From bf8be1442cfbd89beeaaa0d63b29569a8bc6b98e Mon Sep 17 00:00:00 2001
From: Wilfred
Date: Tue, 20 Oct 2020 22:41:01 +0200
Subject: [PATCH 01/10] add iam workload identity pool provider

---
 products/iambeta/api.yaml | 190 +++++++++++++++++-
 products/iambeta/terraform.yaml | 41 ++++
 ...iam_workload_identity_pool_provider.go.erb | 27 +++
 ...ad_identity_pool_provider_aws_basic.tf.erb | 13 ++
 ...oad_identity_pool_provider_aws_full.tf.erb | 22 ++
 ...d_identity_pool_provider_oidc_basic.tf.erb | 16 ++
 ...ad_identity_pool_provider_oidc_full.tf.erb | 28 +++
 ...load_identity_pool_provider_id_test.go.erb | 34 ++++
 8 files changed, 370 insertions(+), 1 deletion(-)
 create mode 100644 templates/terraform/constants/iam_workload_identity_pool_provider.go.erb
 create mode 100644 templates/terraform/examples/iam_workload_identity_pool_provider_aws_basic.tf.erb
 create mode 100644 templates/terraform/examples/iam_workload_identity_pool_provider_aws_full.tf.erb
 create mode 100644 templates/terraform/examples/iam_workload_identity_pool_provider_oidc_basic.tf.erb
 create mode 100644 templates/terraform/examples/iam_workload_identity_pool_provider_oidc_full.tf.erb
 create mode 100644 third_party/terraform/tests/resource_iam_beta-workload_identity_pool_provider_id_test.go.erb

diff --git a/products/iambeta/api.yaml b/products/iambeta/api.yaml
index 8a9ed3ffec37..ea1baf4a4f0b 100644
--- a/products/iambeta/api.yaml
+++ b/products/iambeta/api.yaml
@@ -94,7 +94,7 @@ objects:
 name: 'name'
 description: |
 The resource name of the pool as
- `projects//locations/global/workloadIdentityPools/`.
+ `projects//locations/global/workloadIdentityPools/`.
 output: true
 - !ruby/object:Api::Type::Boolean
 name: 'disabled'
@@ -102,3 +102,191 @@ objects: Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. + - !ruby/object:Api::Resource + name: 'WorkloadIdentityPoolProvider' + min_version: beta + base_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers + self_link: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}} + create_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/?workloadIdentityPoolProviderId={{workload_identity_pool_provider_id}} + update_verb: :PATCH + update_mask: true + description: A configuration for an external identity provider. + references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'Managing workload identity providers': + 'https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers' + api: 'https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools.providers' + properties: + - !ruby/object:Api::Type::String + name: 'workloadIdentityPoolId' + description: | + The ID used for the pool, which is the final component of the pool resource name. This + value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix + `gcp-` is reserved for use by Google, and may not be specified. + required: true + input: true + url_param_only: true + - !ruby/object:Api::Type::String + name: 'workloadIdentityPoolProviderId' + description: | + The ID for the provider, which becomes the final component of the resource name. This + value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix + `gcp-` is reserved for use by Google, and may not be specified. 
+ required: true + input: true + url_param_only: true + - !ruby/object:Api::Type::Enum + name: 'state' + description: | + The state of the provider. + STATE_UNSPECIFIED: State unspecified. + ACTIVE: The provider is active, and may be used to validate authentication credentials. + DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted + after approximately 30 days. You can restore a soft-deleted provider using + UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider + until it is permanently deleted. + output: true + values: + - :STATE_UNSPECIFIED + - :ACTIVE + - :DELETED + - !ruby/object:Api::Type::String + name: 'displayName' + description: A display name for the provider. Cannot exceed 32 characters. + - !ruby/object:Api::Type::String + name: 'description' + description: A description for the provider. Cannot exceed 256 characters. + - !ruby/object:Api::Type::String + name: 'name' + description: | + The resource name of the provider as + `projects//locations/global/workloadIdentityPools//providers/`. + output: true + - !ruby/object:Api::Type::Boolean + name: 'disabled' + description: | + Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. + However, existing tokens still grant access. + - !ruby/object:Api::Type::KeyValuePairs + name: 'attributeMapping' + description: | + Maps attributes from authentication credentials issued by an external identity provider + to Google Cloud attributes, such as `subject` and `segment`. + + Each key must be a string specifying the Google Cloud IAM attribute to map to. + + The following keys are supported: + * `google.subject`: The principal IAM is authenticating. You can reference this value + in IAM bindings. This is also the subject that appears in Cloud Logging logs. + Cannot exceed 127 characters. + * `google.groups`: Groups the external identity belongs to. 
You can grant groups + access to resources using an IAM `principalSet` binding; access applies to all + members of the group. + + You can also provide custom attributes by specifying `attribute.{custom_attribute}`, + where `{custom_attribute}` is the name of the custom attribute to be mapped. You can + define a maximum of 50 custom attributes. The maximum length of a mapped attribute key + is 100 characters, and the key may only contain the characters [a-z0-9_]. + + You can reference these attributes in IAM policies to define fine-grained access for a + workload to Google Cloud resources. For example: + * `google.subject`: + `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}` + * `google.groups`: + `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}` + * `attribute.{custom_attribute}`: + `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` + + Each value must be a [Common Expression Language](https://opensource.google/projects/cel) + function that maps an identity provider credential to the normalized attribute specified + by the corresponding map key. + + You can use the `assertion` keyword in the expression to access a JSON representation of + the authentication credential issued by the provider. + + The maximum length of an attribute mapping expression is 2048 characters. When evaluated, + the total size of all mapped attributes must not exceed 8KB. + + For AWS providers, the following rules apply: + - If no attribute mapping is defined, the following default mapping applies: + ``` + { + "google.subject":"assertion.arn", + "attribute.aws_role": + "assertion.arn.contains('assumed-role')" + " ? 
assertion.arn.extract('{account_arn}assumed-role/')" + " + 'assumed-role/'" + " + assertion.arn.extract('assumed-role/{role_name}/')" + " : assertion.arn", + } + ``` + - If any custom attribute mappings are defined, they must include a mapping to the + `google.subject` attribute. + + For OIDC providers, the following rules apply: + - Custom attribute mappings must be defined, and must include a mapping to the + `google.subject` attribute. For example, the following maps the `sub` claim of the + incoming credential to the `subject` attribute on a Google token. + ``` + {"google.subject": "assertion.sub"} + ``` + - !ruby/object:Api::Type::String + name: 'attributeCondition' + description: | + [A Common Expression Language](https://opensource.google/projects/cel) expression, in + plain text, to restrict what otherwise valid authentication credentials issued by the + provider should not be accepted. + + The expression must output a boolean representing whether to allow the federation. + + The following keywords may be referenced in the expressions: + * `assertion`: JSON representing the authentication credential issued by the provider. + * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. + * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. + + The maximum length of the attribute condition expression is 4096 characters. If + unspecified, all valid authentication credential are accepted. + + The following example shows how to only allow credentials with a mapped `google.groups` + value of `admins`: + ``` + "'admins' in google.groups" + ``` + - !ruby/object:Api::Type::NestedObject + name: aws + description: An Amazon Web Services identity provider. + exactly_one_of: + - aws + - oidc + properties: + - !ruby/object:Api::Type::String + name: accountId + description: The AWS account ID. 
+ required: true + - !ruby/object:Api::Type::NestedObject + name: oidc + description: An OpenId Connect 1.0 identity provider. + exactly_one_of: + - aws + - oidc + properties: + - !ruby/object:Api::Type::Array + name: allowedAudiences + item_type: Api::Type::String + description: | + Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange + requests are rejected if the token audience does not match one of the configured + values. Each audience may be at most 256 characters. A maximum of 10 audiences may + be configured. + + If this list is empty, the OIDC token audience must be equal to the full canonical + resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. + For example: + ``` + //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ + https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ + ``` + - !ruby/object:Api::Type::String + name: issuerUri + description: The OIDC issuer URL. + required: true diff --git a/products/iambeta/terraform.yaml b/products/iambeta/terraform.yaml index d0a01a2f3ae0..36e96dcc1275 100644 --- a/products/iambeta/terraform.yaml +++ b/products/iambeta/terraform.yaml 
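Review bot: The allowedAudiences example in the oidc block reads `//iam.googleapis.com/projects//locations//workloadIdentityPools//providers/` with every placeholder segment empty, so the rendered docs never say what belongs between the slashes; a later patch in this series repairs the same pattern for the two `name` descriptions but leaves this one. Writing the segments as `{project_number}`, `{location}`, `{workload_identity_pool_id}` and `{workload_identity_pool_provider_id}` would match the `principal://` examples given under attributeMapping. Presumably angle-bracket placeholders were dropped somewhere in the rendering chain — confirm against the source file. Separately, attributeMapping carries no `default_from_api` while its own description says the API applies a default mapping to AWS providers when none is configured; if that default is echoed back on read, an `aws_basic` apply may show a persistent diff on `attribute_mapping`, which the acceptance test in a later patch should confirm or rule out.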
@@ -39,6 +39,47 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 workloadIdentityPoolId: !ruby/object:Overrides::Terraform::PropertyOverride
 validation: !ruby/object:Provider::Terraform::Validation
 function: 'validateWorkloadIdentityPoolId'
+ WorkloadIdentityPoolProvider: !ruby/object:Overrides::Terraform::ResourceOverride
+ autogen_async: true
+ import_format: ["projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_id}}"]
+ examples:
+ - !ruby/object:Provider::Terraform::Examples
+ name: "iam_workload_identity_pool_provider_aws_basic"
+ primary_resource_id: "example"
+ vars:
+ workload_identity_pool_id: "example-pool"
+ workload_identity_pool_provider_id: "example-prvdr"
+ min_version: beta
+ - !ruby/object:Provider::Terraform::Examples
+ name: "iam_workload_identity_pool_provider_aws_full"
+ primary_resource_id: "example"
+ vars:
+ workload_identity_pool_id: "example-pool"
+ workload_identity_pool_provider_id: "example-prvdr"
+ min_version: beta
+ - !ruby/object:Provider::Terraform::Examples
+ name: "iam_workload_identity_pool_provider_oidc_basic"
+ primary_resource_id: "example"
+ vars:
+ workload_identity_pool_id: "example-pool"
+ workload_identity_pool_provider_id: "example-prvdr"
+ min_version: beta
+ - !ruby/object:Provider::Terraform::Examples
+ name: "iam_workload_identity_pool_provider_oidc_full"
+ primary_resource_id: "example"
+ vars:
+ workload_identity_pool_id: "example-pool"
+ workload_identity_pool_provider_id: "example-prvdr"
+ min_version: beta
+ docs: !ruby/object:Provider::Terraform::Docs
+ attributes: |
+ * `self_link`: The self link of the created WorkloadIdentityPoolProvider in the format `projects/{project}/locations/global/workloadIdentityPools/{pool}/providers/{workload_identity_pool_provider_id}`
+ custom_code: !ruby/object:Provider::Terraform::CustomCode
+ constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb
+ properties:
+
workloadIdentityPoolProviderId: !ruby/object:Overrides::Terraform::PropertyOverride
+ validation: !ruby/object:Provider::Terraform::Validation
+ function: 'validateWorkloadIdentityPoolProviderId'
 # This is for copying files over
 files: !ruby/object:Provider::Config::Files
 # These files have templating (ERB) code that will be run.
diff --git a/templates/terraform/constants/iam_workload_identity_pool_provider.go.erb b/templates/terraform/constants/iam_workload_identity_pool_provider.go.erb
new file mode 100644
index 000000000000..c8f6100ceaf7
--- /dev/null
+++ b/templates/terraform/constants/iam_workload_identity_pool_provider.go.erb
@@ -0,0 +1,27 @@
+const workloadIdentityPoolProviderIdRegexp = `^[0-9a-z-]+$`
+
+func validateWorkloadIdentityPoolProviderId(v interface{}, k string) (ws []string, errors []error) {
+ value := v.(string)
+
+ if strings.HasPrefix(value, "gcp-") {
+ errors = append(errors, fmt.Errorf(
+ "%q (%q) can not start with \"gcp-\"", k, value))
+ }
+
+ if !regexp.MustCompile(workloadIdentityPoolProviderIdRegexp).MatchString(value) {
+ errors = append(errors, fmt.Errorf(
+ "%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k))
+ }
+
+ if len(value) < 4 {
+ errors = append(errors, fmt.Errorf(
+ "%q cannot be smaller than 4 characters", k))
+ }
+
+ if len(value) > 32 {
+ errors = append(errors, fmt.Errorf(
+ "%q cannot be greater than 32 characters", k))
+ }
+
+ return
+}
diff --git a/templates/terraform/examples/iam_workload_identity_pool_provider_aws_basic.tf.erb b/templates/terraform/examples/iam_workload_identity_pool_provider_aws_basic.tf.erb
new file mode 100644
index 000000000000..d372c80425ae
--- /dev/null
+++ b/templates/terraform/examples/iam_workload_identity_pool_provider_aws_basic.tf.erb
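Review bot: `value := v.(string)` at the top of validateWorkloadIdentityPoolProviderId panics rather than reporting an error if the schema ever hands the validator a non-string, and `regexp.MustCompile(workloadIdentityPoolProviderIdRegexp)` recompiles the pattern on every call; a checked assertion plus a package-level compiled regexp is the usual shape for an SDK validation function. The prefix and length checks can stay exactly as written. The message `can not start with` would also read consistently as `cannot`, matching the two length messages below it.
```go
var workloadIdentityPoolProviderIdRegex = regexp.MustCompile(workloadIdentityPoolProviderIdRegexp)

func validateWorkloadIdentityPoolProviderId(v interface{}, k string) (ws []string, errors []error) {
	value, ok := v.(string)
	if !ok {
		errors = append(errors, fmt.Errorf("%q must be a string", k))
		return
	}

	// … unchanged: gcp- prefix check …

	if !workloadIdentityPoolProviderIdRegex.MatchString(value) {
		errors = append(errors, fmt.Errorf(
			"%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k))
	}

	// … unchanged: length checks and return …
}
```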
@@ -0,0 +1,13 @@ +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>" +} + +resource "google_iam_workload_identity_pool_provider" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "<%= ctx[:vars]["workload_identity_pool_provider_id"] %>" + aws { + account_id = "999999999999" + } +} diff --git a/templates/terraform/examples/iam_workload_identity_pool_provider_aws_full.tf.erb b/templates/terraform/examples/iam_workload_identity_pool_provider_aws_full.tf.erb new file mode 100644 index 000000000000..eeb461223d5d --- /dev/null +++ b/templates/terraform/examples/iam_workload_identity_pool_provider_aws_full.tf.erb @@ -0,0 +1,22 @@ +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>" +} + +resource "google_iam_workload_identity_pool_provider" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "<%= ctx[:vars]["workload_identity_pool_provider_id"] %>" + display_name = "Name of provider" + description = "AWS identity pool provider for automated test" + disabled = true + attribute_condition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"" + attribute_mapping = { + "google.subject" = "assertion.arn" + "attribute.aws_account" = "assertion.account" + "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" + } + aws { + account_id = "999999999999" + } +} 
diff --git a/templates/terraform/examples/iam_workload_identity_pool_provider_oidc_basic.tf.erb b/templates/terraform/examples/iam_workload_identity_pool_provider_oidc_basic.tf.erb new file mode 100644 index 000000000000..21ccc08d18fe --- /dev/null +++ b/templates/terraform/examples/iam_workload_identity_pool_provider_oidc_basic.tf.erb @@ -0,0 +1,16 @@ +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>" +} + +resource "google_iam_workload_identity_pool_provider" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "<%= ctx[:vars]["workload_identity_pool_provider_id"] %>" + attribute_mapping = { + "google.subject" = "assertion.sub" + } + oidc { + issuer_uri = "https://sts.windows.net/azure-tenant-id" + } +} diff --git a/templates/terraform/examples/iam_workload_identity_pool_provider_oidc_full.tf.erb b/templates/terraform/examples/iam_workload_identity_pool_provider_oidc_full.tf.erb new file mode 100644 index 000000000000..05e0a4e899e3 --- /dev/null +++ b/templates/terraform/examples/iam_workload_identity_pool_provider_oidc_full.tf.erb 
@@ -0,0 +1,28 @@ +resource "google_iam_workload_identity_pool" "pool" { + provider = google-beta + workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>" +} + +resource "google_iam_workload_identity_pool_provider" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id + workload_identity_pool_provider_id = "<%= ctx[:vars]["workload_identity_pool_provider_id"] %>" + display_name = "Name of provider" + description = "OIDC identity pool provider for automated test" + disabled = true + attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups" + attribute_mapping = { + "google.subject" = "\"azure::\" + assertion.tid + \"::\" + assertion.sub" + "attribute.tid" = "assertion.tid" + "attribute.managed_identity_name" = < +package google + +<% unless version == 'ga' %> +import ( + "strings" + "testing" +) + +func TestValidateIAMBetaWorkloadIdentityPoolProviderId(t *testing.T) { + x := []StringValidationTestCase{ + // No errors + {TestName: "basic", Value: "foobar"}, + {TestName: "with numbers", Value: "foobar123"}, + {TestName: "short", Value: "foos"}, + {TestName: "long", Value: "12345678901234567890123456789012"}, + {TestName: "has a hyphen", Value: "foo-bar"}, + + // With errors + {TestName: "empty", Value: "", ExpectError: true}, + {TestName: "starts with a gcp-", Value: "gcp-foobar", ExpectError: true}, + {TestName: "with uppercase", Value: "fooBar", ExpectError: true}, + {TestName: "has an slash", Value: "foo/bar", ExpectError: true}, + {TestName: "has an backslash", Value: "foo\bar", ExpectError: true}, + {TestName: "too short", Value: "foo", ExpectError: true}, + {TestName: "too long", Value: strings.Repeat("f", 33), ExpectError: true}, + } + + es := testStringValidationCases(x, validateWorkloadIdentityPoolProviderId) + if len(es) > 0 { + t.Errorf("Failed to validate WorkloadIdentityPoolProvider names: %v", es) + } +} 
+<% end -%> From 0f737e60f158a8d0a82891a175572d6615a877bd Mon Sep 17 00:00:00 2001 From: Wilfred van der Deijl Date: Thu, 22 Oct 2020 14:30:53 +0200 Subject: [PATCH 02/10] Apply suggestions from code review Co-authored-by: Scott Suarez --- products/iambeta/api.yaml | 16 ++++++++-------- products/iambeta/terraform.yaml | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/products/iambeta/api.yaml b/products/iambeta/api.yaml index ea1baf4a4f0b..54eb323cf7f8 100644 --- a/products/iambeta/api.yaml +++ b/products/iambeta/api.yaml @@ -94,7 +94,7 @@ objects: name: 'name' description: | The resource name of the pool as - `projects//locations/global/workloadIdentityPools/`. + `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`. output: true - !ruby/object:Api::Type::Boolean name: 'disabled' @@ -107,7 +107,7 @@ objects: min_version: beta base_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers self_link: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}} - create_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/?workloadIdentityPoolProviderId={{workload_identity_pool_provider_id}} + create_url: projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers?workloadIdentityPoolProviderId={{workload_identity_pool_provider_id}} update_verb: :PATCH update_mask: true description: A configuration for an external identity provider. 
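Review bot: In the `has an backslash` case of TestValidateIAMBetaWorkloadIdentityPoolProviderId, `"foo\bar"` is an interpreted Go string, so `\b` is a backspace character rather than a backslash; the case still fails validation, but not for the reason its name states. Use `"foo\\bar"` (or a raw string) so the test exercises the character its name promises. The `@@` header and the start of this hunk are not visible in this view, so the line position is given by the case name only.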
@@ -139,9 +139,9 @@ objects: name: 'state' description: | The state of the provider. - STATE_UNSPECIFIED: State unspecified. - ACTIVE: The provider is active, and may be used to validate authentication credentials. - DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted + * STATE_UNSPECIFIED: State unspecified. + * ACTIVE: The provider is active, and may be used to validate authentication credentials. + * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted. @@ -160,7 +160,7 @@ objects: name: 'name' description: | The resource name of the provider as - `projects//locations/global/workloadIdentityPools//providers/`. + `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`. output: true - !ruby/object:Api::Type::Boolean name: 'disabled' @@ -254,7 +254,7 @@ objects: ``` - !ruby/object:Api::Type::NestedObject name: aws - description: An Amazon Web Services identity provider. + description: An Amazon Web Services identity provider. Not compatible with the property oidc. exactly_one_of: - aws - oidc @@ -265,7 +265,7 @@ objects: required: true - !ruby/object:Api::Type::NestedObject name: oidc - description: An OpenId Connect 1.0 identity provider. + description: An OpenId Connect 1.0 identity provider. Not compatible with the property aws. exactly_one_of: - aws - oidc diff --git a/products/iambeta/terraform.yaml b/products/iambeta/terraform.yaml index 36e96dcc1275..9d7da5498977 100644 --- a/products/iambeta/terraform.yaml +++ b/products/iambeta/terraform.yaml 
@@ -73,7 +73,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides min_version: beta docs: !ruby/object:Provider::Terraform::Docs attributes: | - * `self_link`: The self link of the created WorkloadIdentityPoolProvider in the format `projects/{project}/locations/global/workloadIdentityPools/{pool}/providers/{workload_identity_pool_provider_id}` + * `self_link`: The self link of the created WorkloadIdentityPoolProvider in the format `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}` custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb properties: From 722051c823c90a357aefc2899a13e4a748046452 Mon Sep 17 00:00:00 2001 From: Wilfred Date: Thu, 22 Oct 2020 14:36:32 +0200 Subject: [PATCH 03/10] make clear that name and self_link contain project number, not id --- products/iambeta/api.yaml | 4 ++-- products/iambeta/terraform.yaml | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/products/iambeta/api.yaml b/products/iambeta/api.yaml index 54eb323cf7f8..b3ed9112ad41 100644 --- a/products/iambeta/api.yaml +++ b/products/iambeta/api.yaml @@ -94,7 +94,7 @@ objects: name: 'name' description: | The resource name of the pool as - `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`. + `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`. output: true - !ruby/object:Api::Type::Boolean name: 'disabled' 
@@ -160,7 +160,7 @@ objects: name: 'name' description: | The resource name of the provider as - `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`. + `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`. output: true - !ruby/object:Api::Type::Boolean name: 'disabled' diff --git a/products/iambeta/terraform.yaml b/products/iambeta/terraform.yaml index 9d7da5498977..ea29e7a8d796 100644 --- a/products/iambeta/terraform.yaml +++ b/products/iambeta/terraform.yaml @@ -32,7 +32,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides min_version: beta docs: !ruby/object:Provider::Terraform::Docs attributes: | - * `self_link`: The self link of the created WorkloadIdentityPool in the format `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}` + * `self_link`: The self link of the created WorkloadIdentityPool in the format + `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}` custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool.go.erb properties: 
@@ -73,7 +74,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides min_version: beta docs: !ruby/object:Provider::Terraform::Docs attributes: | - * `self_link`: The self link of the created WorkloadIdentityPoolProvider in the format `projects/{project}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}` + * `self_link`: The self link of the created WorkloadIdentityPoolProvider in the format + `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}` custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb properties: From 6a8f2ee7a26fa03620879ea78694cb8ebaed12a3 Mon Sep 17 00:00:00 2001 From: Wilfred Date: Thu, 22 Oct 2020 14:36:44 +0200 Subject: [PATCH 04/10] fixed wrong file naming --- ...rb => resource_iam_beta_workload_identity_pool_id_test.go.erb} | 0 ...ource_iam_beta_workload_identity_pool_provider_id_test.go.erb} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename third_party/terraform/tests/{resource_iam_beta-workload_identity_pool_id_test.go.erb => resource_iam_beta_workload_identity_pool_id_test.go.erb} (100%) rename third_party/terraform/tests/{resource_iam_beta-workload_identity_pool_provider_id_test.go.erb => resource_iam_beta_workload_identity_pool_provider_id_test.go.erb} (100%) diff --git a/third_party/terraform/tests/resource_iam_beta-workload_identity_pool_id_test.go.erb b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_id_test.go.erb similarity index 100% rename from third_party/terraform/tests/resource_iam_beta-workload_identity_pool_id_test.go.erb rename to third_party/terraform/tests/resource_iam_beta_workload_identity_pool_id_test.go.erb 
diff --git a/third_party/terraform/tests/resource_iam_beta-workload_identity_pool_provider_id_test.go.erb b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_id_test.go.erb similarity index 100% rename from third_party/terraform/tests/resource_iam_beta-workload_identity_pool_provider_id_test.go.erb rename to third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_id_test.go.erb From 477ffa7b50ad0c7e00ba671ccb8473370a030983 Mon Sep 17 00:00:00 2001 From: Wilfred Date: Thu, 22 Oct 2020 15:38:51 +0200 Subject: [PATCH 05/10] sync provider docs to pool docs --- products/iambeta/api.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/products/iambeta/api.yaml b/products/iambeta/api.yaml index b3ed9112ad41..ad111bf9dda5 100644 --- a/products/iambeta/api.yaml +++ b/products/iambeta/api.yaml 
@@ -71,14 +71,14 @@ objects: name: 'state' description: | The state of the pool. - STATE_UNSPECIFIED: State unspecified. - ACTIVE: The pool is active, and may be used in Google Cloud policies. - DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after - approximately 30 days. You can restore a soft-deleted pool using - UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is - permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or - use existing tokens to access resources. If the pool is undeleted, existing tokens grant - access again. + * STATE_UNSPECIFIED: State unspecified. + * ACTIVE: The pool is active, and may be used in Google Cloud policies. + * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after + approximately 30 days. You can restore a soft-deleted pool using + UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is + permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or + use existing tokens to access resources. If the pool is undeleted, existing tokens grant + access again. output: true values: - :STATE_UNSPECIFIED @@ -142,9 +142,9 @@ objects: * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted - after approximately 30 days. You can restore a soft-deleted provider using - UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider - until it is permanently deleted. + after approximately 30 days. You can restore a soft-deleted provider using + UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider + until it is permanently deleted. output: true values: - :STATE_UNSPECIFIED From 4112f073175f68a826bd0f0db6a307051d8a825d Mon Sep 17 00:00:00 2001 
From: Wilfred
Date: Thu, 22 Oct 2020 15:39:08 +0200
Subject: [PATCH 06/10] add tests for provider

---
 products/iambeta/terraform.yaml | 2 +-
 ...orkload_identity_pool_provider_test.go.erb | 198 ++++++++++++++++++
 2 files changed, 199 insertions(+), 1 deletion(-)
 create mode 100644 third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb

diff --git a/products/iambeta/terraform.yaml b/products/iambeta/terraform.yaml
index ea29e7a8d796..1363a02f0303 100644
--- a/products/iambeta/terraform.yaml
+++ b/products/iambeta/terraform.yaml
@@ -42,7 +42,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 function: 'validateWorkloadIdentityPoolId'
 WorkloadIdentityPoolProvider: !ruby/object:Overrides::Terraform::ResourceOverride
 autogen_async: true
- import_format: ["projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_id}}"]
+ import_format: ["projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}"]
 examples:
 - !ruby/object:Provider::Terraform::Examples
 name: "iam_workload_identity_pool_provider_aws_basic"
diff --git a/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb
new file mode 100644
index 000000000000..6077c4ff1011
--- /dev/null
+++ b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb
@@ -0,0 +1,198 @@
+<% autogen_exception -%>
+package google
+
+<% unless version == 'ga' %>
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccIAMBetaWorkloadIdentityPoolProvider_aws(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "random_suffix": randString(t, 10),
+ }
+
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccIAMBetaWorkloadIdentityPoolProvider_aws_full(context),
+ },
+ {
+ ResourceName: "google_iam_workload_identity_pool_provider.my_provider",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccIAMBetaWorkloadIdentityPoolProvider_aws_enabled(context),
+ },
+ {
+ ResourceName: "google_iam_workload_identity_pool_provider.my_provider",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccIAMBetaWorkloadIdentityPoolProvider_aws_basic(context),
+ },
+ {
+ ResourceName: "google_iam_workload_identity_pool_provider.my_provider",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccIAMBetaWorkloadIdentityPoolProvider_oidc(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "random_suffix": randString(t, 10),
+ }
+
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccIAMBetaWorkloadIdentityPoolProvider_oidc_full(context),
+ },
+ {
+ ResourceName: "google_iam_workload_identity_pool_provider.my_provider",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccIAMBetaWorkloadIdentityPoolProvider_oidc_basic(context),
+ },
+ {
+ ResourceName: "google_iam_workload_identity_pool_provider.my_provider",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func testAccIAMBetaWorkloadIdentityPoolProvider_aws_full(context map[string]interface{}) string {
+ 
return Nprintf(` +resource "google_iam_workload_identity_pool" "my_pool" { + workload_identity_pool_id = "my-pool-%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "my_provider" { + workload_identity_pool_id = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "my-provider-%{random_suffix}" + display_name = "Name of provider" + description = "AWS identity pool provider for automated test" + disabled = true + attribute_condition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"" + attribute_mapping = { + "google.subject" = "assertion.arn" + "attribute.aws_account" = "assertion.account" + "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" + } + aws { + account_id = "999999999999" + } +} +`, context) +} + +func testAccIAMBetaWorkloadIdentityPoolProvider_aws_enabled(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "my_pool" { + workload_identity_pool_id = "my-pool-%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "my_provider" { + workload_identity_pool_id = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "my-provider-%{random_suffix}" + display_name = "Name of provider" + description = "AWS identity pool provider for automated test" + disabled = false + attribute_condition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"" + attribute_mapping = { + "google.subject" = "assertion.arn" + "attribute.aws_account" = "assertion.account" + "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? 
\"prod\" : \"test\"" + } + aws { + account_id = "999999999999" + } +} +`, context) +} + +func testAccIAMBetaWorkloadIdentityPoolProvider_oidc_full(context map[string]interface{}) string { + return Nprintf(` +resource "google_iam_workload_identity_pool" "my_pool" { + workload_identity_pool_id = "my-pool-%{random_suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "my_provider" { + workload_identity_pool_id = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "my-provider-%{random_suffix}" + display_name = "Name of provider" + description = "OIDC identity pool provider for automated test" + disabled = true + attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups" + attribute_mapping = { + "google.subject" = "\"azure::\" + assertion.tid + \"::\" + assertion.sub" + "attribute.tid" = "assertion.tid" + "attribute.managed_identity_name" = < From e4b227ff811a534779513984e954dbd6e01d0977 Mon Sep 17 00:00:00 2001 From: Wilfred Date: Fri, 23 Oct 2020 18:37:05 +0200 Subject: [PATCH 07/10] workload identity resources have no self_link --- products/iambeta/terraform.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/products/iambeta/terraform.yaml b/products/iambeta/terraform.yaml index 1363a02f0303..59a9807481b7 100644 --- a/products/iambeta/terraform.yaml +++ b/products/iambeta/terraform.yaml @@ -30,10 +30,6 @@ overrides: !ruby/object:Overrides::ResourceOverrides vars: workload_identity_pool_id: "example-pool" min_version: beta - docs: !ruby/object:Provider::Terraform::Docs - attributes: | - * `self_link`: The self link of the created WorkloadIdentityPool in the format - `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}` custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool.go.erb properties: 
@@ -72,10 +68,6 @@ overrides: !ruby/object:Overrides::ResourceOverrides workload_identity_pool_id: "example-pool" workload_identity_pool_provider_id: "example-prvdr" min_version: beta - docs: !ruby/object:Provider::Terraform::Docs - attributes: | - * `self_link`: The self link of the created WorkloadIdentityPoolProvider in the format - `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}` custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb properties: From 7f61a29bfb46f52e4fe445a5fc07c155f5683375 Mon Sep 17 00:00:00 2001 From: Wilfred Date: Tue, 27 Oct 2020 12:25:47 +0100 Subject: [PATCH 08/10] treat delete state as gone --- products/iambeta/terraform.yaml | 4 ++++ products/storage/terraform.yaml | 2 +- .../iam_workload_identity_pool.go.erb | 17 +++++++++++++++++ .../iam_workload_identity_pool_provider.go.erb | 17 +++++++++++++++++ ...o.erb => treat_deleted_state_as_gone.go.erb} | 0 ..._workload_identity_pool_provider_test.go.erb | 2 ++ ..._iam_beta_workload_identity_pool_test.go.erb | 2 ++ 7 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.erb create mode 100644 templates/terraform/custom_check_destroy/iam_workload_identity_pool_provider.go.erb rename templates/terraform/decoders/{storage_hmac_key.go.erb => treat_deleted_state_as_gone.go.erb} (100%) diff --git a/products/iambeta/terraform.yaml b/products/iambeta/terraform.yaml index 59a9807481b7..d9332f380aff 100644 --- a/products/iambeta/terraform.yaml +++ b/products/iambeta/terraform.yaml 
@@ -32,6 +32,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides min_version: beta custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool.go.erb + decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb + test_check_destroy: templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.erb properties: workloadIdentityPoolId: !ruby/object:Overrides::Terraform::PropertyOverride validation: !ruby/object:Provider::Terraform::Validation @@ -70,6 +72,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides min_version: beta custom_code: !ruby/object:Provider::Terraform::CustomCode constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb + decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb + test_check_destroy: templates/terraform/custom_check_destroy/iam_workload_identity_pool_provider.go.erb properties: workloadIdentityPoolProviderId: !ruby/object:Overrides::Terraform::PropertyOverride validation: !ruby/object:Provider::Terraform::Validation diff --git a/products/storage/terraform.yaml b/products/storage/terraform.yaml index 56fd4bfe903d..5fa12e75dfe9 100644 --- a/products/storage/terraform.yaml +++ b/products/storage/terraform.yaml @@ -133,7 +133,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides state: !ruby/object:Overrides::Terraform::PropertyOverride update_url: projects/{{project}}/hmacKeys/{{access_id}} custom_code: !ruby/object:Provider::Terraform::CustomCode - decoder: templates/terraform/decoders/storage_hmac_key.go.erb + decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb pre_delete: templates/terraform/pre_delete/storage_hmac_key.go.erb post_create: templates/terraform/post_create/storage_hmac_key.go.erb test_check_destroy: templates/terraform/custom_check_destroy/storage_hmac_key.go.erb 
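Review bot: With both resources now decoding a `DELETED` state as gone (the `decoder:` lines in the first two hunks), a soft-deleted pool or provider drops out of state, yet the api.yaml wording earlier in this series says a soft-deleted ID cannot be reused until it is permanently deleted roughly 30 days later, so re-applying the same configuration inside that window would presumably fail at create rather than transparently restore the resource. That is worth a sentence in each resource's docs override, e.g. `~> **Note:** Deleted pools and providers are soft-deleted for about 30 days; their IDs cannot be reused in that period, so re-creating one needs a new ID or an undelete.` — or, if the API supports it, an undelete path in the create code. The decoder body itself is not in this patch (it is a rename of the HMAC-key decoder), so this is inferred from its name and its original use.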
diff --git a/templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.erb b/templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.erb
new file mode 100644
index 000000000000..2f8625e11abb
--- /dev/null
+++ b/templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.erb
@@ -0,0 +1,17 @@
+config := googleProviderConfig(t)
+
+url, err := replaceVarsForTest(config, rs, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}")
+if err != nil {
+ return err
+}
+
+res, err := sendRequest(config, "GET", "", url, config.userAgent, nil)
+if err != nil {
+ return nil
+}
+
+if v := res["state"]; v == "DELETED" {
+ return nil
+}
+
+return fmt.Errorf("IAMBetaWorkloadIdentityPool still exists at %s", url)
diff --git a/templates/terraform/custom_check_destroy/iam_workload_identity_pool_provider.go.erb b/templates/terraform/custom_check_destroy/iam_workload_identity_pool_provider.go.erb
new file mode 100644
index 000000000000..be95789594e7
--- /dev/null
+++ b/templates/terraform/custom_check_destroy/iam_workload_identity_pool_provider.go.erb
@@ -0,0 +1,17 @@
+config := googleProviderConfig(t)
+
+url, err := replaceVarsForTest(config, rs, "{{IAMBetaBasePath}}projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}")
+if err != nil {
+ return err
+}
+
+res, err := sendRequest(config, "GET", "", url, config.userAgent, nil)
+if err != nil {
+ return nil
+}
+
+if v := res["state"]; v == "DELETED" {
+ return nil
+}
+
+return fmt.Errorf("IAMBetaWorkloadIdentityPoolProvider still exists at %s", url)
diff --git a/templates/terraform/decoders/storage_hmac_key.go.erb b/templates/terraform/decoders/treat_deleted_state_as_gone.go.erb
similarity index 100%
rename from templates/terraform/decoders/storage_hmac_key.go.erb
rename to templates/terraform/decoders/treat_deleted_state_as_gone.go.erb
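Review bot: In both new check-destroy templates the `sendRequest` failure branch returns `nil` for every error, so a transient network fault, an expired credential or a 5xx makes the destroy check pass and a leaked pool or provider — a live federation trust left in the test project — goes unnoticed. Only a 404 should count as gone: inside that `if err != nil {` block, replace `return nil` with `if isGoogleApiErrorWithCode(err, 404) { return nil }` followed by `return err`, assuming the provider's existing helper of that name is in scope in the generated test file. The same defect is in the second template, `iam_workload_identity_pool_provider.go.erb`, in this patch. The `res["state"] == "DELETED"` branch is the intended soft-delete path and stays as is.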
diff --git a/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb index 6077c4ff1011..b840fd58f642 100644 --- a/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb +++ b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_provider_test.go.erb @@ -19,6 +19,7 @@ func TestAccIAMBetaWorkloadIdentityPoolProvider_aws(t *testing.T) { vcrTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t), Steps: []resource.TestStep{ { Config: testAccIAMBetaWorkloadIdentityPoolProvider_aws_full(context), @@ -58,6 +59,7 @@ func TestAccIAMBetaWorkloadIdentityPoolProvider_oidc(t *testing.T) { vcrTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t), Steps: []resource.TestStep{ { Config: testAccIAMBetaWorkloadIdentityPoolProvider_oidc_full(context), diff --git a/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb index a5458976aa90..7b90a5bc4428 100644 --- a/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb +++ b/third_party/terraform/tests/resource_iam_beta_workload_identity_pool_test.go.erb @@ -17,6 +17,7 @@ func TestAccIAMBetaWorkloadIdentityPool_full(t *testing.T) { vcrTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolDestroyProducer(t), Steps: []resource.TestStep{ { Config: testAccIAMBetaWorkloadIdentityPool_full(randomSuffix), 
@@ -46,6 +47,7 @@ func TestAccIAMBetaWorkloadIdentityPool_minimal(t *testing.T) { vcrTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, + CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolDestroyProducer(t), Steps: []resource.TestStep{ { Config: testAccIAMBetaWorkloadIdentityPool_minimal(randomSuffix), From 9f431ca84558870ba581f5b7295d9191a7d7bb17 Mon Sep 17 00:00:00 2001 From: Wilfred Date: Mon, 2 Nov 2020 09:41:51 +0100 Subject: [PATCH 09/10] google_iam_workload_identity_pool_provider data source --- ...rce_iam_beta_workload_identity_pool.go.erb | 2 +- ...eta_workload_identity_pool_provider.go.erb | 33 ++++++++++ ...orkload_identity_pool_provider_test.go.erb | 61 +++++++++++++++++++ third_party/terraform/utils/provider.go.erb | 1 + ...m_workload_identity_pool_provider.markdown | 41 +++++++++++++ 5 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool_provider.go.erb create mode 100644 third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb create mode 100644 third_party/terraform/website/docs/d/iam_workload_identity_pool_provider.markdown diff --git a/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool.go.erb b/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool.go.erb index 21b8289e000d..498f9d27fd79 100644 --- a/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool.go.erb +++ b/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool.go.erb 
@@ -8,7 +8,7 @@ import ( func dataSourceIAMBetaWorkloadIdentityPool() *schema.Resource { - dsSchema := (resourceIAMBetaWorkloadIdentityPool().Schema) + dsSchema := datasourceSchemaFromResourceSchema(resourceIAMBetaWorkloadIdentityPool().Schema) addRequiredFieldsToSchema(dsSchema, "workload_identity_pool_id") addOptionalFieldsToSchema(dsSchema, "project") diff --git a/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool_provider.go.erb b/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool_provider.go.erb new file mode 100644 index 000000000000..698bd8f0615b --- /dev/null +++ b/third_party/terraform/data_sources/data_source_iam_beta_workload_identity_pool_provider.go.erb @@ -0,0 +1,33 @@ +<% autogen_exception -%> +package google + +<% unless version == 'ga' -%> +import ( + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func dataSourceIAMBetaWorkloadIdentityPoolProvider() *schema.Resource { + + dsSchema := datasourceSchemaFromResourceSchema(resourceIAMBetaWorkloadIdentityPoolProvider().Schema) + addRequiredFieldsToSchema(dsSchema, "workload_identity_pool_id") + addRequiredFieldsToSchema(dsSchema, "workload_identity_pool_provider_id") + addOptionalFieldsToSchema(dsSchema, "project") + + return &schema.Resource{ + Read: dataSourceIAMBetaWorkloadIdentityPoolProviderRead, + Schema: dsSchema, + } +} + +func dataSourceIAMBetaWorkloadIdentityPoolProviderRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + + id, err := replaceVars(d, config, "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + return resourceIAMBetaWorkloadIdentityPoolProviderRead(d, meta) + +} +<% end -%> 
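Review bot: `dataSourceIAMBetaWorkloadIdentityPoolProviderRead` calls `fmt.Errorf`, but the new file's import block only brings in `helper/schema`, so the generated file will not compile unless the generator's import-fixing pass adds `"fmt"`; add `"fmt"` to the import block explicitly rather than relying on that. While there, wrapping the cause keeps it inspectable: `return fmt.Errorf("Error constructing id: %w", err)`. The read otherwise follows the pattern of the pool data source in the first hunk — set the id, then delegate to the resource's Read — which is fine.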
diff --git a/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb b/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb
new file mode 100644
index 000000000000..49941ce27b1f
--- /dev/null
+++ b/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb
@@ -0,0 +1,61 @@
+<% autogen_exception -%>
+package google
+
+<% unless version == 'ga' -%>
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccDataSourceIAMBetaWorkloadIdentityPoolProvider_basic(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "random_suffix": randString(t, 10),
+ }
+
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceIAMBetaWorkloadIdentityPoolProviderBasic(context),
+ Check: resource.ComposeTestCheckFunc(
+ checkDataSourceStateMatchesResourceState("data.google_iam_workload_identity_pool_provider.foo", "google_iam_workload_identity_pool_provider.bar"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccDataSourceIAMBetaWorkloadIdentityPoolProviderBasic(context map[string]interface{}) string {
+ return Nprintf(`
+resource "google_iam_workload_identity_pool" "pool" {
+ workload_identity_pool_id = "pool-%{random_suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "bar" {
+ workload_identity_pool_id = "pool-%{random_suffix}"
+ workload_identity_pool_provider_id = "bar-provider-%{random_suffix}"
+ display_name = "Name of provider"
+ description = "OIDC identity pool provider for automated test"
+ disabled = true
+ attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
+ attribute_mapping = {
+ "google.subject" = "assertion.sub"
+ }
+ oidc {
+ allowed_audiences = ["https://example.com/gcp-oidc-federation"]
+ issuer_uri = "https://sts.windows.net/azure-tenant-id"
+ }
+ }
+
+data "google_iam_workload_identity_pool_provider" "foo" {
+ workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+ workload_identity_pool_provider_id = google_iam_workload_identity_pool_provider.bar.workload_identity_pool_provider_id
+}
+`, context) +} +<% end -%> diff --git a/third_party/terraform/utils/provider.go.erb b/third_party/terraform/utils/provider.go.erb index 34b351501658..a453db36566b 100644 --- a/third_party/terraform/utils/provider.go.erb +++ b/third_party/terraform/utils/provider.go.erb @@ -225,6 +225,7 @@ func Provider() *schema.Provider { "google_iam_testable_permissions": dataSourceGoogleIamTestablePermissions(), <% unless version == 'ga' -%> "google_iam_workload_identity_pool": dataSourceIAMBetaWorkloadIdentityPool(), + "google_iam_workload_identity_pool_provider": dataSourceIAMBetaWorkloadIdentityPoolProvider(), <% end -%> "google_kms_crypto_key": dataSourceGoogleKmsCryptoKey(), "google_kms_crypto_key_version": dataSourceGoogleKmsCryptoKeyVersion(), diff --git a/third_party/terraform/website/docs/d/iam_workload_identity_pool_provider.markdown b/third_party/terraform/website/docs/d/iam_workload_identity_pool_provider.markdown new file mode 100644 index 000000000000..14bc63f7c955 --- /dev/null +++ b/third_party/terraform/website/docs/d/iam_workload_identity_pool_provider.markdown 
@@ -0,0 +1,41 @@ +--- +subcategory: "Cloud IAM" +layout: "google" +page_title: "Google: google_iam_workload_identity_pool_provider" +sidebar_current: "docs-google-datasource-iam-workload-identity-pool-provider" +description: |- + Get a IAM workload identity pool provider from Google Cloud +--- + +# google\_iam\_workload_\identity\_pool\_provider + +Get a IAM workload identity provider from Google Cloud by its id. + +~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. +See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. + +## Example Usage + +```tf +data "google_iam_workload_identity_pool_provider" "foo" { + workload_identity_pool_id = "foo-pool" + workload_identity_pool_provider_id = "bar-provider" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `workload_identity_pool_id` - (Required) The id of the pool which is the + final component of the pool resource name. +* `workload_identity_pool_provider_id` - (Required) The id of the provider which is the + final component of the resource name. + +- - - + +* `project` - (Optional) The project in which the resource belongs. If it + is not provided, the provider project is used. + +## Attributes Reference +See [google_iam_workload_identity_pool_provider](https://www.terraform.io/docs/providers/google/r/iam_workload_identity_pool_provider.html) resource for details of all the available attributes. From adead0d5d1f7e1b885e715a24b15e9a29c2a0122 Mon Sep 17 00:00:00 2001 From: Wilfred van der Deijl Date: Thu, 5 Nov 2020 23:37:18 +0100 Subject: [PATCH 10/10] Make sure provider depends on pool --- ..._source_iam_beta_workload_identity_pool_provider_test.go.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb b/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb index 49941ce27b1f..b556c3c8db73 100644 --- a/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb +++ b/third_party/terraform/tests/data_source_iam_beta_workload_identity_pool_provider_test.go.erb @@ -37,7 +37,7 @@ resource "google_iam_workload_identity_pool" "pool" { } resource "google_iam_workload_identity_pool_provider" "bar" { - workload_identity_pool_id = "pool-%{random_suffix}" + workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id workload_identity_pool_provider_id = "bar-provider-%{random_suffix}" display_name = "Name of provider" description = "OIDC identity pool provider for automated test"