
+func flattenGcpAuth(auth *datadogV2.ObservabilityPipelineGcpAuth) *gcpAuthModel {
+	if auth == nil {
+		return nil
+	}
+
+	return &gcpAuthModel{
+		CredentialsFile: types.StringValue(auth.CredentialsFile),
+	}
+}
+
 func (r *observabilityPipelineResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
 	resource.ImportStatePassthroughID(ctx, frameworkPath.Root("id"), request, response)
 }
@@ -3534,15 +3536,18 @@ func expandGoogleCloudStorageDestination(ctx context.Context, d *gcsDestinationM
 	dest.SetId(d.Id.ValueString())
 	dest.SetBucket(d.Bucket.ValueString())
 	dest.SetStorageClass(datadogV2.ObservabilityPipelineGoogleCloudStorageDestinationStorageClass(d.StorageClass.ValueString()))
-	dest.SetAcl(datadogV2.ObservabilityPipelineGoogleCloudStorageDestinationAcl(d.Acl.ValueString()))
+
+	if !d.Acl.IsNull() {
+		dest.SetAcl(datadogV2.ObservabilityPipelineGoogleCloudStorageDestinationAcl(d.Acl.ValueString()))
+	}
 
 	if !d.KeyPrefix.IsNull() {
 		dest.SetKeyPrefix(d.KeyPrefix.ValueString())
 	}
 
-	dest.SetAuth(datadogV2.ObservabilityPipelineGcpAuth{
-		CredentialsFile: d.Auth.CredentialsFile.ValueString(),
-	})
+	if auth := expandGcpAuth(d.Auth); auth != nil {
+		dest.SetAuth(*auth)
+	}
 
 	var metadata []datadogV2.ObservabilityPipelineMetadataEntry
 	for _, m := range d.Metadata {
@@ -3577,18 +3582,24 @@ func flattenGoogleCloudStorageDestination(ctx context.Context, src *datadogV2.Ob
 		})
 	}
 
-	return &gcsDestinationModel{
+	out := &gcsDestinationModel{
 		Id:           types.StringValue(src.GetId()),
 		Bucket:       types.StringValue(src.GetBucket()),
 		KeyPrefix:    types.StringPointerValue(src.KeyPrefix),
 		StorageClass: types.StringValue(string(src.GetStorageClass())),
-		Acl:          types.StringValue(string(src.GetAcl())),
-		Auth: gcpAuthModel{
-			CredentialsFile: types.StringValue(src.Auth.CredentialsFile),
-		},
-		Metadata: metadata,
-		Inputs:   inputs,
+		Metadata:     metadata,
+		Inputs:       inputs,
+	}
+
+	if acl, ok := src.GetAclOk(); ok {
+		out.Acl = types.StringValue(string(*acl))
 	}
+
+	if auth, ok := src.GetAuthOk(); ok {
+		out.Auth = flattenGcpAuth(auth)
+	}
+
+	return out
 }
 
 func expandGooglePubSubDestination(ctx context.Context, d *googlePubSubDestinationModel) datadogV2.ObservabilityPipelineConfigDestinationItem {
@@ -3601,10 +3612,8 @@ func expandGooglePubSubDestination(ctx context.Context, d *googlePubSubDestinati
 		dest.SetEncoding(datadogV2.ObservabilityPipelineGooglePubSubDestinationEncoding(d.Encoding.ValueString()))
 	}
 
-	if d.Auth != nil {
-		auth := datadogV2.ObservabilityPipelineGcpAuth{}
-		auth.SetCredentialsFile(d.Auth.CredentialsFile.ValueString())
-		dest.SetAuth(auth)
+	if auth := expandGcpAuth(d.Auth); auth != nil {
+		dest.SetAuth(*auth)
 	}
 
 	if d.Tls != nil {
@@ -3639,9 +3648,7 @@ func flattenGooglePubSubDestination(ctx context.Context, src *datadogV2.Observab
 	}
 
 	if auth, ok := src.GetAuthOk(); ok {
-		out.Auth = &gcpAuthModel{
-			CredentialsFile: types.StringValue(auth.CredentialsFile),
-		}
+		out.Auth = flattenGcpAuth(auth)
 	}
 
 	if src.Tls != nil {
@@ -4520,10 +4527,8 @@ func expandGooglePubSubSource(src *googlePubSubSourceModel) datadogV2.Observabil
 	pubsub.SetSubscription(src.Subscription.ValueString())
 	pubsub.SetDecoding(datadogV2.ObservabilityPipelineDecoding(src.Decoding.ValueString()))
 
-	if src.Auth != nil {
-		auth := datadogV2.ObservabilityPipelineGcpAuth{}
-		auth.SetCredentialsFile(src.Auth.CredentialsFile.ValueString())
-		pubsub.SetAuth(auth)
+	if auth := expandGcpAuth(src.Auth); auth != nil {
+		pubsub.SetAuth(*auth)
 	}
 
 	if src.Tls != nil {
@@ -4546,8 +4551,8 @@ func flattenGooglePubSubSource(src *datadogV2.ObservabilityPipelineGooglePubSubS
 		Decoding:     types.StringValue(string(src.GetDecoding())),
 	}
 
-	out.Auth = &gcpAuthModel{
-		CredentialsFile: types.StringValue(src.Auth.CredentialsFile),
+	if auth, ok := src.GetAuthOk(); ok {
+		out.Auth = flattenGcpAuth(auth)
 	}
 
 	if src.Tls != nil {
@@ -4881,12 +4886,8 @@ func expandGoogleChronicleDestination(ctx context.Context, src *googleChronicleD
 	src.Inputs.ElementsAs(ctx, &inputs, false)
 	dest.SetInputs(inputs)
 
