add iam workload identity federation

products/iambeta/api.yaml

@@ -0,0 +1,104 @@
+# Copyright 2020 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Product
+name: IAMBeta
+display_name: Cloud IAM
+versions:
+  - !ruby/object:Api::Product::Version
+    name: beta
+    base_url: https://iam.googleapis.com/v1beta/
+scopes:
+  - https://www.googleapis.com/auth/iam
+apis_required:
+  - !ruby/object:Api::Product::ApiReference
+    name: Identity and Access Management (IAM) API
+    url: https://console.cloud.google.com/apis/library/iam.googleapis.com/
+async: !ruby/object:Api::OpAsync
+  operation: !ruby/object:Api::OpAsync::Operation
+    path: 'name'
+    base_url: '{{op_id}}'
+    wait_ms: 1000
+  result: !ruby/object:Api::OpAsync::Result
+    path: 'targetLink'
+  status: !ruby/object:Api::OpAsync::Status
+    path: 'done'
+    complete: True
+    allowed:
+      - true
+      - false
+  error: !ruby/object:Api::OpAsync::Error
+    path: 'error'
+    message: 'message'
+objects:
+  - !ruby/object:Api::Resource
+    name: 'WorkloadIdentityPool'
+    min_version: beta
+    base_url: projects/{{project}}/locations/global/workloadIdentityPools
+    self_link: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
+    create_url: projects/{{project}}/locations/global/workloadIdentityPools?workloadIdentityPoolId={{workload_identity_pool_id}}
+    update_verb: :PATCH
+    update_mask: true
+    description: |
+      Represents a collection of external workload identities. You can define IAM policies to
+      grant these identities access to Google Cloud resources.
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Managing workload identity pools':
+          'https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools'
+      api: 'https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools'
+    properties:
+      - !ruby/object:Api::Type::String
+         name: 'workloadIdentityPoolId'
+         description: |
+           The ID to use for the pool, which becomes the final component of the resource name. This
+           value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+           `gcp-` is reserved for use by Google, and may not be specified.
+         required: true
+         input: true
+         url_param_only: true
+      - !ruby/object:Api::Type::Enum
+        name: 'state'
+        description: |
+          The state of the pool.
+          STATE_UNSPECIFIED: State unspecified.
+          ACTIVE: The pool is active, and may be used in Google Cloud policies.
+          DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
+          approximately 30 days. You can restore a soft-deleted pool using
+          UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
+          permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
+          use existing tokens to access resources. If the pool is undeleted, existing tokens grant
+          access again.
+        output: true
+        values:
+          - :STATE_UNSPECIFIED
+          - :ACTIVE
+          - :DELETED
+      - !ruby/object:Api::Type::String
+        name: 'displayName'
+        description: A display name for the pool. Cannot exceed 32 characters.
+      - !ruby/object:Api::Type::String
+        name: 'description'
+        description: A description of the pool. Cannot exceed 256 characters.
+      - !ruby/object:Api::Type::String
+        name: 'name'
+        description: |
+          The resource name of the pool as
+          `projects/<projectnumber>/locations/global/workloadIdentityPools/<id>`.
+        output: true
+      - !ruby/object:Api::Type::Boolean
+        name: 'disabled'
+        description: |
+          Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
+          existing tokens to access resources. If the pool is re-enabled, existing tokens grant
+          access again.

products/iambeta/terraform.yaml

@@ -0,0 +1,47 @@
+# Copyright 2020 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Provider::Terraform::Config
+legacy_name: iam
+overrides: !ruby/object:Overrides::ResourceOverrides
+  WorkloadIdentityPool: !ruby/object:Overrides::Terraform::ResourceOverride
+    autogen_async: true
+    import_format: ["projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}"]
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "iam_workload_identity_pool_basic"
+        primary_resource_id: "example"
+        vars:
+          workload_identity_pool_id: "example-pool"
+        min_version: beta
+      - !ruby/object:Provider::Terraform::Examples
+        name: "iam_workload_identity_pool_full"
+        primary_resource_id: "example"
+        vars:
+          workload_identity_pool_id: "example-pool"
+        min_version: beta
+    docs: !ruby/object:Provider::Terraform::Docs
+      attributes: |
+        * `self_link`: The self link of the created WorkloadIdentityPool in the format `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      constants: templates/terraform/constants/iam_workload_identity_pool.go.erb
+    properties:
+      workloadIdentityPoolId: !ruby/object:Overrides::Terraform::PropertyOverride
+        validation: !ruby/object:Provider::Terraform::Validation
+          function: 'validateWorkloadIdentityPoolId'
+# This is for copying files over
+files: !ruby/object:Provider::Config::Files
+  # These files have templating (ERB) code that will be run.
+  # This is usually to add licensing info, autogeneration notices, etc.
+  compile:
+<%= lines(indent(compile('provider/terraform/product~compile.yaml'), 4)) -%>

