Add client scope (#13212)

[upstream:4e49b7ef4148798533d74f008751ce0b02d8c5c0]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/13212.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+certificatemanager: add CLIENT_AUTH value documentation/example for `scope`  in `google_certificate_manager_certificate`.
+```

google/services/certificatemanager/resource_certificate_manager_certificate.go

@@ -218,7 +218,10 @@ EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates
 See https://cloud.google.com/vpc/docs/edge-locations.
 
 ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs).
-See https://cloud.google.com/compute/docs/regions-zones`,
+See https://cloud.google.com/compute/docs/regions-zones.
+
+CLIENT_AUTH: Certificates with CLIENT_AUTH scope are used by a load balancer (TLS client) to be presented to the backend (TLS server) when backend mTLS is configured.
+See https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#client-certificate.`,
 				Default: "DEFAULT",
 			},
 			"self_managed": {

google/services/certificatemanager/resource_certificate_manager_certificate_generated_test.go

@@ -482,6 +482,45 @@ resource "google_certificate_manager_dns_authorization" "instance" {
 `, context)
 }
 
+func TestAccCertificateManagerCertificate_certificateManagerClientAuthCertificateExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckCertificateManagerCertificateDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCertificateManagerCertificate_certificateManagerClientAuthCertificateExample(context),
+			},
+			{
+				ResourceName:            "google_certificate_manager_certificate.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "location", "name", "self_managed", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccCertificateManagerCertificate_certificateManagerClientAuthCertificateExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_certificate_manager_certificate" "default" {
+  name        = "tf-test-client-auth-cert%{random_suffix}"
+  description = "Global cert"
+  scope       = "CLIENT_AUTH"
+  self_managed {
+    pem_certificate = file("test-fixtures/cert.pem")
+    pem_private_key = file("test-fixtures/private-key.pem")
+  }
+}
+`, context)
+}
+
 func testAccCheckCertificateManagerCertificateDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/certificate_manager_certificate.html.markdown

@@ -341,6 +341,25 @@ resource "google_certificate_manager_dns_authorization" "instance" {
   domain      = "subdomain.hashicorptest.com"
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_client_auth_certificate&open_in_editor=main.tf" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Certificate Manager Client Auth Certificate
+
+
+```hcl
+resource "google_certificate_manager_certificate" "default" {
+  name        = "client-auth-cert"
+  description = "Global cert"
+  scope       = "CLIENT_AUTH"
+  self_managed {
+    pem_certificate = file("test-fixtures/cert.pem")
+    pem_private_key = file("test-fixtures/private-key.pem")
+  }
+}
+```
 
 ## Argument Reference
 
@@ -375,7 +394,9 @@ The following arguments are supported:
   EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence.
   See https://cloud.google.com/vpc/docs/edge-locations.
   ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs).
-  See https://cloud.google.com/compute/docs/regions-zones
+  See https://cloud.google.com/compute/docs/regions-zones.
+  CLIENT_AUTH: Certificates with CLIENT_AUTH scope are used by a load balancer (TLS client) to be presented to the backend (TLS server) when backend mTLS is configured.
+  See https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#client-certificate.
 
 * `self_managed` -
   (Optional)