-	if src.Auth != nil {
-		auth := datadogV2.ObservabilityPipelineGcpAuth{}
-		if !src.Auth.CredentialsFile.IsNull() {
-			auth.SetCredentialsFile(src.Auth.CredentialsFile.ValueString())
-		}
-		dest.Auth = auth
+	if auth := expandGcpAuth(src.Auth); auth != nil {
+		dest.SetAuth(*auth)
 	}
 
 	if !src.CustomerId.IsNull() {
@@ -4919,8 +4920,8 @@ func flattenGoogleChronicleDestination(ctx context.Context, src *datadogV2.Obser
 		LogType:    types.StringValue(src.GetLogType()),
 	}
 
-	out.Auth = &gcpAuthModel{
-		CredentialsFile: types.StringValue(src.Auth.CredentialsFile),
+	if auth, ok := src.GetAuthOk(); ok {
+		out.Auth = flattenGcpAuth(auth)
 	}
 
 	return out

datadog/tests/cassettes/TestAccDatadogObservabilityPipeline_googleChronicleDestination.freeze

@@ -1 +1 @@
-2025-04-29T12:01:31.171761+02:00
+2025-11-19T17:16:41.161176+01:00

datadog/tests/cassettes/TestAccDatadogObservabilityPipeline_googleChronicleDestination.yaml

@@ -31,13 +31,13 @@ interactions:
         content_length: 431
         uncompressed: false
         body: |
-            {"data":{"id":"f1690c06-24e0-11f0-92e2-da7ad0900002","type":"pipelines","attributes":{"name":"chronicle pipeline","config":{"destinations":[{"auth":{"credentials_file":"/secrets/gcp.json"},"customer_id":"3fa85f64-5717-4562-b3fc-2c963f66afa6","encoding":"json","id":"chronicle-dest-1","inputs":["source-1"],"log_type":"nginx_logs","type":"google_chronicle"}],"processors":[],"sources":[{"id":"source-1","type":"datadog_agent"}]}}}}
+            {"data":{"id":"226cb6b8-c563-11f0-bd66-da7ad0900002","type":"pipelines","attributes":{"name":"chronicle pipeline","config":{"destinations":[{"auth":{"credentials_file":"/secrets/gcp.json"},"customer_id":"3fa85f64-5717-4562-b3fc-2c963f66afa6","encoding":"json","id":"chronicle-dest-1","inputs":["source-1"],"log_type":"nginx_logs","type":"google_chronicle"}],"processors":[],"sources":[{"id":"source-1","type":"datadog_agent"}]}}}}
         headers:
             Content-Type:
                 - application/json
         status: 201 Created
         code: 201
-        duration: 666.372958ms
+        duration: 518.496334ms
     - id: 1
       request:
         proto: HTTP/1.1
@@ -54,7 +54,7 @@ interactions:
         headers:
             Accept:
                 - application/json
-        url: https://api.datadoghq.com/api/v2/remote_config/products/obs_pipelines/pipelines/f1690c06-24e0-11f0-92e2-da7ad0900002
+        url: https://api.datadoghq.com/api/v2/remote_config/products/obs_pipelines/pipelines/226cb6b8-c563-11f0-bd66-da7ad0900002
         method: GET
       response:
         proto: HTTP/1.1
@@ -65,13 +65,13 @@ interactions:
         content_length: 431
         uncompressed: false
         body: |
-            {"data":{"id":"f1690c06-24e0-11f0-92e2-da7ad0900002","type":"pipelines","attributes":{"name":"chronicle pipeline","config":{"destinations":[{"auth":{"credentials_file":"/secrets/gcp.json"},"customer_id":"3fa85f64-5717-4562-b3fc-2c963f66afa6","encoding":"json","id":"chronicle-dest-1","inputs":["source-1"],"log_type":"nginx_logs","type":"google_chronicle"}],"processors":[],"sources":[{"id":"source-1","type":"datadog_agent"}]}}}}
+            {"data":{"id":"226cb6b8-c563-11f0-bd66-da7ad0900002","type":"pipelines","attributes":{"name":"chronicle pipeline","config":{"destinations":[{"auth":{"credentials_file":"/secrets/gcp.json"},"customer_id":"3fa85f64-5717-4562-b3fc-2c963f66afa6","encoding":"json","id":"chronicle-dest-1","inputs":["source-1"],"log_type":"nginx_logs","type":"google_chronicle"}],"processors":[],"sources":[{"id":"source-1","type":"datadog_agent"}]}}}}
         headers:
             Content-Type:
                 - application/json
         status: 200 OK
         code: 200
-        duration: 326.566625ms
+        duration: 244.281667ms
     - id: 2
       request:
         proto: HTTP/1.1
@@ -88,7 +88,7 @@ interactions:
         headers:
             Accept:
                 - '*/*'
-        url: https://api.datadoghq.com/api/v2/remote_config/products/obs_pipelines/pipelines/f1690c06-24e0-11f0-92e2-da7ad0900002
+        url: https://api.datadoghq.com/api/v2/remote_config/products/obs_pipelines/pipelines/226cb6b8-c563-11f0-bd66-da7ad0900002
         method: DELETE
       response:
         proto: HTTP/1.1
@@ -104,4 +104,4 @@ interactions:
                 - application/json
         status: 204 No Content
         code: 204
-        duration: 457.401125ms
+        duration: 469.484542ms

datadog/tests/cassettes/TestAccDatadogObservabilityPipeline_googleChronicleDestinationMinimal.freeze

@@ -0,0 +1 @@
+2025-11-19T17:16:43.764799+01:00