From c0015b6580b06c9c1bca45c072961cafd5fa42db Mon Sep 17 00:00:00 2001 From: megan07 Date: Tue, 7 Jul 2020 08:56:26 -0500 Subject: [PATCH] make iam condition ga (#3729) * move iam condition block to ga * add docs for condition and update docs for ga --- .../data_source_google_iam_policy.go.erb | 6 ------ .../resources/resource_iam_binding.go.erb | 20 ------------------- .../resources/resource_iam_member.go.erb | 18 ----------------- ...rce_google_project_iam_binding_test.go.erb | 4 ---- ...urce_google_project_iam_member_test.go.erb | 4 ---- ...urce_google_project_iam_policy_test.go.erb | 4 ---- ...rce_google_service_account_iam_test.go.erb | 12 ----------- .../website/docs/d/iam_policy.html.markdown | 9 +++++++++ .../docs/r/google_project_iam.html.markdown | 8 ++++---- .../google_service_account_iam.html.markdown | 6 +++--- 10 files changed, 16 insertions(+), 75 deletions(-) diff --git a/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb b/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb index 96ab2c5508da..ba2d7c9b2dbe 100644 --- a/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb +++ b/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb @@ -49,7 +49,6 @@ func dataSourceGoogleIamPolicy() *schema.Resource { }, Set: schema.HashString, }, -<% unless version == 'ga' -%> "condition": { Type: schema.TypeList, Optional: true, @@ -71,7 +70,6 @@ func dataSourceGoogleIamPolicy() *schema.Resource { }, }, }, -<% end -%> }, }, }, @@ -130,9 +128,7 @@ func dataSourceGoogleIamPolicyRead(d *schema.ResourceData, meta interface{}) err for i, v := range bset.List() { binding := v.(map[string]interface{}) members := convertStringSet(binding["members"].(*schema.Set)) -<% unless version == 'ga' -%> condition := expandIamCondition(binding["condition"]) -<% end -%> // Sort members to get simpler diffs as it's what the API does sort.Strings(members) 
@@ -140,9 +136,7 @@ func dataSourceGoogleIamPolicyRead(d *schema.ResourceData, meta interface{}) err policy.Bindings[i] = &cloudresourcemanager.Binding{ Role: binding["role"].(string), Members: members, -<% unless version == 'ga' -%> Condition: condition, -<% end -%> } } diff --git a/third_party/terraform/resources/resource_iam_binding.go.erb b/third_party/terraform/resources/resource_iam_binding.go.erb index f429eccebad1..56d6ad8ce58c 100644 --- a/third_party/terraform/resources/resource_iam_binding.go.erb +++ b/third_party/terraform/resources/resource_iam_binding.go.erb @@ -31,7 +31,6 @@ var iamBindingSchema = map[string]*schema.Schema{ return schema.HashString(strings.ToLower(v.(string))) }, }, -<% unless version == 'ga' -%> "condition": { Type: schema.TypeList, Optional: true, @@ -57,7 +56,6 @@ var iamBindingSchema = map[string]*schema.Schema{ }, }, }, -<% end -%> "etag": { Type: schema.TypeString, Computed: true, @@ -109,11 +107,9 @@ func resourceIamBindingCreateUpdate(newUpdaterFunc newResourceIamUpdaterFunc, en } d.SetId(updater.GetResourceId() + "/" + binding.Role) -<% unless version == 'ga' -%> if k := conditionKeyFromCondition(binding.Condition); !k.Empty() { d.SetId(d.Id() + "/" + k.String()) } -<% end -%> return resourceIamBindingRead(newUpdaterFunc)(d, meta) } } @@ -152,9 +148,7 @@ func resourceIamBindingRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.Rea } else { d.Set("role", binding.Role) d.Set("members", binding.Members) -<% unless version == 'ga' -%> d.Set("condition", flattenIamCondition(binding.Condition)) -<% end -%> } d.Set("etag", p.Etag) return nil 
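Review bot: In `resourceIamBindingRead` the now-unconditional `d.Set("condition", flattenIamCondition(binding.Condition))` discards its error, and the same call in `resourceIamMemberRead` (hunk `@@ -255,9 +239,7`) does too. `condition` is a list of nested blocks, the kind of field where a shape mismatch makes `d.Set` fail. A silent failure could leave the condition out of state, so a conditional grant would read as unconditional in state and plan output. I would check it: `if err := d.Set("condition", flattenIamCondition(binding.Condition)); err != nil { return fmt.Errorf("Error setting condition: %s", err) }`. Both read functions start and end outside their hunks.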
@@ -169,13 +163,6 @@ func iamBindingImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser config := m.(*Config) s := strings.Fields(d.Id()) var id, role string -<% if version == 'ga' -%> - if len(s) != 2 { - d.SetId("") - return nil, fmt.Errorf("Wrong number of parts to Binding id %s; expected 'resource_name role'.", s) - } - id, role = s[0], s[1] -<% else -%> if len(s) < 2 { d.SetId("") return nil, fmt.Errorf("Wrong number of parts to Binding id %s; expected 'resource_name role [condition_title]'.", s) @@ -188,7 +175,6 @@ func iamBindingImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser // condition titles can have any characters in them, so re-join the split string id, role, conditionTitle = s[0], s[1], strings.Join(s[2:], " ") } -<% end -%> // Set the ID only to the first part so all IAM types can share the same resourceIdParserFunc. d.SetId(id) @@ -202,7 +188,6 @@ func iamBindingImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser // Use the current ID in case it changed in the resourceIdParserFunc. d.SetId(d.Id() + "/" + role) -<% unless version == 'ga' -%> // Since condition titles can have any character in them, we can't separate them from any other // field the user might set in import (like the condition description and expression). So, we // have the user just specify the title and then read the upstream policy to set the full @@ -231,7 +216,6 @@ func iamBindingImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser d.SetId(d.Id() + "/" + k.String()) } } -<% end -%> // It is possible to return multiple bindings, since we can learn about all the bindings // for this resource here. Unfortunately, `terraform import` has some messy behavior here - 
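Review bot: `iamBindingImport` splits the import ID with `strings.Fields` and rebuilds the title with `strings.Join(s[2:], " ")`, which does not round-trip a title containing a tab, consecutive spaces or leading/trailing whitespace, although the comment on that line says titles can have any characters. `iamMemberImport` does the same with `s[3:]` (hunk `@@ -85,7 +76,6`). After this commit it is the only import path in GA, so a binding with such a title cannot be imported by its real title. If the lookup that follows (outside these hunks) matches on title alone, the import may also resolve to a different binding whose title differs only in whitespace. Keeping the remainder verbatim would avoid that, e.g. `s := strings.SplitN(d.Id(), " ", 3)` (4 for members); otherwise the limitation should be stated in the comment and in the import docs.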
@@ -281,15 +265,12 @@ func getResourceIamBinding(d *schema.ResourceData) *cloudresourcemanager.Binding Members: convertStringArr(members), Role: d.Get("role").(string), } -<% unless version == 'ga' -%> if c := expandIamCondition(d.Get("condition")); c != nil { b.Condition = c } -<% end -%> return b } -<% unless version == 'ga' -%> func expandIamCondition(v interface{}) *cloudresourcemanager.Expr { l := v.([]interface{}) if len(l) == 0 || l[0] == nil { @@ -316,4 +297,3 @@ func flattenIamCondition(condition *cloudresourcemanager.Expr) []map[string]inte }, } } -<% end -%> diff --git a/third_party/terraform/resources/resource_iam_member.go.erb b/third_party/terraform/resources/resource_iam_member.go.erb index 837c036afd17..e57e306c9a23 100644 --- a/third_party/terraform/resources/resource_iam_member.go.erb +++ b/third_party/terraform/resources/resource_iam_member.go.erb @@ -25,7 +25,6 @@ var IamMemberBaseSchema = map[string]*schema.Schema{ DiffSuppressFunc: caseDiffSuppress, ValidateFunc: validation.StringDoesNotMatch(regexp.MustCompile("^deleted:"), "Terraform does not support IAM members for deleted principals"), }, -<% unless version == 'ga' -%> "condition": { Type: schema.TypeList, Optional: true, @@ -51,7 +50,6 @@ var IamMemberBaseSchema = map[string]*schema.Schema{ }, }, }, -<% end -%> "etag": { Type: schema.TypeString, Computed: true, @@ -66,13 +64,6 @@ func iamMemberImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser config := m.(*Config) s := strings.Fields(d.Id()) var id, role, member string -<% if version == 'ga' -%> - if len(s) != 3 { - d.SetId("") - return nil, fmt.Errorf("Wrong number of parts to Member id %s; expected 'resource_name role member'.", s) - } - id, role, member = s[0], s[1], s[2] -<% else -%> if len(s) < 3 { d.SetId("") return nil, fmt.Errorf("Wrong number of parts to Member id %s; expected 'resource_name role member [condition_title]'.", s) 
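Review bot: `expandIamCondition` opens with the unchecked assertion `l := v.([]interface{})`, so a nil or non-list argument panics instead of yielding a nil condition. The helper was beta-only and is now compiled into GA, where it is called from `getResourceIamBinding`, `getResourceIamMember` and `expandIamCondition(binding["condition"])` in `dataSourceGoogleIamPolicyRead` (hunk `@@ -130,9 +128,7`). In the data source a missing map key would pass nil; that is probably not reachable with the schema as declared, but it is cheap to guard. Suggest `l, ok := v.([]interface{})` followed by `if !ok || len(l) == 0 || l[0] == nil {`. The function body continues outside the hunk.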
@@ -85,7 +76,6 @@ func iamMemberImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser // condition titles can have any characters in them, so re-join the split string id, role, member, conditionTitle = s[0], s[1], s[2], strings.Join(s[3:], " ") } -<% end -%> // Set the ID only to the first part so all IAM types can share the same resourceIdParserFunc. d.SetId(id) @@ -101,7 +91,6 @@ func iamMemberImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser // Use the current ID in case it changed in the resourceIdParserFunc. d.SetId(d.Id() + "/" + role + "/" + strings.ToLower(member)) -<% unless version == 'ga' -%> // Read the upstream policy so we can set the full condition. updater, err := newUpdaterFunc(d, config) if err != nil { @@ -138,7 +127,6 @@ func iamMemberImport(newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser if k := conditionKeyFromCondition(binding.Condition); !k.Empty() { d.SetId(d.Id() + "/" + k.String()) } -<% end -%> return []*schema.ResourceData{d}, nil } @@ -165,11 +153,9 @@ func getResourceIamMember(d *schema.ResourceData) *cloudresourcemanager.Binding Members: []string{d.Get("member").(string)}, Role: d.Get("role").(string), } -<% unless version == 'ga' -%> if c := expandIamCondition(d.Get("condition")); c != nil { b.Condition = c } -<% end -%> return b } @@ -198,11 +184,9 @@ func resourceIamMemberCreate(newUpdaterFunc newResourceIamUpdaterFunc, enableBat return err } d.SetId(updater.GetResourceId() + "/" + memberBind.Role + "/" + strings.ToLower(memberBind.Members[0])) -<% unless version == 'ga' -%> if k := conditionKeyFromCondition(memberBind.Condition); !k.Empty() { d.SetId(d.Id() + "/" + k.String()) } -<% end -%> return resourceIamMemberRead(newUpdaterFunc)(d, meta) } } 
@@ -255,9 +239,7 @@ func resourceIamMemberRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.Read d.Set("etag", p.Etag) d.Set("member", member) d.Set("role", binding.Role) -<% unless version == 'ga' -%> d.Set("condition", flattenIamCondition(binding.Condition)) -<% end -%> return nil } } diff --git a/third_party/terraform/tests/resource_google_project_iam_binding_test.go.erb b/third_party/terraform/tests/resource_google_project_iam_binding_test.go.erb index 4afeca45809a..c4c9cb05cad5 100644 --- a/third_party/terraform/tests/resource_google_project_iam_binding_test.go.erb +++ b/third_party/terraform/tests/resource_google_project_iam_binding_test.go.erb @@ -217,7 +217,6 @@ func TestAccProjectIamBinding_noMembers(t *testing.T) { }) } -<% unless version == 'ga' -%> func TestAccProjectIamBinding_withCondition(t *testing.T) { t.Parallel() @@ -249,7 +248,6 @@ func TestAccProjectIamBinding_withCondition(t *testing.T) { }, }) } -<% end -%> func testAccProjectAssociateBindingBasic(pid, name, org, role string) string { return fmt.Sprintf(` @@ -337,7 +335,6 @@ resource "google_project_iam_binding" "acceptance" { `, pid, name, org, role) } -<% unless version == 'ga' -%> func testAccProjectAssociateBinding_withCondition(pid, name, org, role, conditionTitle string) string { return fmt.Sprintf(` resource "google_project" "acceptance" { @@ -358,4 +355,3 @@ resource "google_project_iam_binding" "acceptance" { } `, pid, name, org, role, conditionTitle) } -<% end -%> diff --git a/third_party/terraform/tests/resource_google_project_iam_member_test.go.erb b/third_party/terraform/tests/resource_google_project_iam_member_test.go.erb index 4327f549fe69..79d73d79d7bf 100644 --- a/third_party/terraform/tests/resource_google_project_iam_member_test.go.erb +++ b/third_party/terraform/tests/resource_google_project_iam_member_test.go.erb 
@@ -134,7 +134,6 @@ func TestAccProjectIamMember_remove(t *testing.T) { }) } -<% unless version == 'ga' -%> func TestAccProjectIamMember_withCondition(t *testing.T) { t.Parallel() @@ -168,7 +167,6 @@ func TestAccProjectIamMember_withCondition(t *testing.T) { }, }) } -<% end -%> func testAccProjectAssociateMemberBasic(pid, name, org, role, member string) string { return fmt.Sprintf(` @@ -208,7 +206,6 @@ resource "google_project_iam_member" "multiple" { `, pid, name, org, role, member, role2, member2) } -<% unless version == 'ga' -%> func testAccProjectAssociateMember_withCondition(pid, name, org, role, member, conditionTitle string) string { return fmt.Sprintf(` resource "google_project" "acceptance" { @@ -229,4 +226,3 @@ resource "google_project_iam_member" "acceptance" { } `, pid, name, org, role, member, conditionTitle) } -<% end -%> diff --git a/third_party/terraform/tests/resource_google_project_iam_policy_test.go.erb b/third_party/terraform/tests/resource_google_project_iam_policy_test.go.erb index 6f0a82db8dff..7de89ee41280 100644 --- a/third_party/terraform/tests/resource_google_project_iam_policy_test.go.erb +++ b/third_party/terraform/tests/resource_google_project_iam_policy_test.go.erb @@ -128,7 +128,6 @@ func TestAccProjectIamPolicy_expandedAuditConfig(t *testing.T) { }) } -<% unless version == 'ga' -%> func TestAccProjectIamPolicy_withCondition(t *testing.T) { t.Parallel() @@ -157,7 +156,6 @@ func TestAccProjectIamPolicy_withCondition(t *testing.T) { }, }) } -<% end -%> func getStatePrimaryResource(s *terraform.State, res, expectedID string) (*terraform.InstanceState, error) { // Get the project resource @@ -431,7 +429,6 @@ data "google_iam_policy" "expanded" { `, pid, name, org) } -<% unless version == 'ga' -%> func testAccProjectAssociatePolicy_withCondition(pid, name, org string) string { return fmt.Sprintf(` resource "google_project" "acceptance" { @@ -467,4 +464,3 @@ data "google_iam_policy" "admin" { } `, pid, name, org) } -<% end -%> 
diff --git a/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb b/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb index ad661abb3e59..6b4c32542dc9 100644 --- a/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb +++ b/third_party/terraform/tests/resource_google_service_account_iam_test.go.erb @@ -32,7 +32,6 @@ func TestAccServiceAccountIamBinding(t *testing.T) { }) } -<% unless version == 'ga' -%> func TestAccServiceAccountIamBinding_withCondition(t *testing.T) { t.Parallel() @@ -88,7 +87,6 @@ func TestAccServiceAccountIamBinding_withAndWithoutCondition(t *testing.T) { }, }) } -<% end -%> func TestAccServiceAccountIamMember(t *testing.T) { t.Parallel() @@ -114,7 +112,6 @@ func TestAccServiceAccountIamMember(t *testing.T) { }) } -<% unless version == 'ga' -%> func TestAccServiceAccountIamMember_withCondition(t *testing.T) { t.Parallel() @@ -170,7 +167,6 @@ func TestAccServiceAccountIamMember_withAndWithoutCondition(t *testing.T) { }, }) } -<% end -%> func TestAccServiceAccountIamPolicy(t *testing.T) { t.Parallel() @@ -194,7 +190,6 @@ func TestAccServiceAccountIamPolicy(t *testing.T) { }) } -<% unless version == 'ga' -%> func TestAccServiceAccountIamPolicy_withCondition(t *testing.T) { t.Parallel() @@ -216,7 +211,6 @@ func TestAccServiceAccountIamPolicy_withCondition(t *testing.T) { }, }) } -<% end -%> // Ensure that our tests only create the expected number of bindings. // The content of the binding is tested in the import tests. @@ -259,7 +253,6 @@ resource "google_service_account_iam_binding" "foo" { `, account) } -<% unless version == 'ga' -%> func testAccServiceAccountIamBinding_withCondition(account, member, conditionTitle, conditionExpr string) string { return fmt.Sprintf(` resource "google_service_account" "test_account" { 
@@ -305,7 +298,6 @@ resource "google_service_account_iam_binding" "foo2" { } `, account, member, member, conditionTitle, conditionExpr) } -<% end -%> func testAccServiceAccountIamMember_basic(account string) string { return fmt.Sprintf(` @@ -322,7 +314,6 @@ resource "google_service_account_iam_member" "foo" { `, account) } -<% unless version == 'ga' -%> func testAccServiceAccountIamMember_withCondition(account, conditionTitle string) string { return fmt.Sprintf(` resource "google_service_account" "test_account" { @@ -368,7 +359,6 @@ resource "google_service_account_iam_member" "foo2" { } `, account, conditionTitle) } -<% end -%> func testAccServiceAccountIamPolicy_basic(account string) string { return fmt.Sprintf(` @@ -392,7 +382,6 @@ resource "google_service_account_iam_policy" "foo" { `, account) } -<% unless version == 'ga' -%> func testAccServiceAccountIamPolicy_withCondition(account string) string { return fmt.Sprintf(` resource "google_service_account" "test_account" { @@ -419,4 +408,3 @@ resource "google_service_account_iam_policy" "foo" { } `, account) } -<% end -%> diff --git a/third_party/terraform/website/docs/d/iam_policy.html.markdown b/third_party/terraform/website/docs/d/iam_policy.html.markdown index d2a0a4db705c..5b2ea7d18810 100644 --- a/third_party/terraform/website/docs/d/iam_policy.html.markdown +++ b/third_party/terraform/website/docs/d/iam_policy.html.markdown 
@@ -87,6 +87,15 @@ each accept the following arguments: * `log_type` (Required) Defines the logging level. `DATA_READ`, `DATA_WRITE` and `ADMIN_READ` capture different types of events. See [the audit configuration documentation](https://cloud.google.com/resource-manager/reference/rest/Shared.Types/AuditConfig) for more details. * `exempted_members` (Optional) Specifies the identities that are exempt from these types of logging operations. Follows the same format of the `members` array for `binding`. +* `condition` - (Optional) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below. + +The `condition` block supports: + +* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax. + +* `title` - (Required) A title for the expression, i.e. a short string describing its purpose. + +* `description` - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. ## Attributes Reference diff --git a/third_party/terraform/website/docs/r/google_project_iam.html.markdown b/third_party/terraform/website/docs/r/google_project_iam.html.markdown index e5cf01aa3d14..c8ea70862740 100644 --- a/third_party/terraform/website/docs/r/google_project_iam.html.markdown +++ b/third_party/terraform/website/docs/r/google_project_iam.html.markdown @@ -48,7 +48,7 @@ data "google_iam_policy" "admin" { } ``` -With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)): +With IAM Conditions: ```hcl resource "google_project_iam_policy" "project" { @@ -88,7 +88,7 @@ resource "google_project_iam_binding" "project" { } ``` -With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)): +With IAM Conditions: ```hcl resource "google_project_iam_binding" "project" { 
@@ -117,7 +117,7 @@ resource "google_project_iam_member" "project" { } ``` -With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)): +With IAM Conditions: ```hcl resource "google_project_iam_member" "project" { @@ -183,7 +183,7 @@ will not be inferred from the provider. * `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below. -* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. +* `condition` - (Optional) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below. --- diff --git a/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown b/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown index 8f87bd776ca7..5bd5551aef2e 100644 --- a/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown +++ b/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown @@ -63,7 +63,7 @@ resource "google_service_account_iam_binding" "admin-account-iam" { } ``` -With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)): +With IAM Conditions: ```hcl resource "google_service_account" "sa" { @@ -112,7 +112,7 @@ resource "google_service_account_iam_member" "gce-default-account-iam" { } ``` -With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)): +With IAM Conditions: ```hcl resource "google_service_account" "sa" { 
@@ -155,7 +155,7 @@ The following arguments are supported: * `policy_data` - (Required only by `google_service_account_iam_policy`) The policy data generated by a `google_iam_policy` data source. -* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. +* `condition` - (Optional) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below. The `condition` block supports: