Add Managed Kafka Acl resource and tests. (GoogleCloudPlatform#14034)

Co-authored-by: Sam Levenick <slevenick@google.com>

Author: 2 people

mmv1/products/managedkafka/Acl.yaml

@@ -0,0 +1,152 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# API resource name
+name: 'Acl'
+# Resource description for the provider documentation.
+description: |
+  A Managed Service for Apache Kafka ACL. Apache Kafka is a trademark owned by the Apache Software Foundation.
+
+docs:
+id_format: 'projects/{{project}}/locations/{{location}}/clusters/{{cluster}}/acls/{{acl_id}}'
+base_url: 'projects/{{project}}/locations/{{location}}/clusters/{{cluster}}/acls'
+self_link: 'projects/{{project}}/locations/{{location}}/clusters/{{cluster}}/acls/{{acl_id}}'
+create_url: 'projects/{{project}}/locations/{{location}}/clusters/{{cluster}}/acls?aclId={{acl_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+  - 'projects/{{project}}/locations/{{location}}/clusters/{{cluster}}/acls/{{%acl_id}}'
+
+timeouts:
+  insert_minutes: 20
+  update_minutes: 20
+  delete_minutes: 20
+
+custom_code:
+  post_create: 'templates/terraform/post_create/sleep.go.tmpl'
+  post_update: 'templates/terraform/post_create/sleep.go.tmpl'
+
+examples:
+  - name: 'managedkafka_acl_basic'
+    primary_resource_id: 'example'
+    vars:
+      acl_id: 'topic/mytopic'
+      cluster_id: 'my-cluster'
+    test_vars_overrides:
+      'acl_id': '"topic/mytopic"'
+
+parameters:
+  - name: 'location'
+    type: String
+    description: "ID of the location of the Kafka resource. See
+      https://cloud.google.com/managed-kafka/docs/locations for a list of
+      supported locations."
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'cluster'
+    type: String
+    description: "The cluster name."
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'aclId'
+    type: String
+    description: "The ID to use for the acl, which will become the final
+      component of the acl's name. The structure of `aclId` defines the Resource Pattern (resource_type,
+      resource_name, pattern_type) of the acl. `aclId` is structured like one of the following:
+
+      For acls on the cluster:
+        `cluster`
+
+      For acls on a single resource within the cluster:
+        `topic/{resource_name}`
+        `consumerGroup/{resource_name}`
+        `transactionalId/{resource_name}`
+
+      For acls on all resources that match a prefix:
+        `topicPrefixed/{resource_name}`
+        `consumerGroupPrefixed/{resource_name}`
+        `transactionalIdPrefixed/{resource_name}`
+
+      For acls on all resources of a given type (i.e. the wildcard literal '*''):
+        `allTopics` (represents `topic/*`)
+        `allConsumerGroups` (represents `consumerGroup/*`)
+        `allTransactionalIds` (represents `transactionalId/*`)."
+    url_param_only: true
+    required: true
+    immutable: true
+
+properties:
+  - name: 'name'
+    type: String
+    description: "The name of the acl. The `ACL_ID` segment is used when
+      connecting directly to the cluster. Must be in the format `projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_ID/acls/ACL_ID`."
+    output: true
+  - name: 'aclEntries'
+    type: Array
+    is_set: true
+    required: true
+    description: "The acl entries that apply to the resource pattern. The maximum number of allowed
+      entries is 100."
+    item_type:
+      type: NestedObject
+      properties:
+        - name: 'principal'
+          type: String
+          description: 'The principal. Specified as Google Cloud account, with the Kafka
+            StandardAuthorizer prefix User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com".
+            Can be the wildcard "User:*" to refer to all users.'
+          required: true
+        - name: 'permissionType'
+          type: String
+          default_value: "ALLOW"
+          description: 'The permission type. Accepted values are (case insensitive): ALLOW, DENY.'
+        - name: 'operation'
+          type: String
+          description: |
+            The operation type. Allowed values are (case insensitive): ALL, READ,
+            WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS,
+            ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols
+            for valid combinations of resource_type and operation for different Kafka API requests.
+          required: true
+        - name: 'host'
+          type: String
+          default_value: "*"
+          description: 'The host. Must be set to "*" for Managed Service for Apache Kafka.'
+  - name: 'etag'
+    type: Fingerprint
+    output: true
+    description: |
+      `etag` is used for concurrency control. An `etag` is returned in the
+      response to `GetAcl` and `CreateAcl`. Callers are required to put that etag
+      in the request to `UpdateAcl` to ensure that their change will be applied
+      to the same version of the acl that exists in the Kafka Cluster.
+
+      A terminal 'T' character in the etag indicates that the AclEntries were
+      truncated due to repeated field limits.
+  - name: 'resourceType'
+    type: String
+    description: |
+      The acl resource type derived from the name. One of: CLUSTER, TOPIC, GROUP, TRANSACTIONAL_ID.
+    output: true
+  - name: 'resourceName'
+    type: String
+    description: |
+      The acl resource name derived from the name. For cluster resource_type, this is always "kafka-cluster". Can be the wildcard literal "*".
+    output: true
+  - name: 'patternType'
+    type: String
+    description: "The acl pattern type derived from the name. One of: LITERAL, PREFIXED."
+    output: true