templates/terraform/constants/iam_workload_identity_pool.go.erb

@@ -0,0 +1,27 @@
+const workloadIdentityPoolIdRegexp = `^[0-9a-z-]+$`
+
+func validateWorkloadIdentityPoolId(v interface{}, k string) (ws []string, errors []error) {
+    value := v.(string)
+
+    if strings.HasPrefix(value, "gcp-") {
+        errors = append(errors, fmt.Errorf(
+            "%q (%q) can not start with \"gcp-\"", k, value))
+    }
+
+    if !regexp.MustCompile(workloadIdentityPoolIdRegexp).MatchString(value) {
+       errors = append(errors, fmt.Errorf(
+            "%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k))
+    }
+
+    if len(value) < 4 {
+        errors = append(errors, fmt.Errorf(
+            "%q cannot be smaller than 4 characters", k))
+    }
+
+    if len(value) > 32 {
+        errors = append(errors, fmt.Errorf(
+            "%q cannot be greater than 32 characters", k))
+    }
+
+    return
+}

templates/terraform/examples/iam_workload_identity_pool_basic.tf.erb

@@ -0,0 +1,4 @@
+resource "google_iam_workload_identity_pool" "<%= ctx[:primary_resource_id] %>" {
+  provider                  = google-beta
+  workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>"
+}

templates/terraform/examples/iam_workload_identity_pool_full.tf.erb

@@ -0,0 +1,7 @@
+resource "google_iam_workload_identity_pool" "<%= ctx[:primary_resource_id] %>" {
+  provider                  = google-beta
+  workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>"
+  display_name              = "Name of pool"
+  description               = "Identity pool for automated test"
+  disabled                  = true
+}

third_party/terraform/tests/resource_iam_beta-workload_identity_pool_id_test.go.erb

@@ -0,0 +1,34 @@
+<% autogen_exception -%>
+package google
+
+<% unless version == 'ga' %>
+import (
+	"strings"
+	"testing"
+)
+
+func TestValidateIAMBetaWorkloadIdentityPoolId(t *testing.T) {
+	x := []StringValidationTestCase{
+		// No errors
+		{TestName: "basic", Value: "foobar"},
+		{TestName: "with numbers", Value: "foobar123"},
+		{TestName: "short", Value: "foos"},
+		{TestName: "long", Value: "12345678901234567890123456789012"},
+		{TestName: "has a hyphen", Value: "foo-bar"},
+
+		// With errors
+		{TestName: "empty", Value: "", ExpectError: true},
+		{TestName: "starts with a gcp-", Value: "gcp-foobar", ExpectError: true},
+		{TestName: "with uppercase", Value: "fooBar", ExpectError: true},
+		{TestName: "has an slash", Value: "foo/bar", ExpectError: true},
+		{TestName: "has an backslash", Value: "foo\bar", ExpectError: true},
+		{TestName: "too short", Value: "foo", ExpectError: true},
+		{TestName: "too long", Value: strings.Repeat("f", 33), ExpectError: true},
+	}
+
+	es := testStringValidationCases(x, validateWorkloadIdentityPoolId)
+	if len(es) > 0 {
+		t.Errorf("Failed to validate WorkloadIdentityPool names: %v", es)
+	}
+}
+<% end -%>

third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb

@@ -0,0 +1,99 @@
+<% autogen_exception -%>
+package google
+
+<% unless version == 'ga' %>
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccIAMBetaWorkloadIdentityPool_full(t *testing.T) {
+	t.Parallel()
+
+	randomSuffix := randString(t, 10)
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMBetaWorkloadIdentityPool_full(randomSuffix),
+			},
+			{
+				ResourceName:      "google_iam_workload_identity_pool.my_pool",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccIAMBetaWorkloadIdentityPool_update(randomSuffix),
+			},
+			{
+				ResourceName:      "google_iam_workload_identity_pool.my_pool",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccIAMBetaWorkloadIdentityPool_minimal(t *testing.T) {
+	t.Parallel()
+
+	randomSuffix := randString(t, 10)
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMBetaWorkloadIdentityPool_minimal(randomSuffix),
+			},
+			{
+				ResourceName:      "google_iam_workload_identity_pool.my_pool",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccIAMBetaWorkloadIdentityPool_update(randomSuffix),
+			},
+			{
+				ResourceName:      "google_iam_workload_identity_pool.my_pool",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccIAMBetaWorkloadIdentityPool_full(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_iam_workload_identity_pool" "my_pool" {
+  workload_identity_pool_id = "my-pool-%s"
+  display_name              = "Name of pool"
+  description               = "Identity pool for automated test"
+  disabled                  = true
+}
+`, suffix)
+}
+
+func testAccIAMBetaWorkloadIdentityPool_minimal(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_iam_workload_identity_pool" "my_pool" {
+  workload_identity_pool_id = "my-pool-%s"
+}
+`, suffix)
+}
+
+func testAccIAMBetaWorkloadIdentityPool_update(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_iam_workload_identity_pool" "my_pool" {
+  workload_identity_pool_id = "my-pool-%s"
+  display_name              = "Updated name of pool"
+  description               = "Updated description"
+  disabled                  = false
+}
+`, suffix)
+}
+<% end -%>