Conversation

@dullest (Contributor) commented Jan 5, 2026

Fixes hashicorp/terraform-provider-google#23259

Release Note Template for Downstream PRs (will be copied)

See Write release notes for guidance.

iambeta: fixed permadiff issue with `jwks_json` field in `google_iam_workload_identity_pool_provider` resource

@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Jan 5, 2026
@github-actions github-actions bot requested a review from NickElliot January 5, 2026 09:30
github-actions bot commented Jan 5, 2026

Hello! I am a robot. Tests will require approval from a repository maintainer to run.

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@NickElliot, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

github-actions bot commented Jan 8, 2026

@NickElliot This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

@github-actions

@GoogleCloudPlatform/terraform-team @NickElliot This PR has been waiting for review for 1 week. Please take a look! Use the label disable-review-reminders to disable these notifications.

@NickElliot (Contributor) left a comment

Hi, could you clarify the nature of what this is doing to fix the permadiff scenario?

@dullest (Contributor, Author) commented Jan 13, 2026

Hi, this fix addresses the permadiff issue by implementing a custom diff_suppress_func for JWKS JSON strings.
It compares both the terraform config and the state as unmarshalled objects, ignoring the formatting diff between the terraform config and the Google Cloud side, which stores/returns JWKS with whitespace.
Additionally, the field order is automatically set by the Google Cloud side as well. This also causes a diff.
A trace log shows that Google Cloud returns JWKS with whitespace as follows.
Terraform stores this value as-is in the state and compares the diff.
This causes a permadiff when users provide encoded JSON in the terraform config.

"jwksJson": "{\n  \"keys\": [{\n    \"kty\": \"RSA\",\n    \"alg\": \"RS256\",\n    \"use\": \"sig\",\n    \"kid\": \"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\n    \"n\": \"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\",\n    \"e\": \"AQAB\"\n  }]\n}"

The following example, which passes json to jwks_json field, causes a permadiff since the provider directly uses the string that Google Cloud returns.

resource "google_iam_workload_identity_pool" "this" {
  project                   = var.project_id
  workload_identity_pool_id = "example-pool"
}

resource "google_iam_workload_identity_pool_provider" "this" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.this.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
  oidc {
    allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
    issuer_uri        = "https://sts.windows.net/azure-tenant-id"
    jwks_json = jsonencode({
      keys = [{
        kty = "RSA"
        alg = "RS256"
        kid = "sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA"
        use = "sig"
        e   = "AQAB"
        n   = "ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw"
      }]
    })
  }
}

terraform plan shows the following diff because of the behavior.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_iam_workload_identity_pool_provider.this will be updated in-place
  ~ resource "google_iam_workload_identity_pool_provider" "this" {
        id                                 = "projects/example/locations/global/workloadIdentityPools/example-pool/providers/example-prvdr"
        name                               = "projects/123456/locations/global/workloadIdentityPools/example-pool/providers/example-prvdr"
        # (9 unchanged attributes hidden)

      ~ oidc {
          ~ jwks_json         = jsonencode( # whitespace changes
                {
                    keys = [
                        {
                            alg = "RS256"
                            e   = "AQAB"
                            kid = "sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA"
                            kty = "RSA"
                            n   = "ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw"
                            use = "sig"
                        },
                    ]
                }
            )
            # (2 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
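To make the suppression logic concrete, here is an added example (not the PR's code) of a whitespace- and key-order-insensitive comparison for the `jwks_json` field, written as a plain Go function so it compiles without the terraform-plugin-sdk; the `jwksJSONDiffSuppress` wrapper mirrors the SDK's DiffSuppressFunc argument order (key, old, new, resource data) with the resource-data parameter replaced by `interface{}`, and the sample JWKS strings and the `example-kid` value are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// jwksJSONEquivalent reports whether two JWKS documents are the same JSON
// value once parsed, so indentation and object member order (which the API
// rewrites) no longer produce a diff. Arrays keep their order, because "keys"
// is an ordered list and reordering it is a real change. Input that fails to
// parse is treated as different so the real diff still surfaces in the plan.
func jwksJSONEquivalent(oldJSON, newJSON string) bool {
	var oldVal, newVal interface{}
	if err := json.Unmarshal([]byte(oldJSON), &oldVal); err != nil {
		return false
	}
	if err := json.Unmarshal([]byte(newJSON), &newVal); err != nil {
		return false
	}
	return reflect.DeepEqual(oldVal, newVal)
}

// jwksJSONDiffSuppress has the shape of an SDK DiffSuppressFunc. The last
// parameter stands in for *schema.ResourceData (assumption: it is unused here).
func jwksJSONDiffSuppress(_ string, oldJSON, newJSON string, _ interface{}) bool {
	return jwksJSONEquivalent(oldJSON, newJSON)
}

func main() {
	// Constructed sample: the API echoes the key indented with reordered
	// members, while jsonencode in the config produced compact, sorted output.
	fromAPI := "{\n  \"keys\": [{\n    \"kty\": \"RSA\",\n    \"kid\": \"example-kid\",\n    \"e\": \"AQAB\"\n  }]\n}"
	fromConfig := `{"keys":[{"e":"AQAB","kid":"example-kid","kty":"RSA"}]}`
	fmt.Println(jwksJSONDiffSuppress("oidc.0.jwks_json", fromAPI, fromConfig, nil)) // true

	// A genuinely different key (changed exponent "e") must not be suppressed.
	changed := `{"keys":[{"e":"AQAC","kid":"example-kid","kty":"RSA"}]}`
	fmt.Println(jwksJSONEquivalent(fromAPI, changed)) // false
}
```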

@github-actions github-actions bot requested a review from NickElliot January 13, 2026 01:39

Development

Successfully merging this pull request may close these issues.

Permadiff on google_iam_workload_identity_pool_provider oidc.jwks_json field with whitespace changes