chore: Add custom plan modifier for RequestOnlyRequiredOnCreate Attribute

[marcabreracast]

Description

This PR addresses the following:

1. Follow-up from PR chore: Add required-create only implementation #3972, where due to a renaming decision on attribute requestOnlyRequiredOnCreate, the transformation step function naming needs to match for consistency purposes.
2. Addition of new custom plan modifier RequestOnlyRequiredOnCreateModifier, which adds validation when trying to create a resource with an attribute marked as RequestOnlyRequiredOnCreate = true, an error message will be shown.
3. This implementation allows to perform import without having to apply an additional step, improving the user experience.

Link to any related issue(s): CLOUDP-363710

Type of change:

• Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
• New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR. A migration guide must be created or updated if the new feature will go in a major version.
• Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR. A migration guide must be created or updated.
• This change requires a documentation update
• Documentation fix/enhancement

Required Checklist:

• I have signed the MongoDB CLA
• I have read the contributing guides
• I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
• I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
• I have added any necessary documentation (if appropriate)
• I have run make fmt and formatted my code
• If changes include deprecations or removals I have added appropriate changelog entries.
• If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Further comments

Behaviour of CreateOnly attribute is preserved, where the attribute is required on creation, but when tried to be updated in the configuration, a validation error message will be shown.

[Copilot]

Pull request overview

This PR introduces a new custom plan modifier RequestOnlyRequiredOnCreate to improve the user experience when importing resources. The modifier validates that attributes marked with RequestOnlyRequiredOnCreate = true have values during resource creation, while allowing them to be omitted during import operations.

• Renamed requiredOnCreateInputOnlyTransformation to requestOnlyRequiredOnCreateTransformation for consistency
• Added RequestOnlyRequiredOnCreateModifier that validates required attributes during creation but allows omission on import
• Refactored plan modifier generation to support multiple modifiers on a single attribute

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tools/codegen/codespec/config.go	Renamed transformation function to match the attribute name
tools/codegen/gofilegen/schema/schema_attribute.go	Refactored to support multiple plan modifiers and added RequestOnlyRequiredOnCreate modifier generation
tools/codegen/gofilegen/schema/schema_attribute_test.go	Added test coverage for RequestOnlyRequiredOnCreate attribute behavior
internal/common/customplanmodifier/request_only_required_create.go	New plan modifier implementation that validates required attributes during creation
internal/serviceapi/orgserviceaccountapi/resource_schema.go	Applied new plan modifier to secret_expires_after_hours attribute
internal/serviceapi/orgserviceaccountsecretapi/resource_schema.go	Applied new plan modifier to secret_expires_after_hours attribute

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The description is misleading. The modifier doesn't make create operations fail - it validates that required attributes are present during creation. Consider revising to: 'Validates that the attribute is provided during resource creation, but allows it to be omitted during import operations.'

Suggested change

	return "Ensures that create operations fail when attempting to create a resource with a missing required attribute."
	return "Validates that the attribute is provided during resource creation, but allows it to be omitted during import operations."

[maastha]

I believe such a value can only be null/non-null but never unknown right? Since these would be Optional attributes? If yes, I'd remove the Known check in the validation method & only check for null

[marcabreracast]

That is true yes, addressed in 7b3a175

[maastha]

should we also throw an error if the user tries to update it? Or is the expectation to always use it in conjunction with customplanmodifier.CreateOnly()?

How is it handled during resource reads? I assume the attribute would still stay in the state even though the GET calls don't return it right?

[marcabreracast]

If the user tries to update it, customplanmodifier.CreateOnly() is responsible for blocking the change and surfacing an error. RequestOnlyRequiredOnCreate only enforces that the attribute is present on create, so for attributes that are both required-on-create and immutable we expect to always use it in conjunction with CreateOnly(). However, an attribute could be CreateOnly, without RequestOnlyRequiredOnCreate.

Regarding your second question: you're correct. On resource reads, the attribute stays in the state, so it retains its last known value.