Remove post-startup-script key from protected metadata for EUC (#15998)

Author: madhusuraj

mmv1/templates/terraform/constants/workbench_instance.go.tmpl

@@ -4,13 +4,16 @@ var WorkbenchInstanceSettableUnmodifiableDefaultMetadata = []string{
 	"report-notebook-metrics",
 }
 
+var WorkbenchInstanceEUCSettableUnmodifiableDefaultMetadata = []string{
+	"post-startup-script",
+	"post-startup-script-behavior",
+}
+
 var WorkbenchInstanceEUCProvidedAdditionalMetadata = []string{
 	"enable-oslogin",
 	"disable-ssh",
 	"ssh-keys",
 	"block-project-ssh-keys",
-	"post-startup-script",
-	"post-startup-script-behavior",
 	"startup-script",
 	"startup-script-url",
 	"gce-container-declaration",
@@ -95,6 +98,12 @@ func WorkbenchInstanceMetadataDiffSuppress(k, old, new string, d *schema.Resourc
 				return true
 			}
 		}
+
+		for _, metadata := range WorkbenchInstanceEUCSettableUnmodifiableDefaultMetadata {
+			if key == metadata && new == "" {
+				return true
+			}
+		}
 	}
 
 	for _, metadata := range WorkbenchInstanceSettableUnmodifiableDefaultMetadata {
@@ -284,7 +293,12 @@ func workbenchMetadataCustomizeDiff(_ context.Context, diff *schema.ResourceDiff
 		oldMetadata := o.(map[string]interface{})
 		newMetadata := n.(map[string]interface{})
 
-		for _, key := range WorkbenchInstanceSettableUnmodifiableDefaultMetadata {
+		unmodifiableKeys := append([]string{}, WorkbenchInstanceSettableUnmodifiableDefaultMetadata...)
+        if v, ok := diff.GetOk("enable_managed_euc"); ok && v.(bool) {
+            unmodifiableKeys = append(unmodifiableKeys, WorkbenchInstanceEUCSettableUnmodifiableDefaultMetadata...)
+        }
+
+		for _, key := range unmodifiableKeys {
 			oldValue, oldOk := oldMetadata[key]
 			newValue, newOk := newMetadata[key]
 
@@ -304,4 +318,4 @@ func workbenchMetadataCustomizeDiff(_ context.Context, diff *schema.ResourceDiff
 		}
 	}
 	return nil
-}
+}

mmv1/third_party/terraform/services/workbench/resource_workbench_instance_test.go

@@ -6,6 +6,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
+
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 )
 
 func TestAccWorkbenchInstance_update(t *testing.T) {
@@ -877,3 +879,57 @@ resource "google_workbench_instance" "instance" {
 }
 `, context)
 }
+
+func TestAccWorkbenchInstance_metadataEUCForceNew(t *testing.T) {
+	t.Skip("Skipping until backend rollout completes which throws an error for non-allowlisted users, rather than silently dropping the key.")
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckWorkbenchInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWorkbenchInstance_metadataEUC(context, "old-script.sh"),
+			},
+			{
+				Config: testAccWorkbenchInstance_metadataEUC(context, "new-script.sh"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_workbench_instance.instance", plancheck.ResourceActionReplace),
+					},
+				},
+			},
+		},
+	})
+}
+
+func testAccWorkbenchInstance_metadataEUC(context map[string]interface{}, scriptName string) string {
+	context["script_name"] = scriptName
+	return acctest.Nprintf(`
+resource "google_workbench_instance" "instance" {
+  name     = "tf-test-workbench-%{random_suffix}"
+  location = "us-central1-a"
+  instance_owners = ["workbenche2etestota@gmail.com"]
+
+  gce_setup {
+    machine_type = "n1-standard-1"
+    vm_image {
+      project = "cloud-notebooks-managed"
+      family  = "workbench-instances"
+    }
+
+    metadata = {
+      post-startup-script          = "%{script_name}"
+      post-startup-script-behavior = "run_once"
+    }
+  }
+  
+  enable_managed_euc = true
+}
+`, context)
+}