mmv1/templates/terraform/examples/managedkafka_acl_basic.tf.tmpl

@@ -0,0 +1,37 @@
+resource "google_managed_kafka_cluster" "cluster" {
+  cluster_id = "{{index $.Vars "cluster_id"}}"
+  location = "us-central1"
+  capacity_config {
+    vcpu_count = 3
+    memory_bytes = 3221225472
+  }
+  gcp_config {
+    access_config {
+      network_configs {
+        subnet = "projects/${data.google_project.project.number}/regions/us-central1/subnetworks/default"
+      }
+    }
+  }
+}
+
+resource "google_managed_kafka_acl" "{{$.PrimaryResourceId}}" {
+  acl_id = "{{index $.Vars "acl_id"}}"
+  cluster = google_managed_kafka_cluster.cluster.cluster_id
+  location = "us-central1"
+    acl_entries {
+      principal = "User:admin@my-project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "ALL"
+      host = "*"
+    }
+    acl_entries {
+      principal = "User:producer-client@my-project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "WRITE"
+      host = "*"
+    }
+}
+
+data "google_project" "project" {
+}
+

mmv1/third_party/terraform/services/managedkafka/resource_managed_kafka_acl_test.go

@@ -0,0 +1,130 @@
+package managedkafka_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+)
+
+func TestAccManagedKafkaAcl_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckManagedKafkaAclDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccManagedKafkaAcl_full(context),
+			},
+			{
+				ResourceName:            "google_managed_kafka_acl.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"cluster", "location", "acl_id"},
+			},
+			{
+				Config: testAccManagedKafkaAcl_update(context),
+			},
+			{
+				ResourceName:            "google_managed_kafka_acl.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"cluster", "location", "acl_id"},
+			},
+		},
+	})
+}
+
+func testAccManagedKafkaAcl_full(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_managed_kafka_cluster" "example" {
+  cluster_id = "tf-test-my-cluster%{random_suffix}"
+  location = "us-central1"
+  capacity_config {
+    vcpu_count = 3
+    memory_bytes = 3221225472
+  }
+  gcp_config {
+    access_config {
+      network_configs {
+        subnet = "projects/${data.google_project.project.number}/regions/us-central1/subnetworks/default"
+      }
+    }
+  }
+}
+
+resource "google_managed_kafka_acl" "example" {
+  cluster = google_managed_kafka_cluster.example.cluster_id
+  acl_id = "topic/tf-test-my-acl%{random_suffix}"
+  location = "us-central1"
+   acl_entries {
+      principal = "User:admin@my-project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "ALL"
+      host = "*"
+    }
+    acl_entries {
+      principal = "User:producer-client@my-project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "WRITE"
+      host = "*"
+    }
+}
+
+data "google_project" "project" {
+}
+`, context)
+}
+
+func testAccManagedKafkaAcl_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_managed_kafka_cluster" "example" {
+  cluster_id = "tf-test-my-cluster%{random_suffix}"
+  location = "us-central1"
+  capacity_config {
+    vcpu_count = 3
+    memory_bytes = 3221225472
+  }
+  gcp_config {
+    access_config {
+      network_configs {
+        subnet = "projects/${data.google_project.project.number}/regions/us-central1/subnetworks/default"
+      }
+    }
+  }
+}
+
+resource "google_managed_kafka_acl" "example" {
+  cluster = google_managed_kafka_cluster.example.cluster_id
+  acl_id = "topic/tf-test-my-acl%{random_suffix}"
+  location = "us-central1"
+  acl_entries {
+      principal = "User:admin@project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "ALL"
+      host = "*"
+    }
+    acl_entries {
+      principal = "User:producer-client@my-project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "WRITE"
+      host = "*"
+    }
+    acl_entries {
+      principal = "User:producer-client@my-project.iam.gserviceaccount.com"
+      permission_type = "ALLOW"
+      operation = "CREATE"
+      host = "*"
+    }
+}
+
+data "google_project" "project" {
+}
+`, context)
+}