hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

The allowed_referrers field of the google_apikeys_key resource is not a regex #19125

Open sarth6 opened 1 month ago

sarth6 commented 1 month ago

Community Note

Terraform Version & Provider Version(s)

Terraform v1.9.4 on x86-64

Affected Resource(s)

google_apikeys_key

Terraform Configuration

resource "google_apikeys_key" "google_maps" {
  name         = "google-maps-api-key"
  display_name = "google-maps-api-key"
  depends_on = [
    google_project_service.project-services["maps-backend.googleapis.com"],
    google_project_service.project-services["places-backend.googleapis.com"],
    google_project_service.project-services["places.googleapis.com"],
  ]

  restrictions {
    browser_key_restrictions {
      allowed_referrers = [
        ".*//.example//.com.*",
      ]
    }
    api_targets {
      service = "maps-backend.googleapis.com"
      methods = ["GET*"]
    }
    api_targets {
      service = "places-backend.googleapis.com"
      methods = ["GET*"]
    }
    api_targets {
      service = "places.googleapis.com"
      methods = ["GET*"]
    }
  }
}

Debug Output

No response

Expected Behavior

I should be able to use the maps API from any subdomain of example.com.

Actual Behavior

I can't use the maps API from any subdomain of example.com. Either the docs are wrong or the resource is bugged: the allowed_referrers field is not currently a regex (maybe it used to be?). Instead it's just a string with globbing, as per the docs on the UI in GCP (Credentials Page):

How do I restrict my API key to specific websites?
Use a website to restrict the URLs that can use an API key. [Learn more](https://cloud.google.com/docs/authentication/api-keys#adding_http_restrictions)

Here are some examples of URLs that you can allow to set up a website:

Any URL in a single domain with no subdomains: https://example.com
Any URL in a single subdomain: https://sub.example.com
Any subdomain in a single domain, using a wildcard asterisk (*): https://*.example.com
A domain and all its subdomains, using a wildcard asterisk (*):
https://example.com
https://*.example.com
A URL with a non-standard port: http://www.example.com:8000
Note: query parameters and fragments are not currently supported; they will be ignored if you include them in a website.

In the end, this works:

allowed_referrers = [
  "https://*.example.com",
]

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/apikeys_key

b/359945934
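A pre-apply check for the mismatch reported above, as an added example that is not part of the issue or of the provider's code: it scans the JSON from `terraform show -json` for `google_apikeys_key` referrers written as regexes rather than the `*` globs the Credentials page documents. The function names, the heuristics and the assumption that nested blocks appear as lists in the plan JSON are this example's own.

```python
import json
import re

# Heuristics (assumed, not Google's validation): regex-only syntax that has no
# meaning in a referrer glob. A bare "*" is the only documented wildcard.
REGEX_HINTS = [
    (re.compile(r"\.\*|\.\+"), "regex wildcard ('.*' / '.+'); use a bare '*'"),
    (re.compile(r"\\"), "backslash escape; dots are literal in a glob"),
    (re.compile(r"//\."), "'//.' looks like a mistyped regex escape"),
    (re.compile(r"[\^$()\[\]{}|+]"), "regex metacharacter"),
    (re.compile(r"[?#]"), "query/fragment is ignored by the restriction"),
]

def lint_referrer(value):
    """Return the reasons why `value` looks like a regex, not a glob."""
    return [msg for rx, msg in REGEX_HINTS if rx.search(value)]

def walk_resources(module):
    """Yield every resource in a plan module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def lint_plan(plan):
    """Map 'address: referrer' -> findings for google_apikeys_key resources."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_resources(root):
        if res.get("type") != "google_apikeys_key":
            continue
        for restr in res.get("values", {}).get("restrictions") or []:
            for browser in restr.get("browser_key_restrictions") or []:
                for ref in browser.get("allowed_referrers") or []:
                    problems = lint_referrer(ref)
                    if problems:
                        findings[f"{res['address']}: {ref}"] = problems
    return findings

# Constructed sample: a trimmed plan holding the failing and the working
# referrer value from the issue.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {"resources": [
  {"address": "google_apikeys_key.google_maps", "type": "google_apikeys_key",
   "values": {"restrictions": [{"browser_key_restrictions": [
     {"allowed_referrers": [".*//.example//.com.*", "https://*.example.com"]}
   ]}]}}]}}}""")

if __name__ == "__main__":
    for key, problems in lint_plan(SAMPLE_PLAN).items():
        print(key, "->", "; ".join(problems))
```

Run in CI against the saved plan, a non-empty result means the key restriction will not match the intended sites and should fail the pipeline before apply.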

ggtisc commented 4 weeks ago

It looks like there isn't an API JSON guide for the google_apikeys_key resource, just this. This is necessary to confirm the scope and limitations of the allowed_referrers argument for this issue as well as its usage example.